CN101192920A - A method and device for responding to a request - Google Patents
- Publication number
- CN101192920A
- Authority
- CN
- China
- Prior art keywords
- request
- terminal
- black
- white list
- csi
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
An embodiment of the present invention discloses a method for responding to a request, applicable to the combined circuit-switched (CS) and IP Multimedia Subsystem (IMS) service (CSI). The method includes: configuring a request-message blacklist and whitelist, which record the terminals whose requests are prohibited and allowed respectively; when another terminal sends a request to the CSI terminal, consulting the request-message blacklist and whitelist to determine which list the requesting terminal belongs to; when the requesting terminal is on the whitelist, accepting its request; and when the requesting terminal is on the blacklist, rejecting its request. By applying the embodiment of the present invention, the various requests that other terminals make to the CSI terminal can be restricted, frequent requests from malicious terminals can be avoided, normal call establishment can be ensured, and system performance can be improved. An embodiment of the invention also discloses a device for responding to requests in the CSI service, including a receiving module, a blacklist/whitelist configuration module and a judgment module.
Description
Technical field
The invention relates to security technology in SIP systems, and in particular to a method and device for responding to requests in the combined circuit-switched and IP Multimedia Subsystem (IMS) service (CSI).
Background
With the development of mobile communication technology, more and more new communication technologies are applied to mobile communication. The faster mobile communication becomes and the more types of communication service it offers, the more convenient communication becomes for people. As services multiply and new services keep emerging, how to deploy services conveniently and quickly has become a focus of attention, and the concept of IMS was proposed for this purpose. IMS is the center through which the 3G core network provides end-to-end multimedia services and cluster multimedia services. In 3GPP R6, IMS has been defined as a multimedia service core network that supports all IP access networks, and it can support any mobile or fixed, wired or wireless IP access network (IP-CAN). IMS is gradually becoming a common service platform through which services can be quickly deployed and customized, bringing large benefits to operators.
Based on IMS technology, operators can offer many services, such as streaming media, videophone and CSI services. The full name of the CSI service is Combined Circuit Switched (CS) and IP Multimedia Subsystem (IMS) sessions, and it can also be called CSICS. The service can be described simply as the concurrency of a CS session and an IMS session: a user may establish an end-to-end IMS session during a CS call, or establish a CS session during an IMS session.
CSI is based on the standard protocols of 3GPP and the IETF. It provides concurrent IMS sessions during a CS session between point-to-point devices, and concurrent CS sessions during an IMS session. Through the concurrency of CS and IMS sessions, content can be shared over IMS during a CS call, including video clips, music, pictures, text and files. CSI is therefore also called a Share technology.
To provide the CSI service, a terminal must support a CS connection and an IMS connection at the same time. The IMS connection can reach the IMS core network in several ways: through wireless networks such as WCDMA, CDMA2000, WLAN and EDGE, or through wired networks such as XDSL. The CS network mainly provides high-quality, real-time voice communication; the IMS network mainly provides end-to-end addressing of users, negotiation of terminal capabilities, and service control.
There are two main ways to implement the CSI service: E2E and E2G. At this stage, the major equipment vendors all use the E2E approach. FIG. 1 is a network structure diagram of the E2E mode. In this mode, the main functions, features and operations are concentrated in the terminal, and the IMS network only provides a message routing and forwarding mechanism that assists the terminal in completing the service. This approach requires a capable terminal; at the same time, because the main functions are performed on the terminal side, IMS as a whole needs little modification, and the existing network can essentially provide the service as it is.
Besides the E2E approach described above, the industry is also considering an E2G approach. FIG. 2 is a network structure diagram of the E2G mode. In this mode, control is transferred from the terminal to the system side. This strengthens centralized management, makes services easier to deploy, and reduces the burden on the terminal. However, this approach needs terminal support before the service can be provided, and it also requires the existing network to be modified, so it is harder to implement than the former approach.
At present, the main implementation in the industry provides content sharing based on the E2E approach. Using the existing CS network and the IMS core network, a terminal can share video clips, live video content, audio, pictures, files and the like during a voice call. Before a CSI session is established, the CSI terminals need to go through a capability negotiation phase in which they exchange capability information. At present, CSI terminals exchange capabilities by querying each other's capabilities, and the procedure is the same in both directions. The following takes CSI terminal A querying the capability of CSI terminal B as an example to illustrate the current procedure for querying CSI terminal capability in the CSI service.
FIG. 1 shows the flow of CSI terminal A querying the capability of CSI terminal B. There are several reasons for a UE capability exchange: CSI terminal A does not know the capabilities of CSI terminal B; the capabilities of CSI terminal A itself have changed; or, when CSI terminal B requests the capabilities of CSI terminal A, CSI terminal A finds that the capability version of CSI terminal B has changed.
Specifically, if the first call is a standard IMS call procedure, the call signaling carries no extended CSI capability exchange field, and no CSI terminal capability information is exchanged during the call, then the CSI terminal can use the OPTIONS command of the Session Initiation Protocol (SIP) to obtain the capability information of the CSI terminal. After the terminals complete the capability exchange, the terminal reports the available service types to the user according to the service capability information obtained from the peer.
During the CSI service, regardless of whether the call initiated first is an IMS call or a CS call, the user can use the OPTIONS method during the call to obtain the capability information of the CSI terminal. This is very important for scenarios in which a terminal suddenly changes its capabilities during a call.
As shown in FIG. 3, the method for querying terminal capabilities includes:
Step 301: CSI terminal A requests to query the capabilities of CSI terminal B.
In this step, the query request is sent in a SIP OPTIONS message. The OPTIONS message contains the URI of CSI terminal B, and the URI or MSISDN of CSI terminal A. Table 1 is a specific example of the OPTIONS message that is sent.
OPTIONS request (terminal 1 to terminal 2)
Table 1
Step 302: IMS core network A sends the SIP OPTIONS message to IMS core network B.
Step 303: IMS core network B selects a route for the SIP OPTIONS message.
Step 304: IMS core network B sends the SIP OPTIONS message to CSI terminal B.
Step 305: CSI terminal B stores the address of CSI terminal A.
Steps 306-308: CSI terminal B sends a 200 OK message to CSI terminal A through IMS core network A and IMS core network B, and carries the capability description of CSI terminal B in the message.
In this step, the response message that CSI terminal B returns to CSI terminal A is shown in Table 2:
200 (OK) response (terminal 2 to terminal 1)
Table 2
Step 309: CSI terminal A saves the capability description of CSI terminal B.
After the capability query between CSI terminals has been performed according to the above method, a CSI call can be established.
In steps 306-308 above, CSI terminal B reports three of its media processing capabilities, namely MSRP, H.263 video capability and AMR audio capability, and gives the detailed parameters of each. In fact, reporting this information costs CSI terminal B a great deal of terminal system resources.
Summary of the invention
In the CSI terminal capability query method shown in FIG. 3, if a malicious terminal frequently issues OPTIONS commands and repeatedly asks CSI terminal B to send its capability information, then, because CSI terminal B needs a large amount of system resources every time it returns media capability information, the whole system is likely to respond slowly to user instructions or become unable to respond to normal call requests from other terminals. If the terminal's software system also has design defects and lacks redundancy protection, the entire operating system may even crash while frequently responding to capability queries.
In addition, a CSI terminal has several media capabilities. For some applications it is unnecessary for the terminal to report all of its media capabilities every time it receives an OPTIONS message, and doing so introduces a security risk. In particular, if a malicious terminal uses a defect in one of the media communication capabilities to attack the terminal, the consequences can be very serious.
To sum up, under malicious attack the current method of querying terminal capabilities in the CSI service greatly reduces system performance and affects normal call establishment. Other request messages in the CSI service, such as connection establishment requests, have the same security hole that malicious terminals can exploit: processing request messages too frequently congests the CSI terminal and can even crash the system.
In view of this, an embodiment of the present invention provides a method for responding to requests that can prevent malicious attacks on CSI terminals through requests in the CSI service and improve system performance.
An embodiment of the present invention also provides a device for responding to requests; the terminal can prevent malicious attacks on CSI terminals through requests in the CSI service and improve system performance.
The embodiments of the present invention adopt the following technical solutions:
A method for responding to a request, applicable to the combined circuit-switched and IP Multimedia Subsystem (IMS) service (CSI), the method comprising:
configuring a request-message blacklist and whitelist, which record the terminals whose requests are prohibited and allowed respectively;
when another terminal sends a request to the CSI terminal, consulting the request-message blacklist and whitelist to determine which list the requesting terminal belongs to; when the requesting terminal is on the whitelist, accepting its request; when the requesting terminal is on the blacklist, rejecting its request.
A device for responding to a request, the device comprising a receiving module, a blacklist/whitelist configuration module and a judgment module, wherein:
the receiving module is configured to receive requests sent by other terminals and forward them to the judgment module;
the blacklist/whitelist configuration module is configured to accept configuration, and to generate and save the request-message blacklist and whitelist;
the judgment module is configured to receive the request forwarded by the receiving module and, consulting the request-message blacklist and whitelist saved in the blacklist/whitelist configuration module, to judge the requesting terminal: when the requesting terminal is on the request-message whitelist, its request is accepted; when the requesting terminal is on the request-message blacklist, its request is rejected.
As the above technical solution shows, in the embodiments of the present invention a request-message blacklist and whitelist are configured to control the requests that other terminals make to the CSI terminal. When another terminal sends a request to the CSI terminal, the list to which the requesting terminal belongs is first determined from the configured request-message blacklist and whitelist, and it is then decided whether to accept that terminal's request. By applying the embodiments of the present invention, the various requests that other terminals make to the CSI terminal can be restricted, frequent requests from malicious terminals can be avoided, normal call establishment can be ensured, and system performance can be improved.
Description of drawings
FIG. 1 is a network structure diagram of the E2E mode.
FIG. 2 is a network structure diagram of the E2G mode.
FIG. 3 is a flowchart of the current method for querying terminal capabilities.
FIG. 4 is an overall flowchart of the method for responding to a request in the CSI service according to an embodiment of the present invention.
FIG. 5 is the main flowchart of the method for responding to a request in the CSI service in embodiment one of the present invention.
FIG. 6 is the main structural diagram of the device for responding to a request in the CSI service in embodiment one of the present invention.
FIG. 7 is the main flowchart of the method for responding to a request in the CSI service in embodiment two of the present invention.
FIG. 8 is the main structural diagram of the device for responding to a request in the CSI service in embodiment two of the present invention.
FIG. 9 is the main flowchart of the method for querying CSI terminal capability in embodiment three of the present invention.
FIG. 10 is the main structural diagram of the terminal device for the CSI service in embodiment three of the present invention.
FIG. 11 is the main flowchart of configuring or modifying the request-message blacklist and whitelist by means of active detection on the terminal.
Detailed description
To make the purpose, technical means and advantages of the embodiments of the present invention clearer, the embodiments are described in further detail below with reference to the accompanying drawings.
The basic idea of the embodiments of the present invention is to configure a request-message blacklist and whitelist on a CSI terminal to control the requests that other terminals make to that CSI terminal. When another terminal sends a request message to the CSI terminal, the CSI terminal first determines, from the configured request-message blacklist and whitelist, which list the requesting terminal belongs to, and then decides whether to accept that terminal's request.
FIG. 4 is an overall flowchart of responding to a request in the CSI service according to an embodiment of the present invention. As shown in FIG. 4, the method includes:
Step 401: configure the request-message blacklist and whitelist.
Step 402: another terminal sends a request message to the CSI terminal.
Step 403: consulting the configured request-message blacklist and whitelist, determine which list the requesting terminal belongs to. If terminal A is on the request-message whitelist, go to step 404; if terminal A is on the request-message blacklist, go to step 405.
Step 404: accept the request of the requesting terminal, and end this query procedure.
Step 405: reject the request of the requesting terminal, and end this query procedure.
The request-message blacklist and whitelist configured in the embodiments of the present invention record the terminals whose requests are prohibited and allowed respectively, and they are consulted to determine whether a requesting terminal has permission to make the request. In addition, when the requesting terminal is on the whitelist, that is, when it has request permission, it can further be required to authenticate, which further protects the system; or, when the request is a capability query request, the types of capability that may be queried can be restricted, to save system resources and meet user needs.
Three embodiments follow. They describe, respectively, the basic request-response method based on the blacklist/whitelist check, the request-response method with authentication, and the capability query method with added restrictions on capability queries. All three embodiments use a capability query request as the example for describing how requests are answered.
Embodiment one:
In this embodiment, a basic blacklist/whitelist check decides whether to allow a request from another terminal, and in the lists a terminal is represented by its address.
FIG. 5 is the main flowchart of the method for responding to a request in the CSI service in embodiment one of the present invention. As shown in FIG. 5, the method includes:
Step 501: configure the request-message blacklist and whitelist in the CSI terminal.
In this step, the request-message blacklist and whitelist can be configured actively by the user. In this embodiment, a terminal is represented by its address information, for example its SIP address; in other words, the terminal list is in fact a list of terminal addresses.
After the request-message blacklist and whitelist have been configured on the CSI terminal in this way, if a terminal A requests to query the capabilities of the CSI terminal on which the lists are configured, the following operations are performed:
Step 502: terminal A sends a capability query request to the CSI terminal.
In this embodiment, the capability query is performed with the SIP OPTIONS command.
Step 503: the CSI terminal receives the capability query request sent by terminal A and determines which list terminal A belongs to. If terminal A is on the request-message whitelist, go to step 504; if terminal A is on the request-message blacklist, go to step 505.
In this step, the list to which terminal A belongs is determined as follows: the address information of terminal A, such as its SIP address, is extracted from the OPTIONS message received by the CSI terminal and compared with the address information in the blacklist and whitelist saved in the CSI terminal; terminal A belongs to whichever list stores its address information.
Step 504: return the capability information of the CSI terminal to terminal A, and end this query procedure.
Step 505: return a rejection message notifying terminal A that it is prohibited from querying the capability information of the CSI terminal, and end this query procedure.
The above is the specific flow of the method for responding to a capability query request in this embodiment. This embodiment also provides a specific implementation of the terminal device in the CSI service, which can be used to carry out the above method. FIG. 6 is the main structural diagram of the device for responding to a request in the CSI service in embodiment one of the present invention. As shown in FIG. 6, the device 600 includes a receiving module 601, a blacklist/whitelist configuration module 602 and a judgment module 603.
In the device 600, the receiving module 601 is configured to receive requests sent by other terminals and forward them to the judgment module 602.
The blacklist/whitelist configuration module 602 is configured to accept configuration, and to generate and save the request-message blacklist and whitelist.
The judgment module 603 is configured to receive the request forwarded by the receiving module 601 and, consulting the request-message blacklist and whitelist saved in the blacklist/whitelist configuration module 602, to judge the requesting terminal: when the requesting terminal is on the request-message whitelist, its request is accepted; when the requesting terminal is on the request-message blacklist, its request is rejected.
As can be seen from the above, once the request-message blacklist and whitelist have been configured in the CSI terminal in advance, queries for that CSI terminal's capability information are restricted by the lists. If the querying terminal is on the request-message blacklist, no capability information is returned to it, so once a malicious terminal has been placed on the request-message blacklist its attack can be avoided.
In this embodiment, the request-message blacklist is configured actively by the user. In fact, the terminal can also detect OPTIONS attacks automatically and update the list in real time. For example, an attack behavior and a corresponding threshold are defined; every time the terminal receives an OPTIONS request it counts that OPTIONS command, and if the request frequency exceeds the threshold, the terminal considers it a malicious attack. The terminal that launched the malicious attack is added directly to the list of terminals prohibited from performing capability queries, or is added to that list after the user confirms. Adding a terminal to the list may consist of adding the illegal terminal's address as an entry in the list of terminals prohibited from querying. Thereafter, the CSI terminal can block OPTIONS requests sent by the attacker according to the updated terminal list.
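The list check of steps 503-505 combined with the threshold-based automatic blacklisting described above, as an added Python example that is not part of the patent. The sliding-window counter, the threshold values, the handling of senders on neither list (rejected here), the `OptionsGuard` and `sender_uri` names and all addresses are assumptions made for illustration.

```python
import re
import time
from collections import defaultdict, deque

# From header in full ("From:") or compact ("f:") form; the URI may be wrapped in <...>.
_FROM_RE = re.compile(
    r"^(?:From|f)[ \t]*:[ \t]*(?:[^\r\n<]*<([^>\r\n]+)>|([^;\s]+))",
    re.IGNORECASE | re.MULTILINE)


def sender_uri(sip_message):
    """Return the sender's SIP URI taken from the From header, or None if absent."""
    match = _FROM_RE.search(sip_message)
    if match is None:
        return None
    uri = match.group(1) or match.group(2)
    # Simplification (assumption): drop URI parameters, compare case-insensitively.
    return uri.split(";")[0].strip().lower()


class OptionsGuard:
    """Blacklist/whitelist check with frequency-based automatic blacklisting."""

    def __init__(self, whitelist=(), blacklist=(), max_requests=5, window_s=10.0):
        self.whitelist = {u.lower() for u in whitelist}
        self.blacklist = {u.lower() for u in blacklist}
        self.max_requests = max_requests   # threshold: requests allowed per window
        self.window_s = window_s           # sliding window length in seconds
        self._seen = defaultdict(deque)    # sender URI -> recent request times

    def decide(self, sip_message, now=None):
        now = time.monotonic() if now is None else now
        uri = sender_uri(sip_message)
        if uri is None:
            return "reject-malformed"
        if uri in self.blacklist:
            return "reject-blacklisted"          # step 505
        if uri not in self.whitelist:
            # Assumption: the text only defines the two lists; a sender on
            # neither is refused and not tracked, so state stays bounded.
            return "reject-unlisted"
        times = self._seen[uri]
        times.append(now)
        while now - times[0] > self.window_s:    # forget requests outside the window
            times.popleft()
        if len(times) > self.max_requests:
            # Frequency above the threshold: move the sender to the blacklist.
            self.whitelist.discard(uri)
            self.blacklist.add(uri)
            del self._seen[uri]
            return "reject-flood"
        return "accept"                          # step 504: return capabilities


def options_request(from_header):
    """Build a constructed SIP OPTIONS request (sample data for the demo)."""
    return ("OPTIONS sip:csi-terminal@example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP host.example.net;branch=z9hG4bKconstructed\r\n"
            f"{from_header}\r\n"
            "To: <sip:csi-terminal@example.com>\r\n"
            "Call-ID: constructed-call-id@example.net\r\n"
            "CSeq: 1 OPTIONS\r\n"
            "Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    guard = OptionsGuard(whitelist=["sip:alice@example.com", "sip:mallory@example.net"],
                         blacklist=["sip:eve@example.org"],
                         max_requests=3, window_s=10.0)
    alice = options_request('From: "Alice" <sip:alice@example.com>;tag=1')
    flood = options_request("f: sip:mallory@example.net;tag=9")
    print(guard.decide(alice, now=0.0))
    for t in range(5):
        print(t, guard.decide(flood, now=float(t)))
```

The From header is asserted by the sender, so a list keyed on it is only as trustworthy as the network's verification of that identity.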
Embodiment two:
To make the system more flexible, the terminal can set security options when configuring the list of terminals allowed to query, requiring an authentication operation for capability requests from certain terminals. This embodiment builds on embodiment one and describes in detail the method of querying terminal capability with an added authentication operation; the specific authentication operation is password authentication.
FIG. 5 is the main flowchart of the method for responding to a request in the CSI service in embodiment two of the present invention. As shown in FIG. 5, the method includes:
Step 501: configure the request-message blacklist and whitelist in the CSI terminal.
In this step, because a CSI call is built on an IMS call, the capability blacklist and whitelist can be configured by synchronizing them with the IMS call blacklist and whitelist. Specifically, at initial configuration the IMS call blacklist can be used as the request-message blacklist and the IMS call whitelist as the request-message whitelist. Further, the contents of the request-message blacklist and whitelist can be modified as the user requires, by active configuration by the user. When the IMS call blacklist or whitelist changes, the request-message blacklist and whitelist are modified at the same time. For example, when the user adds an illegal terminal to, or deletes one from, the IMS call blacklist, that terminal is automatically added to or deleted from the request-message blacklist; when the user adds a legal terminal to, or deletes one from, the IMS call whitelist, that terminal is automatically added to or deleted from the request-message whitelist.
In this embodiment, besides the list of terminals allowed to perform capability queries, the whitelist can further include an authentication entry. Because the authentication operation uses password authentication, the authentication entry includes whether the terminal corresponding to the entry needs password verification, and the authentication password.
Assuming there is a terminal A that requests to query the capabilities of the CSI terminal on which the request-message blacklist and whitelist are configured, the following operations are performed:
Step 702: terminal A sends a capability query request to the CSI terminal.
Step 703: the CSI terminal receives the capability query request sent by terminal A and determines which list terminal A belongs to. If terminal A is on the request-message whitelist, go to step 704 and the subsequent steps; if terminal A is on the request-message blacklist, go to step 709.
In this step, the list to which terminal A belongs is determined in the same way as in embodiment one, so it is not described again here.
Step 704: according to the authentication entry corresponding to terminal A, the CSI terminal determines whether terminal A needs password verification. If so, go to step 705 and the subsequent steps; otherwise go to step 708.
Step 705: the CSI terminal determines whether the received capability query request contains a verification password. If so, go to step 707 and the subsequent steps; otherwise go to step 706 and the subsequent steps.
Step 706: the CSI terminal sends terminal A a message requiring authentication. After receiving this message, terminal A resends the capability query request, this time carrying the verification password.
Step 707: according to the authentication password in the authentication entry, the CSI terminal determines whether the verification password carried in the capability query request is valid. If so, go to step 708; otherwise go to step 709.
Step 708: return the capability information of the CSI terminal to terminal A, and end this query procedure.
Step 709: discard the capability query request, return no information to terminal A, and end this query procedure.
The above is the specific flow of the method for responding to a capability query request in this embodiment. This embodiment also provides a specific implementation of the terminal device in the CSI service, which can be used to carry out the above method. FIG. 8 is the main structural diagram of the device for responding to a request in the CSI service in embodiment two of the present invention. As shown in FIG. 8, the device 800 includes a receiving module 801, a blacklist/whitelist configuration module 802 and a judgment module 803.
In the device 800, the receiving module 801 is configured to receive requests sent by other terminals and forward them to the judgment module 802.
The blacklist/whitelist configuration module 802 is configured to accept configuration, and to generate and save the request-message blacklist and whitelist; the saved request-message whitelist further includes authentication entries.
The judgment module 803 is configured to receive the request forwarded by the receiving module 801 and, consulting the request-message blacklist and whitelist saved in the blacklist/whitelist configuration module 802, to judge the requesting terminal: when the requesting terminal is on the request-message whitelist, it further looks up in the blacklist/whitelist configuration module 802 whether the requesting terminal needs to be authenticated, and performs the authentication; when the requesting terminal is on the request-message blacklist, its request is rejected.
The method for querying terminal capability in this embodiment is basically the same as in embodiment one. The differences are: first, configuring the capability query whitelist further includes setting security options, specifically adding an authentication entry to the request-message whitelist that indicates whether the corresponding terminal needs an authentication operation and the authentication password used for it; second, when deciding whether to return the CSI terminal's capability information, this embodiment further includes steps 704-707 shown in FIG. 7, which determine whether terminal A, the sender of the capability query request, needs to be authenticated, and which describe the whole authentication process in detail.
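The decision flow of steps 703-709, as an added Python example that is not part of the patent. The text says the authentication entry holds the authentication password; this sketch stores a salted PBKDF2 hash of it and compares in constant time, which is a substitution made here. The `WhitelistEntry`, `make_entry` and `respond` names, the handling of senders on neither list, and all addresses and passwords are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _derive(password, salt):
    # Salted, slow hash so the stored entry does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass(frozen=True)
class WhitelistEntry:
    """Authentication entry kept alongside a whitelisted terminal address."""
    needs_auth: bool = False
    salt: bytes = b""
    pw_hash: bytes = b""


def make_entry(password=None):
    """Create a whitelist entry; pass a password to require verification."""
    if password is None:
        return WhitelistEntry()
    salt = os.urandom(16)
    return WhitelistEntry(True, salt, _derive(password, salt))


def respond(sender, supplied_password, whitelist, blacklist):
    """Return (action, step) for a capability query from `sender`.

    action is "send_capabilities", "challenge" or "drop"; step is the step
    number from the text that produced it (None for the unlisted case).
    """
    if sender in blacklist:                       # step 703 -> 709
        return ("drop", 709)
    entry = whitelist.get(sender)
    if entry is None:
        # Assumption: the text does not cover a sender on neither list;
        # it is silently dropped here, like a blacklisted one.
        return ("drop", None)
    if not entry.needs_auth:                      # step 704 -> 708
        return ("send_capabilities", 708)
    if supplied_password is None:                 # step 705 -> 706
        return ("challenge", 706)
    candidate = _derive(supplied_password, entry.salt)
    if hmac.compare_digest(candidate, entry.pw_hash):   # step 707 -> 708
        return ("send_capabilities", 708)
    return ("drop", 709)                          # step 707 -> 709, no feedback


if __name__ == "__main__":
    # Constructed sample lists.
    wl = {"sip:alice@example.com": make_entry(),
          "sip:bob@example.com": make_entry("constructed-passphrase")}
    bl = {"sip:mallory@example.net"}
    print(respond("sip:alice@example.com", None, wl, bl))
    print(respond("sip:bob@example.com", None, wl, bl))
    print(respond("sip:bob@example.com", "constructed-passphrase", wl, bl))
    print(respond("sip:bob@example.com", "wrong", wl, bl))
    print(respond("sip:mallory@example.net", None, wl, bl))
```

A failed verification and a blacklisted sender produce the same silent drop, as step 709 specifies, so the response does not tell a prober which case it hit.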
事实上,在进行鉴权操作时也可以采用私有密钥签名的方式。在这种方式下,鉴权表项中保存的鉴权信息为私有密钥签名的结果。当被叫方向主叫发送要求鉴权的消息后,主叫即将私有密钥签名的结果返回到被叫方,被叫方通过接收到的私有密钥签名的结果和鉴权表项中保存的内容进行比对,来实现用户身份识别。In fact, private key signatures can also be used for authentication operations. In this way, the authentication information stored in the authentication entry is the result of the private key signature. When the called party sends a message requesting authentication to the calling party, the calling party will return the result of the private key signature to the called party, and the called party will pass the result of the received private key signature and the value stored in the authentication entry The content is compared to realize user identification.
在本实施例中,配置请求消息黑白名单的方式为与IMS呼叫的黑白名单同步的,在该方式中,具体是根据IMS呼叫的黑白名单配置请求消息黑白名单。事实上,另一种方式可以为:采用用户主动配置的方式自定义地配置专用黑白名单,而用于进行黑白名单判断的请求消息黑白名单具体包括了用户配置的专用黑白名单和IMS呼叫的黑白名单。这样,由于能力查询名单本身包括了IMS呼叫的黑白名单,因此也就自然实现了与IMS呼叫的黑白名单同步的目的。In this embodiment, the method of configuring the blacklist and whitelist of the request message is synchronized with the blacklist and whitelist of the IMS call. In this method, the blacklist and whitelist of the request message are specifically configured according to the blacklist and whitelist of the IMS call. In fact, another way can be: use the user's initiative to configure the special black and white list, and the black and white list of the request message used for black and white list judgment specifically includes the special black and white list configured by the user and the black and white of IMS calls. list. In this way, since the capability query list itself includes the black and white lists of IMS calls, the purpose of synchronizing with the black and white lists of IMS calls is naturally achieved.
通过本实施例中鉴权表项的增加,使得配置了请求消息黑白名单的CSI终端可以设定某些发送请求终端的安全等级,要求其进行鉴权,进一步增加了CSI终端的安全性。Through the addition of authentication entries in this embodiment, the CSI terminals configured with the black and white lists of request messages can set the security level of certain sending request terminals and require them to perform authentication, which further increases the security of the CSI terminals.
Embodiment 3:
To meet user needs and avoid unnecessary system consumption, the black and white lists can specify terminal capability description types that do not need to be fed back. When the terminal decides that a capability description may be fed back, it feeds back only the capability descriptions that need to be returned, which satisfies the user's requirements and saves system resources. This embodiment describes that implementation in detail on the basis of Embodiment 1.
FIG. 9 is the main flow chart of the method for querying CSI terminal capabilities in Embodiment 3 of the present invention. As shown in FIG. 9, the method includes:
Step 901: The request message black and white lists are configured in the CSI terminal.
In this step, the request message black and white lists may be configured as follows: the terminal automatically detects an OPTIONS attack and, once the attack has been found and confirmed by the user, adds the sender to the black and white lists. Specifically, an attack behavior and a corresponding threshold are defined. Each time the terminal receives an OPTIONS request, it performs a calculation on that OPTIONS command; if the request frequency exceeds a certain threshold, the terminal considers it a malicious attack. The terminal then reports to the user interface and, after the user approves, adds an illegal SIP address to the black and white lists; from then on the terminal can use the lists to block OPTIONS requests sent by the attacker. For example, the user may set: if 10 connections are made to the CSI terminal within 10 seconds, the sender can be regarded as a malicious attacker and automatically added to the blacklist.
In this embodiment, besides the list of terminals allowed to perform capability queries, the white list may further include a capability query restriction entry, which records the capability types that may not be queried.
Assume that a terminal A requests the capabilities of a CSI terminal on which the terminal lists have been configured. The following operations are performed:
Step 902: Terminal A sends a capability query request to the CSI terminal.
Step 903: The CSI terminal receives the capability query request sent by terminal A and judges which list terminal A belongs to. If terminal A belongs to the list of terminals allowed to perform capability queries, step 904 and the subsequent steps are performed; if terminal A belongs to the list of terminals forbidden to perform capability queries, step 905 is performed.
In this step, the list to which terminal A belongs is judged in the same way as in Embodiment 1, which is not repeated here.
Step 904: The CSI terminal extracts a capability query response list according to the capability query restriction entry corresponding to terminal A, feeds the capability information in that list back to the terminal that sent the request, and ends the query flow.
In this step, the CSI terminal finds terminal A in the white list and determines the specific capability query restrictions for that terminal. For example, if video calls are restricted, the capability information related to video calls is not extracted when the capability query response list is extracted.
Step 905: The capability query request is discarded, no information is fed back to terminal A, and the query flow ends.
The method for querying terminal capabilities in this embodiment differs from Embodiment 1 in that, when the list of terminals allowed to perform capability queries is configured in step 501, or while the service is in progress, the white list specifies, for different terminals, the terminal capability description types that should not be fed back. The CSI terminal can therefore feed back different capability description types depending on which terminal sent the capability query request.
For example, if for some reason the user does not want to share multimedia information, such as Jpg pictures or video in 3gpp format, in an MSRP session with terminal A, the user can set this in the white list by entering Jpg pictures or 3gpp-format video in the capability query restriction entry corresponding to terminal A. Once the CSI terminal has been set up this way, it no longer returns this capability information when it receives an OPTIONS request from terminal A.
Of course, when a capability is restricted from being queried, the restriction can also be applied to queries for that capability from all terminals at once.
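The above is the specific flow of the method for responding to a capability query request in this embodiment. This embodiment also provides a specific implementation of the terminal device in the CSI service, which can be used to carry out the method flow above. FIG. 10 is the main structural diagram of the device for responding to requests in the CSI service according to Embodiment 3 of the present invention. As shown in FIG. 10, the device 1000 includes a receiving module 1001, a black and white list configuration module 1002 and a judgment module 1003, where the judgment module 1003 includes a capability list storage unit 1003a.
In the device 1000, the receiving module 1001 is configured to receive requests sent by other terminals and forward them to the judgment module 1002.
The black and white list configuration module 1002 is configured to accept configuration, generate and store the request message black and white lists; the stored request message white list further includes a capability query restriction entry.
The judgment module 1003 is configured to receive the request forwarded by the receiving module 1001 and, with reference to the request message black and white lists stored in the black and white list configuration module 1002, to judge the terminal sending the request. When that terminal belongs to the request message white list, the module further queries the black and white list configuration module 1002 for the capability query restrictions corresponding to the terminal and, according to them, extracts the capability information to be fed back from the capability list storage unit 1003a; when the terminal belongs to the request message blacklist, the terminal's request is rejected.
The capability list storage unit 1003a is configured to store the capability list of this terminal device.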
In this embodiment, the request message black and white lists are configured by taking those of Embodiment 1 and further adding a capability query restriction entry to the white list; in Embodiment 2, they are configured by taking those of Embodiment 1 and further adding an authentication entry to the white list.
Of course, both an authentication entry and a capability query restriction entry can be added to the white list on top of the request message black and white lists configured in Embodiment 1. When the CSI terminal judges whether to feed back its own capability information, it first performs the black and white list judgment. If the sender is on the white list, it then uses the authentication entry to judge whether authentication is required and, after the requesting terminal has passed authentication, uses the capability query restriction entry to feed back the CSI terminal's capability information selectively.
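The combined judgment order described above (list check, then authentication, then capability filtering) can be written as one decision function. This is an added example, not code from the patent; the class and function names, the SIP addresses, the capability labels and the default-deny handling of a sender on neither list are assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Constructed capability list held by the CSI terminal (sample values).
TERMINAL_CAPABILITIES = ["audio", "video-call", "msrp-jpg", "msrp-3gpp-video"]


@dataclass
class WhitelistEntry:
    auth_required: bool = False   # authentication entry: is authentication needed?
    auth_password: str = ""       # authentication entry: expected password
    restricted: set = field(default_factory=set)  # capability query restriction entry


@dataclass
class RequestLists:
    blacklist: set = field(default_factory=set)
    whitelist: dict = field(default_factory=dict)  # SIP address -> WhitelistEntry


def answer_capability_query(lists, sender, password=None):
    """Return the capabilities to feed back, or None to discard the request silently."""
    # 1. Black and white list judgment.
    if sender in lists.blacklist:
        return None
    entry = lists.whitelist.get(sender)
    if entry is None:
        # Assumption: a sender on neither list is treated like a blacklisted one.
        return None
    # 2. Authentication, only when the entry asks for it.
    if entry.auth_required:
        supplied = (password or "").encode()
        expected = entry.auth_password.encode()
        # An empty password never passes; the comparison is constant-time so
        # the time taken to reject does not reveal how much of it matched.
        if not supplied or not hmac.compare_digest(supplied, expected):
            return None
    # 3. Capability query restriction: drop the types this sender may not learn.
    return [c for c in TERMINAL_CAPABILITIES if c not in entry.restricted]


def build_sample_lists():
    """Constructed sample configuration with one entry of each kind."""
    lists = RequestLists()
    lists.blacklist.add("sip:flood@example.com")
    lists.whitelist["sip:a@example.com"] = WhitelistEntry(
        restricted={"msrp-jpg", "msrp-3gpp-video"})
    lists.whitelist["sip:b@example.com"] = WhitelistEntry(
        auth_required=True, auth_password="constructed-password",
        restricted={"video-call"})
    return lists


if __name__ == "__main__":
    sample = build_sample_lists()
    for who, pw in [("sip:a@example.com", None),
                    ("sip:b@example.com", "wrong"),
                    ("sip:b@example.com", "constructed-password"),
                    ("sip:flood@example.com", None),
                    ("sip:unknown@example.com", None)]:
        print(who, "->", answer_capability_query(sample, who, pw))
```

Every rejection path returns the same value, matching the behaviour in steps 709 and 905 where the request is dropped and nothing is fed back.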
By adding the capability query restriction entry described above, a CSI terminal configured with request message black and white lists can control the list of capability information fed back to other terminals. Services the CSI terminal does not wish to offer can be left out of the capability information it returns, so the terminal receiving that information cannot learn of the CSI terminal's capability in that respect. This further improves the flexibility of the CSI terminal.
In Embodiment 3, the request message black and white lists are configured by having the terminal detect OPTIONS attacks automatically, combined with user confirmation. Specifically, an attack behavior is preset; when the terminal automatically detects that behavior, it configures and modifies the request message black and white lists according to a set policy.
The preset attack behavior may be: the frequency of requests exceeds a preset threshold; and/or the number of authentication failures of a terminal that requires authentication exceeds a preset threshold. The set policy may be: when the CSI terminal detects an attack behavior, the terminal that initiated it is added to the blacklist; or, when the CSI terminal detects an attack behavior, it reports the behavior and, after the user confirms, adds the terminal that initiated it to the blacklist.
A specific example illustrates the configuration and modification of the request message black and white lists described above. In this example, assume the preset attack behavior is that OPTIONS requests are sent more often than 10 times per second, and the set policy is that when the CSI terminal detects the attack behavior, it reports the behavior and, after the user confirms, adds the terminal that initiated it to the blacklist. As shown in FIG. 11, the procedure includes:
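Step 1101: The CSI terminal is idle and ready to receive requests.
Step 1102: The CSI terminal receives an OPTIONS command sent by terminal A.
Step 1103: The number of OPTIONS requests received from terminal A within 1 s is counted.
Step 1104: It is judged whether the number obtained in step 1103 exceeds 10. If so, step 1105 is performed; otherwise, the flow returns to step 1101.
Step 1105: An alarm is raised to the user through the CSI terminal interface, reporting the attack behavior to the user.
Step 1106: The user enters a choice.
In this example, the choice is whether to add terminal A to the request message blacklist.
Step 1107: The user's input from step 1106 is evaluated. If the user confirms that terminal A should be added to the request message blacklist, step 1108 is performed; otherwise, step 1109 is performed.
Step 1108: Terminal A is added to the request message blacklist, and the flow ends.
Step 1109: The count of OPTIONS requests from terminal A is reset to 0, and the flow ends.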
Through the above process, the request message black and white lists can be configured or modified. Other attack behaviors and corresponding policies can of course be set; once they are applied, the request message black and white lists are configured or modified in the same way as in the example above, which is not repeated here.
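Steps 1101-1109 amount to a per-sender rate counter with a user-confirmation gate, which also covers the threshold setting described under step 901. The detector below is an added example, not code from the patent; the class name, the `confirm` callback standing in for the user's choice, the sliding-window counting and the millisecond timestamps are assumptions.

```python
from collections import defaultdict, deque


class OptionsFloodDetector:
    """Counts OPTIONS requests per sender and blacklists after user confirmation."""

    def __init__(self, blacklist, confirm, threshold=10, window_ms=1000):
        self.blacklist = blacklist    # set shared with the request handler
        self.confirm = confirm        # callback(sender) -> bool, steps 1105-1107
        self.threshold = threshold    # "exceeds 10" in step 1104
        self.window_ms = window_ms    # "within 1 s" in step 1103
        self.seen = defaultdict(deque)  # sender -> timestamps inside the window

    def on_options(self, sender, now_ms):
        """Handle one OPTIONS request (step 1102) and return the outcome."""
        if sender in self.blacklist:
            return "blocked"          # already listed: request is screened out
        stamps = self.seen[sender]
        stamps.append(now_ms)
        # Step 1103: keep only requests received within the last window.
        while stamps and now_ms - stamps[0] >= self.window_ms:
            stamps.popleft()
        # Step 1104: at or below the threshold, go back to waiting.
        if len(stamps) <= self.threshold:
            return "counted"
        # Steps 1105-1107: alert the user and read the decision.
        if self.confirm(sender):
            self.blacklist.add(sender)  # step 1108
            del self.seen[sender]
            return "blacklisted"
        stamps.clear()                  # step 1109: reset the count to 0
        return "reset"


def replay(events, confirm, threshold=10, window_ms=1000):
    """Run constructed (sender, timestamp_ms) events; return outcomes and blacklist."""
    blacklist = set()
    detector = OptionsFloodDetector(blacklist, confirm, threshold, window_ms)
    return [detector.on_options(s, t) for s, t in events], blacklist


# Constructed traffic: terminal A sends 12 requests 50 ms apart,
# terminal B sends 30 requests 200 ms apart.
BURST = [("sip:a@example.com", i * 50) for i in range(12)]
STEADY = [("sip:b@example.com", i * 200) for i in range(30)]

if __name__ == "__main__":
    print(replay(BURST, confirm=lambda sender: True))
    print(replay(BURST, confirm=lambda sender: False))
    print(set(replay(STEADY, confirm=lambda sender: True)[0]))
```

With the defaults, the eleventh request inside one second is the first to exceed the threshold, and a declined alert only clears the counter, so the same sender raises a new alert if the burst continues.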
The above are the specific implementations of the method and terminal device for responding to requests in the CSI service according to the embodiments of the present invention. In all of these embodiments, the example used is another terminal sending an OPTIONS command, as a capability query request, to a CSI terminal configured with request message black and white lists. Other requests sent to the CSI terminal can of course be handled in the same way. One example is a connection establishment request, which can be sent with a SIP INVITE command. The way the black and white lists are established for such a request and the way the decision to accept it is made are the same as in the embodiments above; only the specific content of the lists may differ, and the operations performed after accepting or rejecting the request are different. For different requests, the specific content of the black and white lists and the operations to be performed on accepting or rejecting the request are within the grasp of those skilled in the art and are not described further here.
In addition, the embodiments above all take configuration of the black and white lists inside the CSI terminal as the example for explaining how requests are answered in the CSI service. In the E2G network structure, the method and device of the embodiments of the present invention can of course also be implemented on a server, including configuration of the black and white lists and the judgment of whether to accept a user request; alternatively, the server and the CSI terminal can complete these operations together. The method of configuring the black and white lists and the way they are used to judge whether to accept a user request are the same as in the implementations above and are not repeated here.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (16)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200710163103.XA CN101192920B (en) | 2006-11-21 | 2006-11-21 | A response request method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200710163103.XA CN101192920B (en) | 2006-11-21 | 2006-11-21 | A response request method and device |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2006101457683A Division CN101193068B (en) | 2006-11-21 | 2006-11-21 | A method and device for responding to a request |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101192920A true CN101192920A (en) | 2008-06-04 |
CN101192920B CN101192920B (en) | 2015-04-29 |
Family
ID=39487695
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200710163103.XA Active CN101192920B (en) | 2006-11-21 | 2006-11-21 | A response request method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101192920B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN101192920B (en) | 2015-04-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |