JP7629977B1 - Information processing system, information processing method, and program - Google Patents

Abstract

The present invention makes it possible to timely acquire large amounts of data required to understand communication conditions even if the configuration of a core network becomes complex.
[Solution] The system includes an acquisition unit that acquires C-Plane packets and U-Plane packets from a core network, an extraction unit that extracts a source address, a destination address, and a TEID from the U-Plane packets acquired by the acquisition unit, and extracts the source address, destination address, and TEID of the U-Plane packets from information stored in the payload of the C-Plane packets acquired by the acquisition unit, and a linking unit that links the C-Plane packets and the U-Plane packets based on the source address, destination address, and TEID extracted by the extraction unit.
[Selection] Figure 11

Description

Patent Act Article 30, Paragraph 2 applies. Name of the research meeting: Japan P4 Users Group 2023 Venue: Tokyo Tatemono Nihonbashi Building, 1-3-13 Nihonbashi, Chuo-ku, Tokyo Date: October 12, 2023

The present invention relates to an information processing system, an information processing method, and a program that can timely acquire large amounts of data required to understand communication conditions even when the core network configuration is complex.

The quality of communication is evaluated by analyzing packets flowing through the network and calculating KPIs. Packets flowing through the network are also analyzed for marketing activities that utilize RTB, etc.

For example, in LTE, C-Plane packets and U-Plane packets are extracted from reference point S11, which is related to the connection between the MME and S-GW, and reference point S1-U, which is related to the connection between the base station eNodeB and the S-GW. By linking the extracted C-Plane packets and U-Plane packets, data related to communications by the same user can be identified, and information necessary for analyzing the communications status can be obtained.

In addition, a technology has been proposed in which a packet analysis unit that analyzes received packets refers to flow information to classify the received packets into flows and assign a flow ID, which is an identifier for the flow corresponding to the packet, thereby improving traffic control units and traffic control methods (see, for example, Patent Document 1).

Patent Publication 2022-090476

In the initial release of LTE, the packet extraction locations for the C-Plane and the U-Plane were concentrated within a single data center.

Meanwhile, in the CUPS (C-U-Plane Separate) architecture defined in later releases of LTE and 5G (hereinafter sometimes referred to as "5G compatible and beyond"), servers that handle network functions such as the UPF related to U-Plane processing are now distributed. For example, to improve the performance of the core network, servers that function as UPFs are often placed in data centers near base stations.

As a result, after the advent of 5G, the data center that extracts packets for the C-Plane and the data center that extracts packets for the U-Plane are often different, making it difficult to link data related to communications for the same user. On the other hand, for example, Cited Document 1 does not take into consideration the fact that the location for extracting packets for the C-Plane and the location for extracting packets for the U-Plane are located in different data centers.

In addition, in the past, data related to the same user's communications was linked using a table that associated the IDs provisionally assigned to each user's traffic with a unique ID. As a result, the processing load of the past linking process was high, and the number of users for which data could be linked was limited, making it impossible to perform sufficient analysis of, for example, key performance indicators (KPIs).

One aspect of the present invention aims to realize a technology that can acquire large amounts of data required to understand communication conditions in a timely manner, even if the core network configuration becomes complex.

An information processing system according to one aspect of the present invention includes an acquisition unit that acquires C-Plane packets and U-Plane packets from a core network, an extraction unit that extracts a source address, a destination address, and a TEID (Tunnel Endpoint Identifier) from the U-Plane packets acquired by the acquisition unit, and extracts the source address, destination address, and TEID of the U-Plane packets from information stored in the payload of the C-Plane packets acquired by the acquisition unit, and a linking unit that links the C-Plane packets and U-Plane packets based on the source address, destination address, and TEID extracted by the extraction unit.

An information processing method according to one aspect of the present invention includes the steps of acquiring C-Plane packets and U-Plane packets from a core network, extracting a source address, a destination address, and a TEID from the acquired U-Plane packets, and extracting the source address, destination address, and TEID of the U-Plane packets from information stored in the payload of the acquired C-Plane packets, and linking the C-Plane packets and U-Plane packets based on the extracted source address, destination address, and TEID.

Each aspect of the present invention may be realized by a computer. In this case, the program that causes a computer to execute each step of the above method, and the computer-readable recording medium on which the program is recorded, also fall within the scope of the present invention.

According to one aspect of the present invention, even if the core network configuration becomes complex, it is possible to obtain a large amount of data necessary to understand the communication situation in a timely manner.

FIG. 1 is a diagram illustrating a conventional packet analysis system for analyzing a communication situation. FIG. 2 is a diagram illustrating an example of a schematic internal configuration of the packet analysis system of FIG. 1. FIG. 13 is a diagram showing an example of a table in which IMSIs and TEIDs are associated with each other. FIG. 1 is a diagram showing an example of applying a conventional packet analysis system to a 5G core network. FIG. 2 is a diagram showing an example of components of a packet in the U-Plane. FIG. 1 is a diagram illustrating an example of components of a C-Plane packet. A diagram showing another example of components of a C-Plane packet. A diagram showing yet another example of components of a C-Plane packet. 11 is a diagram illustrating an example of information required to generate a session index. FIG. 1 is a diagram illustrating the encoding format of F-TEID defined in the standard TS 129 274 8.22. 1 is a block diagram showing an example of the configuration of a packet analysis system according to a first embodiment. 1 is a diagram illustrating an example of a packet acquisition position corresponding to an LTE core network. FIG. 13 is a diagram showing a list of message types of packets to be supplied to a session identification unit. FIG. 13 is a diagram showing a list of IEs to be referred to when classifying packets by IE. A diagram illustrating an example of a packet acquisition location corresponding to a 5G core network. 13 is a diagram showing a list of procedure codes of packets to be supplied to a session identification unit. FIG. A diagram illustrating another example of a packet acquisition location corresponding to a 5G core network. 13 is a flowchart illustrating an example of the flow of a packet analysis process. FIG. 1 is a diagram illustrating an example of the configuration of a computer that executes instructions of a program, which is software that realizes each function.

Below, an embodiment of the present invention will be described with reference to the drawings. First, the problems with the conventional technology will be described.

Traditionally, communication quality has been evaluated by analyzing packets flowing through a network and calculating KPIs.

Figure 1 is a diagram explaining a conventional packet analysis system for analyzing communication conditions. As shown in the figure, in the fourth generation mobile communication system (LTE), a UE (User Equipment) is connected to an LTE core network 30 via an eNodeB, which is a base station. The core network 30 includes network function units such as an MME (Mobility Management Entity), an S-GW (Serving Gateway), and a P-GW (PDN Gateway). The UE is also connected to an external network such as the Internet via an IP network used to provide carrier services, which is composed of a base station, a core network, and a CGN (Carrier Grade NAT), etc. Networks such as the IP network for carrier services and the Internet are sometimes collectively referred to as a DN (Data Network).

(Network configuration: LTE)
1 also shows a packet analysis system 50 corresponding to the LTE core network. The packet analysis system 50 extracts C-Plane packets and U-Plane packets from a reference point related to the connection between the MME and the S-GW and a reference point related to the connection between the eNodeB and the S-GW, respectively. That is, C-Plane packets are obtained from S11, which is a reference point related to the connection between the MME and the S-GW, and U-Plane packets are obtained from S1-U, which is a reference point related to the connection between the eNodeB and the S-GW.

C-Plane packets are packets related to communication for controlling, for example, which terminal is communicating with which base station. U-Plane packets are packets related to communication of data mainly related to the content itself, such as the website that the user is viewing or the voice data during a call.

The packet analysis system 50 identifies data related to communications by the same user by linking the acquired C-Plane packets with the acquired U-Plane packets, and acquires information necessary for analyzing the communication status. By inputting such information, for example, to a monitor device (not shown) and performing an analysis of the communication status, it becomes possible to calculate, for example, index values related to KPIs.

(System Overview)
Fig. 2 is a diagram showing a schematic internal configuration example of the packet analysis system 50 of Fig. 1. As shown in the figure, C-Plane packets acquired from S11 and U-Plane packets acquired from S1-U are supplied to a packet identifier 51. In this example, C-Plane packets and U-Plane packets related to Sub (representing subscriber) 1, Sub 2, and Sub 3 indicating individual users are supplied to the packet identifier 51.

The packet identifier 51 refers to a table described later, links C-Plane packets and U-Plane packets, and supplies them to DPI servers 52-1 to 52-3. For example, the packet identifier 51 links "S11 (Sub1)", a C-Plane packet related to user Sub1, and "S1-U (Sub1)", a U-Plane packet, and supplies them to DPI server 52-1. Similarly, the packet identifier 51 links "S11 (Sub2)" and "S1-U (Sub2)" related to user Sub2, and supplies them to DPI server 52-2, and links "S11 (Sub3)" and "S1-U (Sub3)" related to user Sub3, and supplies them to DPI server 52-3.

At this time, the packet identifier 51 uses a table that associates IMSI (International Mobile Subscriber Identity) with TEID (Tunnel Endpoint Identifier) to link C-Plane packets and U-Plane packets related to the same user. Note that the IMSI is an ID that is assigned to each user in advance. The TEID is an ID used in the tunneling protocol (GTP) and is assigned at the start of communication.

(Table for linking)
Fig. 3 is a diagram showing an example of a table associating IMSIs with TEIDs used in the packet analysis system 50 shown in the figure. In the example shown in the figure, IMSI "44020xxxxxxxxxxxx01" is associated with TEID "teid1", and IMSI "44020xxxxxxxxxxxx02" is associated with TEID "teid2". In this way, in the table of Fig. 3, each IMSI is associated with a TEID.

Since C-Plane packets contain an IMSI, the packet identifier 51 can identify the TEID that corresponds to that IMSI by referring to the table in FIG. 3. The packet identifier 51 can then identify the U-Plane packets that should be linked to each C-Plane packet by referring to the TEID contained in the U-Plane packets.

DPI servers 52-1 to 52-3 analyze the data of the associated C-Plane packets and U-Plane packets, and generate information necessary for analyzing the communication status. The generated information is supplied to, for example, a traffic monitor (not shown), and the communication status is analyzed.

(Network configuration: 5G)
Such analysis of the communication status of each user needs to be continued even if the core network becomes a fifth generation mobile communication system (5G). Figure 4 is a diagram showing an example of applying a conventional packet analysis system to a 5G core network. As shown in the figure, the 5G core network 40 includes network function units such as an AUSF (Authentication Server Function), an AMF (Access and Mobility Management Function), an NSSF (Network Slice Selection Function), an SMF (Session Management Function), a UDM (Unified Data Management), a PCF (Policy Control Function), and a UPF (User Plane Function).

The functions of the MME in the LTE core network 30 are mainly assigned to the AMF in the 5G core network 40. The functions of the S-GW in the LTE core network 30 are mainly assigned to the SMF and the UPF in the 5G core network 40. For this reason, in the 5G core network 40, U-Plane packets may be acquired from N3, which is a reference point relating to the connection between the gNodeB, which is a base station, and the UPF. On the other hand, in the 5G core network 40, C-Plane packets may be acquired, for example, from N11, which is a reference point relating to the connection between the AMF to which the gNodeB is connected, and the SMF.

On the other hand, compared to the initial release of LTE, after 5G support, the network function unit that executes processing related to the C-Plane and the network function unit that executes processing related to the U-Plane are clearly separated. Therefore, after 5G support, it is now possible to place the network function unit that executes processing related to the U-Plane separately from the network function unit that executes processing related to the C-Plane.

For example, UPF requires higher processing power than SMF. Therefore, when providing a low-latency communication service, the UPF function can be distributed and implemented in multiple devices. In particular, when providing a low-latency communication service, the server on the DN that handles the processing related to such a service is placed physically close to the user (or UE). Therefore, in order to improve the performance of the connection from the UE to the DN, it is preferable that the UPF is distributed and placed near the base station.

Therefore, in an actual 5G core network, for example, a configuration may be adopted in which multiple UPFs are deployed corresponding to gNodeBs. In this case, for example, the UPFs will be deployed in a data center different from the data center in which the AUSF, AMF, NSSF, SMF, UDM, PCF, etc. are deployed. As an example, for example, all network function units of the 5G core network 40 are deployed in the Tokyo data center, and the UPFs are deployed in the Sapporo data center, the Nagoya data center, and the Osaka data center.

In this case, N3, which is the reference point for connecting the base station gNodeB and the UPF, will be present in the Tokyo data center, the Sapporo data center, the Nagoya data center, and the Osaka data center. Therefore, in order to link C-Plane packets and U-Plane packets related to the same user, for example, U-Plane packets acquired in the Sapporo data center, the Nagoya data center, and the Osaka data center must be transferred at high speed to the packet identifier 51 in the Tokyo data center.

When the packet identifier 51 and the reference point N3 are located in the same data center, for example, by laying a dedicated optical fiber cable, the U-Plane packets acquired at the reference point N3 can be transferred to the packet identifier 51 at high speed. However, when the packet identifier 51 and the reference point N3 are located in different data centers, laying a dedicated optical fiber cable is unrealistic.

In addition, for example, when generating a table such as that shown in FIG. 3 in order to link C-Plane packets and U-Plane packets related to the same user, it is necessary to update the table to associate the IMSI with a TEID each time it is assigned. This increases the load due to the processing involved in updating the table, and high processing power is required of the packet identifier 51. Furthermore, since the size of the table that can be stored is limited, the number of C-Plane packets and U-Plane packets that can be linked is also limited.

First Embodiment
Next, a first embodiment of the present invention will be described. In the first embodiment, a session index is generated to link a C-Plane packet with a U-Plane packet. The session index is generated based on information contained in each of the C-Plane packet and the U-Plane packet, and is assigned to each of the C-Plane packet and the U-Plane packet. By combining the C-Plane packet and the U-Plane packet so that the session indexes match, it becomes possible to link the C-Plane packet and the U-Plane packet related to the same UE. In this case, for example, a table such as that shown in FIG. 3 is not required.

The method for generating a session index is explained with reference to Figures 5 to 9. Note that a session index is identification information that is assigned to each packet.

(U-Plane packets)
5 is a diagram showing components of a U-Plane packet. In this example, a U-Plane packet 300 includes an Ethernet header 301, an IP (outer) header 302, a UDP (outer) header 303, a tunneling protocol (GTPv1) header 304, an IP (inner) header 305, a UDP (inner) header 306, and a payload 307.

In the figure, "(outer)" and "(inner)" are used to distinguish the headers used in the tunneling protocol, with "(inner)" referring to the header of a packet encapsulated by the tunneling protocol, and "(outer)" referring to the header of a packet that stores the encapsulated packet. For example, the "(outer)" header is used for communication within the core network of the encapsulated packet, and the "(inner)" header is used for communication between the UE and DN of the packet in the U-Plane.

For U-Plane packets, the tunneling protocol used is, for example, GTP (General Packet Radio Service (GPRS) Tunneling Protocol) v1.

(C-Plane packets)
6 is a diagram showing components of a C-Plane packet corresponding to an LTE core network and obtainable at a reference point S11. In this example, a C-Plane packet 330 includes an Ethernet header 331, an IP header 332, a UDP header 333, a tunneling protocol (GTPv2) header 334, and a payload 337. The payload 377 is also called a GTP-C message.

For C-Plane packets, the tunneling protocol used is, for example, GTPv2.

The session index is generated based on the source (src) IP address, destination (dst) IP address, and TEID contained in each of the U-Plane and C-Plane packets.

Figure 7 is a diagram showing components of a C-Plane packet corresponding to a 5G core network and that can be acquired at reference point N2. NGAP (Next Generation Application Protocol) is used in communication between gNodeB and AMF. Details of NGAP are specified in detail, for example, in the 3GPP standard TS. 38.412.

In this example, a C-Plane packet 350 includes an Ethernet header 351, an IP header 352, an SCTP header 353, an NGAP header 354, and a payload 355. The NGAP header 354 and the payload 355 are also referred to as an NGAP Message.

Figure 8 is a diagram showing the components of a C-Plane packet corresponding to the 5G core network and that can be acquired at reference point N12. HTTP (Hypertext Transfer Protocol)/2 is used for communication between the AMF and the AUSF. Details of HTTP/2 are specified in detail, for example, in the 3GPP standard TS. 29.500.

In this example, a C-Plane packet 370 includes an Ethernet header 371, an IP header 372, a TCP header 373, an HTTP/2 header 374, and a payload 375. The payload 375 is also referred to as an application.

(Information required to generate a session index)
9 is a diagram for explaining an example of information required for generating a session index. In addition, "(uplink)" and "(downlink)" in the figure indicate the direction in which a packet is transmitted. "(uplink)" indicates the upward direction, that is, a packet from a UE or a base station to a core network, and "(downlink)" indicates the downward direction, that is, a packet from a core network to a UE or a base station.

As shown in the figure, the information required to generate a session index is the source IP address, destination IP address, and TEID, whether in the U-Plane or the C-Plane. However, the node that assigns the source, destination, and TEID differs depending on the direction in which the packet is sent.

(In the case of U-Plane)
As shown in the figure, in the case of a packet of the U-Plane (uplink), the source IP address means the IP address of the eNodeB or gNodeB. The destination IP address means the IP address of the S-GW, UPF, or SMF. The TEID means the TEID assigned by the S-GW, UPF, or SMF.

In addition, for U-Plane (downlink) packets, the source IP address means the IP address of the S-GW or UPF. The destination IP address means the IP address of the eNodeB or gNodeB. The TEID means the TEID assigned by the eNodeB or gNodeB.

For U-Plane packets, the source IP address and destination IP address are stored in the IP (outer) header 302 in Figure 5, and the TEID is stored in the GTPv1 header 304 in Figure 5.

(In the case of C-Plane)
In the case of a C-Plane (uplink) packet, as in the case of a U-Plane (uplink) packet, the source IP address means the IP address of the eNodeB or gNodeB. The destination IP address means the IP address of the S-GW, UPF, or SMF. The TEID means the TEID assigned by the S-GW, UPF, or SMF. That is, the payload of the C-Plane (uplink) packet contains the source IP address and destination IP address of the U-Plane (uplink) packet, as well as the TEID, and a session index is generated using these.

In addition, in the case of a C-Plane (downlink) packet, as in the case of a U-Plane (downlink) packet, the source IP address means the IP address of the S-GW or UPF. The destination IP address means the IP address of the eNodeB or gNodeB. The TEID means the TEID assigned by the eNodeB or gNodeB. In other words, the payload of a C-Plane (downlink) packet stores the source IP address and destination IP address of the U-Plane (downlink) packet, as well as the TEID, and a session index is generated using these.

(Packets that can be acquired in S11)
In the case of a C-Plane packet obtainable at reference point S11, the source IP address, destination IP address, and TEID are stored in the payload 337 in Fig. 6. That is, in the case of a C-Plane packet obtainable at reference point S11, the source IP address, destination IP address, and TEID of the U-Plane packet are stored in the information transmitted by the GTPv2 protocol.

The source IP address, destination IP address, and TEID are stored in the IE (Information Element) of "Fully Qualified Tunnel Endpoint Identifier" with IE Type Value 87 in payload 337. The storage location of each piece of information in the IE with IE Type Value 87 is described in detail in 3GPP standard TS 129 274 8.22 Fully Qualified TEID (F-TEID).

Figure 10 is a diagram explaining the encoding format of F-TEID defined in the standard TS 129 274 8.22. The source IP address and destination IP address required for generating the session index are stored in "IPv4 address" or "IPv6 address" in Figure 10. The TEID required for generating the session index is stored in "TEID / GRE Key" in Figure 10.

(Packets available on N2)
In the case of a C-Plane packet obtainable at reference point N2, the source IP address, destination IP address, and TEID are stored in the payload 355 in Fig. 7. That is, in the case of a C-Plane packet obtainable at reference point N2, the source IP address, destination IP address, and TEID are stored in the information transmitted by the NGAP protocol.

(Packets that can be acquired at N12)
In the case of a C-Plane packet obtainable at reference point N12, the source IP address, destination IP address, and TEID are stored in the payload 375 in Fig. 8. That is, in the case of a C-Plane packet obtainable at reference point N12, the source IP address, destination IP address, and TEID are stored in the information transmitted by the HTTP/2 protocol.

In addition, in 5G, various security measures are adopted from the viewpoint of countermeasures against security threats. Specifically, for example, SUPI (Subscription Permanent Identifier), which is a subscriber ID in 5G, is transmitted from the UE to the network as SUCI (Subscription Concealed Identifier), which is information in which SUPI is encrypted with a predetermined public key. As a result, in 5G, the subscriber ID is concealed. Therefore, even if a C-Plane packet is acquired from reference point N2, it is not possible to grasp the relationship with the user or UE that sent the packet. Therefore, SUCI is acquired from a packet related to authentication processing transmitted and received between AMF and AUSF, which is a C-Plane packet that can be acquired at reference point N12, and SUPI and KSEAF are acquired from a response packet to the request. This makes it possible, for example, in a monitoring device, to derive the SUPI from the SUCI contained in a C-Plane packet.

Note that SUPI, SUCI, and KSEAF are each stored in the payload portion of packets sent and received using the HTTP/2 protocol. For operators who design their networks so as not to perform the above-mentioned encryption, there is no need to derive SUPI from SUCI, and therefore acquisition of C-Plane packets at reference point N12 is not essential for such operators.

(Packet linking by session index)
If the communications relate to the same user, the source IP address and destination IP address stored in the IE with IE Type Value 87 in the payload 337 of the C-Plane (uplink) packet obtainable at reference point S11 match the source IP address and destination IP address stored in the IP (outer) header 302 of the U-Plane (uplink) packet, respectively. And the TEID stored in the IE with IE Type Value 87 in the payload 337 of the C-Plane (uplink) packet matches the TEID stored in the tunneling protocol header 304 of the U-Plane (uplink) packet.

Similarly, if the communication is related to the same user, the source IP address, destination IP address, and TEID stored in the payload 355 of the C-Plane (uplink) packet obtainable at reference point N2 match the source IP address, destination IP address, and TEID stored in the IP (outer) header 302 of the U-Plane (uplink) packet, and the TEID stored in the tunneling protocol header 304, respectively.

Furthermore, if the communication is related to the same user, the source IP address, destination IP address, and TEID stored in the payload 375 of the C-Plane (uplink) packet obtainable at reference point N12 match the source IP address, destination IP address, and TEID stored in the IP (outer) header 302 of the U-Plane (uplink) packet, and the TEID stored in the tunneling protocol header 304, respectively.

Furthermore, if the communication is related to the same user, the source IP address and destination IP address stored in the IE with IE Type Value 87 in the payload 337 of the C-Plane (downlink) packet obtainable at reference point S11 match the source IP address and destination IP address stored in the IP (outer) header 302 of the U-Plane (downlink) packet. And the TEID stored in the IE with IE Type Value 87 in the payload 337 of the C-Plane (downlink) packet matches the TEID stored in the tunneling protocol header 304 of the U-Plane (downlink) packet.

Similarly, if the communication is related to the same user, the source IP address, destination IP address, and TEID stored in the payload 355 of the C-Plane (downlink) packet obtainable at reference point N2 match the source IP address, destination IP address, and TEID stored in the IP (outer) header 302 of the U-Plane (downlink) packet, and the TEID stored in the tunneling protocol header 304, respectively.

Furthermore, if the communication is related to the same user, the source IP address, destination IP address, and TEID stored in the payload 375 of the C-Plane (downlink) packet obtainable at reference point N12 match the source IP address, destination IP address, and TEID stored in the IP (outer) header 302 of the U-Plane (downlink) packet, and the TEID stored in the tunneling protocol header 304, respectively.

Therefore, for example, by extracting the source IP address, destination IP address, and TEID from each packet and using their hash value as the session index of the packet, it is possible to identify packets of communication related to the same user. In other words, by identifying a C-Plane packet that has the same session index as the session index of a U-Plane packet, it is possible to link C-Plane packets and U-Plane packets related to the same user.

By analyzing the information stored in payload 307 of the U-Plane packet, it is possible to identify the data transmitted and received between the UE and the DN. Then, by analyzing the information stored in payload 337, payload 355, and payload 375 of the C-Plane packet linked to the U-Plane packet, it is possible to identify the UE and the behavior of the UE (e.g., handover, etc.). In this way, if the content of each user's communication can be identified, it is possible to perform a detailed analysis of the communication status.

Here, an example has been described in which a hash value of the source IP address, destination IP address, and TEID stored in each packet is calculated to be used as the session index for that packet, but the session index may be generated by a different calculation. That is, the session index may be generated by performing a predetermined calculation on the source IP address, destination IP address, and TEID stored in each packet. Specifically, for example, the session index may be the sum of the values of the source IP address, destination IP address, and TEID.

(Example of packet analysis system configuration)
11 is a block diagram showing an example of the configuration of a packet analysis system 200 according to this embodiment. The packet analysis system 200 shown in the figure is a system that acquires packets in a core network and analyzes the communication status. As shown in the figure, the packet analysis system 200 has an analysis device 201A and an analysis device 201B.

(Analysis Equipment)
For example, analysis device 201A and analysis device 201B may be located in different data centers. Also, the connection between analysis device 201A and analysis device 201B may be made using a dedicated line provided by a telecommunications carrier.

The analysis device 201A is a device that mainly executes processing related to packets in the C-Plane. The analysis device 201A has an acquisition unit 221A, a session identification unit 222A, and a linking unit 223A.

The analysis device 201B is a device that mainly executes processing related to packets in the U-Plane. The analysis device 201B has an acquisition unit 221B and a session identification unit 222B.

Acquisition unit 221A and session identification unit 222A may be functional blocks with the same configuration as acquisition unit 221B and session identification unit 222B. For example, when an acquisition unit of a certain analysis device is connected to a reference point for acquiring C-plane packets, it may function as acquisition unit 221A that acquires C-plane packets, and the session identification unit of the analysis device may function as session identification unit 222A. Also, when an analysis device is connected to a reference point for acquiring U-plane packets, it may function as acquisition unit 221B that acquires U-plane packets, and the session identification unit of the analysis device may function as session identification unit 222B.

In the following, unless there is a particular need to distinguish between them, acquisition unit 221A and acquisition unit 221B will be collectively referred to as acquisition unit 221, session identification unit 222A and session identification unit 222B will be collectively referred to as session identification unit 222, and linking unit 223A will be referred to as linking unit 223. Similarly, unless there is a particular need to distinguish between them, analysis device 201A and analysis device 201B will be collectively referred to as analysis device 201.

(Acquisition Department)
The acquisition unit 221 acquires packets of the C-Plane and packets of the U-Plane at a position corresponding to a predetermined reference point in the core network. The packets acquired by the acquisition unit 221 are supplied to the session identification unit 222.

(Session Identification Unit)
The session identification unit 222 extracts the source address, destination address, and TEID from the C-Plane packet and the U-Plane packet acquired by the acquisition unit 221, and extracts the source address, destination address, and TEID of the U-Plane packet from the information stored in the payload of the C-Plane packet acquired by the acquisition unit 221. Then, the session identification unit 222 generates identification information for identifying packets related to communication by each of a plurality of users based on the extracted source address, destination address, and TEID. Here, the identification information generated by the session identification unit 222 may be the above-mentioned session index.

The session index may be generated by performing a predetermined calculation on the source IP address, destination IP address, and TEID stored in each packet. As an example, a session index may be generated that includes a hash value of the source IP address, destination IP address, and TEID.

That is, the session identification unit 222A of the analysis device 201A extracts the source address, destination address, and TEID from the payload 227 in FIG. 6 in the C-Plane packet acquired by the acquisition unit 221A, and generates a session index. Also, the session identification unit 222B of the analysis device 201B extracts the source IP address and destination IP address from the IP (outer) header 302 in FIG. 5 in the U-Plane packet acquired by the acquisition unit 221B, and extracts the TEID from the tunneling protocol header 304, and generates a session index.

The session identification unit 222, for example, assigns the generated identification information (session index) to the C-Plane packets and U-Plane packets acquired by the acquisition unit 221 and supplies them to the linking unit 223.

Depending on the operational status of the core network and packet analysis system 200, U-Plane packets may occur that cannot be linked to C-Plane packets. Specifically, for example, a period may occur during which C-Plane packets cannot be acquired due to maintenance of analysis device 201A. In such a case, the core network is operating normally and the UE can establish a connection with the DN, so acquisition unit 221B of analysis device 201B acquires U-Plane packets as usual. In such a case, since no C-Plane packets exist on packet analysis system 200, U-Plane packets occur that cannot be linked to C-Plane packets.

For example, if there are no C-Plane packets (i.e., a session index cannot be generated), the analysis device 201B may be configured not to transmit the U-Plane packets acquired by the acquisition unit 221B to the analysis device 201A.

In the example of FIG. 11, the information output from the session identification unit 222B of the analysis device 201B is configured to be supplied to the linking unit 223A of the analysis device 201A together with the information output from the session identification unit 222A of the analysis device 201A.

(Linking section)
The linking unit 223 links the C-Plane packet and the U-Plane packet based on the session index. That is, the linking unit 223 links the session index given to the C-Plane packet with the U-Plane to which the same session index is given. This makes it possible to identify data related to communication of the same UE and obtain information necessary for analyzing the communication status.

As described below, the recording device 202 records sequence information in association with each pair of a C-Plane packet and a U-Plane packet linked by the linking unit 223. The sequence information may be, for example, the transmission time or reception time of the packet, or the sequence number of the packet. In short, it is sufficient that information for identifying the order in which packets were transmitted and received is associated with each pair of a C-Plane packet and a U-Plane packet.

The monitor device 203 performs a detailed analysis of the communication status by referring to each pair of C-Plane packets and U-Plane packets that are associated with sequence information. This allows the calculation of, for example, index values related to KPIs and index values related to the degree of improvement in user satisfaction.

The recording device 202 may be configured, for example, as an integrated unit with the analysis device 201A, or as an integrated unit with the monitor device 203.

In the above example, it has been described that the session identification unit 222 generates a session index based on the extracted source address, destination address, and TEID, but the session identification unit 222 may not generate a session index. In this case, the session identification unit 222 may supply the C-Plane packets and U-Plane packets acquired by the acquisition unit 221 to the linking unit 223 together with the source address, destination address, and TEID. The linking unit 223 may then link the C-Plane packets and U-Plane packets based on the source address, destination address, and TEID.

.
Here, when linking packets in the C-Plane and packets in the U-Plane, there may be cases where the source address, destination address, and TEID of packets acquired from different UEs overlap. More specifically, for example, when packets collected over a certain period of time are linked at once, there may be cases where the source address, destination address, and TEID of packets acquired from different UEs overlap. According to the provisions of the 3GPP standard, in one network function (NE), processing is performed so that TEIDs do not overlap. However, when a user or UE that used one TEID ends communication, the TEID may be reused by another user or UE. Therefore, when linking packets collected over a certain period of time at once, it is possible to determine whether the packets are packets of the same user or packets of different users by referring to the order information in addition to the source address, destination address, and TEID.

(Arrangement of analysis equipment)
11, one analysis device 201B is provided for one analysis device 201A, but in reality, multiple analysis devices 201B may be provided for one analysis device 201A. That is, for a combination of an acquisition unit 221A and a session identification unit 222A related to packets in the C-Plane, multiple combinations of an acquisition unit 221B and a session identification unit 222B related to packets in the U-Plane may be provided.

For example, in a 5G core network, when providing a low-latency communication service, the UPF function may be distributed and implemented in multiple devices. In particular, when providing a low-latency communication service, it is preferable that the UPFs are distributed and placed near the base station in order to improve the performance of the connection from the UE to the DN. Depending on the network operation mode and the service provision mode, the UPF may be placed near the server on the DN.

Therefore, in an actual 5G core network, for example, a configuration may be adopted in which multiple UPFs are deployed corresponding to gNodeBs or servers on a DN. For example, a UPF may be deployed in a data center different from the data center in which the AUSF, AMF, NSSF, SMF, UDM, PCF, etc. are deployed.

In this case, analysis device 201A is placed in a data center where AUSF, AMF, NSSF, SMF, UDM, PCF, etc. are placed, and analysis device 201B is placed in a data center where UPF is placed.

As described above, when multiple UPFs are arranged corresponding to multiple gNodeBs or servers on the DN, multiple data centers are prepared near each of the multiple gNodeBs (base stations) or servers on the DN, and the analysis device 201B is arranged in each of the multiple data centers together with the UPFs. In other words, the acquisition unit 221B and session identification unit 222B related to packets in the U-Plane may be arranged in the vicinity of the base station.

On the other hand, for example, when the packet analysis system 200 according to this embodiment is used in an LTE core network, if the MME and S-GW are arranged in the same data center, the analysis device 201A and the analysis device 201B may be arranged in the same data center. Similarly, even when the packet analysis system 200 according to this embodiment is used in a 5G core network, if the UPF is also arranged in a data center where the AUSF, AMF, NSSF, SMF, UDM, PCF, etc. are arranged, the analysis device 201A and the analysis device 201B may be arranged in the same data center.

When analysis device 201A and analysis device 201B are located in the same data center, the connection between analysis device 201A and analysis device 201B may be made, for example, by an optical fiber cable (it is not necessary to use a dedicated line provided by a telecommunications carrier).

(Packet acquisition position: LTE)
12 is a diagram for explaining an example of a packet acquisition position of a C-Plane corresponding to an LTE core network and a packet acquisition position of a U-Plane in this embodiment. In the figure, each network function unit and base station of the core network are displayed by a rectangle, and a reference point related to the packet acquisition position is displayed as a character and a number surrounded by a circle.

In the example of FIG. 12, analysis device 201A acquires packets in the C-Plane at reference point S11 between the MME and the S-GW. Also, analysis device 201B acquires packets in the U-Plane at reference point S1-U between the eNodeB and the S-GW.

In other words, if the core network is a core network in an LTE communication network, the acquisition unit 221 acquires C-Plane packets from reference point S11 and acquires U-Plane packets from reference point S1-U.

In FIG. 12, analysis device 201A and analysis device 201B may be, for example, concentrated and placed in the same data center, or may be distributed and placed in separate data centers.

(Classification of packets by message type)
Of the packets acquired at reference point S11, only those that satisfy a predetermined condition may be supplied to session identification unit 222. For example, by referring to the message type of C-Plane packets that can be acquired at reference point S11, only packets of a predetermined message type may be supplied to session identification unit 222. The message type is information stored in tunneling protocol header 334.

Figure 13 is a diagram showing a list of message types of packets to be supplied to the session identification unit 222. The diagram shows the message type number and the message type corresponding to the message type number. The message type is information indicating the behavior of the UE (e.g., handover, etc.), and by referring to the message type, it is possible to classify packets into those necessary for analyzing the communication status in the downstream monitoring device 203 and those that are not necessary.

As shown in FIG. 13, packets whose message type number stored in the tunneling protocol header 334 is any of 32, 33, 34, ... 171, 176, and 177 are classified as packets necessary for analysis of the communication status in the downstream monitoring device 203. On the other hand, packets whose message type number stored in the tunneling protocol header 334 is other than the message type numbers shown in FIG. 13 are classified as packets not necessary for analysis of the communication status in the downstream monitoring device 203.

In this way, the acquisition unit 221 may refer to the message type of the C-Plane packets acquired from the reference point S11, classify the packets into a first type of packets (packets necessary for analyzing the communication status) and a second type of packets (unnecessary packets), and supply only packets classified as the first type to the session identification unit 222.

(Classification of packets by IE)
Packets of any of the message types shown in Fig. 13 may be further classified into necessary packets and unnecessary packets by referring to the IE in the payload 337. Fig. 14 is a diagram showing a list of IEs referred to at this time. In the diagram, IE Type Value and IE (Information Element) corresponding to the IE Type Value are shown.

For example, a list of values (or ranges) to be compared with the values stored in the IEs corresponding to IE Type Value 1, 2, 3, ... 87, 93, 97 is created in advance. For example, a value to be compared with the value stored in the IE of IE Type Value 1 is set in advance, and if it matches the value stored in the IE of IE Type Value 1, the packet is treated as a necessary packet and subsequent processing is performed, and if it does not match, the packet is treated as an unnecessary packet and is not subject to subsequent processing. Note that a flag indicating whether it is necessary or unnecessary may be assigned to each packet, or only necessary packets may be stored, and unnecessary packets may be discarded.

In addition, the range of values to be compared with the value stored in the IE IE Type Value2 is set in advance, and if the value stored in the IE IE Type Value1 is within this range, the packet is treated as a necessary packet and subsequent processing is performed, and if it is outside the range, the packet is treated as an unnecessary packet and is not subject to subsequent processing.

The same process is performed for IE Type Value 3, ... 87, 93, 97, and it is determined whether the packet is necessary or unnecessary for the downstream monitor device 203 to analyze the communication status.

In this way, the acquisition unit 221 may supply only those packets that satisfy a predetermined condition among those acquired at the reference point S11 to the session identification unit 222. That is, the acquisition unit 221 may refer to the value of a predetermined IE (Information Element) stored in a packet classified as the first type by referring to the message type as described above, to further classify the packets into a third type packet and a fourth type packet, and supply only packets classified as the third type to the session identification unit 222.

Alternatively, the acquisition unit 221 may extract values stored in the IEs corresponding to IE Type Value 1, 2, 3, ... 87, 93, 97 from a packet of any of the message types shown in FIG. 13, and supply these values to the session identification unit 222 together with the packet. That is, each of the IEs shown in FIG. 14 may be supplied to the subsequent session identification unit 222 and monitor device 203 as information required for analyzing the communication status. In this case, there is no need to further classify packets classified as packets required for analyzing the communication status by referring to the message type.

(Packet acquisition location: 5G)
15 is a diagram illustrating an example of the acquisition position of a packet in the C-Plane corresponding to the 5G core network and the acquisition position of a packet in the U-Plane in this embodiment. In the figure, each network function unit and base station of the core network are displayed by a rectangle, and the reference point related to the acquisition position of the packet is displayed as a character and a number surrounded by a circle.

In the example of FIG. 15, analysis device 201A acquires C-Plane packets at reference point N2 between gNodeB and AMF, and at reference point N12 between AMF and AUSF. Furthermore, analysis device 201B acquires U-Plane packets at reference point N3 between gNodeB and UPF.

In the case of a 5G core network, it is also possible to acquire C-Plane packets at reference point N11 between the AMF and the SMF. However, in the case of a 5G core network, a header compression method called HPACK is adopted for communication between the AMF and the SMF.

In the case of communication employing HPACK, the index number changes even if a retransmission occurs due to, for example, packet loss. Nodes other than the node that requested the retransmission cannot determine which packet is being retransmitted, so if an attempt is made to restore a header compressed by HPACK according to the index number, the header may not be restored correctly. In other words, since analysis device 201A is not the node that requested the retransmission, it may not be able to restore a header compressed by HPACK correctly. For this reason, in this embodiment, acquisition unit 221 does not acquire C-Plane packets at reference point N11, but acquires C-Plane packets at reference point N2.

In a 5G core network that does not use HPACK, C-Plane packets may be acquired at reference point N11. In this case, there is no need to acquire C-Plane packets at reference point N2.

In addition, in the case of a 5G core network, the IMSI in the C-Plane packets is encrypted, and the encrypted IMSI needs to be decrypted in order to analyze the communication status in the downstream monitoring device 203. For this reason, in this embodiment, the acquisition unit 221 acquires C-Plane packets at reference point N12 between AMF and AUSF. At reference point N12, the acquisition unit 221 acquires packets corresponding to scheme 2, scheme 7, scheme 12, and scheme 14 among the schemes defined in /nausf-auth/v1/ue-authentications.

In this way, when the core network is a core network in a 5G communication network, the acquisition unit 221 acquires C-Plane packets from reference point N2 and reference point N12, and acquires U-Plane packets from reference point N3.

In FIG. 15, analysis device 201A and analysis device 201B may be, for example, concentrated and placed in the same data center, or may be distributed and placed in separate data centers.

(Classification of packets by procedure code)
Of the packets acquired at reference point N2, only those that satisfy a predetermined condition may be supplied to session identification unit 222. For example, by referring to the procedure code of C-Plane packets that can be acquired at N2, only packets with a predetermined procedure code may be acquired. The procedure code is information stored in payload 355 in FIG. 7.

Figure 16 is a diagram showing a list of procedure codes for packets to be supplied to the session identification unit 222. The diagram shows the procedure code and the code name corresponding to the procedure code. The procedure code is information indicating the behavior of the UE, similar to the message type in Figure 13, and by referring to the procedure code, it is possible to classify packets into those necessary for analyzing the communication status in the downstream monitoring device 203 and those that are not necessary.

As shown in FIG. 16, packets with a procedure code of 4, 11, 12, ..., 41, 42, 46 are classified as packets necessary for analysis of the communication status in the downstream monitoring device 203. On the other hand, packets with procedure codes other than those shown in FIG. 16 are classified as packets not necessary for analysis of the communication status in the downstream monitoring device 203.

In this way, the acquisition unit 221 may refer to the procedure code of the C-Plane packets acquired from reference point N2, classify the packets into a first type of packets (packets necessary for analyzing the communication status) and a second type of packets (unnecessary packets), and supply only packets classified as the first type to the session identification unit 222.

(Packet acquisition position: 5G interworking)
17 is a diagram illustrating another example of the packet acquisition position of the C-Plane corresponding to the 5G core network and the packet acquisition position of the U-Plane in this embodiment. In the figure, each network function unit and base station of the core network are displayed by a rectangle, and the reference point related to the packet acquisition position is displayed as a character and a number surrounded by a circle.

In the case of FIG. 17, unlike the example of FIG. 15, the acquisition position related to the 5G core network having an interworking function between 5GC and EPC (Evolved Packet Core) is explained. The configuration of such a 5G core network is shown in the 3GPP standard TS 123 501 4.3 "Interworking with EPC".

In the example of Figure 17, in addition to the configuration of Figure 15, an MME and an eNodeB are included. Furthermore, in the case of a 5G core network that has an interworking function between 5GC and EPC, the functions of the S-GW and P-GW are implemented in a server that performs the functions of the SMF or UPF. In the example of Figure 17, it is assumed that the functions of the S-GW are implemented in a server that performs the functions of the UPF.

In the example of FIG. 17, analysis device 201A acquires C-Plane packets at reference point N2 between gNodeB and AMF, and at reference point N12 between AMF and AUSF, and further at reference point N26 between MME and AMF. Furthermore, analysis device 201A acquires C-Plane packets at reference point S11 between MME and UPF. Note that the UPF in FIG. 17 is a server that performs the functions of UPF, and implements the functions of S-GW. Therefore, it can be said that reference point S11 related to the acquisition of C-Plane packets is actually a reference point between MME and S-GW.

In the example of FIG. 17, U-Plane packets are acquired by analysis device 201B at reference point N3 between gNodeB and UPF. Furthermore, U-Plane packets are acquired by analysis device 201B at reference point S1-U between eNodeB and UPF (actually S-GW).

Reference points S11 and S1-U are the same as those described above with reference to FIG. 12. Reference points N2, N12, and N3 are the same as those described above with reference to FIG. 15.

In mobile communications such as LTE and 5G, information is encrypted during communication. For example, consider a case where a UE is connected to a gNodeB, then handed over to an eNodeB, and then handed over again to reconnect to the gNodeB. In this case, the encryption key changes when the UE is connected to the eNodeB, so when the UE reconnects to the gNodeB, the encryption key that was used immediately before must be obtained from the MME. For this reason, it is necessary for analysis device 201A to obtain C-Plane packets at reference point N26.

In FIG. 17, analysis device 201A and analysis device 201B may be, for example, concentrated and placed in the same data center, or may be distributed and placed in separate data centers.

(Packet analysis processing)
Next, a description will be given of an example of packet analysis processing by the packet analysis system 200 of Fig. 11. Fig. 18 is a flowchart illustrating an example of the flow of the packet analysis processing.

In step S101, the acquisition unit 221A of the analysis device 201A acquires packets in the C-Plane. At this time, if the core network is a core network in an LTE communication network, the packets in the C-Plane are acquired at the reference point S11 between the MME and the S-GW, as described above with reference to FIG. 12.

When the core network is a core network in a 5G communication network, as described above with reference to FIG. 15, C-Plane packets are acquired from reference points N2 and N12 between the gNodeB and the AMF. At reference point N12, packets corresponding to scheme 2, scheme 7, scheme 12, and scheme 14 among the schemes defined in /nausf-auth/v1/ue-authentications are acquired by acquisition unit 221.

Furthermore, when the core network is a core network in a 5G communication network and has an interworking function between 5GC and EPC, as described above with reference to FIG. 17, C-Plane packets are acquired at reference point N2, reference point N12, and reference point N26 between the MME and the AMF. Furthermore, C-Plane packets are acquired at reference point S11 between the MME and the UPF (actually the S-GW).

The packet acquired by the acquisition unit 221 in step S101 is supplied to the session identification unit 222.

As described above with reference to FIG. 13, only packets that satisfy a predetermined condition among packets acquired at reference point S11 may be supplied to the session identification unit 222. For example, the Message Type of C-Plane packets that can be acquired at S11 may be referenced, and only packets of a predetermined message type may be supplied to the session identification unit 222. As described above with reference to FIG. 14, the packets may be further classified by referring to an IE in the payload 337, and only packets that satisfy a predetermined condition among packets acquired at reference point S11 may be supplied to the session identification unit 222.

Also, as described above with reference to FIG. 16, among the packets acquired at reference point N2, only those that satisfy a predetermined condition may be supplied to the session identification unit 222. For example, the procedure code of the C-Plane packets that can be acquired at N2 may be referenced, and only packets with a predetermined procedure code may be supplied to the session identification unit 222.

In step S102, the acquisition unit 221B of the analysis device 201B acquires packets in the U-Plane. At this time, if the core network is a core network in an LTE communication network, the packets in the U-Plane are acquired at the reference point S1-U between the eNodeB and the S-GW, as described above with reference to FIG. 12.

Furthermore, when the core network is a core network in a 5G communication network, as described above with reference to FIG. 15, U-Plane packets are acquired by the acquisition unit 221B of the analysis device 201B at the reference point N3 between the gNodeB and the UPF.

Furthermore, when the core network is a core network in a 5G communication network and has an interworking function between 5GC and EPC, packets of the U-Plane are acquired by the analysis device 201B at reference point N3 and reference point S1-U, as described above with reference to FIG. 17.

In step S103, the session identification unit 222 extracts the source address, destination address, and TEID from the C-Plane packets and U-Plane packets acquired by the acquisition unit 221.

That is, the session identification unit 222A of the analysis device 201A extracts the source address, destination address, and TEID from the C-Plane packet acquired by the acquisition unit 221A.

At this time, when the acquisition unit 221A acquires a C-Plane packet from reference point S11, the source IP address, destination IP address, and TEID are extracted from the IE with an IE Type Value of 87 in payload 337 in FIG. 6. Also, when the acquisition unit 221A acquires a C-Plane packet from reference point N2, the source IP address, destination IP address, and TEID stored in payload 355 in FIG. 7 are extracted. Furthermore, when the acquisition unit 221A acquires a C-Plane packet from reference point N12, the source IP address, destination IP address, and TEID stored in payload 375 in FIG. 8 are extracted.

The session identification unit 222B of the analysis device 201B also extracts the source address, destination address, and TEID from the U-Plane packet acquired by the acquisition unit 221B. At this time, as described above, the source IP address and destination IP address are extracted from the IP (outer) header 302 in FIG. 5, and the TEID is extracted from the tunneling protocol header 304.

In step S104, the session identification unit 222 generates a session index, which is identification information for identifying packets related to communication by each of multiple users, based on the source address, destination address, and TEID extracted in the processing of step S103. That is, the session identification unit 222A of the analysis device 201A generates a session index for the C-Plane packets acquired by the acquisition unit 221A, and the session identification unit 222B of the analysis device 201B generates a session index for the U-Plane packets acquired by the acquisition unit 221B.

The session index may be generated by performing a predetermined calculation on the source IP address, destination IP address, and TEID stored in each packet. As an example, a session index is generated that includes a hash value of the source IP address, destination IP address, and TEID.

The session identification unit 222 supplies the C-Plane packets and U-Plane packets acquired by the acquisition unit 221 to the linking unit 223 together with the generated session index.

In step S105, the linking unit 223 links the C-Plane packets and the U-Plane packets based on the session index.

At this time, for example, the session index of the C-Plane packet supplied from the session identification unit 222A of the analysis device 201A is compared with the session index of the U-Plane packet supplied from the session identification unit 222B of the analysis device 201B. Then, the U-Plane packet having the same session index as the session index of the C-Plane packet is linked to the C-plane packet. This makes it possible to identify data related to communications of the same user and obtain information necessary for analyzing the communication status.

In step S106, the recording device 202 records sequence information in association with each pair of a C-Plane packet and a U-Plane packet that are linked by the processing in step S105. The sequence information may be, for example, the transmission time or reception time of the packet, or the sequence number of the packet.

In step S107, the monitoring device 203 performs a detailed analysis of the communication status by referring to each pair of C-Plane packets and U-Plane packets whose sequence information has been associated by the processing in step S106. This allows, for example, the calculation of index values related to KPIs.

This is how the packet analysis process is carried out.

(Effects of the embodiment)
According to this embodiment, even if a configuration is adopted in which multiple UPFs are deployed corresponding to a base station, which is a gNodeB, it is possible to efficiently obtain information necessary for analyzing communication conditions.

In this embodiment, as described above, C-Plane packets and U-Plane packets are linked by a session index. Therefore, even if N3, which is the reference point for connecting gNodeB and UPF, is distributed in different data centers, there is no need to lay a dedicated optical fiber cable to transfer U-Plane packets acquired by N3 at high speed.

In addition, in this embodiment, for example, a table that associates TEID with IMSI is not required, so the processing load of the device can be reduced. Furthermore, the number of C-Plane packets and U-Plane packets that can be linked is not limited by the size of the table, so communication conditions can be analyzed using large amounts of data.

In this way, according to this embodiment, even if the core network configuration becomes complex, it is possible to obtain a large amount of data necessary to understand the communication situation in a timely manner.

Second Embodiment
11, the configuration has been described in which analysis device 201A has acquisition unit 221A, session identification unit 222A, and linking unit 223A, and analysis device 201B has acquisition unit 221B and session identification unit 222B. However, analysis device 201A and analysis device 201B may be devices with the same configuration.

For example, analysis device 201B may be provided with linking unit 223B, which is a functional block having the same configuration as linking unit 223A. In other words, multiple analysis devices 201 having the same configuration may be prepared, and one of them may be used as analysis device 201A and the others may be used as analysis device 201B.

In this case, the linking unit 223B of the analysis device 201B is not operated, and the packets in the C-Plane and the packets in the U-Plane are linked in the linking unit 223A of the analysis device 201A.
Third Embodiment

In the above embodiment, it has been explained that the linking unit 223A in the analysis device 201A links packets in the C-Plane with packets in the U-Plane. This is because linking is performed in the analysis device 201A, which is centrally located, rather than in the analysis device 201B, which may be distributed, thereby improving the maintainability of the entire packet analysis system 200.

However, the linking unit 223B in the analysis device 201B may link packets in the C-Plane and packets in the U-Plane. For example, the linking unit 223B in the analysis device 201B may be operated, while the linking unit 223A in the analysis device 201A may not be operated. Alternatively, only the analysis device 201B may have the linking unit B, and no linking unit may be provided in the analysis device 201A.

Since C-Plane packets are packets related to the control of UE on the network, and U-Plane packets are packets including websites viewed by users and voice data during calls, generally, U-Plane packets tend to have a larger data size than C-Plane packets. Here, if the linking is performed in analysis device 201B, it is only necessary to transfer C-Plane packets, which have a relatively small data size, from analysis device 201A to analysis device 201B, and the communication load between analysis device 201A and analysis device 201B can be reduced.
<Other embodiments>
In the above-described embodiment, an example in which one analysis device 201B is provided for one analysis device 201A, and an example in which multiple analysis devices 201B are provided for one analysis device 201A have been described, but the present invention is not limited to these. For example, multiple analysis devices 201A can be provided for one analysis device 201B.

<Example of software implementation>
The above-mentioned analysis device 201 is a program for causing a computer to function, and can be realized by a program for causing a computer to function as the analysis device 201. In this case, the analysis device 201 includes a computer having at least one control device (e.g., a processor) and at least one storage device (e.g., a memory) as hardware for executing the above-mentioned program. An example of such a computer is shown in FIG. 19.

The computer 500 includes at least one processor 501 and at least one memory 502. The memory 502 stores a program 520 for causing the computer 500 to operate as the analysis device 201. In the computer 500, the processor 501 reads and executes the program 520 from the memory 502, thereby realizing each function of the analysis device 201.

The processor 501 may be, for example, a CPU (Central Processing Unit), a GPU (Graphic Processing Unit), a DSP (Digital Signal Processor), an MPU (Micro Processing Unit), an FPU (Floating point number Processing Unit), a PPU (Physics Processing Unit), a microcontroller, or a combination of these.

For example, the memory 502 may be a flash memory, a hard disk drive (HDD), a solid state drive (SSD), or a combination of these.

The computer 500 may further include a RAM (Random Access Memory) for expanding the program 520 during execution and for temporarily storing various data. The computer 500 may further include a communication interface for transmitting and receiving data to and from other devices. The computer 500 may further include an input/output interface for connecting input/output devices such as a keyboard, mouse, display, and printer.

The program 520 for causing the computer 500 to operate as the analysis device 201 can be recorded on a non-transitory, tangible recording medium 530 that can be read by the computer 500. For example, a tape, a disk, a card, a semiconductor memory, or a programmable logic circuit can be used as such a recording medium 530. The computer 500 can obtain the program 520 via such a recording medium 530.

The program 520 for operating the computer 500 as the analysis device 201 can be transmitted via a transmission medium. For example, a communication network or broadcast waves can be used as such a transmission medium. The computer 500 can also acquire the program 520 via such a transmission medium.

In addition, some or all of the functions of the analysis device 201 can be realized by logic circuits. For example, an integrated circuit in which a logic circuit that functions as each of the above control blocks is formed is also included in the scope of the present invention. In addition, it is also possible to realize the functions of each of the above control blocks by, for example, a quantum computer.

According to each aspect of the present invention described above, the above-mentioned effects can be achieved, thereby contributing to the achievement of Goal 9 of the Sustainable Development Goals (SDGs), "Build resilient infrastructure, promote inclusive and sustainable industrialization and innovation."

The present invention is not limited to the above-described embodiments, and various modifications are possible within the scope of the claims. The technical scope of the present invention also includes embodiments obtained by appropriately combining the technical means disclosed in the different embodiments.

〔summary〕
The information processing system according to aspect 1 of the present invention includes an acquisition unit that acquires C-Plane packets and U-Plane packets from a core network, an extraction unit that extracts a source address, a destination address, and a TEID (Tunnel Endpoint Identifier) from the U-Plane packets acquired by the acquisition unit, and extracts the source address, destination address, and TEID of the U-Plane packets from information stored in the payload of the C-Plane packets acquired by the acquisition unit, and a linking unit that links the C-Plane packets and U-Plane packets based on the source address, destination address, and TEID extracted by the extraction unit.

In the information processing system according to aspect 2 of the present invention, in the above aspect 1, the core network is a core network in a 5G communication network, and the acquisition unit acquires C-Plane packets from reference point N2 and reference point N12, and acquires U-Plane packets from reference point N3.

In the information processing system according to aspect 3 of the present invention, in the above aspect 2, the acquisition unit further acquires C-Plane packets from reference point N26.

In the information processing system according to aspect 4 of the present invention, in the above aspect 2 or 3, the acquisition unit classifies C-Plane packets acquired from reference point N2 into a first type of packet and a second type of packet by referring to the procedure code of the packet, and supplies only the packets classified into the first type to the extraction unit.

In the information processing system according to aspect 5 of the present invention, in the above aspect 1, the core network is a core network in an LTE communication network, and the acquisition unit acquires C-Plane packets from reference point S11 and U-Plane packets from reference point S1-U.

In the information processing system according to aspect 6 of the present invention, in the above aspect 5, the acquisition unit classifies C-Plane packets acquired from reference point S11 into a first type of packet and a second type of packet by referring to the message type of the packet, and supplies only the packets classified into the first type to the extraction unit.

In the information processing system according to aspect 7 of the present invention, in the above aspect 6, the acquisition unit further classifies packets classified as the first type into packets of a third type and packets of a fourth type by referring to a value of a predetermined IE (Information Element) stored in the packets, and supplies only packets classified as the third type to the extraction unit.

In the information processing system according to aspect 8 of the present invention, in the above aspects 1 to 7, the extraction unit generates identification information for identifying packets related to communications by each of multiple users based on the extracted source address, destination address, and TEID, and the linking unit links the packets of the C-Plane and the packets of the U-Plane based on the identification information.

In the information processing system according to aspect 9 of the present invention, in the above aspect 8, the identification information includes a hash value of the source address, the destination address, and the TEID.

The information processing system according to aspect 10 of the present invention, in the above aspects 1 to 9, has a first acquisition unit and a first extraction unit related to packets in the C-Plane, and a second acquisition unit and a second extraction unit related to packets in the U-Plane, and for one combination of the first acquisition unit and the first extraction unit, multiple combinations of the second acquisition unit and the second extraction unit are provided, and the second acquisition unit and the second extraction unit are arranged in close proximity to a base station.

The information processing method according to aspect 11 of the present invention includes the steps of acquiring C-Plane packets and U-Plane packets from a core network, extracting a source address, a destination address, and a TEID from the acquired U-Plane packets, and extracting the source address, destination address, and TEID of the U-Plane packets from information stored in the payload of the acquired C-Plane packets, and linking the C-Plane packets and U-Plane packets based on the extracted source address, destination address, and TEID.

The program according to aspect 12 of the present invention causes a computer to execute information processing including the steps of acquiring C-Plane packets and U-Plane packets from a core network, extracting a source address, a destination address, and a TEID from the acquired U-Plane packets, and extracting the source address, destination address, and TEID of the U-Plane packets from information stored in the payload of the acquired C-Plane packets, and linking the C-Plane packets and U-Plane packets based on the extracted source address, destination address, and TEID.

200 Packet analysis system 201 Analysis device 202 Recording device 203 Monitor device 221 Acquisition unit 222 Session identification unit 223 Linking unit

Claims (12)

an acquisition unit that acquires packets of a C-Plane and packets of a U-Plane from a core network;
an extraction unit that extracts a source address, a destination address, and a TEID (Tunnel Endpoint Identifier) from the U-Plane packet acquired by the acquisition unit, and extracts the source address, destination address, and TEID of the U-Plane packet from information stored in a payload of the C-Plane packet acquired by the acquisition unit;
and a linking unit that links the C-Plane packet with the U-Plane packet based on the source address, destination address, and TEID extracted by the extraction unit. The core network is a core network in a 5G communication network,
2. The information processing system according to claim 1, wherein the acquisition unit acquires C-Plane packets from reference point N2 and reference point N12, and acquires U-Plane packets from reference point N3. The information processing system according to claim 2 , wherein the acquisition unit further acquires packets of the C-Plane from a reference point N26. 3. The information processing system according to claim 2, wherein the acquisition unit classifies C-Plane packets acquired from the reference point N2 into a first type packet and a second type packet by referring to a procedure code of the packet, and supplies only the packets classified into the first type to the extraction unit. The core network is a core network in an LTE communication network,
2. The information processing system according to claim 1, wherein the acquisition unit acquires packets in the C-Plane from a reference point S11, and acquires packets in the U-Plane from a reference point S1-U. The information processing system according to claim 5, wherein the acquisition unit classifies C-Plane packets acquired from reference point S11 into a first type packet and a second type packet by referring to a message type of the packet, and supplies only packets classified into the first type to the extraction unit. 7. The information processing system according to claim 6, wherein the acquisition unit further classifies the packets classified into the first type into packets of a third type and packets of a fourth type by referring to a value of a predetermined IE (Information Element) stored in the packets, and supplies only the packets classified into the third type to the extraction unit. the extraction unit generates identification information for identifying packets related to communications by each of a plurality of users, based on the extracted source address, destination address, and TEID;
The information processing system according to claim 1 , wherein the linking unit links the packets in the C-Plane and the packets in the U-Plane based on the identification information. The information processing system according to claim 8 , wherein the identification information includes a hash value of the source address, the destination address, and the TEID. A first acquisition unit and a first extraction unit related to packets of the C-Plane;
A second acquisition unit and a second extraction unit related to packets of the U-Plane,
The information processing system according to claim 7 , wherein a plurality of combinations of the second acquisition unit and the second extraction unit are provided for one combination of the first acquisition unit and the first extraction unit. acquiring packets of a C-Plane and packets of a U-Plane from a core network;
extracting a source address, a destination address, and a TEID from the acquired U-Plane packet, and extracting a source address, a destination address, and a TEID of the U-Plane packet from information stored in a payload of the acquired C-Plane packet;
and a step of linking the C-Plane packet with the U-Plane packet based on the extracted source address, destination address, and TEID. On the computer,
acquiring packets of a C-Plane and packets of a U-Plane from a core network;
extracting a source address, a destination address, and a TEID from the acquired U-Plane packet, and extracting a source address, a destination address, and a TEID of the U-Plane packet from information stored in a payload of the acquired C-Plane packet;
and a step of linking the C-Plane packet with the U-Plane packet based on the extracted source address, destination address, and TEID.

Images