CN114867028A - Protection method, device and network equipment for counterfeit attack - Google Patents


Info

Publication number
CN114867028A
Authority
CN
China
Prior art keywords
imsi
terminal
flow
service
blacklist
Legal status
Pending
Application number
CN202110151293.3A
Other languages
Chinese (zh)
Inventor
王峰生
王黎明
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0022 Control or signalling for completing the hand-off for data sessions of end-to-end connection for transferring data sessions between adjacent core network technologies

Abstract

The invention provides a protection method, a device and network equipment for counterfeit attacks, and relates to the technical field of core network security. The method comprises the following steps: sending an identification request message carrying a first international mobile subscriber identity (IMSI) to a terminal; receiving an identification response message, sent by the terminal based on the identification request message, that carries a second IMSI; and, when the second IMSI is inconsistent with the first IMSI, rejecting the service flow of the terminal if the second IMSI is in a blacklist. The scheme of the invention solves the problem of low service security caused by hijacking of called services.

Description

Protection method, device and network equipment for counterfeit attack
Technical Field
The present invention relates to the field of core network security technologies, and in particular, to a protection method, an apparatus, and a network device for counterfeit attacks.
Background
As Global System for Mobile communications (GSM) technology has matured, attack reports and incidents targeting the GSM system have increased, and one of the threats commonly mentioned in these reports is the hijacking of called services (calls or short messages).
The called-service hijacking in GSM works as follows. While a called service is being executed, the GSM system does not strictly check whether the Signed Response (SRES) / International Mobile Subscriber Identity (IMSI) parameters reported through a calling procedure triggered by the terminal actually correspond to the called user, which leaves a bypass vulnerability. When a Paging Request message for a called service is observed, a calling-service message, such as a Connection Management (CM) layer Service Request, is actively triggered at the same time; the authentication and identification procedure attached to the calling procedure is then answered with an SRES computed from the long-term key Ki of another Subscriber Identity Module (SIM) that legally accesses the network (for the Authentication Response) or with that SIM's IMSI (for the Identity Response), and these values are returned to the GSM network. In this way a calling flow is inserted into the called call, and the user verification step of the called flow is replaced by the user verification step (the authentication and identification flow) of the calling flow, so that the called service is hijacked (hijacking calls and intercepting short messages).
The authentication and identification procedure used for user verification was carried over into the subsequent Long Term Evolution (LTE) mobile communication network, that is, in LTE the user is also verified through an authentication and identification procedure. The attack method of actively triggering a calling service during the called-service link of a user is still effective in the LTE Circuit Switched Fallback (CSFB) scenario, impersonating the user with the long-term key K and IMSI of another Universal Subscriber Identity Module (USIM) that legally accesses the network; it is likewise effective in the link where an LTE user must pass authentication and identification during the Attach procedure, where the long-term key K and IMSI of another legally registered USIM can be used to pass network access verification for a counterfeit user, again achieving hijacking of called services (hijacking calls and intercepting short messages).
Disclosure of Invention
The invention aims to provide a protection method, a device and network equipment for counterfeit attacks, which solve the problem of low service security caused by hijacking of called services.
In order to achieve the above object, an embodiment of the present invention provides a method for protecting against counterfeit attacks, which is applied to a network device, and includes:
sending an identification request message carrying a first international mobile subscriber identity (IMSI) to a terminal;
receiving an identification response message, sent by the terminal based on the identification request message, that carries a second IMSI;
and, when the second IMSI is inconsistent with the first IMSI, rejecting the service flow of the terminal if the second IMSI is in a blacklist.
Optionally, the method further comprises:
when the second IMSI is consistent with the first IMSI, continuing to execute the service flow of the terminal.
Optionally, the method further comprises:
when the second IMSI is inconsistent with the first IMSI, if the second IMSI is not in the blacklist, sending the second IMSI, the first IMSI and the Temporary Mobile Subscriber Identity (TMSI) of the terminal to a statistical analysis function;
wherein the statistical analysis function is configured to generate the blacklist based on the second IMSI, the first IMSI, and the TMSI of the terminal.
Optionally, the method further comprises:
if the records of the second IMSI corresponding to different IMSIs and/or the records of the second IMSI corresponding to different TMSIs exceed a set threshold, adding the second IMSI to the blacklist, and rejecting the service flow of the terminal.
Optionally, the service flow includes: a location update flow, an attach flow, a calling/called flow or a Circuit Switched Fallback (CSFB) flow.
Optionally, rejecting the service flow of the terminal includes:
if the service flow is a location update flow, prohibiting the terminal from updating its location;
if the service flow is an attach flow, prohibiting the terminal from updating its location;
if the service flow is a calling/called flow, rejecting the calling/called service of the terminal;
and if the service flow is a CSFB flow, rejecting the CSFB service of the terminal.
In order to achieve the above object, an embodiment of the present invention provides a protection device against counterfeit attacks, which is applied to a network side device and includes:
a sending module, configured to send an identification request message carrying a first international mobile subscriber identity (IMSI) to the terminal;
a receiving module, configured to receive an identification response message, sent by the terminal based on the identification request message, that carries a second IMSI;
and a first processing module, configured to reject the service flow of the terminal when the second IMSI is inconsistent with the first IMSI and the second IMSI is in the blacklist.
Optionally, the apparatus further comprises:
a second processing module, configured to continue executing the service flow of the terminal when the second IMSI is consistent with the first IMSI.
Optionally, the apparatus further comprises:
a third processing module, configured to send, when the second IMSI is inconsistent with the first IMSI and the second IMSI is not in the blacklist, the second IMSI, the first IMSI and the Temporary Mobile Subscriber Identity (TMSI) of the terminal to a statistical analysis function;
wherein the statistical analysis function is configured to generate the blacklist based on the second IMSI, the first IMSI, and the TMSI of the terminal.
Optionally, the first processing module is further configured to: if the records of the second IMSI corresponding to different IMSIs and/or the records of the second IMSI corresponding to different TMSIs exceed a set threshold, add the second IMSI to the blacklist and reject the service flow of the terminal.
Optionally, the service flow includes: a location update flow, an attach flow, a calling/called flow or a Circuit Switched Fallback (CSFB) flow.
Optionally, the first processing module includes:
a first processing unit, configured to prohibit the terminal from performing location update if the service flow is a location update flow;
a second processing unit, configured to prohibit the terminal from performing location update if the service flow is an attach flow;
a third processing unit, configured to reject the calling/called service of the terminal if the service flow is a calling/called flow;
a fourth processing unit, configured to reject the CSFB service of the terminal if the service flow is a CSFB flow.
To achieve the above object, an embodiment of the present invention provides a mobile terminal including a processor and a transceiver, wherein
the transceiver is configured to: send an identification request message carrying a first international mobile subscriber identity (IMSI) to a terminal, and receive an identification response message, sent by the terminal based on the identification request message, that carries a second IMSI;
the processor is configured to: when the second IMSI is inconsistent with the first IMSI, reject the service flow of the terminal if the second IMSI is in the blacklist.
Optionally, the processor is further configured to: when the second IMSI is consistent with the first IMSI, continue to execute the service flow of the terminal.
Optionally, the processor is further configured to: when the second IMSI is inconsistent with the first IMSI and the second IMSI is not in the blacklist, send the second IMSI, the first IMSI and the Temporary Mobile Subscriber Identity (TMSI) of the terminal to a statistical analysis function;
wherein the statistical analysis function is configured to generate the blacklist based on the second IMSI, the first IMSI, and the TMSI of the terminal.
Optionally, the processor is further configured to: if the records of the second IMSI corresponding to different IMSIs and/or the records of the second IMSI corresponding to different TMSIs exceed a set threshold, add the second IMSI to the blacklist and reject the service flow of the terminal.
Optionally, the service flow includes: a location update flow, an attach flow, a calling/called flow or a Circuit Switched Fallback (CSFB) flow.
Optionally, the processor is further configured to:
if the service flow is a location update flow, prohibit the terminal from updating its location;
if the service flow is an attach flow, prohibit the terminal from updating its location;
if the service flow is a calling/called flow, reject the calling/called service of the terminal;
and if the service flow is a CSFB flow, reject the CSFB service of the terminal.
To achieve the above object, an embodiment of the present invention provides a network device, including: a transceiver, a processor, a memory, and a program or instructions stored in the memory and executable on the processor; when the processor executes the program or instructions, it implements the steps of the method for protecting against counterfeit attacks described above.
To achieve the above object, an embodiment of the present invention provides a readable storage medium on which a program or instructions are stored, which when executed by a processor implement the steps of the method for protecting against counterfeit attacks described above.
The technical scheme of the invention has the following beneficial effects:
in the protection method and apparatus against counterfeit attacks and the network side device of the embodiments of the present invention, when the network side device detects network counterfeit attack behaviour, namely that the second IMSI carried in the identification response (Identity Response) message is inconsistent with the first IMSI the system required to be reported, and the second IMSI is an IMSI in the blacklist, the network side device prohibits subsequent network access and service requests of the blacklisted terminal. The network can thus identify attack behaviour and perform the related security protection operations, preventing an attacker from exploiting the related vulnerability to hijack services.
Drawings
Fig. 1 is a first flowchart of a protection method against counterfeit attacks according to an embodiment of the present invention;
Fig. 2 is a second flowchart of a protection method against counterfeit attacks according to an embodiment of the present invention;
Fig. 3 is a third flowchart of a protection method against counterfeit attacks according to an embodiment of the present invention;
Fig. 4 is a fourth flowchart of a protection method against counterfeit attacks according to an embodiment of the present invention;
Fig. 5 is a block diagram of a protection apparatus against counterfeit attacks according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a network device according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a protection system framework according to an embodiment of the present invention;
Fig. 8 is a second schematic structural diagram of a network device according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present invention, it should be understood that the sequence numbers of the following processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
In addition, the terms "system" and "network" are often used interchangeably herein.
In the embodiments provided herein, it should be understood that "B corresponding to A" means that B is associated with A and can be determined from A. It should also be understood that determining B from A does not mean determining B from A alone; B may be determined from A and/or other information.
In the existing mobile communication system, subsequent called-service processing can be carried out over the wireless air interface link established by an actively triggered non-circuit-domain service, but the core network equipment is not explicitly required to verify that this link was established by a calling non-circuit-domain service triggered by the legally registered terminal corresponding to the called user. Therefore, while the MSC is processing the called service of user B, user A can actively trigger a calling non-circuit-domain service in place of user B, bypass the MSC's lax check, and hijack the called service of user B. The network actually requires the terminal to reply with the IMSI corresponding to the paged user identity (TMSI), but an attacker replies with the IMSI of another user; because this requirement was not made explicit when the MSC function was designed, the network's called-identification procedure can be bypassed by means of the identification triggered by a calling non-circuit-domain service. To solve this problem, the embodiments of the invention identify attack behaviour in the network and carry out the related security protection operations in the following way, thereby preventing an attacker from exploiting the related vulnerability to hijack services.
As shown in fig. 1, a method for protecting against counterfeit attacks according to an embodiment of the present invention is applied to a network device and includes the following steps:
Step 11: sending an identification request message carrying a first international mobile subscriber identity (IMSI) to the terminal.
Step 12: receiving an identification response message, sent by the terminal based on the identification request message, that carries a second IMSI.
Steps 11 and 12 can be implemented by having the network side of the mobile system trigger the identification procedure that requires the user to report its IMSI. The security mechanism in the mobile communication system includes an authentication procedure and an identification procedure. Whether the terminal is paged within its specific location area or outside it, the terminal can respond to the Paging Request message of the called service by actively triggering a CM Service Request to request a non-circuit-domain service. After the terminal has responded to the Paging Request of the called service in this way, the MSC sets the access state of the wireless link required for the called paging service to the PASS state, that is, the called service can be processed over the currently established wireless link.
Taking the called service as an example, the authentication procedure is as follows: the terminal receives the paging request message sent by the network, requests a wireless channel, and, after receiving the immediate assignment command issued by the network and being allocated a dedicated control channel, responds with a paging response message; the network side then triggers the authentication flow and the terminal receives an authentication request message carrying a random number (RAND) parameter; the terminal computes the SRES from the RAND with the A3 algorithm using the Ki stored in its SIM card and returns the computed SRES to the network in an authentication response message. The network then checks whether the SRES matches: if the SRES matches the SRES computed with the Ki belonging to the user identity (TMSI/IMSI) issued in the paging, the authentication procedure is complete; if it does not match, the user is refused access, or other verification procedures are initiated towards the terminal to judge whether it is a legitimate user.
Provided any wireless connection is alive, the mobile terminal replies with an identification response message after receiving an identification request message. The called service often involves a subscriber identification procedure (in this case subscriber paging is typically performed with the TMSI), which generally follows an authentication procedure but may also be triggered directly after the paging response. The identification procedure is as follows: after receiving the paging request message sent by the network, the terminal requests a wireless channel and, after receiving the immediate assignment command issued by the network and being allocated a dedicated control channel, responds with a paging response message; the network side then triggers the identification procedure and the terminal receives an identification request message specifying the parameters it must report (such as IMSI, IMEI, IMEISV, etc.); after receiving it, the terminal constructs an identification response message from the information stored in its SIM card and returns it to the network.
The network then checks whether the parameters reported by the terminal match those of the called user: if they are consistent, the identification procedure is complete; if they are inconsistent, the network refuses the user access or initiates other verification procedures towards the terminal to judge whether it is a legitimate user.
Specifically, steps 11 and 12 of the embodiment of the present invention may be implemented with reference to the identification procedure: for example, the network side sends an identification request (Identity Request) message carrying a first IMSI (denoted IMSI) to the terminal, then receives a second IMSI (denoted IMSI') reported by the terminal in an identification response (Identity Response) message, and detects whether IMSI' is consistent with the IMSI that was required to be reported. After step 12 the method further includes: when the second IMSI is consistent with the first IMSI, continuing to execute the service flow of the terminal, that is, if IMSI' is consistent with the required IMSI, the network side continues the original flow. If not, step 13 is performed.
Step 13: and when the second IMSI is inconsistent with the first IMSI, if the second IMSI is in the blacklist, rejecting the service flow of the terminal.
That is, if the IMSI 'is inconsistent with the IMSI required to be reported, the network side determines whether the IMSI' is on the system blacklist, and if the IMSI 'is on the system blacklist, the network side enters the application protection function and directly rejects all services of the user of the IMSI'.
Optionally, when the second IMSI is inconsistent with the first IMSI, the method for protecting against spoofing attacks further includes: and if the second IMSI is not in the blacklist, sending the second IMSI, the first IMSI and the Temporary Mobile Subscriber Identity (TMSI) of the terminal to a statistical analysis function. Wherein the statistical analysis function is configured to generate a blacklist based on the second IMSI, the first IMSI, and the TMSI of the terminal. That is, when the IMSI ' is inconsistent with the IMSI required to be reported, if the IMSI ' is not on the system blacklist, the service request TMSI, the IMSI to be reported by the user, and the IMSI ' reported in the identification response message are reported to the statistical analysis function together.
The processing flow of the attack detection function is introduced above; as shown in fig. 3, it specifically includes:
the network side sends an Identity Request message requesting the terminal to report its IMSI;
the network side receives the IMSI' reported by the terminal in an Identity Response message;
the network side detects whether IMSI' is consistent with the IMSI required to be reported.
If consistent, the network side continues to execute the original flow;
if not, the network side judges whether IMSI' is on the system blacklist.
If IMSI' is on the system blacklist, the application protection function is entered and all services of the IMSI' user are directly rejected;
if not, the service request TMSI, the IMSI the user was required to report, and the IMSI' reported in the identification response message are reported to the statistical analysis function.
The statistical analysis function may be configured to generate the blacklist based on the second IMSI, the first IMSI, and the TMSI of the terminal; specifically, the method for protecting against counterfeit attacks further includes: if the records of the second IMSI corresponding to different IMSIs and/or the records of the second IMSI corresponding to different TMSIs exceed the set threshold, adding the second IMSI to the blacklist and rejecting the service flow of the terminal. That is, the statistical analysis function performs statistical analysis on the TMSI, IMSI and IMSI' reported by the attack detection function; for records in which the same IMSI' corresponds to different IMSIs and TMSIs, when the records of different IMSIs corresponding to that IMSI' exceed the system-set threshold, the user corresponding to IMSI' is judged to be an illegal attacking user and IMSI' is added to the system blacklist; IMSI' and the corresponding user number are reported to an alarm system to notify the system administrator that the user has attacked the network; and the blacklist is sent to the application protection function at the same time. The system-set threshold may be set by a system administrator through the network management system, or set by the system as a default initial value, such as 50 records.
As shown in fig. 3, the method of generating and updating the blacklist includes, but is not limited to, the following steps:
receiving and recording data of the IMSI' inconsistent with the IMSI;
the network side judges whether the IMSI' recording times exceed a system set threshold value;
if the IMSI ' exceeds the threshold value, reporting the IMSI ' and the corresponding user number to an alarm system, putting the IMSI ' into a system blacklist, and further sending the system blacklist to an application protection function;
if the threshold value is not exceeded, the network side continues to execute the original flow.
The application protection function implements the protection operation for the user corresponding to an IMSI' in the blacklist passed to it by the statistical analysis function: that is, when it detects that the reported identification response message carries IMSI', the related service is directly refused. Optionally, the service flow of the embodiment of the present invention includes: a location update flow, an attach flow, a calling/called flow or a Circuit Switched Fallback (CSFB) flow.
The protection operation in step 13 will be further described with reference to a specific service flow, and further the step of rejecting the service flow of the terminal in step 13 includes one of the following steps:
If the service flow is a location update flow, the terminal is prohibited from updating its location; for example, when the terminal performs a location update in the GSM system, the MSC/VLR judges whether the identification response message carries IMSI' and acts accordingly: it rejects the location update of the terminal when the message carries IMSI', and continues the original flow when it does not.
If the service flow is an attach flow, the terminal is prohibited from updating its location; for example, when the terminal performs an Attach or joint location update in the LTE system, the MSC/VLR judges whether the identification response message carries IMSI' and acts accordingly: it rejects the location update of the terminal when the message carries IMSI', and continues the original flow when it does not.
If the service flow is a calling/called flow, the calling/called service of the terminal is rejected; for example, when the terminal triggers a calling or called service in the GSM system, the MSC/VLR judges whether the identification response message carries IMSI' and acts accordingly: it rejects the service connection of the terminal when the message carries IMSI', and continues the original flow when it does not.
If the service flow is a CSFB flow, the CSFB service of the terminal is rejected; for example, when the terminal triggers any CSFB service in the LTE system, the MSC/VLR judges whether the identification response message carries IMSI' and acts accordingly: it rejects the service connection of the terminal when the message carries IMSI', and continues the original flow when it does not.
Specifically, as shown in fig. 4, the process flow of applying the protection function may include, but is not limited to, the following steps:
judging whether the identity identification process is in the GSM location update process; if so, prohibiting the terminal from updating its location, so that the location update fails;
otherwise, judging whether the identity identification process is in the LTE Attach or joint location update process; if so, prohibiting the terminal from updating its location, so that the location update fails;
otherwise, judging whether the identity identification process is in the GSM calling and called service process; if so, rejecting the service connection;
otherwise, judging whether the identity identification process is in the LTE CSFB service process; if so, rejecting the service connection;
otherwise, the network side continues to execute the original flow.
In the method for protecting against counterfeit attacks of the embodiments of the present invention, the network device detects a network impersonation attack in which the second IMSI carried in the identification response (Identity Response) message is inconsistent with the first IMSI that the system asked the terminal to report. If the second IMSI is in the blacklist, subsequent network access and service requests from the blacklisted terminal are prohibited. In this way the attack behaviour in the network is identified and the related security protection operation is performed, so that an attacker is prevented from exploiting the related vulnerability to hijack services.
The method embodiments of the protection method against counterfeit attacks have been described above; the corresponding apparatus embodiments are described next with reference to the accompanying drawings.
As shown in fig. 5, the apparatus 500 for protecting against counterfeit attacks according to the embodiment of the present invention includes the following functional modules:
a sending module 510, configured to send an identification request message carrying a first international mobile subscriber identity IMSI to a terminal;
a receiving module 520, configured to receive an identification response message carrying the second IMSI and sent by the terminal based on the identification request message;
the first processing module 530 is configured to, when the second IMSI is inconsistent with the first IMSI, reject the service flow of the terminal if the second IMSI is in the blacklist.
Optionally, the counterfeit attack protection apparatus 500 further includes:
a second processing module, configured to continue executing the service flow of the terminal when the second IMSI is consistent with the first IMSI.
Optionally, the apparatus for defending against counterfeit attacks further comprises:
a third processing module, configured to send the second IMSI, the first IMSI and the Temporary Mobile Subscriber Identity (TMSI) of the terminal to a statistical analysis function when the second IMSI is inconsistent with the first IMSI and the second IMSI is not in the blacklist; the statistical analysis function is configured to generate the blacklist based on the second IMSI, the first IMSI, and the TMSI of the terminal.
Optionally, the first processing module is further configured to add the second IMSI to the blacklist and reject the service flow of the terminal if the number of records in which the second IMSI is associated with different IMSIs and/or the number of records in which the second IMSI is associated with different TMSIs exceeds a set threshold.
Optionally, the service flow includes: a location update flow, an attach flow, a calling and called flow, or a Circuit Switched Fallback (CSFB) flow.
Optionally, the first processing module 530 includes:
a first processing unit, configured to prohibit the terminal from updating its location if the service flow is a location update flow;
a second processing unit, configured to prohibit the terminal from updating its location if the service flow is an attach flow;
a third processing unit, configured to reject the calling and called services of the terminal if the service flow is a calling and called flow;
and a fourth processing unit, configured to reject the CSFB service of the terminal if the service flow is the CSFB flow.
It is to be noted that the apparatus embodiment of the present invention is a product embodiment corresponding to the method embodiment, and all implementation manners of the method embodiment are applicable to the apparatus embodiment and can achieve the same technical effect, so that details are not described herein again.
As shown in fig. 6, a network device 600 according to an embodiment of the present invention includes a processor 610 and a transceiver 620, wherein,
the transceiver 620 is configured to send an identification request message carrying a first international mobile subscriber identity IMSI to a terminal, and to receive the identification response message carrying a second IMSI that the terminal sends based on the identification request message.
The processor 610 is configured to reject the service flow of the terminal if the second IMSI is in the blacklist when the second IMSI is inconsistent with the first IMSI.
Optionally, the processor is further configured to continue executing the service flow of the terminal when the second IMSI is consistent with the first IMSI.
Optionally, the processor is further configured to: when the second IMSI is inconsistent with the first IMSI, if the second IMSI is not in the blacklist, sending the second IMSI, the first IMSI and the Temporary Mobile Subscriber Identity (TMSI) of the terminal to a statistical analysis function;
wherein the statistical analysis function is configured to generate the blacklist based on the second IMSI, the first IMSI, and the TMSI of the terminal.
Optionally, the processor is further configured to: if the number of records in which the second IMSI is associated with different IMSIs and/or the number of records in which the second IMSI is associated with different TMSIs exceeds a set threshold, add the second IMSI to the blacklist and reject the service flow of the terminal.
Optionally, the service flow includes: a location update flow, an attach flow, a calling and called flow, or a Circuit Switched Fallback (CSFB) flow.
Optionally, the processor is further configured to:
if the service flow is a location update flow, prohibit the terminal from updating its location;
if the service flow is an attach flow, prohibit the terminal from updating its location;
if the service flow is a calling/called flow, reject the calling/called service of the terminal;
and if the service flow is the CSFB flow, reject the CSFB service of the terminal.
In addition to the processor and the transceiver, as shown in fig. 7, the network device may further include an attack detection function, a statistical analysis function, and an application protection function. These network functions may be integrated with the processor and transceiver in a single device or may be separate from the processor and transceiver.
The attack detection function is mainly used to detect the IMSI' (second IMSI) reported in the identity identification procedure. If IMSI' does not match the user and is not in the system blacklist, the function reports the TMSI, the IMSI (first IMSI) that the user should have reported, and the IMSI' actually reported in the identification response message to the statistical analysis function.
The statistical analysis function is mainly used to statistically analyse the TMSI, IMSI and IMSI' of the users reported by the attack detection function. When, for the same IMSI', the number of records associating it with different IMSIs and with different TMSIs exceeds a set threshold, the user corresponding to that IMSI' is judged to be an illegitimate attacking user and IMSI' is put into the system blacklist; IMSI' and the corresponding user number are reported to an alarm system, notifying the system administrator that this user has attacked the network; and at the same time the blacklist is sent to the application protection function.
The application protection function is mainly used to perform the protection operation for users whose IMSI' is in the blacklist passed to it by the statistical analysis function: any service whose reported identification response message is detected to carry such an IMSI' is rejected directly. The rejection covers the following scenarios: (1) during location update in the GSM system, a user whose identification response message carries IMSI' is prevented from completing the location update; (2) during Attach or joint location update in the LTE system, a user whose identification response message carries IMSI' is prevented from completing the location update; (3) in calling and called services in the GSM system, all services whose reported identification response message carries IMSI' are rejected directly; and (4) in all CSFB services in the LTE system, all services whose reported identification response message carries IMSI' are rejected directly.
When the network device of this embodiment detects a network impersonation attack in which the second IMSI carried in the identification response (Identity Response) message is inconsistent with the first IMSI that the system asked the terminal to report, and the second IMSI is in the blacklist, subsequent network access and service requests from the blacklisted terminal are prohibited. In this way the attack behaviour in the network is identified and the related security protection operation is performed, so that an attacker is prevented from exploiting the related vulnerability to hijack services.
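The step list for fig. 4 above and the three network functions of fig. 7 (attack detection, statistical analysis, application protection) describe a single pipeline. The following is an added example written for this page, not code from the patent or from its applicant: a small Python model of that pipeline run over constructed Identity Response records. The record field names, the Flow names, the threshold value of 2, the result strings and the sample IMSI/TMSI values are all assumptions made for the example; the patent specifies none of them.

```python
"""Added example (not the patent's code): a minimal model of the attack detection,
statistical analysis and application protection functions described in the patent,
driven by constructed Identity Response records. All field names, flow names,
result strings and sample values are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum

CONTINUE = "continue"                        # network side continues the original flow
REJECT_LOCATION_UPDATE = "location update rejected"
REJECT_SERVICE = "service connection rejected"


class Flow(Enum):
    GSM_LOCATION_UPDATE = "gsm_location_update"
    LTE_ATTACH = "lte_attach"                # Attach or joint (combined) location update
    GSM_CALL = "gsm_call"                    # calling / called service
    LTE_CSFB = "lte_csfb"
    OTHER = "other"                          # any flow the patent does not name

# Protection operation per flow type; flows outside the four named types fall through
# to CONTINUE, matching the final "otherwise" step of the fig. 4 procedure.
REJECT_ACTION = {
    Flow.GSM_LOCATION_UPDATE: REJECT_LOCATION_UPDATE,
    Flow.LTE_ATTACH: REJECT_LOCATION_UPDATE,
    Flow.GSM_CALL: REJECT_SERVICE,
    Flow.LTE_CSFB: REJECT_SERVICE,
}


@dataclass(frozen=True)
class IdentityExchange:
    """One Identity Request / Identity Response pair as seen by the network."""
    tmsi: str          # temporary identity the terminal is currently using
    first_imsi: str    # IMSI the network asked for (carried in the Identity Request)
    second_imsi: str   # IMSI' the terminal actually reported in the Identity Response
    flow: Flow         # service flow in which the identity procedure ran


@dataclass
class StatisticalAnalysis:
    """Statistical analysis function: per reported IMSI', count the distinct first
    IMSIs and TMSIs it has been seen with and blacklist it once past the threshold."""
    threshold: int
    blacklist: set = field(default_factory=set)
    alarms: list = field(default_factory=list)
    imsis_seen: dict = field(default_factory=lambda: defaultdict(set))
    tmsis_seen: dict = field(default_factory=lambda: defaultdict(set))

    def report(self, ex: IdentityExchange) -> bool:
        """Record a mismatch handed over by the detection function.
        Returns True when IMSI' is (now) on the blacklist."""
        key = ex.second_imsi
        self.imsis_seen[key].add(ex.first_imsi)
        self.tmsis_seen[key].add(ex.tmsi)
        # One IMSI' answering identity requests meant for many different subscribers
        # is the pattern the patent keys on.
        over = (len(self.imsis_seen[key]) > self.threshold
                or len(self.tmsis_seen[key]) > self.threshold)
        if over and key not in self.blacklist:
            self.blacklist.add(key)
            self.alarms.append(key)          # stands in for the report to the alarm system
        return key in self.blacklist


def apply_protection(ex: IdentityExchange) -> str:
    """Application protection function for a terminal whose IMSI' is blacklisted."""
    return REJECT_ACTION.get(ex.flow, CONTINUE)


def handle_identity_response(ex: IdentityExchange, stats: StatisticalAnalysis) -> str:
    """Attack detection function: decide the outcome of one Identity Response."""
    if ex.second_imsi == ex.first_imsi:
        return CONTINUE                      # identities consistent: original flow
    if ex.second_imsi in stats.blacklist:
        return apply_protection(ex)          # already blacklisted: protect at once
    # Mismatch against an unknown IMSI': hand TMSI, IMSI and IMSI' to statistical
    # analysis; if that pushes IMSI' over the threshold, this flow is rejected too.
    if stats.report(ex):
        return apply_protection(ex)
    return CONTINUE


def run_demo(threshold: int = 2):
    """Run constructed sample traffic through the pipeline and return
    (per-record outcomes, sorted blacklist, alarms raised)."""
    stats = StatisticalAnalysis(threshold=threshold)
    # Constructed sample data (not real subscribers): one legitimate terminal answering
    # with its own IMSI, then a single IMSI' answering procedures started for five
    # different subscribers, and finally that IMSI' in a flow outside the named four.
    records = [
        IdentityExchange("T001", "460001234567890", "460001234567890", Flow.GSM_LOCATION_UPDATE),
        IdentityExchange("T002", "460001111111111", "460000000009999", Flow.GSM_CALL),
        IdentityExchange("T003", "460002222222222", "460000000009999", Flow.LTE_CSFB),
        IdentityExchange("T004", "460003333333333", "460000000009999", Flow.GSM_LOCATION_UPDATE),
        IdentityExchange("T005", "460004444444444", "460000000009999", Flow.LTE_ATTACH),
        IdentityExchange("T006", "460005555555555", "460000000009999", Flow.GSM_CALL),
        IdentityExchange("T007", "460005555555555", "460000000009999", Flow.OTHER),
    ]
    outcomes = [handle_identity_response(r, stats) for r in records]
    return outcomes, sorted(stats.blacklist), list(stats.alarms)


if __name__ == "__main__":
    for outcome in run_demo()[0]:
        print(outcome)
```

In run_demo() the IMSI' is blacklisted only once it has been seen against more distinct subscribers than the threshold; the record that crosses the threshold is itself rejected, every later named flow is rejected, and a flow outside the four named types continues unchanged, as the "otherwise" step of the procedure specifies. The threshold is the tuning point a defender has to get right: set too low, a single terminal with a faulty SIM answering with the wrong identity would be blacklisted, which is why the model keeps the distinct-IMSI and distinct-TMSI counts as two separate signals.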
A network device according to another embodiment of the present invention, as shown in fig. 8, includes a transceiver 810, a processor 800, a memory 820, and a program or instructions stored in the memory 820 and executable on the processor 800; when executing the program or instructions, the processor 800 implements the steps of the protection method against counterfeit attacks described above and achieves the same technical effect, and the details are not repeated here to avoid repetition.
The transceiver 810 is used for receiving and transmitting data under the control of the processor 800.
In fig. 8, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits, in particular one or more processors represented by processor 800 and memory represented by memory 820. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and therefore not described further here. The bus interface provides an interface. The transceiver 810 may be a number of elements, including a transmitter and a receiver, that provide a means for communicating with various other apparatus over a transmission medium. The processor 800 is responsible for managing the bus architecture and general processing, and the memory 820 may store data used by the processor 800 in performing operations.
The readable storage medium of the embodiment of the present invention stores a program or instructions which, when executed by the processor, implement the steps of the above-described protection method against counterfeit attacks and achieve the same technical effect; the details are not repeated here to avoid repetition.
Wherein, the processor is the processor in the network device in the above embodiment. The readable storage medium includes a computer readable storage medium, such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It is further noted that the network devices described in this specification include, but are not limited to, base stations, core networks, network servers, etc., and that many of the functional components described are referred to as modules in order to more particularly emphasize their implementation independence.
In embodiments of the present invention, modules may be implemented in software for execution by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be constructed as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different bits which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Indeed, a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Similarly, operational data may be identified within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network.
Where a module can be implemented in software, and given the level of current hardware technology, a software-implemented module can also, cost aside, be built as a corresponding hardware circuit that implements the same function; such a hardware circuit may include conventional Very Large Scale Integration (VLSI) circuits or gate arrays and existing semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
The exemplary embodiments described above are described with reference to the drawings, and many different forms and embodiments of the invention may be made without departing from the spirit and teaching of the invention, therefore, the invention is not to be construed as limited to the exemplary embodiments set forth herein. Rather, these exemplary embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. In the drawings, the size and relative sizes of elements may be exaggerated for clarity. The terminology used herein is for the purpose of describing particular example embodiments only and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Unless otherwise indicated, a range of values, when stated, includes the upper and lower limits of the range, and any subranges therebetween.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A protection method for counterfeit attacks is applied to network equipment and is characterized by comprising the following steps:
sending an identification request message carrying a first international mobile subscriber identity IMSI to a terminal;
receiving an identification response message which is sent by the terminal based on the identification request message and carries a second IMSI;
and when the second IMSI is inconsistent with the first IMSI, if the second IMSI is in a blacklist, rejecting the service flow of the terminal.
2. The method for protecting against counterfeit attacks as recited in claim 1, further comprising:
when the second IMSI is consistent with the first IMSI, continuing to execute the service flow of the terminal.
3. The method for protecting against counterfeit attacks as recited in claim 1, further comprising:
when the second IMSI is inconsistent with the first IMSI, if the second IMSI is not in the blacklist, sending the second IMSI, the first IMSI and a Temporary Mobile Subscriber Identity (TMSI) of the terminal to a statistical analysis function;
wherein the statistical analysis function is configured to generate the blacklist based on the second IMSI, the first IMSI, and the TMSI of the terminal.
4. The method for protecting against counterfeit attacks as recited in claim 3, further comprising:
if the number of records in which the second IMSI is associated with different IMSIs and/or the number of records in which the second IMSI is associated with different TMSIs exceeds a set threshold, adding the second IMSI to the blacklist and rejecting the service flow of the terminal.
5. The method for protecting against counterfeit attacks according to any one of claims 1 to 4, wherein the service flow comprises: a location update flow, an attach flow, a calling and called flow, or a Circuit Switched Fallback (CSFB) flow.
6. The method for protecting against counterfeit attacks according to claim 5, wherein said rejecting the service flow of the terminal comprises:
if the service flow is a location update flow, prohibiting the terminal from updating its location;
if the service flow is an attach flow, prohibiting the terminal from updating its location;
if the service flow is a calling/called flow, rejecting the calling/called service of the terminal;
and if the service flow is the CSFB flow, rejecting the CSFB service of the terminal.
7. A protection device for counterfeit attacks is applied to network equipment, and is characterized by comprising:
the sending module is used for sending an identification request message carrying a first international mobile subscriber identity IMSI to the terminal;
a receiving module, configured to receive an identification response message carrying a second IMSI and sent by the terminal based on the identification request message;
and the first processing module is used for rejecting the service flow of the terminal if the second IMSI is in a blacklist when the second IMSI is inconsistent with the first IMSI.
8. A network device, comprising: a transceiver and a processor;
the transceiver is used for sending an identification request message carrying a first international mobile subscriber identity IMSI to the terminal; receiving an identification response message which is sent by the terminal based on the identification request message and carries a second IMSI;
the processor is configured to reject the service flow of the terminal if the second IMSI is in a blacklist when the second IMSI is inconsistent with the first IMSI.
9. A network device, comprising: a transceiver, a processor, a memory, and a program or instructions stored in the memory and executable on the processor; wherein the steps of the method for protecting against counterfeit attacks as claimed in any one of claims 1 to 6 are implemented when the program or instructions are executed by the processor.
10. A readable storage medium on which a program or instructions are stored, which program or instructions, when executed by a processor, carry out the steps in the method of protection against counterfeit attacks according to any one of claims 1 to 6.
Application CN202110151293.3A, priority date 2021-02-03, filing date 2021-02-03: Protection method, device and network equipment for counterfeit attack; status Pending; publication CN114867028A (en).

Publication: CN114867028A (en), published 2022-08-05.

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination