WO2011054251A1 - Method, system and terminal for preventing access from illegal terminals - Google Patents


Info

Publication number
WO2011054251A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
access
type
network
access capability
Prior art date
Application number
PCT/CN2010/077919
Other languages
French (fr)
Chinese (zh)
Inventor
谢宝国
李志军
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2011054251A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • the present invention relates to the field of mobile communications, and in particular to a method, a terminal, and a system that prevent an unauthorized terminal from using another device's Universal Subscriber Identity Module (USIM) to access the network.
  • USIM Universal Subscriber Identity Module
  • M2M Machine to Machine
  • GPRS General Packet Radio service
  • EPS Evolved Packet System
  • H2H Human to Human
  • the GPRS network is a second-generation mobile communication network based on packet switching.
  • GPRS evolves into the Universal Mobile Telecommunication System Packet Switch (UMTS PS) domain.
  • UMTS PS Universal Mobile Telecommunication System Packet Switch
  • the network architecture of the UMTS PS includes the following network elements:
  • the Radio Network System (RNS) includes the NodeB (Node B) and the Radio Network Controller (RNC).
  • NodeB provides air interface connection for terminals.
  • RNC is mainly used to manage radio resources and control NodeB.
  • the RNC and the NodeB are connected through the Iub port, and the terminal accesses the packet domain core network (Packet Core) of the UMTS through the RNS;
  • Packet Core packet domain core network
  • the Serving GPRS Support Node (SGSN) stores the location information of the user's routing area and is responsible for security and access control; the SGSN is connected to the RNS through the Iu port. The Gateway GPRS Support Node (GGSN) assigns the IP address of the terminal and acts as the gateway to the external network; it is connected to the SGSN through the Gn port;
  • the Home Location Register (HLR) is used to store the subscriber's subscription data and the current SGSN address, and is connected to the SGSN through the Gr port and connected to the GGSN through the Gc interface.
  • the Packet Data Network (PDN) is used to provide a packet-based service network for users, and is connected to the GGSN through the Gi port.
  • the Machine Type Communication (MTC) UE needs to transmit data information to the MTC Server or other MTC UEs through the GPRS network.
  • the GPRS network establishes a tunnel between the RNC-SGSN and the GGSN for this transmission.
  • the tunnel is based on the GPRS Tunneling Protocol (GTP), and the data information is reliably transmitted through the GTP tunnel.
  • GTP GPRS Tunneling Protocol
  • SAE System Architecture Evolution
  • EPC Evolved Packet Core
  • the current SAE architecture is shown in Figure 2.
  • the network element included in the Evolved Radio Access Network is the Evolved NodeB (eNodeB), which provides the radio resources for user access.
  • Packet Data Network (PDN) is a network that provides services to users
  • the EPC provides lower latency and allows more wireless access systems to connect; it includes the following network elements:
  • the Mobility Management Entity (MME) is a control plane function entity that temporarily stores user data. It is responsible for managing and storing the context of the user equipment (User Equipment, UE for short), such as user identity, mobility management status and user security parameters; it assigns a temporary identifier to the user, and when the UE camps on a tracking area or the network, it is responsible for authenticating the user;
  • UE User Equipment
  • the Serving Gateway (SGW) is a user plane entity responsible for user plane data routing and for terminating downlink data of UEs in the idle (ECM_IDLE) state. It manages and stores the SAE bearer context of the UE, such as IP bearer service parameters and network internal routing information.
  • the SGW is an anchor point of the internal user plane of the 3GPP system, and one user can only have one SGW at a time;
  • the PDN Gateway (PGW) is the gateway responsible for the UE accessing the PDN, and assigns the user IP address. It is also the mobility anchor of the 3GPP and non-3GPP access systems.
  • the PGW functions also include policy enforcement and charging support. A user can access multiple PGWs at the same time.
  • the Policy and Charging Enforcement Function (PCEF) is also located in the PGW.
  • the Policy and Charging Rules Function (PCRF) is responsible for providing policy control and charging rules to the PCEF.
  • the Home Subscriber Server (HSS) is responsible for permanently storing user subscription data.
  • the content stored in the HSS includes the International Mobile Subscriber Identity (IMSI) of the UE and the IP address of the PGW.
  • IMSI International Mobile Subscriber Identity
  • the SGW and the PGW may be unified.
  • the EPC system user plane network element includes the SGW and the PGW.
  • the Machine Type Communication Server (MTC Server) is mainly responsible for information collection and data storage/processing of MTC devices, and necessary management of MTC devices.
  • the Machine Type Communication Device, similar to a UE, also includes a Universal Integrated Circuit Card (UICC) and Mobile Equipment (ME), and is usually responsible for collecting information from several collectors.
  • UICC Universal Integrated Circuit Card
  • ME Mobile Equipment
  • this information is sent through the RAN node to the core network and exchanged with the MTC Server.
  • the MTC UE needs to transmit data information to the MTC Server or other MTC UEs through the SAE network.
  • the SAE network establishes a GTP tunnel between the SGW and the PGW for this transmission, and the data information is reliably transmitted through the GTP tunnel.
  • FIG. 3 is a process of the UE accessing the EPS network and performing network attachment and IP bearer establishment in the prior art.
  • the UE initiates a network attach request to the eNodeB in order to access the SAE network; the request carries the International Mobile Subscriber Identity (IMSI);
  • IMSI international mobile subscriber identity
  • the eNodeB selects an MME for the UE to serve, and forwards the attach request to the MME, and also carries important information such as the identifier of the UE to the MME;
  • the MME sends an authentication data request message to the HSS (the message includes IMSI),
  • the HSS first looks up the subscription data corresponding to the IMSI. If no subscription is found or the IMSI is blacklisted, the HSS returns an authentication data response to the MME carrying the appropriate error reason; if the subscription data corresponding to the IMSI is found, the HSS returns an authentication data response message (including an authentication vector) to the MME;
  • the MME performs an authentication process to verify the legitimacy of the terminal IMSI and performs a secure mode procedure to enable secure connections.
  • the MME sends a location update request to the HSS of the home network, where the message carries the identifier of the MME and the identifier of the UE, to inform the HSS of the area the UE is currently accessing;
  • the HSS searches for the subscription user data of the UE according to the identifier of the UE, and sends the data to the MME.
  • User data mainly includes information such as the default access point name (Access Point Name, APN for short) and the bandwidth size.
  • the MME receives the user data, checks whether the UE is allowed to access the network, and returns an insert subscriber data response to the HSS; if the MME finds that the UE has roaming restrictions or access restrictions, the UE is forbidden to attach and the HSS is notified.
  • the HSS sends a confirmation location update response to the MME.
  • the MME selects an S-GW for the UE, and sends a request for establishing a default bearer.
  • the MME informs the S-GW of the necessary information: the identifier of the UE, the identifier of the MME, the indication of assigning an IP address to the UE, the default bandwidth information, the PDN GW address, and the like;
  • the S-GW sends a request for establishing a default bearer to the PDN GW.
  • the S-GW informs the PDN GW of the necessary information: the address of the S-GW, the default bandwidth information, an indication for assigning an IP address to the UE, and the like;
  • the PDN GW requests the PCRF to apply the policy and charging rules and decision information configured for the UE.
  • the PDN GW establishes a default bearer according to the policy and charging decision information returned by the PCRF, and returns a bearer setup response to the S-GW.
  • the S-GW sends a response to the default bearer establishment to the MME.
  • the MME sends an attach response to the eNodeB, indicating that the UE's request to attach to the network has been accepted.
  • the eNodeB sends a radio bearer setup request to the UE, requesting the UE to save the important information of the bearer establishment, and open the corresponding port.
  • the radio bearer setup request carries a bearer network ID, a PDN GW address, an IP address allocated to the UE, bandwidth information, and the like;
  • the UE sends a radio bearer setup response to the eNodeB.
  • the eNodeB notifies the MME that the attach process is completed.
  • the MME sends an update bearer request to the S-GW, and notifies the identifier and address of the eNodeB served by the UE.
  • the S-GW sends an update bearer response to the MME.
  • the MME sends a location update request to the HSS, and notifies the HSS of the address information of the PDN GW served by the UE, and the HSS updates the information.
  • the authentication of the UE by the SAE network is mainly to verify the legitimacy of the IMSI.
  • FIG. 4 is a process of the UE accessing the GPRS network and performing network attachment in the prior art.
  • the user initiates an attach request to the SGSN through the RNS for the first time, and carries parameters such as an attachment type and an IMSI.
  • the RNS, based on its load, forwards the request together with the user's International Mobile Subscriber Identity (IMSI);
  • IMSI International Mobile Subscriber Identity
  • the SGSN requests the HLR to authenticate the IMSI; the HLR returns the authentication parameters corresponding to the IMSI, and the SGSN authenticates the UE.
  • the SGSN sends a location update request to the HLR, and carries parameters such as an SGSN number and address, IMSI, and the like;
  • the HLR downloads the subscription data corresponding to the IMSI to the SGSN; the SGSN performs an access control check on the ME, checks whether the UE has an area restriction or an access restriction, and then returns an insert subscriber data response to the HLR.
  • the HLR confirms the location update and sends a location update response to the SGSN. If the location update request is rejected by the HLR, the SGSN rejects the UE's attach request;
  • the SGSN allocates a Packet Temporary Mobile Subscriber Identity (P-TMSI) to the user, then sends an attach accept message to the UE carrying information such as the P-TMSI allocated to the UE.
  • P-TMSI Packet Temporary Mobile Subscriber Identity
  • if the P-TMSI is updated, the MS returns an attach complete message to the SGSN for confirmation, completing the GPRS attach procedure.
  • the authentication of the UE by the GPRS network is mainly to verify the legitimacy of the IMSI.
  • the M2M service is a networked application and service centered on intelligent interaction of machine terminals. It uses intelligent machine terminals to transmit information over the wireless network, providing customers with information solutions to meet customer information needs for monitoring, command and dispatch, data collection and measurement.
  • the communication object of M2M is machine-to-machine, which can be communication between people and machines, communication between machines and servers, and communication between different intelligent terminals.
  • Different applications of MTC equipment have different characteristics: elevators and similar equipment have low mobility and PS-only attributes, while monitoring and alarm devices, in addition to low mobility and PS only, have low data transmission and high availability requirements. Therefore, different system optimizations are required for MTC devices of different applications, so that MTC devices can be effectively managed, monitored and charged.
  • Because of the special characteristics of M2M communication, and of MTC equipment in particular (such as unattended outdoor MTC terminals), anti-theft and prevention of illegal access to the MTC server is a very important requirement.
  • an illegal user may steal the SIM card of the MTC terminal and insert it into an H2H device.
  • the H2H device then uses the IMSI of the MTC device to access the network illegally, not only enjoying the preferential rates and other personalized services of the MTC terminal but, more importantly, being able to illegally intrude into the MTC Server, which poses a great hidden danger to the information security of the MTC Server. The network procedure therefore needs to be optimized to restrict illegal devices from using the USIM of an M2M terminal to access the network.
  • the technical problem to be solved by the present invention is to provide a method, a terminal and a system for preventing illegal terminal access, so that an illegal terminal cannot access the network and improve communication security.
  • the present invention provides a method for preventing unauthorized terminal access, including: when the terminal requests access to the network, the network side determines whether the device type and/or the device access capability of the terminal matches the user subscription data. If not, the network side refuses to access the terminal to the network.
  • the foregoing method may further have the following feature: the network side acquires a device type and/or a device access capability of the terminal from an access request sent by the terminal.
  • the above method may also have the following features: the device type refers to a mobile phone type device or a machine type device; the device access capability refers to a mobile phone type device access capability or a machine type device access capability.
  • the method may also have the following feature: the device type and/or device access capability of the terminal is considered not to match the user subscription data when the device type of the terminal does not match the device type in the user subscription data, or the device access capability of the terminal does not match the device access capability in the user subscription data, or the device type of the terminal does not match the device access capability in the user subscription data, or the device access capability of the terminal does not match the device type in the user subscription data.
  • the method may further include the following feature: when the network side refuses to access the network to the terminal, the method further includes: returning a rejection reason value to the terminal, indicating that the terminal is an illegal terminal.
  • the present invention also provides a system for preventing unauthorized terminal access, comprising: a network side, which is configured to: when the terminal requests access to the network, determine whether the device type and/or the device access capability of the terminal matches the user subscription data. If it does not match, the terminal is denied access to the network.
  • the above system may also have the following features:
  • the network side is further configured to: obtain a device type and/or a device access capability of the terminal from an access request sent by the terminal.
  • the above system may also have the following features: the device type refers to a mobile phone type device or a machine type device; the device access capability refers to a mobile phone type device access capability or a machine type device access capability.
  • the system may also have the following features:
  • the network side is configured to: consider that the device type and/or device access capability of the terminal does not match the user subscription data when the device type of the terminal does not match the device type in the user subscription data, or the device access capability of the terminal does not match the device access capability in the user subscription data, or the device type of the terminal does not match the device access capability in the user subscription data, or the device access capability of the terminal does not match the device type in the user subscription data.
  • the system may also be configured to: the network side is further configured to: when the terminal is denied access to the network, return a reject reason value to the terminal, indicating that the terminal is an illegal terminal.
  • the present invention further provides a terminal for preventing unauthorized access.
  • the terminal is configured to: when requesting access to the network, carry the device type of the terminal or/and the access capability of the device in the access request.
  • the foregoing terminal may also have the following features: the device type refers to a mobile phone type device or a machine type device; the device access capability refers to a mobile phone type device access capability or a machine type device access capability.
  • the MME/SGSN can determine whether the device is illegal according to the matching relationship between the device type/device access capability and the subscription data. If it is an H2H terminal and the subscription data is a subscription to the M2M terminal, it is considered to be an illegal device access, and vice versa.
  • the method can effectively prevent the illegal user from stealing the USIM access network of the MTC device and ensure the security of the MTC communication.
  • FIG. 1 is a schematic diagram of a GPRS network system architecture in the prior art
  • FIG. 2 is a schematic diagram of an EPS network system architecture in the prior art
  • FIG. 3 is a flow chart of attaching an MTC UE to an EPS network in the prior art
  • FIG. 5 is a flow chart of attaching an illegal MTC UE to a PS network in the present invention
  • FIG. 6 is a flowchart of attaching an illegal MTC UE to an EPS network according to Embodiment 1 of the present invention
  • FIG. 7 is a flowchart of attaching an illegal MTC UE to an EPS network according to Embodiment 2 of the present invention
  • FIG. 8 is a flowchart of attaching an illegal MTC UE according to Embodiment 3 of the present invention
  • FIG. 9 is a flow chart of attaching an illegal MTC UE to a GPRS network according to Embodiment 4 of the present invention.
  • the terminal needs to carry device-related information, such as device type information, indicating whether the device is a machine type device or a mobile phone type device; or is device access capability information, indicating whether the device has a machine type access capability or a mobile phone type access capability.
  • after the SGSN/MME downloads the user subscription data from the user database, it can determine from that data whether the subscription is a machine type subscription or a mobile phone type subscription.
  • the M2M access capability or the H2H access capability can be included in the user subscription data; M2M device subscription information or H2H device subscription information can also be marked in the user subscription data; or the two can be distinguished by different IMSI number segments.
  • in the latter case, H2H devices and M2M devices use different IMSI number segments, which can be defined by the operator. If the MME/SGSN determines that the terminal device information does not match the subscription data, it must reject the access of the terminal device to ensure the security of the network, and return the reason for the rejection to the user database and the terminal.
  • the method for preventing the access of the illegal terminal includes: when the terminal requests access to the network, the network side determines whether the device information of the terminal matches the subscription data of the user, and if not, rejects the terminal from accessing the network.
  • the device information of the terminal is brought to the network by the terminal in the access request.
  • the device information may be a device type and/or a device access capability.
  • the device type can be a machine type device (or M2M device) or a mobile phone type device (or H2H device).
  • the device access capability is machine type device access capability (or M2M access capability) or mobile device access capability (or H2H access capability).
  • the user subscription data may include device type information and/or device access capability information.
  • the device information of the terminal does not match the user subscription data when the device type of the terminal does not match the device type included in the user subscription data, or the device access capability of the terminal does not match the device access capability included in the user subscription data. The mismatch condition can be extended so that it also holds when the device type of the terminal does not match the device access capability included in the user subscription data, or the device access capability of the terminal does not match the device type included in the user subscription data.
  • for example, if the device type of the terminal is the H2H device type and the user subscription data indicates the M2M access capability, the two are considered mismatched.
  • when the network refuses the terminal access, it also returns a cause value for the illegal access to the terminal, identifying the terminal as an illegal terminal.
  • FIG. 5 is a flow chart of the method of the present invention, specifically comprising the following steps:
  • the MTC UE sends an attach request message to the PS core network through the radio access network; in the attach request message, the parameter needs to be extended, and the device information parameter is added;
  • the device information parameter may be a device type indicating whether the terminal is a machine type device (MTC device) or a mobile phone type device (H2H device).
  • MTC device machine type device
  • H2H device mobile phone type device
  • the device type can also be extended to define different types of machine-type devices or different types of mobile phone-type devices, which can be defined according to the requirements of the operator;
  • the device type of the mobile phone device may have a default parameter of null
  • the device information parameter may also be a device access capability, indicating whether the terminal has machine type device access capability or mobile phone type device access capability; the related parameter may be added as an extension of the terminal network capability field.
  • the device access capability can also be extended to define different types of machine-type device access capabilities or different types of mobile phone-type device access capabilities, which can be defined according to the operator's needs;
  • the device access capability of the mobile phone device may be null by default
  • the PS core network sends a location update request to the HLR/HSS, and carries parameters such as a PS core network address and an IMSI.
  • HLR/HSS is the user database.
  • the HLR/HSS finds the user subscription data corresponding to the IMSI, and downloads the user subscription data to the PS core network.
  • User subscription data may include device access capability information, such as machine type device access capability (M2M access capability) or mobile device access capability (H2H access capability), according to the operator's requirements; user subscription data may also include device type information.
  • M2M access capability machine type device access capability
  • H2H access capability mobile device access capability
  • the PS core network matches the device information carried in the terminal's attach request message against the user subscription data downloaded from the user database. If they do not match, the access request of the terminal is rejected, and the reason for the rejection is returned to the HLR/HSS in the insert subscriber data response;
  • a mismatch means that the device type of the terminal is inconsistent with the device type indicated in the user subscription data; or the device access capability of the terminal is inconsistent with the device access capability indicated in the user subscription data; or the device type of the terminal is inconsistent with the device access capability indicated in the user subscription data; or the device access capability of the terminal is inconsistent with the device type indicated in the user subscription data.
  • the PS core network discovers that the device information carried by the terminal does not match the device information of the user subscription data, rejects the terminal accessing the network, and sends a reject message to the terminal.
  • the reject message may carry a reason value of the reject, indicating that the terminal is an illegal terminal.
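The matching check that the patent places in the PS core network (MME/SGSN), written out as an added example; this is not code from the patent or its assignee. It covers the steps of FIG. 5 above as well as the summary of the method (device type and/or device access capability in the attach request, compared against device type and/or device access capability in the subscription data, with the four cross-comparison cases). Assumptions, which the patent leaves open: a terminal whose device information fields are both null is treated as an H2H device (the patent says H2H devices may carry null by default); when the subscription carries no explicit mark, the subscription kind is inferred from an operator-defined IMSI number segment, and the segment table, the IMSI values and the reject cause string here are constructed placeholders.

```python
"""Device-information vs. subscription-data check for an attach request.

Added illustration of the check described in the patent; not the patent's or
ZTE's own code. IMSI segments, IMSI values and the cause value are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class DeviceKind(str, Enum):
    """Both the device type and the device access capability take one of these values."""
    M2M = "M2M"  # machine type device / machine type access capability
    H2H = "H2H"  # mobile phone type device / mobile phone type access capability


@dataclass(frozen=True)
class AttachRequest:
    """Extended attach request: device_type and/or device_access_capability may be null."""
    imsi: str
    device_type: Optional[DeviceKind] = None
    device_access_capability: Optional[DeviceKind] = None


@dataclass(frozen=True)
class SubscriptionData:
    """User subscription data downloaded from the HLR/HSS for this IMSI."""
    imsi: str
    device_type: Optional[DeviceKind] = None
    device_access_capability: Optional[DeviceKind] = None


# Constructed, hypothetical operator table: IMSIs beginning with one of these
# segments belong to M2M subscriptions when the subscription carries no explicit mark.
M2M_IMSI_SEGMENTS: Tuple[str, ...] = ("460019",)

# Placeholder reject cause; the patent does not fix a numeric value.
REJECT_CAUSE_ILLEGAL_TERMINAL = "ILLEGAL_TERMINAL"


def terminal_claims(req: AttachRequest) -> List[DeviceKind]:
    """Device information the terminal carried. Both fields null is read as an
    H2H device, because the patent lets H2H devices leave these fields null."""
    present = [f for f in (req.device_type, req.device_access_capability) if f is not None]
    return present or [DeviceKind.H2H]


def subscribed_kinds(sub: SubscriptionData) -> List[DeviceKind]:
    """Device information in the subscription data, falling back to the IMSI
    number segment when neither the type nor the access capability is marked."""
    explicit = [f for f in (sub.device_type, sub.device_access_capability) if f is not None]
    if explicit:
        return explicit
    return [DeviceKind.M2M if sub.imsi.startswith(M2M_IMSI_SEGMENTS) else DeviceKind.H2H]


def check_access(req: AttachRequest, sub: SubscriptionData) -> Tuple[bool, Optional[str]]:
    """Return (accepted, reject_cause).

    Every terminal field is compared against every subscription field, which
    realises the four mismatch cases of the patent (type vs type, capability vs
    capability, type vs capability, capability vs type). Any mismatch rejects.
    """
    if req.imsi != sub.imsi:
        raise ValueError("subscription data must belong to the requesting IMSI")
    for claim in terminal_claims(req):
        for subscribed in subscribed_kinds(sub):
            if claim != subscribed:
                return False, REJECT_CAUSE_ILLEGAL_TERMINAL
    return True, None


def insert_subscriber_data_response(req: AttachRequest, sub: SubscriptionData) -> dict:
    """What the core network reports back to the HLR/HSS (and, on reject, to the UE)."""
    accepted, cause = check_access(req, sub)
    return {"imsi": req.imsi, "access_allowed": accepted, "illegal_terminal": not accepted, "cause": cause}


if __name__ == "__main__":
    # Constructed scenario: a USIM from an M2M subscription inserted into an
    # ordinary phone, which carries no device information (both fields null).
    stolen = AttachRequest(imsi="460019000000001")
    m2m_sub = SubscriptionData(imsi="460019000000001", device_access_capability=DeviceKind.M2M)
    print(insert_subscriber_data_response(stolen, m2m_sub))

    # The genuine MTC device carries its device type and is accepted.
    genuine = AttachRequest(imsi="460019000000001", device_type=DeviceKind.M2M)
    print(insert_subscriber_data_response(genuine, m2m_sub))
```

The cross-product comparison is deliberately kept even though both fields share one value set: it keeps the code aligned with the four cases the patent enumerates, and it still rejects when a terminal carries a consistent type but an inconsistent capability (or the reverse), which a single-field comparison would miss.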
  • Embodiment 1 of the present invention is shown in FIG. 6.
  • the terminal accesses the EPS network
  • the device carries the device type parameter
  • the MME determines whether the device type parameter matches the subscription data.
  • the specific process of the present invention is as follows:
  • the UE initiates an attach request to the eNodeB to access the SAE network, and carries information such as an IMSI, a device type, a network access capability of the UE, and an instruction to allocate an IP.
  • the device type can be used to identify whether the terminal is an M2M device or an H2H device. It can also be extended to identify which type of M2M device or which type of H2H device. For example, the M2M device type such as meter reading and monitoring can be defined according to the operator's requirements.
  • the default parameter is null, that is, the device type field is set to null.
  • the eNodeB selects an MME for the UE, and forwards the attach request to the MME, and carries important information such as the identifier of the UE and the device type of the UE to the MME.
  • the MME sends an authentication data request message (including IMSI) to the HSS, where the HSS finds the subscription data corresponding to the IMSI, and returns an authentication data response message (including an authentication vector) to the MME.
  • the MME performs an authentication process to verify the legitimacy of the terminal IMSI and performs a secure mode procedure to enable secure connections.
  • the MME sends a location update request to the HSS of the home network, where the message carries the identifier of the MME and the identifier of the UE, to notify the HSS of the area the UE is currently accessing.
  • the HSS searches for the user subscription data of the UE according to the identifier of the UE, and sends the data to the MME.
  • User subscription data mainly includes information such as the default access point name (Access Point Name, APN for short) and bandwidth.
  • the user subscription data can include the device type, indicating whether the device is an M2M device or an H2H device. Without this information, the operator can distinguish the type of terminal equipment by assigning different IMSI number segments;
  • the MME receives the user's subscription data and checks whether the UE is allowed to access the network; if the MME finds that the UE has roaming restrictions or access restrictions, the UE is prohibited from attaching and the HSS is notified.
  • the MME must check whether the device type parameter carried by the terminal matches the device type corresponding to the user subscription data. If it does not match, for example if the terminal carries the H2H device type while the user subscription data indicates an M2M device, the MME must reject the access of the terminal and identify the access as that of an illegal terminal.
  • the MME sends an insert subscriber data response message to the HSS, carrying information such as whether the UE is allowed access and whether it is an illegal terminal;
  • when the MME finds that the device type carried by the terminal does not match the user subscription data, it rejects the attach request of the terminal and carries the cause value for illegal terminal access to the UE, indicating that the UE is an illegal terminal.
  • Embodiment 2 of the present invention is shown in FIG. 7.
  • the terminal accesses the EPS network
  • the device access capability parameter is carried, and the MME determines whether the device access capability parameter matches the subscription data.
  • the specific process of the present invention is as follows:
  • the UE initiates an attach request to the eNodeB to access the SAE network, and carries information such as an IMSI, a device access capability, a network access capability of the UE, and an indication for requesting IP allocation.
  • the device access capability identifies whether the terminal has the M2M access capability or the H2H access capability; the access capability parameter may be added as an extension of the terminal network capability field.
  • the device access capability indication may also be extended to identify which type of M2M access capability or which type of H2H access capability the terminal has, such as the PS only class, the high availability class and other M2M access capability types, which may be defined according to the operator's requirements;
  • the default parameter for the H2H access capability is null;
  • the eNodeB selects an MME for the UE to serve, and forwards the attach request to the MME.
  • the MME also carries important information such as the identifier of the UE and the access capability of the UE to the MME;
  • the MME sends an authentication data request message (including IMSI) to the HSS, where the HSS finds the subscription data corresponding to the IMSI, and returns an authentication data response message (including an authentication vector) to the MME.
  • the MME performs the authentication procedure to verify the legitimacy of the terminal's IMSI, and performs the security mode procedure to enable a secure connection.
  • the MME sends a location update request to the HSS of the home network, carrying the identifier of the MME and the identifier of the UE, to inform the HSS of the area the UE currently accesses.
  • the HSS looks up the user subscription data of the UE according to the identifier of the UE, and sends the data to the MME.
  • the user subscription data mainly includes information such as the default Access Point Name (APN) and the bandwidth.
  • the user subscription data may include a subscribed device access capability, indicating whether the subscriber has subscribed to the M2M access capability or the H2H access capability;
  • the MME receives the user subscription data, checks whether the UE is allowed to access the network, and returns an insert user data response to the HSS. If the MME finds that the UE has roaming restrictions or access restrictions, the MME prohibits the UE from attaching and notifies the HSS;
  • the MME also needs to check whether the device access capability carried by the terminal matches the device access capability in the user subscription data. If they do not match, for example the terminal carries the H2H access capability while the user subscription data indicates the M2M access capability, the MME rejects the access of the terminal and identifies it as an illegal terminal access;
  • the MME sends an insert user data response message to the HSS, carrying information such as whether the UE is allowed to access and whether it is an illegal terminal;
  • when the MME finds that the device access capability carried by the terminal does not match the user subscription data, it rejects the attach request of the terminal and carries a cause value of illegal terminal access to the UE, indicating that the UE is an illegal terminal.
  • Embodiment 3 of the present invention is shown in FIG. 8.
  • the terminal accesses the GPRS network carrying the device type parameter, and the SGSN determines whether the device type parameter matches the subscription data.
  • the specific process is as follows:
  • the user initiates an attach request to the SGSN through the RNS for the first time, carrying parameters such as the attach type, the IMSI and the device type.
  • the RNS routes the message to the SGSN according to its load condition, using the International Mobile Subscriber Identity (IMSI) of the user as the request identifier;
  • the device type identifies whether the terminal is an M2M device or an H2H device, and may further identify which type of M2M device or H2H device, such as meter reading or monitoring; the types may be defined according to the operator's requirements.
  • the default value of the H2H device type parameter is null.
  • the SGSN requests the HLR to authenticate the IMSI; the HLR returns the authentication parameters according to the IMSI, and the SGSN authenticates the UE.
  • the SGSN sends a location update request to the HLR, carrying the SGSN number and address, the IMSI, and so on;
  • the HLR sends the user subscription data corresponding to the IMSI to the SGSN.
  • the user subscription data includes information such as the bandwidth and the device type, and indicates whether the device is an M2M device or an H2H device. Where this information is absent, the operator can distinguish the device type by assigning different IMSI segments;
  • the SGSN performs an access control check on the ME, and checks whether the UE has a regional restriction or an access restriction.
  • the SGSN also needs to check whether the device type carried by the terminal matches the device type in the user subscription data. If they do not match, for example the terminal carries the H2H device type while the user subscription data indicates an M2M device, the SGSN denies access to the terminal and identifies it as an illegal terminal access.
  • the SGSN sends an insert user data response message to the HLR, carrying information such as whether the UE is allowed to access and whether it is an illegal terminal;
  • when the SGSN finds that the device type carried by the terminal does not match the user subscription data, it rejects the attach request of the terminal and carries a cause value of illegal terminal access to the UE, indicating that the UE is an illegal terminal.
  • Embodiment 4 of the present invention is shown in FIG. 9.
  • the terminal accesses the GPRS network carrying the device access capability parameter, and the SGSN determines whether the device access capability matches the subscription data.
  • the specific process is as follows:
  • the user initiates an attach request to the SGSN through the RNS for the first time, carrying parameters such as the attach type, the IMSI and the device access capability.
  • the RNS routes the message to the SGSN according to its load condition, using the IMSI of the user as the request identifier;
  • the device access capability identifies whether the terminal has M2M access capability or H2H access capability; the access capability parameter may be carried as an extension of the terminal's network capability field.
  • the access capability parameter may also be extended to identify which type of M2M access capability or which type of H2H access capability the terminal has, such as the PS only class or the high availability class; the types may be defined according to the operator's requirements;
  • the default value of the H2H access capability parameter is null.
  • the SGSN requests the HLR to authenticate the IMSI; the HLR returns the authentication parameters according to the IMSI, and the SGSN authenticates the UE.
  • the SGSN sends a location update request to the HLR, carrying the SGSN number and address, the IMSI, and so on;
  • the HLR sends the user subscription data corresponding to the IMSI to the SGSN.
  • the user subscription data includes information such as the bandwidth and the device access capability, and indicates whether the subscriber has subscribed to the M2M access capability or the H2H access capability.
  • the SGSN performs an access control check on the ME, and checks whether the UE has a regional restriction or an access restriction.
  • the SGSN also needs to check whether the device access capability carried by the terminal matches the device access capability in the user subscription data. If they do not match, for example the terminal carries the H2H access capability while the user subscription data indicates the M2M access capability, the SGSN rejects the access of the terminal and identifies it as an illegal terminal access.
  • the SGSN sends an insert user data response message to the HLR, carrying information such as whether the UE is allowed to access and whether it is an illegal terminal;
  • when the SGSN finds that the device access capability carried by the terminal does not match the user subscription data, it rejects the attach request of the terminal and carries a cause value of illegal terminal access to the UE, indicating that the UE is an illegal terminal.
  • the present invention also provides a system for preventing illegal terminal access, comprising a network side configured to determine, when a terminal requests access to the network, whether the device type and/or the device access capability of the terminal matches the user subscription data, and to deny the terminal access to the network if they do not match.
  • the device type refers to a mobile phone type device or a machine type device; the device access capability refers to mobile phone type device access capability or machine type device access capability.
  • the network side is configured to obtain the device type and/or the device access capability of the terminal from the access request sent by the terminal.
  • the network side considers the device type and/or device access capability of the terminal not to match the user subscription data when the device type of the terminal does not match the device type in the user subscription data, or the device access capability of the terminal does not match the device access capability in the user subscription data, or the device type of the terminal does not match the device access capability in the user subscription data, or the device access capability of the terminal does not match the device type in the user subscription data.
  • the network side is further configured to return a reject cause value to the terminal when the terminal is denied access to the network, indicating that the terminal is an illegal terminal.
  • the present invention further provides a terminal for preventing illegal access, wherein the terminal is configured to carry its device type and/or device access capability in the access request when requesting access to the network.
  • the device type refers to a mobile phone type device or a machine type device; the device access capability refers to mobile phone type device access capability or machine type device access capability.
  • the invention prevents the access of illegal terminals by checking the user equipment information.
  • the MME/SGSN can determine whether the device is illegal from the matching relationship between the device type/device access capability and the subscription data: if the terminal is an H2H terminal while the subscription data is a subscription for an M2M terminal, the access is considered an illegal device access, and vice versa.
  • the method can effectively prevent an illegal user from stealing the USIM of an MTC device to access the network, and ensures the security of MTC communication.
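The four embodiments above and the system description all reduce to one decision taken by the MME or SGSN once subscription data has arrived: compare what the terminal carried (device type and/or access capability, null meaning H2H) with what the subscription says (or, if the subscription carries nothing, with the operator's IMSI segment), and reject with an illegal-terminal cause value on mismatch. The following Python is an added illustration of that decision, not ZTE's code and not a 3GPP-defined encoding: the "FAMILY:subclass" string form, the field names, the IMSI-prefix table, the cause strings and the subscription records are all assumptions made for this example.

```python
"""Attach-time device type / access capability check modelled on the MME/SGSN
procedure described on this page. Added illustration only: not ZTE's code and
not a 3GPP encoding. Value form 'FAMILY' or 'FAMILY:subclass', field names,
IMSI-prefix table and cause strings are assumptions made for the example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

H2H = "H2H"
M2M = "M2M"
CAUSE_ILLEGAL_TERMINAL = "illegal terminal access"   # assumed cause value name
CAUSE_UNKNOWN_IMSI = "IMSI unknown or blacklisted"   # assumed cause value name

@dataclass(frozen=True)
class AttachRequest:
    """What the terminal carries; None is the H2H default ('null' on the page)."""
    imsi: str
    device_type: Optional[str] = None
    access_capability: Optional[str] = None

@dataclass(frozen=True)
class Subscription:
    apn: str
    device_type: Optional[str] = None
    access_capability: Optional[str] = None

@dataclass(frozen=True)
class AttachResult:
    accepted: bool
    cause: Optional[str] = None
    illegal_terminal: bool = False

class Hss:
    """Stand-in for the HSS/HLR: subscription lookup plus the operator's M2M IMSI segments."""
    def __init__(self, subscriptions: Dict[str, Subscription], m2m_imsi_prefixes: Tuple[str, ...] = ()):
        self._subs = dict(subscriptions)
        self._m2m_prefixes = tuple(m2m_imsi_prefixes)

    def lookup(self, imsi: str) -> Optional[Subscription]:
        return self._subs.get(imsi)

    def in_m2m_segment(self, imsi: str) -> bool:
        return any(imsi.startswith(p) for p in self._m2m_prefixes)

def family(value: str) -> str:
    return value.split(":", 1)[0]

def subclass(value: str) -> Optional[str]:
    return value.split(":", 1)[1] if ":" in value else None

def terminal_claims(req: AttachRequest) -> Dict[str, str]:
    """Fields the terminal actually carried; carrying neither means an H2H device."""
    claims = {k: v for k, v in (("device_type", req.device_type),
                                ("access_capability", req.access_capability)) if v is not None}
    return claims or {"device_type": H2H}

def subscribed_values(sub: Subscription, imsi: str, hss: Hss) -> Dict[str, str]:
    """Fields provisioned in the subscription; with none, fall back to the IMSI segment
    (the page: the operator may distinguish device types by assigning IMSI segments)."""
    vals = {k: v for k, v in (("device_type", sub.device_type),
                              ("access_capability", sub.access_capability)) if v is not None}
    return vals or {"device_type": M2M if hss.in_m2m_segment(imsi) else H2H}

def matches_subscription(claims: Dict[str, str], subscribed: Dict[str, str]) -> bool:
    """Every terminal value is compared with every subscribed value (type vs type,
    capability vs capability, and both cross combinations) at the M2M/H2H level; when
    both sides carry a subclass for the same field, the subclasses must match as well."""
    for ck, cv in claims.items():
        for sk, sv in subscribed.items():
            if family(cv) != family(sv):
                return False
            if ck == sk and subclass(cv) and subclass(sv) and subclass(cv) != subclass(sv):
                return False
    return True

def mme_attach(req: AttachRequest, hss: Hss) -> AttachResult:
    """Network-side decision after the eNodeB/RNS has forwarded the attach request."""
    sub = hss.lookup(req.imsi)
    if sub is None:
        return AttachResult(False, CAUSE_UNKNOWN_IMSI)   # authentication data request fails
    # IMSI authentication and the security mode procedure are assumed to have succeeded;
    # the device check below is the step the page adds once subscription data arrives.
    if not matches_subscription(terminal_claims(req), subscribed_values(sub, req.imsi, hss)):
        return AttachResult(False, CAUSE_ILLEGAL_TERMINAL, illegal_terminal=True)
    return AttachResult(True)

def insert_user_data_response(result: AttachResult) -> Dict[str, bool]:
    """What the MME/SGSN reports back to the HSS/HLR in the insert user data response."""
    return {"ue_allowed": result.accepted, "illegal_terminal": result.illegal_terminal}

# Constructed subscription records and IMSI segment for the example (not real subscribers).
HSS = Hss(
    subscriptions={
        "460001234567890": Subscription(apn="m2m.meter", device_type="M2M:meter_reading"),
        "460001234567891": Subscription(apn="internet"),                    # H2H phone, no type field
        "460009876543210": Subscription(apn="m2m.monitor", access_capability="M2M:ps_only"),
        "460007777777777": Subscription(apn="m2m.legacy"),                  # typed only by IMSI segment
    },
    m2m_imsi_prefixes=("4600077",),
)

def run_scenarios(hss: Hss = HSS) -> Dict[str, AttachResult]:
    return {
        "stolen_m2m_usim_in_phone": mme_attach(AttachRequest("460001234567890"), hss),
        "meter_with_own_usim": mme_attach(AttachRequest("460001234567890", device_type="M2M:meter_reading"), hss),
        "wrong_m2m_class": mme_attach(AttachRequest("460001234567890", device_type="M2M:monitoring"), hss),
        "phone_usim_in_m2m_device": mme_attach(AttachRequest("460001234567891", device_type="M2M:meter_reading"), hss),
        "capability_vs_type_cross_check": mme_attach(AttachRequest("460009876543210", device_type="M2M:monitoring"), hss),
        "imsi_segment_fallback": mme_attach(AttachRequest("460007777777777"), hss),
        "unknown_imsi": mme_attach(AttachRequest("460001111111111"), hss),
    }

if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name:32s} accepted={res.accepted!s:5s} cause={res.cause} -> HSS {insert_user_data_response(res)}")
```

The cross-combination rule from the system description is what makes the `capability_vs_type_cross_check` scenario pass: the terminal only declares a device type, the subscription only provisions an access capability, and the two are compared at the M2M/H2H level. Note that the check only defends against a USIM moved into a device that honestly reports its type; a device that lies in the attach request is not caught by this mechanism, which is why the page positions it as a complement to IMSI authentication rather than a replacement for it.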

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, system and terminal for preventing the access from illegal terminals are disclosed. The method comprises: when a terminal requests to access a network, a network side judges whether the device type and/or the device accessing capability of the terminal match the subscription data of users, and if not, the network side denies the terminal the access to the network. The present application can prevent the phenomenon that users maliciously misappropriate the universal subscriber identity module (USIM) of a machine type communication (MTC) device to access the network and ensure the security of the MTC communication.

Description

Method, terminal and system for preventing illegal terminal access
Technical field
The present invention relates to the field of mobile communications, and in particular to a method, terminal and system for preventing an illegal terminal from stealing the Universal Subscriber Identity Module (USIM) of another device to access the network.
Background art
In recent years, Machine to Machine (M2M) services have gradually come into use, in applications such as logistics systems, remote meter reading and smart homes. M2M service providers run M2M services over existing wireless PS networks such as the General Packet Radio Service (GPRS) network and the Evolved Packet System (EPS) network. Because M2M services differ markedly from Human to Human (H2H) services, the existing network needs to be optimized accordingly to obtain the best network management and communication quality.
The GPRS network is a packet-switched second-generation mobile communication network; in third-generation mobile communication systems, GPRS evolved into the Universal Mobile Telecommunication System Packet Switched (UMTS PS) domain. FIG. 1 shows the UMTS PS network architecture, which contains the following network elements:
Radio Network System (RNS): the RNS contains the NodeB and the Radio Network Controller (RNC). The NodeB provides the air interface connection for terminals; the RNC mainly manages radio resources and controls the NodeB. The RNC and NodeB are connected via the Iub interface, and terminals access the UMTS packet core network (Packet Core) through the RNS;
Serving GPRS Support Node (SGSN): stores the user's routing area location information and is responsible for security and access control; the SGSN is connected to the RNS via the Iu interface. Gateway GPRS Support Node (GGSN): responsible for allocating the terminal's IP address and for the gateway function to external networks; internally it is connected to the SGSN via the Gn interface. Home Location Register (HLR): stores the user's subscription data and the address of the SGSN currently serving the user; it is connected to the SGSN via the Gr interface and to the GGSN via the Gc interface;
Packet Data Network (PDN): provides packet-based service networks for users, and is connected to the GGSN via the Gi interface.
In FIG. 1, a Machine Type Communication (MTC) UE needs to transmit data to the MTC Server or to other MTC UEs through the GPRS network. The GPRS network establishes a tunnel between the RNC, SGSN and GGSN for this transmission; the tunnel is based on the GPRS Tunneling Protocol (GTP), and the data is transmitted reliably through the GTP tunnel.
With the development of wireless broadband technology, the service layer places ever higher performance requirements on the transport layer in terms of bandwidth and delay. To improve network performance and reduce network construction and operating costs, 3GPP is pursuing the study of System Architecture Evolution (SAE), whose aim is for the Evolved Packet Core (EPC) to provide higher transmission rates, shorter transmission delays, optimized packet handling, and mobility management between Evolved UTRAN (E-UTRAN), UTRAN, Wireless Local Area Network (WLAN) and other non-3GPP access networks.
The current SAE architecture is shown in FIG. 2. The network element contained in the Evolved Radio Access Network (E-RAN) is the Evolved NodeB (eNodeB), which provides radio resources for user access; the Packet Data Network (PDN) is the network that provides services to users; the EPC provides lower latency and allows more radio access systems to connect, and includes the following network elements:
Mobility Management Entity (MME): a control plane functional entity and a server that temporarily stores user data. It manages and stores the context of the User Equipment (UE) (such as user identity, mobility management state and user security parameters), allocates temporary identifiers to users, and is responsible for authenticating the user when the UE camps in its tracking area or network;
Serving Gateway (SGW): a user plane entity responsible for user plane data routing, which terminates downlink data for UEs in the idle (ECM-IDLE) state. It manages and stores the UE's SAE bearer context, such as IP bearer service parameters and network-internal routing information. The SGW is the user plane anchor within the 3GPP system; a user has only one SGW at any given time;
PDN Gateway (PGW): the gateway responsible for UE access to the PDN. It allocates the user's IP address and is the mobility anchor between 3GPP and non-3GPP access systems; its functions also include policy enforcement and charging support. A user can access multiple PGWs at the same time. The Policy and Charging Enforcement Function (PCEF) is also located in the PGW;
Policy and Charging Rules Function (PCRF): responsible for providing policy control and charging rules to the PCEF;
Home Subscriber Server (HSS): responsible for permanently storing user subscription data. The content stored by the HSS includes the UE's International Mobile Subscriber Identity (IMSI) and the IP address of the PGW.
Physically, the SGW and PGW may be combined; the user plane network elements of the EPC system comprise the SGW and the PGW.
Machine Type Communication Server (MTC Server): mainly responsible for information collection, data storage and processing for MTC devices, and can perform necessary management of MTC devices.
Machine Type Communication Device (MTC UE): similar to a UE, it also comprises a Universal Integrated Circuit Card (UICC) and Mobile Equipment (ME). It is usually responsible for collecting information from a number of collectors, accessing the core network through a RAN node, and exchanging data with the MTC Server.
In FIG. 2, the MTC UE needs to transmit data to the MTC Server or to other MTC UEs through the SAE network. The SAE network establishes a GTP tunnel between the SGW and the PGW for this transmission, and the data is transmitted reliably through the GTP tunnel.
FIG. 3 shows the prior-art process in which a UE accesses the EPS network and performs network attachment and IP bearer establishment.
301. To access the SAE network, the UE initiates a network attach request to the eNodeB, carrying information such as the International Mobile Subscriber Identity (IMSI), the network access capability of the UE, and an indication requesting IP allocation;
302. The eNodeB selects an MME to serve the UE and forwards the attach request to that MME, also passing important information such as the UE's identifier to the MME;
303, 303a. The MME sends an authentication data request message (containing the IMSI) to the HSS. The HSS first looks up the subscription data corresponding to the IMSI; if no subscription is found or the IMSI has been blacklisted, the HSS returns an authentication data response to the MME carrying the appropriate error cause; 303b. if subscription data corresponding to the IMSI is found, the HSS returns an authentication data response message (containing an authentication vector) to the MME;
The MME performs the authentication procedure to verify the legitimacy of the terminal's IMSI, and performs the security mode procedure to enable a secure connection.
304. The MME sends a location update request to the HSS of the home network, carrying the MME's identifier and the UE's identifier, to inform the HSS of the area the UE currently accesses;
305. The HSS looks up the UE's subscription data according to the UE's identifier and sends it to the MME. The user data mainly contains information such as the default Access Point Name (APN) and the bandwidth;
The MME receives the user data, checks whether the UE is allowed to access the network, and returns an insert user data response to the HSS; if the MME finds that the UE has roaming restrictions or access restrictions, the MME prohibits the UE from attaching and notifies the HSS.
306. The HSS sends a location update acknowledgement response to the MME;
307. The MME selects an S-GW for the UE and sends it a request to establish the default bearer. In the request, the MME gives the S-GW the necessary information: the UE's identifier, the MME's identifier, an indication to allocate an IP address for the UE, default bandwidth information, the PDN GW address, and so on;
308. The S-GW sends a request to establish the default bearer to the PDN GW. In the request, the S-GW gives the PDN GW the necessary information: the S-GW address, default bandwidth information, an indication to allocate an IP address for the UE, and so on;
309. If necessary, the PDN GW requests from the PCRF the policy and charging rules and decision information configured for the UE; 310. The PDN GW establishes the default bearer according to the policy and charging decision information returned by the PCRF, and returns a bearer establishment response to the S-GW;
311. The S-GW sends a default bearer establishment response to the MME;
312. The MME sends an attach response to the eNodeB, indicating that the UE's request to attach to the network has been accepted;
313. The eNodeB sends a radio bearer establishment request to the UE, requiring the UE to store the important bearer information and open the corresponding ports. The radio bearer establishment request carries the bearer network ID, the PDN GW address, the IP address allocated to the UE, bandwidth information, and so on;
314. The UE sends a radio bearer establishment response to the eNodeB;
315. The eNodeB notifies the MME that the attach procedure is complete;
316. The MME sends an update bearer request to the S-GW, notifying it of the identifier and address of the eNodeB serving the UE;
317. The S-GW sends an update bearer response to the MME;
318. If the PDN GW was not the one designated by the HSS, the MME sends a location update request to the HSS to notify it of the address of the PDN GW serving the UE, and the HSS updates this information.
In FIG. 3, the SAE network's authentication of the UE mainly consists of verifying the legitimacy of the IMSI.
FIG. 4 shows the prior-art process in which a UE accesses the GPRS network and performs network attachment.
401. The user initiates an attach request to the SGSN through the RNS for the first time, carrying parameters such as the attach type and the IMSI. According to its load, the RNS routes the message to the SGSN using the user's International Mobile Subscriber Identity (IMSI) as the request identifier;
402. The SGSN requests the HLR to authenticate the IMSI; the HLR returns the authentication parameters according to the IMSI, and the SGSN authenticates the UE;
403. The SGSN sends a location update request to the HLR, carrying parameters such as the SGSN number and address and the IMSI;
404. The HLR sends the subscription data corresponding to the IMSI to the SGSN; the SGSN performs an access control check on the ME, checking whether the UE has a regional restriction or an access restriction, and then returns an insert user data response to the HLR.
405. The HLR acknowledges the location update message and sends a location update response to the SGSN. If the location update request is rejected by the HLR, the SGSN rejects the UE's attach request;
406. The SGSN allocates a Packet Temporary Mobile Subscriber Identity (P-TMSI) to the user, then sends an attach accept message to the UE carrying information such as the P-TMSI allocated to the UE;
407. If the P-TMSI has been updated, the MS returns an attach complete message to the SGSN for confirmation, completing the GPRS attach procedure.
In FIG. 4, the GPRS network's authentication of the UE mainly consists of verifying the legitimacy of the IMSI.
M2M services are networked applications and services centred on the intelligent interaction of machine terminals. They use intelligent machine terminals that transmit information over wireless networks to provide customers with information solutions that meet their needs for monitoring, command and dispatch, data collection and measurement.
The communicating parties in M2M are machines: communication may be between a person and a machine, between a machine and a server, or between different intelligent terminals. MTC devices for different applications have different characteristics: lift equipment such as elevators has low mobility and PS-only attributes, while monitoring and alarm equipment has, in addition to low mobility and PS-only, attributes such as low data transmission and high availability. Different system optimizations are therefore needed for MTC devices of different applications, so that MTC devices can be effectively managed, monitored and charged.
In existing GPRS and LTE networks, as can be seen from the flows of FIG. 3 and FIG. 4, the prior art only supports authentication of the identity of an ordinary mobile subscriber, that is, authentication of the user's IMSI. As long as the IMSI's subscription in the HSS is in order, the terminal device can access the network; this cannot meet the communication security requirements of M2M applications.
With the introduction of M2M communication, and especially given the special nature of MTC devices (such as unattended outdoor MTC terminals), anti-theft measures and prevention of illegal access to the MTC server are very important requirements. In a scenario where H2H and M2M applications coexist, an illegal user may steal the SIM card of an MTC terminal and insert it into an H2H device, so that the H2H device accesses the network illegally with the IMSI of the MTC device. Not only can it then enjoy the MTC terminal's tariff discounts and other personalized services; more importantly, it can illegally intrude into the MTC Server, posing a serious threat to the information security of the MTC Server. The network procedures therefore need to be optimized to prevent illegal devices from accessing the network with the USIM of an M2M terminal.
Summary of the invention
The technical problem addressed by the present invention is to provide a method, terminal and system for preventing illegal terminal access, so that an illegal terminal cannot attach to the network, thereby improving communication security.
To solve the above problem, the present invention provides a method for preventing illegal terminal access, comprising: when a terminal requests access to the network, the network side judges whether the device type and/or device access capability of the terminal matches the user subscription data, and if they do not match, the network side rejects the terminal's access to the network.
The method may further have the following feature: the network side obtains the device type and/or device access capability of the terminal from the access request sent by the terminal.
The method may further have the following feature: the device type is a handset-class device or a machine-class device; the device access capability is a handset-class device access capability or a machine-class device access capability.
The method may further have the following feature: a mismatch means that the device type of the terminal does not match the device type in the user subscription data, or the device access capability of the terminal does not match the device access capability in the user subscription data; or the device type of the terminal does not match the device access capability in the user subscription data, or the device access capability of the terminal does not match the device type in the user subscription data.
The method may further have the following feature: when the network side rejects the terminal's access to the network, the method further comprises returning a reject cause value to the terminal, indicating that the terminal is an illegal terminal.
The present invention also provides a system for preventing illegal terminal access, comprising a network side configured to: when a terminal requests access to the network, judge whether the device type and/or device access capability of the terminal matches the user subscription data, and if they do not match, reject the terminal's access to the network.
The system may further have the following feature: the network side is further configured to obtain the device type and/or device access capability of the terminal from the access request sent by the terminal.
The system may further have the following feature: the device type is a handset-class device or a machine-class device; the device access capability is a handset-class device access capability or a machine-class device access capability.
The system may further have the following feature: the network side is configured to consider that the device type and/or device access capability of the terminal does not match the user subscription data when the device type of the terminal does not match the device type in the user subscription data, or the device access capability of the terminal does not match the device access capability in the user subscription data, or the device type of the terminal does not match the device access capability in the user subscription data, or the device access capability of the terminal does not match the device type in the user subscription data.
The system may further have the following feature: the network side is further configured to return a reject cause value to the terminal when rejecting the terminal's access to the network, indicating that the terminal is an illegal terminal.
The present invention further provides a terminal for preventing illegal access, the terminal being configured to: when requesting access to the network, carry the device type and/or device access capability of the terminal in the access request.
The terminal may further have the following feature: the device type is a handset-class device or a machine-class device; the device access capability is a handset-class device access capability or a machine-class device access capability.
With the method of the present invention, when an illegal terminal attaches to the network using the USIM of another M2M device, the MME/SGSN can determine whether the attaching device is illegal from whether the device type / device access capability matches the subscription data. If the terminal is an H2H terminal but the subscription is an M2M terminal subscription, the access is treated as illegal device access, and vice versa. The method effectively prevents a malicious user from attaching to the network with a stolen MTC USIM and protects the security of MTC communication.
Brief description of the drawings
Fig. 1 is a schematic diagram of the GPRS network system architecture in the prior art;
Fig. 2 is a schematic diagram of the EPS network system architecture in the prior art;
Fig. 3 is a flow chart of an MTC UE attaching to an EPS network in the prior art;
Fig. 4 is a flow chart of an MTC UE attaching to a GPRS network in the prior art;
Fig. 5 is a flow chart of an illegal MTC UE attaching to a PS network according to the present invention;
Fig. 6 is a flow chart of an illegal MTC UE attaching to an EPS network according to Embodiment 1 of the present invention;
Fig. 7 is a flow chart of an illegal MTC UE attaching to an EPS network according to Embodiment 2 of the present invention;
Fig. 8 is a flow chart of an illegal MTC UE attaching to a GPRS network according to Embodiment 3 of the present invention;
Fig. 9 is a flow chart of an illegal MTC UE attaching to a GPRS network according to Embodiment 4 of the present invention.
Preferred embodiments of the invention
The technical solution of the present invention is described in further detail below with reference to the drawings and specific embodiments, so that those skilled in the art can better understand and implement the invention; the embodiments given do not limit the invention.
In the present invention the terminal needs to carry device-class information: either device type information, indicating whether the device is a machine-class device or a handset-class device, or device access capability information, indicating whether the device has machine-class access capability or handset-class access capability. After the SGSN/MME has downloaded the user subscription data from the user database, it can determine from the subscription data whether the subscription is a machine-class subscription or a handset-class subscription. There are several ways to do this: the subscription data may record M2M access capability or H2H access capability; it may be flagged as M2M device subscription information or H2H device subscription information; or the class may be identified from a field of the IMSI, with H2H devices and M2M devices using different IMSI number ranges defined by the operator. When the MME/SGSN determines that the terminal's device information does not match the subscription data, it must reject the terminal's access in order to protect the network, and it returns the reason for the rejection to both the user database and the terminal.
The method for preventing illegal terminal access provided by the present invention comprises: when a terminal requests access to the network, the network side judges whether the device information of the terminal matches the user subscription data, and if they do not match, it rejects the terminal's access to the network.
The device information of the terminal is carried to the network by the terminal in the access request.
The device information may be a device type and/or a device access capability. The device type may be a machine-class device (also called an M2M device) or a handset-class device (also called an H2H device). The device access capability is a machine-class device access capability (also called M2M access capability) or a handset-class device access capability (also called H2H access capability).
The user subscription data may contain device type information and/or device access capability information.
A mismatch between the terminal's device information and the user subscription data means that the device type of the terminal does not match the device type contained in the subscription data, or the device access capability of the terminal does not match the device access capability contained in the subscription data. The definition can also be extended to the device type of the terminal not matching the device access capability contained in the subscription data, or the device access capability of the terminal not matching the device type contained in the subscription data. For example, if the terminal's device type is the H2H device type and the subscription data records M2M access capability, the two are considered not to match.
Further, when the network rejects the terminal's access, it also returns a cause value for illegal access to the terminal, identifying the terminal as an illegal terminal.
Fig. 5 is a flow chart of the method of the present invention, which comprises the following steps:
501: The MTC UE sends an Attach Request message to the PS core network through the radio access network; the Attach Request message is extended with a new device information parameter.
The device information parameter may be a device type, indicating whether the terminal is a machine-class device (MTC device) or a handset-class device (H2H device). The device type may also be extended to define different kinds of machine-class device or different kinds of handset-class device, as the operator requires.
For handset-class devices the device type may default to an empty value.
The device information parameter may also be a device access capability, indicating whether the terminal has machine-class device access capability or handset-class device access capability; this parameter may be added to the terminal network capability field. The device access capability may likewise be extended to define different kinds of machine-class or handset-class access capability, as the operator requires.
For handset-class devices the device access capability may default to an empty value.
502: The PS core network sends an Update Location request to the HLR/HSS, carrying the PS core network address, the IMSI and other parameters.
The HLR/HSS is the user database.
503: The HLR/HSS finds the user subscription data corresponding to the IMSI and downloads it to the PS core network.
Depending on operator requirements, the subscription data may contain device access capability information, i.e. machine-class device access capability (M2M access capability) or handset-class device access capability (H2H access capability); it may also contain device type information, i.e. machine-class device (M2M device) or handset-class device (H2H device).
504: The PS core network matches the device information carried in the terminal's Attach Request message against the subscription data downloaded from the user database; if they do not match, it rejects the terminal's access request and returns the reject reason to the HLR/HSS in the Insert Subscriber Data response.
A mismatch may be that the device type of the terminal is inconsistent with the device type indicated in the subscription data; or the device access capability of the terminal is inconsistent with the device access capability indicated in the subscription data; or the device type of the terminal is inconsistent with the device access capability indicated in the subscription data; or the device access capability of the terminal is inconsistent with the device type indicated in the subscription data.
505: Having found that the device information carried by the terminal does not match the device information in the subscription data, the PS core network rejects the terminal's access to the network and sends a reject message to the terminal.
The reject message may carry a reject cause value indicating that the terminal is an illegal terminal.
Embodiment 1 of the present invention is shown in Fig. 6: when the terminal attaches to the EPS network it carries a device type parameter, and the MME judges whether the device type parameter matches the subscription data. The procedure is as follows:
601: To attach to the SAE network, the UE sends an Attach Request to the eNodeB, carrying the IMSI, the device type, the UE's network access capability, a request for IP address allocation and other information.
The device type may identify whether the terminal is an M2M device or an H2H device, and may be extended to identify which kind of M2M device or H2H device it is, for example meter-reading or monitoring M2M device types, as defined by the operator.
For an H2H device the parameter may default to empty, i.e. the device type field is left empty.
602: The eNodeB selects an MME to serve the UE and forwards the Attach Request to that MME, passing along the UE identity, the UE's device type and other important information.
603: The MME sends an Authentication Data Request (containing the IMSI) to the HSS; the HSS finds the subscription data for the IMSI and returns an Authentication Data Response (containing the authentication vectors) to the MME.
The MME runs the authentication procedure to verify the legitimacy of the terminal's IMSI, and runs the security mode procedure to establish a secure connection.
604: The MME sends an Update Location Request to the HSS of the home network, carrying the MME identity and the UE identity, to inform the HSS of the area in which the UE is currently attached.
605: The HSS looks up the UE's subscription data by the UE identity and sends it to the MME. The subscription data mainly contains the default Access Point Name (APN), bandwidth and similar information.
The subscription data may contain the device type, indicating whether the device is an M2M device or an H2H device. If this information is absent, the operator can distinguish the device class by allocating different IMSI number ranges.
606: The MME receives the subscription data and checks whether the UE is allowed to access the network; if the MME finds that the UE is subject to a roaming restriction or access restriction, it prohibits the UE from attaching and notifies the HSS.
If the UE is not subject to such restrictions, the MME also checks whether the device type parameter carried by the terminal matches the device type corresponding to the subscription data. If they do not match, for example the terminal reports an H2H device while the subscription data indicates an M2M device, the MME rejects the terminal's access and marks it as an illegal terminal access.
607: The MME sends an Insert Subscriber Data Response to the HSS, carrying whether the UE is allowed to access and whether it is an illegal terminal.
608 to 609: Having found that the device type carried by the terminal does not match the subscription data, the MME rejects the terminal's Attach Request and sends the UE a cause value for illegal terminal access, indicating that the UE is an illegal terminal.
Embodiment 2 of the present invention is shown in Fig. 7: when the terminal attaches to the EPS network it carries a device access capability parameter, and the MME judges whether the device access capability parameter matches the subscription data. The procedure is as follows:
701: To attach to the SAE network, the UE sends an Attach Request to the eNodeB, carrying the IMSI, the device access capability, the UE's network access capability, a request for IP address allocation and other information.
The device access capability may identify whether the terminal has M2M access capability or H2H access capability; the parameter may be added to the terminal network capability field. The device access capability indication may also be extended to identify which kind of M2M access capability or H2H access capability it is, for example PS only or high availability M2M access capability types, as defined by the operator.
For H2H access capability the parameter may default to empty.
702: The eNodeB selects an MME to serve the UE and forwards the Attach Request to that MME, passing along the UE identity, the UE's access capability and other important information.
703: The MME sends an Authentication Data Request (containing the IMSI) to the HSS; the HSS finds the subscription data for the IMSI and returns an Authentication Data Response (containing the authentication vectors) to the MME.
The MME runs the authentication procedure to verify the legitimacy of the terminal's IMSI, and runs the security mode procedure to establish a secure connection.
704: The MME sends an Update Location Request to the HSS of the home network, carrying the MME identity and the UE identity, to inform the HSS of the area in which the UE is currently attached.
705: The HSS looks up the UE's subscription data by the UE identity and sends it to the MME. The subscription data mainly contains the default Access Point Name (APN), bandwidth and similar information.
The subscription data may contain the device access capability, indicating whether the subscription is for M2M access capability or H2H access capability.
706: The MME receives the subscription data, checks whether the UE is allowed to access the network, and returns an Insert Subscriber Data response to the HSS; if the MME finds that the UE is subject to a roaming restriction or access restriction, it prohibits the UE from attaching and notifies the HSS.
If the UE is not subject to such restrictions, the MME also checks whether the device access capability carried by the terminal matches the device access capability corresponding to the subscription data. If they do not match, for example the terminal reports H2H access capability while the subscription data indicates M2M access capability, the MME rejects the terminal's access and marks it as an illegal terminal access.
707: The MME sends an Insert Subscriber Data Response to the HSS, carrying whether the UE is allowed to access and whether it is an illegal terminal.
708 to 709: Having found that the device access capability carried by the terminal does not match the subscription data, the MME rejects the terminal's Attach Request and sends the UE a cause value for illegal terminal access, indicating that the UE is an illegal terminal.
Embodiment 3 of the present invention is shown in Fig. 8: when the terminal attaches to the GPRS network it carries a device type parameter, and the SGSN judges whether the device type parameter matches the subscription data. The procedure is as follows:
801: The user first sends an Attach Request to the SGSN through the RNS, carrying the attach type, the IMSI, the device type and other parameters. The RNS routes the message to an SGSN according to its load, using the user's International Mobile Subscriber Identity (IMSI) as the request identifier.
The device type may identify whether the terminal is an M2M device or an H2H device, and may be extended to identify which kind of M2M device or H2H device it is, for example meter-reading or monitoring M2M devices, as defined by the operator.
For an H2H device the parameter may default to empty.
802: The SGSN requests the HLR to authenticate the IMSI; the HLR returns the authentication parameters for the IMSI, and the SGSN authenticates the UE.
803: The SGSN sends an Update Location request to the HLR, carrying the SGSN number and address, the IMSI and other parameters.
804: The HLR downloads the subscription data corresponding to the IMSI to the SGSN. Besides bandwidth and similar information, the subscription data may contain the device type, indicating whether the device is an M2M device or an H2H device. If this information is absent, the operator can distinguish the device class by allocating different IMSI number ranges.
805: The SGSN performs the access control check on the ME, checking whether the UE is subject to an area restriction or access restriction. The SGSN also checks whether the device type carried by the terminal matches the device type corresponding to the subscription data. If they do not match, for example the terminal reports an H2H device while the subscription data indicates an M2M device, the SGSN rejects the terminal's access and marks it as an illegal terminal access.
806: The SGSN sends an Insert Subscriber Data response to the HLR, carrying whether the UE is allowed to access and whether it is an illegal terminal.
807: Having found that the device type carried by the terminal does not match the subscription data, the SGSN rejects the terminal's Attach Request and sends the UE a cause value for illegal terminal access, indicating that the UE is an illegal terminal.
Embodiment 4 of the present invention is shown in Fig. 9: when the terminal attaches to the GPRS network it carries a device access capability parameter, and the SGSN judges whether the device access capability matches the subscription data. The procedure is as follows:
901: The user first sends an Attach Request to the SGSN through the RNS, carrying the attach type, the IMSI, the device access capability and other parameters. The RNS routes the message to an SGSN according to its load, using the user's IMSI as the request identifier.
The device access capability may identify whether the terminal has M2M access capability or H2H access capability; the parameter may be added to the terminal network capability field. The access capability parameter may also be extended to identify which kind of M2M access capability or H2H access capability it is, for example PS only or high availability M2M access capability types, as defined by the operator.
For H2H access capability the parameter may default to empty.
902: The SGSN requests the HLR to authenticate the IMSI; the HLR returns the authentication parameters for the IMSI, and the SGSN authenticates the UE.
903: The SGSN sends an Update Location request to the HLR, carrying the SGSN number and address, the IMSI and other parameters.
904: The HLR downloads the subscription data corresponding to the IMSI to the SGSN. Besides bandwidth and similar information, the subscription data may contain the device access capability, indicating whether the subscription is for M2M access capability or H2H access capability.
905: The SGSN performs the access control check on the ME, checking whether the UE is subject to an area restriction or access restriction. The SGSN also checks whether the device access capability carried by the terminal matches the device access capability corresponding to the subscription data. If they do not match, for example the terminal reports H2H access capability while the subscription data indicates M2M access capability, the SGSN rejects the terminal's access and marks it as an illegal terminal access.
906: The SGSN sends an Insert Subscriber Data response to the HLR, carrying whether the UE is allowed to access and whether it is an illegal terminal.
907: Having found that the device access capability carried by the terminal does not match the subscription data, the SGSN rejects the terminal's Attach Request and sends the UE a cause value for illegal terminal access, indicating that the UE is an illegal terminal.
The present invention also provides a system for preventing illegal terminal access, comprising: a network side, configured to determine, when a terminal requests access to the network, whether the device type and/or device access capability of the terminal matches the user subscription data, and, if they do not match, to reject the terminal's access to the network. The device type refers to a mobile-phone-type device or a machine-type device; the device access capability refers to mobile-phone-type device access capability or machine-type device access capability.
The network side is configured to obtain the device type and/or device access capability of the terminal from the access request sent by the terminal.
The network side considers the device type and/or device access capability of the terminal not to match the user subscription data when: the device type of the terminal does not match the device type in the user subscription data; or the device access capability of the terminal does not match the device access capability in the user subscription data; or the device type of the terminal does not match the device access capability in the user subscription data; or the device access capability of the terminal does not match the device type in the user subscription data.
The network side is further configured to, when rejecting the terminal's access to the network, return a reject cause value to the terminal, indicating that the terminal is an illegal terminal.
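The attach-time check of steps 904 to 907 and the four mismatch conditions of the system description above, written out as an added Python example; it is not part of the patent and not ZTE's code. The IMSIs, the HLR table, the message field names and the cause string are constructed placeholders, not 3GPP field names or cause codes, and the handling of a terminal that reports neither field is an assumption the patent does not specify.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class DeviceType(Enum):
    H2H = "H2H"  # handset-type (human-to-human) device
    M2M = "M2M"  # machine-type (MTC) device


@dataclass(frozen=True)
class AccessCapability:
    kind: DeviceType                 # family of access capability: H2H or M2M
    subclass: Optional[str] = None   # M2M class such as "PS_ONLY"; empty by default for H2H


@dataclass
class AttachRequest:
    """Constructed shape of the attach request; the extended fields are optional."""
    imsi: str
    device_type: Optional[DeviceType] = None
    access_capability: Optional[AccessCapability] = None


@dataclass
class Subscription:
    """Constructed shape of the HLR/HSS user subscription data."""
    device_type: Optional[DeviceType] = None
    access_capability: Optional[AccessCapability] = None


# Constructed cause value; a placeholder, not a real GMM/EMM cause code.
CAUSE_ILLEGAL_TERMINAL = "ILLEGAL_TERMINAL"

# Constructed subscription store keyed by IMSI (sample values, not real subscribers).
HLR = {
    "460001234567890": Subscription(DeviceType.M2M, AccessCapability(DeviceType.M2M, "PS_ONLY")),
    "460009876543210": Subscription(DeviceType.H2H, AccessCapability(DeviceType.H2H)),
    "460005555555555": Subscription(access_capability=AccessCapability(DeviceType.M2M)),
}


def _differs(a, b) -> bool:
    """A field can only mismatch when both sides actually carry a value."""
    return a is not None and b is not None and a != b


def _capability_differs(a: Optional[AccessCapability], b: Optional[AccessCapability]) -> bool:
    """Capabilities mismatch on their kind, or on the subclass when both sides specify one."""
    if a is None or b is None:
        return False
    return a.kind != b.kind or _differs(a.subclass, b.subclass)


def access_check(req: AttachRequest, sub: Subscription) -> Tuple[bool, Optional[str], List[str]]:
    """Evaluate the four mismatch conditions on one attach request.
    Returns (accepted, reject_cause, names_of_failed_checks)."""
    req_kind = req.access_capability.kind if req.access_capability else None
    sub_kind = sub.access_capability.kind if sub.access_capability else None
    checks = [
        ("type/type", _differs(req.device_type, sub.device_type)),
        ("capability/capability", _capability_differs(req.access_capability, sub.access_capability)),
        ("type/capability", _differs(req.device_type, sub_kind)),
        ("capability/type", _differs(req_kind, sub.device_type)),
    ]
    failed = [name for name, bad in checks if bad]
    if failed:
        return False, CAUSE_ILLEGAL_TERMINAL, failed
    # Assumption: a terminal carrying neither field cannot be checked by this
    # mechanism and is left to the ordinary access control checks.
    return True, None, []


def handle_attach(req: AttachRequest) -> dict:
    """SGSN/MME-side handling: fetch the subscription, run the check, build the reply."""
    sub = HLR.get(req.imsi)
    if sub is None:
        return {"accepted": False, "cause": "UNKNOWN_SUBSCRIBER", "failed": []}
    ok, cause, failed = access_check(req, sub)
    return {"accepted": ok, "cause": cause, "failed": failed}


if __name__ == "__main__":
    # An H2H handset attaching with the USIM of an M2M subscription (the case in the text).
    print(handle_attach(AttachRequest("460001234567890", DeviceType.H2H, AccessCapability(DeviceType.H2H))))
    # The M2M device the USIM was subscribed for.
    print(handle_attach(AttachRequest("460001234567890", DeviceType.M2M, AccessCapability(DeviceType.M2M, "PS_ONLY"))))
```

The list of failed checks is kept only for the operator's log; the terminal itself receives nothing beyond the single reject cause, which matches step 907.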
The present invention also provides a terminal for preventing illegal access, the terminal being configured to carry its device type and/or device access capability in the access request when requesting access to the network. The device type refers to a mobile-phone-type device or a machine-type device; the device access capability refers to mobile-phone-type device access capability or machine-type device access capability.
By checking the user equipment information, the present invention prevents access by illegal terminals.
The above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Industrial applicability
With the method of the present invention, when an illegal terminal uses the USIM of another M2M device to access the network, the MME/SGSN can determine whether the access comes from an illegal device according to whether the device type/device access capability matches the subscription data. If the terminal is an H2H terminal while the subscription data is that of an M2M terminal, the access is considered illegal device access, and vice versa. The method can effectively prevent an illegal user from maliciously misusing the USIM of an MTC device to access the network, and ensures the security of MTC communication.

Claims

1. A method for preventing illegal terminal access, comprising: when a terminal requests access to the network, the network side determines whether the device type and/or device access capability of the terminal matches the user subscription data, and if they do not match, the network side rejects the terminal's access to the network.
2. The method according to claim 1, wherein the network side obtains the device type and/or device access capability of the terminal from the access request sent by the terminal.
3. The method according to claim 1, wherein the device type refers to a mobile-phone-type device or a machine-type device; and the device access capability refers to mobile-phone-type device access capability or machine-type device access capability.
4. The method according to claim 3, wherein the mismatch means that: the device type of the terminal does not match the device type in the user subscription data; or the device access capability of the terminal does not match the device access capability in the user subscription data; or the device type of the terminal does not match the device access capability in the user subscription data; or the device access capability of the terminal does not match the device type in the user subscription data.
5. The method according to any one of claims 1 to 4, wherein, when the network side rejects the terminal's access to the network, the method further comprises: returning a reject cause value to the terminal, indicating that the terminal is an illegal terminal.
6. A system for preventing illegal terminal access, comprising: a network side, configured to: when a terminal requests access to the network, determine whether the device type and/or device access capability of the terminal matches the user subscription data, and if they do not match, reject the terminal's access to the network.
7. The system according to claim 6, wherein the network side is further configured to: obtain the device type and/or device access capability of the terminal from the access request sent by the terminal.
8. The system according to claim 6, wherein the device type refers to a mobile-phone-type device or a machine-type device; and the device access capability refers to mobile-phone-type device access capability or machine-type device access capability.
9. The system according to claim 8, wherein the network side is configured to consider the device type and/or device access capability of the terminal not to match the user subscription data when: the device type of the terminal does not match the device type in the user subscription data; or the device access capability of the terminal does not match the device access capability in the user subscription data; or the device type of the terminal does not match the device access capability in the user subscription data; or the device access capability of the terminal does not match the device type in the user subscription data.
10. The system according to any one of claims 6 to 9, wherein the network side is further configured to: when rejecting the terminal's access to the network, return a reject cause value to the terminal, indicating that the terminal is an illegal terminal.
11. A terminal for preventing illegal access, the terminal being configured to: when requesting access to the network, carry the device type and/or device access capability of the terminal in the access request.
12. The terminal according to claim 11, wherein the device type refers to a mobile-phone-type device or a machine-type device; and the device access capability refers to mobile-phone-type device access capability or machine-type device access capability.
PCT/CN2010/077919 2009-11-05 2010-10-20 Method, system and terminal for preventing access from illegal terminals WO2011054251A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2009102112458A CN102056169A (en) 2009-11-05 2009-11-05 Method and system for preventing illegal terminal from accessing as well as terminal
CN200910211245.8 2009-11-05

Publications (1)

Publication Number Publication Date
WO2011054251A1 true WO2011054251A1 (en) 2011-05-12

Family

ID=43959981

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/077919 WO2011054251A1 (en) 2009-11-05 2010-10-20 Method, system and terminal for preventing access from illegal terminals

Country Status (2)

Country Link
CN (1) CN102056169A (en)
WO (1) WO2011054251A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102348214A (en) * 2010-08-02 2012-02-08 ***通信集团公司 Terminal type determination method, network congestion alleviation method and related devices
CN102833733B (en) * 2011-06-13 2017-10-17 中兴通讯股份有限公司 A kind of method and system for monitoring the movement of Hypomobility terminal location
CN103220642B (en) * 2012-01-19 2016-03-09 华为技术有限公司 A kind of security processing of short message and device
CN103020531B (en) * 2012-12-06 2015-05-27 中国科学院信息工程研究所 Method and system for trusted control of operating environment of Android intelligent terminal
CN104639509B (en) * 2013-11-14 2018-06-01 ***通信集团公司 A kind of method for processing business and equipment
CN103745353A (en) * 2014-01-23 2014-04-23 福建联迪商用设备有限公司 Electronic payment terminal verification method and system
CN110324274B (en) * 2018-03-28 2022-05-31 华为技术有限公司 Method and network element for controlling terminal to access network
CN110769424B (en) * 2018-07-27 2023-05-26 中国联合网络通信集团有限公司 Illegal terminal identification method and device
CN110881020B (en) * 2018-09-06 2021-07-23 大唐移动通信设备有限公司 Authentication method for user subscription data and data management network element
CN112134828A (en) * 2019-06-25 2020-12-25 中国信息通信研究院 Method and system for controlling user access

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1874595A (en) * 2005-10-31 2006-12-06 华为技术有限公司 Control system and control method for terminal to use network
GB2445004A (en) * 2006-11-22 2008-06-25 Vodafone Plc Controlling the use of access points in a telecommunications network
CN100417296C (en) * 2005-09-20 2008-09-03 华为技术有限公司 Method for controlling terminal accessing to 3G network
CN101345988A (en) * 2007-07-13 2009-01-14 大唐移动通信设备有限公司 Resource allocation method and device of multi-carrier system

Also Published As

Publication number Publication date
CN102056169A (en) 2011-05-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10827865

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10827865

Country of ref document: EP

Kind code of ref document: A1