CN117834732A

CN117834732A - Abnormality detection service subscription method, opening method, system and core network

Info

Publication number: CN117834732A
Application number: CN202211204688.6A
Authority: CN
Inventors: 冯佳新
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2022-09-29
Filing date: 2022-09-29
Publication date: 2024-04-05

Abstract

The embodiment of the application provides an anomaly detection service subscription method, an opening method, a system and a core network, which relate to the field of Internet of things in the field of communication, wherein the anomaly detection service subscription method comprises the following steps: receiving a subscription request message sent by an application server; the subscription request message is used for requesting M terminal devices managed by the application server to subscribe to an abnormality detection service; sending an opening request message to a core network; the opening request message is used for requesting a network element with data analysis capability in the core network to open the abnormality detection service for N terminal devices; n is less than or equal to M, N is an integer greater than 0. The method for subscribing the anomaly detection service not only can save network transmission resources of the terminal equipment and computing resources of the application server, but also can reduce anomaly detection cost and improve the performance of the terminal equipment.

Description

Abnormality detection service subscription method, opening method, system and core network

Technical Field

The embodiment of the application relates to the field of internet of things in the field of communication, and more particularly relates to an anomaly detection service subscription method, an opening method, a system and a core network.

Background

In the related art, in order to realize anomaly detection of an internet of things terminal, a service server acquires position information and a service state reported by the internet of things terminal through real-time communication with the internet of things terminal, and performs analysis and calculation on the service server according to the acquired information, thereby realizing detection of whether the state of the internet of things terminal is abnormal.

However, when the service server performs anomaly detection on the state of the internet of things terminal based on the reported information of the internet of things terminal, the internet of things terminal is required to report the position information of the internet of things terminal and the service state information in real time or periodically, so that a large amount of network transmission resources are occupied; in addition, the additional data acquisition and reporting functions are added to the internet of things terminal, so that an additional positioning module, such as a global positioning system (Global Position System, GPS) module, is needed, the anomaly detection cost is further increased, the data acquisition and reporting functions are also needed, the processing capacity of the internet of things terminal is further occupied, and the performance of the internet of things terminal is reduced. In addition, because the internet of things terminal is widely applied to scenes (such as mines, unmanned areas, emergency safety and other scenes) which are difficult for people to reach, the acquisition of the reporting information of the internet of things terminal cannot be realized.

Disclosure of Invention

The embodiment of the application provides an anomaly detection service subscription method, an anomaly detection service activation system and a core network, which not only can save network transmission resources of terminal equipment and computing resources of an application server, but also can reduce anomaly detection cost and improve performance of the terminal equipment.

In a first aspect, an embodiment of the present application provides an anomaly detection service subscription method, including:

receiving a subscription request message sent by an application server;

the subscription request message is used for requesting M terminal devices managed by the application server to subscribe to an abnormality detection service; m is an integer greater than 0;

sending an opening request message to a core network;

the opening request message is used for requesting a network element with data analysis capability in the core network to open the abnormality detection service for N terminal devices; n is less than or equal to M, N is an integer greater than 0.

In a second aspect, an embodiment of the present application provides an anomaly detection service opening method, including:

receiving an opening request message sent by an anomaly detection service subscription system;

the opening request message is used for requesting network elements with data analysis capability in the core network to open abnormal detection services for N terminal devices; n is an integer greater than 0;

And sending a response message of the opening request message to the anomaly detection service subscription system, wherein the response message of the opening request message is used for indicating successful opening terminal equipment in the N terminal equipment.

In a third aspect, an embodiment of the present application provides an anomaly detection service subscription system, including:

the receiving unit is used for receiving the subscription request message sent by the application server;

a sending unit, configured to send an opening request message to a core network;

In a fourth aspect, an embodiment of the present application provides a core network, including:

the receiving unit is used for receiving the opening request message sent by the anomaly detection service subscription system;

The sending unit is used for sending a response message of the opening request message to the abnormality detection service subscription system, wherein the response message of the opening request message is used for indicating successful opening terminal equipment in the N terminal equipment.

In a fifth aspect, embodiments of the present application provide an electronic device, including:

a processor adapted to implement computer instructions; the method comprises the steps of,

a computer readable storage medium storing computer instructions adapted to be loaded by a processor and to perform the method provided in the first or second aspect referred to above.

In a sixth aspect, embodiments of the present application provide a computer-readable storage medium storing computer instructions that, when read and executed by a processor of a computer device, cause the computer device to perform the method provided by the first or second aspects referred to above.

In a seventh aspect, embodiments of the present application provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, the processor executes the computer instructions, causing the computer device to perform the method provided in the first or second aspect referred to above.

In the embodiment of the application, the state of the terminal equipment can be detected abnormally by using the network element with data analysis capability in the core network by receiving the subscription request message sent by the application server and sending the opening request message to the core network; on the one hand, when the terminal equipment initiates service communication, various information of the terminal equipment can be acquired and managed by considering the network element in the core network, so that the network element with data analysis capability in the core network is utilized to perform anomaly detection on the state of the terminal equipment, the integration of additional data acquisition, reporting and other functional modules for the terminal equipment is avoided, the network transmission resources of the terminal equipment can be saved, the anomaly detection cost can be reduced, and the performance of the terminal equipment is improved; on the other hand, the state of the terminal equipment is detected abnormally by utilizing the network element with data analysis capability in the core network, so that whether an abnormal detection result is obtained by analyzing the data of the terminal equipment through the application server is avoided, and the computing resource of the application server is saved.

Drawings

Fig. 1 is an example of a system framework provided by an embodiment of the present application.

Fig. 2 is a schematic flowchart of an anomaly detection service subscription method provided in an embodiment of the present application.

Fig. 3 is an example of a system framework formed by an application server, an anomaly detection service subscription system, and a core network provided in an embodiment of the present application.

Fig. 4 is an example of providing correspondence between an application server, a terminal group, and a core network according to an embodiment of the present application.

Fig. 5 is an example of an allowed or forbidden active area provided by an embodiment of the present application.

Fig. 6 is an example of an anomaly detection service subscription system provided in an embodiment of the present application.

Fig. 7 is a schematic flowchart of a method for opening an anomaly detection service provided in an embodiment of the present application.

Fig. 8 is a schematic flow chart of a method for notifying an abnormal alarm message provided in an embodiment of the present application.

Fig. 9 is a schematic block diagram of an anomaly detection service subscription system provided in an embodiment of the present application.

Fig. 10 is a schematic block diagram of a core network provided in an embodiment of the present application.

Fig. 11 is a schematic block diagram of an electronic device provided in an embodiment of the present application.

Detailed Description

The technical scheme of the embodiment of the application can be applied to core networks of various network elements with data analysis capability. For example, when the network element with data analysis capability is a network data analysis function (Network Data Analytics Function, NWDAF), the core network may be a 5G core network (5G core,5 gc).

In other words, the technical solution of the embodiment of the present application may be applied to a 5GC system and various systems that may be connected to the 5 GC. Systems that may be connected to a 5GC, for example, include, but are not limited to: a New air interface (NR) system, a long term evolution (Long Term Evolution, LTE) system, or a 5G-based cellular internet of things (Celluar Internet of Things, C-IoT), etc.

In order to facilitate understanding of the technical solutions provided in the present application, the following description of related terms is provided.

Thing networking (Internet of Things): the network is defined for distinguishing Internet (Internet), and is one kind of network with radio frequency identification (radio frequency identification devices, RFID) and other information sensor to link any object to the network for information exchange and communication to realize the identification, locating, detection and management of the object. In other words, the internet of things can simply be an extension of the internet, the core of the internet is still the internet, people are connected with the internet through a computer (PC or a server), the connection of the internet of things is wider, people and people, people and things, even things and things can be used, and compared with the internet, the internet of things breaks away from the limitation of time and space, and really achieves the desire at any time and any place.

Authentication server function (Authentication Server Function, AUSF): the function in the 5G network is responsible for authenticating the user and processing the relevant data.

Access and mobility management functions (Access and Mobility Management Function, AMF): functions in 5G networks for taking care of mobility and access management for users.

Session management function (Session Management Function, SMF): functions in the 5G network for managing user sessions.

Network open function (Network Exposure Function, NEF): and the function of the 5G network is responsible for opening network data to the outside.

Network storage function (Network Repository Function, NRF): functions in 5G networks for registering and managing NFs.

Policy control function (Policy Control function, PCF): functions in 5G networks for responsible for policy control.

Unified data management (Unified Data Management, UDM): and the function in the 5G network is used for being responsible for unified processing of foreground data. Optionally, the foreground data includes, but is not limited to: user identification, user subscription data, authentication data, etc.

User plane function (User Plane Function, UPF): functions in 5G networks for routing and forwarding responsible for the user plane.

Network data analysis function (Network Data Analytics Function, NWDAF): the logic functions of the operators in the 5G network for network analysis, NWDAF, may be used to provide load level network analysis.

Public land mobile network (Public Land Mobile Network, PLMN): a network established and operated for the purpose of providing land mobile services to the public by a government or its approved operators. The network must be interconnected with the Public Switched Telephone Network (PSTN) to form a communication network on a regional or national scale. PLMNs are wireless communication systems that tend to face mobile subscribers on land, such as in vehicles or walking. Such systems may be stand alone but are often connected to a fixed telephone system such as the Public Switched Telephone Network (PSTN). However, mobile and portable internet users are also becoming increasingly popular. An ideal PLMN system can provide mobile and portable subscribers with comparable services to the fixed network.

Data network name (Data Network Name, DNN): access point name (Access Point Name) in a fifth Generation mobile communication technology (5G) system.

APN: is the name of a gateway between a mobile network such as a general packet radio service (General Packet Radio Service, GPRS) or 3G and another computer network such as the internet. A mobile device must be provided with an access point name provided by the operator to establish a data connection. The operator uses this name to distinguish the type of network connection to be established, e.g. what IP address is to be assigned to the wireless device, or what security means is to be used, and whether or how to connect to certain private customer networks. Rather, the access point name specifies which public data network (Public Data Network, PDN) a mobile data subscriber wants to communicate with. In addition to this, the access point name can also be used to define the type of service provided by the PDN (e.g. connected to a WAP server). APNs have been used in third generation partnership project (The 3rd Generation Partnership Project,3GPP) data access networks, such as general packet radio service (General Packet Radio Service, GPRS) or evolved packet core (Evolved Packet Core network, EPC), etc. GPRS is a mobile data service available to mobile telephone subscribers of the global system for mobile communications (Global System for Mobile Communications, GSM) and belongs to the data transmission technology in second generation mobile communications. GSM is commonly called "global communication", which is a standard of mobile communication technology originating in europe, and is a second generation mobile communication technology, and is developed to enable a global area to commonly use a mobile phone network standard, so that a user can use a mobile phone to go through the world.

User permanent identification (Subscription Permanent Identifier, SUPI): for uniquely identifying the user.

Fig. 1 is an example of a system framework 100 provided by an embodiment of the present application.

As shown in fig. 1, communication system 100 may include a terminal device 110, a network device 120, a core network 130, an anomaly detection service subscription system 140, and a server 150. Network device 120 may communicate with terminal device 110 over the air interface. Multi-service transmission is supported between terminal device 110 and network device 120.

The terminal device 110 includes, but is not limited to, a mobile phone, a computer, an intelligent voice interaction device, an intelligent home appliance, a vehicle-mounted terminal, an aircraft, and the like. The terminal device 110 may be an internet of things terminal, which may be oriented to an industrial internet of things scenario, and provides a network experience with a large bandwidth, high reliability and low latency better than that of a 4G network, and is widely used in smart cities, smart agriculture, industrial internet, internet of vehicles, unmanned, home only, emergency security, etc. For example, the internet of things terminal is generally embedded in an internet of things device (such as a video graphics array (Video Graphics Array, VGA) trolley, a mining area information acquisition node, or a terminal for live broadcasting and pushing traffic) in the form of a 5G module and bears the function of communication data transmission.

Further, the network device 120 may be an access network device capable of establishing a connection with a core network of network elements having data analysis capabilities, such as an evolved base station (Evolutional Node B, eNB or eNodeB) in a long term evolution (Long Term Evolution, LTE) system, a next generation radio access network (Next Generation Radio Access Network, NG RAN) device, a base station (gNB) in an NR system, a radio controller in a cloud radio access network (Cloud Radio Access Network, CRAN), etc. The core network 130 may be a core network of a network element with data analysis capability, for example, when the network element with data analysis capability is NWDAF, the core network 140 may be a 5G core network (5G core,5 gc). The server 150 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server. The anomaly detection service subscription system 140 can open the anomaly detection service for the terminal device 110 by the core network 130 through the requirement of the server 150.

It is noted that, when the server 105 is a service server and the terminal device 110 is an internet of things terminal, the service server is configured to detect an anomaly of the internet of things terminal, obtain, by communicating with the internet of things terminal in real time, location information and a service state reported by the internet of things terminal, and perform analysis and calculation at the service server according to the obtained information, so as to detect whether the state of the internet of things terminal is abnormal.

In view of this, the embodiment of the application provides an anomaly detection service subscription method, an anomaly detection service subscription system and a core network, which not only can save network transmission resources of terminal equipment and computing resources of an application server, but also can reduce anomaly detection cost and improve performance of the terminal equipment. The abnormality detection service subscription method provided by the application can be applied to a scene that a core network can acquire a user identifier (such as SUPI) and terminal equipment has specific business behaviors. The terminal device having specific service behavior may refer to regular service behavior of the terminal device, for example, periodically reporting service data of the terminal device.

Fig. 2 is a schematic flowchart of an anomaly detection service subscription method 200 provided in an embodiment of the present application. It should be appreciated that the method 200 may be performed by any electronic device having data processing capabilities. For example, the method 200 may be performed by the anomaly detection service subscription system 140 shown in FIG. 1.

As shown in fig. 2, the method 200 may include:

s210, the anomaly detection service subscription system receives a subscription request message sent by an application server; the subscription request message is used for requesting M terminal devices managed by the application server to subscribe to an abnormality detection service; m is an integer greater than 0.

The abnormality detection service may include a mobility abnormality detection service and a communication abnormality detection service, for example. The mobility abnormality detection service is used for providing a detection service of whether or not there is an abnormality in a state such as a position of the terminal device, and the communication abnormality detection service is used for providing a detection service of whether or not there is an abnormality in a state such as a communication to the terminal device.

Illustratively, the anomaly detection service subscription system may be configured with or installed with a subscription application program interface (Application Programming Interface, API), which is a connector of the anomaly detection service subscription system to the application server, responsible for interacting with the different application servers. Specifically, the application server triggers the anomaly detection service subscription system to subscribe to the anomaly detection service for the M terminal devices by sending a subscription request message to the subscription API.

For the network data analysis capability of the terminal device, for example, the network data analysis capability of the NEF subscription (or activation) NWDAF for the terminal device may be docked by providing information such as identification information (such as SUPI) of the terminal device, network information (such as DNN), information of an application server (such as AppId) of the terminal device, and the like.

S220, the anomaly detection service subscription system sends an opening request message to a core network; the opening request message is used for requesting a network element with data analysis capability in the core network to open the abnormality detection service for N terminal devices; n is less than or equal to M, N is an integer greater than 0. For example, the N terminal devices are the M terminal devices, or the N terminal devices include a terminal device selected from the M terminal devices that allows subscription to the abnormality detection service.

For example, after the subscription request message is received by the anomaly detection service subscription system, an anomaly detection service order for opening the anomaly detection service may be generated for the N terminal devices based on the subscription request message, and an opening request message may be sent to the core network, where the opening request message includes the anomaly detection service order.

The anomaly detection service subscription system is used for realizing anomaly detection of the terminal equipment by interacting with network elements in the core network.

Specifically, after receiving the opening request message, a network element with data analysis capability in the core network may open an abnormality detection service for the N terminal devices. After the network element with data analysis capability in the core network opens the abnormality detection service for the N terminal devices, when the state of one of the N terminal devices is determined to have abnormality through detection, an abnormality alarm message can be sent to the abnormality detection service subscription system, so that the abnormality detection service subscription system forwards the abnormality alarm message to the application server. That is, the abnormality detection service subscription system may provide the function of subscribing to the abnormality detection service for the application server, that is, after the application server subscribes to the abnormality detection service for a certain terminal device, the abnormality detection service subscription system may utilize the core network to open the abnormality detection service for the terminal device, so as to implement detection of data of the terminal device by the application server. Or after the application server subscribes to the abnormality detection service for a certain terminal device, the abnormality detection service subscription system can provide an abnormality warning message for the terminal device for the application server, so as to realize the detection of the data of the terminal device by the application server.

The network element with data analysis capability may be an NWDAF, for example.

Specifically, the anomaly detection service subscription system may send the open request message to NWDAF through the NEF in the interfacing core network. Or, the abnormality detection service subscription system may subscribe the NWDAF for data analysis and prediction capabilities through the NEF, and the NWDAF performs abnormality detection and analysis prediction on the terminal device and generates an abnormality alert message.

In some embodiments, the subscription request message includes operator information supported by each of the M terminal devices; wherein, the S210 may include:

the abnormality detection service subscription system divides the M terminal devices into K terminal groups based on the operator information supported by each terminal device; terminal devices with the same information of operators supported in the M terminal devices are positioned in the same terminal group; then, the abnormality detection service subscription system generates a request message of each of the K terminal groups for each of the terminal groups; the request message of each terminal group is used for requesting to open the abnormality detection service for the terminal equipment in each terminal group; determining a core network corresponding to each terminal group based on the operator information supported by the terminal equipment in each terminal group; then, the abnormality detection service subscription system transmits a request message of each terminal group to the core network corresponding to the each terminal group.

The operator information may be, for example, a public land mobile network (Public Land Mobile Network, PLMN). In other words, terminals in different PLMNs may be terminals in different terminal groups.

The operator information may be, for example, an operator identity. In other words, the operator identifies that the different terminals may be terminals in different terminal groups.

In this embodiment, the anomaly detection service subscription system may select a corresponding core network based on the operator information supported by the terminal devices in each terminal group, and interact with network elements in the selected core network, so that the anomaly detection service subscription system not only can provide a subscription function of anomaly detection service for the terminals under different operators, but also can utilize the network elements in different core networks to open the anomaly detection service for different terminal groups, thereby enabling anomaly detection for the supported terminal devices of different operator information.

In addition, the terminal group is divided, so that the abnormality detection service subscription system is also beneficial to managing the M terminal devices or the N terminal devices, and the abnormality detection service subscription system is also beneficial to simplifying the interaction flow through the division of the request message of the terminal group, so that the performance of the abnormality detection service subscription system is improved.

In some embodiments, the subscription request message includes an identification of an application supported by each of the M terminal devices; the abnormality detection service subscription system divides the M terminal devices into the K terminal groups based on the operator information supported by each terminal device and the identification of the application programs supported by each terminal device; the terminal devices with the same information of the supported operators and the same identification of the supported application programs in the M terminal devices are positioned in the same terminal group.

A large number of terminals are illustratively connected to the core network and run applications, and these terminals interact with the application server using the 5G network as a transport carrier. The terminal group comprises a plurality of terminals which run the same application program and interact with the same application server, wherein the interaction between the terminals in the terminal group and the application server comprises uploading application data by the terminals, issuing control instructions to the terminals by the application server, and the like, namely, providing services for users by running the application program. When the state of a certain terminal device is abnormal, the abnormality detection service subscription system sends an abnormality alarm message to an application server corresponding to the terminal device so as to alarm the state of the terminal to be abnormal to the application server corresponding to the terminal device.

As shown in fig. 3, it is assumed that the terminals 1 to n all support the PLMN1 and the application program installed in the application server 1, and the terminals n+1 to m all support the PLMN2 and the application program installed in the application server 2, at this time, the terminals 1 to n may be divided into one terminal group (i.e., the terminal group 1), and the terminals n+1 to m may be divided into one terminal group (i.e., the terminal group 2), so as to ensure that the terminal devices with the same information of the operators supported in the terminals 1 to m and the same identifier of the supported application program are located in the same terminal group. The abnormality detection service subscription system can open abnormality detection service for the terminals in the terminal group 1 through the docking core network 1, and open abnormality detection service for the terminals in the terminal group 2 through the docking core network 2.

As shown in fig. 4, it is assumed that the terminals managed by the application server 1 include terminals 1 to 4, wherein both the terminal 1 and the terminal 2 support PLMN1, and both the terminal 3 and the terminal 4 support PLMN2; further, it is assumed that the terminals managed by the application server 2 include terminals 5 to 8, wherein both terminals 5 and 6 support PLMN1, and both terminals 7 and 8 support PLMN3. In this case, if PLMN1 and PLMN2 are PLMNs provided by operator 1 and PLMN3 and PLMN4 are PLMNs provided by operator 2, the terminals 1 to 8 may be divided into 4 terminal groups, where terminal group 1 includes terminal 1 and terminal 2, terminal group 2 includes terminal 3 and terminal 4, terminal group 3 includes terminal 5 and terminal 6, terminal group 4 includes terminal 7 and terminal 8, and further, it is ensured that the terminal devices with the same information of operators supported by terminal 1 to terminal 8 and the same identifiers of the supported applications are located in the same terminal group.

In some embodiments, the subscription request message includes provisioning information for each of the M terminal devices; the opening information of each terminal device is used for opening the abnormality detection service for each terminal device; wherein prior to S210, the method 200 may further comprise:

The abnormality detection service subscription system selects the N terminal devices among the M terminal devices based on the activation information of the respective terminal devices.

The anomaly detection service subscription system determines terminal devices, of the M terminal devices, for which the opening information satisfies an opening requirement, as the M terminal devices based on the opening information of each terminal device.

The provisioning requirements may refer to requirements for provisioning information of each terminal device when a network element having data analysis capability in the core network performs anomaly detection, for example. For example, if the network element with data analysis capability in the core network can judge whether the network element is abnormal based on the opening information of each terminal device, the opening information of each terminal device is indicated to meet the opening requirement; if the network element with data analysis capability in the core network can not judge whether the network element is abnormal or not based on the opening information of each terminal device, the opening information of each terminal device is not satisfied with the opening requirement.

In the embodiment of the present application, before the abnormality detection service subscription system requests to open the abnormality detection service, the abnormality detection service subscription system selects the N terminal devices from the M terminal devices based on the opening information of each terminal device, and then opens the abnormality detection service for the N terminal devices by using the core network, which is favorable for reducing the probability that the core network refuses to open the abnormality detection service, so as to improve the efficiency of information interaction and the efficiency of opening the service by the core network.

In some embodiments, the anomaly detection service subscription system first obtains an anomaly detection service activation template; wherein the anomaly detection service activation template includes at least one of the following information: terminal identification, supported operator information, supported application program identification, service type of requesting subscription, and description information for generating abnormal alarm message by the core network; then, the abnormality detection service subscription system determines, based on the activation information of the respective terminal devices, the terminal device whose information format of the activation information satisfies the abnormality detection service activation template among the M terminal devices as the terminal device among the N terminal devices.

When the application server subscribes to the abnormality detection service subscription system for the abnormality detection service through the terminal equipment managed by the abnormality detection service subscription system through the abnormality detection service subscription template, the abnormality detection service subscription system utilizes the core network to open the abnormality detection service for the abnormality detection service subscription system, and when the application server subscribes to the abnormality detection service subscription system for the terminal equipment managed by the application server without the abnormality detection service subscription template, the abnormality detection service subscription system refuses to open the abnormality detection service for the application server by utilizing the core network.

In the embodiment of the application, the abnormal detection service opening template is introduced, so that whether the terminal equipment requesting to subscribe to the abnormal detection service can be opened or not is detected by the abnormal detection service subscription system, the probability that the core network refuses to open the abnormal service detection is reduced, and the efficiency of information interaction is improved.

The anomaly detection service activation template may also include other information, for example, the anomaly detection service activation template may also include a callback interface of each terminal device, which is used to identify the application server. Therefore, after the abnormality detection service subscription system receives the abnormality alarm message sent by the core network, the abnormality detection service subscription system can determine the corresponding server by inquiring the callback interface of each terminal device and forward the abnormality alarm message to the corresponding server.

In some embodiments, if the service type to which the request is subscribed is a location anomaly detection service type, the description information for the core network to generate the anomaly alert message includes at least one of: allowed active area, forbidden active area, detection start time, detection end time, terminal identification; if the service type of the request subscription is a communication anomaly detection service type, the description information for the core network to generate the anomaly alarm message includes at least one of the following: the duration range of data transmission, the time period of data transmission, the frequency threshold of data transmission, the type of attack, the description information of data flow, the communication type, the maximum bandwidth and the terminal identification.

Illustratively, the allowed activity area is used to indicate an area in which the terminal device is allowed to be active. For network elements with data analysis capability in the core network, the network element may perform detection analysis on location information of the terminal device based on the allowed active area to determine whether there is an abnormality in the location of the terminal device. For example, if the terminal device is present in an area outside the allowed active area, it is determined that the location of the terminal device is abnormal.

The allowed active area may be an area composed of a plurality of position coordinates, for example.

The allowed active area may be indicated by a legal area or an illegal area, for example. The legal area may be a predefined or preconfigured area and the illegal area may be a predefined or preconfigured area. For example, when the permitted activity area is indicated by the legal area, the indicated area may be directly determined as the permitted activity area, and when the permitted activity area is indicated by the illegal area, an area other than the indicated area may be directly determined as the permitted activity area.

Illustratively, the prohibited active region is used to indicate a region in which the terminal device is prohibited from being active. For a network element with data analysis capability in the core network, the network element can detect and analyze the position information of the terminal equipment based on the area of forbidden activity to determine whether the position information of the terminal equipment is abnormal or not. For example, if the terminal device is present in the forbidden active region, determining that the location of the terminal device is abnormal.

The prohibited active area may be an area composed of a plurality of position coordinates, for example.

Illustratively, the prohibited active region may be indicated by a legal region or an illegal region. The legal area may be a predefined or preconfigured area and the illegal area may be a predefined or preconfigured area. For example, when the prohibited active area is indicated by a legal area, an area other than the indicated area may be directly determined as the prohibited active area, and when the prohibited active area is indicated by an illegal area, the indicated area may be directly determined as the prohibited active area.

As shown in fig. 5, for the permitted or prohibited active area, an area surrounded by a counterclockwise direction of a plurality of position coordinates may be used, for example, an area surrounded by a list of position coordinates of A, B, C, D, E, F points.

The detection start time may be used to indicate the start time of the core network for anomaly detection, for example.

The detection end time may be used for example to indicate the end time of the anomaly detection by the core network.

The terminal identity may be illustratively a SUPI, a general public user identity (Generic Public Subscription Identifier, GPSI) or other type of identity, such as a user hidden identity (Subscription Concealed Identifier, sui).

The duration range of the data transmission is used, for example, to indicate the range of the terminal device that is continuously transmitting data. For a network element with data analysis capability in the core network, the network element can detect and analyze the state of the terminal device based on the duration range of the data transmission so as to determine whether the state of the terminal device is abnormal. For example, if the duration of the continuous data transmission of the terminal device is outside the duration range of the data transmission, determining that the abnormality occurs in the terminal device.

The period of data transmission may be used to indicate a period of data transmission by the terminal device, for example. For a network element with data analysis capability in the core network, the network element can detect and analyze the state of the terminal device based on the data transmission time period to determine whether the state of the terminal device is abnormal. For example, if the terminal device performs data transmission in a period other than the data transmission period, it is determined that the terminal device is abnormal.

The frequency threshold of the data transmission may be used for example to indicate the maximum frequency at which the terminal device is transmitting data. For a network element with data analysis capability in the core network, the network element can detect and analyze the state of the terminal device based on the frequency threshold value of the data transmission to determine whether the state of the terminal device is abnormal. For example, if the data transmission frequency of the terminal device is greater than the frequency threshold of the data transmission, determining that the terminal device is abnormal.

The type of attack may be, for example, a distributed denial of service (Distributed Denial of Service) attack type or other attack type. For a network element with data analysis capability in the core network, the network element can detect and analyze the state of the terminal device based on the type of the attack to determine whether the state of the terminal device is abnormal. For example, when the terminal device is attacked by the type of attack, it is determined that the terminal device is abnormal.

For example, the description information of the data flow may be a target address triplet, and for a network element with data analysis capability in the core network, the network element may perform detection analysis on the state of the terminal device based on the description information of the data flow, so as to determine whether the state of the terminal device is abnormal. For example, if the target address triplet is a white list address, determining that the abnormality occurs in the terminal device when the target address of the terminal device does not belong to the target address triplet; if the target address triplet is a blacklist address, determining that the terminal equipment is abnormal when the target address of the terminal equipment belongs to the target address triplet.

The communication type may be used for indicating an allowed communication type or an disallowed communication type of the terminal device, for example.

The communication type may be, for example, a traffic type or a type divided based on a transmission scheme including, but not limited to, a Wireless LAN (WLAN), bluetooth, wireless-Fidelity (WiFi), etc.

This maximum bandwidth may be used for example to indicate the maximum bandwidth allowed by the terminal device. For a network element with data analysis capability in the core network, the network element can perform detection analysis on the state of the terminal device based on the maximum bandwidth to determine whether the state of the terminal device is abnormal. For example, when the bandwidth used by the terminal device for data transmission is greater than the maximum bandwidth, it may be determined that the terminal device is abnormal.

In some embodiments, the subscription request message includes a service type for which each of the M terminal devices requests subscription; the service types of each terminal device requesting subscription comprise a mobility anomaly detection service type and a communication anomaly detection service type; wherein, the S210 may include:

the abnormality detection service subscription system firstly determines the service type of each terminal device requesting to be opened based on the service type of each terminal device requesting to subscribe, and the network element is configured with the corresponding abnormality detection capability of the service type of each terminal device requesting to be opened; then, the abnormality detection service subscription system adds the service type requested to be opened by each terminal device to the opening request message, and transmits the opening request message to the core network.

The service type of each terminal device requesting subscription may be understood as a service type of an application server, and the service type of each terminal device requesting activation may be understood as a service type of a network element having data analysis capability in a core network. In other words, the types of anomaly detection services subscribed to the anomaly detection service subscription system by the application server are: the service types subscribed by the terminal equipment are requested; the types of services that can be provided by the network element with data analysis capability in the core network are: the respective terminal devices request an opened service type.

In this embodiment, the anomaly detection service subscription system converts the service type that each terminal device requests subscription into the service type that each terminal device requests opening, so that the service type that the anomaly detection service subscription system requests opening is matched with the service type that can be provided by a network element with data analysis capability in the core network, and the success rate of opening the service is ensured.

In some embodiments, if the service type that the respective terminal device requests to subscribe to is the mobility anomaly detection service type, the anomaly detection service subscription system determines that the service type that the respective terminal device requests to open includes at least one of:

Terminal LOCATION anomaly (inexpecified_ue_location);

access cell anomalies (ping_pong_admission_cells);

a wake exception (unexpectedjwake);

RADIO LINK failure anomaly (inexpecified_radio_link_failure).

The terminal position abnormality is used for indicating that abnormality occurs in the position of the terminal device, for example.

Illustratively, the access cell abnormality is used to indicate a cell abnormality to which the terminal device accesses. Wherein, the cell accessed by the terminal equipment can be used for reflecting the position of the terminal.

The wake anomaly is used to indicate that the terminal device is in a sleep state during a wake period and in a wake state during a non-wake period, for example.

Illustratively, the radio link failure exception is used to indicate that the radio link of the terminal device fails.

In some embodiments, if the service type that the respective terminal device requests to subscribe to is a communication anomaly detection service type, the anomaly detection service subscription system determines that the service type that the respective terminal device requests to open includes at least one of:

LONG connection exception (unexpectedjlong LIVE FLOW);

abnormal traffic (inexpecified_target_rate_flow);

is attacked by DDOS (SUSPICON_OF_DDOS_ATTACK);

Target ADDRESS error (WRONG_DESTINATION_ADDRESS);

SERVICE ACCESS is TOO FREQUENT (TOO_FREQUENT_SERVICE_ACCESS).

The long connection abnormality is used for indicating that the terminal device is in a non-connected state for a period of time that should be connected, for example.

The traffic abnormality is used for indicating traffic abnormality of the terminal device, for example, indicating that the traffic of the terminal device is too large when the traffic abnormality is a large traffic abnormality.

Illustratively, the denial of service attack is used to indicate that the terminal device is abnormal due to the denial of service attack.

The target address error is used, for example, to indicate that the target address of the terminal device is in error.

Illustratively, the service access is too frequent for indicating that the service access of the terminal device is too frequent.

In some embodiments, the method 200 may further comprise:

the anomaly detection service subscription system sends a response message of the subscription request message or a response message of the opening request message to the application server; the response message of the subscription request message is used for indicating the N terminal devices; the response message of the opening request message is used for indicating the successful opening terminal equipment in the N terminal equipment.

Illustratively, the response message of the subscription request message includes a list formed by the terminal identities of the N terminal devices.

The response message of the provisioning request message includes a list formed by terminal identifiers of terminal devices that are successfully provisioned out of the N terminal devices.

Illustratively, the anomaly detection service subscription system sends a response message of the subscription request message to the application server after generating the opening request message; or after the anomaly detection service subscription system receives the response message of the opening request message generated by the core network, forwarding the response message of the opening request message to the application server.

Of course, in other alternative embodiments, the response message of the subscription request message may also be used to indicate terminal devices other than the N terminal devices of the M terminal devices; or, the response message of the activation request message is used for indicating the terminal equipment with activation failure in the N terminal equipment. For example, the response message of the subscription request message includes a list formed by terminal identifiers of terminal devices except for the N terminal devices in the M terminal devices, and the response message of the provisioning request message includes a list formed by terminal identifiers of terminal devices that fail to provision in the N terminal devices. Even further, the response message of the subscription request message may indicate a terminal group for which subscription is successful or failed, and the response message of the provisioning request message may indicate a terminal group for which provisioning is successful or failed.

In some embodiments, the method 200 may further comprise:

the abnormality detection service subscription system receives the abnormality warning message sent by the core network and forwards the abnormality warning message to the application server; wherein, the abnormal alarm message comprises: the identity of the terminal device where the abnormality occurred, the time at which the abnormality occurred, and the type of abnormality detected.

When detecting that an abnormality occurs in a certain terminal device, a network element with data analysis in a core network sends an abnormality alert message to the abnormality detection service subscription system. After the anomaly detection service subscription system receives the anomaly alarm message sent by the core network, the anomaly detection service subscription system queries a server corresponding to the anomaly alarm message and forwards the anomaly alarm message to the server corresponding to the anomaly alarm message.

It should be noted that the detected anomaly type may be a service type that each terminal device requests to open, for example, when a network element with data analysis in a core network detects that an anomaly occurs in a certain terminal device, an anomaly alarm message is sent to the anomaly detection service subscription system; if the service type requested by the terminal device is a mobility anomaly detection service type, the detected anomaly type comprises at least one of the following: abnormal terminal position, abnormal access cell, abnormal wake-up and abnormal radio link failure; if the service type of the terminal equipment requesting subscription is a communication abnormality detection service type, the detected abnormality type comprises at least one of the following: long connection anomalies, traffic anomalies, distributed denial of service attacks, target address errors, and too frequent service accesses.

As shown in fig. 6, the anomaly detection service subscription system may include a subscription manager, a management module, an alert module, a subscription API, and a storage module.

Subscription API: the anomaly detection service subscription system interfaces with a connector of an application server and is responsible for interaction with different application servers. Specifically, the application server triggers the anomaly detection service subscription system to subscribe to the anomaly detection service for the M terminal devices by sending a subscription request message to the subscription API.

And a management module: and the terminal equipment management system is responsible for managing each terminal equipment, and dividing terminal groups and managing information of the terminal groups based on the carrier information and the identification of the application programs supported by each terminal equipment.

In addition, the management module is also used for determining whether to open the abnormal detection service for each terminal device according to the opening information of each terminal device.

Subscription manager: and selecting a corresponding core network according to the operator information supported by the terminal equipment in each terminal group, and acquiring network elements in the core network by butting the network elements in the core network to open an abnormality detection service for each terminal equipment.

And an alarm module: and the abnormal alarm message of each terminal device sent by the core network is received. In addition, the alarm module is also used for managing the abnormal alarm message and forwarding the abnormal alarm message to the corresponding application server.

Fig. 7 is a schematic flowchart of a method 300 for opening an anomaly detection service provided in an embodiment of the present application.

As shown in fig. 7, the method 300 of opening an anomaly detection service may include:

s301, an application server sends a subscription request message to a subscription API in an anomaly detection service subscription system according to business requirements for managed terminal equipment, wherein the subscription request message is used for requesting M terminal equipment managed by the application server to subscribe to anomaly detection services; m is an integer greater than 0.

Illustratively, the subscription request message includes provisioning information for each of the M terminal devices, including, but not limited to: the method includes supporting operator information (e.g., operator name or PLMN), terminal identification (e.g., SUPI, GPSI, etc.), service type requesting subscription (e.g., mobility anomaly detection service type or communication anomaly detection service type, etc.), identification of supported applications, and description information for generating an anomaly alert message. If the service type requested to be subscribed is a mobility anomaly detection service type, the description information for generating the anomaly alert message may include: allowed active area (such as an area surrounded by a plurality of longitude and latitude position coordinates), forbidden active area, detection start time, detection end time and terminal identification; if the service type requested to be subscribed is a communication anomaly detection service type, the description information for generating the anomaly alarm message may include: the duration range of the data transmission, the time period of the data transmission, the frequency threshold of the data transmission, the type of attack, the description information of the data flow (such as a target address triplet), the communication type and the maximum bandwidth.

S302, the subscription API forwards the subscription request message to the management module.

S303, the management module divides the terminal group according to the subscription request message and generates an opening request message.

Illustratively, the subscription request message includes an identification of an application supported by each of the M terminal devices; the management module divides the M terminal devices into the K terminal groups based on the operator information supported by each terminal device and the identification of the application programs supported by each terminal device; terminal devices with the same information of the operators supported in the M terminal devices and the same identification of the supported application programs are positioned in the same terminal group; then, the management module generates a request message of each terminal group for each terminal group in the K terminal groups; the request message of each terminal group is used for requesting to open the abnormality detection service for the terminal equipment in each terminal group.

Wherein the operator information may be a public land mobile network (Public Land Mobile Network, PLMN). In other words, terminals in different PLMNs may be terminals in different terminal groups. Alternatively, the operator information may be an operator identification. In other words, the operator identifies that the different terminals may be terminals in different terminal groups.

In addition, the management module firstly acquires an abnormality detection service opening template; wherein the anomaly detection service activation template includes at least one of the following information: terminal identification, supported operator information, supported application program identification, service type of requesting subscription, and description information for generating abnormal alarm message by the core network; then, the management module determines the terminal devices of which the information formats of the opening information in the M terminal devices meet the abnormal detection service opening template as N terminal devices based on the opening information of each terminal device.

If the service type of the request subscription is a location anomaly detection service type, the description information for the core network to generate the anomaly alarm message includes at least one of the following: allowed active area, forbidden active area, detection start time, detection end time, terminal identification; if the service type of the request subscription is a communication anomaly detection service type, the description information for the core network to generate the anomaly alarm message includes at least one of the following: the duration range of data transmission, the time period of data transmission, the frequency threshold of data transmission, the type of attack, the description information of data flow, the communication type, the maximum bandwidth and the terminal identification.

In addition, the management module can also determine the service type of each terminal device requesting to be opened based on the service type of each terminal device requesting to be subscribed, and the network element is configured with the corresponding abnormality detection capability of the service type of each terminal device requesting to be opened; then, the management module adds the service type requested to be opened by each terminal device to the opening request message, and sends the opening request message to the core network.

If the service type of each terminal device requesting subscription is the mobility anomaly detection service type, the anomaly detection service subscription system determines that the service type of each terminal device requesting to be opened comprises at least one of the following: terminal location anomaly, access cell anomaly, wake-up anomaly, and radio link failure anomaly. If the service type of each terminal device requesting subscription is a communication anomaly detection service type, the anomaly detection service subscription system determines that the service type of each terminal device requesting to be opened comprises at least one of the following: long connection anomalies, traffic anomalies, distributed denial of service attacks, target address errors, and too frequent service accesses.

Notably, the subscription manager can also maintain mappings between terminal groups, application servers, operators.

S304, the management module sends a response message of the subscription request message to the subscription API.

Illustratively, the response message of the subscription request message is used to instruct the N terminal devices; alternatively, the response message of the subscription request message may be used to indicate a terminal device other than the N terminal devices among the M terminal devices.

S305, the subscription API forwards a response message of the subscription request message to the application server.

S306, the management module sends the opening request message (including the request message of each terminal group) to the subscription manager.

S307, the subscription manager forwards the provisioning request message (including the request message of each terminal group) to the NEF in the core network.

The subscription manager determines, for example, a core network corresponding to each terminal group based on operator information supported by terminal devices in the terminal groups; then, the abnormal subscription manager sends the request message of each terminal group to the core network corresponding to each terminal group.

S308, after receiving the opening request message, the NEF forwards the opening request message to the NWDAF.

S309, the NWDAF acquires the data to be detected of the terminal equipment through information interaction with other network elements in the core network.

For example, after receiving the activation success message, the NWDAF may obtain, from the corresponding network element, the data to be detected of the terminal device according to the service type requested to be activated by each terminal device in the activation request message. For example, mobility information of the user is acquired from the AMF, and session information of the user is acquired from the SMF.

S310, NWDAF sends a response message of the open request message to NEF.

The response message of the provisioning request message is used for indicating successful provisioning of the N terminal devices; or the response message of the opening request message is used for indicating the terminal equipment which fails to be opened in the N terminal equipment.

S311, after the NEF receives the response message of the opening request message sent by the NWDAF, the NEF forwards the response message of the opening request message to the subscription manager.

S312, after the subscription manager saves the response message of the opening request message, the response message of the opening request message is forwarded to the subscription API.

In addition, the abnormality detection service subscription system can select a corresponding core network based on the information of the operators supported by the terminal equipment in each terminal group and interact with network elements in the selected core network, so that the abnormality detection service subscription system can provide the subscription function of the abnormality detection service for the terminals under different operators, and can open the abnormality detection service for different terminal groups by utilizing the network elements in different core networks, thereby realizing the abnormality detection of the supported terminal equipment of different operator information. In addition, the terminal group is divided, so that the abnormality detection service subscription system is also beneficial to managing the M terminal devices or the N terminal devices, and the abnormality detection service subscription system is also beneficial to simplifying the interaction flow through the division of the request message of the terminal group, so that the performance of the abnormality detection service subscription system is improved.

Fig. 8 is a schematic flow chart diagram of a method 400 for notifying an exception alert message provided by an embodiment of the present application.

As shown in fig. 8, the method 400 for notifying an abnormal alarm message includes:

s401, acquiring data to be detected.

Illustratively, after the terminal device is connected to the network, the network element in the core network may obtain the data to be detected of the terminal device. Such as location information (e.g., TAI, etc.) and communication information (registration status, session status, data transmission bandwidth, and time) of the terminal device.

S402, performing abnormality detection by NWDAF based on data to be detected.

Because the NWDAF has opened an abnormality detection service for the terminal device, the NWDAF may detect and analyze the state of the terminal device in real time based on the data to be detected provided by other network elements such as AMF/SMF, until an abnormality exists in the state of the terminal device, and generate an abnormality alarm message.

S403, the NWDAF sends the abnormal alarm message to an alarm module in the abnormal detection service subscription system.

For example, when the detected data of the terminal device is abnormal, the NWDAF is triggered to send an abnormal alarm message to the alarm module through the NEF. For example, the NWDAF is triggered to send an abnormal alarm message to the service callback interface provided by the alarm module through the NEF, where the abnormal alarm message may include a terminal identifier of the terminal device (such as SUPI), a time when the abnormality occurs, and a detected abnormality type.

S404, after receiving the abnormal alarm message sent by the NWDAF, the alarm module sends a query request message of the callback interface to the management module.

The alarm module sends a query request message to the management module according to the terminal identifier (such as SUPI) of the terminal device provided by the abnormal alarm message, where the query request message is used for querying a callback interface of a service server of the terminal device.

S405, after receiving the inquiry request message, the management module sends an inquiry response message to the alarm module.

The management module receives the query request message, and returns a callback interface of the service server of the terminal device according to the terminal identifier (such as SUPI) of the terminal device. In addition, the management module may update the locally stored state of the terminal device based on the abnormality alert message.

S406, the alarm module forwards the abnormal alarm message to the corresponding application server according to the callback interface.

In this embodiment, after the application server receives the abnormal alarm message, a maintainer of the application server may perform related processing on the terminal device based on the abnormal alarm message. For example, when the abnormality alert message indicates a location abnormality, a maintainer of the application server may find the terminal device and place it within the allowed activity area.

The preferred embodiments of the present application have been described in detail above with reference to the accompanying drawings, but the present application is not limited to the specific details of the embodiments described above, and various simple modifications may be made to the technical solutions of the present application within the scope of the technical concept of the present application, and all the simple modifications belong to the protection scope of the present application. For example, the individual features described in the above-mentioned embodiments may be combined in any suitable manner, without contradiction, and various possible combinations are not described further in this application in order to avoid unnecessary repetition. As another example, any combination of the various embodiments of the present application may be made without departing from the spirit of the present application, which should also be considered as disclosed herein.

It should also be understood that, in the various method embodiments of the present application, the size of the sequence numbers of each process referred to above does not mean the order of execution, and the order of execution of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.

The abnormality detection service subscription method and the abnormality detection service activation method provided in the embodiments of the present application are described above, and the abnormality detection service subscription system and the core network provided in the embodiments of the present application are described below.

Fig. 9 is a schematic block diagram of an anomaly detection service subscription system 500 provided by an embodiment of the present application.

As shown in fig. 9, the anomaly detection service subscription system 500 may include:

a receiving unit 510, configured to receive a subscription request message sent by an application server;

a sending unit 520, configured to send an opening request message to a core network;

In some embodiments, the subscription request message includes operator information supported by each of the M terminal devices; the sending unit 520 is specifically configured to:

dividing the M terminal devices into K terminal groups based on the operator information supported by each terminal device; terminal devices with the same information of operators supported in the M terminal devices are positioned in the same terminal group;

generating a request message of each terminal group for each terminal group in the K terminal groups; the request message of each terminal group is used for requesting to open the abnormality detection service for the terminal equipment in each terminal group;

determining a core network corresponding to each terminal group based on the operator information supported by the terminal equipment in each terminal group;

and sending the request message of each terminal group to the core network corresponding to each terminal group.

In some embodiments, the subscription request message includes an identification of an application supported by each of the M terminal devices;

the sending unit 520 is specifically configured to:

dividing the M terminal devices into the K terminal groups based on the operator information supported by each terminal device and the identification of the application programs supported by each terminal device; the terminal devices with the same information of the supported operators and the same identification of the supported application programs in the M terminal devices are positioned in the same terminal group.

In some embodiments, the subscription request message includes provisioning information for each of the M terminal devices; the opening information of each terminal device is used for opening the abnormality detection service for each terminal device;

wherein, before the sending unit 520 is configured to send the provisioning request message to the core network, the sending unit is further configured to:

and selecting the N terminal devices from the M terminal devices based on the opening information of each terminal device.

In some embodiments, the sending unit 520 is specifically configured to:

acquiring an abnormality detection service opening template;

wherein the anomaly detection service activation template includes at least one of the following information: terminal identification, supported operator information, supported application program identification, service type of requesting subscription, and description information for generating abnormal alarm message by the core network;

based on the opening information of each terminal device, determining the terminal device with the information format of the opening information meeting the abnormal detection service opening template in the M terminal devices as the terminal device in the N terminal devices.

In some embodiments, the subscription request message includes a service type for which each of the M terminal devices requests subscription; the service types of each terminal device requesting subscription comprise a mobility anomaly detection service type and a communication anomaly detection service type;

the sending unit 520 is specifically configured to:

determining the service type of each terminal device requesting to be opened based on the service type of each terminal device requesting to be subscribed, wherein the network element is configured with the corresponding abnormality detection capability of the service type of each terminal device requesting to be opened;

and adding the service type of each terminal equipment requesting to be opened to the opening request message, and sending the opening request message to the core network.

In some embodiments, the sending unit 520 is specifically configured to:

if the service type of each terminal device requesting subscription is the mobility anomaly detection service type, determining that the service type of each terminal device requesting opening comprises at least one of the following: abnormal terminal position, abnormal access cell, abnormal wake-up and abnormal radio link failure;

if the service type of each terminal device requesting subscription is a communication anomaly detection service type, determining that the service type of each terminal device requesting opening comprises at least one of the following: long connection anomalies, traffic anomalies, distributed denial of service attacks, target address errors, and too frequent service accesses.

In some embodiments, the sending unit 520 is further configured to:

sending a response message of the subscription request message or a response message of the opening request message to the application server; the response message of the subscription request message is used for indicating the N terminal devices; the response message of the opening request message is used for indicating the successful opening terminal equipment in the N terminal equipment.

In some embodiments, the receiving unit 510 is further configured to:

receiving an abnormal alarm message sent by the core network; the transmitting unit 520 is further configured to:

forwarding the abnormal alarm message to the application server; wherein, the abnormal alarm message comprises: the identity of the terminal device where the abnormality occurred, the time at which the abnormality occurred, and the type of abnormality detected.

Fig. 10 is a schematic block diagram of a core network 600 provided in an embodiment of the present application.

As shown in fig. 10, the core network 600 may include:

a receiving unit 610, configured to receive an activation request message sent by the anomaly detection service subscription system;

and a sending unit 620, configured to send a response message of the provisioning request message to the anomaly detection service subscription system, where the response message of the provisioning request message is used to indicate a terminal device that is successfully provisioned in the N terminal devices.

It should be understood that apparatus embodiments and method embodiments may correspond with each other and that similar descriptions may refer to the method embodiments. To avoid repetition, no further description is provided here. Specifically, the anomaly detection service subscription system 500 may correspond to a corresponding subject in executing the anomaly detection service subscription method provided in the present application, and each unit in the anomaly detection service subscription system 500 is not described herein for brevity in order to implement a corresponding flow in the anomaly detection service subscription method. Similarly, the core network 600 may correspond to a corresponding main body in executing the anomaly detection service provision method provided in the present application, and each unit in the core network 600 is not described herein for brevity in order to implement a corresponding flow in the anomaly detection service provision method.

It should also be understood that each element in the anomaly detection service subscription system 500 or the core network 600 according to the embodiments of the present application may be separately or all combined into one or several other elements, or some element(s) may be further split into a plurality of elements with smaller functions to form the same operation, which does not affect the implementation of the technical effects of the embodiments of the present application. The units referred to above are divided based on logic functions, and in practical applications, the functions of one unit may be implemented by a plurality of units, or the functions of a plurality of units may be implemented by one unit. In other embodiments of the present application, the anomaly detection service subscription system 500 or the core network 600 may also include other units, and in actual practice, these functions may also be implemented with assistance from other units, and may be implemented by cooperation of multiple units. According to another embodiment of the present application, the anomaly detection service subscription system 500 or the core network 600 related to the embodiments of the present application may be constructed by running a computer program (including program code) capable of executing the steps involved in the respective methods on a general-purpose computing device of a general-purpose computer including a processing element such as a Central Processing Unit (CPU), a random access storage medium (RAM), a read only storage medium (ROM), and the like, and implementing the methods provided in the embodiments of the present application. The computer program may be recorded on a computer readable storage medium, and loaded into an electronic device through the computer readable storage medium and executed therein to implement the corresponding method of the embodiments of the present application.

In other words, the units referred to above may be implemented in hardware, or may be implemented by instructions in software, or may be implemented in a combination of hardware and software. Specifically, each step of the method embodiments in the embodiments of the present application may be implemented by an integrated logic circuit of hardware in a processor and/or an instruction in software form, and the steps of the method disclosed in connection with the embodiments of the present application may be directly implemented as a hardware decoding processor or implemented by a combination of hardware and software in the decoding processor. Alternatively, the software may reside in a well-established storage medium in the art such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, and the like. The storage medium is located in a memory, and the processor reads information in the memory and, in combination with its hardware, performs the steps in the method embodiments referred to above.

Fig. 11 is a schematic structural diagram of an electronic device 700 provided in an embodiment of the present application.

As shown in fig. 11, the electronic device 700 includes at least a processor 710 and a computer readable storage medium 720. Wherein the processor 710 and the computer-readable storage medium 720 may be connected by a bus or other means. The computer readable storage medium 720 is for storing a computer program 721, the computer program 721 comprising computer instructions, and the processor 710 is for executing the computer instructions stored by the computer readable storage medium 720. Processor 710 is a computing core and a control core of electronic device 700 that are adapted to implement one or more computer instructions, in particular to load and execute one or more computer instructions to implement a corresponding method flow or a corresponding function.

By way of example, the processor 710 may also be referred to as a central processing unit (Central Processing Unit, CPU). Processor 710 may include, but is not limited to: general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field Programmable Gate Array, FPGA) or other programmable logic devices, discrete element gate or transistor logic devices, discrete hardware components, and so forth.

By way of example, computer readable storage medium 720 may be high speed RAM memory or Non-volatile memory (Non-VolatileMemorye), such as at least one magnetic disk memory; alternatively, it may be at least one computer-readable storage medium located remotely from the aforementioned processor 710. In particular, computer-readable storage media 720 include, but are not limited to: volatile memory and/or nonvolatile memory. The nonvolatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable EPROM (EEPROM), or a flash Memory. The volatile memory may be random access memory (Random Access Memory, RAM) which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (Double Data Rate SDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), and Direct memory bus RAM (DR RAM).

As shown in fig. 11, the electronic device 700 may also include a transceiver 730.

The processor 710 may control the transceiver 730 to communicate with other devices, and in particular, may send information or data to other devices or receive information or data sent by other devices. Transceiver 730 may include a transmitter and a receiver. Transceiver 730 may further include antennas, the number of which may be one or more.

It should be appreciated that the various components in the electronic device 700 are connected by a bus system that includes a power bus, a control bus, and a status signal bus in addition to a data bus. It is noted that the electronic device 700 may be any electronic device having data processing capabilities; for example, the computer-readable storage medium 720 has stored therein first computer instructions; loading and executing, by the processor 710, first computer instructions stored in the computer-readable storage medium 720 to perform corresponding steps in the anomaly detection service subscription method provided herein; in particular implementations, first computer instructions in computer-readable storage medium 720 are loaded by processor 710 and perform the corresponding steps; for another example, the computer-readable storage medium 720 has stored therein second computer instructions; loading and executing, by the processor 710, second computer instructions stored in the computer-readable storage medium 720 to perform corresponding steps in the anomaly detection service activation method provided herein; in particular implementations, the second computer instructions in the computer-readable storage medium 720 are loaded by the processor 710 and perform the corresponding steps; to avoid repetition, no further description is provided here.

According to another aspect of the present application, embodiments of the present application also provide a computer-readable storage medium (Memory), which is a Memory device in the electronic device 700, for storing programs and data. Such as computer readable storage medium 720. It is understood that the computer readable storage medium 720 herein may include a built-in storage medium in the electronic device 700, and may include an extended storage medium supported by the electronic device 700. The computer-readable storage medium provides storage space that stores an operating system of the electronic device 700. Also stored in this memory space are one or more computer instructions, which may be one or more computer programs 721 (including program code), adapted to be loaded and executed by the processor 710.

According to another aspect of the present application, embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. Such as a computer program 721. At this point, the data processing apparatus 700 may be a computer, and the processor 710 reads the computer instructions from the computer-readable storage medium 720, and the processor 710 executes the computer instructions so that the computer performs the various methods provided in the various alternatives referred to above. In other words, when implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, runs the processes or implements the functions of the embodiments of the present application, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, from one website, computer, server, or data center by wired (e.g., coaxial cable, fiber optic, digital subscriber line (digital subscriber line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means.

Those of ordinary skill in the art will appreciate that the elements and process steps of the examples described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or as a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

Finally, it should be noted that the above is only a specific embodiment of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about the changes or substitutions within the technical scope of the present application, and the changes or substitutions are covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims

1. An anomaly detection service subscription method, comprising:

receiving a subscription request message sent by an application server;

Sending an opening request message to a core network;

2. The method according to claim 1, wherein the subscription request message comprises operator information supported by each of the M terminal devices;

wherein, the sending the opening request message to the core network includes:

dividing the M terminal devices into K terminal groups based on the operator information supported by each terminal device; terminal devices with the same operator information supported in the M terminal devices are positioned in the same terminal group;

and sending request messages of the terminal groups to core networks corresponding to the terminal groups.

3. The method of claim 2, wherein the subscription request message includes an identification of applications supported by each of the M terminal devices;

the dividing the M terminal devices into K terminal groups based on the operator information supported by the respective terminal devices includes:

dividing the M terminal devices into the K terminal groups based on the operator information supported by each terminal device and the identification of the application programs supported by each terminal device; and the terminal devices with the same information of the supported operators and the same identification of the supported application programs in the M terminal devices are positioned in the same terminal group.

4. The method of claim 1, wherein the subscription request message includes provisioning information for each of the M terminal devices; the opening information of each terminal device is used for opening the abnormality detection service for each terminal device;

before sending the opening request message to the core network, the method further comprises:

5. The method of claim 4, wherein selecting the N terminal devices from the M terminal devices based on the provisioning information for the respective terminal devices comprises:

acquiring an abnormality detection service opening template;

and determining the terminal equipment with the information format of the opening information meeting the abnormal detection service opening template in the M terminal equipment as the terminal equipment in the N terminal equipment based on the opening information of each terminal equipment.

6. The method of claim 5, wherein if the service type to which subscription is requested is a location anomaly detection service type, the description information for the core network to generate the anomaly alert message includes at least one of: allowed active area, forbidden active area, detection start time, detection end time, terminal identification; if the service type of the subscription request is a communication abnormality detection service type, the description information for generating the abnormality warning message by the core network includes at least one of the following: the duration range of data transmission, the time period of data transmission, the frequency threshold of data transmission, the type of attack, the description information of data flow, the communication type, the maximum bandwidth and the terminal identification.

7. The method according to claim 1, wherein the subscription request message includes a service type for which each of the M terminal devices requests subscription; the service types of the terminal equipment requesting subscription comprise a mobility anomaly detection service type and a communication anomaly detection service type;

wherein, the sending the opening request message to the core network includes:

and adding the service type of each terminal device requesting to be opened to the opening request message, and sending the opening request message to the core network.

8. The method of claim 7, wherein the determining the service type that each terminal device requests to open based on the service type that each terminal device requests to subscribe to, comprises:

9. The method according to any one of claims 1 to 8, further comprising:

sending a response message of the subscription request message or a response message of the opening request message to the application server; the response message of the subscription request message is used for indicating the N terminal devices; the response message of the opening request message is used for indicating successful opening terminal equipment in the N terminal equipment;

receiving an abnormal alarm message sent by the core network and forwarding the abnormal alarm message to the application server; wherein the abnormality alert message includes: the identity of the terminal device where the abnormality occurred, the time at which the abnormality occurred, and the type of abnormality detected.

10. An abnormality detection service opening method, characterized by comprising:

The opening request message is used for requesting network elements with data analysis capability in a core network to open abnormal detection services for N terminal devices; n is an integer greater than 0;

11. An anomaly detection service subscription system, comprising:

12. A core network, comprising:

The opening request message is used for requesting network elements with data analysis capability in a core network to open the abnormality detection service for N terminal devices; n is an integer greater than 0;

13. An electronic device, comprising:

a processor adapted to execute a computer program;

a computer readable storage medium having stored therein a computer program which, when executed by the processor, implements the method of any one of claims 1 to 9 or the method of claim 10.

14. A computer readable storage medium storing a computer program for causing a computer to perform the method of any one of claims 1 to 9 or the method of claim 10.