
CN118118907A - Multi-park wireless private network safety protection method and device and central node - Google Patents


Info

Publication number
CN118118907A
Authority
CN
China
Prior art keywords
terminal
data
private network
user
wireless private
Prior art date
Legal status
Pending
Application number
CN202211528805.4A
Other languages
Chinese (zh)
Inventor
宋琪
苏自翔
肖松
童贞
曾熙
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Chengdu ICT Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Chengdu ICT Co Ltd


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/12: Detection or prevention of fraud
    • H04W12/121: Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122: Counter-measures against attacks; Protection against rogue devices
    • H04W12/126: Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H04W12/60: Context-dependent security
    • H04W12/63: Location-dependent; Proximity-dependent
    • H04W12/64: Location-dependent; Proximity-dependent using geofenced areas

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the application disclose a multi-campus wireless private network security protection method, device and central node. The method comprises: obtaining the full user call record data (the complete set of session-level records) of multiple branch nodes for the signaling procedure interactions on the wireless private network signaling plane interface, where the multiple branch nodes correspond to different campuses or factory areas; and performing security collaborative management of the multiple branch nodes on the basis of the full user call record data to generate wireless private network security protection information. In this way the central node can control the network security and terminal equipment of each branch node, realizing unified control of the multiple branch nodes and facilitating both collaborative security management across branch nodes and supervision of wireless private network security protection.

Description

A multi-campus wireless private network security protection method, device and central node

Technical Field

The present application relates to the field of communication technology, and in particular to a multi-campus wireless private network security protection method, device and central node.

Background Art

Under the wave of the new generation of scientific and technological revolution and industrial transformation, the world's leading countries have all regarded the industrial Internet as a strategic direction for strengthening their future industrial competitiveness. The integration of fifth-generation mobile communication technology (5G) with the industrial Internet has made it possible for massive numbers of industrial terminals to access the industrial Internet. However, there is currently no security protection management solution for private networks spanning multiple campuses or factory areas.

Summary of the Invention

The embodiments of the present application provide a multi-campus wireless private network security protection method, device and central node, to solve the problem in the related art that there is no security protection management solution for private networks spanning multiple campuses or factory areas. The central node controls the network security and terminal equipment of each branch node, realizing unified control of the multiple branch nodes, which facilitates collaborative security management of the branch nodes and supervision of wireless private network security protection.

The technical solution of the present application is implemented as follows:

A multi-campus wireless private network security protection method, applied to a central node of the wireless private network, the method comprising:

obtaining full user call record data of the signaling procedure interactions of multiple branch nodes on the wireless private network signaling plane interface, wherein the multiple branch nodes correspond to different campuses or factory areas;

performing security collaborative management of the multiple branch nodes on the basis of the full user call record data, to generate wireless private network security protection information.

A multi-campus wireless private network security protection device, comprising:

an acquisition module, configured to obtain full user call record data of the signaling procedure interactions of multiple branch nodes on the wireless private network signaling plane interface, wherein the multiple branch nodes correspond to different campuses or factory areas;

a processing module, configured to perform security collaborative management of the multiple branch nodes on the basis of the full user call record data, to generate wireless private network security protection information.

A central node of a wireless private network, comprising a processor and a memory, the memory being configured to store a computer program, and the processor being configured to call and run the computer program stored in the memory to execute the steps of the multi-campus wireless private network security protection method described above.

A storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the steps of the multi-campus wireless private network security protection method described above.

The multi-campus wireless private network security protection method provided in the embodiments of the present application obtains full user call record data of the signaling procedure interactions of multiple branch nodes on the wireless private network signaling plane interface, where the multiple branch nodes correspond to different campuses or factory areas, and performs security collaborative management of the multiple branch nodes on the basis of the full user call record data to generate wireless private network security protection information. In this way the central node can control the network security and terminal equipment of each branch node, realizing unified control of the multiple branch nodes and facilitating collaborative security management of the branch nodes and supervision of wireless private network security protection.

Brief Description of the Drawings

FIG. 1 is a schematic flow chart of a multi-campus wireless private network security protection method provided in an embodiment of the present application;

FIG. 2 is a schematic diagram of the architecture of the 5G confidential private network management platform provided in an embodiment of the present application;

FIG. 3 is a schematic diagram of the service flow of unified archiving and control provided in an embodiment of the present application;

FIG. 4 is a schematic diagram of the architecture of the 5G communication system provided in an embodiment of the present application;

FIG. 5 is a schematic diagram of the registration procedure provided in an embodiment of the present application;

FIG. 6 is a schematic diagram of the authentication procedure provided in an embodiment of the present application;

FIG. 7 is a schematic diagram of an initial terminal network access procedure provided in an embodiment of the present application;

FIG. 8 is a schematic diagram of another initial terminal network access procedure provided in an embodiment of the present application;

FIG. 9 is a schematic diagram of the service request procedure provided in an embodiment of the present application;

FIG. 10 is a schematic diagram of a service establishment procedure provided in an embodiment of the present application;

FIG. 11 is a schematic diagram of another service establishment procedure provided in an embodiment of the present application;

FIG. 12 is a schematic diagram of a PDU session initial establishment procedure provided in an embodiment of the present application;

FIG. 13 is a schematic diagram of another PDU session initial establishment procedure provided in an embodiment of the present application;

FIG. 14 is a schematic diagram of yet another PDU session initial establishment procedure provided in an embodiment of the present application;

FIG. 15 is a schematic diagram of still another PDU session initial establishment procedure provided in an embodiment of the present application;

FIG. 16 is a schematic diagram of the regional security supervision service flow provided in an embodiment of the present application;

FIG. 17 is a schematic diagram of positioning provided in an embodiment of the present application;

FIG. 18 is a schematic flow chart of the multi-dimensional security protection of the 5G confidential private network management platform provided in an embodiment of the present application;

FIG. 19 is a schematic diagram of the architecture of the security control and signaling management system built on user call records, provided in an embodiment of the present application;

FIG. 20 is a schematic diagram of the structure of a multi-campus wireless private network security protection device provided in an embodiment of the present application;

FIG. 21 is a schematic diagram of the structure of a central node of a wireless private network provided in an embodiment of the present application.

Detailed Description of the Embodiments

The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings of the embodiments.

It should be understood that "an embodiment of the present application" or "the aforementioned embodiment" mentioned throughout the specification means that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of the present application. Therefore, "in an embodiment of the present application" or "in the aforementioned embodiment" appearing in various places throughout the specification does not necessarily refer to the same embodiment. Furthermore, these particular features, structures or characteristics may be combined in one or more embodiments in any suitable manner. In the various embodiments of the present application, the magnitude of the sequence numbers of the processes described above does not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present application. The sequence numbers of the embodiments of the present application are for description only and do not represent the relative merits of the embodiments.

The embodiments of the present application provide a multi-campus wireless private network security protection method, applied to the central node of the wireless private network. As shown in FIG. 1, the method includes the following steps:

Step 101: Obtain full user call record data of the signaling procedure interactions of multiple branch nodes on the wireless private network signaling plane interface.

In the embodiments of the present application, the central node of the wireless private network is used to control the network security and terminal equipment of each branch node. The service data and signaling of each branch node can be relayed through the central node to reach the applications of other nodes. The wireless private network signaling plane interface includes, but is not limited to, the 5G mobile communication interfaces. The full user call record data consists of the session-level detailed records of the signaling procedures and service transmission processes generated by the central node, and contains all of a user's network access information. The full user call record data includes External Data Representation (XDR) call record data. Each branch node corresponds to a different campus or factory area, and the present application thereby achieves secure private network communication across multiple campuses or factory areas.

Step 102: Perform security collaborative management of the multiple branch nodes on the basis of the full user call record data, to generate wireless private network security protection information.

In the embodiments of the present application, the wireless private network security protection information includes, but is not limited to, data and signaling security collaborative management information for the private network across multiple campuses or factory areas, and security control information for specific areas across multiple campuses or factory areas. The specific areas include, but are not limited to, areas whose confidentiality level is higher than a preset level and areas whose attributes match preset attributes, where the preset attributes include, but are not limited to, a preset location and a preset service category.

The multi-campus wireless private network security protection method provided in the embodiments of the present application obtains full user call record data of the signaling procedure interactions of multiple branch nodes on the wireless private network signaling plane interface, where the multiple branch nodes correspond to different campuses or factory areas, and performs security collaborative management of the multiple branch nodes on the basis of the full user call record data to generate wireless private network security protection information. In this way the central node can control the network security and terminal equipment of each branch node, realizing unified control of the multiple branch nodes and facilitating collaborative security management of the branch nodes and supervision of wireless private network security protection.

In other embodiments of the present application, step 101, obtaining full user call record data of the signaling procedure interactions of multiple branch nodes on the wireless private network signaling plane interface, can be implemented by the following steps:

A11. Receive the user plane data that the user plane collection and parsing device deployed (sunk) at each branch node reports, for the signaling procedures, to the data synthesis server of the central node.

In the embodiments of the present application, a user plane collection and parsing device is deployed at each branch node to collect that branch node's user plane data. The user plane data includes, but is not limited to, user-specific service information and data service events and traffic statistics (video, instant messaging, etc.). The user-specific service information includes, but is not limited to, service information carried over the following protocols and/or services: Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Domain Name System (DNS), File Transfer Protocol (FTP), and so on. Thus, in the present application, every branch node can monitor and collect user plane events, that is, data plane events, by recording them through the deployed user plane collection and parsing device.

The present application provides a 5G confidential private network management platform, whose overall architecture is shown in FIG. 2; FIG. 2 takes an architecture comprising one central node and two branch nodes as an example. A user plane collection and parsing device is deployed (sunk) at each of branch node ① and branch node ② to collect the branch node's user-specific service information and data service events and traffic statistics (video, instant messaging, etc.). The user plane collection and parsing device and the switch VPN copy data between the two data sources by data mirroring. The central node is also called the master node or the central node classified system. The central node deploys an aggregation core switch that collects all control plane data, including but not limited to control plane signaling procedures, fields and error information, and stores it in the 5G confidential private network management platform. The core network side of the central node includes the following control plane network elements: Authentication Server Function (AUSF), Unified Data Management (UDM), Policy Control Function (PCF), Access and Mobility Management Function (AMF), Session Management Function (SMF) and Network Repository Function (NRF). A branch node includes a User Plane Function (UPF) device, a switch Virtual Private Network (VPN) and a Mobile Edge Computing (MEC) device; the MEC device, also called a Multi-access Edge Computing device, provides computing services at the edge. The 5G confidential private network management platform supports unified archiving and control across multiple nodes. FIG. 2 also shows the following data flows: the control plane signaling flow between the UPF of each branch node and the aggregation core switch of the master node; the flow of collected user plane data between the user plane collection and parsing device of each branch node and the data synthesis server of the master node; the flow of collected control plane data between the control plane collection and parsing device of the master node and the data synthesis server; and the flow of full-field XDR reported by the master node to the platform. The data traffic of a branch node's 5G base station can also be connected directly to the UPF device of the core network through the Slicing Packet Network (SPN), and the branch node's 5G base station communicates with the devices and 5G modules.

A12. Parse the control plane data of each branch node with the control plane parsing device of the central node, to generate control plane user call records.

With reference to FIG. 2, the central node also deploys a control plane collection and parsing device, referred to as the control plane parsing device for short, which parses the control plane data of each branch node and generates control plane XDR call record data. The control plane collection and parsing device and the aggregation core switch copy data between the two data sources by data mirroring.

A13. Correlate the control plane user call records and the user plane data with the data synthesis server, to obtain the full user call record data.

With reference to FIG. 2, the central node also deploys a data synthesis server, which correlates the control plane user call records uploaded by the control plane parsing device with the user plane data reported by the user plane collection and parsing devices, to obtain the full user call record data, such as full XDR call record data. This achieves unified archiving and unified control, facilitates secure coordination between the branch nodes of special industries, and avoids the threat of 5G network signaling storms.
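The data synthesis of steps A11 to A13 can be illustrated with the following Python example, added here and not part of the patent or of any China Mobile implementation. The record layouts (ControlPlaneXdr, UserPlaneRecord, FullXdr), the field names, the procedure labels and the sample values are all assumptions, as is the correlation key, a UE IP address assigned at PDU session establishment. The example goes slightly beyond the text in two ways: it attributes an address that is reused by a later session to the right subscriber, and it returns user plane events that match no signaling, which a central node would want to flag rather than silently drop.

```python
"""Data synthesis of full XDR records (steps A11 to A13), as an added
illustration; record layouts, field names and sample values are assumed."""
import bisect
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ControlPlaneXdr:
    """One control-plane call record from the central node's parser (assumed layout)."""
    supi: str                      # subscriber identity seen in the N1/N8 signaling
    branch: str                    # branch node whose UPF the signaling concerned
    interface: str                 # N1, N2, N4, N8 or N11
    procedure: str                 # registration, authentication, pdu_session_establishment ...
    result: str                    # "success" or an error label
    ts: int                        # epoch seconds
    ue_ip: Optional[str] = None    # UE address assigned at PDU session establishment


@dataclass
class UserPlaneRecord:
    """One user-plane event reported by a branch node's collection device (assumed layout)."""
    branch: str
    ue_ip: str
    protocol: str                  # HTTP, HTTPS, DNS, FTP ...
    bytes_up: int
    bytes_down: int
    ts: int


@dataclass
class FullXdr:
    """Merged record for one subscriber: signaling plus attributed user-plane events."""
    supi: str
    control_plane: List[ControlPlaneXdr] = field(default_factory=list)
    user_plane: List[UserPlaneRecord] = field(default_factory=list)


def build_ip_index(cp: List[ControlPlaneXdr]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each UE IP to a time-ordered list of (assignment ts, supi), so that an
    address handed to a later session is attributed to the right subscriber."""
    index: Dict[str, List[Tuple[int, str]]] = {}
    for rec in cp:
        if rec.procedure == "pdu_session_establishment" and rec.result == "success" and rec.ue_ip:
            index.setdefault(rec.ue_ip, []).append((rec.ts, rec.supi))
    for entries in index.values():
        entries.sort()
    return index


def owner_of(index: Dict[str, List[Tuple[int, str]]], ue_ip: str, ts: int) -> Optional[str]:
    """SUPI whose most recent successful session on ue_ip started at or before ts, if any."""
    entries = index.get(ue_ip)
    if not entries:
        return None
    pos = bisect.bisect_right(entries, (ts, "\uffff")) - 1   # sentinel sorts after any SUPI
    return entries[pos][1] if pos >= 0 else None


def synthesize(cp: List[ControlPlaneXdr],
               up: List[UserPlaneRecord]) -> Tuple[Dict[str, FullXdr], List[UserPlaneRecord]]:
    """Step A13: correlate control-plane call records with user-plane data.
    Returns full records keyed by SUPI plus the user-plane events that could not be
    tied to any session (traffic without signaling is itself worth an alert)."""
    full: Dict[str, FullXdr] = {}
    for rec in cp:
        full.setdefault(rec.supi, FullXdr(rec.supi)).control_plane.append(rec)
    index = build_ip_index(cp)
    unmatched: List[UserPlaneRecord] = []
    for ev in up:
        supi = owner_of(index, ev.ue_ip, ev.ts)
        if supi is None:
            unmatched.append(ev)
        else:
            full[supi].user_plane.append(ev)
    return full, unmatched


def sample_data(now: int = 1_700_000_000) -> Tuple[List[ControlPlaneXdr], List[UserPlaneRecord]]:
    """Constructed sample: 10.0.0.5 is first held by supi-A and later reassigned to
    supi-B; 10.0.0.9 never appears in any signaling."""
    cp = [
        ControlPlaneXdr("supi-A", "branch-1", "N1", "registration", "success", now - 900),
        ControlPlaneXdr("supi-A", "branch-1", "N11", "pdu_session_establishment", "success", now - 880, "10.0.0.5"),
        ControlPlaneXdr("supi-B", "branch-1", "N1", "registration", "success", now - 300),
        ControlPlaneXdr("supi-B", "branch-1", "N11", "pdu_session_establishment", "success", now - 280, "10.0.0.5"),
    ]
    up = [
        UserPlaneRecord("branch-1", "10.0.0.5", "HTTPS", 1200, 54000, now - 600),  # during supi-A's session
        UserPlaneRecord("branch-1", "10.0.0.5", "DNS", 80, 200, now - 100),        # after reassignment: supi-B
        UserPlaneRecord("branch-1", "10.0.0.9", "FTP", 5000, 0, now - 50),         # no session: unmatched
    ]
    return cp, up


def run_demo() -> Tuple[Dict[str, int], int]:
    """User-plane events attributed per SUPI, and how many were left unmatched."""
    full, unmatched = synthesize(*sample_data())
    return {supi: len(x.user_plane) for supi, x in full.items()}, len(unmatched)


if __name__ == "__main__":
    print(run_demo())
```

The index keyed on assignment time is what makes the join safe when a UPF recycles addresses; a plain dictionary from IP to SUPI would credit supi-A's HTTPS traffic to supi-B.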

In other embodiments of the present application, step 102, performing security collaborative management of the multiple branch nodes on the basis of the full user call record data to generate wireless private network security protection information, can be implemented by the following steps:

B21. Archive the full user call record data in a unified manner, to generate a relational database.

In the embodiments of the present application, a relational database is a database that organizes data according to the relational model and stores it in rows and columns.

By way of example, in one realizable unified archiving scenario, with reference to FIGS. 2 and 3, the UPFs of branch node ① and branch node ② forward the user data collected on the data plane to the data synthesis server, and the core network control plane network elements forward the data collected on the control plane of the central node to the data synthesis server. The 5G confidential private network management platform then builds a relational database from the user identity fields, data fields and parameter values of the 5G mobile communication interfaces (for example the N1, N2, N8, N11 and N4 interfaces) provided by the data synthesis server, following the 5G private network signaling flows (for example user registration and authentication, service request and establishment, etc.).

B22. Generate wireless private network security protection information on the basis of the relational database.

In the embodiments of the present application, the wireless private network security protection information includes, but is not limited to, data and signaling security collaborative management information for the private network across multiple campuses or factory areas, and security control information for specific areas across multiple campuses or factory areas.

Here, referring to the unified archiving scenario above and with reference to FIG. 3, the relational database thus established can further support data storage along the time dimension, that is, database archiving, as well as terminal error analysis. Furthermore, the stored data and/or the terminal error analysis information can be displayed visually, and finally the visualized content can be presented on terminals that access the network through the 5G core network.

In some embodiments of the present application, B22, generating wireless private network security protection information on the basis of the relational database, can be implemented by the following step:

On the basis of the relational database, perform at least one of the following security protection analyses: user behavior analysis, sensitive area location information analysis, and analysis of abnormal offline data of terminal network access, to obtain the wireless private network security protection information.

Here, the wireless private network security protection information includes terminal error analysis information obtained by analyzing the abnormal offline data of terminal network access; the error types in the terminal error analysis information include user registration and authentication errors, and service request and establishment abnormality errors.

It should be noted that the data and signaling security collaborative management information for the private network across multiple campuses or factory areas includes the terminal error analysis information described above.

In some embodiments of the present application, the central node of the wireless private network may further perform the following operation: through the core network of the wireless private network, execute the corresponding security protection management operation on a terminal on the basis of the terminal error type.

In one realizable security protection management scenario, the central node can also analyze and make a determination according to the terminal error type, and coordinate with the 5G core network to execute the corresponding security protection management operation on the terminal, for example blacklist processing, to protect network security. For example, if during terminal network registration abnormal data is received, every abnormality of that terminal is an authentication vector problem, and the count reaches 20 times or more within 1 hour, malicious access is confirmed. The processing operation, that is, the solution, then includes adding this user to the blacklist through the 5G core network, to prevent malicious distributed denial of service (DDoS) access attacks.
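As an added example (not the patent's code, and not any China Mobile implementation), the following Python block walks through steps B21 and B22 together with the blacklist scenario just described: it archives full call records in a relational database (SQLite, an assumed choice), summarizes terminal errors by type, and applies the rule that all registration abnormalities of the terminal are authentication vector problems and at least 20 of them occur within 1 hour. The schema, the error labels such as auth_vector, the SUPI placeholders and the sample records are constructed assumptions; the threshold and window are parameters so the same query serves other tuning.

```python
"""Unified archive and terminal error analysis (B21, B22) with the registration
abnormality rule; added illustration, not the patent's code. Schema, error labels
and sample records are assumed."""
import sqlite3
from typing import Dict, List, Tuple

# Assumed schema for the archived full call records (one row per procedure outcome).
SCHEMA = """
CREATE TABLE IF NOT EXISTS xdr (
    id         INTEGER PRIMARY KEY,
    supi       TEXT    NOT NULL,
    branch     TEXT    NOT NULL,
    interface  TEXT    NOT NULL,
    procedure  TEXT    NOT NULL,
    error_type TEXT,                 -- NULL when the procedure succeeded
    ts         INTEGER NOT NULL      -- epoch seconds
);
CREATE INDEX IF NOT EXISTS xdr_supi_ts ON xdr (supi, ts);
"""

Row = Tuple[str, str, str, str, str, int]   # (supi, branch, interface, procedure, error_type, ts)


def open_archive(path: str = ":memory:") -> sqlite3.Connection:
    """B21: create the relational archive (in memory here; a file path works too)."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con


def archive(con: sqlite3.Connection, records: List[Row]) -> None:
    """B21: store full call records along the time dimension."""
    con.executemany(
        "INSERT INTO xdr (supi, branch, interface, procedure, error_type, ts) VALUES (?, ?, ?, ?, ?, ?)",
        records)
    con.commit()


def error_summary(con: sqlite3.Connection, since_ts: int) -> Dict[str, int]:
    """B22 terminal error analysis: number of failed procedures per error type since since_ts."""
    rows = con.execute(
        "SELECT error_type, COUNT(*) FROM xdr WHERE error_type IS NOT NULL AND ts >= ? GROUP BY error_type",
        (since_ts,))
    return dict(rows.fetchall())


def auth_vector_abusers(con: sqlite3.Connection, now_ts: int,
                        window_s: int = 3600, threshold: int = 20) -> List[str]:
    """Terminals whose registration failures inside the window are all authentication
    vector errors and number at least `threshold`: the candidates the central node would
    hand to the 5G core for blacklisting. Mixed failure causes are deliberately excluded,
    following the rule's 'every abnormality is an authentication vector problem'."""
    rows = con.execute(
        """
        SELECT supi
        FROM xdr
        WHERE procedure = 'registration' AND error_type IS NOT NULL AND ts > ?
        GROUP BY supi
        HAVING SUM(CASE WHEN error_type = 'auth_vector' THEN 1 ELSE 0 END) >= ?
           AND SUM(CASE WHEN error_type = 'auth_vector' THEN 1 ELSE 0 END) = COUNT(*)
        ORDER BY supi
        """,
        (now_ts - window_s, threshold))
    return [r[0] for r in rows.fetchall()]


def sample_records(now: int = 1_700_000_000) -> List[Row]:
    """Constructed sample covering the rule's edge cases."""
    rows: List[Row] = []
    # supi-A: 25 authentication vector failures in the last 25 minutes -> flagged
    rows += [("supi-A", "branch-1", "N1", "registration", "auth_vector", now - 60 * i) for i in range(1, 26)]
    # supi-B: 22 authentication vector failures plus 3 of another kind -> not every abnormality matches
    rows += [("supi-B", "branch-2", "N1", "registration", "auth_vector", now - 60 * i) for i in range(1, 23)]
    rows += [("supi-B", "branch-2", "N1", "registration", "other_registration_error", now - 30 * i) for i in range(1, 4)]
    # supi-C: only 5 failures -> below the threshold
    rows += [("supi-C", "branch-1", "N1", "registration", "auth_vector", now - 60 * i) for i in range(1, 6)]
    # supi-D: 25 failures, but all older than one hour -> outside the window
    rows += [("supi-D", "branch-2", "N1", "registration", "auth_vector", now - 3600 - 60 * i) for i in range(1, 26)]
    return rows


def run_demo(now: int = 1_700_000_000) -> Tuple[Dict[str, int], List[str]]:
    """Archive the sample, then return the error summary and the blacklist candidates."""
    con = open_archive()
    archive(con, sample_records(now))
    return error_summary(con, 0), auth_vector_abusers(con, now)


if __name__ == "__main__":
    summary, flagged = run_demo()
    print("errors by type:", summary)
    print("blacklist candidates:", flagged)
```

Keeping the window and threshold as query parameters lets the same archive answer the stricter and looser variants of the rule, and the (supi, ts) index keeps the per-terminal window scan cheap as the archive grows.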

By way of example, in the unified archiving and control scenario, referring to the schematic architecture of the 5G communication system in FIG. 4, the 5G communication system adopts a unified service-based architecture and interfaces, and is flexibly orchestrable, decoupled and open. The 5G communication system includes an access network (AN) and a core network (CN), and may also include terminals. A terminal may be a device with transceiver functions, or a chip or chip system that can be installed in such a device. The terminal may also be called user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station (MS), a mobile platform, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus.

上述AN用于实现接入有关的功能,可以为特定区域的授权用户提供入网功能,并能够根据用户的级别,业务的需求等确定不同质量的传输链路以传输用户数据。AN在终端与CN之间转发控制信号和用户数据。AN可以包括:接入网设备,也可以称为无线接入网设备(radio access network,RAN)设备。The above AN is used to implement access-related functions, can provide network access functions for authorized users in a specific area, and can determine transmission links of different qualities to transmit user data according to the user level, business requirements, etc. AN forwards control signals and user data between the terminal and CN. AN can include: access network equipment, also known as radio access network equipment (RAN) equipment.

本申请实施例中,实现控制面与用户面分析、移动性管理与会话管理的解耦,涉及到的网元如图4所示包括:AMF、SMF、PCF、UDM、AUSF、UPF等网元。其中,AMF网元功能:接入和移动性管理功能;SMF网元功能:会话管理功能;UDM网元功能:统一数据管理;AUSF:认证服务;UPF:用户数据转发。5G通信系统中的5G日志留存系统包括的5G移动通信接口如下:可采集的接口N1(例如AMF-UE,移动性管理信令)、N2(例如AMF-RAN,接入管理信令)、N4(例如UPF-SMF,会话转发控制信令)、N8(例如AMF-UDM,接入签约数据管理)、N11(例如AMF-SMF,会话管理信令)。涉及到的接口信令流包括但不限于注册及认证流程、服务请求及建立流程。其中,UPF网元可以接收来自数据网络(data network,DN)的用户数据,通过接入网络设备向终端转发该用户数据。5G通信系统还包括如图4所示的其他网元:网络切片选择功能(Network Slice Selection Function,NSSF)、应用层功能(Application Function,AF)。5G通信系统还包括如图4所示的其他接口,例如NSSF与AMF之间的N22、AUSF与AMF之间的N12、UDM与SMF之间的N10、SMF与PCF之间的N7、PCF与AF之间的N5、AMF的N14、PCF与AMF之间的N15、AN与UPF之间的N3、UPF与DN之间的N6、UPF的N9。In the embodiment of the present application, the decoupling of control plane and user plane analysis, mobility management and session management is realized, and the network elements involved include: AMF, SMF, PCF, UDM, AUSF, UPF and other network elements as shown in Figure 4. Among them, AMF network element function: access and mobility management function; SMF network element function: session management function; UDM network element function: unified data management; AUSF: authentication service; UPF: user data forwarding. The 5G mobile communication interface included in the 5G log retention system in the 5G communication system is as follows: the collectable interface N1 (such as AMF-UE, mobility management signaling), N2 (such as AMF-RAN, access management signaling), N4 (such as UPF-SMF, session forwarding control signaling), N8 (such as AMF-UDM, access contract data management), N11 (such as AMF-SMF, session management signaling). The interface signaling flows involved include but are not limited to registration and authentication processes, service requests and establishment processes. Among them, the UPF network element can receive user data from the data network (DN) and forward the user data to the terminal through the access network device. 
The 5G communication system also includes other network elements as shown in Figure 4: Network Slice Selection Function (NSSF), Application Function (AF). The 5G communication system also includes other interfaces as shown in Figure 4, such as N22 between NSSF and AMF, N12 between AUSF and AMF, N10 between UDM and SMF, N7 between SMF and PCF, N5 between PCF and AF, N14 of AMF, N15 between PCF and AMF, N3 between AN and UPF, N6 between UPF and DN, and N9 of UPF.

在注册及认证流程的场景下,涉及到的交互流程如图5和图6所示,In the registration and authentication process scenario, the interaction process involved is shown in Figures 5 and 6.

这里,以终端为UE举例,涉及到的网元包括AMF、UDM;注册流程通过步骤201至步骤203实现:Here, taking the terminal as UE as an example, the network elements involved include AMF and UDM; the registration process is implemented through steps 201 to 203:

步骤201、UE向AMF发送注册请求(Registration request)消息;Step 201: UE sends a registration request message to AMF;

步骤202、AMF向UE发送注册响应(Registration accept)消息;Step 202: AMF sends a registration response (Registration accept) message to the UE;

步骤203、UE向AMF发送注册完成(Registration complete)消息,完成注册。Step 203: The UE sends a Registration complete message to the AMF to complete the registration.

认证流程通过步骤301至步骤302实现:The authentication process is implemented through steps 301 to 302:

步骤301、AMF向UDM发送PUT…/{ueId}/registrations/amf-3gpp-access(Amf3GppAccessRegistration);Step 301, AMF sends PUT .../{ueId}/registrations/amf-3gpp-access (Amf3GppAccessRegistration) to UDM;

步骤302、UDM向AMF发送204No Content或201Created。Step 302: UDM sends 204 No Content or 201 Created to AMF.

在注册及认证流程的场景下,异常报错的内容包括但不限于如下异常报错表格1中的信息。In the registration and authentication process scenario, the content of the abnormal error includes but is not limited to the information in the following abnormal error table 1.

异常报错表格1Abnormal error form 1

示例性的,在一个初始终端入网的场景流程中,结合图7和图8所示,5G注册管理主要用于用户和网络之间进行注册和去注册,便于网络建立用户上下文。触发5G用户建立用户面资源,实现5G终端IP分配、协议数据单元(Protocol Data Unit,PDU)会话建立以及网络服务等级。Exemplarily, in a scenario process of an initial terminal accessing the network, as shown in FIG7 and FIG8, 5G registration management is mainly used for registration and deregistration between users and the network, so as to facilitate the network to establish user contexts. Trigger 5G users to establish user plane resources, implement 5G terminal IP allocation, protocol data unit (PDU) session establishment, and network service level.

当用户从成都坐飞机到了北京,会开启5G UE例如手机。初始注册流程的信令交互如下:When a user flies from Chengdu to Beijing, he will turn on the 5G UE, such as a mobile phone. The signaling interaction of the initial registration process is as follows:

首先,参见图7所示:First, see Figure 7:

步骤401、UE向北京AMF网元发起5G终端注册请求(Registration Request)消息;Step 401: The UE initiates a 5G terminal registration request message to the Beijing AMF network element;

在一个可实现的场景中,UE向北京AMF网元发送下一代应用协议(NextGeneration Application Protocol,NGAP):Iritial UE消息,包括:In a feasible scenario, the UE sends a Next Generation Application Protocol (NGAP): Iritial UE message to the Beijing AMF network element, including:

{UE当前位置信息:NR-CGI/TAI{UE current location information: NR-CGI/TAI

NAS-PDU:Message Type:Registration RequestNAS-PDU: Message Type: Registration Request

Registration type:initial registrationRegistration type: initial registration

Mobile identity:5G-GUTIMobile identity: 5G-GUTI

UE Security capability:支持加密和完整性保护算法UE Security capability: Support encryption and integrity protection algorithms

Requested-NSSAI:请求的切片ID}Requested-NSSAI: Requested slice ID}

步骤402、北京AMF网元根据5G-GUTI中携带的全局唯一的AMF标识符(GloballyUnique AMF Identifier,GUAMI)识别到成都AMF网元;Step 402: The Beijing AMF network element identifies the Chengdu AMF network element according to the globally unique AMF identifier (Globally Unique AMF Identifier, GUAMI) carried in the 5G-GUTI;

步骤403、北京AMF网元请求成都AMF网元的UE上下文参数;Step 403: The Beijing AMF network element requests the Chengdu AMF network element for UE context parameters;

这里,北京AMF网元向成都AMF网元发送HTTP2 POST请求:成都AMF的UE上下文{UeContextTransfer ReqData}。Here, the Beijing AMF network element sends an HTTP2 POST request to the Chengdu AMF network element: Chengdu AMF's UE context {UeContextTransfer ReqData}.

步骤404、成都AMF网元向北京AMF网元发送的反馈参数包括:用户永久标识符(SUbscription Permanent Identifier,SUPI)、通用公共用户标识(Generic Public Subscription Identifier,GPSI)、公共陆地移动通信网络(Public Land Mobile Network,PLMN)、5G系统移动管理能力(5GS mobility management Capability,5GMM Capability);Step 404, the feedback parameters sent by the Chengdu AMF network element to the Beijing AMF network element include: user permanent identifier (SUbscription Permanent Identifier, SUPI), generic public subscription identifier (GPSI), public land mobile communication network (Public Land Mobile Network, PLMN), 5G system mobility management capability (5GS mobility management Capability, 5GMM Capability);

这里,成都AMF网元向北京AMF网元发送HTTP2反馈消息:{JSON[UEContextTransferRsp Data:SUPI,GPSI,PEI及签约的UE-AMBR等MM Context参数}。Here, the Chengdu AMF network element sends an HTTP2 feedback message to the Beijing AMF network element: {JSON[UEContextTransferRsp Data: SUPI, GPSI, PEI and contracted UE-AMBR and other MM Context parameters}.

之后,步骤405~步骤408:北京AMF网元向北京NRF网元请求AUSF网元选择并反馈AUSF的IP地址;Afterwards, step 405 to step 408: the Beijing AMF network element requests the Beijing NRF network element to select and feed back the IP address of the AUSF network element;

步骤405、北京AMF网元向UE发送NGAP:DOWNLINK NAS TRANSPORT请求UE要用户隐藏标识符(SUbs cription Concealed Identifier,SUCI)(可选);{NAS-PDU(Messagetype:Identity request,Identity type:SUCI)};Step 405, the Beijing AMF network element sends NGAP: DOWNLINK NAS TRANSPORT to the UE, requesting the UE to conceal the user identifier (SUbs cription Concealed Identifier, SUCI) (optional); {NAS-PDU (Message type: Identity request, Identity type: SUCI)};

步骤406、UE向北京AMF网元发送NGAP:UPLINKNAS TRANSPORT;{NAS-PDU(Messagetype:identity response,Mobile Identity:SUCI)};Step 406, UE sends NGAP:UPLINKNAS TRANSPORT; {NAS-PDU (Messagetype:identity response, Mobile Identity:SUCI)} to Beijing AMF network element;

步骤407、北京AMF网元向北京NRF网元发送HTTP2 GET:选择AUSF;Step 407, the Beijing AMF network element sends an HTTP2 GET to the Beijing NRF network element: select AUSF;

{service-name:nausf-auth,target-nf-type:AUSFLrequester-nf-type=AMF,requester-nf-instance:amfxxx,Routing indicator:SUCI);{service-name: nausf-auth, target-nf-type: AUSFLrequester-nf-type = AMF, requester-nf-instance: amfxxx, Routing indicator: SUCI);

步骤408、北京NRF网元向北京AMF网元发送HTTP2{JSON[Nfinstances:AUSF的IP地址、正式域名(Fully Qualified Domain Name,FQDN)、nf类型(Nftype)、NFServices,单个网络切片选择协助信息(Single Network Slice Selection Assistance information,SNSSAI)等};Step 408, the Beijing NRF network element sends HTTP2{JSON[Nfinstances: IP address of AUSF, fully qualified domain name (FQDN), nf type (Nftype), NFServices, single network slice selection assistance information (Single Network Slice Selection Assistance information, SNSSAI) etc.} to the Beijing AMF network element;

进一步地,步骤409~步骤411:AMF网元向终端所属的归属网元AUSF/UDM请求UE的鉴权向量,并且基于根密钥K值生成5G鉴权向量组。其中UDM通过AES算法生成鉴权向量包括:消息认证码(Message Authentication Code,MAC)、预期响应(Expected Response,RES)、加密性密钥(Cipher Key,CK)、完整性密钥(Integrity Key,IK)、匿名密钥(anonymity key,AK)以及认证令牌等;Further, step 409 to step 411: the AMF network element requests the UE's authentication vector from the home network element AUSF/UDM to which the terminal belongs, and generates a 5G authentication vector group based on the root key K value. The authentication vector generated by UDM through the AES algorithm includes: message authentication code (Message Authentication Code, MAC), expected response (Expected Response, RES), encryption key (Cipher Key, CK), integrity key (Integrity Key, IK), anonymity key (anonymity key, AK) and authentication token, etc.;

步骤409、北京AMF网元向成都AUSF/UDM网元发送HTTP2_POST:请求AUSF/UDM生成UE的鉴权向量组;Step 409: The Beijing AMF network element sends HTTP2_POST to the Chengdu AUSF/UDM network element: requesting AUSF/UDM to generate an authentication vector group for the UE;

SON{Supi or Sud:SUCI,serving newg name:5G:mncxxx.mcc460xx};SON{Supi or Sud:SUCI, serving newg name:5G:mncxxx.mcc460xx};

步骤410、成都UDM网元通过私钥将SUa解密为SUPI,基于SUPI生成5G鉴权向量组;Step 410: The Chengdu UDM network element decrypts SUa into SUPI using a private key, and generates a 5G authentication vector group based on SUPI;

步骤411、成都AUSF/UDM网元向北京AMF网元发送HTTP2;Step 411, Chengdu AUSF/UDM network element sends HTTP2 to Beijing AMF network element;

{JSON{Av 5G AKA(Rand,autn,hxres*.Kseaf),Auth_type:5G_AKA};{JSON{Av 5G AKA(rand, autn, hxres*.Kseaf), Auth_type: 5G_AKA};

其次,参见图8所示:Secondly, see Figure 8:

步骤412~步骤413:北京AMF向UE发起终端侧鉴权,UE同样进行鉴权向量计算,采用相同AES算法,然后再AMF安全锚点功能(SEAF,Security Anchor Function)模块处进行比对,如果预期响应值(HRES)相同,则认证UE成功。Step 412 to Step 413: Beijing AMF initiates terminal-side authentication to the UE. The UE also performs authentication vector calculation, using the same AES algorithm, and then compares it at the AMF Security Anchor Function (SEAF) module. If the expected response values (HRES) are the same, the UE is authenticated successfully.

步骤412、北京AMF网元向UE发送NGAP:DOWNLINK NAS TRANSPORT对UE发起鉴权,得到UE鉴权结果;Step 412: The Beijing AMF network element sends NGAP: DOWNLINK NAS TRANSPORT to the UE to initiate authentication for the UE and obtain the UE authentication result.

NAS-PDU{Message aype:Authentication request,RAND,AUTH};NAS-PDU{Message aype:Authentication request, RAND, AUTH};

步骤413、UE向北京AMF网元发送NGAP:UPLINK NAS TRANSPORT NAS-PDU{Messagetype:Authentication response,RES*};Step 413: The UE sends NGAP: UPLINK NAS TRANSPORT NAS-PDU {Messagetype: Authentication response, RES*} to the Beijing AMF network element;

步骤414、北京AMF网元采用相同算法计算Hres*和AUSF下发的Hres*比对;如一致则AMF站在网络服务角度,认为终端认证成功;Step 414: Beijing AMF network element uses the same algorithm to calculate Hres* and compares it with Hres* issued by AUSF; if they are consistent, AMF considers that the terminal authentication is successful from the perspective of network service;

步骤415、北京AMF网元向成都AUSF/UDM网元发送HTTP2_PUT:网络侧完成对UE的鉴权{JSON(RES*));Step 415, the Beijing AMF network element sends HTTP2_PUT to the Chengdu AUSF/UDM network element: the network side completes the authentication of the UE {JSON(RES*));

步骤416、成都AUSF将RES*与UDM生成的XRES*进行比对,如一样则AUSF站在归属网络角度,认为终端认证成功。Step 416: Chengdu AUSF compares RES* with XRES* generated by UDM. If they are the same, AUSF considers that the terminal authentication is successful from the perspective of the home network.

步骤417、成都AUSF/UDM网元向北京AMF网元发送HTTP2{JSON{authResut:AUTHENTICATION_SUCCESS,SUP}。Step 417, the Chengdu AUSF/UDM network element sends HTTP2{JSON{authResut:AUTHENTICATION_SUCCESS, SUP} to the Beijing AMF network element.

上述初始终端入网的场景流程中,存在的问题为:终端鉴权向量问题(AV_GENERATION_PROBLEM)。In the above-mentioned initial terminal network access scenario process, there is a problem: terminal authentication vector problem (AV_GENERATION_PROBLEM).

终端SIM卡如鉴权算法模块、K值、SQN与核心网签约数据不一致,将导致上述业务流程反复重启,同时AUSF/UDM网元会根据UE鉴权请求,基于根密钥K值反复计算生成5G鉴权向量组。如果有多台恶意终端反复接入网络,将导致AUSF/UDM网元出现DDOS攻击,资源被占用,无法为正常终端提供鉴权向量生成服务。同理,AMF SEAF功能模块将对终端侧和网络侧的预期响应值HRES值进行比对,如恶意终端反复接入网络,导致AMF网元资源被占用,导致AMF接入功能不能正常使用,无法为正常终端提供网络接入服务。If the authentication algorithm module, K value, SQN of the terminal SIM card are inconsistent with the core network contract data, the above-mentioned business process will be repeatedly restarted. At the same time, the AUSF/UDM network element will repeatedly calculate and generate the 5G authentication vector group based on the root key K value according to the UE authentication request. If multiple malicious terminals repeatedly access the network, the AUSF/UDM network element will be attacked by DDOS, and resources will be occupied, making it impossible to provide authentication vector generation services for normal terminals. Similarly, the AMF SEAF function module will compare the expected response value HRES value on the terminal side and the network side. If malicious terminals repeatedly access the network, the AMF network element resources will be occupied, causing the AMF access function to be unable to be used normally, and network access services cannot be provided to normal terminals.
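The two-sided check of steps 412 to 416 (HRES* against HXRES* at the serving-network SEAF, then RES* against XRES* at the home-network AUSF) and the mismatched-SIM failure just described, as an added example that is not part of the patent. The (X)RES* and H(X)RES* derivations follow TS 33.501 Annex A.4 and A.5; the AES-based step that turns the root key K into RES, CK and IK is replaced by constructed `SimOutput` values, and the serving network name `SNN` is constructed.

```python
"""Serving-network (AMF/SEAF) and home-network (AUSF) authentication checks
for 5G AKA. Added example, not the patent's own code. The Milenage/AES step
that derives RES, CK and IK from K is replaced by constructed values."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

SNN = b"5G:mnc001.mcc460.3gppnetwork.org"   # constructed serving network name


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 generic KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    each length L encoded as two big-endian octets."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def res_star(ck: bytes, ik: bytes, snn: bytes, rand: bytes, res: bytes) -> bytes:
    """(X)RES* = 128 least significant bits of KDF(CK||IK, 0x6B, SNN, RAND, RES)."""
    return kdf(ck + ik, 0x6B, snn, rand, res)[16:]


def hres_star(rand: bytes, res_s: bytes) -> bytes:
    """H(X)RES* = 128 least significant bits of SHA-256(RAND || (X)RES*)."""
    return hashlib.sha256(rand + res_s).digest()[16:]


@dataclass(frozen=True)
class SimOutput:
    """Constructed stand-in for what the USIM (and the UDM, from its copy of K)
    produce for one RAND: RES, CK and IK."""
    res: bytes
    ck: bytes
    ik: bytes


def udm_vector(subscription: SimOutput, rand: bytes) -> Tuple[bytes, bytes]:
    """Steps 410/411: UDM computes XRES*; the AUSF keeps XRES* and hands only
    HXRES* to the serving AMF."""
    xres_s = res_star(subscription.ck, subscription.ik, SNN, rand, subscription.res)
    return xres_s, hres_star(rand, xres_s)


def ue_response(sim: SimOutput, rand: bytes) -> bytes:
    """Step 413: the UE answers the Authentication request with RES*."""
    return res_star(sim.ck, sim.ik, SNN, rand, sim.res)


def seaf_check(rand: bytes, res_s: bytes, hxres_s: bytes) -> bool:
    """Step 414: AMF/SEAF hashes the UE's RES* and compares it with HXRES*."""
    return hmac.compare_digest(hres_star(rand, res_s), hxres_s)


def ausf_check(res_s: bytes, xres_s: bytes) -> bool:
    """Step 416: AUSF compares the forwarded RES* with the UDM's XRES*."""
    return hmac.compare_digest(res_s, xres_s)


def run_auth(subscription: SimOutput, sim: SimOutput,
             rand: Optional[bytes] = None) -> Tuple[bool, bool]:
    """One authentication run; returns (serving-network ok, home-network ok).
    The AUSF is only consulted (step 415) when the SEAF check passed."""
    rand = rand or secrets.token_bytes(16)
    xres_s, hxres_s = udm_vector(subscription, rand)      # steps 409-411
    res_s = ue_response(sim, rand)                        # steps 412-413
    seaf_ok = seaf_check(rand, res_s, hxres_s)            # step 414
    ausf_ok = ausf_check(res_s, xres_s) if seaf_ok else False  # steps 415-416
    return seaf_ok, ausf_ok


# Constructed values. GOOD models a SIM consistent with the UDM subscription;
# BAD models the page's failure case: a SIM whose K/SQN/algorithm disagree
# with the subscription, so its RES never matches and every attempt fails.
GOOD = SimOutput(bytes.fromhex("0102030405060708"), bytes(16), bytes(range(16)))
BAD = SimOutput(bytes.fromhex("ffffffffffffffff"), bytes(16), bytes(range(16)))

if __name__ == "__main__":
    print("consistent SIM:", run_auth(GOOD, GOOD))
    print("mismatched SIM:", run_auth(GOOD, BAD))
```

Every run with the mismatched SIM still costs the UDM a full vector derivation before the SEAF rejects it, which is the resource drain the text attributes to repeated AV_GENERATION_PROBLEM attempts.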

However, in the related art, in the edge computing scenario, when the UE sends a target PDU session establishment request to the SMF, it triggers repeated uplink classifier insertion operations at the SMF and repeated DHCP UE IP address allocation request signaling, so that the 5G system's signaling is occupied by the DoS and cannot serve UEs. Evidently the related art does not consider that, when a UE terminal registers and authenticates for network access, repeated initial registration requests, terminal authentication signaling, UE context transfers and so on are triggered at the AMF, and repeated authentication vector generation signaling at the UDM, so that the AMF and UDM are occupied by the DoS and cannot serve UEs.

In the service request and establishment procedure scenario, the interaction flows involved are shown in FIG. 9, FIG. 10 and FIG. 11.

Here, taking a UE as the terminal, the network elements involved include the AMF, SMF and UPF; the service request procedure is implemented through steps 501 to 502:

Step 501: The UE sends a PDU session establishment request message to the AMF;

Step 502: The AMF sends a PDU session establishment accept message to the UE.

The establishment procedure is implemented through steps 601 to 602 and steps 701 to 702:

Step 601: The NF Service Consumer sends POST .../sm-contexts (SmContextCreateData) to the SMF;

Step 602: The SMF returns 201 Created (SmContextCreatedData) to the Service Consumer.

Step 701: The SMF sends a Packet Forwarding Control Protocol (PFCP) Session Establishment Request message to the UPF.

Step 702: The UPF sends a PFCP Session Establishment Response message to the SMF.

In the service request and establishment procedure scenario, the content of the abnormal error reports includes, but is not limited to, the information in abnormal error Table 2 below.

Abnormal error Table 2

By way of example, in the scenario flow of initial PDU session establishment, as shown in FIG. 12 to FIG. 15, PDU session establishment in the 5GC is triggered either together with completion of the registration procedure or separately when the UE accesses a service. The 5GC initial PDU session establishment procedure realizes 5G terminal IP allocation, session establishment, the network service level and so on;

When a user flies from Chengdu to Beijing and switches on a 5G mobile phone locally in Beijing to use application services, the signaling interaction is as follows:

First, referring to FIG. 12:

Steps 801 to 804: The UE initiates PDU session establishment and sends it to the AMF; the AMF, using the SMF IP address returned by the NRF, requests the SM context for the user terminal, including the PDU session ID and the external data network name (DNN).

Step 801: The UE sends NGAP: UL NAS Transport to the Beijing AMF;

{UE current location information: NR-CGI/TAI; NAS-PDU: Message Type: PDU Session establishment Request, PDU Session type: IPv4, Payload-Container Type: N1 SM information, PDU Session ID: 5, Request Type: initial Request};

Step 802: The Beijing AMF sends HTTP2_GET to the Beijing NRF: select SMF;

{target NF: SMF, requesting NF: AMF, DNN: XXXnet};

Step 803: The Beijing NRF sends HTTP2 to the Beijing AMF;

{JSON[the SMF's IP address, FQDN, nfType, etc.]};

Step 804: The Beijing AMF sends HTTP2 POST to the Beijing SMF: request the SMF to create the user's SM context;

{JSON[SUPI, PDUSessionID: 5, DNN, Request Type: initial Request, etc.]};

Steps 805 to 806: The SMF requests the NRF for the route to the UDM and obtains the IP address of the home domain's UDM.

Step 805: The Beijing SMF sends HTTP2 GET to the Beijing NRF: select UDM;

{service-name: nudm-auth, target-nf-type: UDM, requester-nf-type: SMF, requester-nf-instance: smfxxx, Routing indicator: SUPI};

Step 806: The Beijing NRF answers the Beijing SMF's HTTP2 GET: select UDM;

JSON{nfInstances: the UDM's IP address, FQDN, nfType, nfServices, S-NSSAI, etc.}.

Next, referring to FIG. 13:

Steps 807 to 812: The SMF registers with the UDM and obtains the terminal's SM-related subscription data, including: the DNN network name, PDU session type, AMBR (aggregate maximum bit rate) and 5G QoS Profile; at the same time it subscribes to changes of the 5G SM subscription data so as to stay synchronized with the UDM.

Step 807: The Beijing SMF sends HTTP2_PUT to the Chengdu UDM: SMF registration with the UDM;

JSON{SMFid, DNN, PDUSessionID, PLMN ID};

Step 808: The Chengdu UDM sends HTTP2 to the Beijing SMF: SMF registration with the UDM;

JSON{PDUSessionID, SMFinstanceID, DNN, PLMN ID};

Step 809: The Beijing SMF sends HTTP2_GET to the Chengdu UDM: obtain SM-related subscription data {DNN, S-NSSAI};

Step 810: The Chengdu UDM sends HTTP2 to the Beijing SMF: SM-related subscription data;

JSON{DNN, PDUSessionType, SSCMode, sessionAMBR: uplink and downlink, 5GQosProfile};

Step 811: The Beijing SMF sends HTTP2_POST to the Chengdu UDM: subscribe to SM subscription data change events;

JSON{monitoredResourceUris: sm-data, callbackUri};

Step 812: The Chengdu UDM sends HTTP2: Created to the Beijing SMF for the subscription to SM subscription data change events;

Further, steps 813 to 818: A PCF is selected to obtain the user's subscription policy, including the DNN, PDU session ID, SUPI, UE IPv4 address, QoS level, etc.

Step 813: The Beijing SMF sends HTTP2: Created to the Beijing AMF;

Step 814: The Beijing SMF checks that the request type in step 804 is not Existing PDU Session and initiates PCF selection;

Step 815: The Beijing SMF sends HTTP2_GET to the Beijing NRF: select PCF;

{target-nf-type: PCF, requester-nf-type: SMF, requester-nf-instance: smfxxx, DNN};

Step 816: The Beijing NRF sends HTTP2 to the Beijing SMF: select PCF; JSON{nfInstances: the PCF's IP address, FQDN, nfType, nfService, S-NSSAI, etc.};

Step 817: The Beijing SMF sends HTTP2 POST to the Chengdu PCF: obtain the PDU session QoS policy from the PCF; JSON{SUPI, PDUSessionID, DNN, the UE's IPv4 address, etc.};

Step 818: The Chengdu PCF sends HTTP2: create to the Beijing SMF;

JSON{sessRules: (sessRuleId, authSessAmbr, authDefault Qos)};

Then, referring to FIG. 14:

Steps 819 to 823: The Beijing SMF selects a UPF and establishes a PFCP session, covering: the user plane address, Tunnel Endpoint Identifier (TEID), Node ID, FAR forwarding rules, etc.

Step 819: The Beijing SMF selects a UPF;

Step 820: The Beijing SMF sends PFCP: PFCP Session Establishment Request to the Beijing UPF;

the rule sets {PDR, FAR, URR, QER}, PDN type;

Step 821: The Beijing UPF sends PFCP: PFCP Session Establishment Response to the Beijing SMF;

{PDR, F-SEID (UPF user plane address + TEID), Node ID};

Step 822: The Beijing SMF sends HTTP2_GET to the Beijing NRF: select the AMF's Comm service; {target NF type: AMF, requesting NF: SMF};

Step 823: The Beijing NRF sends HTTP2 to the Beijing SMF: select the AMF's Comm service;

JSON{nfInstances: the AMF's IP address, FQDN, etc.};

Steps 824 to 825: N1 and N2 messages are sent to the AMF; the N2 message tells the base station to establish the user plane channel, and the N1 message informs the UE that the PDU session has been established successfully, together with its parameters.

Step 824: The Beijing SMF sends HTTP2 POST to the Beijing AMF;

{PDU session ID, N2 message (PDU session ID, QFI, QoS profile, UPF tunnel address and ID, QoS parameters, PDU session type: IPv4),

N1 message (NAS-PDU: PDU Session Establishment Accept, the UE's IP address, Session-AMBR, DNN)};

N1 and N2 messages are sent to the AMF: the N2 message tells the gNB to set up the user plane channel, and the N1 message informs the UE of successful PDU session establishment and its parameters.

Step 825: The Beijing AMF sends HTTP2 JSON{cause: N1_N2_TRANSFER_INITIATED} to the Beijing SMF.

Finally, referring to FIG. 15:

Steps 826 to 828: The AMF establishes the user plane tunnel via the base station with the N2 message, and the N1 message informs the UE that the PDU session has been established successfully, together with its parameters, including: the DNN, the UE's IP address, the session AMBR (aggregate maximum bit rate), etc.

Step 826: The Beijing AMF sends NGAP: PDU Session Resource Setup Request to the Beijing gNB;

N2 message parameters: [PDU Session ID, S-NSSAI, PDU Session Type, UPF IP and TEID, QoS parameters];

NAS-PDU: (PDU Session establishment accept, selected SSC mode, DNN, the UE's IP address, Session-AMBR);

The N2 message tells the gNB to set up the user plane channel, and the N1 message informs the UE of successful PDU session establishment and its parameters;

Step 827: The Beijing gNB sends NAS: PDU Session establishment accept to the UE;

{S-NSSAI, DNN, the UE's IP address, Session-AMBR parameters};

Step 828: The Beijing gNB sends NGAP: PDU Session Resource Setup Response to the Beijing AMF;

N2 message parameters (PDU Session ID, the gNB's user plane IP and TEID);

At this point the UE begins sending its first uplink data;

Steps 829 to 832: At this point the UE sends its first uplink data. Meanwhile the AMF delivers the base station's user plane IP and TEID to the SMF, the SMF passes the base station's user plane information to the UPF, and finally the UPF delivers a first downlink packet to the 5G terminal through the base station.

Step 829: The Beijing AMF sends HTTP2 POST to the Beijing SMF; JSON{UE Location, RequestType: Initial Request, gNB user plane IP and TEID};

Step 830: The Beijing SMF sends PFCP: PFCP Session Modification Request to the Beijing UPF; {Updated FAR: the gNB's user plane IP and TEID}; this passes the gNB's user plane information to the UPF;

Step 831: The Beijing UPF sends PFCP: PFCP Session Modification Response to the Beijing SMF; {Cause: Request accepted};

Step 832: The Beijing SMF sends HTTP2 to the Beijing AMF;

At this point the UPF begins sending the first downlink data.

The problems that arise in the above initial PDU session establishment flow are: unknown DNN and invalid PDU session. When the user requests PDU session service establishment, the 5G terminal's DNN, PDU session ID and other parameters are carried to the 5G core network, and the SM context request message is meant to establish the association between the AMF and the SMF for this terminal's session. If the DNN differs or the PDU session ID is outside the permitted value range, the subsequent operations are not executed, yet user SM context creation between the AMF and SMF is triggered repeatedly, so this signaling procedure on the SMF is occupied over and over again, affecting context creation for normal 5G terminals; nor is any session establishment request sent to the UPF over the N4 interface.

This application builds a 5G private network architecture with unified archiving and control, deploying "control plane collection and parsing equipment" down at each branch node to collect the 5G control plane signaling procedures, fields and error information of multiple branch nodes, achieving unified archiving and unified control; this facilitates secure coordination among the multiple branch nodes of special industries and avoids signaling storms on the 5G control plane.
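The central-node rule stated earlier (20 authentication vector problems from one terminal within 1 hour leads to a blacklist decision), applied to error records merged from several branch-node collectors, as an added example that is not the patent's own code. The same sliding-window rule is applied to the repeated SM-context creation failures described in the PDU session flow; the collector line format, node names, identifiers and the `SM_CONTEXT_CREATE_REJECTED` label are all constructed for this example.

```python
"""Central-node correlation of terminal error records from several branch
nodes: N repeats of one error type per terminal within a sliding window
produce a blacklist decision. Added example, not the patent's own code.
All log lines, node names, identifiers and error labels are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ErrorRecord:
    ts: datetime      # time the branch collector saw the error
    node: str         # branch node that captured it (constructed name)
    ue_id: str        # terminal identity (constructed)
    interface: str    # e.g. N8, N11
    error: str        # error code parsed from the signaling


@dataclass(frozen=True)
class Rule:
    error: str
    threshold: int    # the page's rule: 20 errors ...
    window: timedelta # ... within 1 hour
    action: str


RULES = [
    # the rule stated in the text: repeated authentication vector problems
    Rule("AV_GENERATION_PROBLEM", 20, timedelta(hours=1), "BLACKLIST"),
    # same pattern for repeated SM-context creation failures on N11;
    # this label is a constructed placeholder, not a code from the page
    Rule("SM_CONTEXT_CREATE_REJECTED", 20, timedelta(hours=1), "BLACKLIST"),
]


def parse_line(line: str) -> Optional[ErrorRecord]:
    """Parse one collector line of the constructed form
    '<ISO time> node=<n> ue=<id> if=<N8> err=<CODE>'; anything else is skipped."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        kv = dict(p.split("=", 1) for p in parts[1:])
        return ErrorRecord(ts, kv["node"], kv["ue"], kv["if"], kv["err"])
    except (ValueError, KeyError):
        return None


class CentralNode:
    def __init__(self, rules: List[Rule] = RULES):
        self.rules = {r.error: r for r in rules}
        # (ue_id, error) -> timestamps still inside the rule's window
        self._windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self.decisions: Dict[str, dict] = {}

    def ingest(self, rec: ErrorRecord) -> Optional[dict]:
        """Feed one record (in time order); return a decision when a rule fires."""
        rule = self.rules.get(rec.error)
        if rule is None or rec.ue_id in self.decisions:
            return None
        win = self._windows[(rec.ue_id, rec.error)]
        win.append(rec.ts)
        while rec.ts - win[0] > rule.window:   # evict events older than the window
            win.popleft()
        if len(win) >= rule.threshold:
            d = {"ue_id": rec.ue_id, "action": rule.action, "error": rec.error,
                 "count": len(win), "last_node": rec.node}
            self.decisions[rec.ue_id] = d     # handed to the 5G core for blacklisting
            return d
        return None


def detect(lines: List[str]) -> Dict[str, dict]:
    """Merge lines from all branch nodes, order them by time (collectors may
    deliver out of order), run the rules and return decisions per terminal."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r.ts)
    node = CentralNode()
    for rec in records:
        node.ingest(rec)
    return node.decisions


def sample_lines() -> List[str]:
    """Constructed collector output from two branch nodes."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    # ue 1: 20 AV problems in 38 minutes, seen alternately by both nodes
    for i in range(20):
        node = "beijing-cp" if i % 2 else "chengdu-cp"
        lines.append(f"{(t0 + timedelta(minutes=2 * i)).isoformat()} node={node} "
                     f"ue=imsi-460000000000001 if=N8 err=AV_GENERATION_PROBLEM")
    # ue 2: 20 AV problems ten minutes apart, never 20 inside one hour
    for i in range(20):
        lines.append(f"{(t0 + timedelta(minutes=10 * i)).isoformat()} node=beijing-cp "
                     f"ue=imsi-460000000000002 if=N8 err=AV_GENERATION_PROBLEM")
    # ue 3: 20 SM-context rejections on N11 within half an hour
    for i in range(20):
        lines.append(f"{(t0 + timedelta(seconds=90 * i)).isoformat()} node=beijing-cp "
                     f"ue=imsi-460000000000003 if=N11 err=SM_CONTEXT_CREATE_REJECTED")
    lines.append("malformed line the parser must skip")
    return lines


if __name__ == "__main__":
    for ue, decision in detect(sample_lines()).items():
        print(ue, decision)
```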

而相关技术中针对用户面PDU会话建立请求过程中,触发SMF网元重复性的上行分类器插入操作、DHCP UE IP地址分配的请求信令,造成5G系统的信令被DOS占用,无法为UE提供服务。相比于相关技术中的方案,本申请不仅考虑了PDU会话建立请求的信令攻击,还考虑了5G控制面的终端入网鉴权时候,触发AMF网元重复性的初始注册、终端鉴权认证、UE上下文等信令请求以及UDM网元重复性的鉴权向量生成信令请求等,造成AMF网元、UDM网元被DOS占用,无法为UE提供服务。In the related art, during the user-side PDU session establishment request process, the uplink classifier insertion operation of the SMF network element is triggered repeatedly, and the request signaling of the DHCP UE IP address allocation is triggered, causing the signaling of the 5G system to be occupied by DOS and unable to provide services to the UE. Compared with the solutions in the related art, this application not only considers the signaling attack of the PDU session establishment request, but also considers the terminal access authentication of the 5G control plane, which triggers the AMF network element's repeated initial registration, terminal authentication, UE context and other signaling requests, as well as the UDM network element's repeated authentication vector generation signaling requests, etc., causing the AMF network element and the UDM network element to be occupied by DOS and unable to provide services to the UE.

From the above, the multi-park wireless private network security protection method provided by this application sinks both the control plane and the user plane network elements of the 5G core network into the user's park and deploys them locally, forming a secure private network system physically isolated from the public network. To ensure the security and reliability of the whole network, this application applies dedicated physical isolation to all three core components, the base station, the transport network and the core network, achieving true security isolation between application data. In addition, network operation events and network security events are monitored and recorded, and the relevant network logs are retained for at least 6 months as required by regulation, so as to keep the network secure and stable and to maintain the integrity, confidentiality and availability of network data.

In addition, because some special-industry users share public network base stations, the overall architecture and business flows of the 5G private network with unified archiving and control must be studied with the risk of 5G signaling storms in mind: large numbers of 5G terminals with illegitimate identities repeatedly accessing the network, or legitimate 5G terminals repeatedly re-accessing the network because of abnormal events, cause network congestion; large numbers of legitimate 5G terminals controlled by attackers, repeatedly powered on and periodically sending signaling and high-volume traffic, cause network anomalies.

The multi-park wireless private network security protection method provided by this application can also be used for regional security supervision. Under the secrecy law, personnel handling state secrets are graded into three levels, core, important and general; based on the secrecy grade and job nature of different employees, a classified military-industrial enterprise divides its work areas and manages a large park by area. However, as the number of users and of classified application services in the park grows, it becomes critical to supervise the personnel and business in each area while guaranteeing security.

For example, in a realizable regional security control scenario, as shown in FIG. 16, the UPFs of branch node ① and branch node ② forward the user data collected on the data plane to the data synthesis server, and the core network control plane network elements forward the data collected on the central node's control plane to the data synthesis server. Following the 5G private network signaling flows (for example user registration and authentication, service request and establishment), the 5G confidential private network management platform builds a relational database from the user identity fields, data fields and parameter values of the 5G mobile communication interfaces (such as N1, N2, N8, N11 and N4) supplied by the data synthesis server. To meet the personnel and business supervision requirements of different areas, the data parsed and synthesized by the user plane collection and analysis device and the control plane collection and analysis device are used to generate the full XDR raw data and the relational database tables, aggregating all signaling flows, interface messages and fields. In addition, as shown in FIG. 16, the terminal-side network signal strength parameters can be collected and reported through the 5G base station's measurement reports (Measurement Report, MR), the NR positioning protocol (NRPPa), or the 5G positioning service module.

As shown in FIG. 16, based on the collected "control plane data and user plane data of the 5G core network" and "basic positioning measurement data of the 5G base stations", and with the two functional modules "positioning solution platform" and "user business analysis" supported by the 5G confidential private network management platform, this application achieves user identification and business analysis for a specific area; further, the results of user identification and business analysis can be displayed visually. Here, the basic positioning measurement data of the 5G base stations include, but are not limited to, the user identity, cell ID, type allocation code (TAC), transmission/reception point identifier (TRP ID), reference signal received power (Reference Signal Received Power, RSRP) and time difference of arrival (Time Difference of Arrival, TDOA) shown in FIG. 16.

As shown in FIG. 16, user business analysis is based on the basic business CDR data of the 5G log system and includes protocol identification and/or interface restoration processing of the data streams transmitted by the data synthesis server to obtain the user business analysis results. Protocol identification includes, but is not limited to, identifying user request protocols such as HTTP, HTTPS and FTP. Interface restoration includes, but is not limited to, the following fields: TEID, Session Initiation Protocol (SIP), data path (Digital Path, DIP), source port (Sport) and destination port (Dport).

In some embodiments of this application, the full user CDR data include terminal-side wireless signal association parameters measured by at least two base stations of the wireless private network and/or reported by the terminal under test in the specific area, and step 102, performing collaborative security management of the multiple branch nodes based on the full user CDR data to generate wireless private network security protection information, can be implemented by the following steps:

C31. Establish an association between the terminal under test and the at least two base stations based on the wireless signal association parameters.

In embodiments of this application, the wireless signal association parameters include, but are not limited to, time of arrival (TOA), time difference of arrival (TDOA), angle of arrival (AOA) and received signal strength indication (Received Signal Strength Indication, RSSI).

The association between the terminal under test and the at least two base stations includes a positional association between the terminal under test and the at least two base stations.

C32. Identify the position of the terminal under test within the specific area based on the association.

The wireless private network security protection information includes the position of the terminal under test within the specific area.

It should be noted that the security control information for specific areas spanning multiple parks or plants includes the position of the terminal under test described above.

In embodiments of this application, the positioning solution platform can establish the positional association between the terminal under test and the base stations from the wireless signal association parameters measured by the base stations of the cellular network or reported by the terminal, and then derive the geographic coordinates of the terminal under test from that association.

In a realizable regional security control scenario, an example of user identification in a specific area is given:

Different posts differ in the content and nature of their work and in the information they are authorized to access, and key classified information must be protected with respect to employees of different secrecy grades. As an example, a special-industry user divides its park into a "production area", an "office management area", an "R&D area" and so on; each area has a different secrecy level matched to employees of the corresponding grade, so as to prevent intentional or unintentional entry into classified areas that do not match the employee's grade and to avoid the risk of core data leakage. This application focuses on regional positioning of 5G terminal users, providing special-industry managers with a specific-area user identification system and business analysis, recording each user's trajectory and business services, supplying basic data for park security audits, and achieving regional user information security supervision based on the 5G confidential private network.

In some embodiments of this application, C32, identifying the position of the terminal under test within the specific area based on the association, can be implemented by the following steps:

C321. Based on the wireless signal association parameters, obtain, for each pair of the at least two base stations, the difference between the times at which the two base stations receive the uplink sounding reference signal of the terminal under test.

C322. Obtain the time at which the signal of the terminal under test arrives at each base station of each pair.

The association includes the time difference and the arrival time at each base station of each pair.

C323. Determine the position of the terminal under test based on the time difference, the arrival time at each base station of each pair, the position of each base station and the speed of light.

The positioning solution platform described above can establish, from the wireless signal association parameters measured by the base stations of the cellular network or reported by the terminal, the positional association between the unknown target, i.e. the terminal under test, and the base stations, and derive the geographic coordinates of the unknown target terminal. The wireless signal association parameters include one of, or a combination of, TOA, TDOA, AOA and RSSI.

In a realizable scenario in which the positioning solution platform determines the position of the terminal under test, taking TDOA positioning as an example, the differences between the arrival times of the terminal's signal at two or more base stations are used as calculation parameters, relying on the highly synchronized clocks of the base stations, such as pico remote radio units (Pico Remote Radio Unit, pRRU). Here, as shown in FIG. 17, taking three base stations as an example, the uplink sounding reference signal (UL-SRS) pilot is collected to obtain different timestamps, for example arrival time ① Time_Stamp1 for base station pRRU①, arrival time ② Time_Stamp2 for base station pRRU②, arrival time ③ Time_Stamp3 for base station pRRU③, and so on. Time_Stamp1, Time_Stamp2 and Time_Stamp3 are the reported UL-SRS pilot timestamps of the three base stations.

In embodiments of this application, as shown in FIG. 17, taking three base stations as an example, the coordinates of the three base stations are $(X_1, Y_1)$, $(X_2, Y_2)$ and $(X_3, Y_3)$; for ease of description, $(X_i, Y_i)$ and $(X_j, Y_j)$ are used below to denote the coordinates of any two base stations. In this application, time synchronization among the multiple pRRUs ensures that, for the same UL-SRS pilot, the arrival time difference corresponds to the difference in distance from the terminal to the different pRRUs.

The distance from the terminal to a base station's coordinates can be expressed as Formula 1:

$R_i^2 = (X - X_i)^2 + (Y - Y_i)^2$ (Formula 1)

The difference between the terminal's distances to any two base stations can be expressed as Formula 2:

Simplifying this formula gives Formula 3:

Further, the difference between the terminal's distances to base station ① and base station ② can be expressed as Formula 4:

The difference between the terminal UE's distances to base station ① and base station ③ can be expressed as Formula 5:

The difference between the terminal UE's distances to base station ② and base station ③ can be expressed as Formula 6:

Expressing the system of equations in matrix form, the process is as follows:

Here $R_j$ is the distance from the terminal to base station $j$, $R_i$ is the distance from the terminal to base station $i$, $(X_i, Y_i)$ and $(X_j, Y_j)$ are the coordinates of different base stations ($i \geq 2$), $X$ and $Y$ are the terminal position to be solved, $C$ is the speed of light, $\Delta t_{i,1}$ is the difference between the times at which base station $i$ and base station 1 receive the UL-SRS pilot, $TA_1$ is the arrival time of the terminal's signal at base station 1, and $TA_i$ is its arrival time at base station $i$.

For Formula 3 above, since the base station coordinates $(X_i, Y_i)$ are known, let [substituted expression not reproduced on the page], where $R_i - R_1 = c \cdot \Delta t_i$ and $R_i + R_1 = c \cdot (TA_1 + TA_i)$;

the linear system is then written as $M = AN$;

where $N = [X, Y]^T$;

$Q^{-1}$ is the covariance matrix (A Simple and Efficient Estimator);

Using the hyperbolic position estimation method (linear system of equations):

$N = (A^T A)^{-1} A^T M$

$N = (A^T Q^{-1} A)^{-1} A^T Q^{-1} M$

the solution $X$ of the system under the two-base-station condition is obtained.
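The UL-SRS TDOA solution of steps C321 to C323 carried through in code, as an added worked example that is not part of the patent: it applies Formula 1, the identities $R_i - R_1 = C\,\Delta t_{i,1}$ and $R_i + R_1 = C\,(TA_1 + TA_i)$, and the estimates $N = (A^T A)^{-1} A^T M$ and $N = (A^T Q^{-1} A)^{-1} A^T Q^{-1} M$ with $N = [X, Y]^T$. It assumes synchronized pRRU clocks and a known SRS transmit instant `t_tx` (so that $TA_i$ is the timestamp minus `t_tx`); the coordinates, timestamps and the `simulate_timestamps` helper are constructed for the example.

```python
"""UL-SRS TDOA position solver for the three-pRRU case of FIG. 17.

Added worked example (not code from the patent). Assumption: the pRRU clocks
are synchronised and the SRS transmit instant t_tx is known, so that
TA_i = Time_Stamp_i - t_tx. All coordinates and timestamps are constructed.
"""
from dataclasses import dataclass
import math

C = 299_792_458.0  # speed of light, the document's constant C (m/s)


@dataclass(frozen=True)
class Prru:
    x: float          # X_i (metres)
    y: float          # Y_i (metres)
    t_arrival: float  # Time_Stamp_i: UL-SRS arrival timestamp (seconds)


def build_linear_system(stations, t_tx):
    """Rows of A and M such that M = A N, one row per station i >= 2.

    Expanding Formula 1 for stations i and 1 and subtracting gives
      R_i^2 - R_1^2 = (X_i^2 + Y_i^2) - (X_1^2 + Y_1^2)
                      - 2(X_i - X_1) X - 2(Y_i - Y_1) Y,
    and the left side is known from timing alone because
      R_i^2 - R_1^2 = (R_i - R_1)(R_i + R_1) = C dt_i1 * C (TA_1 + TA_i).
    """
    s1 = stations[0]
    ta_1 = s1.t_arrival - t_tx
    k_1 = s1.x ** 2 + s1.y ** 2
    a_rows, m_rows = [], []
    for s_i in stations[1:]:
        dt_i1 = s_i.t_arrival - s1.t_arrival            # Δt_{i,1}
        ta_i = s_i.t_arrival - t_tx                     # TA_i
        r_sq_diff = (C * dt_i1) * (C * (ta_1 + ta_i))   # R_i^2 - R_1^2
        k_i = s_i.x ** 2 + s_i.y ** 2
        a_rows.append([2.0 * (s_i.x - s1.x), 2.0 * (s_i.y - s1.y)])
        m_rows.append(k_i - k_1 - r_sq_diff)
    return a_rows, m_rows


def solve_weighted_ls(a_rows, m_rows, weights=None):
    """N = (A^T Q^-1 A)^-1 A^T Q^-1 M with a diagonal Q^-1 given by `weights`.

    With weights=None this is the unweighted N = (A^T A)^-1 A^T M. The 2x2
    normal equations are solved directly, so only the standard library is used.
    """
    if weights is None:
        weights = [1.0] * len(a_rows)
    ata = [[0.0, 0.0], [0.0, 0.0]]
    atm = [0.0, 0.0]
    for row, m, w in zip(a_rows, m_rows, weights):
        for r in range(2):
            atm[r] += w * row[r] * m
            for c in range(2):
                ata[r][c] += w * row[r] * row[c]
    det = ata[0][0] * ata[1][1] - ata[0][1] * ata[1][0]
    if abs(det) < 1e-9:
        # Collinear or coincident pRRUs: the hyperbolae do not fix a unique point.
        raise ValueError("pRRU geometry is degenerate; position is not observable")
    x = (atm[0] * ata[1][1] - ata[0][1] * atm[1]) / det
    y = (ata[0][0] * atm[1] - ata[1][0] * atm[0]) / det
    return x, y


def locate(stations, t_tx, weights=None):
    """Estimate (X, Y) of the terminal from three or more synchronised pRRUs."""
    if len(stations) < 3:
        raise ValueError("TDOA in the plane needs at least three base stations")
    a_rows, m_rows = build_linear_system(stations, t_tx)
    return solve_weighted_ls(a_rows, m_rows, weights)


def simulate_timestamps(coords, true_xy, t_tx):
    """Constructed measurement: ideal UL-SRS arrival timestamps for a known terminal."""
    x, y = true_xy
    return [Prru(cx, cy, t_tx + math.hypot(x - cx, y - cy) / C) for cx, cy in coords]


if __name__ == "__main__":
    # Constructed layout: pRRU①, pRRU② and pRRU③ at three corners of a hall.
    prrus = simulate_timestamps([(0.0, 0.0), (100.0, 0.0), (0.0, 80.0)], (30.0, 40.0), 1.0)
    print("estimated terminal position:", locate(prrus, 1.0))
```

With three stations A is square and the estimate is exact; with four or more the weighted form lets a per-station covariance entry down-weight a pRRU with poorer timing.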

In the related art, the identification of network attacks by a terminal is relatively simple: the handling includes PDU session release, UE deregistration and UE-AMBR limitation, and the identifiable network attacks include the number of DHCP requests, invalid DHCP requests and the number of DNS query requests. Unlike this application, the related art does not consider attack determination for requests such as SM context establishment and SM subscription data retrieval during repeated PDU session requests. Moreover, it does not consider the regional control requirements of special industries, is not associated with the terminal's location, and applies no regional restriction to user terminal network attacks.

In some embodiments of this application, the full user CDR data further include business CDR data, and after C32 identifies the position of the terminal under test within the specific area based on the association, the central node of the wireless private network can further perform the following operation:

Based on the position of the terminal under test and the business CDR data, evaluate the application service permissions of the user in the specific area and generate an evaluation result. The business CDR data include, but are not limited to, the basic business CDR data of the 5G log system.

In embodiments of this application, the evaluation results are retained and archived to support compliance audits of the user's business usage in the different classified areas.

In a realizable regional security control scenario, an example of user business analysis is given:

User business analysis is based on the basic business CDR data of the 5G log system, including basic data such as the user request protocol (HTTP, HTTPS, DNS, MMS, FTP, SIP, Email, etc.) and the business CDR fields (GTP-TEID, MSISDN, IMSI, IMEI, APN, source IP, source port, target IP, target port, time of occurrence).

For example, by combining the location information from the positioning solution platform with the target IP in the business CDR, the application service permissions of users in the area can be evaluated, and the following relationship can be established:

Basic data table of business CDRs

Application services are distinguished by the target IP and port of the services the user accesses, as reported in the business CDR; according to the area in which each application service may be used, the user's IMSI identity is verified, recorded and archived, supporting compliance audits of the user's business usage in the different classified areas.

The dynamic management policy for users in an area can follow the approach below:

On the platform side, two parameters are established for each user: a weight value K and a threshold G. The weight value K is bound to the existing business types and to the different security areas. For example, the existing businesses include "mobile office OA", "5G automatic inspection system", "5G security system" and so on (with weights k1, k2, k3 according to the secrecy level of each business), and the areas the user moves through have weights k100/k101/k102 according to their secrecy level; the user's secrecy weight for a given business and area is then K = K1 × K100. This is compared with the threshold G: if the user's secrecy weight exceeds G, the application in use is remotely disabled. In addition, the platform side can assign users different weights and thresholds for different times of day according to actual conditions, giving dynamic and elastic control.

With this design, the signaling data collected from the 5G control plane and the business data collected from the data plane are all basic parameters that serve as algorithm inputs (for example network error fields, the target IP and data volume of services accessed on the user plane, and the terminal signal strength at the base station). Analysis of "signaling flows and abnormal conditions" prevents DDoS attacks; analysis of "business flows on the core network data plane" yields parameters such as the IP addresses of the services the user accesses; and analysis of "base station terminal signal strength" yields the user's regional position coordinates. With the user weights, thresholds and other parameters set on the platform side as algorithm process variables, dynamic regional security control of terminals is achieved, and the two aspects above are combined to judge whether the park's network security is unstable or under serious attack.

In some embodiments of this application, time can also be included as a reference. For example, if, for given location information and time periods, the source and target IPs obtained from business CDR analysis match each other, the traffic is considered safe. The evaluation levels can be assigned with reference to the "production area", "office management area" and "R&D area"; it is recommended to assign levels according to the actual scenario, for example the "production area" as a "level-1 security area", the "office management area" as a "level-1 security area" and the "R&D area" as a "level-3 security area". The specific scheme that must be defined is therefore a dynamic evaluation policy adapted separately to level-1, level-2 and level-3 security areas. For example, in a "level-3 security area" no mismatch between "source and target IP" may be allowed under any condition, and a source IP that belongs to this area must not appear in other areas, reflecting the special nature of the "level-3 security area". The dynamic policy should be configured according to the actual situation of the park and its actual business requirements.
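The weight-and-threshold policy and the level-3 mismatch rule described above, as an added example that is not the patent's code: it evaluates constructed business CDR rows against the area in which the positioning platform located the terminal, computes K = k_business × k_area, compares it with a per-user threshold G that can vary by time of day, and produces the rows that would be retained for the compliance archive. The service catalogue, zone table, subnets, weights, thresholds, IMSI and CDR rows are all constructed sample values.

```python
"""Dynamic zone-policy evaluation of business CDRs against a terminal's located area.

Added example (not the patent's code). Service catalogue, zone table, subnets,
weights, thresholds and CDR rows are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed service catalogue: (target IP, target port) -> (business name, weight k)
SERVICES = {
    ("10.10.1.20", 443): ("mobile office OA", 1),
    ("10.10.2.30", 8443): ("5G automatic inspection system", 2),
    ("10.10.3.40", 554): ("5G security system", 3),
}

# Constructed zone table: area weight, security level and the source subnet of the area
ZONES = {
    "office management area": {"k_area": 1, "level": 1, "subnet": "10.20.1.0/24"},
    "production area":        {"k_area": 2, "level": 1, "subnet": "10.20.2.0/24"},
    "R&D area":               {"k_area": 3, "level": 3, "subnet": "10.20.3.0/24"},
}


@dataclass(frozen=True)
class CdrRecord:
    imsi: str
    src_ip: str
    dst_ip: str
    dst_port: int
    occurred_at: datetime


@dataclass(frozen=True)
class Verdict:
    imsi: str
    zone: str
    service: str
    weight: int
    threshold: int
    action: str   # "allow", "remote_disable" or "audit"
    reason: str


def threshold_for(limits, when):
    """Pick the user's threshold G for the hour of `when`.

    `limits` = {"default": G, "windows": [((start_hour, end_hour), G), ...]}, so the
    platform can assign a different threshold at different times, as the text allows.
    """
    for (start, end), g in limits.get("windows", []):
        if start <= when.hour < end:
            return g
    return limits["default"]


def evaluate(record, zone_name, limits):
    """Return the Verdict for one CDR row of a terminal located in `zone_name`."""
    zone = ZONES[zone_name]
    g = threshold_for(limits, record.occurred_at)
    in_zone_subnet = ipaddress.ip_address(record.src_ip) in ipaddress.ip_network(zone["subnet"])

    # Level-3 areas: a source IP that does not belong to the area is always a violation.
    if not in_zone_subnet and zone["level"] == 3:
        return Verdict(record.imsi, zone_name, "-", 0, g, "remote_disable",
                       "source/target IP mismatch is not permitted in a level-3 security area")

    entry = SERVICES.get((record.dst_ip, record.dst_port))
    if entry is None:
        # Target not in the catalogue: it cannot be weighted, so it goes to the audit archive.
        return Verdict(record.imsi, zone_name, "unknown", 0, g, "audit",
                       f"unregistered target {record.dst_ip}:{record.dst_port}")

    service, k_business = entry
    k = k_business * zone["k_area"]        # K = K1 x K100 in the document's notation
    if k > g:
        return Verdict(record.imsi, zone_name, service, k, g, "remote_disable",
                       f"secrecy weight {k} exceeds threshold {g}")
    note = "" if in_zone_subnet else "; source IP outside area subnet, logged for audit"
    return Verdict(record.imsi, zone_name, service, k, g, "allow",
                   f"secrecy weight {k} within threshold {g}" + note)


def audit_rows(verdicts):
    """Flatten verdicts into the rows retained for the compliance archive."""
    return [{"imsi": v.imsi, "zone": v.zone, "service": v.service,
             "K": v.weight, "G": v.threshold, "action": v.action, "reason": v.reason}
            for v in verdicts]


if __name__ == "__main__":
    limits = {"default": 4, "windows": [((8, 18), 6)]}   # constructed: looser G in office hours
    rows = [
        CdrRecord("460001234567890", "10.20.1.7", "10.10.1.20", 443, datetime(2023, 1, 9, 10, 0)),
        CdrRecord("460001234567890", "10.20.3.15", "10.10.3.40", 554, datetime(2023, 1, 9, 20, 0)),
    ]
    verdicts = [evaluate(r, z, limits) for r, z in zip(rows, ["office management area", "R&D area"])]
    for row in audit_rows(verdicts):
        print(row)
```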

This application builds a 5G private network architecture with unified archiving and control: a "user plane collection and analysis device" is deployed at each branch node to collect the user business events and traffic statistics of multiple branch nodes, achieving unified archiving and unified control, which facilitates secure collaboration among the multiple branch nodes of special industries and avoids signaling storms on the 5G user plane.

In the related art, during the user plane PDU session establishment request, repeated uplink classifier insertion operations on the SMF network element and repeated DHCP UE IP address allocation request signaling are triggered, so that the 5G system's signaling capacity is occupied by a DoS attack and the system cannot serve UEs. Compared with the related art, this application not only considers attack determination for requests such as repeated SM context establishment and SM subscription data retrieval during the PDU session request process; it also meets the regional control requirements of special industries by associating with the terminal's location, providing special-industry managers with a specific-area user identification system and business analysis, recording each user's trajectory and business services, supplying basic data for park security audits, and achieving regional user information security supervision based on the 5G confidential private network.

In the related art, when the SMF identifies a network attack by a terminal, it restricts the terminal's use of the target protocol data unit (PDU) session, where the target PDU session carries a target message, i.e. a message that triggers a core network element to launch a network attack against the SMF. With the multi-park wireless private network security protection method provided by this application, a UE cannot send target messages with network attack capability to the core network without limit, so DoS attacks launched by abnormal UEs are defended against and the mobile communication system can serve as many UEs as possible.

In other embodiments of this application, "security capability integration" can also be carried out between the central node and each branch node to build a multi-dimensional security protection system. As shown in FIG. 18, security capability integration can be based on the Chengdu Research Institute's existing "5G control plane security enhancement and encrypted transmission of user plane data" solution: self-developed security-enhanced network elements for the 5G confidential private network and an algorithm encryption server are deployed at the central node and work together with customized security-enhanced subscriber identity modules (Subscriber Identity Module, SIM) on the terminal side to strengthen the security of user primary authentication within the private network.

The multi-park networking and multi-dimensional security protection for special-industry users is illustrated in FIG. 18. The protection system has the following characteristics: local user plane applications are terminated locally, and network protection and auditing are applied to local business data; the central node can control the network security and terminals of each branch node; control plane signaling from the branch nodes is aggregated at the central core network side through the core switch; and the business data and signaling of each node can reach the applications of other nodes after being relayed through the central node. It should be noted that the modules of the central node and branch nodes shown in FIG. 18 have the same functions as the identically named modules in FIG. 2.

Also as shown in FIG. 18, for user data plane encryption and security protection, third-party partner capabilities such as "data VPN encryption", an "intrusion detection system", an "intrusion prevention system (Intrusion Prevention System, IPS)" and a "network security audit system (Network Security Administration, NSA)" can be embedded in the data switches of the UPF and MEC at each node. By identifying and parsing the protocols of the data streams from the data link layer (L2, Data link layer) up to the application layer (L7, Application layer), security threats such as viruses, Trojans, denial of service (Denial of Service, DoS)/distributed denial of service (Distributed Denial of Service, DDoS) and scanning are identified and blocked accurately in real time, with precise blocking driven by a unified security policy configuration, proactively and efficiently protecting the user's network. This application deploys several sets of such equipment, inline or in bypass mode, at the intranet boundary and intranet access points of each branch node (Chengdu, Nanjing), configures different security rule sets on each device's physical interfaces through the centralized intrusion control platform provided by the third party, and inspects conditions such as source IP and destination IP, protecting the intranet of the 5G private network from attack and suppressing malicious intranet traffic, thereby providing an encrypted data tunnel and intrusion protection from the terminal side to the gateway side and building a multi-dimensional security protection system.

The multi-park wireless private network security protection method provided by this application supports at least the following three capabilities: the overall architecture and business flows of the 5G private network with unified archiving and control; signaling flows and abnormal conditions; and user identification and business analysis for specific areas.

For the security of classified areas spanning multiple parks or plants in special industries, it makes user business traceable, analyzable and recordable, and monitors the frequented places, activity trajectories and terminal operating status of users in classified areas. It allows the group network managers of special-industry customers to monitor, dispatch and analyze specific security events, ensuring collaborative security management of multiple terminals across parks and control of sensitive areas.

结合前述内容可知,本申请提供了一种基于用户话单构建安全管控及信令管理架构,又称为基于用户话单构建安全管控及信令管理系统,参见图19所示,该架构包括四层结构:平台层即全球广域网(World Wide Web,WEB)平台、5G日志留存系统、网络层、终端层;其中,网络层包括5G基站和5G核心网;终端层包括5G手机、5G用户端设备(5G CustomerPremise Equipment,CPE)、5G工业模组;该架构平台层至少支持三大功能:区域安全管控、统一归档及异常分析、地图管理以及可视化;基于架构支持的功能,5G日志留存系统实现数据汇聚,包括控制面数据采集和用户面数据采集。该架构可以解决5G专网在特殊领域依然面临的如下高安全问题,包括:缺乏跨多园区或跨厂区间专网的数据与信令安全协同管理、缺乏对跨多园区或跨厂区的特殊敏感区域安全管控。本申请提供的多园区的无线专网安全防护方法,面向特殊行业多园区的安全防护场景,从“基于用户话单构建安全管控及信令管理”、“安全能力整合”等方面,共同构建产业生态及推动行业发展。Combined with the above content, it can be seen that the present application provides a security control and signaling management architecture based on user call records, also known as a security control and signaling management system based on user call records, as shown in Figure 19, the architecture includes a four-layer structure: a platform layer, namely a global wide area network (World Wide Web, WEB) platform, a 5G log retention system, a network layer, and a terminal layer; wherein the network layer includes 5G base stations and 5G core networks; the terminal layer includes 5G mobile phones, 5G customer premises equipment (5G Customer Premise Equipment, CPE), and 5G industrial modules; the platform layer of the architecture supports at least three functions: regional security control, unified archiving and anomaly analysis, map management, and visualization; based on the functions supported by the architecture, the 5G log retention system realizes data aggregation, including control plane data collection and user plane data collection. This architecture can solve the following high security problems that 5G private networks still face in special fields, including: lack of data and signaling security collaborative management of private networks across multiple parks or across factories, and lack of security control of special sensitive areas across multiple parks or across factories. 
The multi-park wireless private network security protection method provided in this application is aimed at the security protection scenarios of multiple parks in special industries. It jointly builds an industrial ecology and promotes industry development from aspects such as "building security control and signaling management based on user call records" and "security capability integration".

本申请提供的多园区的无线专网安全防护方法,还考虑到特殊行业的跨多园区或多厂区的用户数量和人员移动频繁度均比较大,分析并记录用户的常去地、活动轨迹及终端运行状态等,保障园区内涉密区域安全以及数据可追溯。在终端用户入网下,特殊行业用户的集团网络管理人员可针对特定安全事件进行网络监控、调度、分析,保障跨园区多终端的安全协同管理和敏感区域管控。The multi-park wireless private network security protection method provided by this application also takes into account the large number of users and the frequency of personnel movement across multiple parks or multiple factories in special industries. It analyzes and records the user's frequented places, activity tracks, and terminal operation status, etc., to ensure the security of confidential areas within the park and data traceability. With the terminal user access to the network, the group network management personnel of users in special industries can conduct network monitoring, scheduling, and analysis for specific security incidents to ensure the safe collaborative management of multiple terminals across parks and the control of sensitive areas.

本申请提供的多园区的无线专网安全防护方法,将5G接口XDR话单数据分为信令面和数据面两类。其中,本申请针对5G信令面(N1/N2、N4、N8、N11)接口的信令流程交互的数据字段进行归档留存,基于归档留存数据进行用户行为分析、敏感位置信息解析以及终端入网异常离线数据分析。采用“5G专网统一管控框架及业务流”、“信令异常分析”等技术,实现统一归档、统一管控便于特殊行业的多分支节点安全协同,避免5G网络信令风暴威胁风险。此创新点需要保护。The multi-campus wireless private network security protection method provided by this application divides the 5G interface XDR call record data into two categories: signaling plane and data plane. Among them, this application archives and retains the data fields of the signaling process interaction of the 5G signaling plane (N1/N2, N4, N8, N11) interface, and performs user behavior analysis, sensitive location information analysis, and abnormal offline data analysis of terminal network access based on the archived retained data. Adopting technologies such as "5G private network unified management and control framework and business flow" and "signaling anomaly analysis", unified archiving and unified management are realized to facilitate the safe coordination of multi-branch nodes in special industries and avoid the threat risk of 5G network signaling storms. This innovation needs to be protected.

本申请提供的多园区的无线专网安全防护方法,根据5G专网信令流(用户注册、服务建立请求等),对数据合成服务器提供的N1、N2、N8等接口的用户身份字段、数据字段及参数值建立关系型数据库。基于此关系型数据库可衍生进行按照时间维度的数据存储和终端错误分析,进行统一可视化显示。除此之外,可根据UE终端错误类型,进行分析判定联动5G核心网对终端进行黑名单处理操作,保护网络安全。The multi-campus wireless private network security protection method provided in this application establishes a relational database for the user identity fields, data fields and parameter values of the N1, N2, N8 and other interfaces provided by the data synthesis server according to the 5G private network signaling flow (user registration, service establishment request, etc.). Based on this relational database, data storage and terminal error analysis according to the time dimension can be derived for unified visual display. In addition, according to the UE terminal error type, analysis and judgment can be made to link the 5G core network to perform blacklist processing operations on the terminal to protect network security.

本申请提供的多园区的无线专网安全防护方法,基于采集“5G核心网的控制面数据、用户面数据”、“5G基站的定位测量基础数据”,采用“定位解算平台”和“用户业务分析”技术,为特殊行业用户提供特定区域的用户识别和业务分析。The multi-campus wireless private network security protection method provided in this application is based on the collection of "control plane data and user plane data of the 5G core network" and "basic positioning measurement data of 5G base stations", and adopts "positioning solution platform" and "user business analysis" technologies to provide user identification and business analysis in specific areas for users in special industries.

由上述内容可知,本申请提供的多园区的无线专网安全防护方法,面向特殊行业,针对不同岗位的工作内容和性质,有权限接触到的信息也各不相同,重点涉密信息同时需针对不同密级员工进行保密工作。很多特殊行业用户将园区分为:“生产区”、“办公管理区”、“研发区”等,每个区域涉密等级不同与不同密级员工等级适配;为了避免有意或无意进入与员工不匹配的涉密区域,也避免核心资料泄露风险。本申请侧重研究5G终端用户区域性定位,为特殊行业管理人员提供特定区域用户识别系统及业务分析识别,同时记录每个用户轨迹以及业务服务,为园区安全审计提供基础数据支撑,实现基于5G保密专网的区域用户信息安全监管。From the above content, it can be seen that the multi-park wireless private network security protection method provided by this application is aimed at special industries. The work content and nature of different positions have different permissions to access different information, and key confidential information also needs to be kept confidential for employees with different confidentiality levels. Many users in special industries divide the park into: "production area", "office management area", "R&D area", etc. The confidentiality level of each area is different and adapted to the different confidentiality levels of employees; in order to avoid intentional or unintentional entry into confidential areas that do not match the employees, and to avoid the risk of core data leakage. This application focuses on the regional positioning of 5G terminal users, providing special industry managers with a specific area user identification system and business analysis and identification, while recording each user's trajectory and business services, providing basic data support for park security audits, and realizing regional user information security supervision based on 5G confidential private networks.

An embodiment of the present application provides a gateway device which can be used in the multi-campus wireless private network security protection method provided by the embodiment corresponding to FIG. 1. As shown in FIG. 20, the multi-campus wireless private network security protection apparatus 900 includes:

an acquisition module 901, configured to obtain the full user call record data of the signaling procedure interactions of multiple branch nodes on the wireless private network signaling plane interfaces, the multiple branch nodes corresponding to different campuses or factory sites;

a processing module 902, configured to perform coordinated security management of the multiple branch nodes based on the full user call record data and generate wireless private network security protection information.

In some embodiments, the acquisition module 901 is configured to receive the user plane data that the user plane collection and parsing device deployed locally (sunk) at each branch node reports, for the signaling procedure, to the data synthesis server of the central node;

the processing module 902 is configured to parse the control plane data of each branch node through the control plane parsing device of the central node to generate control plane user call records;

the processing module 902 is configured to associate the control plane user call records with the user plane data through the data synthesis server to obtain the full user call record data.

In some embodiments, the processing module 902 is configured to archive the full user call record data in a unified manner to generate a relational database, and to generate the wireless private network security protection information based on the relational database.

In some embodiments, the processing module 902 is configured to perform, based on the relational database, at least one of the following security protection analyses: user behavior analysis, sensitive area location information analysis, and offline analysis of terminal network-access anomalies, to obtain the wireless private network security protection information.

In some embodiments, the wireless private network security protection information includes terminal error analysis information obtained from the offline analysis of terminal network-access anomalies; the error types in the terminal error analysis information include user registration and authentication errors, and service request and establishment errors.

In some embodiments, the processing module 902 is configured to have the core network of the wireless private network perform the corresponding security protection management operation on a terminal based on the terminal error type.

In some embodiments, the full user call record data includes terminal-side radio signal association parameters measured by at least two base stations of the wireless private network and/or reported by the terminal under test in a specific area; the processing module is configured to establish, based on the radio signal association parameters, an association relationship between the terminal under test and the at least two base stations, and to identify the position of the terminal under test in the specific area based on the association relationship; the wireless private network security protection information includes the position of the terminal under test in the specific area.

In some embodiments, the processing module 902 is configured to obtain, based on the radio signal association parameters, the time difference between each pair of the at least two base stations in receiving the uplink sounding reference signal of the terminal under test;

the acquisition module 901 is configured to obtain the corresponding time at which the signal of the terminal under test arrives at each base station of each pair; the association relationship includes the time difference and the corresponding arrival time at each base station of each pair;

the processing module 902 is configured to determine the position of the terminal under test based on the time difference, the corresponding arrival time at each base station of each pair, the position of each base station and the speed of light.

In some embodiments, the full user call record data further includes service call record data, and the processing module is configured to evaluate the application service permissions of users in the specific area based on the position of the terminal under test and the service call record data, and generate an evaluation result.

It should be noted that, for steps and content in this embodiment that are the same as in other embodiments, reference may be made to the description in those embodiments, which is not repeated here.

An embodiment of the present application provides a central node of a wireless private network. The central node 1000 can be used in the multi-campus wireless private network security protection method provided by the embodiment corresponding to FIG. 1. As shown in FIG. 21, the central node of the wireless private network includes a processor 1001, a memory 1002 and a communication bus 1003, where the communication bus 1003 implements the communication connection between the processor 1001 and the memory 1002;

the processor 1001 is configured to execute the cloud service access program stored in the memory 1002 to implement the following steps:

obtaining the full user call record data of the signaling procedure interactions of multiple branch nodes on the wireless private network signaling plane interfaces, the multiple branch nodes corresponding to different campuses or factory sites;

performing coordinated security management of the multiple branch nodes based on the full user call record data to generate wireless private network security protection information.

In some embodiments, the processor 1001 executes the cloud service access program stored in the memory 1002 to implement the following steps: receiving the user plane data that the user plane collection and parsing device deployed locally (sunk) at each branch node reports, for the signaling procedure, to the data synthesis server of the central node; parsing the control plane data of each branch node through the control plane parsing device of the central node to generate control plane user call records; and associating the control plane user call records with the user plane data through the data synthesis server to obtain the full user call record data.

In some embodiments, the processor 1001 executes the cloud service access program stored in the memory 1002 to implement the following steps: archiving the full user call record data in a unified manner to generate a relational database; and generating the wireless private network security protection information based on the relational database.

In some embodiments, the processor 1001 executes the cloud service access program stored in the memory 1002 to implement the following step: performing, based on the relational database, at least one of user behavior analysis, sensitive area location information analysis and offline analysis of terminal network-access anomalies, to obtain the wireless private network security protection information.

In some embodiments, the wireless private network security protection information includes terminal error analysis information obtained from the offline analysis of terminal network-access anomalies; the error types in the terminal error analysis information include user registration and authentication errors, and service request and establishment errors.

In some embodiments, the processor 1001 executes the cloud service access program stored in the memory 1002 to implement the following step: having the core network of the wireless private network perform the corresponding security protection management operation on a terminal based on the terminal error type.

In some embodiments, the full user call record data includes terminal-side radio signal association parameters measured by at least two base stations of the wireless private network and/or reported by the terminal under test in a specific area, and the processor 1001 executes the cloud service access program stored in the memory 1002 to implement the following steps:

establishing, based on the radio signal association parameters, an association relationship between the terminal under test and the at least two base stations;

identifying, based on the association relationship, the position of the terminal under test in the specific area; the wireless private network security protection information includes the position of the terminal under test in the specific area.

In some embodiments, the processor 1001 executes the cloud service access program stored in the memory 1002 to implement the following steps: obtaining, based on the radio signal association parameters, the time difference between each pair of the at least two base stations in receiving the uplink sounding reference signal of the terminal under test;

obtaining the corresponding time at which the signal of the terminal under test arrives at each base station of each pair; the association relationship includes the time difference and the corresponding arrival time at each base station of each pair;

determining the position of the terminal under test based on the time difference, the corresponding arrival time at each base station of each pair, the position of each base station and the speed of light.

In some embodiments, the full user call record data further includes service call record data, and the processor 1001 executes the cloud service access program stored in the memory 1002 to implement the following step: evaluating the application service permissions of users in the specific area based on the position of the terminal under test and the service call record data, and generating an evaluation result.

It should be noted that, for steps and content in this embodiment that are the same as in other embodiments, reference may be made to the description in those embodiments, which is not repeated here.

An embodiment of the present application provides a computer storage medium storing one or more programs, which can be executed by one or more processors to implement the following steps:

obtaining the full user call record data of the signaling procedure interactions of multiple branch nodes on the wireless private network signaling plane interfaces, the multiple branch nodes corresponding to different campuses or factory sites;

performing coordinated security management of the multiple branch nodes based on the full user call record data to generate wireless private network security protection information.

In some embodiments, the one or more programs can be executed by one or more processors to implement the following steps: receiving the user plane data that the user plane collection and parsing device deployed locally (sunk) at each branch node reports, for the signaling procedure, to the data synthesis server of the central node; parsing the control plane data of each branch node through the control plane parsing device of the central node to generate control plane user call records; and associating the control plane user call records with the user plane data through the data synthesis server to obtain the full user call record data.

In some embodiments, the one or more programs can be executed by one or more processors to implement the following steps: archiving the full user call record data in a unified manner to generate a relational database;

generating the wireless private network security protection information based on the relational database.

In some embodiments, the one or more programs can be executed by one or more processors to implement the following step: performing, based on the relational database, at least one of user behavior analysis, sensitive area location information analysis and offline analysis of terminal network-access anomalies, to obtain the wireless private network security protection information.

In some embodiments, the wireless private network security protection information includes terminal error analysis information obtained from the offline analysis of terminal network-access anomalies; the error types in the terminal error analysis information include user registration and authentication errors, and service request and establishment errors.

In some embodiments, the one or more programs can be executed by one or more processors to implement the following step: having the core network of the wireless private network perform the corresponding security protection management operation on a terminal based on the terminal error type.
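The unified archiving and terminal error analysis steps described here (and identically in the method, gateway device and central node embodiments above), as an added illustration that is not the patent's own code: control plane XDRs and user plane records from two branch nodes are loaded into a relational (SQLite) database, associated into full user call records, and the error types the description names (registration/authentication errors, service request/establishment errors) are counted per terminal. The field names, sample records and the flagging threshold are constructed assumptions.

```python
import sqlite3
from collections import defaultdict

# Constructed sample data (not from the patent). Control-plane signaling XDRs
# from two branch nodes, as produced by the central node's control-plane parser.
# Field names are an assumption; a real N1/N2/N8/N11 XDR carries many more.
CP_XDRS = [
    # (terminal_id, branch, interface, procedure, result, ts)
    ("T001", "chengdu", "N1/N2", "registration", "success", 100),
    ("T001", "chengdu", "N11", "pdu_session_establishment", "success", 105),
    ("T002", "nanjing", "N1/N2", "registration", "auth_failure", 110),
    ("T002", "nanjing", "N8", "authentication", "auth_failure", 111),
    ("T002", "nanjing", "N1/N2", "registration", "auth_failure", 130),
    ("T003", "chengdu", "N1/N2", "service_request", "reject", 140),
    ("T003", "chengdu", "N11", "pdu_session_establishment", "reject", 141),
    ("T004", "nanjing", "N1/N2", "registration", "success", 150),
]

# Constructed user-plane records reported by each branch node's locally deployed
# user-plane collector to the central data synthesis server.
UP_XDRS = [
    # (terminal_id, branch, service, bytes, ts)
    ("T001", "chengdu", "mes.internal", 20480, 106),
    ("T001", "chengdu", "erp.internal", 4096, 120),
    ("T004", "nanjing", "scada.internal", 512, 151),
]

# Error taxonomy from the description: registration/authentication errors and
# service request/establishment errors.
ERROR_TYPES = {
    ("registration", "auth_failure"): "registration_auth_error",
    ("authentication", "auth_failure"): "registration_auth_error",
    ("service_request", "reject"): "service_setup_error",
    ("pdu_session_establishment", "reject"): "service_setup_error",
}


def build_archive(cp_xdrs, up_xdrs):
    """Unified archiving: load both planes into a relational (SQLite) database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cp_xdr(terminal_id TEXT, branch TEXT, interface TEXT,
                            procedure TEXT, result TEXT, ts INTEGER);
        CREATE TABLE up_xdr(terminal_id TEXT, branch TEXT, service TEXT,
                            bytes INTEGER, ts INTEGER);
    """)
    conn.executemany("INSERT INTO cp_xdr VALUES (?,?,?,?,?,?)", cp_xdrs)
    conn.executemany("INSERT INTO up_xdr VALUES (?,?,?,?,?)", up_xdrs)
    return conn


def full_call_records(conn):
    """Associate user-plane data with the control-plane call record of the same
    terminal: each user-plane record is attached to that terminal's most recent
    successful PDU session establishment on the same branch."""
    rows = conn.execute("""
        SELECT u.terminal_id, u.branch, u.service, u.bytes, u.ts, c.ts
        FROM up_xdr u JOIN cp_xdr c
          ON c.terminal_id = u.terminal_id AND c.branch = u.branch
         AND c.procedure = 'pdu_session_establishment' AND c.result = 'success'
        WHERE c.ts = (SELECT MAX(c2.ts) FROM cp_xdr c2
                      WHERE c2.terminal_id = u.terminal_id AND c2.branch = u.branch
                        AND c2.procedure = 'pdu_session_establishment'
                        AND c2.result = 'success' AND c2.ts <= u.ts)
        ORDER BY u.ts
    """).fetchall()
    return [{"terminal_id": t, "branch": b, "service": s, "bytes": n,
             "up_ts": ts, "session_ts": sts} for t, b, s, n, ts, sts in rows]


def unmatched_user_plane(conn):
    """Terminals with user-plane traffic but no successful session on record:
    a gap between the two planes that the analyst should look at."""
    rows = conn.execute("""
        SELECT DISTINCT u.terminal_id FROM up_xdr u
        WHERE NOT EXISTS (SELECT 1 FROM cp_xdr c
                          WHERE c.terminal_id = u.terminal_id
                            AND c.procedure = 'pdu_session_establishment'
                            AND c.result = 'success' AND c.ts <= u.ts)
        ORDER BY u.terminal_id
    """).fetchall()
    return [r[0] for r in rows]


def terminal_error_report(conn):
    """Terminal error analysis: count errors per (terminal, branch) and type."""
    report = defaultdict(lambda: defaultdict(int))
    for tid, branch, proc, result in conn.execute(
            "SELECT terminal_id, branch, procedure, result FROM cp_xdr"):
        etype = ERROR_TYPES.get((proc, result))
        if etype:
            report[(tid, branch)][etype] += 1
    return {k: dict(v) for k, v in report.items()}


def flag_terminals(report, threshold=2):
    """Terminals whose count for one error type reaches the threshold become
    candidates for the core network's protective action (e.g. blacklisting).
    The threshold is an assumption; the patent does not specify one."""
    return sorted(tid for (tid, _), counts in report.items()
                  if max(counts.values()) >= threshold)
```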

In some embodiments, the full user call record data includes terminal-side radio signal association parameters measured by at least two base stations of the wireless private network and/or reported by the terminal under test in a specific area; the one or more programs can be executed by one or more processors to implement the following steps: establishing, based on the radio signal association parameters, an association relationship between the terminal under test and the at least two base stations; identifying, based on the association relationship, the position of the terminal under test in the specific area; the wireless private network security protection information includes the position of the terminal under test in the specific area.

In some embodiments, the one or more programs can be executed by one or more processors to implement the following steps: obtaining, based on the radio signal association parameters, the time difference between each pair of the at least two base stations in receiving the uplink sounding reference signal of the terminal under test;

obtaining the corresponding time at which the signal of the terminal under test arrives at each base station of each pair; the association relationship includes the time difference and the corresponding arrival time at each base station of each pair;

determining the position of the terminal under test based on the time difference, the corresponding arrival time at each base station of each pair, the position of each base station and the speed of light.
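The uplink SRS time-difference positioning step described here (repeated across the method, device, central node and storage medium embodiments) together with the zone-based service permission evaluation that follows it, as an added worked example that is not the patent's own code: the gNB coordinates, arrival times, zone boundaries and permitted-service lists are constructed assumptions, and the Gauss-Newton least-squares solver is one standard way of turning range differences into a position.

```python
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed sample geometry (not from the patent): four gNB positions in a
# local east/north metre frame and the arrival time at each gNB of one uplink
# sounding reference signal (SRS) from the terminal under test. The times are
# synthesised from an assumed true position (120, 340) m and an unknown
# transmit instant of 1.0 ms, so the solver can only use time differences.
GNB_POSITIONS = [(0.0, 0.0), (500.0, 0.0), (0.0, 500.0), (500.0, 500.0)]
_TRUE_POS = (120.0, 340.0)
ARRIVAL_TIMES = [1e-3 + math.dist(_TRUE_POS, s) / C for s in GNB_POSITIONS]

# Constructed campus zones and the services each zone's occupants may use; the
# patent only states that permissions differ per zone and confidentiality level.
ZONES = {
    "r_and_d": {"bbox": (0.0, 300.0, 200.0, 500.0),
                "allowed_services": {"mes.internal", "plm.internal"}},
    "office": {"bbox": (200.0, 0.0, 500.0, 500.0),
               "allowed_services": {"erp.internal", "mail.internal", "mes.internal"}},
}


def arrival_time_differences(times):
    """TDOA of every gNB relative to the first (reference) gNB."""
    return [t - times[0] for t in times[1:]]


def _residuals(stations, deltas, x, y):
    """Residuals r_i = (|p-s_i| - |p-s_0|) - c*TDOA_i and their Jacobian rows."""
    dist = [math.hypot(x - sx, y - sy) for sx, sy in stations]
    res, rows = [], []
    for i in range(1, len(stations)):
        res.append((dist[i] - dist[0]) - deltas[i - 1])
        rows.append(((x - stations[i][0]) / dist[i] - (x - stations[0][0]) / dist[0],
                     (y - stations[i][1]) / dist[i] - (y - stations[0][1]) / dist[0]))
    return res, rows


def locate_terminal(stations, times, iterations=50):
    """Estimate the terminal position from uplink SRS arrival times at >= 3 gNBs.

    Each TDOA times the speed of light is a range difference; the position is
    found by Gauss-Newton least squares on those range-difference residuals,
    started at the gNB centroid. Returns (x, y, rms_residual_m): a large RMS
    means the measurements are mutually inconsistent and the fix is unreliable.
    """
    if len(stations) < 3 or len(stations) != len(times):
        raise ValueError("need arrival times for at least three gNBs")
    deltas = [C * d for d in arrival_time_differences(times)]
    x = sum(s[0] for s in stations) / len(stations)
    y = sum(s[1] for s in stations) / len(stations)
    for _ in range(iterations):
        res, rows = _residuals(stations, deltas, x, y)
        # Normal equations (J^T J) dp = -J^T r, solved in closed form for 2x2.
        a = sum(jx * jx for jx, _ in rows)
        b = sum(jx * jy for jx, jy in rows)
        d = sum(jy * jy for _, jy in rows)
        gx = -sum(jx * r for (jx, _), r in zip(rows, res))
        gy = -sum(jy * r for (_, jy), r in zip(rows, res))
        det = a * d - b * b
        if abs(det) < 1e-12:
            break  # degenerate geometry, e.g. collinear gNBs
        dx, dy = (d * gx - b * gy) / det, (a * gy - b * gx) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-6:
            break
    res, _ = _residuals(stations, deltas, x, y)
    return x, y, math.sqrt(sum(r * r for r in res) / len(res))


def zone_of(x, y, zones=ZONES):
    """Name of the zone whose bounding box contains (x, y), or None."""
    for name, z in zones.items():
        x0, y0, x1, y1 = z["bbox"]
        if x0 <= x <= x1 and y0 <= y <= y1:
            return name
    return None


def evaluate_service(stations, times, service, zones=ZONES, max_rms=5.0):
    """Combine the location fix with the service call record: is this service
    permitted where the terminal actually is? Returns (zone, verdict)."""
    x, y, rms = locate_terminal(stations, times)
    if rms > max_rms:
        return None, "unreliable_fix"
    zone = zone_of(x, y, zones)
    if zone is None:
        return None, "outside_known_zones"
    allowed = service in zones[zone]["allowed_services"]
    return zone, "permitted" if allowed else "violation"
```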

In some embodiments, the full user call record data further includes service call record data, and the one or more programs can be executed by one or more processors to implement the following step:

evaluating the application service permissions of users in the specific area based on the position of the terminal under test and the service call record data, and generating an evaluation result.

It should be noted that, for steps and content in this embodiment that are the same as in other embodiments, reference may be made to the description in those embodiments, which is not repeated here.

It should be noted that the above computer storage medium/memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, a compact disc read-only memory (CD-ROM) or another memory; it may also be any terminal that includes one or any combination of the above memories, such as a mobile phone, a computer, a tablet device or a personal digital assistant.

In the several embodiments provided in the present application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are only illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.

The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units, and some or all of the units may be selected according to actual needs to achieve the purpose of the present embodiment.

In addition, the functional units in the embodiments of the present application may all be integrated into one processing module, or each unit may exist separately, or two or more units may be integrated into one unit; the integrated unit may be implemented in hardware, or in hardware plus software functional units. A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware driven by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes removable storage devices, read-only memory (ROM), random access memory (RAM), magnetic disks, optical discs and other media that can store program code.

The methods disclosed in the several method embodiments provided in the present application may be combined arbitrarily, where no conflict arises, to obtain new method embodiments.

The features disclosed in the several product embodiments provided in the present application may be combined arbitrarily, where no conflict arises, to obtain new product embodiments.

The features disclosed in the several method or device embodiments provided in the present application may be combined arbitrarily, where no conflict arises, to obtain new method or device embodiments.

The above are only specific implementations of the present application, and the scope of protection of the present application is not limited to them; any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed by the present application, and these shall all fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be that of the claims.

Claims (11)

1. A multi-campus wireless private network security protection method, characterized in that it is applied to a central node of the wireless private network and comprises:
   obtaining full user call record data of the signaling procedure interactions of multiple branch nodes on the signaling plane interfaces of the wireless private network, wherein the multiple branch nodes correspond to different campuses or plant areas;
   performing collaborative security management of the multiple branch nodes based on the full user call record data to generate wireless private network security protection information.

2. The method according to claim 1, characterized in that obtaining the full user call record data of the signaling procedure interactions of the multiple branch nodes on the signaling plane interfaces of the wireless private network comprises:
   receiving the user plane data that the user plane collection and parsing device deployed locally (in a "sunk" deployment) at each branch node reports, for the signaling procedure, to the data synthesis server of the central node;
   parsing the control plane data of each branch node by the control plane parsing device of the central node to generate control plane user call records;
   correlating the control plane user call records with the user plane data by the data synthesis server to obtain the full user call record data.

3. The method according to claim 1 or 2, characterized in that performing collaborative security management of the multiple branch nodes based on the full user call record data to generate wireless private network security protection information comprises:
   archiving the full user call record data in a unified manner to generate a relational database;
   generating the wireless private network security protection information based on the relational database.

4. The method according to claim 3, characterized in that generating the wireless private network security protection information based on the relational database comprises:
   performing, based on the relational database, at least one of user behaviour analysis, sensitive area location information analysis and analysis of abnormal offline data of terminal network access, to obtain the wireless private network security protection information.

5. The method according to claim 4, characterized in that the wireless private network security protection information comprises terminal error analysis information obtained by analysing the abnormal offline data of terminal network access, wherein the error types in the terminal error analysis information comprise user registration and authentication errors, and service request and establishment abnormality errors.

6. The method according to claim 5, characterized in that the method further comprises:
   performing, by the core network of the wireless private network, a corresponding security protection management operation on a terminal based on the terminal error type.

7. The method according to claim 1 or 2, characterized in that the full user call record data comprises terminal-side radio signal association parameters measured by at least two base stations of the wireless private network and/or reported by a terminal under test in a specific area, and performing collaborative security management of the multiple branch nodes based on the full user call record data to generate wireless private network security protection information comprises:
   establishing an association relationship between the terminal under test and the at least two base stations based on the radio signal association parameters;
   identifying the position of the terminal under test in the specific area based on the association relationship, wherein the wireless private network security protection information comprises the position of the terminal under test in the specific area.

8. The method according to claim 7, characterized in that determining the position of the terminal under test based on the association relationship comprises:
   obtaining, based on the radio signal association parameters, the time difference between the reception of the uplink sounding reference signal of the terminal under test at each pair of base stations among the at least two base stations;
   obtaining the corresponding time at which the signal of the terminal under test arrives at each base station of each pair, wherein the association relationship comprises the time difference and the corresponding time of each base station of each pair;
   determining the position of the terminal under test based on the time difference, the corresponding time of each base station of each pair, the position of each base station and the speed of light.

9. The method according to claim 7 or 8, characterized in that the full user call record data further comprises service call record data, and after identifying the position of the terminal under test in the specific area based on the association relationship, the method further comprises:
   evaluating the application service permissions of users in the specific area based on the position of the terminal under test and the service call record data, to generate an evaluation result.

10. A multi-campus wireless private network security protection device, characterized by comprising:
   an obtaining module, configured to obtain full user call record data of the signaling procedure interactions of multiple branch nodes on the signaling plane interfaces of the wireless private network, wherein the multiple branch nodes correspond to different campuses or plant areas;
   a processing module, configured to perform collaborative security management of the multiple branch nodes based on the full user call record data and to generate wireless private network security protection information.

11. A central node of a wireless private network, characterized by comprising a processor and a memory, the memory being configured to store a computer program and the processor being configured to call and run the computer program stored in the memory to execute the method according to any one of claims 1 to 9.
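Claims 2, 5 and 6 describe the central node joining control-plane call records with the user-plane data reported by each branch node, then classifying terminal access errors across all branches. The following is an added illustration of that pipeline, not code from the patent or its applicant: the record layout, the branch names, the SUPI values and the error-cause strings are all constructed for this example, and the cross-branch threshold is an assumed policy.

```python
"""
Added example (not part of the patent): join control-plane call records with
user-plane records from several branch nodes, then classify terminal access
errors across branches. Every record below is constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed control-plane call records, one per signaling procedure.
CONTROL_PLANE_CDRS = [
    {"branch": "park-A", "supi": "imsi-460001234567001", "procedure": "registration",
     "result": "success", "ts": 100},
    {"branch": "park-A", "supi": "imsi-460001234567001", "procedure": "pdu_session_establishment",
     "result": "success", "ts": 101},
    {"branch": "park-A", "supi": "imsi-460001234567002", "procedure": "registration",
     "result": "failure", "cause": "authentication_failure", "ts": 102},
    {"branch": "park-B", "supi": "imsi-460001234567002", "procedure": "registration",
     "result": "failure", "cause": "authentication_failure", "ts": 103},
    {"branch": "park-B", "supi": "imsi-460001234567003", "procedure": "service_request",
     "result": "failure", "cause": "service_request_rejected", "ts": 104},
    {"branch": "park-B", "supi": "imsi-460001234567003", "procedure": "pdu_session_establishment",
     "result": "failure", "cause": "pdu_session_establishment_failure", "ts": 105},
]

# Constructed user-plane records as reported by the branch collection devices.
USER_PLANE_RECORDS = [
    {"branch": "park-A", "supi": "imsi-460001234567001", "bytes_up": 5_000,
     "bytes_down": 120_000, "app": "mes-client"},
    {"branch": "park-B", "supi": "imsi-460001234567003", "bytes_up": 200,
     "bytes_down": 0, "app": "unknown"},
]

# Map of constructed cause codes onto the two error types named in claim 5.
ERROR_CATEGORY = {
    "authentication_failure": "registration/authentication",
    "registration_rejected": "registration/authentication",
    "service_request_rejected": "service request/establishment",
    "pdu_session_establishment_failure": "service request/establishment",
}


def merge_call_records(cp_cdrs, up_records):
    """Correlate control-plane records with user-plane records on (branch, SUPI)."""
    up_index = {(r["branch"], r["supi"]): r for r in up_records}
    merged = []
    for cdr in cp_cdrs:
        full = dict(cdr)
        up = up_index.get((cdr["branch"], cdr["supi"]))
        # A terminal that never got a session has no user-plane counterpart.
        full["user_plane"] = (
            {k: v for k, v in up.items() if k not in ("branch", "supi")} if up else None
        )
        merged.append(full)
    return merged


def classify_errors(full_cdrs):
    """Per-terminal count of each error category, pooled over all branch nodes."""
    per_terminal = defaultdict(Counter)
    for rec in full_cdrs:
        if rec["result"] != "failure":
            continue
        category = ERROR_CATEGORY.get(rec.get("cause"), "other")
        per_terminal[rec["supi"]][category] += 1
    return per_terminal


def flag_terminals(error_counts, threshold=2):
    """Terminals whose failures in one category reach the (assumed) threshold.

    Because counts are pooled centrally, a terminal failing once at park-A and
    once at park-B is flagged even though neither branch alone would see it.
    """
    flagged = {}
    for supi, counts in error_counts.items():
        for category, n in counts.items():
            if n >= threshold:
                flagged[supi] = category
    return flagged


if __name__ == "__main__":
    full = merge_call_records(CONTROL_PLANE_CDRS, USER_PLANE_RECORDS)
    for supi, category in flag_terminals(classify_errors(full)).items():
        print(f"{supi}: repeated {category} errors, hand to core network for handling")
```

The flagged terminals are what claim 6 would hand to the core network for the corresponding management operation; the example only reports them, since the patent does not specify the operation.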
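Claims 7 to 9 locate a terminal from the time difference of arrival of its uplink sounding reference signal at two or more base stations, then evaluate the application service permissions of users in a sensitive area. The following worked example is added here and is not the patent's own code: it solves the TDOA equations by Gauss-Newton least squares (the patent names the inputs but not the solver), and the base-station coordinates, the terminal position, the zone polygon, the allowed-application set and the arrival times are all constructed.

```python
"""
Added example (not part of the patent): estimate a terminal's position from the
TDOA of its uplink SRS at several base stations, then check the position against
a sensitive zone. Coordinates are metres in a local planar frame; all values
are constructed for illustration.
"""
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed base-station positions (x, y) in metres.
BASE_STATIONS = {
    "gNB-A": (0.0, 0.0),
    "gNB-B": (800.0, 0.0),
    "gNB-C": (0.0, 600.0),
    "gNB-D": (800.0, 600.0),
}

# Constructed sensitive zone (polygon) in which only the MES client may be used.
SENSITIVE_ZONE = [(200.0, 100.0), (500.0, 100.0), (500.0, 350.0), (200.0, 350.0)]
ALLOWED_IN_ZONE = {"mes-client"}


def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def simulate_arrivals(terminal, stations, t_tx=0.0):
    """Constructed measurement: instant at which the terminal's SRS reaches each gNB."""
    return {name: t_tx + distance(terminal, pos) / C for name, pos in stations.items()}


def time_differences(arrivals, reference):
    """TDOA of every other gNB relative to the reference gNB (claim 8, first step)."""
    return {n: t - arrivals[reference] for n, t in arrivals.items() if n != reference}


def _residuals(x, y, stations, tdoas, reference):
    """Range-difference residuals (|p - s_i| - |p - s_ref|) - c * tdoa_i."""
    d_ref = distance((x, y), stations[reference])
    return [(distance((x, y), stations[n]) - d_ref) - C * tau for n, tau in tdoas.items()]


def locate_terminal(stations, tdoas, reference, max_iter=100, tol=1e-6):
    """Gauss-Newton least squares with backtracking, started at the station centroid."""
    ref = stations[reference]
    x = sum(s[0] for s in stations.values()) / len(stations)
    y = sum(s[1] for s in stations.values()) / len(stations)
    for _ in range(max_iter):
        res = _residuals(x, y, stations, tdoas, reference)
        d_ref = distance((x, y), ref)
        a = b = d = 0.0   # entries of the symmetric 2x2 matrix J^T J
        g0 = g1 = 0.0     # entries of the gradient J^T r
        for r, name in zip(res, tdoas):
            s = stations[name]
            d_i = distance((x, y), s)
            jx = (x - s[0]) / d_i - (x - ref[0]) / d_ref
            jy = (y - s[1]) / d_i - (y - ref[1]) / d_ref
            a += jx * jx; b += jx * jy; d += jy * jy
            g0 += jx * r; g1 += jy * r
        det = a * d - b * b
        if abs(det) < 1e-12:
            break  # degenerate geometry, e.g. stations collinear with the estimate
        dx = (d * g0 - b * g1) / det
        dy = (a * g1 - b * g0) / det
        cost, step = sum(r * r for r in res), 1.0
        while step > 1e-4:  # backtrack so a step never increases the squared error
            nx, ny = x - step * dx, y - step * dy
            if sum(r * r for r in _residuals(nx, ny, stations, tdoas, reference)) < cost:
                break
            step /= 2
        x, y = nx, ny
        if math.hypot(dx, dy) * step < tol:
            break
    return (x, y)


def point_in_polygon(point, polygon):
    """Ray-casting point-in-polygon test; polygon is a list of (x, y) vertices."""
    x, y = point
    inside = False
    for i in range(len(polygon)):
        x1, y1 = polygon[i]
        x2, y2 = polygon[(i + 1) % len(polygon)]
        if (y1 > y) != (y2 > y):
            if x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
                inside = not inside
    return inside


def evaluate_service_permission(position, app, zone=SENSITIVE_ZONE, allowed=ALLOWED_IN_ZONE):
    """Claim 9: combine the located position with the application seen in the service record."""
    if point_in_polygon(position, zone):
        return "permitted" if app in allowed else "violation"
    return "outside_zone"


if __name__ == "__main__":
    true_pos = (300.0, 200.0)  # constructed ground truth, unknown to the locator
    tdoas = time_differences(simulate_arrivals(true_pos, BASE_STATIONS), "gNB-A")
    est = locate_terminal(BASE_STATIONS, tdoas, "gNB-A")
    print("estimated position:", est)
    print("mes-client in zone:", evaluate_service_permission(est, "mes-client"))
    print("unknown app in zone:", evaluate_service_permission(est, "unknown"))
```

With four base stations there are three independent time differences for two unknowns, so the solver is overdetermined and tolerates small timing noise; with only two base stations the TDOA fixes a single hyperbola and a position cannot be determined, which is why the claim requires at least two and the example uses more.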
CN202211528805.4A 2022-11-30 2022-11-30 Multi-park wireless private network safety protection method and device and central node Pending CN118118907A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211528805.4A CN118118907A (en) 2022-11-30 2022-11-30 Multi-park wireless private network safety protection method and device and central node

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211528805.4A CN118118907A (en) 2022-11-30 2022-11-30 Multi-park wireless private network safety protection method and device and central node

Publications (1)

Publication Number Publication Date
CN118118907A true CN118118907A (en) 2024-05-31

Family

ID=91214611

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211528805.4A Pending CN118118907A (en) 2022-11-30 2022-11-30 Multi-park wireless private network safety protection method and device and central node

Country Status (1)

Country Link
CN (1) CN118118907A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119729491A (en) * 2025-02-25 2025-03-28 南京烽火星空通信发展有限公司 Signaling abstract generating method based on N11 and N16 interfaces of 5G core network
CN120104851A (en) * 2025-05-09 2025-06-06 浙江业视数智科技有限公司 A big data visualization processing method and system for smart radio and television projects

Similar Documents

Publication Publication Date Title
US11516239B2 (en) System, device, and method of adaptive network protection for managed internet-of-things services
US11751056B2 (en) Methods, systems, and computer readable media for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns
CN105933279B (en) system, method, apparatus, and machine-readable medium for enterprise wireless calling
CN113206814B (en) Network event processing method and device and readable storage medium
US20250031129A1 (en) SIM Whitelisting and Multi-Operator Core Networks
CN112219381A (en) Method for data analysis-based message filtering in edge nodes
US11337064B2 (en) Systems and methods for enhanced authentication techniques using network-implemented location determination
EP4055896A1 (en) Methods and apparatuses for managing compromised communication devices in a communication network
US12126658B2 (en) Security enforcement and assurance utilizing policy control framework and security enhancement of analytics function in communication network
CN118118907A (en) Multi-park wireless private network safety protection method and device and central node
US20220368521A1 (en) Systems and methods for blockchain-based secure key exchange
KR20150067037A (en) The methods and apparatuses of optimization for criteria of subscription in M2M Systems
Farsund et al. LTE for military communication—Business models and vulnerabilities
Guezguez et al. Observation-based detection of femtocell attacks in wireless mobile networks
CN116471590A (en) Terminal access method, device and authentication service function network element
Pejanović-Djurišić et al. 5g security landscape: Concept and remaining challenges
de Carvalho Macedo et al. Attacks to mobile networks using SS7 vulnerabilities: a real traffic analysis
KR20150014348A (en) The Method and system for providing customized M2M service by using personal device information
US20250119746A1 (en) Global mobile communication event ids for improved network and security operations
Gonçalves A flexible framework for rogue access point detection
US20220368524A1 (en) Systems and methods for blockchain-based secure key exchange with key escrow fallback
Ozhelvaci et al. Security for Handover and D2D Communication in 5G HetNets
Shaik Towards secure 4G and 5G access network protocols
Lopez Giron Analysis of Machine Learning Techniques to Secure 5G Networks
Ozhelvaci Secure and efficient authentication schemes for 5G heterogeneous networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination