Analytical methods, devices, systems, and readable storage media

By integrating an intrusion detection module and a security management platform into the virtualization function of 5G networks, and combining them with SDN controllers and security devices, the problem of difficult detection of security risks in virtualized network elements is solved, achieving the effect of rapid identification and protection against network security threats.

CN115967509BActive Publication Date: 2026-07-10CHINA MOBILE COMM LTD RES INST +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA MOBILE COMM LTD RES INST
Filing Date
2021-10-12
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

In existing technologies, the security risks of virtualized network elements within the resource pool of 5G networks are difficult to detect and protect against in a timely manner by boundary devices, leading to the horizontal expansion of security threats and a lack of means to detect abnormal behavior of network elements.

Method used

By embedding an intrusion detection module within the virtualized network functions, combined with the first network function and security management platform, intrusion behavior can be detected and analyzed, analysis results can be generated, and response strategies can be executed through the SDN controller and security devices.

Benefits of technology

It enables intrinsic security detection of 5G networks, quickly identifies security risks of network elements, and protects the network from attacks in a timely manner, thereby improving the network's security and protection capabilities.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115967509B_ABST
    Figure CN115967509B_ABST
Patent Text Reader

Abstract

The embodiment of the application provides an analysis method, device, system and readable storage medium, the analysis system comprises: a virtualized network function, a first network function and a security management platform, wherein the virtualized network function detects an intrusion behavior, and the virtualized network function reports the intrusion behavior to the first network function; the first network function analyzes the intrusion behavior reported by the virtualized network function to obtain an analysis result; and the first network function sends the analysis result to the security management platform.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of communication technology, specifically to an analysis method, apparatus, system, and readable storage medium. Background Technology

[0002] To meet the network demands of 5G and the Internet of Things (IoT), operators are using technologies such as Network Functions Virtualization (NFV), Software Defined Networking (SDN), and cloud computing to virtualize, cloudify, and SDN their networks. 5G, with its service-oriented architecture and support for slicing and edge computing, is better suited for virtualization and cloudification, enabling rapid and flexible deployment and reducing operational inefficiencies. Currently, operators are undertaking network cloudification transformation projects. Control plane network elements of the 5G Standalone (SA) core network (such as Network Exposure Function (NEF), Access and Mobility Management Function (AMF), Session Management Function (SMF), and Network Data Analytics Function (NWDAF)) have already been deployed using NFV and can be flexibly scaled up or down according to service needs. The deployment diagram of the 5G SA core network control plane elements is as follows: Figure 1 As shown.

[0003] In this architecture, the control plane network elements of 5G SA are deployed on virtual machines. Currently, resource pools deploying 5G core networks (5GC) typically use firewalls, intrusion prevention systems (IPS), web application protection systems (WAF), and distributed denial-of-service (DDoS) detection and mitigation devices at the perimeter for security protection. These security devices can provide relatively good protection against common malicious traffic and malicious code attacks from the Internet. However, because traffic between virtualized network functions within the 5GC in the resource pool may interact on virtual switches (vswitch) on the same host machine, it will not flow through the firewalls or WAFs on the core switches or SDN gateways connected in the resource pool, or the firewalls connected in series on the Internet egress router. In other words, it is difficult for perimeter devices to detect and take security measures against the security risks of 5GC network elements within the resource pool.

[0004] Because 5G carries the business of vertical industries such as the Internet of Things and the Industrial Internet, its value and importance also make 5G a key target for attackers. Once attacked, the impact is very large, so 5G security protection should be strengthened.

[0005] While the 3rd Generation Partnership Project (3GPP) 5G security technical standards and security assurance requirements specify the security functions and configurations that 5G network elements must possess, they lack detection methods for abnormal processes, files, and accounts inherent in the network elements themselves. Boundary security devices also cannot detect these abnormalities in a timely manner, leading to the east-west horizontal expansion of security risks. Furthermore, the relevant technologies provide detailed definitions of the services offered by the first network function, and their framework is as follows: Figure 2 As shown, Policy Control Function (PCF), AMF, etc., can be users of NWDAF analysis data, and can obtain NWDAF analysis results through subscription / notification or query methods.

[0006] The currently defined event types include:

[0007] 1) Load level of network slice instances;

[0008] 2) Service experience of applications or network slices;

[0009] 3) NF load analysis information for specific network functions (NFs) or NF lists;

[0010] 4) Pay attention to the network performance of the area;

[0011] 5) Expected behavior information for UE groups or specific UEs;

[0012] 6) Abnormal behavior information of UE groups or specific UEs;

[0013] 7) Mobility-related information for UE groups or specific UEs;

[0014] 8) Communication mode of UE group or specific UE;

[0015] 9) Congestion information for user data at specific locations

[0016] 10) Quality of Service (QoS) Sustainability

[0017] As can be seen from the event types above, NWDAF now has security-related analysis functions, but these focus on abnormal behavior of UE groups or specific UEs, as well as expected behavior information for UE groups or specific UEs. The standard defines 10 types of abnormal terminal behaviors: abnormal UE location, abnormal long-connection flow, abnormal high-rate flow, abnormal wake-up, potential DDoS attack, incorrect target address, excessively frequent service access, abnormal traffic volume, radio link failure, and cross-neighbor cell ping-pong. These anomalies observe and analyze terminal behavior from a network perspective to assess the terminal's health status, but they do not include the detection and analysis of the security status of network elements. Summary of the Invention

[0018] This application provides an analysis method, apparatus, system, and readable storage medium to address the problem of how to detect and analyze the security status of network elements.

[0019] In a first aspect, an analysis system is provided, comprising: a virtualized network function, a first network function, and a security management platform, wherein the virtualized network function detects intrusion behavior and reports the intrusion behavior to the first network function; the first network function analyzes the intrusion behavior reported by the virtualized network function to obtain analysis results; and the first network function sends the analysis results to the security management platform.

[0020] Optionally, the analysis system further includes: an OMC, wherein the virtualized network function reports the intrusion behavior to the OMC, and the OMC sends the intrusion behavior reported by multiple virtualized network functions to the first network function.

[0021] Optionally, the first network function subscribes to the intrusion behavior reported by the virtualized network function; or, the first network function subscribes to the intrusion behavior reported by multiple virtualized network functions from the OMC.

[0022] Optionally, the security management platform subscribes to the analysis results from the first network function.

[0023] Optionally, the analysis system further includes: an SDN controller and / or a security device;

[0024] The security management platform obtains security events and / or security logs from security devices. Based on the analysis results and the security events and / or security logs, the security management platform analyzes security threats. The security management platform sends the handling strategy for the security threats to the SDN controller and / or security devices. The SDN controller converts the handling strategy into a security flow table and sends it to the switch. The switch blocks or forwards traffic to the security devices. The security devices process the received traffic according to the handling strategy.

[0025] Optionally, the security management platform sends the security threat handling strategy to the SDN controller, including:

[0026] The security management platform directly calls or calls the northbound interface of the SDN controller through NFVO and VIM to send the security threat handling strategy to the SDN controller.

[0027] Optionally, the first network function sends the analysis results to the security management platform, including:

[0028] The first network function sends the analysis results to the security management platform via NEF.

[0029] Optionally, the analysis results include one or more of the following:

[0030] The scope of attacks on virtualized network functions;

[0031] The sources of attacks that compromise virtualized network functions;

[0032] Attacks that compromise virtualized network functions.

[0033] Optionally, the virtualized network functions include one or more of the following:

[0034] Virtualized AMF;

[0035] Virtualized NEF;

[0036] Virtualized NWDAF;

[0037] Virtualized SMF;

[0038] Virtualized NRF.

[0039] Secondly, an analysis method is provided, applied to the first network function, including:

[0040] Intrusion behavior reported by virtualized network functions or OMC;

[0041] The intrusion behavior reported by the virtualized network function is analyzed to obtain the intrusion behavior analysis results of the virtualized network function;

[0042] The analysis results are sent to the security management platform.

[0043] Optionally, the method further includes:

[0044] Intrusion activities reported to the virtualized network function or the OMC subscription virtualized network function.

[0045] Optionally, the method further includes:

[0046] The analysis results are sent to the security management platform via NEF.

[0047] Thirdly, an analysis device is provided for use in a first network function, including:

[0048] The receiving module is used to receive intrusion behavior reported by the virtualized network functions or OMC.

[0049] The analysis module is used to analyze the intrusion behavior reported by the virtualized network function and obtain the intrusion behavior analysis results of the virtualized network function.

[0050] The sending module is used to send the analysis results to the security management platform.

[0051] Optionally, the first network function further includes:

[0052] The subscription module is used to report intrusion behavior to the virtualized network function or the OMC subscription virtualized network function.

[0053] Fourthly, a communication device is provided, comprising: a processor, a memory, and a program stored in the memory and executable on the processor, wherein the program, when executed by the processor, performs the steps of the method described in the second aspect.

[0054] Fifthly, a readable storage medium is provided, on which a program is stored, which, when executed by a processor, implements the steps of the method as described in the second aspect.

[0055] In this embodiment, the inherent security detection capability of the network is realized through the network element's own detection capability and the analysis capability of the first network function, thereby ensuring that the network can detect security threats in a timely manner, quickly identify the security risks of network elements that cannot be identified by boundary devices in a timely manner, realize security threat detection, and comprehensively protect network security. Attached Figure Description

[0056] Various other advantages and benefits will become apparent to those skilled in the art upon reading the following detailed description of preferred embodiments. The accompanying drawings are for illustrative purposes only and are not intended to limit the scope of this application. Furthermore, the same reference numerals denote the same parts throughout the drawings. In the drawings:

[0057] Figure 1 This is a schematic diagram of the deployment of network elements in the 5G SA core network control plane;

[0058] Figure 2 This is a schematic diagram of the NWDAF data analysis service framework;

[0059] Figure 3 This is a schematic diagram of the analysis system provided in the embodiments of this application;

[0060] Figure 4 This is a flowchart of the network intrinsic security detection process provided in the embodiments of this application;

[0061] Figure 5 This is a flowchart of the network-inherent security handling process provided in the embodiments of this application;

[0062] Figure 6 This is a flowchart of the analysis method provided in the embodiments of this application;

[0063] Figure 7 This is a schematic diagram of the analysis device provided in the embodiments of this application;

[0064] Figure 8 This is a schematic diagram of the communication device provided in the embodiments of this application. Detailed Implementation

[0065] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0066] The term "comprising," and any variations thereof, used in the specification and claims of this application, is intended to cover a non-exclusive inclusion. For example, a process, method, system, product, or apparatus that includes a series of steps or units is not necessarily limited to those explicitly listed, but may include other steps or units not explicitly listed or inherent to such process, method, product, or apparatus. Furthermore, the use of "and / or" in the specification and claims indicates at least one of the connected objects, such as A and / or B, indicating the inclusion of A alone, B alone, or both A and B.

[0067] In the embodiments of this application, the terms "exemplary" or "for example" are used to indicate that something is an example, illustration, or description. Any embodiment or design that is described as "exemplary" or "for example" in the embodiments of this application should not be construed as being more preferred or advantageous than other embodiments or design. Specifically, the use of the terms "exemplary" or "for example" is intended to present the relevant concepts in a specific manner.

[0068] It is worth noting that the technologies described in this application are not limited to Long Term Evolution (LTE) / LTE-Advanced (LTE-A) systems, but can also be used in other wireless communication systems, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-carrier Frequency-Division Multiple Access (SC-FDMA), and other systems. The terms "system" and "network" in this application are often used interchangeably, and the described technologies can be used with the systems and radio technologies mentioned above, as well as with other systems and radio technologies. However, the following description describes New Radio (NR) systems for illustrative purposes, and the term NR is used in most of the following description, although these technologies can also be applied to applications other than NR systems, such as 6th Generation (6G) communication systems.

[0069] It should be noted that the virtualized network functions in this article can also be described as virtualized network elements, that is, network elements and network functions can be used interchangeably in this article.

[0070] See Figure 3 This application provides an analysis system, including: a virtualized network function 31 (or described as a virtualized network function 31), a first network function 32, and a security management platform 33. The virtualized network function 31 detects intrusion behavior and reports the intrusion behavior to the first network function 32. The first network function 32 analyzes the intrusion behavior reported by the virtualized network function to obtain analysis results. The first network function 32 sends the analysis results to the security management platform 33.

[0071] In one embodiment of this application, the virtualized network function includes one or more of the following: (1) virtualized AMF; (2) virtualized NEF; (3) virtualized NWDAF; (4) virtualized SMF; (5) virtualized network storage function (NF Repository Function, NRF).

[0072] Optionally, the virtualized network function has a built-in intrusion detection module that supports the detection of intrusion behaviors, including abnormal files (such as deletion of critical files, illegal file downloads, etc.), abnormal processes (such as process privilege escalation, etc.), abnormal accounts (such as brute-force attacks, illegal logins, etc.), and malicious software (such as reverse shells, rootkits, etc.). It also supports the first network function to subscribe to the detected intrusion behaviors from the virtualized network element. After successful subscription, it supports reporting the detected intrusion behaviors to the first network function.

[0073] In one embodiment of this application, the first network function may be NWDAF, but it is not limited to this.

[0074] Optionally, NWDAF supports subscribing directly to intrusion behaviors of virtualized network elements; it also supports subscribing to intrusion behaviors of virtualized network elements from the Operation and Maintenance Center (OMC); and upon receiving intrusion behaviors, it performs correlation analysis to identify the scope of the attacked virtualized network elements, the attack source, and the attack event. NWDAF also supports accepting intrusion analysis results of virtualized network elements subscribed to by the security management platform through NEF.

[0075] In one embodiment of this application, the analysis system further includes: an OMC 34, wherein the virtualized network function 31 reports the intrusion behavior to the OMC 34, and the OMC 34 sends the intrusion behavior of multiple virtualized network functions 31 to the first network function 32.

[0076] In other words, OMC34 supports NWDAF in subscribing to the virtualized network function reporting intrusion behavior from OMC, and after successful subscription, it reports the received intrusion behavior to NWDAF.

[0077] In one embodiment of this application, the first network function 32 subscribes to the virtualized network function 31 for intrusion behavior reported by the virtualized network function; or, the first network function 32 subscribes to the OMC 34 for intrusion behavior reported by multiple virtualized network functions.

[0078] In one embodiment of this application, the security management platform 33 subscribes to the analysis results from the first network function 32.

[0079] Based on network functions defined by 3GPP standards, intrinsic security detection can be achieved through the aforementioned mechanisms. Since a threat, especially an advanced threat such as an Advanced Persistent Threat (APT), generally requires comprehensive analysis of multiple security event inputs for identification, a dedicated entity, such as a security management platform, is needed to further analyze and handle network-wide security events. The security management platform supports subscribing to intrusion analysis results of virtualized network elements through NEF (Network Functions), and combining this with security events and logs collected from virtualized and physical security devices to analyze security threats, issue alerts, and distribute handling strategies to the Software-Defined Network (SDN) controller and / or security devices for execution.

[0080] In one embodiment of this application, the analysis system further includes: an SDN controller and / or a security device;

[0081] The security management platform obtains security events and / or security logs from security devices. Based on the analysis results and the security events and / or security logs, the security management platform analyzes security threats. The security management platform sends the handling strategy for the security threats to the SDN controller and / or security devices. The SDN controller converts the handling strategy into a flow table and sends it to the switch. The switch blocks or forwards traffic to the security device according to the flow table. The security device processes the received traffic according to the handling strategy.

[0082] The SDN controller supports an open northbound interface. Security management platform policies can be distributed to the SDN controller's northbound interface via the Network Functions Virtualization Orchestrator (NFVO) and Virtualized Infrastructure Manager (VIM), or directly from the security management platform. The SDN controller can convert these policies into security flow tables and distribute them to switches for blocking attack traffic or redirecting traffic to security devices.

[0083] Security devices include virtualized security devices and physical security devices. They support reporting security events and security logs to the security management platform and handling received traffic according to the security policies issued by the security management platform.

[0084] In one embodiment of this application, the security management platform directly calls or calls the northbound interface of the SDN controller through NFVO and VIM to send the security threat handling strategy to the SDN controller.

[0085] In one embodiment of this application, the first network function sends the analysis results to the security management platform via NEF.

[0086] Optionally, the analytics system may also include cloud infrastructure.

[0087] Optionally, cloud infrastructure includes physical servers, network devices (routers, switches), virtualization layers, and MANO, providing computing, storage, and network resources, as well as orchestration functions for virtual resources, to upper-layer applications (5G virtualized network elements, virtualized security devices, etc.).

[0088] In one embodiment of this application, the analysis results include one or more of the following:

[0089] (1) The scope of attacks on virtualized network functions;

[0090] (2) The sources of attacks that compromise virtualized network functions;

[0091] (3) Attacks that compromise virtualized network functions.

[0092] In one embodiment of this application, the virtualized network functions include one or more of the following:

[0093] The virtualized network functions include one or more of the following: (1) virtualized AMF; (2) virtualized NEF; (3) virtualized NWDAF; (4) virtualized SMF; (5) virtualized NRF.

[0094] In this embodiment, the inherent security detection capability of the network is realized through the network element's own detection capability and the analysis capability of the first network function, thereby ensuring that the network can detect security threats in a timely manner, quickly identify the security risks of network elements that cannot be identified by boundary devices in a timely manner, realize security threat detection, and comprehensively protect network security.

[0095] See Figure 4 The specific steps of the network-intrinsic security detection process include:

[0096] Step 1: The NWDAF subscribes to the intrusion behavior reported by the virtualized network functions. The virtualized network functions authenticate and authorize the NWDAF.

[0097] Step 1': To avoid interaction between NWDAF and multiple virtualized network functions and improve the efficiency of NWDAF in obtaining intrusion behavior reports from virtualized network functions, the intrusion behavior information reported by virtualized network functions can be uniformly reported to OMC, and then OMC reports it to NWDAF. In this scenario, NWDAF needs to subscribe to the intrusion behavior reports from virtualized network functions from OMC. OMC authenticates and authorizes NWDAF.

[0098] Step 2: The virtualized network function detects its own intrusion behavior, including detecting abnormal files (such as deletion of critical files, illegal file downloads, etc.), abnormal processes (such as process privilege escalation, etc.), abnormal accounts (such as brute-force attacks, unauthorized logins, etc.), and malicious software (such as reverse shells, rootkits, etc.), and reports the detected intrusion behavior to NWDAF.

[0099] Step 2': The virtualized network function detects its own intrusion behavior, including detecting abnormal files (such as deletion of critical files, illegal file downloads, etc.), abnormal processes (such as process privilege escalation, etc.), abnormal accounts (such as brute-force attacks, unauthorized logins, etc.), and malware (such as reverse shells, rootkits, etc.), and reports the detected intrusion behavior to the OMC. The OMC then reports the intrusion behavior reported by the virtualized network function to the NWDAF.

[0100] Step 3: NWDAF performs correlation analysis on the intrusion behaviors reported by the virtualized network functions to identify the scope of the attack, the source of the attack, and the attack events of the virtualized network functions.

[0101] See Figure 5The specific steps of the network-intrinsic security handling process are as follows:

[0102] Step 1: The security management platform subscribes to the intrusion behavior analysis results reported by the virtualized network functions from NWDAF via NEF. NWDAF then authenticates and authorizes the security management platform.

[0103] Step 2: After NWDAF successfully authenticates and authorizes its subscription to the security management platform, it sends the intrusion behavior analysis results reported by the virtualized network functions to the security management platform through the capability open interface.

[0104] Step 3: The security management platform analyzes the intrusion behavior results of the collected virtualized network functions, as well as the security events and security logs collected by virtualized security devices and physical security devices, identifies security threats, and issues alerts.

[0105] Step 4: The security management platform generates a handling policy on the switch (such as blocking attack traffic on a virtualized network function), and directly calls or calls the northbound interface of the SDN controller through NFVO and VIM to send the handling policy to the SDN controller.

[0106] Step 5: The SDN controller parses the handling policy, generates flow tables, and sends them to the switch, which then handles the attack traffic.

[0107] Step 6: When the security device needs to handle the situation, the security management platform can generate a traffic redirection policy and send it directly to the SDN controller or via NFVO and VIM.

[0108] Step 7: The SDN controller parses the handling policy, generates flow tables and sends them to the switch. The switch then directs the traffic to the security device according to the flow tables.

[0109] Step 8: The security management platform generates a disposal strategy for the security device and distributes it to the security device.

[0110] Step 9: The security device processes the received traffic according to its handling policy. In practice, to avoid the security management platform having to interface with each security device, the security management platform can also distribute the handling policy to the network management system of the security device. The network management system then translates the handling policy into a security policy that the security device can recognize before distributing it to the security device.

[0111] Steps 4 and 5 can coexist with steps 6, 7, 8, and 9, or only steps 4 and 5, or only steps 6, 7, 8, and 9. The specific decision depends on the handling strategy and whether both the switch and security equipment are required for handling.

[0112] See Figure 6This application provides an analysis method, the execution subject of which is a first network function, such as NWDAF, and the specific steps include: step 601, step 602 and step 603.

[0113] Step 601: Receive intrusion reports from the virtualized network function or OMC;

[0114] Step 602: Analyze the intrusion behavior reported by the virtualized network function to obtain the intrusion behavior analysis results of the virtualized network function;

[0115] Step 603: Send the analysis results to the security management platform.

[0116] In one embodiment of this application, the method further includes:

[0117] Intrusion activities reported to the virtualized network function or the OMC subscription virtualized network function.

[0118] In one embodiment of this application, the method further includes:

[0119] The analysis results are sent to the security management platform via NEF.

[0120] In this embodiment, the inherent security detection capability of the network is realized through the network element's own detection capability and the analysis capability of the first network function, thereby ensuring that the network can detect security threats in a timely manner, quickly identify the security risks of network elements that cannot be identified by boundary devices in a timely manner, realize security threat detection, and comprehensively protect network security.

[0121] See Figure 7 This application provides an analysis device for a first network function, the device 700 including:

[0122] The receiving module 701 is used to receive intrusion behavior reported by the virtualized network function or OMC;

[0123] Analysis module 702 is used to analyze the intrusion behavior reported by the virtualized network function and obtain the intrusion behavior analysis result of the virtualized network function;

[0124] The sending module 703 is used to send the analysis results to the security management platform.

[0125] In one embodiment of this application, the first network function further includes:

[0126] The subscription module is used to report intrusion behavior to the virtualized network function or the OMC subscription virtualized network function.

[0127] The apparatus provided in this application embodiment can achieve... Figure 6 The various processes implemented in the method embodiments shown achieve the same technical effects, and will not be described again here to avoid repetition.

[0128] like Figure 8 As shown, this application embodiment also provides a communication device 800, including a processor 801, a memory 802, and a program or instructions stored in the memory 802 and executable on the processor 801. When the program or instructions are executed by the processor 801, they implement the above-mentioned... Figure 6 The various processes in the method embodiments can achieve the same technical effect. To avoid repetition, they will not be described again here.

[0129] This application embodiment also provides a readable storage medium storing a program or instructions that, when executed by a processor, implement the above-described functionality. Figure 6 The various processes of the method embodiments shown can achieve the same technical effect, and will not be described again here to avoid repetition.

[0130] The processor is the processor in the first or second communication device described in the above embodiments. The readable storage medium includes computer-readable storage media, such as a computer read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk.

[0131] The steps of the methods or algorithms described in this application can be implemented in hardware or by executing software instructions on a processor. The software instructions can consist of corresponding software modules, which can be stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, hard disk, portable hard disk, read-only optical disk, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor, enabling the processor to read information from and write information to the storage medium. Of course, the storage medium can also be a component of the processor. The processor and storage medium can be housed in an ASIC. Alternatively, the ASIC can be housed in a core network interface device. Of course, the processor and storage medium can also exist as discrete components in the core network interface device.

[0132] Those skilled in the art will recognize that, in one or more of the examples above, the functions described in this application can be implemented using hardware, software, firmware, or any combination thereof. When implemented in software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, wherein communication media include any medium that facilitates the transfer of a computer program from one place to another. Storage media can be any available medium accessible to a general-purpose or special-purpose computer.

[0133] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of this application. It should be understood that the above description is only a specific embodiment of this application and is not intended to limit the scope of protection of this application. Any modifications, equivalent substitutions, improvements, etc., made on the basis of the technical solution of this application should be included within the scope of protection of this application.

[0134] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, embodiments of this application can take the form of entirely hardware embodiments, entirely software embodiments, or embodiments combining software and hardware aspects. Furthermore, embodiments of this application can take the form of computer program products implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0135] This application describes embodiments of methods, apparatus (systems), and computer program products according to embodiments of this application with reference to flowchart illustrations and / or block diagrams. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0136] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1The function specified in one or more boxes.

[0137] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0138] Obviously, those skilled in the art can make various modifications and variations to the embodiments of this application without departing from the spirit and scope of this application. Therefore, if these modifications and variations to the embodiments of this application fall within the scope of the claims of this application and their equivalents, this application also intends to include these modifications and variations.

Claims

1. An analysis system, characterized in that, include: Virtualized network functions, primary network functions, and security management platform. The virtualized network function detects its own intrusion behavior and reports the intrusion behavior to the first network function. The intrusion behavior includes at least one of the following: abnormal file operation, abnormal process operation, abnormal account operation, and malware intrusion. The first network function analyzes the intrusion behavior reported by the virtualized network function and obtains analysis results, which include one or more of the following: the scope of the attack on the virtualized network function; the attack source of the attack on the virtualized network function; and the attack event of the attack on the virtualized network function. The first network function sends the analysis results to the security management platform; The analysis system further includes: an Operation and Maintenance Center (OMC), the virtualized network functions report the intrusion behavior to the OMC, and the OMC sends the intrusion behavior reported by multiple virtualized network functions to the first network function; The first network function subscribes to the intrusion behavior reported by the virtualized network function; or, the first network function subscribes to the intrusion behavior reported by multiple virtualized network functions by the OMC.

2. The analysis system according to claim 1, characterized in that, The security management platform subscribes to the analysis results from the first network function.

3. The analysis system according to claim 1, characterized in that, The analysis system also includes: a software-defined networking (SDN) controller and / or a security device; The security management platform obtains security events and / or security logs from security devices. Based on the analysis results and the security events and / or security logs, the security management platform analyzes security threats. The security management platform sends the handling strategy for the security threats to the SDN controller and / or security devices. The SDN controller converts the handling strategy into a flow table and sends it to the switch. The switch blocks or forwards traffic to the security device according to the flow table. The security device processes the received traffic according to the handling strategy.

4. The analysis system according to claim 3, characterized in that, The security management platform sends the security threat handling strategy to the SDN controller, including: The security management platform directly calls, or calls the northbound interface of the SDN controller through the Network Functions Virtualization Orchestrator (NFVO) and the Virtual Infrastructure Manager (VIM), to send the security threat handling strategy to the SDN controller.

5. The analysis system according to claim 1, characterized in that, The first network function sends the analysis results to the security management platform, including: The first network function sends the analysis results to the security management platform via NEF.

6. The analysis system according to claim 1, characterized in that, The virtualized network functions include one or more of the following: Virtualized Access and Mobility Management Functions (AMF); Network Open Function (NEF) for virtualization; Virtualized network data analysis function NWDAF; Virtualized Session Management Function (SMF); Network storage functionality (NRF) for virtualization.

7. An analysis method applied to a first network function, characterized in that, include: The system receives intrusion behavior reports from virtualized network functions or OMCs within the analysis system. These virtualized network functions are used to detect their own intrusion behavior, which includes at least one of the following: abnormal file operations, abnormal process operations, abnormal account operations, or malware intrusion. The intrusion behaviors reported by the virtualized network functions are analyzed to obtain the intrusion behavior analysis results of the virtualized network functions. The analysis results include one or more of the following: the scope of the attack on the virtualized network functions; the attack source of the attack on the virtualized network functions; and the attack events that attacked the virtualized network functions. The analysis results are sent to the security management platform within the analysis system. The method further includes: Subscribe to the intrusion behavior reported by the virtualized network function; Alternatively, subscribe to multiple virtualized network functions reported intrusion behavior by the OMC.

8. The method according to claim 7, characterized in that, The method further includes: The analysis results are sent to the security management platform via NEF.

9. An analysis device applied to a first network function, characterized in that, include: The receiving module is used to receive intrusion behavior reported by the virtualized network function in the analysis system or the OMC. The virtualized network function is used to detect its own intrusion behavior. The intrusion behavior includes at least one of the following: abnormal file operation, abnormal process operation, abnormal account operation, and malware intrusion. The analysis module is used to analyze the intrusion behaviors reported by the virtualized network functions to obtain the intrusion behavior analysis results of the virtualized network functions. The analysis results include one or more of the following: the scope of the attack on the virtualized network functions; the attack source of the attack on the virtualized network functions; and the attack events that attacked the virtualized network functions. The sending module is used to send the analysis results to the security management platform in the analysis system; The first network function also includes: The subscription module is used to subscribe to the intrusion behavior reported by the virtualized network function; or, to subscribe to the intrusion behavior reported by multiple virtualized network functions from the OMC, wherein the OMC can obtain the intrusion behavior reported by the virtualized network functions.

10. A communication device, characterized in that, include: A processor, a memory, and a program stored in the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the method as described in any one of claims 7 to 8.

11. A readable storage medium, characterized in that, The readable storage medium stores a program that, when executed by a processor, implements the steps of the method as described in any one of claims 7 to 8.