A signaling transmission detection method, apparatus, device and medium

By intercepting signaling and updating the signaling encoding sequence using IMSI and service identifiers, the problem of incorrect signaling transmission order was solved, improving the efficiency and accuracy of signaling transmission detection.

CN116193469BActive Publication Date: 2026-06-30CHINA TELECOM NETWORK SECURITY TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA TELECOM NETWORK SECURITY TECH CO LTD
Filing Date
2022-12-23
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

In the 5GC of the fifth-generation mobile communication system, the existing technology suffers from the problem of incorrect signaling transmission sequence, which leads to low detection efficiency.

Method used

By intercepting signaling sent by network elements, the pre-saved encoding is obtained, and the encoding sequence of the signaling is updated using the International Mobile Subscriber Identity (IMSI) and the service identifier to determine whether the signaling transmission is carried out according to the standard procedure.

Benefits of technology

It improves the efficiency of signaling transmission detection, ensures that signaling is transmitted according to standard procedures, and reduces the possibility of transmission sequence errors.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116193469B_ABST
    Figure CN116193469B_ABST
Patent Text Reader

Abstract

This application provides a signaling transmission detection method, apparatus, device, and medium. In this application embodiment, if an electronic device detects that a network element is sending a target signaling, the electronic device intercepts the target signaling, obtains the first code corresponding to the network element, and updates the pre-saved target signaling detection code sequence based on the first code. This allows the electronic device to determine whether the transmission order of the current target signaling is incorrect based on the existing target code sequence and the pre-saved target code sequence corresponding to the target signaling when processing according to the standard process corresponding to the target signaling, thereby improving the efficiency of signaling transmission detection.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of communication technology, and in particular to a signaling transmission detection method, apparatus, device and medium. Background Technology

[0002] Service-oriented architecture is an important feature of fifth-generation mobile communication systems and a significant difference between the fifth-generation core network (5GC) and traditional core networks. The 5GC stores the standard procedures for each service. When the 5GC receives a signaling message carrying a service request from a user equipment (UE), it can process the request according to the service carried in the signaling message and the standard procedure corresponding to that service.

[0003] However, when 5GC processes signaling according to the standard procedure, each sub-procedure in the standard procedure is completed by a network element, and different sub-procedures may be completed at the service layer corresponding to different network elements. In other words, after receiving signaling, 5GC needs to transmit the signaling between different network elements, which may lead to the situation where the signaling transmission order is incorrect, that is, the signaling transmitted in 5GC is not transmitted according to its corresponding standard procedure.

[0004] In existing technologies, since network elements cannot obtain the content carried in the signaling, the 5GC can only determine whether there was an error during the signaling transmission process after the signaling transmission ends, based on the processing result of the service layer corresponding to each network element in the signaling. This results in low efficiency in detecting whether there is an error during the signaling transmission process. Summary of the Invention

[0005] This application provides a signaling transmission detection method, apparatus, device, and medium to solve the problem of low efficiency in detecting whether errors occur during signaling transmission in the prior art.

[0006] This application provides a signaling transmission detection method, the method comprising:

[0007] Intercept the target signaling sent by the network element and obtain the first code corresponding to the pre-saved network element;

[0008] Based on the International Mobile Subscriber Identity (IMSI) carried in the target signaling, obtain the stored target signaling corresponding to the detection code sequence, and update the detection code sequence according to the first code;

[0009] Based on the service identifier carried in the target signaling and the pre-saved correspondence between the service identifier and the encoding sequence, the target encoding sequence corresponding to the target signaling is determined. If the target encoding sequence contains the updated encoding sequence to be detected, it is determined that the target signaling transmission has not been erroneous.

[0010] Furthermore, the method for determining the first code includes:

[0011] Get the preset string template;

[0012] For each preset field in the string template, obtain the target attribute represented by the preset field and obtain the attribute value of the network element under the target attribute; use the attribute value to update the content of the preset field in the string template;

[0013] The string template for each preset field after update is determined to be the first encoding.

[0014] Furthermore, if the network element is the first network element to send the target signaling, after obtaining the pre-saved first code corresponding to the network element, the method further includes:

[0015] The header of the target signaling is updated using the first encoding;

[0016] Based on the address carried in the target signaling, the updated target signaling is sent to other network elements corresponding to the address.

[0017] Further, updating the header of the target signaling using the first encoding includes:

[0018] The first encoding is used to update the content of the first preset position in the routing extension header (SRH) of the message header.

[0019] Furthermore, if the network element is not the first network element to send the target signaling, after obtaining the pre-saved first code corresponding to the network element, the method further includes:

[0020] Obtain the second code corresponding to the network element that last sent the target signaling, carried in the header of the target signaling message;

[0021] The header of the target signaling is updated using the first encoding and the second encoding;

[0022] Based on the address carried in the target signaling, the updated target signaling is sent to other network elements corresponding to the address.

[0023] Further, updating the header of the target signaling using the first encoding and the second encoding includes:

[0024] The first encoding is used to update the content at the first preset position in the SRH extension header of the message header;

[0025] The second encoding is used to update the content at the second preset position in the SRH extension header of the message header.

[0026] Further, updating the detected coding sequence according to the first coding includes:

[0027] The first code is added to the end of the code sequence to be detected.

[0028] This application embodiment also provides a signaling transmission detection device, the device comprising:

[0029] The marking module is used to intercept target signaling sent by network elements, obtain a first code corresponding to the network element that is stored in advance; obtain the stored code sequence to be detected corresponding to the target signaling based on the International Mobile Subscriber Identity (IMSI) carried in the target signaling, and update the code sequence to be detected based on the first code.

[0030] The analysis and detection module is used to determine the target encoding sequence corresponding to the target signaling based on the service identifier carried in the target signaling and the pre-saved correspondence between the service identifier and the encoding sequence. If the target encoding sequence contains the updated encoding sequence to be detected, it is determined that the target signaling transmission has not been erroneous.

[0031] Furthermore, the tagging module is also used to obtain a preset string template; for each preset field in the string template, obtain the target attribute represented by the preset field and obtain the attribute value of the network element under the target attribute; update the content of the preset field in the string template using the attribute value; and determine the string template after each preset field update is the first code.

[0032] Furthermore, the marking module is also used to update the header of the target signaling using the first encoding if the network element is the first network element to send the target signaling; and to send the updated target signaling to other network elements corresponding to the address according to the address carried in the target signaling.

[0033] Furthermore, the marking module is specifically used to update the content of the first preset position in the routing extension header (SRH) of the message header using the first encoding.

[0034] Furthermore, the marking module is also configured to, if the network element is not the first network element to send the target signaling, obtain the second code corresponding to the network element that last sent the target signaling carried in the header of the target signaling; update the header of the target signaling using the first code and the second code; and send the updated target signaling to other network elements corresponding to the address according to the address carried in the target signaling.

[0035] Furthermore, the marking module is specifically used to update the content at a first preset position in the SRH extension header of the message header using the first encoding; and to update the content at a second preset position in the SRH extension header of the message header using the second encoding.

[0036] Furthermore, the analysis and detection module is specifically used to add the first code to the end of the code sequence to be detected.

[0037] This application also provides an electronic device, which includes a processor, which executes a computer program stored in a memory to implement the steps of any of the signaling transmission detection methods described above.

[0038] This application also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of any of the signaling transmission detection methods described above.

[0039] In this embodiment, the electronic device intercepts the target signaling sent by a network element and obtains a pre-saved first code corresponding to the network element. Based on the International Mobile Subscriber Identity (IMSI) carried in the target signaling, it obtains the stored target signaling-to-be-detected code sequence and updates it according to the first code. Based on the service identifier carried in the target signaling and the pre-saved correspondence between the service identifier and the code sequence, it determines the target code sequence corresponding to the target signaling. If the target code sequence contains the updated target code sequence, it is determined that the target signaling transmission is error-free. In this embodiment, if the electronic device detects a target signaling sent by a network element, it intercepts the target signaling, obtains the stored first code corresponding to the network element, and updates the pre-saved target signaling-to-be-detected code sequence based on the first code. This allows the electronic device to determine whether the transmission order of the current target signaling is incorrect based on the existing target code sequence and the pre-saved target code sequence corresponding to the target signaling when processed according to the standard procedure, thus improving the efficiency of signaling transmission detection. Attached Figure Description

[0040] To more clearly illustrate the technical solutions of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0041] Figure 1 A schematic diagram of a signaling transmission detection process provided in an embodiment of this application;

[0042] Figure 2 This is a schematic diagram of the monitoring system provided in the embodiments of this application;

[0043] Figure 3 A schematic diagram of an IMSI structure provided in an embodiment of this application;

[0044] Figure 4 A schematic diagram of the preset fields corresponding to the string template provided in the embodiments of this application;

[0045] Figure 5 This is a schematic diagram illustrating the values ​​of each preset field provided in the embodiments of this application;

[0046] Figure 6 A schematic diagram of the pre-process message types provided in the embodiments of this application;

[0047] Figure 7 A schematic diagram illustrating the triggering method provided in an embodiment of this application;

[0048] Figure 8 A schematic diagram of the message header of the target signaling provided in the embodiments of this application;

[0049] Figure 9 A schematic diagram of the fields corresponding to the Optional TLV provided in the embodiments of this application;

[0050] Figure 10 A schematic diagram of the newly defined Optional TLV provided in the embodiments of this application;

[0051] Figure 11 A schematic diagram of a signaling transmission process provided in an embodiment of this application;

[0052] Figure 12 A schematic diagram of a signaling transmission detection device provided in an embodiment of this application;

[0053] Figure 13 This is a schematic diagram of an electronic device structure provided in an embodiment of this application. Detailed Implementation

[0054] To make the objectives, technical solutions, and advantages of this application clearer, the application will be further described in detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0055] To improve the efficiency and accuracy of signaling transmission detection, embodiments of this application provide a signaling transmission detection method, apparatus, device, and medium.

[0056] In this embodiment, the electronic device intercepts the target signaling sent by the network element and obtains the first code corresponding to the network element that is stored in advance; according to the International Mobile Subscriber Identity (IMSI) carried in the target signaling, it obtains the stored code sequence to be detected corresponding to the target signaling and updates the code sequence to be detected according to the first code; according to the service identifier carried in the target signaling and the correspondence between the service identifier and the code sequence stored in advance, it determines the target code sequence corresponding to the target signaling; if the target code sequence contains the updated code sequence to be detected, it is determined that the target signaling transmission has not been erroneous.

[0057] Example 1:

[0058] Figure 1 A schematic diagram of a signaling transmission detection process provided in this application embodiment is shown, the process including:

[0059] S101: Intercept the target signaling sent by the network element and obtain the first code corresponding to the network element that has been saved in advance.

[0060] The signaling transmission detection method provided in this application is applied to an electronic device, which may be a PC or a server, wherein a monitoring system is deployed in the electronic device.

[0061] Figure 2 This is a schematic diagram of the monitoring system provided in the embodiments of this application, as shown below. Figure 2 As shown, the detection system includes, but is not limited to, a user equipment (UE), a 5G radio access network (NG Radio Access Network, NG-RAN), a 5GC, a tagging module, a protocol stack, a relay, a data acquisition module, an analysis and detection module, and an execution module. The UE interacts with the 5GC using NAS signaling; the NG-RAN establishes NAS signaling bearers for the UE and 5GC; the 5GC network element acts as both a 5GC signaling producer and consumer; the data acquisition module collects signaling traffic from the network; the analysis and detection module analyzes signaling behavior based on tagging information in the collected traffic; and the execution module traces and locates abnormal signaling and executes predetermined strategies.

[0062] In practical applications, 5G core network signaling (5GC signaling) has been fully IP-based. Segment routing IPv6 (SRv6) is one of the means to implement 5G network slicing. For 5GC networks deploying SRv6, in addition to the schemes described in the embodiments of this application, the radio access process, authentication process, and core network signaling flow can be mapped by optionally completing, encapsulating, and parsing the segment routing header (SRH) using (Type, Length, Value, TLV) definitions. This can mark 5GC signaling flows, which can be used to identify the meaning and relationships of signaling messages and to judge signaling anomalies. For example, when 5GC service fails, is infected, or when signaling is lost, tampered with, ghosted, flooded, illegally requested, or leaked, signaling analysis can be performed in the message relay based on SRv6 markings to detect anomalies.

[0063] Based on this, in this embodiment, the user sends a target signaling message to the 5GC through the UE. This target signaling message carries the services required by the UE. After receiving the target signaling message, the 5GC will respond to it. In practical application scenarios, the UE initiates network attached storage (NAS) signaling to the 5GC. In this example, the initiation to the 5GC is a sending network element to the 5GC. Alternatively, the 5GC can initiate a NAS message to the UE to trigger the UE to initiate NAS signaling to the 5GC.

[0064] However, when 5GC responds to the target signaling, it may include multiple sub-processes, and different sub-processes may be completed at the service layer corresponding to different network elements. In other words, after receiving the target signaling, 5GC needs to transmit the target signaling between different network elements, which may lead to the situation where the target signaling transmission order is incorrect, that is, the signaling transmitted in 5GC is not transmitted according to its corresponding standard process.

[0065] Based on this, in the embodiments of this application, during the process of a network element executing a sub-process in 5GC sending target signaling to the next network element executing the next sub-process, the electronic device will intercept the target signaling sent by the network element and mark the network element that sent the target signaling with a preset identifier, so that it can be determined whether there is an error in the transmission of the target signaling according to the mark corresponding to the target signaling sent by each network element.

[0066] Specifically, the network element's network operation service (NF Service, NF) normally sends out the target signaling, which is then encapsulated using the Hypertext Transfer Protocol (HTTP) and intercepted by the electronic device in the kernel space of 5GC. The electronic device then obtains and stores the first code corresponding to that network element. This first code can be the sequence number of the network element in the standard process corresponding to the service executing the target signaling, or it can be other content; no restrictions are placed here.

[0067] S102: Based on the International Mobile Subscriber Identity (IMSI) carried in the target signaling, obtain the stored code sequence to be detected corresponding to the target signaling, and update the code sequence to be detected according to the first code.

[0068] In this embodiment, for each signaling sent by a UE, the electronic device stores the response order of each network element when the 5GC responds to the signaling sent by the UE. Specifically, in this embodiment, the electronic device stores the corresponding order of each network element in the code sequence to be detected.

[0069] Specifically, in the embodiments of this application, when the UE sends target signaling to the 5GC, the UE will also send the International Mobile Subscriber Identity (IMSI) to the 5GC. The UE may send the target signaling and the IMSI to the 5GC at the same time, or it may add the IMSI to the target signaling and then send the target signaling carrying the IMSI to the 5GC.

[0070] In this embodiment, when the electronic device saves the sequence code to be detected for each UE, it saves the correspondence between the IMSI of each UE and the sequence code to be detected. Based on this, in this embodiment, the electronic device needs to determine the IMSI corresponding to the target signaling and determine the sequence code to be detected corresponding to the target signaling through the IMSI.

[0071] Specifically, in this embodiment, the electronic device can send a request to the network element that sent the target signaling to obtain the IMSI corresponding to the target signaling, and determine the IMSI corresponding to the target code sequence based on the IMSI carried in the response information of the network element and the pre-saved correspondence between the target code sequence and the IMSI. The electronic device can update the target code sequence according to the first code corresponding to the network element.

[0072] Figure 3 This is a schematic diagram of the structure of an IMSI provided in an embodiment of this application. Figure 3It is known that the IMSI has 15 or 16 strings (Digits). The IMSI consists of the Mobile Country Code (MCC), the Mobile Network Code (MNC), and the Mobile Subscriber Identification Number (MSIN). The MCC, MNC, and MSIN are arranged in sequence to form the IMSI. The MCC has 3 Digits, the MNC has 2 or 3 Digits, and the MSIN has 9 or 10 Digits.

[0073] In this embodiment, IMSI can be represented by 56 bits, MCC by 6 bits, MNC by 6 bits, and MSIN by 20 bits. S103: Based on the service identifier carried in the target signaling and the pre-stored correspondence between the service identifier and the encoding sequence, determine the target encoding sequence corresponding to the target signaling. If the target encoding sequence contains the updated encoding sequence to be detected, then determine that the target signaling transmission has not been erroneous.

[0074] S103: Based on the service identifier carried in the target signaling and the pre-saved correspondence between the service identifier and the encoding sequence, determine the target encoding sequence corresponding to the target signaling. If the target encoding sequence contains the updated encoding sequence to be detected, then determine that the target signaling transmission has not been erroneous.

[0075] In this embodiment, the electronic device stores the standard process of 5GC providing services for each service. That is, the electronic device stores the encoding sequence corresponding to each service identifier. The encoding sequence is the order of the first encoding of each network element processed sequentially by 5GC when it processes the signaling corresponding to each service identifier according to the standard process.

[0076] The business includes, but is not limited to, main business and sub-business. The main business includes, but is not limited to, initial registration process, periodic registration process, deregistration process, authentication process, session establishment process, session change process, session release process, slice selection process, policy download process, etc. The sub-business is other process business nested in the main business.

[0077] Based on this, in this embodiment of the application, for the target signaling sent by the intercepted network element, the electronic device can determine the target encoding sequence corresponding to the target sequence based on the service identifier carried in the target signaling and the pre-stored correspondence between the service identifier and the encoding sequence. If the electronic device determines that the target encoding sequence contains the updated encoding sequence to be detected, then the electronic device determines that the transmission of the target signaling has not been erroneous.

[0078] In this embodiment, if the electronic device detects that a network element is sending a target signaling, it intercepts the target signaling, obtains the first code corresponding to the network element, and updates the pre-saved detection code sequence corresponding to the target signaling based on the first code. This allows the electronic device to determine whether the transmission order of the current target signaling is incorrect based on the existing detection code sequence and the pre-saved target code sequence corresponding to the target signaling when processing according to the standard procedure corresponding to the target signaling, thereby improving the efficiency of signaling transmission detection.

[0079] Example 2:

[0080] To better identify network elements, based on the above embodiments, in this application embodiment, the method for determining the first code includes:

[0081] Get the preset string template;

[0082] For each preset field in the string template, obtain the target attribute represented by the preset field and obtain the attribute value of the network element under the target attribute; use the attribute value to update the content of the preset field in the string template;

[0083] The string template for each preset field after update is determined to be the first encoding.

[0084] In this embodiment of the application, the electronic device stores a preset string template, and the electronic device can determine the first code corresponding to each network element based on the preset string template.

[0085] Specifically, in this embodiment, the string template includes at least one preset field, and each preset field represents a different attribute. For example, preset field 1 represents the triggering method, preset field 2 represents the first message flag, etc. For each preset field, the electronic device obtains the saved target attribute represented by the preset field, obtains the saved attribute value of the network element under the target attribute, and uses the attribute value to update the content of the preset field in the string template. The electronic device determines the first code corresponding to the network element based on the string template after each preset field has been updated.

[0086] In this embodiment, each preset field of the string template includes, but is not limited to: preprocess message type, triggering method, first message flag, optional process, main process, sub-process, and message number. The preprocess message type includes, but is not limited to, 5GC message, NAS message, AF message, B domain, and O domain; the triggering method includes, but is not limited to, UE triggering, RAN triggering, 5GC triggering, and management triggering; the first message flag can be either the first message or a non-first message; the optional process can be either an optional process or a non-optional process, meaning that in the service corresponding to the target signaling, the target signaling can be sent to the network element or not.

[0087] Figure 4 This is a schematic diagram of the preset fields corresponding to the string template provided in the embodiments of this application, as shown below. Figure 4 As shown, the string template includes 7 preset fields, namely, the type of the preceding process message, the triggering method, the first message flag, the optional process, the main process, the sub-process, and the message number.

[0088] exist Figure 4 On this basis, Figure 5 This is a schematic diagram illustrating the values ​​of each preset field provided in the embodiments of this application, as shown below. Figure 5 As shown, the message type of the preceding process corresponds to positions 0-3 of the string template, the triggering method corresponds to positions 4-5, the first message instruction corresponds to position 6, the optional process corresponds to position 7, the main process corresponds to positions 8-16, the sub-process corresponds to positions 17-24, and the message number corresponds to positions 25-32. The trigger flag for the first message is 0 or 1, the optional process is 0 or 1, and the main process, sub-process, and message number are all numbered according to 3GPP specifications.

[0089] exist Figure 4 and Figure 5 On this basis, Figure 6 This is a schematic diagram of the pre-process message type provided in the embodiments of this application, as shown below. Figure 6 As shown, the front-end message processing flow includes 5GC messages, NAS messages, AF messages, B domains, and O domains. If the front-end message processing flow is a 5GC message, the corresponding attribute value is 0001; if it is a NAS message, the corresponding attribute value is 0010; if it is an AF message, the corresponding attribute value is 1000; if it is a B domain, the corresponding attribute value is 1001; and if it is an O domain, the corresponding attribute value is 1011.

[0090] exist Figure 4 , Figure 5 and Figure 6 On this basis, Figure 7 This is a schematic diagram of the triggering method provided in the embodiments of this application, as shown below. Figure 7 As shown, the triggering methods include UE triggering, RAN triggering, 5GC triggering, and management triggering. If the triggering method is UE triggering, the corresponding attribute value is 00. If the triggering method is RAN triggering, the corresponding attribute value is 01. If the triggering method is 5GC triggering, the corresponding attribute value is 10. If the triggering method is management triggering, the corresponding attribute value is 11.

[0091] Example 3:

[0092] To better detect the signaling transmission process, based on the above embodiments, in this embodiment, if the network element is the first network element to send the target signaling, after obtaining the pre-saved first code corresponding to the network element, the method further includes:

[0093] The header of the target signaling is updated using the first encoding;

[0094] Based on the address carried in the target signaling, the updated target signaling is sent to other network elements corresponding to the address.

[0095] In order to better detect signaling transmission and enable electronic devices to better update the detection code sequence corresponding to the target signaling, in this embodiment of the application, the electronic device will encapsulate the first code corresponding to the network element into the message header of the target signaling.

[0096] Specifically, in this embodiment of the application, if the network element is the first network element to send the target signaling, the electronic device updates the header of the target signaling using the first code corresponding to the network element, and sends the updated target signaling to other network elements corresponding to the address according to the address carried in the target signaling.

[0097] In this embodiment of the application, the target signaling is generally an SRv6 message.

[0098] Furthermore, in this embodiment of the application, when the electronic device updates the header of the target signaling using the first encoding, it can also add the IMSI corresponding to the target signaling to the header.

[0099] To better detect the signaling transmission process, based on the above embodiments, in this embodiment, updating the header of the target signaling using the first encoding includes:

[0100] The first encoding is used to update the content of the first preset position in the routing extension header (SRH) of the message header.

[0101] Based on the above, in this embodiment of the application, the electronic device updates the message header corresponding to the target signaling by using the first encoding as follows: the electronic device updates the first preset position of the SegmentRouting Header (SRH) of the message header by using the first encoding.

[0102] Example 4:

[0103] To better detect the signaling transmission process, based on the above embodiments, in this embodiment, if the network element is not the first network element to send the target signaling, after obtaining the pre-saved first code corresponding to the network element, the method further includes:

[0104] Obtain the second code corresponding to the network element that last sent the target signaling, carried in the header of the target signaling message;

[0105] The header of the target signaling is updated using the first encoding and the second encoding;

[0106] Based on the address carried in the target signaling, the updated target signaling is sent to other network elements corresponding to the address.

[0107] In order to better detect signaling transmission and enable electronic devices to better update the detection code sequence corresponding to the target signaling, in this embodiment of the application, the electronic device encapsulates the first code corresponding to the network element and the second code corresponding to the network element that last sent the target signaling, which is carried in the header of the target signaling, into the header of the target signaling.

[0108] Specifically, in this embodiment of the application, if the network element is not the first network element to send the target signaling, the electronic device obtains the second code corresponding to the network element that last sent the target signaling carried in the header of the target signaling, updates the header of the target signaling using the first code and the second code corresponding to the network element, and sends the updated target signaling to other network elements corresponding to the address according to the address carried in the target signaling.

[0109] In this embodiment, the target signaling is generally an SRv6 message. Furthermore, in this embodiment, when the electronic device updates the header of the target signaling using the first encoding and the second encoding, it can also add the IMSI corresponding to the target signaling to the header.

[0110] To better detect the signaling transmission process, based on the above embodiments, in this embodiment, updating the header of the target signaling using the first encoding and the second encoding includes:

[0111] The first encoding is used to update the content at the first preset position in the SRH extension header of the message header;

[0112] The second encoding is used to update the content at the second preset position in the SRH extension header of the message header.

[0113] The first encoding is used to update the content of the first preset position in the routing extension header (SRH) of the message header.

[0114] Based on the above, in this embodiment of the application, the electronic device updates the message header corresponding to the target signaling using the first encoding and the second encoding as follows: the electronic device updates the first preset position of the SRH in the message header using the first encoding, and updates the content of the second preset position in the SRH extension header of the message header using the second encoding.

[0115] Figure 8 This is a schematic diagram of the message header of the target signaling provided in the embodiments of this application, as shown below. Figure 8 As shown, the target signaling is an SRv6 message. The message header includes an IPv6 header, an SRH (Search Engine Response) field, and an IPv6 payload. The IPv6 header is the same as in existing technologies, consisting of 40 bytes. If the electronic device recognizes that the type of the next header in this IPv6 header is SRH (i.e., the electronic device recognizes that the value of the field corresponding to the type of the next header in this IPv6 header is 43), then the electronic device will access the field corresponding to the SRH field in the header of the target signaling. The SRH field is the same as in existing technologies, including but not limited to Optional Type Length Value (OptionalTLV).

[0116] exist Figure 8 On this basis, Figure 9 This is a schematic diagram of the fields corresponding to the Optional TLV provided in the embodiments of this application, as shown below. Figure 9 As shown, the Optional TLV includes multiple subfields, and each subfield has a different meaning. The first subfield corresponding to the 7th to 123rd positions and the second subfield corresponding to the 128th to 251st positions are unassigned subfields. The electronic device can add the first code, the second code, and the IMSI to these two subfields.

[0117] Based on this, in the embodiments of this application, a technician can select a preset number of bits to customize the two sub-fields, and mark the meaning of the preset number of bits as the signaling context protocol type, which is used to write the first code, the second code, and the IMSI or to write the first code and the IMSI.

[0118] For example, technicians can define a subfield starting from the 7th bit of the SRH's Optional TLV, with a length of (16+32+32+64) / 8, as the subfield corresponding to the signaling context protocol type. That is, the Type of this subfield is 7, the Length is (16+32+32+64) / 8, and the Value is the first code + the second code + the IMSI.

[0119] Figure 10 A schematic diagram of the newly defined Optional TLV provided in the embodiments of this application, as shown below. Figure 10 As shown, the Optional TLV includes Type, Length, Reserved, First Encoding (MSG-Seq-Info), Second Encoding (PreMSG-Seq-Info), and IMSI.

[0120] Example 5:

[0121] To improve the efficiency of signaling transmission detection, based on the above embodiments, in this embodiment, updating the code sequence to be detected according to the first code includes:

[0122] The first code is added to the end of the code sequence to be detected.

[0123] In this embodiment, after intercepting the target signaling sent by the gateway, the electronic device adds the first number corresponding to the gateway to the detection encoding sequence. Since, in this embodiment, the electronic device needs to determine whether there is an error in the signaling transmission process based on the detection encoding sequence corresponding to the actual gateway transmission signaling order and the target encoding sequence corresponding to the standard procedure, the electronic device needs to add the detection encoding sequence to the end according to the actual transmission order.

[0124] Figure 11 This is a schematic diagram of a signaling transmission process provided in an embodiment of this application.

[0125] 1. UE generates NAS signaling.

[0126] 2. The UE initiates NAS signaling to network element 1 of 5GC, or network element 1 of 5GC initiates a trigger message to obtain the NAS message of the UE.

[0127] In this way, the transmitting network element can obtain the UE's IMSI.

[0128] 3. Network element 1 sends out target signaling (5GC signaling), which is encapsulated via HTTP and intercepted by the marking module in kernel space. The purpose of the interception is to prevent it from being directly sent to network element 2.

[0129] 4-5. The tagging module calls the network service interface to obtain the corresponding IMSI based on the message body, process ID, etc.

[0130] 6. The marking module obtains the first code corresponding to the saved network element 1, and fills the first code, the second code of the previous network element, and the IMSI into the preset position of the IPv6 SRH Optional TLV.

[0131] 7-8. Target signaling transmission.

[0132] 9. The protocol stack of Network Element 2 processes messages and, based on the meaning of the optional fields, hands them over to the parsing module and the proxy interface of the network service.

[0133] 10-11. The parsing module of network element 2 calls the IP layer interface to obtain the necessary fields.

[0134] 12. The parsing module of network element 2 retains the IMSI, first code, and necessary access process information and passes them to the marking module.

[0135] 13. The parsing module of network element 2 delivers the regular signaling message (5GC signaling) to the application layer.

[0136] 14. Network element 2 performs signaling logic processing for its network services, sends out the next signaling message, encapsulates it via HTTP, and is intercepted by the tagging module in the kernel space.

[0137] 15-17. The marking module of network element 2 repeats steps 4-6.

[0138] 18. The protocol stack of network element 2 repeatedly executes step 7.

[0139] 19. The acquisition module of the electronic device acquires data in the host kernel protocol stack or network relay, extracts the source IP and destination IP, SRH Optional TLV, obtains the first code, IMSI, and second code, and performs data processing.

[0140] 20. The monitoring system's detection and analysis module, based on the processed data, plots message sequences at the IMSI level, compares them with the standard process definition, and analyzes the reasons for deviations.

[0141] The inspection and analysis module uses the processed data to plot message sequences at the IMSI level, compares them with the standard process definition, and analyzes the reasons for deviations.

[0142] Specifically, this can be achieved in the following way:

[0143] Establish a standard process message number index and message mapping.

[0144] The standard process mainly includes a main process and sub-processes. The main process includes the initial registration process, periodic registration process, deregistration process, authentication process, session establishment process, session modification process, session release process, slice selection process, and policy download process. Sub-processes include other main processes nested within each main process, or optional processes for different cases. Message sequence numbers are arranged sequentially according to the time order of each main process and sub-process. By analyzing the collected signaling message HTTP headers, the correlation between signaling messages is interpreted, and the standard process is compared using message number indexes.

[0145] The identification of anomalies mainly includes signaling anomalies, user anomalies, and process anomalies. Signaling anomalies include erroneous signaling, ghost signaling, missing signaling, and signaling flooding; user anomalies include registration anomalies, session anomalies, policy anomalies, handover anomalies, and access anomalies; process anomalies include process blocking, signaling loops, concatenation errors, and illegal requests.

[0146] 21. For anomalies in specific terminals or network services, further analyze the behavioral characteristics. If they match the network security feature database, take action, such as blocking the terminal or migrating the network service through 5G network management.

[0147] Compared to related technologies that primarily analyze message content by decapsulating HTTP messages, the embodiments described above, based on the network layer SRv6 SRH, can obtain the necessary information for signaling monitoring without decapsulating HTTP messages, thus improving collection efficiency. Furthermore, all network elements (network devices) can be used as collection points, making the collection method more flexible. Moreover, the signaling flow of the 3GPP standard is described based on message encoding, and an anomaly analysis method for comparing the signaling flow with the standard process is designed. Compared to existing log-based problem tracing and troubleshooting solutions, the embodiments of this application can quickly locate signaling flow anomalies and identify access fraud using certain methods.

[0148] Example 6:

[0149] Figure 12 A schematic diagram of a signaling transmission detection device provided in this application embodiment is shown. The device includes:

[0150] The marking module 1201 is used to intercept the target signaling sent by the network element, obtain the first code corresponding to the network element that is saved in advance; obtain the saved code sequence to be detected corresponding to the target signaling according to the International Mobile Subscriber Identity (IMSI) carried in the target signaling, and update the code sequence to be detected according to the first code.

[0151] The analysis and detection module 1202 is used to determine the target encoding sequence corresponding to the target signaling based on the service identifier carried in the target signaling and the pre-saved correspondence between the service identifier and the encoding sequence. If the target encoding sequence contains the updated encoding sequence to be detected, it is determined that the target signaling transmission has not been erroneous.

[0152] Furthermore, the marking module 1201 is also used to obtain a preset string template; for each preset field in the string template, obtain the target attribute represented by the preset field and obtain the attribute value of the network element under the target attribute; update the content of the preset field in the string template using the attribute value; and determine the string template after each preset field is updated as the first code.

[0153] Furthermore, the marking module 1201 is also used to update the header of the target signaling using the first encoding if the network element is the first network element to send the target signaling; and to send the updated target signaling to other network elements corresponding to the address according to the address carried in the target signaling.

[0154] Furthermore, the marking module 1201 is specifically used to update the content of the first preset position in the routing extension header (SRH) of the message header using the first encoding.

[0155] Furthermore, the marking module 1201 is also configured to, if the network element is not the first network element to send the target signaling, obtain the second code corresponding to the network element that last sent the target signaling carried in the header of the target signaling; update the header of the target signaling using the first code and the second code; and send the updated target signaling to other network elements corresponding to the address according to the address carried in the target signaling.

[0156] Furthermore, the marking module 1201 is specifically used to update the content of a first preset position in the SRH extension header of the message header using the first encoding; and to update the content of a second preset position in the SRH extension header of the message header using the second encoding.

[0157] Furthermore, the analysis and detection module 1202 is specifically used to add the first code to the end of the code sequence to be detected.

[0158] Example 7:

[0159] Based on the above embodiments, this application also provides an electronic device. Figure 13 This application provides a schematic diagram of an electronic device structure, such as... Figure 13As shown, it includes: processor 1301, communication interface 1302, memory 1303 and communication bus 1304, wherein processor 1301, communication interface 1302 and memory 1303 communicate with each other through communication bus 1304;

[0160] The memory 1303 stores a computer program. When the program is executed by the processor 1301, the processor 1301 performs the following steps:

[0161] Intercept the target signaling sent by the network element and obtain the first code corresponding to the pre-saved network element;

[0162] Based on the International Mobile Subscriber Identity (IMSI) carried in the target signaling, obtain the stored target signaling corresponding to the detection code sequence, and update the detection code sequence according to the first code;

[0163] Based on the service identifier carried in the target signaling and the pre-saved correspondence between the service identifier and the encoding sequence, the target encoding sequence corresponding to the target signaling is determined. If the target encoding sequence contains the updated encoding sequence to be detected, it is determined that the target signaling transmission has not been erroneous.

[0164] In one possible implementation, the processor is further configured to:

[0165] Get the preset string template;

[0166] For each preset field in the string template, obtain the target attribute represented by the preset field and obtain the attribute value of the network element under the target attribute; use the attribute value to update the content of the preset field in the string template;

[0167] The string template for each preset field after update is determined to be the first encoding.

[0168] In one possible implementation, the processor is further configured to:

[0169] The header of the target signaling is updated using the first encoding;

[0170] Based on the address carried in the target signaling, the updated target signaling is sent to other network elements corresponding to the address.

[0171] In one possible implementation, the processor is further configured to:

[0172] The first encoding is used to update the content of the first preset position in the routing extension header (SRH) of the message header.

[0173] In one possible implementation, the processor is further configured to:

[0174] Obtain the second code corresponding to the network element that last sent the target signaling, carried in the header of the target signaling message;

[0175] The header of the target signaling is updated using the first encoding and the second encoding;

[0176] Based on the address carried in the target signaling, the updated target signaling is sent to other network elements corresponding to the address.

[0177] In one possible implementation, the processor is further configured to:

[0178] The first encoding is used to update the content at the first preset position in the SRH extension header of the message header;

[0179] The second encoding is used to update the content at the second preset position in the SRH extension header of the message header.

[0180] In one possible implementation, the processor is further configured to:

[0181] The first code is added to the end of the code sequence to be detected.

[0182] Since the principle of the above-mentioned electronic device in solving the problem is similar to that of the signaling transmission detection method, the implementation of the above-mentioned electronic device can be found in the embodiments of the method, and repeated details will not be repeated.

[0183] The communication bus mentioned in the above-mentioned electronic device can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. This communication bus can be divided into address bus, data bus, control bus, etc. For ease of illustration, only one thick line is used in the figure, but this does not indicate that there is only one bus or one type of bus. The communication interface 1302 is used for communication between the above-mentioned electronic device and other devices. The memory can include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the memory can also be at least one storage device located remotely from the aforementioned processor.

[0184] The processors mentioned above can be general-purpose processors, including central processing units, network processors (NPs), etc.; they can also be digital signal processors (DSPs), application-specific integrated circuits, field-programmable gate arrays or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.

[0185] Example 8:

[0186] Based on the above embodiments, this invention also provides a computer-readable storage medium storing a computer program executable by a processor. When the program runs on the processor, it causes the processor to perform the following steps:

[0187] Intercept the target signaling sent by the network element and obtain the first code corresponding to the pre-saved network element;

[0188] Based on the International Mobile Subscriber Identity (IMSI) carried in the target signaling, obtain the stored target signaling corresponding to the detection code sequence, and update the detection code sequence according to the first code;

[0189] Based on the service identifier carried in the target signaling and the pre-saved correspondence between the service identifier and the encoding sequence, the target encoding sequence corresponding to the target signaling is determined. If the target encoding sequence contains the updated encoding sequence to be detected, it is determined that the target signaling transmission has not been erroneous.

[0190] In one possible implementation, the method for determining the first code includes:

[0191] Get the preset string template;

[0192] For each preset field in the string template, obtain the target attribute represented by the preset field and obtain the attribute value of the network element under the target attribute; use the attribute value to update the content of the preset field in the string template;

[0193] The string template for each preset field after update is determined to be the first encoding.

[0194] In one possible implementation, if the network element is the first network element to send the target signaling, after obtaining the pre-saved first code corresponding to the network element, the method further includes:

[0195] The header of the target signaling is updated using the first encoding;

[0196] Based on the address carried in the target signaling, the updated target signaling is sent to other network elements corresponding to the address.

[0197] In one possible implementation, updating the header of the target signaling using the first encoding includes:

[0198] The first encoding is used to update the content of the first preset position in the routing extension header (SRH) of the message header.

[0199] In one possible implementation, if the network element is not the first network element to send the target signaling, after obtaining the pre-saved first code corresponding to the network element, the method further includes:

[0200] Obtain the second code corresponding to the network element that last sent the target signaling, carried in the header of the target signaling message;

[0201] The header of the target signaling is updated using the first encoding and the second encoding;

[0202] Based on the address carried in the target signaling, the updated target signaling is sent to other network elements corresponding to the address.

[0203] In one possible implementation, updating the header of the target signaling using the first encoding and the second encoding includes:

[0204] The first encoding is used to update the content at the first preset position in the SRH extension header of the message header;

[0205] The second encoding is used to update the content at the second preset position in the SRH extension header of the message header.

[0206] In one possible implementation, updating the detected coding sequence according to the first coding includes:

[0207] The first code is added to the end of the code sequence to be detected.

[0208] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0209] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to this application. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0210] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0211] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0212] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. A signaling transmission detection method, characterized in that, The method includes: Intercept the target signaling sent by the network element and obtain the first code corresponding to the network element that is saved in advance; the first code is the sequence number of the network element in the standard process corresponding to the service when the network element executes the service corresponding to the target signaling; Based on the International Mobile Subscriber Identity (IMSI) carried in the target signaling, obtain the stored target signaling corresponding to the detection code sequence, and update the detection code sequence according to the first code; Based on the service identifier carried in the target signaling and the pre-saved correspondence between the service identifier and the encoding sequence, the target encoding sequence corresponding to the target signaling is determined. If the target encoding sequence contains the updated encoding sequence to be detected, it is determined that the target signaling transmission has not been erroneous. The target encoding sequence is the order of the first encoding of each network element processed sequentially when 5GC processes the target signaling corresponding to the service identifier according to the standard procedure. The step of updating the code sequence to be detected according to the first code includes: The first code is added to the end of the code sequence to be detected.

2. The method according to claim 1, characterized in that, The method for determining the first code includes: Get the preset string template; For each preset field in the string template, obtain the target attribute represented by the preset field and obtain the attribute value of the network element under the target attribute; use the attribute value to update the content of the preset field in the string template; The string template for each preset field after update is determined to be the first encoding.

3. The method according to claim 1, characterized in that, If the network element is the first network element to send the target signaling, after obtaining the pre-saved first code corresponding to the network element, the method further includes: The header of the target signaling is updated using the first encoding; Based on the address carried in the target signaling, the updated target signaling is sent to other network elements corresponding to the address.

4. The method according to claim 3, characterized in that, The step of updating the header of the target signaling using the first encoding includes: The first encoding is used to update the content of the first preset position in the routing extension header (SRH) of the message header.

5. The method according to claim 1, characterized in that, If the network element is not the first network element to send the target signaling, after obtaining the pre-saved first code corresponding to the network element, the method further includes: Obtain the second code corresponding to the network element that last sent the target signaling, carried in the header of the target signaling message; The header of the target signaling is updated using the first encoding and the second encoding; Based on the address carried in the target signaling, the updated target signaling is sent to other network elements corresponding to the address.

6. The method according to claim 5, characterized in that, The step of updating the header of the target signaling using the first encoding and the second encoding includes: The first encoding is used to update the content at the first preset position in the SRH extension header of the message header; The second encoding is used to update the content at the second preset position in the SRH extension header of the message header.

7. A signaling transmission detection device, characterized in that, The device includes: The marking module is used to intercept target signaling sent by a network element, obtain a first code corresponding to the network element that is pre-saved; obtain a stored code sequence to be detected corresponding to the target signaling based on the International Mobile Subscriber Identity (IMSI) carried in the target signaling, and update the code sequence to be detected based on the first code; the first code is the sequence number of the network element in the standard process corresponding to the service when the network element executes the service corresponding to the target signaling. The analysis and detection module is used to determine the target encoding sequence corresponding to the target signaling based on the service identifier carried in the target signaling and the pre-saved correspondence between the service identifier and the encoding sequence. If the target encoding sequence contains the updated encoding sequence to be detected, it is determined that the target signaling transmission has not been erroneous. The target encoding sequence is the order of the first encodings of each network element processed sequentially when 5GC processes the target signaling corresponding to the service identifier according to the standard procedure. Specifically, the marking module is used to add the first code to the end of the code sequence to be detected.

8. An electronic device, characterized in that, The electronic device includes a processor that executes a computer program stored in a memory to implement the steps of the signaling transmission detection method as described in any one of claims 1-6.

9. A computer-readable storage medium, characterized in that, It stores a computer program that, when executed by a processor, implements the steps of the signaling transmission detection method as described in any one of claims 1-6.