IoT card illegal data flow interception method and device, network equipment and storage medium
By identifying and intercepting illegal data streams from IoT cards in real time through user plane function network elements at the edge of the operator's network, the time lag problem of illegal use of IoT cards in existing technologies is solved, and fast and effective interception of illegal data streams is achieved.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patent (China)
- Current Assignee / Owner: CHINA TELECOM CORP LTD
- Filing Date: 2021-12-17
- Publication Date: 2026-06-26
AI Technical Summary
Existing technologies for identifying and intercepting the unauthorized use of IoT cards suffer from time lag, making it impossible to promptly prevent violations.
At the user plane function network element at the edge of the operator's network, illegal data streams are identified and blocked in real time through a deep packet analysis engine. Illegal data streams from IoT cards are identified using traffic splitting rules and blacklists, including traffic splitting and blocking of data streams in the basic network.
It enables real-time identification and interception of illegal data streams from IoT cards, avoiding delayed losses from illegal activities and improving network security and efficiency.
Abstract figure: CN116266792B_ABST
Description
Technical Field
[0001] This application relates to the field of network security technology, and in particular to methods, devices, network equipment and storage media for intercepting unauthorized data streams from Internet of Things (IoT) cards.
Background Technology
[0002] In existing technologies for identifying and intercepting the misuse of IoT cards, a dedicated identification system has to be built outside the operator's network to collect and analyze the IoT card's internet access logs, internet access data, and SMS messages. Once an IoT card has been identified as misused on the basis of this analysis, the holder is warned or the IoT card is suspended.
[0003] Therefore, a certain amount of data must be accumulated before a violation can be identified and acted upon. This introduces a time lag, meaning that violations can only be stopped after they have already occurred.
[0004] Summary of the Invention
[0005] In view of the shortcomings of the prior art described above, the purpose of this application is to provide a method, apparatus, network device and storage medium for intercepting illegal data streams of IoT cards, so as to solve the above problems.
[0006] The first aspect of this application provides a method for intercepting illegal data streams from IoT SIM cards, applied to a first user plane functional network element at the edge of the Internet of Things (IoT). The method includes: the first user plane functional network element acquiring a data stream from a terminal equipped with an IoT SIM card; the first user plane functional network element determining a diversion target for the data stream according to diversion rules; wherein the diversion target includes: an IoT private network and a basic network; the first user plane functional network element calling a deep packet inspection engine to analyze whether the data stream with the basic network as the diversion target is an illegal data stream that meets the illegality criteria, the illegality criteria including: the data stream originates from a user of the IoT SIM card and has application characteristics that match those in a blacklist; and the illegal data stream is intercepted.
[0007] In some embodiments, the analysis of whether a data flow with the basic network as the diversion target is a non-compliant data flow includes: the first user plane function network element only performs matching on a preset number of packets at the beginning of each data flow to determine whether the data flow is a non-compliant data flow; when the first user plane function network element receives a packet of the same data flow that has been determined to be a non-compliant data flow, it performs interception.
[0008] In some embodiments, the analysis of whether a data stream targeting the underlying network is a non-compliant data stream that meets the violation criteria includes: the deep packet analysis engine using an application feature library to identify whether the application features of the data stream belong to a blacklist.
[0009] In some embodiments, the first user plane function network element is implemented through a vector packet processing framework; the first user plane function network element calling the deep packet analysis engine includes: the first user plane function network element placing the packets of the data stream into the IP protocol stack for packet processing; when the packets reach the rule processing node, the deep packet analysis engine is called to analyze the packets; wherein, the rule processing node allows the packets to be forwarded when all packets meet the preset rules; each preset rule includes: non-violation rules, forwarding behavior rules, QoS execution rules, and usage reporting rules.
[0010] In some embodiments, the interception includes: performing packet loss processing on the data stream packets.
[0011] In some embodiments, the blacklist is sent by the network management system to the first user plane function network element through the gateway interface.
[0012] In some embodiments, the first user plane function network element is located in a 5G communication network; the first user plane function network element accesses the IoT private network through the N6 interface; the first user plane function network element accesses the basic network through the N9 interface, and accesses the basic network through the second user plane function network element of the basic network.
[0013] A second aspect of this application provides an interception device for illegal data streams from IoT cards, applied to a first user plane functional network element at the edge of the Internet of Things (IoT). The device includes: a traffic acquisition module for acquiring data streams from terminals equipped with IoT cards; a traffic splitting module for determining the splitting target of the data stream according to splitting rules; wherein the splitting target includes: IoT private networks and basic networks; an illegal analysis module for calling a deep packet inspection engine to analyze whether the data stream with the basic network as the splitting target is an illegal data stream that meets the illegal conditions, the illegal conditions including: the data stream originates from a user of the IoT card and has application characteristics that match those in a blacklist; and an interception module for intercepting the illegal data stream.
[0014] A third aspect of this application provides a network device, comprising: a communicator, a memory, and a processor; the communicator is used for communicating with an external source; the memory is used for storing program instructions; and the processor is used for executing the program instructions to perform the interception method as described in any of the first aspects.
[0015] A fourth aspect of this application provides a computer-readable storage medium storing program instructions that are executed to perform the interception method as described in any of the first aspects.
[0016] As described above, this application provides a method, apparatus, network device, and storage medium for intercepting illegal data streams from IoT cards. A first user plane function network element acquires a data stream from a terminal equipped with an IoT card. The first user plane function network element determines the diversion target of the data stream according to diversion rules. The diversion target includes: an IoT private network and a basic network. The first user plane function network element invokes a deep packet inspection engine to analyze whether the data stream with the basic network as the diversion target is an illegal data stream that meets the violation conditions. The violation conditions include: the data stream originates from a user of the IoT card and has application characteristics that match those in the blacklist. The illegal data stream is then intercepted. By using a user plane function network element at the edge of the operator network, illegal data streams can be identified and intercepted in real time, thereby solving the problem of delayed interception of illegal data streams from IoT cards in related technologies.
Brief Description of the Drawings
[0017] Figure 1 is a structural schematic diagram of an application scenario in one embodiment of this application.
[0018] Figure 2 is a schematic diagram of the structure of the basic network in Figure 1.
[0019] Figure 3 is a flowchart of a method for intercepting unauthorized data streams from an IoT card according to one embodiment of this application.
[0020] Figure 4 is a schematic diagram of the principle of DPI detection implemented by the first user plane function network element based on the VPP framework in one embodiment of this application.
[0021] Figure 5 is a schematic diagram of the modules of a device for intercepting illegal data streams from an IoT card in one embodiment of this application.
[0022] Figure 6 is a schematic diagram of the circuit structure of a network device according to one embodiment of this application.
Detailed Description
[0023] The following specific examples illustrate the implementation methods of this application. Those skilled in the art can easily understand other advantages and effects of this application from the information disclosed herein. This application can also be implemented or applied through other different specific embodiments, and various details in this application can be modified or changed according to different viewpoints and application systems without departing from the spirit of this application. It should be noted that, unless otherwise specified, the embodiments and features in the embodiments of this application can be combined with each other.
[0024] The embodiments of this application will now be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily implement the application. This application may be embodied in many different forms and is not limited to the embodiments described herein.
[0025] In this application, the terms "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., refer to specific features, structures, materials, or characteristics represented in connection with that embodiment or example, which are included in at least one embodiment or example of this application. Furthermore, the specific features, structures, materials, or characteristics represented may be combined in any suitable manner in one or more embodiments or examples. Moreover, without contradiction, those skilled in the art can combine and integrate different embodiments or examples represented in this application, as well as features of different embodiments or examples.
[0026] Furthermore, the terms "first" and "second" are used for illustrative purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one of that feature. In the representation of this application, "multiple" means two or more, unless otherwise explicitly specified.
[0027] For the purpose of clearly describing this application, devices that are not relevant to the description are omitted, and the same or similar components throughout the specification are given the same reference numerals.
[0028] Throughout this specification, when it is said that a device is "connected" to another device, this includes not only "direct connection" but also "indirect connection" by placing other components in between. Furthermore, when it is said that a device "comprises" a certain constituent element, unless otherwise stated otherwise, this does not exclude other constituent elements, but rather implies that other constituent elements may be included.
[0029] While the terms first, second, etc., are used in some examples herein to refer to various elements, these elements should not be limited by these terms. These terms are used only to distinguish one element from another. For example, first interface and second interface, etc., are used. Furthermore, as used herein, the singular forms “a,” “an,” and “the” are intended to also include the plural forms unless the context indicates otherwise. It should be further understood that the terms “comprising,” “including,” indicate the presence of the stated feature, step, operation, element, module, item, kind, and / or group, but do not exclude the presence, occurrence, or addition of one or more other features, steps, operations, elements, modules, items, kinds, and / or groups. The terms “or” and “and / or” as used herein are interpreted as inclusive, or mean any one or any combination thereof. Thus, “A, B, or C” or “A, B, and / or C” means “any one of: A; B; C; A and B; A and C; B and C; A, B, and C.” Exceptions to this definition will only occur if the combination of elements, functions, steps, or operations is inherently mutually exclusive in some way.
[0030] The technical terms used herein are for reference only to specific embodiments and are not intended to limit the scope of this application. The singular form used herein includes the plural form unless the statement explicitly indicates otherwise. The word "comprising" as used in the specification means to specify a particular characteristic, region, integer, step, operation, element, and / or component, and does not exclude the presence or addition of other characteristics, regions, integers, steps, operations, elements, and / or components.
[0031] Although not explicitly defined, all terms, including technical and scientific terms used herein, shall have the same meaning as commonly understood by one of ordinary skill in the art to which this application pertains. Terms defined in commonly used dictionaries shall be further interpreted as having a meaning consistent with the relevant technical literature and the message of the present invention, and shall not be over-interpreted as having an ideal or overly formulaic meaning unless otherwise defined.
[0032] Currently, with the increasing popularity of IoT applications, operators are issuing IoT SIM cards to IoT users. An IoT SIM card is an electronic card provided by operators to IoT users, storing the user's unique identity within the IoT ecosystem. IoT users can wirelessly access the IoT via IoT terminals equipped with the IoT SIM card, obtaining basic services such as wireless data, voice, or SMS, as well as operational services such as communication connection management and terminal management.
[0033] However, IoT SIM cards are sometimes used improperly. IoT SIM cards are essentially data SIM cards; using them as regular data SIM cards for network access on mobile devices such as smartphones and tablets constitutes a violation, and the resulting data flow is considered illegal and needs to be blocked.
[0034] Typical network traffic interception methods, such as building an independent IoT card violation analysis system outside the operator's network and connecting it to the operator's network, collect IoT users' internet access logs, internet access information, and SMS logs, including: internet access time, accessed network address, IoT card number, SMS sending time, SMS content, network element base station information, location area information, terminal device type, and IoT card registration user data. Analysis can only be performed after all this data has been collected in order to identify violations and take measures. This has a certain time lag problem, which may result in violations already being committed.
[0035] In view of this, in the embodiments of this application, by performing violation detection on traffic diverted to the basic network (also known as the operator's "big network") by the user plane function (UPF) network element at the edge of the operator's network, the violation can be intercepted before it occurs, thereby avoiding the problem of lag in the current violation interception technology.
[0036] As shown in Figure 1, a structural schematic of an application scenario in one embodiment of this application is illustrated.
[0037] Figure 1 illustrates a network system, which can be a 5G network system. The network system includes: a terminal 101, a base station 102, a first user plane function network element 103, an IoT private network 104, an operator's basic network 105 (i.e., the main network), a public network 106, and a network management system 107.
[0038] In some embodiments, the terminal 101 can access the base station 102. The terminal 101 may be a mobile terminal 101 or an Internet of Things (IoT) terminal 101. The terminal 101 may be equipped with an IoT SIM card. The terminal 101, equipped with the IoT SIM card, connects to the base station 102 for authentication. After successful authentication, it accesses the network and connects to the first user plane functional network element 103 via the base station 102. The uplink data stream from the terminal 101 is transmitted to the first user plane functional network element 103 via the base station 102. The target that the data stream from the terminal 101 needs to access may be a private IoT network 104 or a public network 106. The public network 106 is referred to as the "public network," such as the Internet.
[0039] The first user plane function network element 103, connected to the base station 102 via the N3 interface, routes the data stream from the base station 102 according to its destination. This routing can be achieved by matching the user uplink classifier against the data stream's packet structure. If the data stream is determined to be destined for the IoT private network 104, it is routed to the IoT private network 104, for example, by sending it to the connected IoT private network 104 via the local N6 interface, as shown by arrow A in the figure. If the data stream is determined to be from an IoT card to the public network 106, then the data stream is routed to the basic network 105, for example, by sending it to the connected basic network 105 via the local N6 interface, as shown by arrow B in the figure. Furthermore, before outputting the data stream to the basic network 105, the first user plane function network element 103 performs violation detection on the data stream destined for the basic network 105. If a violation is detected (e.g., it is found that an IoT card user is using a mobile internet service application, such as a chat tool), then the data stream is intercepted.
[0040] Therefore, by using the first user plane function network element 103 at the edge of the operator network, it is possible to detect whether a data flow is illegal before it flows into the main network and to intercept illegal data flows in real time. This is efficient and fast, and effectively avoids the losses caused by the lag in intercepting illegal data flows after they have accessed the target network.
[0041] In some embodiments, the network management system 107 can send a blacklist to the first user plane function network element 103 via the network management interface. The blacklist contains a list of non-compliant applications (such as chat software and short video software, which an IoT card user can only reach by consuming internet traffic). Optionally, the network management system 107 can dynamically send the blacklist to the first user plane function network element 103, for example, by choosing a time when the network element is idle or active; or, for example, by dynamically updating the blacklist before sending it, so that non-compliant data streams of changing types can be identified more flexibly.
[0042] Referring also to Figure 2, exemplarily, the basic network 105 may include: a second user plane function (UPF) network element, which receives the data stream transmitted by the first user plane function network element through the N9 interface, and transmits it to the connected public network 106 through its own N6 interface. Exemplarily, the basic network 105 may also include: an Access and Mobility Management Function (AMF) network element 201, a Session Management Function (SMF) network element 202, a Unified Data Management (UDM) network element 203, and a second user plane function network element 204. Specifically, UDM 203 connects to SMF 202 via interface N10 and to AMF 201 via interface N8. AMF 201 connects to SMF 202 via interface N11. SMF 202 connects to the second user plane function element 204 (i.e., the second UPF) via interface N4. AMF 201 connects to base station 102 via interface N2 and connects to the first user plane function element 103 (i.e., the first UPF) via interface N4. In contrast to the second user plane function element of the main network, the first user plane function element 103 can also be referred to as the intermediate UPF, abbreviated as I-UPF.
[0043] It should be noted that Figure 2 is merely an example of a basic network 105 provided by an operator, and can be varied according to the actual scenario; it is not intended as a limitation. In addition, the term "network element" in the above embodiments refers to a functional unit in the network. Each network element may be implemented in an independent hardware device (such as a server) or may be implemented as a software logic function in a hardware device.
[0044] As shown in Figure 3, a flowchart of a method for intercepting unauthorized data streams from an IoT card according to an embodiment of this application is illustrated. This method can be applied, for example, to the first user plane function network element in the network of Figure 1 or Figure 2.
[0045] In Figure 3, the method includes:
[0046] Step S301: The first user plane functional network element acquires the data stream from the terminal equipped with the IoT card.
[0047] For example, in Figure 1, the first user plane function network element receives the uplink packets of the terminal from the base station.
[0048] Step S302: The first user plane functional network element determines the data flow diversion target according to the diversion rules.
[0049] The traffic diversion targets include: IoT private networks and basic networks. The traffic diversion rules include uplink classification diversion rules, which are matched with uplink packets in the data stream and forwarded accordingly to either the IoT private network or the basic network.
[0050] Step S303: The first user plane functional network element calls the deep packet analysis engine to analyze whether the data flow with the basic network as the diversion target is a non-compliant data flow that meets the violation conditions. The violation conditions include: the data flow originates from the user of the IoT card and has application characteristics that meet the blacklist.
[0051] In some embodiments, the Deep Packet Inspection (DPI) engine may be built into the first user plane function network element.
[0052] Typical network devices only examine the Ethernet and IP headers of packets, without analyzing the contents of the TCP / UDP fields; this is called shallow packet inspection. In contrast, DPI (Deep Packet Inspection) examines the contents of the TCP / UDP fields, hence the name. By inspecting packets using DPI, application layer protocols can be identified, and appropriate measures can be taken based on the identified protocols (such as logging HTTP access behavior). For the TCP protocol, it can identify the complete TCP interaction process, such as the multiple TCP packet transmissions between the request and response stages of an HTTP request.
[0053] The deep packet inspection engine may have an application feature library to identify application characteristics of data streams (such as the type of corresponding application software) and determine whether the application characteristics belong to a blacklist. For example, for IoT card users, blacklisted application characteristics include domain names, IP addresses, or specific field values in messages from chat software and short video platforms. In some embodiments, a combination of whitelists and / or blacklists can be used to identify illegal data streams. For example, data streams identified by the deep packet inspection engine as belonging to the whitelist or as unrecognizable can be allowed to pass, while those identified as belonging to the blacklist are blocked (e.g., by packet loss handling). Alternatively, data streams that match the characteristics of blacklisted applications can be blocked.
[0054] In some embodiments, the first user plane function network element can be implemented using a Vector Packet Processing (VPP) framework.
[0055] As shown in Figure 4, an example is illustrated of a first user plane function network element (FPF), implemented using VPP, invoking a deep packet analysis engine. The FPF element places data stream packets into the IP protocol stack for processing. The dpdk_input node receives packets from the DPDK driver and passes them into the IP protocol stack. In the IP protocol stack, for an exemplary IPv4 packet, the process proceeds sequentially from the ip4-input node (handling IPv4 packet input), the ip4-lookup node (for IPv4 packet lookup), the ip4-local node (for local IPv4 packet processing), and then to the ip4-udp-lookup node (for IPv4 UDP packet lookup, corresponding to packets in mobile communication networks). For IPv4 UDP packets, the process proceeds sequentially from the upu-gtpu4-input node (forwarding plane IPv4 GTPU packet input), through the upu-flow-proces node (forwarding plane data flow processing), or possibly the branch node upu-workers-handoff (forwarding plane worker thread handoff), to the upu-rules-process node for forwarding plane rule processing. In a possible example, the rules are logically related by conjunction: the packet is forwarded only if it meets all the preset rules. Specifically, a preset rule can be established for DPI detection. When the packet reaches the upu-rules-process node, the DPI detection rule processing can be triggered, and the DPI analysis engine can be invoked to detect whether the packet violates regulations. The preset rules include: non-violation rules (i.e., no violation detected by the DPI analysis engine), forwarding action rules (FAR), QoS enforcement rules (QER), and usage reporting rules (URR), etc.
[0056] In some embodiments, to reduce the impact of violation detection on the forwarding performance of the first user plane function network element, only a preset number of packets at the beginning of each data flow can be matched for compliance with violation conditions. For example, the first user plane function network element only checks the headers of the first 10 packets of each data flow (which can be determined based on the byte size, such as the first 64 or the first 128 bytes) to determine whether the data flow is a violation flow and intercepts the current packets. After determining that it is a violation flow, if a packet of the violation flow is received again, there is no need to perform violation detection again; it can be directly intercepted, thereby minimizing the forwarding delay caused by violation detection packets and ensuring that the normal forwarding performance of the first user plane function network element is not affected.
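The following is an added illustration, not code from the patent or from China Telecom, of the interception path of paragraphs [0049] to [0056] as a single Python model: uplink classification of a packet to the IoT private network (N6) or the basic network (N9), a toy DPI engine that extracts an HTTP Host header or a TLS ClientHello SNI and matches it, the destination IP, or a literal field value against a blacklist, a per-flow packet budget so that only the first N packets of each flow are inspected, and a cached per-flow verdict so that later packets of a flow already judged a violation are dropped without invoking DPI again. The private-network prefix, the blacklist entries (including the `X-App-Id` header), the budgets of 10 packets and 128 bytes, the `Packet` class and the `from_iot_card` flag are all constructed assumptions for the example; the real UPF keeps this state in its forwarding plane and learns the subscriber's card type from session setup.

```python
# Added example (not the patent's code): toy model of the I-UPF path in steps S301-S304.
# The prefixes, blacklist, budgets and Packet class are constructed for illustration.
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed uplink-classifier diversion rule: destinations inside the IoT private
# network prefix go out over N6; everything else is diverted to the basic network (N9).
IOT_PRIVATE_PREFIXES = (ip_network("10.10.0.0/16"),)

# Constructed application feature library / blacklist of the kind the network management
# system would push to the UPF: domain suffixes, IP addresses and literal field values.
BLACKLIST = {
    "domains": ("chat.example", "shortvideo.example"),
    "ips": (ip_address("203.0.113.7"),),
    "field_values": (b"X-App-Id: shortvideo",),  # hypothetical app-specific header
}

DPI_PACKET_BUDGET = 10  # inspect only the first N packets of each flow
DPI_BYTE_BUDGET = 128   # and only the leading bytes of each of those packets


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes
    from_iot_card: bool = True  # subscriber holds an IoT card; known from session setup


def flow_key(pkt):
    """5-tuple identifying the data flow a packet belongs to."""
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)


def divert_target(pkt):
    """Step S302: classify to 'iot_private' (local N6) or 'basic' (N9)."""
    dst = ip_address(pkt.dst)
    return "iot_private" if any(dst in n for n in IOT_PRIVATE_PREFIXES) else "basic"


def extract_http_host(head):
    """Lower-cased HTTP Host header value, or None if the payload is not an HTTP request."""
    for line in head.split(b"\r\n"):
        if line[:5].lower() == b"host:":
            return line[5:].strip().decode(errors="replace").lower()
    return None


def extract_tls_sni(head):
    """server_name from a TLS ClientHello, or None if the bytes are not a ClientHello."""
    try:
        if head[0] != 0x16 or head[5] != 0x01:
            return None
        i = 9 + 2 + 32                                   # record + handshake hdr, version, random
        i += 1 + head[i]                                 # session id
        i += 2 + struct.unpack("!H", head[i:i + 2])[0]   # cipher suites
        i += 1 + head[i]                                 # compression methods
        end = i + 2 + struct.unpack("!H", head[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", head[i:i + 4])
            i += 4
            if etype == 0:   # server_name: list len(2), name type(1), name len(2), name
                name_len = struct.unpack("!H", head[i + 3:i + 5])[0]
                return head[i + 5:i + 5 + name_len].decode(errors="replace").lower()
            i += elen
    except (IndexError, struct.error):
        pass
    return None


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello with one SNI extension (sample input)."""
    name = server_name.encode()
    sni = (b"\x00\x00" + struct.pack("!H", len(name) + 5) + struct.pack("!H", len(name) + 3)
           + b"\x00" + struct.pack("!H", len(name)) + name)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def dpi_match(pkt, blacklist):
    """Step S303: match one packet's application features against the blacklist."""
    head = pkt.payload[:DPI_BYTE_BUDGET]
    if ip_address(pkt.dst) in blacklist["ips"]:
        return "ip"
    host = extract_http_host(head) or extract_tls_sni(head)
    if host and any(host == d or host.endswith("." + d) for d in blacklist["domains"]):
        return "domain"
    if any(v in head for v in blacklist["field_values"]):
        return "field"
    return None


class Interceptor:
    """Per-flow state at the rules node: packets inspected so far and a cached verdict."""

    def __init__(self, blacklist=BLACKLIST):
        self.blacklist = blacklist
        self.flows = {}
        self.dpi_calls = 0  # counts DPI invocations, to show the per-flow budget

    def process(self, pkt):
        """Return ('forward', interface) or ('drop', reason) for one uplink packet."""
        if divert_target(pkt) == "iot_private":
            return ("forward", "N6")
        if not pkt.from_iot_card:           # violation condition requires an IoT card user
            return ("forward", "N9")
        st = self.flows.setdefault(flow_key(pkt), {"seen": 0, "verdict": None})
        if st["verdict"] == "violation":
            return ("drop", "cached")       # step S304 without re-running DPI
        if st["verdict"] is None:
            st["seen"] += 1
            self.dpi_calls += 1
            reason = dpi_match(pkt, self.blacklist)
            if reason:
                st["verdict"] = "violation"
                return ("drop", reason)
            if st["seen"] >= DPI_PACKET_BUDGET:
                st["verdict"] = "clean"     # budget spent: no further DPI on this flow
        return ("forward", "N9")
```

The two budgets are what keep the check off the fast path: a flow that passes its first ten packets is never inspected again, and a flow that fails is dropped on a flow-table lookup alone. The trade-off a defender should note is that a verdict of "clean" is final for the life of the flow, so an application that delays its identifying traffic past the packet budget would not be caught by this model.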
[0057] Step S304: Intercept the illegal data stream.
[0058] For example, packet loss processing can be performed on packets from illegal data streams.
[0059] As shown in Figure 5, a module schematic of a device for intercepting illegal data streams from an IoT card according to an embodiment of this application is illustrated. Since the principle of the interception device follows the method embodiments above, its technical features will not be repeated here.
[0060] The interception device 500 includes:
[0061] The traffic acquisition module 501 is used to acquire data streams from terminals equipped with IoT cards;
[0062] Traffic splitting module 502 is used to determine the splitting target of the data stream according to the splitting rules; wherein, the splitting target includes: IoT private network and basic network;
[0063] The violation analysis module 503 is used to call the deep packet analysis engine to analyze whether the data stream with the basic network as the diversion target is a violation data stream that meets the violation conditions. The violation conditions include: the data stream originates from the user of the IoT card and has application characteristics that meet the blacklist.
[0064] The interception module 504 is used to intercept the illegal data stream.
[0065] In some embodiments, the analysis of whether a data flow with the basic network as the diversion target is a non-compliant data flow includes: the first user plane function network element only performs matching on a preset number of packets at the beginning of each data flow to determine whether the data flow is a non-compliant data flow; when the first user plane function network element receives a packet of the same data flow that has been determined to be a non-compliant data flow, it performs interception.
[0066] In some embodiments, the analysis of whether a data stream targeting the underlying network is a non-compliant data stream that meets the violation criteria includes: the deep packet analysis engine using an application feature library to identify whether the application features of the data stream belong to a blacklist.
[0067] In some embodiments, the first user plane function network element is implemented through a vector packet processing framework; the violation analysis module 503 calls the deep packet analysis engine including: placing the data stream packets into the IP protocol stack for packet processing; when the packet reaches the rule processing node, calling the deep packet analysis engine to analyze the packet; wherein, the rule processing node allows the packet to be forwarded when all packets meet the preset rules; each preset rule includes: non-violation rules, forwarding behavior rules, QoS execution rules, and usage reporting rules.
[0068] In some embodiments, the interception includes: performing packet loss processing on the data stream packets.
[0069] In some embodiments, the blacklist is sent by the network management system to the first user plane function network element through the gateway interface.
[0070] In some embodiments, the first user plane function network element is located in a 5G communication network; the first user plane function network element accesses the IoT private network through the N6 interface; the first user plane function network element accesses the basic network through the N9 interface, and accesses the basic network through the second user plane function network element of the basic network.
[0071] It should be noted that the various functional modules in the embodiment of Figure 5 can be implemented, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, they can be implemented, in whole or in part, in the form of a program instruction product. A program instruction product includes one or more program instructions. When the program instructions are loaded and executed on a computer, all or part of the flow or function according to this application is produced. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The program instructions can be stored in a computer-readable storage medium or transferred from one computer-readable storage medium to another.
[0072] Moreover, the apparatus disclosed in the embodiment of Figure 5 can be implemented through other modular division methods. The apparatus embodiments shown above are merely illustrative. For example, the module division is only a logical functional division, and in actual implementation there may be other division methods. For example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the shown or discussed mutual coupling, direct coupling, or communication connection may be through some interfaces; the indirect coupling or communication connection between devices or modules may be electrical or of other forms.
[0073] In addition, the functional modules and sub-modules in the embodiment of Figure 5 can be integrated within a single processing unit, or each module can exist physically independently, or two or more modules can be integrated within a single unit. These integrated units can be implemented in hardware or as software functional modules. If these integrated units are implemented as software functional modules and sold or used as independent products, they can also be stored in a computer-readable storage medium. This storage medium can be a read-only memory, a hard disk, or an optical disk, etc.
[0074] It should be specifically noted that the flowchart representations of the above embodiments of this application can be understood as representing modules, segments, or portions of code comprising one or more executable instructions for implementing a specific logical function or process. Furthermore, the scope of the preferred embodiments of this application includes other implementations in which functions may be performed not in the order shown or discussed, including substantially simultaneously or in reverse order depending on the functions involved.
[0075] For example, the order of the steps in the embodiment of Figure 3 may vary in specific scenarios and is not limited to the representation above.
[0076] Figure 6 is a schematic diagram of the circuit structure of a network device according to an embodiment of this application. The interception method can be implemented by a program running in the network device.
[0077] In some embodiments, the network device 600 is used to implement the first user plane function network element, for example by running a computer program that implements the functions of the first user plane function network element. Optionally, the network device 600 may be, for example, a server.
[0078] The network device 600 includes a bus 601, a processor 602, a memory 603, and a communicator 604. The processor 602 and the memory 603 can communicate with each other via the bus 601. The memory 603 can store program instructions (such as system or application software). The processor 602 implements the steps of the interception method in this embodiment by running the program instructions in the memory 603.
[0079] The bus 601 can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. Buses can be divided into address buses, data buses, control buses, etc. For ease of representation, the bus in Figure 1 is drawn as a single thick line, but this does not mean that there is only one bus or only one type of bus.
[0080] In some embodiments, the processor 602 may be implemented as a central processing unit (CPU), a microcontroller unit (MCU), a system-on-chip (SoC), or a field-programmable gate array (FPGA). The memory 603 may include volatile memory for temporary data storage during program execution, such as random access memory (RAM).
[0081] The memory 603 may also include non-volatile memory for data storage, such as read-only memory (ROM), flash memory, hard disk drive (HDD), or solid-state disk (SSD).
[0082] The communicator 604 is used for external communication. In a specific example, the communicator 604 may include one or more wired and/or wireless communication circuit modules. For example, the wired communication circuit module may include one or more of the following: a wired network card, a USB module, a serial interface module, etc. As another example, the wireless communication protocol followed by the wireless communication module includes one or more of the following: Near-field communication (NFC), Infrared (IR), Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Time-Division Synchronous Code Division Multiple Access (TD-SCDMA), Long Term Evolution (LTE), Bluetooth (BT), Global Navigation Satellite System (GNSS), etc.
[0083] An embodiment of this application may also provide a computer-readable storage medium storing program instructions which, when executed, perform the process steps of the aforementioned method embodiments (for example, those of Figure 3).
[0084] That is, the method steps in the above embodiments are implemented as software or computer code that can be stored in a recording medium (such as a CD-ROM, RAM, floppy disk, hard disk or magneto-optical disk), or as computer code that is originally stored in a remote recording medium or a non-transitory machine-readable medium and is stored in a local recording medium after being downloaded via a network, so that the method described herein can be processed by such software stored on a recording medium using a general-purpose computer, a special-purpose processor, or programmable or special-purpose hardware (such as an ASIC or FPGA).
[0085] In summary, this application provides a method, apparatus, network device, and storage medium for intercepting illegal data streams from IoT cards. The first user plane function network element acquires data streams from terminals equipped with IoT cards. The first user plane function network element determines the diversion target of the data stream according to diversion rules. The diversion targets include: IoT private networks and basic networks. The first user plane function network element invokes a deep packet inspection engine to analyze whether the data stream with the basic network as the diversion target is an illegal data stream that meets the violation conditions. The violation conditions include: the data stream originates from a user of the IoT card and has application characteristics that match those in the blacklist. The illegal data stream is then intercepted. By using a user plane function network element at the edge of the operator network, illegal data streams can be identified and intercepted in real time, thereby solving the problem of delayed interception of illegal data streams from IoT cards in related technologies.
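As an added illustration of the pipeline summarized in [0085] and of the rule handling in [0067] (constructed example code, not the patent's or the applicant's implementation), the following Python model diverts each packet by destination, runs deep packet analysis only on the first N packets of flows bound for the basic network, and drops every later packet of a flow once it has been judged illegal; the private-network prefix, IMSI values, application signatures and blacklist are constructed placeholders.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model; a real UPF works on GTP-U encapsulated IP packets.
Packet = namedtuple("Packet", "imsi src dst payload")

# Assumed diversion rule: destinations inside the IoT private-network prefix
# are diverted to the IoT private network, everything else to the basic network.
IOT_PRIVATE_NET = ipaddress.ip_network("10.200.0.0/16")   # constructed prefix
IOT_CARD_USERS = {"460000000000001"}                        # constructed IMSI
# Assumed application feature library and NMS-pushed blacklist of app names.
APP_SIGNATURES = {b"Host: video.example": "video_streaming"}
BLACKLIST = {"video_streaming"}
FIRST_N_PACKETS = 3  # only the first N packets of a flow are matched (claim 2)


def diversion_target(pkt):
    """Diversion step: returns 'iot_private' or 'basic'."""
    if ipaddress.ip_address(pkt.dst) in IOT_PRIVATE_NET:
        return "iot_private"
    return "basic"


def dpi_app(pkt):
    """Deep packet analysis: map the payload to an application name, or None."""
    for sig, app in APP_SIGNATURES.items():
        if sig in pkt.payload:
            return app
    return None


class EdgeUpf:
    """Per-flow state: packets seen so far and the verdict once it is fixed."""

    def __init__(self):
        self.flows = {}

    def handle(self, pkt):
        if diversion_target(pkt) == "iot_private":
            return "forward:iot_private"       # private-network traffic is not inspected
        key = (pkt.imsi, pkt.src, pkt.dst)
        st = self.flows.setdefault(key, {"seen": 0, "verdict": None})
        st["seen"] += 1
        if st["verdict"] is None and st["seen"] <= FIRST_N_PACKETS:
            # Violation condition: IoT-card user AND blacklisted application.
            if pkt.imsi in IOT_CARD_USERS and dpi_app(pkt) in BLACKLIST:
                st["verdict"] = "violation"
            elif st["seen"] == FIRST_N_PACKETS:
                st["verdict"] = "ok"            # matching window exhausted
        if st["verdict"] == "violation":
            return "drop"                       # packet-loss processing
        return "forward:basic"
```

Because matching stops after the first N packets, a blacklisted signature that first appears later in a flow is not seen; the size of that window is the trade-off between inspection cost and coverage.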
[0086] The above embodiments are merely illustrative of the principles and effects of this application and are not intended to limit this application. Any person skilled in the art can modify or alter the above embodiments without departing from the spirit and scope of this application. Therefore, all equivalent modifications or alterations made by those skilled in the art without departing from the spirit and technical concept disclosed in this application should still be covered by the claims of this application.
Claims
1. A method for intercepting illegal data streams from an IoT card, characterized in that the method is applied to a first user plane function network element at the edge of the Internet of Things and comprises: the first user plane function network element acquires a data stream from a terminal equipped with an IoT card; the first user plane function network element determines the diversion target of the data stream according to diversion rules, wherein the diversion targets include an IoT private network and a basic network; the first user plane function network element calls a deep packet analysis engine to analyze whether the data stream with the basic network as the diversion target is an illegal data stream that meets the violation conditions, wherein the violation conditions include: the data stream originates from a user of the IoT card and has application characteristics that match the blacklist; and the illegal data stream is intercepted.
2. The interception method according to claim 1, characterized in that the analyzing whether the data stream with the basic network as the diversion target is an illegal data stream that meets the violation conditions comprises: the first user plane function network element matches only a preset number of packets at the beginning of each data stream to determine whether the data stream is an illegal data stream; and when the first user plane function network element receives a packet from a data stream that has already been determined to be an illegal data stream, it intercepts the packet.
3. The interception method according to claim 1, characterized in that the analyzing whether the data stream with the basic network as the diversion target is an illegal data stream that meets the violation conditions comprises: the deep packet analysis engine uses an application feature library to identify whether the application characteristics of the data stream belong to the blacklist.
4. The interception method according to claim 1, characterized in that the first user plane function network element is implemented through a vector packet processing framework; the first user plane function network element calling the deep packet analysis engine comprises: the first user plane function network element places the data stream packets into the IP protocol stack for packet processing; when a packet reaches the rule processing node, the deep packet analysis engine is invoked to analyze the packet; the rule processing node allows a packet to be forwarded only when it satisfies all of the preset rules; and the preset rules include: non-violation rules, forwarding behavior rules, QoS execution rules, and usage reporting rules.
5. The interception method according to claim 1 or 2, characterized in that the interception comprises: performing packet loss processing on the data stream packets.
6. The interception method according to claim 1, characterized in that the blacklist is sent by the network management system to the first user plane function network element through the gateway interface.
7. The interception method according to claim 1, characterized in that the first user plane function network element is located in a 5G communication network; the first user plane function network element accesses the IoT private network through the N6 interface, and accesses the basic network through the N9 interface via the second user plane function network element of the basic network.
8. A device for intercepting illegal data streams from an IoT card, characterized in that the device is applied to a first user plane function network element at the edge of the Internet of Things and comprises: a traffic acquisition module, used to acquire data streams from terminals equipped with IoT cards; a traffic diversion module, used to determine the diversion target of the data stream according to diversion rules, wherein the diversion targets include an IoT private network and a basic network; a violation analysis module, used to call a deep packet analysis engine to analyze whether the data stream with the basic network as the diversion target is an illegal data stream that meets the violation conditions, wherein the violation conditions include: the data stream originates from a user of the IoT card and has application characteristics that match the blacklist; and an interception module, used to intercept the illegal data stream.
9. A network device, characterized in that it comprises: a communicator, a memory, and a processor; the communicator is used for external communication; the memory is used to store program instructions; and the processor is used to run the program instructions to perform the interception method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that it stores program instructions which, when executed, perform the interception method according to any one of claims 1 to 7.