Data control method
By analyzing the security risks of service data through NWDAF, identifying and generating corresponding instructions, and driving DC GW to implement dynamic security policy configuration, the problem of insufficient collaboration mechanism between NWDAF and DC GW is solved, and the security protection and response flexibility of 5G network are improved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- LIAONING MOBILE COMM
- Filing Date
- 2026-04-09
- Publication Date
- 2026-07-14
AI Technical Summary
The existing NWDAF analysis capabilities are limited to within the 5G network and lack a direct collaboration mechanism with external network elements such as DC GW. This results in the analysis results being unable to effectively empower the dynamic adjustment of the DC GW's security strategy, thus limiting the data-driven optimization capabilities of the 5G network at the boundary security level.
By performing security risk analysis on business data through NWDAF, abnormal business data is identified and corresponding instructions are generated. This indirectly drives the DC GW to achieve dynamic and granular security policy configuration, including instructions to block and unblock data, policy execution instructions, and the transmission of preset value information and supplementary related information, so as to optimize the security policy and configuration rules of the DC GW.
It enhances the security protection capabilities and response flexibility of the 5G network boundary, ensuring the efficient operation and security of the 5G network. Through the collaborative optimization of NWDAF and DC GW, it realizes the dynamic adjustment of DC GW security policies and the improvement of resource utilization.
Smart Images

Figure CN122395596A_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to the field of communication technology, and in particular to a data control method. Background Technology
[0002] Currently, the Data Center Gateway (DC GW) acts as a border router responsible for data forwarding and security control, while the Network Data Analytics Function (NWDAF) is responsible for collecting and analyzing service data within the 5G core network to optimize network performance and user experience.
[0003] However, the existing solution has the drawback that NWDAF's analysis capabilities are limited to within the 5G network and lack a direct collaboration mechanism with external network elements, especially DC GW. This results in its analysis results being unable to effectively empower the dynamic adjustment of the DC GW's security strategy, thus limiting the data-driven optimization capabilities of the 5G network at the boundary security level.
[0004] Therefore, a data control method is proposed, which enables NWDAF to indirectly drive DC GW to achieve dynamic and refined security policy configuration based on the security risk analysis of service data, thereby improving the security protection capability and response flexibility of 5G network boundary. Summary of the Invention
[0005] In order to solve the above-mentioned technical problems, or at least partially solve the above-mentioned technical problems, this disclosure provides a data control method.
[0006] A first aspect of this disclosure provides a data control method applied to a network data analysis module, comprising: Acquire business data and identify abnormal business data within the business data; The abnormal business data is analyzed based on a multi-dimensional security rule base to obtain the identified content; Send the identified content.
[0007] In one example, the method further includes: Based on the identified content, a blocking data instruction is generated; Send the data blocking command.
[0008] In one example, the method further includes: If it is determined that the abnormal business data does not exist in the business data, a data unblocking instruction is generated; Send the command to unblock the data.
[0009] A second aspect of this disclosure provides a data control method applied to a session management function module, comprising: Receive identified content, and determine the policy execution instruction associated with the identified content based on the identified content; Send the strategy execution command.
[0010] A third aspect of this disclosure provides a data control method applied to a user plane function device, comprising: Receive policy execution instructions; Obtain preset value information associated with the strategy execution instruction, and obtain supplementary association information based on the preset value information; Send the preset value information and the supplementary association information.
[0011] A fourth aspect of this disclosure provides a data control method applied to a data center gateway, comprising: Receive preset value information and supplementary association information; The corresponding security policy is activated based on the preset value information, and the configuration rules matching the corresponding security policy are executed based on the supplementary association information.
[0012] A fifth aspect of this disclosure provides a network data analysis module, comprising: An acquisition unit is used to acquire business data and identify abnormal business data in the business data. The analysis unit is used to analyze the abnormal business data according to a multi-dimensional security rule base to obtain the identified content; The first sending unit is used to send the identified content.
[0013] A sixth aspect of this disclosure provides a session management function module, including: The first receiving unit is configured to receive the identified content and determine the strategy execution instruction associated with the identified content based on the identified content. The second sending unit is used to send the strategy execution instruction.
[0014] A seventh aspect of this disclosure provides a user plane function device, including: The second receiving unit is used to receive policy execution instructions; The determining unit is used to obtain preset value information associated with the strategy execution instruction, and to obtain supplementary association information based on the preset value information; The fifth sending unit is used to send the preset value information and the supplementary association information.
[0015] An eighth aspect of this disclosure provides a data center gateway, including: The third receiving unit is used to receive preset value information and supplementary association information; The execution unit is used to initiate the corresponding security policy according to the preset value information, and to execute the configuration rules that match the corresponding security policy according to the supplementary association information.
[0016] A ninth aspect of this disclosure provides an electronic device, comprising: A processor and a memory, wherein the memory stores a computer program, and when the computer program is executed by the processor, the processor performs the methods described in the first to fourth aspects.
[0017] A tenth aspect of this disclosure provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the methods described in the first to fourth aspects.
[0018] This disclosure provides a data control method, which includes: acquiring service data, identifying abnormal service data within the service data, analyzing the abnormal service data according to a multi-dimensional security rule base to obtain identified content, and finally sending the identified content. This technical solution enables NWDAF to indirectly drive DC GW to achieve dynamic and refined configuration rule configuration based on security risk analysis of service data, thereby improving the security protection capabilities and response flexibility of the 5G network boundary. Attached Figure Description
[0019] The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure.
[0020] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the accompanying drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0021] Figure 1 This is a flowchart illustrating a data control method provided in an embodiment of this disclosure; Figure 2 This is a flowchart illustrating a data control method provided in an embodiment of this disclosure; Figure 3 This is a flowchart illustrating a data control method provided in an embodiment of this disclosure; Figure 4 This is a flowchart illustrating a data control method provided in an embodiment of this disclosure; Figure 5 This is a schematic diagram of the interaction process of a data control method provided in an embodiment of this disclosure; Figure 6 This is a schematic diagram of the structure of a network data analysis module provided in an embodiment of this disclosure; Figure 7 This is a schematic diagram of the structure of a session management function module provided in an embodiment of this disclosure; Figure 8 This is a schematic diagram of the structure of a user plane function device provided in an embodiment of this disclosure; Figure 9 This is a schematic diagram of the structure of a data center gateway provided in an embodiment of this disclosure; Figure 10 This is a schematic diagram of the structure of an electronic device according to an embodiment of this disclosure. Detailed Implementation
[0022] To better understand the above-mentioned objectives, features, and advantages of this disclosure, the solutions disclosed herein will be further described below. It should be noted that, unless otherwise specified, the embodiments and features described herein can be combined with each other.
[0023] Numerous specific details are set forth in the following description in order to provide a full understanding of this disclosure, but this disclosure may also be implemented in other ways different from those described herein; obviously, the embodiments in the specification are only some, and not all, of the embodiments of this disclosure.
[0024] Figure 1 This is a flowchart illustrating a data control method provided in an embodiment of this disclosure, which can be executed by a network data analysis module. Figure 1 As shown, the method provided in this embodiment includes the following steps: S101. Obtain business data and identify abnormal business data.
[0025] In one example, the service data is data received by the network data analysis module. Specifically, it could be service data from a 5G network. NWDAF analyzes this service data. Identify abnormal business data, which may include abnormal traffic patterns or potential security threats, such as abnormal traffic attacks, threat data sources, and untrusted authentication access.
[0026] S102. Analyze abnormal business data based on a multi-dimensional security rule base to obtain the identified content.
[0027] In one example, a multi-dimensional security rule base is used to characterize the mapping relationship between the anomaly type of abnormal business data and the identified content. For details, please refer to the multi-dimensional security rule base shown in Table 1.
[0028] Table 1 Multi-dimensional Security Rule Base
[0029] S103, Send the identification content.
[0030] In one example, the identified content is sent to the Session Management Function (SMF) or the Application Function (AF).
[0031] In one example, the method also includes: Based on the identified content, a data blocking instruction is generated; Send a data blocking command.
[0032] In one example, the data blocking instruction is used to instruct the DC GW to block at the source address.
[0033] In this embodiment, based on the network security risk analysis function introduced by NWDAF, the system comprehensively assesses current business traffic, risk database, and intelligence to identify existing security risks. For example, if NWDAF detects an abnormal security protocol, it accesses the source according to the abnormal protocol, generates a blocking data command, and transmits it through the path between NWDAF-SMF-UPF-DC GW. The DC GW then completes the blocking based on the blocking data command.
[0034] In one example, the method also includes: If it is determined that there is no abnormal business data, a data unblocking instruction is generated; Send a command to unblock data.
[0035] In one example, if NWDAF determines that the relevant risk has been eliminated, or that no new attacks have occurred within a threshold period, it will issue a command to unblock the data. Specifically, the analysis results and the command to unblock the data can be sent in JSON format.
[0036] This disclosure provides a data control method that introduces a configuration rule management mechanism through NWDAF (Network Data Wafer AF) to work collaboratively with 5G core network elements such as SMF (Software Name Function), AF (Automatic AF), and UPF (User-Defined AF) to indirectly influence the behavior and configuration of the DC GW (Distributed Generation Gateway), thereby optimizing configuration rules and dynamic security management capabilities. By leveraging the existing data analysis capabilities of NWDAF and incorporating a multi-dimensional security rule base, the method fully utilizes NWDAF's service analysis capabilities. Although NWDAF cannot directly control the DC GW, through these indirect influence paths, it effectively improves the service performance and security of the DC GW, ensuring the efficient operation of the 5G network.
[0037] Figure 2 This is a flowchart illustrating a data control method provided in an embodiment of this disclosure. This method can be executed by a session management function module. Figure 2 As shown, the method provided in this embodiment includes the following steps: S201. Receive the identified content and determine the policy execution instruction associated with the identified content based on the identified content.
[0038] In one example, the session management module determines the security policy based on the identified content and executes the policy execution instructions corresponding to the security policy.
[0039] Before deploying a 5G network, it is necessary to pre-negotiate and configure the mapping relationships for different requirements of UEs, electronic devices, service data flows, access data networks, security policy controls, N6 channel characteristics, 5G QoS, and slicing. The correspondence between the UPF and the DC GW for channel and service configurations must be defined on the N6 interface. This mapping relationship not only ensures that the DC GW can automatically adjust services based on the received security posture information such as UE configuration, electronic devices, service data flows, access data networks, security policy controls, N6 channel characteristics, 5G QoS, and slicing, but also, combined with the policies of the security hardening and monitoring system deployed in the DC GW, ensures the security and reliability of the configuration rules.
[0040] Based on different service requirements and Service Level Agreements (SLAs), different requirements are defined for 5G configurations, including UEs, electronic devices, service data flows, access data networks, security policy controls, N6 channel characteristics, 5G QoS levels, and slicing. These requirements are mapped to specific service configuration rules, security rule configurations, and security risk identification in the DC GW. Table 2 shows the mapping relationship between security policies and DC GW configuration rules.
[0041] Table 2 Mapping Relationship between Security Policies and DC GW Configuration Rules
[0042] Specifically, access control for critical devices: When the DC GW identifies that the IMSI or SUPI of a specific device is associated with the enterprise's critical business user devices, it will enable strict security policies to restrict access by unauthorized devices and optimize traffic priorities to ensure that critical business data flows are processed first.
[0043] High-security strategy: For PEI devices used by financial institutions, DC GW will implement high-security protection measures, encrypt and restrict access to specific ports, monitor device behavior, and detect and prevent potential security threats in a timely manner.
[0044] Deep Packet Inspection and Control: By analyzing IP address information, the DC GW can identify critical business data flows and allocate dedicated bandwidth and priority to them, ensuring data transmission stability and low latency. At the same time, it enables deep packet inspection to identify and filter abnormal traffic.
[0045] Security control requirements for business scenarios: Based on the business scenarios associated with the DNN, the DC GW can implement customized security policies, such as strict identity authentication and access control for internal network access, and optimize network resource allocation to ensure the efficient operation of internal business.
[0046] Default Configuration: When a packet identifier does not match any specific QoS, slicing, or N6 channel configuration, the DC GW will apply the default configuration. The default configuration typically includes standard bandwidth allocation, latency optimization, and basic firewall rules to ensure that data flows can still be processed even if no specific rule is matched.
[0047] In this embodiment, the session management module combines other data features, such as user identity, industry, and quintuple information, to generate corresponding security policies.
[0048] S202, Send the policy execution command.
[0049] In one example, a policy execution instruction is sent, which is received by the Userplane Function (UPF).
[0050] This disclosure provides a data control method that receives identified content, determines a policy execution instruction associated with the identified content, and sends the policy execution instruction. Using this technical solution, the policy execution instruction is transmitted through a session management function module, and can then be transmitted to the Data Center Gateway (DCGW) in real time, enabling the DCGW to make dynamic adjustments according to its requirements.
[0051] Figure 3 This is a flowchart illustrating a data control method provided in an embodiment of this disclosure, which can be executed by a user plane function device. Figure 3 As shown, the method provided in this embodiment includes the following steps: S301, Receive policy execution instructions.
[0052] In one example, the policy execution instruction is sent by the session management function module.
[0053] S302. Obtain the preset value information associated with the policy execution instruction, and obtain supplementary associated information based on the preset value information.
[0054] In one example, the preset value can be the value of Options. For instance, a preset value of 1 indicates critical device access control; the DC GW will enable strict access control policies for relevant channels / data traffic based on the received information during data flow. A preset value of 2 indicates a high-security policy; the DC GW will enable high-security firewall rules for relevant channels / data traffic based on the received information during data flow, and so on. Based on these rules, NWDAF can indirectly control the DC GW to implement various security policy controls, optimize traffic management, and dynamically adjust service quality.
[0055] In some specific embodiments, the associated information can be an identifier. For example, a preset value of 1 indicates critical device access control, and the associated information can be IMSI / SUPI (Enterprise Critical Business User Equipment).
[0056] S303, Send preset value information and supplementary association information.
[0057] In one example, preset value information and supplementary association information are sent to enable the DC GW to receive them.
[0058] This disclosure provides a data control method, which includes receiving a policy execution instruction, obtaining preset value information associated with the policy execution instruction, obtaining supplementary association information based on the preset value information, and finally sending the preset value information and the supplementary association information. By using this technical solution, and associating and sending preset value information, the amount of data during transmission can be reduced, and the transmission rate can be improved.
[0059] Figure 4 This is a flowchart illustrating a data control method provided in an embodiment of this disclosure, which can be executed by a data center gateway. Figure 4 As shown, the method provided in this embodiment includes the following steps: S401, Receive preset value information and supplementary association information.
[0060] In one example, the preset value information and supplementary association information are sent by the user plane function device.
[0061] S402. Start the corresponding security policy according to the preset value information, and execute the configuration rules that match the corresponding security policy according to the supplementary association information.
[0062] In one example, if the received preset value is 3, the DC GW will initiate a deep packet inspection and control strategy. Combining the IP 5-tuple information, it will allocate dedicated bandwidth and priority to specific critical business data flows to ensure the stability and low latency of data transmission, enable deep packet inspection, and identify and filter abnormal traffic.
[0063] For a clearer explanation, please refer to [link to relevant documentation]. Figure 5 The diagram illustrates the interactive process of a data control method.
[0064] This disclosure provides a data control method, which includes a DC GW receiving preset value information and supplementary association information, activating a corresponding security policy based on the preset value information, and executing configuration rules matching the corresponding security policy based on the supplementary association information. This technical solution improves the functionality and security of the DC GW while effectively enhancing resource utilization, quality of service assurance capabilities, and overall network security in the 5G network.
[0065] Figure 6 This is a schematic diagram of the structure of a network data analysis module provided in an embodiment of this disclosure. This network data analysis module can be understood as the aforementioned electronic device or a portion of the functional modules within the aforementioned electronic device. For example... Figure 6 As shown, the network data analysis module 60 includes: The acquisition unit 601 is used to acquire business data and identify abnormal business data in the business data.
[0066] Analysis unit 602 is used to analyze abnormal business data based on a multi-dimensional security rule base to obtain the identified content.
[0067] The first sending unit 603 is used to send identification content.
[0068] In one example, the network data analysis module 60 includes: The first generation unit 604 is used to generate blocking data instructions based on the identified content; The third transmitting unit 605 is used to transmit blocking data commands.
[0069] In one example, the network data analysis module 60 includes: The second generation unit 606 is used to generate a data unblocking instruction when it is determined that there is no abnormal business data in the business data. The fourth transmitting unit 607 is used to transmit an unblocking data command.
[0070] The apparatus provided in this embodiment can execute the methods of any of the above embodiments, and its execution method and beneficial effects are similar, so they will not be described again here.
[0071] Figure 7 This is a schematic diagram of the structure of a session management function module provided in an embodiment of this disclosure. This session management function module can be understood as the aforementioned electronic device or a portion of the functional modules within the aforementioned electronic device. For example... Figure 7 As shown, the session management function module 70 includes: The first receiving unit 701 is used to receive the identified content and determine the strategy execution instruction associated with the identified content based on the identified content. The second sending unit 702 is used to send policy execution instructions.
[0072] The apparatus provided in this embodiment can execute the methods of any of the above embodiments, and its execution method and beneficial effects are similar, so they will not be described again here.
[0073] Figure 8 This is a schematic diagram of the structure of a user plane function device provided in an embodiment of this disclosure. This user plane function device can be understood as the aforementioned electronic device or a portion of the functional modules within the aforementioned electronic device. For example... Figure 8 As shown, the user plane function device 80 includes: The second receiving unit 801 is used to receive policy execution instructions; The determining unit 802 is used to obtain preset value information associated with the strategy execution instruction, and to obtain supplementary associated information based on the preset value information; The fifth sending unit 803 is used to send preset value information and supplementary association information.
[0074] The apparatus provided in this embodiment can execute the methods of any of the above embodiments, and its execution method and beneficial effects are similar, so they will not be described again here.
[0075] Figure 9 This is a schematic diagram of a data center gateway provided in an embodiment of this disclosure. The data center gateway can be understood as the aforementioned electronic device or a functional module within the aforementioned electronic device. Figure 9 As shown, the data center gateway 90 includes: The third receiving unit 901 is used to receive preset value information and supplementary association information; The execution unit 902 is used to start the corresponding security policy according to the preset value information, and execute the configuration rules that match the corresponding security policy according to the supplementary association information.
[0076] The apparatus provided in this embodiment can execute the methods of any of the above embodiments, and its execution method and beneficial effects are similar, so they will not be described again here.
[0077] This disclosure also provides an electronic device, which includes: a memory storing a computer program; and a processor for executing the computer program, wherein when the computer program is executed by the processor, it can implement the methods of any of the above embodiments.
[0078] Example, Figure 10 This is a schematic diagram of the structure of an electronic device according to an embodiment of this disclosure. See below for details. Figure 10 The diagram illustrates a structural schematic suitable for implementing the electronic device 1000 in the embodiments of this disclosure. The electronic device 1000 in the embodiments of this disclosure may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. Figure 10 The electronic device shown is merely an example and should not be construed as limiting the functionality and scope of the embodiments disclosed herein.
[0079] like Figure 10 As shown, the electronic device 1000 may include a processing unit (e.g., a central processing unit, a graphics processing unit, etc.) 1001, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage device 1008 into a random access memory (RAM) 1003. The RAM 1003 also stores various programs and data required for the operation of the electronic device 1000. The processing unit 1001, ROM 1002, and RAM 1003 are interconnected via a bus 1004. An input / output (I / O) interface 1005 is also connected to the bus 1004.
[0080] Typically, the following devices can be connected to the I / O interface 1005: input devices 1006 including, for example, a touchscreen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 1007 including, for example, a liquid crystal display (LCD), speaker, vibrator, etc.; storage devices 1008 including, for example, magnetic tape, hard disk, etc.; and communication devices 1009. Communication device 1009 allows electronic device 1000 to communicate wirelessly or wiredly with other devices to exchange data. Although Figure 10 An electronic device 1000 with various devices is shown; however, it should be understood that it is not required to implement or possess all of the devices shown. More or fewer devices may be implemented or possessed alternatively.
[0081] In particular, according to embodiments of this disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this disclosure include a computer program product comprising a computer program carried on a non-transitory computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication device 1009, or installed from storage device 1008, or installed from ROM 1002. When the computer program is executed by processing device 1001, it performs the functions defined in the methods of embodiments of this disclosure.
[0082] It should be noted that the computer-readable medium described in this disclosure can be a computer-readable signal medium or a computer-readable storage medium, or any combination thereof. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this disclosure, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this disclosure, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium can be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to: wires, optical fibers, RF (radio frequency), etc., or any suitable combination thereof.
[0083] In some implementations, clients and servers can communicate using any currently known or future-developed network protocol such as HTTP (Hypertext Transfer Protocol) and can interconnect with digital data communication (e.g., communication networks) of any form or medium. Examples of communication networks include local area networks (“LANs”), wide area networks (“WANs”), the Internet (e.g., the Internet of Things), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future-developed networks.
[0084] The aforementioned computer-readable medium may be included in the aforementioned electronic device; or it may exist independently and not assembled into the electronic device.
[0085] The aforementioned computer-readable medium carries one or more programs, which, when executed by the electronic device, cause the electronic device to: acquire business data, identify abnormal business data within the business data; analyze the abnormal business data according to a multi-dimensional security rule base to obtain the identified content; and send the identified content.
[0086] Computer program code for performing the operations of this disclosure can be written in one or more programming languages or a combination thereof, including but not limited to object-oriented programming languages such as Java, Smalltalk, and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).
[0087] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0088] The units described in the embodiments of this disclosure can be implemented in software or hardware. The names of the units are not, in some cases, intended to limit the specific unit.
[0089] The functions described above in this document can be performed at least in part by one or more hardware logic components. For example, exemplary types of hardware logic components that can be used, without limitation, include: field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), system-on-a-chip (SoCs), complex programmable logic devices (CPLDs), and so on.
[0090] In the context of this disclosure, a machine-readable medium can be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device. A machine-readable medium can be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium can be, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.
[0091] This disclosure also provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it can implement the methods of any of the above embodiments. The execution method and beneficial effects are similar, and will not be described again here.
[0092] It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes the element.
[0093] The above are merely specific embodiments of this disclosure, enabling those skilled in the art to understand or implement this disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this disclosure. Therefore, this disclosure is not to be limited to these embodiments, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims
1. A data control method, characterized in that, Applied to network data analysis modules, including: Acquire business data and identify abnormal business data within the business data; The abnormal business data is analyzed based on a multi-dimensional security rule base to obtain the identified content; Send the identified content.
2. The method according to claim 1, characterized in that, The method further includes: Based on the identified content, a blocking data instruction is generated; Send the data blocking command.
3. The method according to claim 2, characterized in that, The method further includes: If it is determined that the abnormal business data does not exist in the business data, a data unblocking instruction is generated; Send the command to unblock the data.
4. A data control method, characterized in that, Applied to the session management function module, including: Receive identified content, and determine the policy execution instruction associated with the identified content based on the identified content; Send the policy execution command.
5. A data control method, characterized in that, Applied to user plane function devices, including: Receive policy execution instructions; Obtain preset value information associated with the strategy execution instruction, and obtain supplementary association information based on the preset value information; Send the preset value information and the supplementary association information.
6. A data control method, characterized in that, Applications in data center gateways, including: Receive preset value information and supplementary association information; The corresponding security policy is activated based on the preset value information, and the configuration rules matching the corresponding security policy are executed based on the supplementary association information.
7. A network data analysis module, characterized in that, include: An acquisition unit is used to acquire business data and identify abnormal business data in the business data. The analysis unit is used to analyze the abnormal business data according to a multi-dimensional security rule base to obtain the identified content; The first sending unit is used to send the identified content.
8. A session management function module, characterized in that, include: A receiving unit is configured to receive identified content and determine a policy execution instruction associated with the identified content based on the identified content. The second sending unit is used to send the strategy execution instruction.
9. An electronic device, characterized in that, include: A processor and a memory, wherein the memory stores a computer program that, when executed by the processor, performs the method of any one of claims 1-6.
10. A computer-readable storage medium, characterized in that, The storage medium stores a computer program that, when executed by a processor, implements the method as described in any one of claims 1-6.