TECHNICAL FIELD
The present invention relates to a monitor device, a base station, a monitor method, a control method, and a program. In particular, it relates to a monitor device, a base station, a monitor method, a control method, and a program for monitoring an attack on a mobile network.
BACKGROUND ART
A device constituting a mobile network executes various processes so that communication terminals can communicate using a mobile network operated by a mobile phone carrier. Non Patent Literature 1 describes the ATTACH procedure of a communication terminal. By executing the ATTACH procedure, authentication of the communication terminal, setting of the communication bearers used by the communication terminal to transmit and receive data, and the like are performed.
CITATION LIST
Non Patent Literature
Non Patent Literature 1: 3GPP TS 23.401 V13.3.0 (2015-06)
SUMMARY OF INVENTION
Technical Problem
In recent years, the threat of DoS (Denial of Service) attacks on mobile networks has been increasing. For example, when many control signals are transmitted to the mobile network, a large load is imposed on the node device that processes those control signals inside the mobile network. Further, a large number of control signals transmitted inside the mobile network can cause congestion on a transmission line. In order to provide global roaming services, mobile phone carriers need to cooperate with mobile networks operated by other mobile phone carriers when authenticating communication terminals and the like. Thus, a DoS attack on a mobile network may affect not only the mobile network operated by one mobile phone carrier but also the mobile networks operated by a plurality of mobile phone carriers.
Therefore, in order to stably operate the mobile network, it is desired to reduce the threat of DoS attacks on the mobile network.
An object of the present invention is to provide a monitor device, a base station, a monitor method, a control method, and a program capable of reducing the threat of DoS attacks on a mobile network.
Solution to Problem
A first example aspect of the present invention is a monitor device including: a signal monitor unit configured to estimate a specific base station communicating with a communication terminal attacking a mobile network according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal communicating with a base station in a communication device located in the mobile network; and a base station control unit configured to cause the specific base station to determine whether to execute the ATTACH procedure for a communication terminal served by the specific base station according to communication terminal identification information set in a signal transmitted from that communication terminal.
A second example aspect of the present invention is a base station including:
a signal monitor unit configured to estimate whether there is a communication terminal attacking a mobile network in a communication area according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal located in a communication area formed by the base station in a communication device; and a signal control unit configured to determine whether to execute the ATTACH procedure related to a communication terminal according to communication terminal identification information set in a signal transmitted from the communication terminal located in the communication area.
A third example aspect of the present invention is a monitor method including: estimating a specific base station communicating with a communication terminal attacking a mobile network according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal communicating with a base station in a communication device located in the mobile network; and causing the specific base station to determine whether to execute the ATTACH procedure related to a communication terminal served by the specific base station according to communication terminal identification information set in a signal transmitted from the communication terminal served by the specific base station.
A fourth example aspect of the present invention is a control method including: estimating whether there is a communication terminal attacking a mobile network in a communication area according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal located in a communication area formed by a base station in a communication device; and determining whether to execute the ATTACH procedure related to a communication terminal according to communication terminal identification information set in a signal transmitted from the communication terminal located in the communication area.
A fifth example aspect of the present invention is a program that causes a computer to: estimate a specific base station communicating with a communication terminal attacking a mobile network according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal communicating with a base station in a communication device located in the mobile network; and cause the specific base station to determine whether to execute the ATTACH procedure related to a communication terminal served by the specific base station according to communication terminal identification information set in a signal
Advantageous Effects of Invention
The present invention can provide a monitor device, a base station, a monitor method, a control method, and a program capable of reducing the threat of DoS attacks on a mobile network.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 is a configuration diagram of a communication system according to a first embodiment;
FIG. 2 is a configuration diagram of a mobile network according to a second embodiment;
FIG. 3 is a diagram showing an overview of an Initial Attach procedure according to the second embodiment;
FIG. 4 is a diagram showing an overview of the Initial Attach procedure according to the second embodiment;
FIG. 5 is a diagram showing a flow of processing when a UE according to the second embodiment attacks;
FIG. 6 is a diagram showing a flow of processing when the UE according to the second embodiment attacks;
FIG. 7 is a diagram showing a flow of processing when the UE according to the second embodiment attacks;
FIG. 8 is a configuration diagram of an eNB according to the second embodiment;
FIG. 9 is a diagram showing a flow of processing for defending against an attack from the UE in the eNB according to the second embodiment;
FIG. 10 is a diagram showing a flow of processing for defending against an attack from an ATT UE between the ATT UE and an eNB according to the second embodiment;
FIG. 11 is a configuration diagram of a mobile network according to the second embodiment;
FIG. 12 is a diagram showing a list of Cause values according to a third embodiment;
FIG. 13 is a diagram showing a flow of processing for defending against an attack from an ATT UE between an ATT UE and an eNB according to a fourth embodiment;
FIG. 14 is a configuration diagram of a mobile network according to a fifth embodiment;
FIG. 15 is a configuration diagram of the mobile network according to the fifth embodiment;
FIG. 16 is a configuration diagram of the mobile network according to the fifth embodiment; and
FIG. 17 is a configuration diagram of a node device in each embodiment.
DESCRIPTION OF EMBODIMENTS
First Embodiment
Hereinafter, embodiments of the present invention will be described with reference to the drawings. A configuration example of a communication system according to a first embodiment of the present invention will be described with reference to FIG. 1. The communication system of FIG. 1 includes a monitor device 10, a base station 20, a communication terminal 30, a communication device 40, and a subscriber data device 50. The monitor device 10, the base station 20, the communication terminal 30, the communication device 40, and the subscriber data device 50 may be computer devices that operate when a processor executes a program stored in a memory.
The base station 20, the communication device 40, and the subscriber data device 50 may be node devices defined by the 3rd Generation Partnership Project (3GPP). For example, the base station 20 may be a NodeB or an eNB (evolved NodeB). The communication device 40 may be an SGSN (Serving GPRS Support Node) or an MME (Mobility Management Entity). Further, the subscriber data device 50 may be an HSS (Home Subscriber Server) or an HLR (Home Location Register).
The communication terminal 30 is a terminal that performs radio communication with the base station 20. The communication terminal 30 may be, for example, a mobile phone terminal, a smartphone, a tablet terminal, or the like. Alternatively, the communication terminal 30 may be an M2M (Machine to Machine) terminal, an MTC (Machine Type Communication) terminal, or the like.
Next, a configuration example of the monitor device 10 will be described. The monitor device 10 includes a signal monitor unit 11 and a base station control unit 12. The signal monitor unit 11 and the base station control unit 12 may be software or modules whose processing is executed by the processor executing the program stored in the memory. Alternatively, the signal monitor unit 11 and the base station control unit 12 may be hardware such as circuits or chips.
The signal monitor unit 11 monitors the number of times the ATTACH procedure, which registers information about the communication terminal 30 communicating with the base station 20 in the communication device 40, is rejected. Furthermore, from the result of the monitoring, the signal monitor unit 11 estimates which base station communicates with a communication terminal attacking the mobile network. A base station that communicates with a communication terminal attacking the mobile network is hereinafter referred to as a specific base station. The specific base station may be a sector constituting a base station.
The mobile network is, for example, a network including the base station 20, the communication device 40, and the subscriber data device 50.
The ATTACH procedure is the processing that enables the communication terminal 30 to use the mobile network. The information about the communication terminal 30 may be, for example, information about the location of the communication terminal 30.
The communication device 40 refuses to register the information about the communication terminal 30 when, for example, the communication terminal 30 cannot be authenticated or is not allowed to use the mobile network. Specifically, when the communication terminal 30 spoofs the identification information of another communication terminal, authentication of the communication terminal 30 fails. The communication device 40 may reject the registration of information about the communication terminal 30 after communicating with the subscriber data device 50, which holds the subscriber information about the communication terminal 30.
For example, when the number of times that the communication device 40 rejects the registration of information about communication terminals served by the base station 20 exceeds a predetermined threshold, the signal monitor unit 11 estimates that a communication terminal attacking the mobile network is being served by the base station 20. That is, the signal monitor unit 11 estimates that the base station 20 is the specific base station.
The base station control unit 12 instructs the base station 20, which has been estimated to be the specific base station, to determine whether to execute the processing for registering the information about the communication terminal 30 and the like in the communication device 40 according to the communication terminal identification information set in a signal transmitted from the communication terminal 30 and the like served by the base station 20.
The base station 20 does not simply stop executing the registration processing in the communication device 40 for all the communication terminals it serves. Instead, based on the communication terminal identification information, it withholds the registration processing only for the communication terminals selected by that information, which may be some or all of the communication terminals it serves.
As described above, with the communication system of FIG. 1, the monitor device 10 can estimate the specific base station that communicates with the communication terminal attacking the mobile network. Further, the monitor device 10 can cause the specific base station to determine whether to execute the processing for registering the information about a communication terminal in the communication device 40.
This reduces the number of times that the base station 20 has to register information about communication terminals in the communication device 40. Therefore, even when a communication terminal attacks the mobile network, the increase in the number of signals can be limited.
Second Embodiment
Next, a configuration example of a mobile network according to a second embodiment of the present invention will be described with reference to FIG. 2. The mobile network of FIG. 2 is configured using node devices defined by 3GPP. The mobile network shown in FIG. 2 includes UEs (User Equipments) 31 to 33, an ATT (ATTACKER) UE 34, an eNB 21, an eNB 22, an MME 41, an HSS 51, an SGW (Serving Gateway) 61, a PGW (Packet Data Network Gateway) 62, and a PCRF (Policy and Charging Rule Function) 63.
FIG. 2 shows the communication paths of control data, or C-Plane data, mainly used for setting up PDN Connections and communication bearers for the UEs 31 to 33 and the ATT UE 34.
The UEs 31 to 33 and the ATT UE 34 correspond to the communication terminal 30 in FIG. 1. UE is the generic term for a communication terminal in 3GPP. The ATT UE 34 denotes a UE that attacks the mobile network.
The eNB 21 and the eNB 22 correspond to the base station 20 in FIG. 1. The eNB 21 and the eNB 22 are base stations that support LTE as the radio communication scheme.
The MME 41 corresponds to the communication device 40 in FIG. 1. The MME 41 manages the location information of the UEs 31 to 33 and the ATT UE 34. The HSS 51 corresponds to the subscriber data device 50 in FIG. 1. The HSS 51 manages the subscriber information of the UEs 31 to 33 and the ATT UE 34.
The SGW 61 and the PGW 62 are gateway devices that carry the user data of the UEs 31 to 33 and the ATT UE 34. The user data may be referred to as U-Plane data.
The PCRF 63 is a device that executes QoS (Quality of Service) control and charging control for the UEs 31 to 33 and the ATT UE 34. The PCRF 63 may also be referred to as a PCRF entity, a PCRF device, or the like.
Here, the attack on the mobile network executed by the ATT UE 34 will be described. The ATT UE 34 performs, for example, a DoS attack on the mobile network. Specifically, the ATT UE 34 repeatedly executes the Initial Attach procedure in order to increase the amount of control data transmitted in the mobile network. The increase in control data increases the amount of processing that each node device in the mobile network has to execute, and thereby the processing load of the node device.
An overview of the Initial Attach procedure defined by 3GPP will be described with reference to FIGS. 3 and 4. FIGS. 3 and 4 show the Initial Attach procedure of the ordinary UE 31, which does not attack the mobile network. The Initial Attach procedure is executed when the UE 31 is powered on for the first time, or when the UE 31 has roamed in from a foreign network and communicates with the eNB 21 for the first time.
First, the UE 31 transmits an RRC (Radio Resource Control) Connection Request message to the eNB 21 (S21). When the UE 31 communicates with the eNB 21 for the first time, the radio section between the UE 31 and the eNB 21 is not yet secured. Thus, in Step S21, the UE 31 sets a predetermined value in the RRC Connection Request message as its identification information. The predetermined value may be referred to as, for example, a random value. The UE 31 sets, for example, UE identity=random value in the RRC Connection Request message.
Next, the eNB 21 transmits an RRC Connection Setup message to the UE 31 as the response to the RRC Connection Request message (S22). Next, the UE 31 transmits to the eNB 21 an RRC Connection Setup Complete message that carries a NAS message of the NAS (Non-Access Stratum) protocol (S23). For example, an ATTACH request message is set as the NAS message. The UE 31 sets an IMSI (International Mobile Subscriber Identity) as its identification information in the ATTACH request message; specifically, the UE 31 sets Mobile Identity=IMSI in the ATTACH request message. The IMSI is an identification number that uniquely identifies the subscriber of the UE across all the mobile networks operated by the communication carrier.
Next, the eNB 21 selects an MME to manage the location information of the UE 31 (S24). For example, the eNB 21 may select the MME in consideration of the load status of the MMEs and the like. In this example, it is assumed that the eNB 21 has selected the MME 41.
Next, the eNB 21 transmits to the MME 41 an Initial UE message including the ATTACH request message in which Mobile Identity=IMSI is set (S25).
Next, the MME 41 transmits to the HSS 51 an Authentication Information Request message in which the IMSI of the UE 31 is set, in order to execute authentication processing for the UE 31 (S26). Next, the HSS 51 transmits to the MME 41 an Authentication Information Answer message including the Authentication Vectors associated with the IMSI of the UE 31 (S27). The Authentication Vectors contain the parameters the MME 41 needs to authenticate the UE 31, for example RAND (Random challenge), AUTN (Authentication token), and XRES (Expected user response).
Next, the MME 41 transmits to the UE 31 an Authentication Request message including the RAND and AUTN received from the HSS 51 (S28). The UE 31 calculates a RES (User response) from the RAND and AUTN received from the MME 41 and transmits an Authentication Response message including the calculated RES to the MME 41 (S29).
Next, the MME 41 executes the authentication processing for the UE 31 using the RES received from the UE 31 and the XRES received from the HSS 51 (S30). Specifically, the MME 41 determines whether the RES and the XRES match. When they match, the MME 41 permits the UE 31 to use the mobile network. In Step S30, the MME 41 permits the UE 31 to use the mobile network.
Next, in order to establish a security association, the MME 41 transmits to the UE 31 a SECURITY MODE COMMAND message including the security algorithms to be used in the security association (S31). The UE 31 transmits a SECURITY MODE COMPLETE message to the MME 41 as the response to the SECURITY MODE COMMAND message (S32).
Next, the MME 41 transmits an Update Location Request message to the HSS 51 in order to update the location information about the UE 31 held in the HSS 51 (S33). The HSS 51 transmits an Update Location Ack message to the MME 41 as the response to the Update Location Request message (S34).
Next, the MME 41 transmits a Create Session Request message to the SGW 61 in order to set up a communication bearer (S35), and the SGW 61 forwards the Create Session Request message to the PGW 62 (S36). The PGW 62 then exchanges QoS negotiation messages with the PCRF 63 (S37) in order to determine the QoS applied to the PDN (Packet Data Network) Connection of the UE 31.
Next, the PGW 62 transmits a Create Session Response message to the SGW 61 as the response to the Create Session Request message of Step S36 (S38), and the SGW 61 transmits a Create Session Response message to the MME 41 as the response to the Create Session Request message of Step S35 (S39).
Next, the MME 41 performs the radio setup between the UE 31 and the eNB 21 (S40). After the radio setup, the MME 41 exchanges a Modify Bearer Request message and a Modify Bearer Response message with the SGW 61 in order to update the communication bearer (S41 and S42).
Next, the MME 41 allocates a GUTI (Globally Unique Temporary Identity) to the UE 31 as its temporary identification information (S43) and transmits an ATTACH Accept message including the GUTI to the UE 31 (S44).
When the processing up to Step S44 has been executed and the ATTACH procedure has completed successfully, the UE 31 holds a GUTI. When the UE 31 subsequently executes the ATTACH procedure again, it sets UE identity=S-TMSI (SAE-Temporary Mobile Subscriber Identity) in the RRC Connection Request message transmitted in Step S21. The S-TMSI is a value contained in the GUTI that identifies the UE 31. That is, when the UE 31 executes the ATTACH procedure again, UE identity=S-TMSI is set instead of UE identity=random value.
Here, the Initial Attach procedure executed by the ATT UE 34 intending to attack the mobile network will be described. For example, the ATT UE 34 may attack in the following ways.
(1) The Initial Attach procedure is executed using, as the identification information of the ATT UE 34, an IMSI whose bit length, digit format, or the like is illegal.
(2) An IMSI with a value not managed by any mobile network operated by the communication carrier is set as the identification information of the ATT UE 34, and the Initial Attach procedure is executed.
(3) The IMSI of another UE is set as the identification information of the ATT UE 34, and the ATT UE 34 executes the Initial Attach procedure while spoofing that UE.
The flow of processing when the ATT UE 34 executes attack (1) above will be described with reference to FIG. 5. Steps S51 to S55 are the same as Steps S21 to S25 in FIG. 3, respectively, and a detailed description of them is omitted.
When the MME 41 receives, in Step S55, the Initial UE message including an ATTACH request message in which an illegal IMSI is set, the MME 41 transmits an Initial Context Setup Request message including an ATTACH reject message to the eNB 21 (S56). The eNB 21 then transmits an RRC Connection Reconfiguration message including the ATTACH reject message to the ATT UE 34 (S57).
As described above, when the ATT UE 34 executes attack (1), the processing of Steps S51 to S57 is executed.
Next, the flow of processing when the ATT UE 34 executes attack (2) will be described with reference to FIG. 6. Steps S61 to S66 are the same as Steps S21 to S26 in FIG. 3, respectively, and a detailed description of them is omitted. In Step S66, the HSS 51 receives an IMSI whose value is not managed in any mobile network operated by the communication carrier. In this case, the HSS 51 transmits to the MME 41 an Authentication Information Answer message in which a Cause indicating that the received IMSI does not exist is set (S67). The Cause indicating that the received IMSI does not exist may be, for example, "EPS services and non-EPS services not allowed".
When the MME 41 receives the Authentication Information Answer message carrying that Cause, the MME 41 transmits an Initial Context Setup message including the ATTACH reject message to the eNB 21 (S68). The eNB 21 then transmits the RRC Connection Reconfiguration message including the ATTACH reject message to the ATT UE 34 (S69).
As described above, when the ATT UE 34 executes attack (2), the processing of Steps S61 to S69 is executed.
Next, the flow of processing when the ATT UE 34 executes attack (3) will be described with reference to FIG. 7. Steps S71 to S79 are the same as Steps S21 to S29 in FIG. 3, respectively, and a detailed description of them is omitted.
The ATT UE 34 sets the IMSI of another UE in order to spoof that UE. Because the ATT UE 34 does not hold the secret key associated with that IMSI, it cannot generate a RES equal to the XRES generated by the HSS 51, even using the RAND and AUTN transmitted in Step S78. Thus, when authenticating the ATT UE 34, the MME 41 determines that the RES transmitted in Step S79 differs from the XRES transmitted in Step S77 (S80). That is, the MME 41 refuses to let the ATT UE 34 use the mobile network.
The MME 41 then transmits an Authentication reject message to the ATT UE 34 via the eNB 21 (S81).
As described above, when the ATT UE 34 executes attack (3), the processing of Steps S71 to S81 is executed.
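The following is an added illustration, not code from the patent or from any 3GPP node, of where the MME/HSS side of the Initial Attach procedure (Steps S25 to S30 and S44) ends for the ordinary UE 31 and for each of the three ATT UE 34 variants (1) to (3). The key derivation, the subscriber table standing in for the HSS, the outcome strings and the sample IMSIs are all constructed stand-ins: real EPS-AKA uses Milenage and the cause codes of the NAS and S6a specifications, which are not reproduced here.

```python
"""Toy model of the MME/HSS outcome of an Initial Attach for an ordinary UE
and for the three ATT UE attack variants. Added illustration; everything
below (keys, IMSIs, cause names, the f2 stand-in) is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed HSS subscriber table: IMSI -> permanent key K shared with the USIM.
HSS_SUBSCRIBERS: Dict[str, bytes] = {
    "440101234567890": bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc"),
    "440109876543210": bytes.fromhex("0c0a34601d4f07677303652c0462535b"),
}

ATTACH_ACCEPT = "ATTACH_ACCEPT"
ATTACH_REJECT = "ATTACH_REJECT"
AUTHENTICATION_REJECT = "AUTHENTICATION_REJECT"


def imsi_is_well_formed(imsi: str) -> bool:
    """Attack (1): an IMSI is 6 to 15 decimal digits (TS 23.003); anything else is illegal."""
    return imsi.isdigit() and 6 <= len(imsi) <= 15


def derive_res(k: bytes, rand: bytes, autn: bytes) -> bytes:
    """Constructed stand-in for the f2 function: RES = HMAC-SHA256(K, RAND || AUTN)[:8].
    Both the USIM and the HSS compute it, so only the holder of K obtains RES == XRES."""
    return hmac.new(k, rand + autn, hashlib.sha256).digest()[:8]


def hss_authentication_info(imsi: str) -> Tuple[Optional[dict], Optional[str]]:
    """Steps S26/S27: the HSS answers with an authentication vector, or with a cause
    meaning the IMSI is not served by any network of this carrier (attack (2))."""
    k = HSS_SUBSCRIBERS.get(imsi)
    if k is None:
        return None, "UNKNOWN_IMSI"  # constructed cause name
    rand = secrets.token_bytes(16)
    autn = secrets.token_bytes(16)  # a real AUTN carries SQN, AMF and MAC; opaque here
    return {"RAND": rand, "AUTN": autn, "XRES": derive_res(k, rand, autn)}, None


@dataclass
class UE:
    claimed_imsi: str  # Mobile Identity sent in the ATTACH request
    k: bytes           # key the UE actually holds; differs from the HSS entry when spoofing

    def authentication_response(self, rand: bytes, autn: bytes) -> bytes:
        """Step S29: RES computed from the RAND/AUTN of the Authentication Request."""
        return derive_res(self.k, rand, autn)


def mme_initial_attach(ue: UE) -> str:
    """Runs the MME side of the procedure and returns the NAS outcome the eNB observes."""
    if not imsi_is_well_formed(ue.claimed_imsi):
        return ATTACH_REJECT            # FIG. 5, Step S56
    av, _cause = hss_authentication_info(ue.claimed_imsi)
    if av is None:
        return ATTACH_REJECT            # FIG. 6, Step S68
    res = ue.authentication_response(av["RAND"], av["AUTN"])
    if not hmac.compare_digest(res, av["XRES"]):
        return AUTHENTICATION_REJECT    # FIG. 7, Steps S80/S81
    return ATTACH_ACCEPT                # FIG. 4, Step S44


def run_scenarios() -> Dict[str, str]:
    """Ordinary UE 31 plus the three ATT UE 34 variants; returns the outcome per scenario."""
    legit_imsi = "440101234567890"
    return {
        "ue31":    mme_initial_attach(UE(legit_imsi, HSS_SUBSCRIBERS[legit_imsi])),
        "attack1": mme_initial_attach(UE("44010-BAD-IMSI", b"\x00" * 16)),   # illegal format
        "attack2": mme_initial_attach(UE("440100000000001", b"\x00" * 16)),  # unknown IMSI
        "attack3": mme_initial_attach(UE(legit_imsi, b"\x11" * 16)),         # spoofs UE 31
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:8s} -> {outcome}")
```

The point for the eNB-side defence of the next section is visible in the return values: all three attack variants end in a reject message on the S1-MME interface (ATTACH reject for (1) and (2), Authentication reject for (3)), and none of them ever yields the GUTI of Step S44.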
Next, a configuration example of the eNB 21 according to the second embodiment of the present invention will be described with reference to FIG. 8. The eNB 21 includes an RRC signal monitor unit 71 and a NAS signal control unit 72. The NAS signal control unit 72 includes a NAS signal monitor unit 73 and a signal control unit 74.
The NAS signal monitor unit 73 corresponds to the signal monitor unit 11 of FIG. 1, and the signal control unit 74 corresponds to the base station control unit 12 of FIG. 1. That is, the NAS signal control unit 72 executes the same functions as the monitor device 10 of FIG. 1. In other words, FIG. 8 shows a configuration in which the monitor device 10 of FIG. 1 is included in the eNB 21, which is the base station 20.
The RRC signal monitor unit 71 monitors the RRC signals transmitted by the plurality of UEs camping on the communication area formed by the eNB 21. The RRC signal monitor unit 71 may count the RRC signals transmitted and received by the eNB 21 over a predetermined period, such as a day, a week, a month, or a year, and generate statistical data on the number of RRC signals. From the statistical data, the RRC signal monitor unit 71 can know, for example, at what time of day or on what day of the week a large amount of traffic occurred.
Further, the RRC signal monitor unit 71 may associate the statistical data with weather information, event information, and the like as possible causes of the large amount of traffic. The event information may describe, for example, an event where many people gather, such as a concert or a rally.
When the RRC signal monitor unit 71 detects an unusual traffic trend from the generated statistical data, that is, an abnormality in the network operation, it may trigger processing to verify the presence of an ATT UE 34. That verification is executed by the NAS signal control unit 72. Thus, the RRC signal monitor unit 71 may activate the NAS signal control unit 72 when an abnormality in the network operation is detected; in this case, the NAS signal control unit 72 is otherwise in a stopped state.
The NAS signal monitor unit 73 monitors the messages transmitted to and received from the MME 41. For example, it counts the ATTACH reject messages received in Step S56 of FIG. 5 or Step S68 of FIG. 6, and the Authentication reject messages transmitted from the MME 41 in Step S81 of FIG. 7.
The NAS signal monitor unit 73 estimates that an ATT UE 34 is present when the number of ATTACH reject messages and Authentication reject messages transmitted and received in a unit time exceeds a predetermined threshold. The threshold may be a constant value or may be changed dynamically.
For example, the threshold may be changed dynamically based on the statistical data generated by the RRC signal monitor unit 71. Analysis of that statistical data allows estimating the time period, day of the week, season, weather condition, or the like in which traffic is heavy or light. Thus, the threshold may be set high in time periods where traffic is heavy and low in time periods where traffic is light.
When the schedule of an event where many people gather is known beforehand, the threshold for the date of the event may be set high.
When the NAS signal monitor unit 73 determines that the number of ATTACH reject messages and Authentication reject messages transmitted and received in a unit time exceeds the predetermined threshold, the signal control unit 74 rejects the Initial Attach procedure for some of the UEs located in the communication area formed by the eNB 21. For example, the UEs whose Initial Attach procedure is rejected may be those that set UE identity=random value in the RRC Connection Request message, in other words, those that did not set an S-TMSI as the UE identity in the RRC Connection Request message.
Further, the signal control unit 74 may set a time during which the Initial Attach procedure is rejected for some of the UEs located in the communication area formed by the eNB 21. When the set time has elapsed, the signal control unit 74 cancels the rejection of the Initial Attach procedure for those UEs.
A UE that sets UE identity=random value in the RRC Connection Request message is a UE that has been powered on for the first time or that has roamed in from another mobile network, such as one overseas. Further, as described with reference to FIGS. 5 to 7, an ATT UE 34 cannot complete the Initial Attach procedure successfully. Therefore, when the ATT UE 34 repeatedly performs the Initial Attach procedure in order to attack the mobile network, it can never set an S-TMSI as the UE identity, because the S-TMSI is the identification information contained in the GUTI, which is allocated to a UE only when the Initial Attach procedure completes successfully.
By rejecting the Initial Attach procedure of UEs that set UE identity=random value in the RRC Connection Request message, the number of attacks executed by the ATT UE 34 can be reduced.
The Initial Attach procedure of UEs that have no intention of attacking the mobile network, such as UEs powered on for the first time or UEs roaming in from other mobile networks, could also be rejected. For such a UE, the rejection of the Initial Attach procedure is canceled after the set time has elapsed, after which its Initial Attach procedure can be completed successfully. The rejection of the Initial Attach procedure of UEs that set UE identity=random value is performed only at the specific base station. Thus, when a UE with no intention of attacking the mobile network moves out of the area of the specific base station, its Initial Attach procedure can be completed successfully. However, the rejection may also be performed at a plurality of base stations including the neighbor base stations of the specific base station.
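The eNB-side defence described in this section (and, in generic form, by the monitor device 10 of the first embodiment) as an added illustration that is not code from the patent: a NAS signal monitor that counts ATTACH reject and Authentication reject messages per unit time against a threshold that follows the time-of-day traffic statistics, and a signal control unit that, while an ATT UE is estimated to be present, answers RRC Connection Requests carrying UE identity=random value with RRC Connection Reject for a set time while still setting up requests that carry an S-TMSI. The window length, thresholds, block duration, timestamps (seconds since midnight) and the S1-MME message trace are constructed values chosen for the example.

```python
"""eNB-side defence of the second embodiment: reject-message counting with a
dynamic threshold, then time-limited rejection of random-identity RRC
Connection Requests. Added illustration; all parameters are constructed."""
from collections import deque
from typing import Deque, Dict, Optional, Tuple

REJECT_MESSAGES = {"ATTACH_REJECT", "AUTHENTICATION_REJECT"}  # Steps S56/S68 and S81
RRC_SETUP = "RRC_CONNECTION_SETUP"
RRC_REJECT = "RRC_CONNECTION_REJECT"


class NasSignalMonitor:
    """NAS signal monitor unit 73: sliding-window count of reject messages on S1-MME."""

    def __init__(self, window_s: float, threshold_by_hour: Dict[int, int], default_threshold: int):
        self.window_s = window_s
        self.threshold_by_hour = threshold_by_hour  # per-hour thresholds derived from RRC statistics
        self.default_threshold = default_threshold
        self.reject_times: Deque[float] = deque()

    def threshold_at(self, t: float) -> int:
        """Dynamic threshold: high where traffic is normally heavy, low where it is light."""
        hour = int(t // 3600) % 24
        return self.threshold_by_hour.get(hour, self.default_threshold)

    def observe(self, t: float, nas_message: str) -> bool:
        """Feed one downlink NAS message; return True while an ATT UE is estimated present."""
        if nas_message in REJECT_MESSAGES:
            self.reject_times.append(t)
        while self.reject_times and self.reject_times[0] <= t - self.window_s:
            self.reject_times.popleft()  # drop rejects older than the unit time
        return len(self.reject_times) > self.threshold_at(t)


class SignalControlUnit:
    """Signal control unit 74: decides per RRC Connection Request whether to proceed."""

    def __init__(self, monitor: NasSignalMonitor, block_duration_s: float):
        self.monitor = monitor
        self.block_duration_s = block_duration_s
        self.block_until: Optional[float] = None  # rejection of random-identity UEs ends here

    def on_nas_message(self, t: float, nas_message: str) -> None:
        if self.monitor.observe(t, nas_message):
            self.block_until = t + self.block_duration_s  # re-armed while rejects keep coming

    def handle_rrc_connection_request(self, t: float, ue_identity: Tuple[str, str]) -> str:
        """ue_identity is ("s-tmsi", value) or ("random", value), as set by the UE in Step S21."""
        kind, _value = ue_identity
        blocking = self.block_until is not None and t < self.block_until
        if blocking and kind == "random":
            return RRC_REJECT   # FIG. 10, Step S103
        return RRC_SETUP        # FIG. 3, Step S22: attach proceeds toward the MME


def run_sample(hour: int) -> Dict[str, str]:
    """Replay a constructed trace starting at the given hour: eight reject messages within
    eight seconds, then RRC Connection Requests from a random-identity UE and an S-TMSI UE."""
    monitor = NasSignalMonitor(window_s=60.0, threshold_by_hour={18: 20}, default_threshold=5)
    ctrl = SignalControlUnit(monitor, block_duration_s=300.0)
    t0 = hour * 3600.0
    out = {"before": ctrl.handle_rrc_connection_request(t0, ("random", "1a2b3c4d5e"))}
    for i in range(8):  # constructed S1-MME trace: the ATT UE fails to attach over and over
        ctrl.on_nas_message(t0 + i, "ATTACH_REJECT" if i % 2 == 0 else "AUTHENTICATION_REJECT")
    ctrl.on_nas_message(t0 + 8, "ATTACH_ACCEPT")  # successful attaches are not counted
    out["random_during"] = ctrl.handle_rrc_connection_request(t0 + 10, ("random", "aabbccddee"))
    out["stmsi_during"] = ctrl.handle_rrc_connection_request(t0 + 10, ("s-tmsi", "0123456789"))
    out["random_after"] = ctrl.handle_rrc_connection_request(t0 + 10 + 300.0, ("random", "aabbccddee"))
    return out


if __name__ == "__main__":
    print("quiet hour (03:00):", run_sample(3))
    print("busy hour (18:00): ", run_sample(18))
```

Run at 03:00 the eight rejects exceed the quiet-hour threshold of 5, so the random-identity request is rejected while the S-TMSI request is set up, and the random-identity request is accepted again once the 300 s block has lapsed; run at 18:00 the same trace stays under the busy-hour threshold of 20 and nothing is blocked, which is the behaviour the dynamic threshold is meant to give.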
Next, a flow of processing for defending against attacks from the ATT UE 34 in the eNB 21 will be described with reference to FIG. 9. Firstly, the RRC signal monitor unit 71 determines whether an abnormality in the network operation has been detected from the generated statistical data (S91). When the RRC signal monitor unit 71 has not detected an abnormality in the network operation, it repeats the processing of Step S91. When the RRC signal monitor unit 71 detects an abnormality in the network operation, the NAS signal monitor unit 73 determines whether there is any ATT UE 34 (S92).
When the NAS signal monitor unit 73 determines that there is no ATT UE 34, it repeats the processing of Step S91. When the NAS signal monitor unit 73 estimates that there is an ATT UE 34, the signal control unit 74 rejects the Initial Attach procedure of some of the UEs located in the communication area formed by the eNB 21 (S93).
Next, a flow of processing when attacks from the ATT UE 34 are defended against between the ATT UE 34 and the eNB 21 will be described with reference to FIG. 10. FIG. 10 is a sequence related to Step S93 in FIG. 9. Firstly, the ATT UE 34 transmits the RRC connection Request message in which the UE identity=random value is set to the eNB 21 (S101).
Next, the eNB 21 determines that the UE identity=random value is set in the received RRC connection request message (S102). Next, the eNB 21 transmits an RRC connection Reject message to the ATT UE 34 (S103).
As described above, the eNB 21 according to the second embodiment of the present invention monitors the number of ATTACH reject messages and the number of Authentication reject messages received in a unit time to thereby estimate whether there is any ATT UE 34. When the eNB 21 estimates that there is an ATT UE 34, the eNB 21 rejects the Initial Attach procedure of the UE that has transmitted the RRC connection Request message in which the UE identity=random value is set. The ATT UE 34 is likely to be included in the UEs that have transmitted the RRC connection request message in which the UE identity=random value is set. For this reason, the eNB 21 can defend against the attack by the ATT UE 34.
When the Initial Attach procedure of the UE having no intention of attacking the mobile network is rejected, the processing for rejecting the Initial Attach procedure on the UE that has transmitted the RRC connection Request message in which the UE identity=random value is set is canceled. Then, when the UE executes the Initial Attach procedure again, the Initial Attach procedure can be successfully completed. The operation of rejecting the Initial Attach procedure of the UE in which the UE identity=random value is set is performed only on the specific base station. Thus, when the UE having no intention of attacking the mobile network moves to an area outside the specific base station, the Initial Attach procedure of the UEs having no intention of attacking the mobile network can be successfully completed.
The UE that has transmitted the RRC connection Request message in which the UE identity=random value is set is the UE that is powered on for the first time, or the UE that roamed from another mobile network such as overseas. Thus, there is no influence on the service of the UE on which the Initial Attach procedure has been successfully completed in the mobile network.
In the second embodiment, the configuration of the mobile network supporting the LTE in FIG. 2 has mainly been described. However, a mobile network supporting a second generation mobile phone system or a third generation mobile phone system shown in FIG. 11 may be used instead. The mobile network of FIG. 11 includes UEs 31 to 33, an ATT UE 34, an NB (Node B) 23, an NB 24, an RNC 25, an SGSN 42, a GGSN 43, an HSS 51, and a PCRF 63. The NB 23 and the NB 24 are base stations supporting the wireless scheme used for the second generation mobile phone system and the third generation mobile phone system. The RNC 25 corresponds to the eNB 21 or the eNB 22, and is a control device for controlling a radio base station. The eNB 21 and the eNB 22 operate as base stations having functions corresponding to that of the RNC 25. The SGSN 42 corresponds to the MME 41. The SGSN 42 is a device that manages the location information of the UEs and transmits user data and the like. The GGSN 43 corresponds to the PGW 62.
In FIG. 11, the RNC 25 includes the RRC signal monitor unit 71 and the NAS signal control unit 72 in FIG. 8, and thus it can execute processing similar to that of the eNB 21 in FIG. 2.
As attack methods other than the above (1) to (3), there may be the following attack methods. When the MME 41 transmits the Authentication Request message to the ATT UE 34 in Step S78 of FIG. 7, the ATT UE 34 disconnects the connection with the eNB 21 or intentionally avoids the processing and does not transmit a response message to the Authentication Request message. In this case, the MME 41 maintains a session with the ATT UE 34 for a certain period of time, so that the number of sessions managed by the MME 41 increases.
In such a case, the MME 41 retransmits the Authentication Request message after a lapse of a certain period of time. When the MME 41 does not receive a response message after the retransmission, it disconnects the session with the ATT UE 34 due to timeout. Thus, the NAS signal monitor unit 73 may estimate that there is the ATT UE 34 when the number of retransmitted messages or the number of time-outs exceeds a predetermined threshold per unit time.
Third Embodiment
Next, processing for estimating whether there is any ATT UE 34 according to the third embodiment will be described. The configuration of the eNB 21 according to the third embodiment is the same as that in FIG. 8, and thus a detailed description thereof will be omitted. In the third embodiment, the NAS signal monitor unit 73 monitors the number of ATTACH reject messages and the number of Authentication reject messages having a predetermined Cause value.
The Cause value indicates the reason for transmitting the ATTACH reject message or the Authentication reject message. For example, the NAS signal monitor unit 73 may monitor the number of ATTACH reject messages and the number of Authentication reject messages having a Cause value indicating that the UE executing the Initial Attach procedure is an illegal UE. The Cause value indicating that the UE is illegal may be, for example, the values shown in FIG. 12. FIG. 12 shows the Cause values indicating an illegal UE extracted from the Cause values shown in 3GPP TS 24.301 V13.3.0 (2015-09) Table 9.9.3.9.1: EMM cause information element.
As described above, the NAS signal monitor unit 73 counts only the number of ATTACH reject messages and the number of Authentication reject messages having the Cause value indicating that the UE is illegal among all the ATTACH reject messages and Authentication reject messages. Thus, for example, the eNB 21 does not count Authentication reject messages or the like that are generated when a failure occurs in the HSS. Therefore, when the number of ATTACH reject messages and the number of Authentication reject messages having the Cause value indicating that the UE is illegal exceeds the threshold, the eNB 21 can estimate the possibility that there is an ATT UE 34 more accurately as compared with the case where the number of all ATTACH reject messages and Authentication reject messages exceeds the threshold.
Fourth Embodiment
Next, a flow of processing when attacks from the ATT UE 34 are defended against between the ATT UE 34 and the eNB 21 will be described with reference to FIG. 13. Steps S111 to S113 are the same as Steps S21 to S23 of FIG. 2, respectively, and thus a detailed description thereof will be omitted.
When the eNB 21 receives the RRC connection setup complete message in Step S113, it determines that an IMSI within the range (specific range) of specific values is set in the UE identity that is set in the RRC connection setup complete message (S114). Next, the eNB 21 discards the RRC connection setup complete message received in Step S113 and stops the Initial Attach procedure (S115).
The eNB 21 may set the values of the specific range used in Step S114 as follows. For example, in the Initial Attach procedure in which the ATTACH reject message and the Authentication reject message are to be transmitted in Step S56 of FIG. 5, Step S67 of FIG. 6, and Step S81 of FIG. 7, the eNB 21 sets the width of the range of values so as to include the IMSI. The number of IMSIs included in the range may be any number.
As described above, the eNB 21 discards the RRC connection setup complete message in which the IMSI, which falls within a specific range where the ATT UE 34 is likely to be included, is set. This enables the eNB 21 to defend against attacks from the ATT UE 34 on the mobile network.
Even when the method of defending against attacks from the ATT UE 34 in FIGS. 10 and 13 is executed, if the number of messages related to the Initial Attach procedure does not decrease in the eNB 21, the Initial Attach procedures may be rejected uniformly for a certain period of time regardless of the UE identity set in the RRC connection request message in Step S21 of FIG. 5.
Further, even when the Initial Attach procedure is rejected for a certain period of time, if the number of messages related to the Initial Attach procedure does not decrease in the eNB 21, the transmission of radio waves of the eNB 21 estimated to be communicating with the ATT UE 34 may be stopped for a certain period of time, or messages related to the Attach procedure may not be received, in order to effectively defend against attacks from the ATT UE 34. Alternatively, when the NAS signal monitor unit 73 detects the frequency band accessed by the UE in the Initial Attach procedure in which the ATTACH reject message and the Authentication reject message have been transmitted, the transmission of radio waves of only the sector that supports the frequency band detected by the eNB 21 may be stopped.
Commonly, when the ATT UE 34 performs a DoS attack and the processing load of the MME 41 increases, outgoing calls and the like are restricted in all the eNBs served by the MME 41, thereby exerting the influence of the DoS attack over a wide range. On the other hand, by stopping the transmission of radio waves of the eNB 21 estimated to be communicating with the ATT UE 34 for a certain period of time, or stopping the transmission of radio waves of only some sectors of the eNB 21, the range on which the influence of the DoS attack is exerted can be narrowed.
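As an added illustration (not code from the patent), the following Python sketch models the NAS signal monitor unit 73 of the second and third embodiments (reject counting per unit time, with and without the Cause filter) and the signal control unit 74 decisions of the second and fourth embodiments (rejecting random-value RRC connection requests, discarding setup complete messages whose IMSI falls in the specific range). The unit time, threshold, message records and IMSI range are constructed assumptions, and TS 24.301 EMM causes #3 (Illegal UE) and #6 (Illegal ME) stand in for the FIG. 12 list, which is not reproduced here.

```python
from collections import deque
from dataclasses import dataclass, field

# Cause values treated as "illegal UE" (third embodiment). Assumption: the
# page's FIG. 12 list is not reproduced, so TS 24.301 EMM cause #3 (Illegal
# UE) and #6 (Illegal ME) stand in for it; extend the set as required.
ILLEGAL_UE_CAUSES = {3, 6}


@dataclass
class NasReject:
    """One ATTACH reject or Authentication reject seen by the eNB."""
    t: float      # arrival time in seconds (constructed)
    msg: str      # "ATTACH_REJECT" or "AUTH_REJECT"
    cause: int    # EMM cause value carried in the message


@dataclass
class NasSignalMonitor:
    """NAS signal monitor unit 73: counts reject messages per unit time."""
    unit_time: float = 60.0        # assumed unit time in seconds
    threshold: int = 5             # assumed rejects per unit time
    cause_filter: bool = True      # False -> count every reject (2nd emb.)
    window: deque = field(default_factory=deque)

    def observe(self, rej: NasReject) -> None:
        if rej.msg not in ("ATTACH_REJECT", "AUTH_REJECT"):
            return
        if self.cause_filter and rej.cause not in ILLEGAL_UE_CAUSES:
            return   # e.g. HSS failure: not evidence of an ATT UE (3rd emb.)
        self.window.append(rej)

    def count(self, now: float) -> int:
        # Expire rejects older than one unit time, then count the rest.
        while self.window and now - self.window[0].t > self.unit_time:
            self.window.popleft()
        return len(self.window)

    def att_ue_present(self, now: float) -> bool:
        return self.count(now) > self.threshold


@dataclass
class SignalControl:
    """Signal control unit 74: per-message decision while defending."""
    defending: bool = False
    imsi_range: tuple = (None, None)   # 4th emb.: (low, high) IMSI, inclusive

    def on_rrc_connection_request(self, ue_identity: dict) -> str:
        # 2nd emb.: a random-value identity marks a UE that has not completed
        # Initial Attach; a UE presenting an S-TMSI is never rejected here.
        if self.defending and ue_identity.get("type") == "random":
            return "RRC_CONNECTION_REJECT"
        return "RRC_CONNECTION_SETUP"

    def on_rrc_setup_complete(self, ue_identity: dict) -> str:
        # 4th emb.: discard the message when the IMSI lies in the range.
        lo, hi = self.imsi_range
        if (self.defending and ue_identity.get("type") == "imsi"
                and lo is not None and lo <= ue_identity["value"] <= hi):
            return "DISCARD"
        return "FORWARD_TO_MME"


def run_monitor(rejects, now, cause_filter=True):
    """Feed constructed rejects to the monitor; return (count, defending)."""
    mon = NasSignalMonitor(cause_filter=cause_filter)
    for r in rejects:
        mon.observe(r)
    return mon.count(now), mon.att_ue_present(now)


# Constructed sample within one minute: six illegal-UE rejects (causes #3/#6)
# and four rejects with an unrelated cause (17, assumed network failure).
ATTACK = ([NasReject(t, "ATTACH_REJECT", 3) for t in (1, 5, 9)]
          + [NasReject(t, "AUTH_REJECT", 6) for t in (12, 15, 18)]
          + [NasReject(t, "AUTH_REJECT", 17) for t in (20, 25, 30, 35)])
# Constructed quiet sample: four illegal-UE rejects plus four unrelated ones.
QUIET = ATTACK[:4] + ATTACK[6:]

if __name__ == "__main__":
    print(run_monitor(ATTACK, now=40))                     # (6, True)
    print(run_monitor(QUIET, now=40))                      # (4, False)
    print(run_monitor(QUIET, now=40, cause_filter=False))  # (8, True)
```

The quiet sample shows the point of the third embodiment: counting every reject would trip the threshold on HSS-side failures, while counting only illegal-UE causes does not.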
Fifth Embodiment
Next, a configuration example of a mobile network different from those in FIGS. 2 and 11 will be described with reference to FIG. 14. The mobile network of FIG. 14 is the same as the mobile network of FIG. 2 except that the mobile network of FIG. 14 further includes a Security GW 81 and a monitor device 91. The Security GW 81 is connected to the eNB 21 and the eNB 22. The monitor device 91 relays communication between the Security GW 81 and the MME 41.
The communication paths between the eNB 21 and the Security GW 81 and between the eNB 22 and the Security GW 81 may be secured by IPsec.
The monitor device 91 is a device including the RRC signal monitor unit 71 and the NAS signal control unit 72 in FIG. 8. That is, the monitor device 91 determines whether there is any ATT UE 34, and decides to reject the Initial Attach procedures of some UEs served by the eNB communicating with the ATT UE 34.
Further, the monitor device 91 may be provided inside the Security GW 81 or inside the MME 41.
Next, a configuration example of a mobile network different from those in FIGS. 2, 11, and 14 will be described with reference to FIG. 15. A configuration of the mobile network of FIG. 15 is the same as that of the mobile network of FIG. 11 except that the mobile network of FIG. 15 further includes a Security GW 81 and a monitor device 91. The Security GW 81 is connected to the RNC 25. The monitor device 91 relays communication between the Security GW 81 and the SGSN 42.
The monitor device 91 may be provided inside the Security GW 81 or inside the SGSN 42.
As shown in FIGS. 14 and 15, the monitor device 91 may be arranged in a previous stage of the MME 41 or the SGSN 42. This eliminates the need to incorporate the functions executed by the monitor device 91 into all the eNBs or RNCs in the mobile network as shown in FIG. 8. Thus, it is possible to easily incorporate the function for defending against the DoS attacks into the mobile network as compared with the case where the eNB executes the function of the monitor device 91 as shown in FIG. 8.
As shown in FIG. 16, the network management device 100 may be configured to collectively manage a plurality of monitor devices 91. The network management device 100 may be referred to as an EMS (Element Management System) or an NMS (Network Management System). For example, in FIG. 14, the eNB 21 and the eNB 22 may communicate with MMEs other than the MME 41 in some cases. For example, the eNB 21 can select an MME for each UE in Step S54 of FIG. 5, and thus the eNB 21 can communicate with a plurality of MMEs.
The monitor device 91 connected to the Security GW 81 monitors the number of messages generated for each eNB by monitoring the messages transmitted from the eNB and the messages addressed to the eNB. However, as each eNB communicates with a plurality of MMEs, a message exchanged when an eNB communicates with another MME is monitored by another monitor device different from the monitor device 91.
Thus, the number of messages generated for each eNB cannot be accurately monitored by only one monitor device 91. For this reason, the network management device 100 that aggregates and manages a plurality of monitor devices 91 is used. The network management device 100 collects information about the number of messages generated for each eNB from the monitor devices 91_1, 91_2, and 91_n (n is an integer of one or greater). The network management device 100 collects the information from a plurality of monitor devices and adds up the number of messages generated for each eNB, so that it can accurately monitor the number of messages generated for each eNB.
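As an added illustration (not the patent's own code), the following Python sketch shows why the network management device 100 must add up per-eNB counts across monitor devices before applying a threshold: each monitor device only sees the path to its own MME, so none of them trips the threshold alone. The device names, counts and threshold are constructed.

```python
from collections import Counter

THRESHOLD = 5   # assumed reject count per unit time that indicates an ATT UE

# Constructed reports for one unit time. Each monitor device 91_k sits on
# one Security GW -> MME path, so it only sees the rejects that its MME
# returned to each eNB; the eNBs here talk to three MMEs.
REPORTS = {
    "monitor_91_1": {"eNB21": 3, "eNB22": 1},   # path to MME 41
    "monitor_91_2": {"eNB21": 2, "eNB22": 1},   # path to a second MME
    "monitor_91_3": {"eNB21": 2},               # path to a third MME
}


def per_device_alerts(reports, threshold=THRESHOLD):
    """eNBs each monitor device would flag from its own partial view."""
    return {dev: {enb for enb, n in seen.items() if n > threshold}
            for dev, seen in reports.items()}


def aggregate(reports):
    """Network management device 100: add up the counts per eNB."""
    total = Counter()
    for seen in reports.values():
        total.update(seen)
    return dict(total)


def aggregated_alerts(reports, threshold=THRESHOLD):
    """eNBs flagged once the per-eNB counts are summed across devices."""
    return {enb for enb, n in aggregate(reports).items() if n > threshold}


if __name__ == "__main__":
    print(per_device_alerts(REPORTS))   # every device reports an empty set
    print(aggregate(REPORTS))           # {'eNB21': 7, 'eNB22': 2}
    print(aggregated_alerts(REPORTS))   # {'eNB21'}
```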
Next, a configuration of the node device constituting the communication systems shown in FIGS. 12, 11, 14, 15, and 16 described in the above embodiments will be described with reference to FIG. 17. FIG. 17 is a block diagram showing a configuration example of the node device 140. Referring to FIG. 17, the node device 140 includes a network interface 1201, a processor 1202, and a memory 1203. The network interface 1201 is used to communicate with other network node devices constituting the communication system. The network interface 1201 may include, for example, a network interface card (NIC) compliant with the IEEE 802.3 series.
The processor 1202 reads out and executes software (computer program) from the memory 1203 to thereby perform processing of the node device 140 described with reference to the sequence diagrams and flowcharts in the above embodiments. The processor 1202 may be, for example, a microprocessor, an MPU or a CPU. The processor 1202 may include a plurality of processors.
The memory 1203 is composed of a combination of a volatile memory and a non-volatile memory. The memory 1203 may include a storage physically separated from the processor 1202. In this case, the processor 1202 may access the memory 1203 via an I/O interface not shown.
In the example of FIG. 17, the memory 1203 is used to store software modules. By reading and executing these software modules from the memory 1203, the processor 1202 can perform the processing of the server 140 described in the above embodiments.
As described with reference to FIG. 17, each of the processors of the node devices constituting the communication system executes one or more programs including instructions for causing a computer to execute the algorithm described with reference to the drawings.
In the above example, the program can be stored and provided to a computer using any type of non-transitory computer readable media. Non-transitory computer readable media include any type of tangible storage media. Examples of non-transitory computer readable media include magnetic storage media (such as floppy disks, magnetic tapes, hard disk drives, etc.), optical magnetic storage media (e.g. magneto-optical disks), Compact Disc Read Only Memory (CD-ROM), CD-R, CD-R/W, and semiconductor memories (such as Mask ROM, Programmable ROM (PROM), Erasable PROM (EPROM), flash ROM, Random Access Memory (RAM)). Non-transitory computer readable media can provide the program to a computer via a wired communication line (e.g. electric wires, and optical fibers) or a wireless communication line.
Note that the present invention is not limited to the above-described embodiments, and modifications can be made as appropriate without departing from the scope of the invention. The contents described in the first to fifth embodiments may be combined as appropriate. For example, the processing to estimate the presence of the ATT UE 34 in the second embodiment may be replaced with the processing to estimate the presence of the ATT UE 34 in the third embodiment. Moreover, the processing to defend against attacks from the ATT UE 34 in the second embodiment may be replaced with the processing to defend against attacks from the ATT UE 34 in the fourth embodiment.
Although the present invention has been described with reference to the embodiments, the present invention is not limited by the above. Various changes that can be understood by those skilled in the art within the scope of the invention can be made to the configuration and details of the present invention.
The present application is based upon and claims the benefit of priority from Japanese Patent Application No. 2015-203626, filed on Oct. 15, 2015, the entire contents of which are hereby incorporated by reference.
The whole or part of the exemplary embodiments disclosed above can be described as, but not limited to, the following supplementary notes.
Supplementary Note 1
A monitor device comprising:
a signal monitor unit configured to estimate a specific base station communicating with a communication terminal attacking a mobile network according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal communicating with a base station in a communication device located in the mobile network; and
a base station control unit configured to cause the specific base station to determine whether to execute the ATTACH procedure related to a communication terminal served by the specific base station according to communication terminal identification information set in a signal transmitted from the communication terminal served by the specific base station.
Supplementary Note 2
The monitor device according to Supplementary note 1, wherein the communication device rejects the registration of the information about the communication terminal in which illegal communication terminal identification information is set in the communication device.
Supplementary Note 3
The monitor device according to Supplementary note 1, wherein the communication device rejects the registration of the communication terminal in the communication device when authentication information generated by the communication terminal does not match authentication information generated inside the mobile network.
Supplementary Note 4
The monitor device according to any one of Supplementary notes 1 to 3, wherein the signal monitor unit estimates the specific base station communicating with the communication terminal that attacks the mobile network according to the number of messages in which a predetermined Cause value is set among messages transmitted when the ATTACH procedure is rejected.
Supplementary Note 5
The monitor device according to any one of Supplementary notes 1 to 4, wherein the base station control unit causes the specific base station to reject processing for registering the information about the communication terminal which has transmitted the signal in which the communication terminal identification information indicating that the communication terminal performs communication in the mobile network for the first time is set, in the communication device.
Supplementary Note 6
The monitor device according to any one of Supplementary notes 1 to 4, wherein the base station control unit causes the specific base station to reject processing for registering the information about the communication terminal, which has transmitted a signal in which an IMSI included in a determination value including at least one value is set, in the communication device as the communication terminal identification information.
Supplementary Note 7
The monitor device according to any one of Supplementary notes 1 to 6, wherein the base station control unit does not cause the specific base station to execute the processing for registering the information about the communication terminal served by the specific base station in the communication device.
Supplementary Note 8
The monitor device according to Supplementary note wherein the base station control unit stops transmission of radio waves of the specific base station.
Supplementary Note 9
The monitor device according to any one of Supplementary notes 1 to 8, further comprising a radio signal monitor unit configured to generate statistical data related to the number of messages transmitted and received by the base station and to activate the signal monitor unit and the base station control unit when there is a trend of traffic different from a trend of traffic indicated by the statistical data.
Supplementary Note 10
A base station comprising:
a signal monitor unit configured to estimate whether there is a communication terminal attacking a mobile network in a communication area according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal located in a communication area formed by the base station in a communication device; and
a signal control unit configured to determine whether to execute the ATTACH procedure related to a communication terminal according to communication terminal identification information set in a signal transmitted from the communication terminal located in the communication area.
Supplementary Note 11
A monitor method comprising:
estimating a specific base station communicating with a communication terminal attacking a mobile network according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal communicating with a base station in a communication device located in the mobile network; and
causing the specific base station to determine whether to execute the ATTACH procedure related to a communication terminal served by the specific base station according to communication terminal identification information set in a signal transmitted from the communication terminal served by the specific base station.
Supplementary Note 12
A control method comprising:
estimating whether there is a communication terminal attacking a mobile network in a communication area according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal located in a communication area formed by a base station in a communication device; and
determining whether to execute the ATTACH procedure related to a communication terminal according to communication terminal identification information set in a signal transmitted from the communication terminal located in the communication area.
Supplementary Note 13
A program that causes a computer to:
estimate a specific base station communicating with a communication terminal attacking a mobile network according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal communicating with a base station in a communication device located in the mobile network; and
cause the specific base station to determine whether to execute the ATTACH procedure related to a communication terminal served by the specific base station according to communication terminal identification information set in a signal transmitted from the communication terminal served by the specific base station.
Supplementary Note 14
A program that causes a computer to:
estimate whether there is a communication terminal attacking a mobile network in a communication area according to the number of times an ATTACH procedure is rejected, the ATTACH procedure being for registering information about the communication terminal located in a communication area formed by a base station in a communication device; and
determine whether to execute the ATTACH procedure related to a communication terminal according to communication terminal identification information set in a signal transmitted from the communication terminal located in the communication area.
REFERENCE SIGNS LIST
- 10 MONITOR DEVICE
- 11 SIGNAL MONITOR UNIT
- 12 BASE STATION CONTROL UNIT
- 20 BASE STATION
- 21 eNB
- 22 eNB
- 23 NB
- 24 NB
- 25 RNC
- 30 COMMUNICATION TERMINAL
- 31 UE
- 32 UE
- 33 UE
- 34 ATT UE
- 40 COMMUNICATION DEVICE
- 41 MME
- 42 SGSN
- 43 GGSN
- 50 SUBSCRIBER DATA DEVICE
- 51 HSS
- 61 SGW
- 62 PGW
- 63 PCRF
- 71 RRC SIGNAL MONITOR UNIT
- 72 NAS SIGNAL CONTROL UNIT
- 73 NAS SIGNAL MONITOR UNIT
- 74 SIGNAL CONTROL UNIT
- 81 Security GW
- 91 MONITOR DEVICE
- 100 NETWORK MANAGEMENT DEVICE