Method and apparatus for detecting diameter protocol IDR message spoofing attack in mobile communication network

Abstract

Provided are methods of detecting a Diameter spoofing attack. According to an embodiment, the method comprises, obtaining a normal International Mobile Subscriber Identity (IMSI) from a packet of a Diameter S6a protocol transmitted from a Mobile Management Entity (MME) to a Home Subscriber Server (HSS) of a home network, adding a record comprising the normal IMSI to a session table, obtaining an Insert Subscriber Data Request (IDR) message of the Diameter S6a protocol and determining a category of the IDR message.

Claims

1. A method of detecting a Diameter spoofing attack, the method comprising: obtaining a normal International Mobile Subscriber Identity (IMSI) from a packet of a Diameter S6a protocol transmitted from a Mobile Management Entity (MME) to a Home Subscriber Server (HSS) of a home network; adding a record comprising the normal IMSI to a session table; obtaining an Insert Subscriber Data Request (IDR) message of the Diameter S6a protocol; and determining a category of the IDR message, wherein the determining the category of the IDR message comprises, determining that the IDR message is an abnormal IDR message based on an IMSI included in the IDR message not being found in the session table, and determining that the IDR message is a dangerous IDR message based on some of a bit (bit 2) indicating Evolved Packet System (EPS) User State Request of IDR-Flags, a bit (bit 3) indicating EPS Location Information Request and a bit (bit 4) indicating Current Location Request in the IDR message having a value of 1.

2. The method of claim 1, wherein the obtaining of the normal IMSI comprises obtaining the normal IMSI included in an Authentication Information Request (AIR) message of the Diameter S6a protocol transmitted from the MME to the HSS of the home network.

3. The method of claim 2, wherein the obtaining of the normal IMSI further comprises obtaining an IMSI, which is to be deleted, from a Cancel Location Request (CLR) message of the Diameter S6a protocol transmitted from the MME to the HSS of the home network, and the adding of the record comprising the normal IMSI to the session table comprises searching for a record related to the CLR message and deleting the found record.

4. The method of claim 1, wherein the determining the category of the IDR message comprises determining that the IDR message is an abnormal IDR message based on an origin-host attribute-value pair (AVP) and an origin-realm AVP included in the IDR message not being included in a preset normal host name list.

5. The method of claim 1, wherein the determining the category of the IDR message comprises determining that the IDR message is an abnormal IDR message based on all of the bit (bit 2) indicating EPS User State Request of IDR-Flags, the bit (bit 3) indicating EPS Location Information Request and the bit (bit 4) indicating Current Location Request in the IDR message having the value of 1.

6. The method of claim 1, wherein the MME is located in a visiting network.

7. A method of detecting a Diameter spoofing attack using a message of a GTP-C protocol, the method comprising: obtaining a normal IMSI from a Create Session Request message of a General Packet Radio Service (GPRS) Tunneling Protocol for Control plane (GTP-C) protocol generated by an MME; obtaining a first tunnel ID (Tunnel Endpoint Identifier (TEID)) from a Create Session Response message transmitted in response to the Create Session Request message, the first tunnel ID being a S11 Serving GateWay (SGW) GTP-C TEID; adding a record comprising the first tunnel ID and the normal IMSI to a session table; obtaining a second tunnel ID (TEID) included in a Delete Session Request message of the GTP-C protocol generated by the MME, the second tunnel ID being a S11 SGW GTP-C TEID, the Delete Session Request message not including an IMSI; deleting a record comprising the second tunnel ID included in the Delete Session Request message from the session table; obtaining an IDR message of a Diameter S6a protocol; and determining that the IDR message of the Diameter S6a protocol is an abnormal IDR message based on an IMSI included in the IDR message not being found in the session table, the session table not including information obtained from a packet of a Diameter S6a protocol.

8. The method of claim 7, wherein the obtaining the first tunnel ID comprises further obtaining an EPS bearer ID (EBI) from the Create Session Request message, and the record added to the session table comprises a value (IMSI+EBI), which is generated as a result of concatenating the normal IMSI and the EBI, as a field of the record.

9. The method of claim 8, wherein the determining that IDR message is an abnormal IDR message comprises: extracting an IMSI by extracting upper 34 bits from the IMSI+EBI field of each record of the session table; and determining the IDR message to be an abnormal IDR message based on the IMSI included in the IDR message not existing among the extracted IMSIs.

10. A fifth generation (5G) mobile communication system comprising: a 5G core network which comprises a packet tapper in a virtual switch; an abnormal packet detection system which analyzes a packet obtained through the packet tapper, wherein the abnormal packet detection system is configured to: obtain a first normal IMSI from a packet of a Diameter S6a protocol transmitted from an MME to an HSS of a home network and add a record comprising the first normal IMSI to a first session table; obtain a second normal IMSI from a Create Session Request message packet of a GTP-C protocol generated by the MME and add a record comprising the second normal IMSI to a second session table, and based on an IDR message of the Diameter S6a protocol being included in the packet obtained through the packet tapper, determine the IDR message to be an abnormal IDR message based on an IMSI included in the IDR message being found in none of the first session table and the second session table, otherwise determine the IDR message to be a dangerous IDR message based on an IMSI included in the IDR message being found in either one of the first session table and the second session table.

11. The system of claim 10, wherein the abnormal packet detection system obtains the first normal IMSI included in an AIR message of the Diameter S6a protocol transmitted from the MME to the HSS of the home network.

12. The system of claim 10, wherein based on the IDR message of the Diameter S6a protocol being included in the packet obtained through the packet tapper, the abnormal packet detection system determines the IDR message to be an abnormal IDR message based on the IMSI included in the IDR message not being found in at least one of the first session table and the second session table or based on an origin-host AVP and an origin-realm AVP included in the IDR message not being included in a preset normal host name list.

13. The system of claim 10, wherein based on the IDR message of the Diameter S6a protocol being included in the packet obtained through the packet tapper, the abnormal packet detection system determines the IDR message to be a dangerous IDR message based on the IMSI included in the IDR message not being found in at least one of the first session table and the second session table or based on some of a bit (bit 2) indicating EPS User State Request of IDR-Flags, a bit (bit 3) indicating EPS Location Information Request and a bit (bit 4) indicating Current Location Request in the IDR message having a value of 1.

14. The system of claim 10, wherein the MME is located in a visiting network.

15. The system of claim 10, wherein the abnormal packet detection system further obtains an EBI from the Create Session Request message packet, and the record added to the second session table comprises a value (IMSI+EBI), which is generated as a result of concatenating the second normal IMSI and the EBI, as a field of the record.

16. The system of claim 10, wherein the abnormal packet detection system obtains a tunnel ID (TEID) included in a Delete Session Request message packet of the GTP-C protocol generated by the MME, searches for a record comprising the tunnel ID included in the Delete Session Request message packet, and deletes the found record.

17. The system of claim 10, wherein the tunnel ID (TEID) is an S11 SGW GTP-C TEID.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) These and/or other aspects will become apparent and more readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings in which:

(2) FIGS. 1 and 2 are diagrams for explaining an Insert Subscriber Data Request (IDR) message-based spoofing attack that can be detected according to embodiments;

(3) FIG. 3 illustrates the configuration of a fifth generation (5G) mobile communication system according to an embodiment;

(4) FIG. 4 is a flowchart illustrating a method of detecting a Diameter spoofing attack according to an embodiment;

(5) FIG. 5A illustrates the example configuration of a first session table that is generated and referred to in some embodiments;

(6) FIG. 5B illustrates the example configuration of a second session table that is generated and referred to in some embodiments;

(7) FIG. 6 illustrates an example S6a protocol message flow between a Mobile Management Entity (MME) and a Home Subscriber Server (HSS) based on a record of the first session table being added, updated, and deleted;

(8) FIG. 7 illustrates an example S6a protocol message flow between the MME, a Serving GateWay (GS-GW) and a Packet data network GateWay (P-GW) based on a record of the second session table being added, updated, and deleted; and

(9) FIG. 8 illustrates an example hardware structure for implementing a method according to embodiments.

DETAILED DESCRIPTION

(10) Hereinafter, embodiments of the present disclosure will be described with reference to the attached drawings. Advantages and features of the present disclosure and methods of accomplishing the same may be understood more readily by reference to the following detailed description of embodiments and the accompanying drawings. The present disclosure may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments may be provided so that this disclosure will be thorough and complete and will fully convey the concept of the disclosure to those skilled in the art, and the present disclosure will be defined by the appended claims.

(11) In adding reference numerals to the components of each drawing, it should be noted that the same reference numerals may be assigned to the same components as much as possible even though they are shown in different drawings. In addition, in describing the presently disclosed technology, based on it being determined that the detailed description of the related well-known configuration or function may obscure the gist of the presently disclosed technology, the detailed description thereof will be omitted.

(12) Unless otherwise defined, all terms used in the present specification (including technical and scientific terms) may be used in a sense that can be commonly understood by those skilled in the art. In addition, the terms defined in the commonly used dictionaries are not ideally or excessively interpreted unless they are specifically defined clearly. The terminology used herein may be for the purpose of describing embodiments and may not be intended to be limiting of the presently disclosed technology. In this specification, the singular also includes the plural unless specifically stated otherwise in the phrase.

(13) In addition, in describing the component of this presently disclosed technology, terms, such as first, second, A, B, (a), (b), can be used. These terms may be for distinguishing the components from other components, and the nature or order of the components may not be limited by the terms. Based on a component being described as being connected, coupled or contacted to another component, that component may be directly connected to or contacted with that other component, but it should be understood that another component also may be connected, coupled or contacted between each component.

(14) A Diameter spoofing attack based on an Insert Subscriber Data Request (IDR) message will be described with reference to FIG. 1. A Home Subscriber Server (HSS) 120 and a Mobile Management Entity (MME) 110 transmit and receive subscriber-related data and location information through S6a protocols 111 and 121 of a Diameter protocol, transmit and receive information used to authorize the access of a subscriber to a visiting network, or transmit and receive user authentication information.

(15) An DR message may be a message of an S6a protocol that the HSS 120 having a subscriber information database (DB) transmits based on requesting the MME 110 to provide subscriber information.

(16) An attacker who has stolen access information for the MME 110 transmits the IDR message to the MME 110 and attempts to steal information contained in an Insert Subscriber Data Request Answer (IDA) received in response to the DR message. That is, an attacker device 130 transmits the IDR message to the MME 110 and receives the IDA message in response to the IDR message. In other words, the attacker device 130 transmits the IDR message by disguising itself as the HSS 120. The IDA message may include sensitive information such as subscriber location information.

(17) In FIG. 1, the HSS 120, the attacker device 130, and the MME 110 may all be included in the same home network 100. However, the above-described IDR message-based Diameter spoofing attack may also be introduced from an external network. This will be described with reference to FIG. 2.

(18) Referring to FIG. 2, an HSS 210 of a visiting network 200 and an MME 110 of a home network 100 transmit and receive authentication, authorization and accounting (AAA)-related data through S6a protocols 211 and 111. This may be intended to support a so-called roaming service. By exploiting this situation, an attacker transmits an IDR message disguised as transmitted by the HSS 210 of the visiting network 200 to the MME 110 of the home network 100, thereby attempting to steal sensitive information such as subscriber location information.

(19) Since it may be difficult for the MME 110 of the home network 100 to exactly know information about the HSS 210 located in the external network, the IDR message may not be properly authenticated. It may be difficult for the MME 110 of the home network 100 to know the authenticity of the IDR message disguised as transmitted by the HSS 210 of the visiting network 200. As a result, an IDA message containing sensitive information such as subscriber location information may be transmitted to an attacker device 220.

(20) Until now, an IDR message-based Diameter spoofing attack has been described with reference to FIGS. 1 and 2. Generally, an attacker cannot attempt the above spoofing attack by stealing all information. At least some of the information contained in the IDR message may be inaccurate. In some embodiments, an IDR message packet containing inaccurate information may be detected to identify an IDR message-based Diameter spoofing attack.

(21) The configuration and operation of a fifth generation (5G) mobile communication system according to an embodiment will be described with reference to FIG. 3. The 5G mobile communication system according to the current embodiment operates in a non-stand-alone manner.

(22) A 5G Radio Access Network (RAN) 400 including a central unit (CU) 410 and one or more distributed units (DUs) 421 through 423 may be wirelessly connected to user equipment (UE) via a base station. The 5G RAN 400 may be connected to a virtual switch 310 of a 5G core network 300. The virtual switch 310 may be connected to an MME 320, a Serving GateWay (S-GW) 330, a Packet data network GateWay (P-GW) 340, and an HSS 350. Since the 5G RAN 400 and the 5G core network 300 may not be substantially different in configuration and operation from a non-stand-alone 5G mobile communication system, published documents may be referred to for details for understanding the technical spirit of the present disclosure.

(23) The virtual switch 310 according to the current embodiment includes a packet tapper 315 that copies a packet passing along a network link in an electrical manner in real time. The packet tapper 315 provides an abnormal packet detection system 500 with packets transmitted and received in the 5G core network 300. The abnormal packet detection system 500 receives the packets and does not transmit any packets to the 5G core network 300.

(24) According to the configuration of the 5G mobile communication system according to the current embodiment, there may be no need for any configuration change or addition of logic to the 5G core network 300 for a stable operation, and no additional packets related to abnormal packet detection may be introduced into the 5G core network 300. Instead, by simply providing packets to the abnormal packet detection system 500 using the packet tapper 315, it may be possible to detect the above-described IDR message-based Diameter spoofing attack.

(25) The abnormal packet detection system 500 may obtain a normal International Mobile Subscriber Identity (IMSI) from a packet of a Diameter S6a protocol transmitted from an MME 320 to an HSS 350 of a home network and add a record including the normal IMSI to a first session table.

(26) In addition, the abnormal packet detection system 500 may obtain a normal IMSI, an Evolved-Universal Terrestrial Access Network (E-UTRAN) Cell Global Identifier (ECGI) and a Tracking Area Identity (TAI) from a Create Session Request message of a General Packet Radio Service (GPRS) Tunneling Protocol for Control plane (GTP-C) protocol generated by the MME 320 and add a record including the normal IMSI, the ECGI and the TAI to a second session table.

(27) The abnormal packet detection system 500 may manage at least one of the first session table and the second session table.

(28) Based on a packet obtained through the packet tapper 315 including an DR message of the Diameter S6a protocol, the abnormal packet detection system 500 may determine the IDR message to be an abnormal IDR message or a dangerous IDR message based on an IMSI included in the IDR message not being found in at least one of the first session table and the second session table, based on an origin-host attribute-value pair (AVP) and an origin-realm AVP included in the IDR message not being included in a preset normal host name list, or based on some of a bit (bit 2) indicating Evolved Packet System (EPS) User State Request of IDR-Flags, a bit (bit 3) indicating EPS Location Information Request and a bit (bit 4) indicating Current Location Request in the IDR message having a value of 1.

(29) For example, based on the IMSI included in the IDR message being found in one of the first session table and the second session table, the abnormal packet detection system 500 may determine the IDR message to be a dangerous IDR message.

(30) For example, based on the IMSI included in the IDR message being not found in any of the first session table and the second session table, the abnormal packet detection system 500 may determine the IDR message to be an abnormal IDR message.

(31) For example, based on some of the bit (bit 2) indicating EPS User State Request of IDR-Flags, the bit (bit 3) indicating EPS Location Information Request and the bit (bit 4) indicating Current Location Request in the IDR message having a value of 1, the abnormal packet detection system 500 may determine the IDR message to be a dangerous IDR message.

(32) For example, based on all of the bit (bit 2) indicating EPS User State Request of IDR-Flags, the bit (bit 3) indicating EPS Location Information Request and the bit (bit 4) indicating Current Location Request in the IDR message having a value of 1, the abnormal packet detection system 500 may determine the IDR message to be an abnormal IDR message.

(33) For example, based on the origin-host AVP and the origin-realm AVP included in the IDR message not being included in the preset normal host name list, the abnormal packet detection system 500 may determine the IDR message to be an abnormal IDR message.

(34) Based on the abnormal packet detection system 500 detecting a dangerous DR message or an abnormal DR message, it may package information related to the detected DR message by using the first session table or the second session table and provide the packaged information to a control system 600.

(35) In addition, in some embodiments, as described with reference to FIG. 3, based on the abnormal packet detection system 500 detecting a dangerous IDR message or an abnormal IDR message, it notifies the 5G core network 300 of the detected dangerous or abnormal IDR message so that the 5G core network 300 can take a defense process such as ignoring the dangerous IDR message or the abnormal IDR message.

(36) The configuration and operation of the abnormal packet detection system 500 may be understood more clearly with reference to a method of detecting a Diameter spoofing attack which will be described below with reference to FIGS. 4 through 7.

(37) A method of detecting a Diameter spoofing attack will now be described with reference to FIGS. 4 through 7. The method of detecting a Diameter spoofing attack according to the current embodiment may be performed by a computing device. For example, the computing device may be one physical server or a plurality of virtual servers. For example, the computing device may be part of a computing device existing in the abnormal packet detection system 500 of FIG. 3.

(38) Based on the subject of each operation being omitted in the description of the method of detecting a Diameter spoofing attack according to the current embodiment, it may be the computing device.

(39) Referring to FIG. 4, in operation S110, packets may be collected in a 5G core network. Since the current embodiment may be for detecting a Diameter spoofing attack, packets may also be collected in a fourth generation (4G) core network to which a Diameter protocol may be applied.

(40) In operation S120, a session table may be constructed using the collected packets. The construction of the session table may be performed periodically or aperiodically. The construction of the session table may include at least part of the construction of a first session table and the construction of a second session table.

(41) The first session table may be constructed using packets collected based on normal messages of an S6a protocol being transmitted and received. In addition, the second session table may be constructed using packets collected based on normal messages according to a GTP-C protocol being transmitted and received.

(42) The normal messages of the S6a protocol and the normal messages according to the GTP-C protocol may be understood as being generated commonly based on user equipment UE connecting to a network, moves, and disconnects from the network.

(43) First, an operation of managing the first session table will be described using the example configuration of the first session table of FIG. 5A and a signal flowchart of a normal message of the S6a protocol of FIG. 6.

(44) Referring to FIG. 5A, a first session table 11 includes IMSI 11a. Since an IMSI may be user identification information not disclosed to the outside world, it may not be easy for an attacker to steal the IMSI. An IMSI that the attacker includes in an IDR message for a Diameter spoofing attack may be an IMSI generated arbitrarily. The DR message including the arbitrarily generated IMSI may be highly likely to be used for a spoofing attack.

(45) To determine whether an IMSI may be an arbitrarily generated IMSI or a normal IMSI without information provided by a mobile communication provider, normal messages of the S6a protocol may be collected, and normal IMSIs may be extracted from the collected normal messages and managed in the current embodiment. Later, based on an IDR message being checked, based on an IMSI included in the IDR message not existing among normal IMSIs 11a included in the first session table 11, the IMSI included in the IDR message may be determined to be abnormal.

(46) Referring to FIG. 6, an Authentication Information Request (AIR) message may be transmitted from an MME 320 to an HSS 350 in the process of authenticating a subscriber device attempting to connect to a network (operation S200). The AIR message includes, as parameters, an IMSI and a server name identifier (SN ID) (Public Land Mobile Network (PLMN) of a network to which the subscriber device may be connected). In response to the AIR message, an Authentication Information Answer (AIA) message may be transmitted from the HSS 350 to the MME 320 (operation S201).

(47) Based on an AIR message packet being found in the constructing of the session table using the collected packets (operation S120), the parameters of the AIR message may be temporarily stored in a buffer. Based on an AIA message packet being found, a new record including the IMSI stored in the buffer may be created based on the AIA message packet corresponding to the parameters of the AIR message stored in the buffer. The new record may be stored in the first session table 11 after whether a record of the same IMSI exists in the first session table 11 may be checked.

(48) The first session table 11 may further include MME ID 11b and Subscribe P-GW ID 11c to manage information about abnormal packets.

(49) Referring to FIG. 6, based on the handover of the subscriber device occurring, an Update Location Request (ULR) message may be transmitted from the MME 320 to the HSS 350 (operation S210). The ULR message includes, as parameters, an IMSI and an MME ID (an MME ID of a network to which the subscriber device may be newly connected). In response to the ULR message, an Update Location Answer (ULA) message may be transmitted from the HSS 350 to the MME 320 (operation S211).

(50) Based on an ULR message packet being found in the constructing of the session table using the collected packets (operation S120), the parameters of the ULR message may be temporarily stored in the buffer. Based on an ULA message packet being found, an existing record including the IMSI stored in the buffer may be searched for based on the ULA message packet corresponding to the parameters of the ULR message stored in the buffer. The MME ID included in the ULR message may be added as an MME ID of the found existing record. The ULA message packet includes a Subscribed P-GW ID as a parameter. The Subscribed P-GW ID included in the ULA message may also be added as a Subscribed P-GW ID of the found existing record.

(51) Referring to FIG. 6, a Cancel Location Request (CLR) message may be transmitted from the MME 320 to the HSS 350 based on the subscriber device getting detached from the network by, for example, cutting off the power (operation S220). The CLR message includes an IMSI as a parameter. In response to the CLR message, a Cancel Location Answer (CLA) message may be transmitted from the HSS 350 to the MME 320 (operation S221).

(52) Based on a CLR message packet being found in the constructing of the session table using the collected packets (operation S120), the parameters of the CLR message may be temporarily stored in the buffer. Based on a CLA message packet being found, an existing record including the IMSI stored in the buffer may be searched for based on the CLA message packet corresponding to the parameters of the CLR message stored in the buffer. The found existing record may be deleted from the first session table 11. It may be possible to detect a Diameter spoofing attack carried out using an IMSI of a subscriber who has already been detached or unsubscribed from the network.

(53) Next, an operation of managing the second session table will be described using the example configuration of the second session table of FIG. 5B and a signal flowchart of a normal message of the GTP-C protocol of FIG. 7.

(54) Referring to FIG. 5B, a second session table 12 includes a field 12a in which IMSI and EPS bearer ID (EBI) may be concatenated. Since an IMSI may be user identification information not disclosed to the outside world, it may not be easy for an attacker to steal the IMSI. An IMSI that the attacker includes in an IDR message for a Diameter spoofing attack may be an IMSI generated arbitrarily. The IDR message including the arbitrarily generated IMSI may be highly likely to be used for a spoofing attack.

(55) According to the GTP-C protocol, a plurality of EPS bearer IDs may be assigned to the same IMSI. Not IMSI but a value obtained by concatenating EBI to IMSI forms one field in the second session table 12.

(56) To determine whether an IMSI may be an arbitrarily generated IMSI or a normal IMSI without information provided by a mobile communication provider, normal messages of the GTP-C protocol may be collected, and normal IMSIs may be extracted from the collected normal messages and managed in the current embodiment. Later, based on an IDR message being checked, based on an IMSI included in the IDR message not existing among normal IMSIs obtained by extracting upper 34 bits (number of IMSI bits) from the IMSI+EBI field 12a included in the second session table 12, the IMSI included in the IDR message may be determined to be abnormal.

(57) Referring to FIG. 7, a Create Session Request message may be transmitted from the MME 320 to an S-GW 330 in the process of establishing an EPS session in which a subscriber device can connect to a network (operation S300) and then transmitted from the S-GW 330 to a P-GW 340 (operation S301). The Create Session Request message transmitted from the MME 320 to the S-GW 330 may include, as parameters, an IMSI and an EPS bearer ID, a Mobile Station International Subscriber Directory Number (MSISDN) (subscriber identification information), an ECGI, and a TAI. The Create Session Request message transmitted from the S-GW 330 to the P-GW 340 may include an S11 S-GW GTP-C Tunnel Endpoint Identifier (TEID) (tunnel ID) as a parameter.

(58) In some embodiments, the Create Session Request message transmitted from the S-GW 330 to the P-GW 340 may not include the S11 S-GW GTP-C TEID as a parameter, and a Create Session Response message transmitted from the P-GW 340 to the S-GW 330 may include the S11 S-GW GTP-C TEID as a parameter.

(59) The S11 S-GW GTP-C TEID may be understood as a tunnel ID for S11 interface-based communication between the MME and the S-GW. Since none of a Modify Bearer Request message and a Delete Session Request message to be described later includes an IMSI as a parameter, the S11 S-GW GTP-C TEID included in both the Modify Bearer Request message and the Delete Session Request message as a parameter may play a role in record search.

(60) The MSISDN may be subscriber identification information and may be included in the second session table as a field 12g to provide additional information about abnormal IDR packets.

(61) The ECGI and the TAI may be information used to identify a base station to which the subscriber device may be connected and may be included in the second session table as fields 12h and 12i to provide additional information about abnormal IDR packets.

(62) Various tunnel IDs (TEIDs) collected from parameters of GTP for User plane (GTP-U) protocol messages, such as an S1-U S-GW GTP-U TEID, may also be included in the second session table as a field to provide information about the abnormal IDR packets. In FIG. 5B, an S1-U S-GW GTP-U TEID field 12e may be illustrated as an example field.

(63) In response to the Create Session Request, the Create Session Response message may be transmitted from the P-GW 340 to the S-GW 330 and then from the S-GW 330 to the MME 320 (operation S302).

(64) Based on a Create Session Request message packet being found in the constructing of the session table using the collected packets (operation S120), the parameters of the Create Session Request message may be temporarily stored in the buffer. Based on a Create Session Response message packet being found, a new record including the IMSI+EBI stored in the buffer may be created based on the Create Session Response message packet corresponding to the parameters of the Create Session Request message stored in the buffer. The new record may be stored in the second session table 12 after whether a record of the same IMSI+EBI exists in the second session table 12 may be checked.

(65) In addition, in some embodiments, a new record including the IMSI+EBI field generated using the IMSI and the EBI included in the Create Session Request message transmitted from the MME 320 to the S-GW 330 may be created, and an S11 S-GW GTP-C TEID value of the new record may be obtained from the S11 S-GW GTP-C TEID parameter included in the Create Session Response message transmitted from the P-GW 340 to the S-GW 330.

(66) It may be understood that in the record of the second session table 12, the two fields IMSI+EBI 12a and S11 S-GW GTP-C TEID 12d may be required fields, and the other fields may be reference information.

(67) Referring to FIG. 7, based on a handover of the subscriber device occurring, a Modify Bearer Request message may be transmitted from the MME 320 to the S-GW 330 (operation S310). The Modify Bearer Request message may include, as parameters, an EPS bearer ID, an S11 S-GW GTP-C TEID, and an ECGI and a TAI related to a newly connected base station. In response to the Modify Bearer Request message, a Modify Bearer Response message may be transmitted from the S-GW 330 to the MME 320 (operation S311).

(68) Based on a Modify Bearer Request message packet being found in the constructing of the session table using the collected packets (operation S120), the parameters of the Modify Bearer Request message may be temporarily stored in the buffer. Based on a Modify Bearer Response message packet being found, an existing record including the S11 S-GW GTP-C TEID stored in the buffer may be searched for based on the Modify Bearer Response message packet corresponding to the parameters of the Modify Bearer Request message stored in the buffer.

(69) The values of the ECGI field 12h and the TAI field 12i of the found existing record may be updated to those included in the Modify Bearer Request message. Through this operation, each record of the second session table 12 may be updated with the latest information related to a connected cell in each session.

(70) Referring to FIG. 7, a Delete Session Request message may be transmitted from the MME 320 to the S-GW 330 based on the subscriber device getting detached from the network by, for example, cutting off the power (operation S320) and then transmitted from the S-GW 330 to the P-GW 340 (operation S321). The Delete Session Request message may include an EPS bearer ID and an S11 S-GW GTP-C TEID as parameters.

(71) In response to the Delete Session Request message, a Delete Session Response message may be transmitted from the P-GW 340 to the S-GW 330 and then from the S-GW 330 to the MME 320 (operation S322).

(72) Based on a Delete Session Request message packet being found in the constructing of the session table using the collected packets (operation S120), an existing record including the S11 S-GW GTP-C TED which may be a parameter of the Delete Session Request message may be searched for. The found existing record may be deleted from the second session table 12. It may be possible to detect a Diameter spoofing attack carried out using an IMSI of a subscriber who has already been detached or unsubscribed from the network.

(73) Until now, the operations related to constructing and updating the first session table 11 and the second session table 12 have been described. The following operations will be described by returning to FIG. 4.

(74) In operation S130, packet inspection may be started. The packet inspection may be performed in real time or may be performed in a batch manner based on a predetermined number of packets being collected.

(75) Based on a packet to be inspected being an IDR message (command code 319) of the S6a protocol, parameters of the IDR message may be inspected.

(76) In inspection of an IMSI parameter in operation S150, based on an IMSI parameter not being found in at least one of the first session table 11 and the second session table 12 may be detected, the IDR message may be determined to be an abnormal message or a dangerous message and thus added to detection information in operation S151.

(77) In inspection of an origin-host parameter and an origin-realm parameter in operation S160, based on information about a host not registered with a public institution being detected in the IDR message, the IDR message may be determined to be an abnormal message or a dangerous message and thus added to detection information in operation S161.

(78) In inspection of a flag parameter in operation S170, based on some of a bit (bit 2) indicating EPS User State Request of IDR-Flags, a bit (bit 3) indicating EPS Location Information Request and a bit (bit 4) indicating Current Location Request in the IDR message having a value of 1, the IDR message may be determined to be a dangerous DR message. Here, based on all of the bit (bit 2) indicating EPS User State Request of IDR-Flags, the bit (bit 3) indicating EPS Location Information Request and the bit (bit 4) indicating Current Location Request in the DR message having a value of 1, the IDR message may be determined to be an abnormal IDR message. The flag parameter information of the dangerous or abnormal IDR message may be added to the detection information in operation S171.

(79) Next, the detection information may be packaged in a predetermined format and then stored or transmitted to an external device in operation S180.

(80) So far, various embodiments included in the technical features of the present disclosure and effects according to the embodiments have been described. The computer readable recording medium may be, for example, a removable recording medium (CD, DVD, Blu-ray disc, USB storage device, removable hard disk) or a fixed recording medium (ROM, RAM, computer equipped hard disk). The computer program recorded on the computer readable recording medium may be transmitted to other computing device via a network such as internet and installed in the other computing device, thereby being used in the other computing device.

(81) Hereinafter, an exemplary computing device 500 that can implement an apparatus and a system, according to various embodiments of the present disclosure will be described with reference to FIG. 8.

(82) FIG. 8 is an example hardware diagram illustrating a computing device 500.

(83) As shown in FIG. 8, the computing device 500 may include one or more processors 510, a bus 550, a communication interface 570, a memory 530, which loads a computer program 591 executed by the processors 510, and a storage 590 for storing the computer program 591. However, FIG. 8 illustrates the components related to the embodiment of the present disclosure. It should be appreciated by those skilled in the art that the present disclosure may further include other general purpose components in addition to the components shown in FIG. 8.

(84) The processor 510 controls overall operations of each component of the computing device 500. The processor 510 may be configured to include at least one of a Central Processing Unit (CPU), a Micro Processor Unit (MPU), a Micro Controller Unit (MCU), a Graphics Processing Unit (GPU), or any type of processor well known in the art. Further, the processor 510 may perform calculations on at least one application or program for executing a method/operation according to various embodiments of the present disclosure. The computing device 500 may have one or more processors.

(85) The memory 530 stores various data, instructions and/or information. The memory 530 may load one or more programs 591 from the storage 590 to execute methods/operations according to various embodiments of the present disclosure. For example, based on the computer program 591 being loaded into the memory 530, the logic (or the module) as shown in FIG. 4 may be implemented on the memory 530. An example of the memory 530 may be a RAM, but is not limited thereto.

(86) The bus 550 provides communication between components of the computing device 500. The bus 550 may be implemented as various types of bus such as an address bus, a data bus and a control bus.

(87) The communication interface 570 supports wired and wireless internet communication of the computing device 500. The communication interface 570 may support various communication methods other than internet communication. To this end, the communication interface 570 may be configured to comprise a communication module well known in the art of the present disclosure.

(88) The storage 590 can non-temporarily store one or more computer programs 591. The storage 590 may be configured to comprise a non-volatile memory, such as a Read Only Memory (ROM), an Erasable Programmable ROM (EPROM), an Electrically Erasable Programmable ROM (EEPROM), a flash memory, a hard disk, a removable disk, or any type of computer readable recording medium well known in the art.

(89) The computer program 591 may include one or more instructions, on which the methods/operations according to various embodiments of the present disclosure may be implemented. Based on the computer program 591 being loaded on the memory 530, the processor 510 may perform the methods/operations in accordance with various embodiments of the present disclosure by executing the one or more instructions.

(90) Although the operations may be shown in an order in the drawings, those skilled in the art will appreciate that many variations and modifications can be made to the embodiments without substantially departing from the principles of the presently disclosed technology. The disclosed embodiments of the presently disclosed technology may be used in a generic and descriptive sense and not for purposes of limitation. The scope of protection of the presently disclosed technology should be interpreted by the following claims, and all technical ideas within the scope equivalent thereto should be construed as being included in the scope of the technical idea defined by the present disclosure.