WO2017155280A2 - Security system for SDN/NFV-based IP call service and method for operating the security system - Google Patents
Security system for SDN/NFV-based IP call service and method for operating the security system
- Publication number
- WO2017155280A2 PCT/KR2017/002448 KR2017002448W
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- security
- voip
- condition
- information
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/54—Organization of routing tables
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- the present invention relates to a security system and a security processing method for IP-based call services such as wired or wireless voice over IP (VoIP) and voice over LTE (VoLTE), and more particularly, to software-defined networking (SDN).
- the present invention relates to a technology for detecting and blocking illegal use of IP-based call services in an NFV (Network Function Virtualization) environment.
- SDN (software-defined networking) refers to a user-oriented network in which the user has control authority independent of basic network equipment such as routers or switches, and a separate software controller controls the traffic flow.
- ONF defines the interface between hardware (switch) and controller (Network OS). This is a protocol for interacting with the data plane by separating the control plane from the physical network to control how data packets are delivered through the network.
- the IETF creates working groups that define and implement standard interfaces for providing Network Security Services in network environments that use Network Functions Virtualization (NFV) as the underlying infrastructure.
- the structure and operation method of the flexible and centralized security service system in the SDN / NFV-based environment as described above have not yet been specified.
- a first object of the present invention for solving the above problems is to provide a security system for detecting and blocking illegal use of IP-based call service (VoIP or VoLTE) in the SDN and NFV environment.
- a second object of the present invention for solving the above problems is to provide a security processing method for detecting and blocking the illegal use of IP-based call services in the SDN and NFV environment.
- a third object of the present invention for solving the above problems is to generate a security policy as a predetermined information model for a security system that detects and blocks illegal use of IP-based call services in SDN and NFV environments.
- the present invention provides a method of operating a security controller that controls security functions that provide security services.
- a security service manager for setting and managing a security service policy required for use of the VoIP security service;
- a VoIP security controller for generating a predetermined information model from the security service policy received through the security service manager and transferring it to a VoIP security function;
- at least one VoIP security function providing a VoIP security service based on the information model received from the VoIP security controller.
- the security service manager may serve as an application gateway.
- the VoIP security function may be connected to at least one SDN controller managing at least one SDN switch.
- the VoIP security function interprets the information model received from the VoIP security controller and either calls an API that the SDN controller can transfer to the SDN switch, or converts it into a message conforming to the interworking standard of the SDN controller and the SDN switch and delivers it to the SDN controller.
- the information model may contain a condition for determining whether a specific operation is applied to a packet transmitted and received through a network device or a packet belonging to a specific flow, and information on the operation to be performed when the condition is satisfied.
- the condition may include a packet value condition that can be determined in a single packet and a context condition that can be determined through a session or a flow.
- the operation information may include a traffic ingress control operation, a traffic output control operation, and an advanced action for applying a function profile for controlling a security service.
- the information model may further include event information defining an application target of the condition and the operation.
- the event information may include event time information and user action information.
- the VoIP security function may operate on a virtual machine.
- a method for processing a centralized Voice over IP (VoIP) service security based on software-defined networking (SDN) is a security service manager.
- a security service manager creating a security service policy required to use the VoIP security service; Receiving a security service policy by a VoIP security function, generating the security service policy as a predetermined information model, and delivering the security service policy to at least one VoIP security function; And the at least one VoIP security function, based on the received information model, providing a VoIP security service.
- the security service manager may serve as an application gateway.
- the VoIP security function may be connected to at least one SDN controller managing at least one SDN switch.
- the method may further include the VoIP security function interpreting the information model received from the VoIP security controller and calling an API that the SDN controller can transfer to the SDN switch, or converting it into a message form conforming to the interworking standard between the SDN controller and the SDN switch and delivering it to the SDN controller.
- the information model may contain a condition for determining whether a specific operation is applied to a packet transmitted and received through a network device or a packet belonging to a specific flow, and information on the operation to be performed when the condition is satisfied.
- the condition may include a packet value condition that can be determined in a single packet and a context condition that can be determined through a session or a flow.
- the operation information may include a traffic ingress control operation, a traffic output control operation, and an advanced action for applying a function profile for controlling a security service.
- the information model may further include event information defining an application target of the condition and the operation.
- the event information may include event time information and user action information.
- a method of operating a VoIP security controller interworking with a security service manager and at least one VoIP security function includes: receiving a security service policy required for using a VoIP security service from the security service manager; generating a predetermined information model from the security service policy and transferring it to the at least one VoIP security function; and receiving, from the at least one VoIP security function, a result of executing the security service policy according to the predetermined information model.
- the information model may contain a condition for determining whether a specific operation is applied to a packet transmitted and received through a network device or a packet belonging to a specific flow, and information on the operation to be performed when the condition is satisfied.
- the condition may include a packet value condition that can be determined in a single packet and a context condition that can be determined through a session or a flow.
- the operation information may include a traffic ingress control operation, a traffic output control operation, and an advanced action for applying a function profile for controlling a security service.
- the information model may add event information defining objects to which the condition and the operation are applied.
- the event information may include event time information and user action information.
- using an information model based on SDN / NFV, illegal / malicious use of IP-based call services such as VoIP and VoLTE can be detected and blocked in real time. Because the service is provided by dynamically configuring the information model in a software-based SDN / NFV environment rather than on existing hardware-based security equipment, a centralized and flexible service can be provided at low cost.
- FIG. 1 is a schematic diagram showing the configuration of an SDN / NFV-based IP call service security system according to an embodiment of the present invention.
- FIG. 2 is a view for explaining an example of the components of the interworking information model between the VoIP security controller and VoIP security functions in the SDN / NFV-based IP call service security system according to an embodiment of the present invention.
- FIG. 3 is a diagram for describing example information for each component of an information model according to an embodiment of the present invention illustrated in FIG. 2.
- FIG. 4 is a flowchart illustrating a SDN / NFV based IP call service security processing method according to an embodiment of the present invention.
- FIG. 5 illustrates an example of components of an interworking information model between a VoIP security controller and VoIP security functions in an SDN / NFV based IP call service security system according to another embodiment of the present invention.
- FIG. 6 is a diagram for describing example information for each component of an information model according to another embodiment of the present invention illustrated in FIG. 5.
- FIG. 7 is a flowchart illustrating a method of blocking an illegal authentication attempt by detecting a dual registration pattern in an illegal authentication attempt detection of a wired (including mobile VoIP such as WiFi) terminal according to another embodiment of the present invention.
- FIG. 8 is a flowchart illustrating a method of blocking an illegal authentication attempt by detecting a dual registration pattern in detecting an illegal authentication attempt of a wireless terminal according to another embodiment of the present invention.
- FIG. 9 is a flowchart illustrating a method of blocking an illegal authentication attempt by detecting an abnormal operation pattern of an authentication expiration time in detecting an illegal authentication attempt of a VoIP and VoLTE terminal according to another embodiment of the present invention.
- first, second, A, and B may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another.
- the first component may be referred to as the second component, and similarly, the second component may also be referred to as the first component.
- the 'controller' described in the specification means a functional entity that controls related components (eg, a switch, a router, etc.) in order to control the flow of traffic. It is not limited to an implementation position.
- the controller may mean a controller function entity defined in ONF, IETF, ETSI, and / or ITU-T.
- switch refers to a functional element that substantially forwards, switches, or routes traffic (or packets), and includes switches, routers, and the like defined in ONF, IETF, ETSI, and / or ITU-T. It may mean a switch element, a router element, a forwarding element, or the like.
- the VoIP service described in the specification refers to various IP network-based voice / video call services such as wired / WiFi / VoLTE.
- FIG. 1 is a schematic diagram showing the configuration of an SDN / NFV-based IP call service security system according to an embodiment of the present invention.
- an IP call service system 100 may be configured to include a security service manager (SSM) 110, a VoIP security controller (VSC) 120, and at least one VoIP security function (VSF; 130-1, ..., 130-N).
- the IP call service system 100 may include a wired / WiFi VoIP service network 210, a core network 220, and a wireless VoLTE service network 230.
- each service network may include a plurality of switches.
- the wired / WiFi VoIP service network 210 and the wireless VoLTE service network 230 are each connected to the core network 220.
- the security service manager 110 may serve as an application gateway for setting and managing a security service policy and / or control conditions necessary for a user or an administrator to use the VoIP security service.
- a user or an administrator may request a security service policy to be used through a user interface screen or a command-line interface (CLI) through the security service manager 110.
- the VoIP security controller 120 generates a predefined information model from the security service policy received through the security service manager 110 and delivers it to at least one of the VoIP security functions 130-1, ..., 130-N, so that the VoIP security functions can apply it, via the SDN controllers 140-1, ..., 140-M, to the switches controlled by those SDN controllers.
- This information model defines a comparison condition for applying a specific action to a packet transmitted and received through a network device (such as a switch) or to a packet belonging to a specific flow, and an operation procedure for how to perform the action when the condition is satisfied.
- the VoIP security controller 120 makes the judgments needed for VoIP security service operations, such as those concerning a changed calling number and detecting / blocking a device used for hacking, on the packets delivered by the VoIP security functions through the information model. As illustrated in FIG. 1, one VoIP security controller may be connected to one or more VoIP security controllers.
- the VoIP security functions 130-1,..., 130 -N interpret the information model received from the security controller 120 to provide an actual VoIP security service.
- Each of the VoIP security functions takes the information model received from the security controller 120 and either calls an API that the SDN controllers 140-1, ..., 140-M can transfer to the SDN switches, or converts it into a message conforming to the interworking standard between the two and delivers it to the SDN controllers 140-1, ..., 140-M.
- the VoIP security function may be implemented on an independent hardware server, or may be implemented on a virtual machine (VM) in a cloud environment. As illustrated in FIG. 1, one VoIP security function may be connected with one or more SDN controllers.
- the SDN controllers 140-1, ..., 140-M refer to functional entities that control related components (e.g. switches, routers, etc.) to control the flow of traffic. It may mean various kinds of controllers such as controller function entities defined in IETF, ETSI and / or ITU-T.
- a network device is a functional element that substantially forwards, switches, or routes traffic (or packets or flows), and may be a switch, a router, a switch element, a router element, or a forwarding element defined in ONF, IETF, ETSI, and / or ITU-T.
- FIG. 2 is a view for explaining an example of the components of the interworking information model between the VoIP security controller and VoIP security functions in the SDN / NFV-based IP call service security system according to an embodiment of the present invention.
- the information model according to an embodiment of the present invention may be configured to include all or part of four types of information of policy, rule, condition, and action.
- the policy and the rules belonging to the policy, the conditions and the operation belonging to the rules may have a hierarchical structure.
- policy 310 defines a security service policy at the service level.
- the policy may be a unit security service such as an intrusion prevention system (or, service), an intrusion detection system (or, service), a web filter, etc.
- the VoIP / VoLTE security policy may correspond to this policy
- a policy may be defined including a name of a policy, an identifier of the policy, and the like.
- the rule 320 identifies matching conditions for determining whether a specific operation is performed on the traffic / flow, and an action performed on the corresponding traffic and flow when the condition is satisfied.
- one or more rules may be defined in one policy.
- detection and control of 'VoIP / VoLTE account theft', 'calling number alteration', and 'sending a large number of messages' are examples of rules.
- one rule may comprise at least one condition and at least one action. That is, the conditions may mean a matching condition for determining whether to perform a corresponding operation, and the operation may mean an operation procedure performed when the corresponding condition is satisfied.
- a condition included in a rule is a set of one or more conditions for determining whether a particular rule is satisfied.
- condition 330 may be divided into a packet value condition and a context condition.
- packet value conditions are conditions that can be determined in a single packet.
- examples are MAC (medium access control), VLAN (virtual LAN), source and destination IP address, source and destination port, packet header / payload value, etc.
- the context condition (also called the situation condition) is a condition related to a context that can be determined through a session or a flow.
- it may include the call state (such as call attempt, call cancellation, in call, and call termination), the local location, etc.
- the priority, an additional information element, indicates which rule's operation is applied when the comparison condition is satisfied for a plurality of rules.
- Operation 340 defines a method of processing for packets or flows for which a comparison condition is satisfied.
- An action may be divided into a basic action and an advanced action.
- the basic operation may mean a simple control operation such as packet blocking, passing, copying, etc.
- the advanced action (also called the application operation) may mean application of a function profile for controlling a security service.
- the application operation may include a VoIP / VoLTE security profile, an IPS operation profile, a URL filtering profile, an anti-virus file, and the like.
- FIG. 3 is a diagram for describing example information for each component of an information model according to an embodiment of the present invention illustrated in FIG. 2.
- the packet value condition 331 may include all or part of the following: a call packet's origin / destination IP address, origin / destination port number, outgoing call number, the session's call-id type (length, letter / number, domain representation, etc.), the header fields (From, To, Via, Cseq, etc.) of the call signaling message, and the Session Description Protocol (SDP) information indicating voice / video call session information.
- the context condition 332 may include, in whole or in part, call state information (call attempt, busy, call termination, call failure, etc.), subscriber terminal model information (OS version, manufacturer information, etc.), and source IP location information (business the IP is assigned to, country, etc.).
- the priority indicates the priority of the rule to which the operation should be applied when there are a plurality of rules that satisfy the condition.
- the basic action may include, when the condition is satisfied, an operation of allowing the packet, an operation of blocking the packet, and an operation of copying the packet and delivering it to the VoIP security controller 120.
- an advanced action may include a call control operation according to the call state, and a VoIP / VoLTE security profile application operation by which the network device can directly determine whether to block or allow traffic without additional control by the VoIP security controller 120 or the VoIP security functions 130-1, ..., 130-N.
- FIG. 4 is a flowchart illustrating a SDN / NFV based IP call service security processing method according to an embodiment of the present invention.
- the security service manager 110 transmits a security service policy application command message including the VoIP security service policy to the VoIP security controller 120 (S410).
- the message includes a security service policy set by a user or an administrator through a user interface screen or a command line interface.
- the security service policy may include changing a calling number, scanning a device / device for hacking, sending a large amount of messages such as a DDOS attack, and detecting / blocking account theft.
- the VoIP security controller 120 generates an information model for performing the security service policy received from the security service manager 110 (S420), and transfers the generated information model to the VoIP security functions 130 (S430).
- the range of VoIP security functions that receive the information model may vary depending on the target to which the information model is applied.
- the information model defines a condition for applying a specific operation to a packet transmitted and received through a network device (switch, etc.) or to a packet belonging to a specific flow, and the operating procedure for how to perform the operation when the condition is satisfied.
- the VoIP security function 130 that has received the information model from the VoIP security controller 120 interprets the received information model and calls an API (e.g., OpenFlow) of the SDN controller 140 through which the actual VoIP security service can be provided.
- alternatively, the VoIP security function may convert the interpreted information model into a message format conforming to a predetermined interworking standard with the SDN controller and deliver it.
- the SDN controller 140 checks the API (or message) requested by the VoIP security function 130, converts it into an interface (OpenFlow, NetConf, etc.) that the network device 150 can understand, and delivers it to the network device 150 (S460).
- the network device 150 generates a flow table or the like according to the command transmitted from the SDN controller 140, monitors whether a packet matching the condition arrives, and, if a packet meets the condition, performs control such as blocking, permitting, or forwarding it (S470).
- the network device 150, the SDN controller 140, the VoIP security function 130, and the VoIP security controller 120 may deliver the results according to the received request to the upper layer, respectively (S481, S482, S483, S484).
- braces {} in square brackets [] are used to distinguish the condition information from the operation information.
- the parentheses () in braces indicate details of the information model. If the parentheses are null, this means that they are not applicable.
- the VoIP security controller 120 conveys to the VoIP security function 130 an information model defining rule 1 and rule 2 below, so that the VoIP security function 130 copies and forwards the corresponding signaling packet when the call is in the call attempt or call connection state.
- the service port of outgoing or incoming packet is designated as 5060.
- port number 5060 is an example; enter the port value actually used by the call service.
- Priority 1000 (in one embodiment, a lower value is a higher priority)
- rule 2 covers a call whose state changes from call attempt to busy while the VoIP security controller 120 is still determining, according to rule 1, whether the number has been altered, that is, before the VoIP security function 130 has applied rule 3 (described later) to block the call. If a call message (200 OK, etc.) indicating the change to the busy state occurs, it is transmitted to the VoIP security controller 120, so that even such a call with an altered outgoing number can be blocked.
- the VoIP security controller 120 extracts the source IP address (IP_1), the caller ID (From URI number, caller ID_1), and the display name (Caller-ID, CID_1) from the signaling packet copied and transmitted from the VoIP security function 130, and compares the display name with the one the subscriber applied for when the service was opened. If they match, the call is normal and the copied packet is discarded; if they differ, it generates rule 3 to terminate the call and delivers it to the VoIP security function 130.
- the VoIP security function 130 blocks packets whose source IP is IP_1, source number is calling number_1, and display name is CID_1. Since rule 3 has a priority of 100, rule 3 has priority over rule 1 and rule 2 having a priority of 1000.
- by applying the VoIP / VoLTE security profile, which is an application operation, IP_1 and CID_1 are added to the block list, so that if a call is later attempted with that IP and CID_1, it can be blocked immediately at the network device without control by the VoIP security controller and the VoIP security function.
- in addition to forwarding rule 3 to the VoIP security function 130, the VoIP security controller 120, in order to block a call that is already connected and busy, generates rule 4, whose context comparison condition is the call state “Calling”, and forwards it to the VoIP security function 130 so that the call can be blocked using a message.
- through the call control operation, which is the application operation of rule 4, the VoIP security function 130 generates a signaling message (BYE, etc.) to block the call, transmits it to the source IP and to the exchange equipment that was processing the call, and ends the call.
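The priority handling in this calling-number case, as an added Python sketch (not code from the patent): a policy holds rules made of a packet value condition, a context condition and a basic action, and the matching rule with the lowest priority value wins. The class and field names, the default of allowing unmatched packets, the treatment of unknown numbers as mismatches, and the sample addresses, number and display names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SignalingPacket:
    """Fields a VSF would read from one signaling packet (constructed model)."""
    src_ip: str
    port: int
    from_number: str    # From URI number (calling number)
    display_name: str   # Caller-ID (CID)
    call_state: str     # context: "attempt", "connected", "terminated", ...


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                            # lower value = higher priority
    packet_cond: tuple = ()                  # packet value condition: ((field, value), ...)
    context_states: frozenset = frozenset()  # context condition; empty = not applicable
    action: str = "allow"                    # basic action: allow | block | copy_to_vsc

    def matches(self, pkt):
        if any(getattr(pkt, name) != value for name, value in self.packet_cond):
            return False
        return not self.context_states or pkt.call_state in self.context_states


@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)

    def decide(self, pkt):
        """Return (rule name, action) of the highest-priority matching rule."""
        hits = [r for r in self.rules if r.matches(pkt)]
        if not hits:
            return (None, "allow")           # assumption: unmatched traffic passes
        best = min(hits, key=lambda r: r.priority)
        return (best.name, best.action)


def controller_check(pkt, subscribed_names):
    """VSC-side check of a copied packet: return a blocking rule 3, or None."""
    # Assumption: a number with no subscriber record counts as a mismatch.
    if subscribed_names.get(pkt.from_number) == pkt.display_name:
        return None                          # normal call: copied packet is discarded
    return Rule("rule3", 100,
                (("src_ip", pkt.src_ip), ("from_number", pkt.from_number),
                 ("display_name", pkt.display_name)),
                frozenset(), "block")


def build_policy():
    """Rules 1 and 2: copy signaling on port 5060 during attempt / connection."""
    return Policy("voip-volte-security", [
        Rule("rule1", 1000, (("port", 5060),), frozenset({"attempt"}), "copy_to_vsc"),
        Rule("rule2", 1000, (("port", 5060),), frozenset({"connected"}), "copy_to_vsc"),
    ])


# Constructed sample data (documentation address ranges, made-up subscriber).
SUBSCRIBED = {"07000000001": "Alice Kim"}
SPOOFED = SignalingPacket("192.0.2.10", 5060, "07000000001", "Bank Helpdesk", "attempt")
GENUINE = SignalingPacket("198.51.100.7", 5060, "07000000001", "Alice Kim", "attempt")


def demo():
    policy = build_policy()
    before = policy.decide(SPOOFED)          # only rules 1 and 2 are installed
    for pkt in (SPOOFED, GENUINE):
        rule3 = controller_check(pkt, SUBSCRIBED)
        if rule3 is not None:
            policy.rules.append(rule3)       # VSC delivers rule 3 to the VSF
    return before, policy.decide(SPOOFED), policy.decide(GENUINE)


if __name__ == "__main__":
    print(demo())
```
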
- the VoIP security controller 120 passes the following rule 1 and rule 2 to the VoIP security function 130, so that the VoIP security function 130 copies and transmits the corresponding signaling packet on a call attempt or authentication (SIP register, etc.).
- context information: SIP Options, etc.
- the service port of outgoing or incoming packet is designated as 5060.
- port number 5060 is an example; enter the port value actually used by the call service.
- Default Action: Copy the packet and forward it to the VoIP security controller.
- Default Action: Copy the packet and forward it to the VoIP security controller.
- the VoIP security controller 120 extracts the source IP address (IP_1) and source number (From URI number, source number_1) from the signaling packet copied and transferred from the VoIP security function 130. Because a hacker can send messages to a large number of terminals / devices during scanning, similar messages may be transferred from a plurality of VoIP security functions 130 to the VoIP security controller 120. Accordingly, the VoIP security controller 120 may determine scanning by integrating the messages transmitted from one or more VoIP security functions 130. For each VSF, the VoIP security controller 120 accumulates the count for each source IP address (IP_1) and source number (From URI number, source number_1) per cycle time (seconds / minutes, etc.) and sums the counts. If the value exceeds the set threshold, it is determined to be a scanning attempt. There are two control operation methods for a case determined to be scanning.
- the first method generates rule 3 to block the packet of the call with the source IP_1 and the source number_1 and delivers it to the VoIP security function 130.
- the second method may pass the Session Description Protocol (SDP) of the call determined by scanning to the VoIP security function 130 to add it to the VoIP / VoLTE security profile and immediately block it at the network device.
- the VoIP security function 130 blocks all packets for the call whose source IP is IP_1 and whose caller ID is caller ID_1.
- the call can be blocked immediately at the network device without control by the VoIP security controller and the VoIP security function.
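The scanning decision described above, as an added Python sketch (not code from the patent): the controller keeps one counter per VSF for each (source IP, source number) pair in the current cycle and flags the source once the sum over all VSFs exceeds the threshold. The class name, the fixed-window cycle, the 60-second cycle, the threshold of 10 and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict


class ScanDetector:
    """VSC-side counter for copied signaling packets reported by VSFs."""

    def __init__(self, cycle_seconds, threshold):
        self.cycle_seconds = cycle_seconds
        self.threshold = threshold
        # (cycle index, src_ip, src_number) -> {vsf_id: count}
        self.counts = defaultdict(lambda: defaultdict(int))

    def report(self, vsf_id, timestamp, src_ip, src_number):
        """Record one copied packet; True once the summed count exceeds the threshold."""
        cycle = int(timestamp // self.cycle_seconds)
        # Drop counters of earlier cycles so state stays bounded.
        for key in [k for k in self.counts if k[0] < cycle]:
            del self.counts[key]
        per_vsf = self.counts[(cycle, src_ip, src_number)]
        per_vsf[vsf_id] += 1
        # Sum over every VSF: a scan spread thinly across VSFs still adds up here.
        return sum(per_vsf.values()) > self.threshold


def find_scanners(events, cycle_seconds=60, threshold=10):
    """Replay (vsf_id, timestamp, src_ip, src_number) events in time order.

    Returns {(src_ip, src_number): timestamp of the packet that crossed the threshold}.
    """
    detector = ScanDetector(cycle_seconds, threshold)
    flagged = {}
    for vsf_id, ts, src_ip, src_number in events:
        hit = detector.report(vsf_id, ts, src_ip, src_number)
        if hit and (src_ip, src_number) not in flagged:
            flagged[(src_ip, src_number)] = ts
    return flagged


# Constructed sample: one source sends 4 messages through each of 3 VSFs within
# a single cycle (12 in total); a second source sends 2 messages.
SCANNER = ("192.0.2.10", "07000000001")
BENIGN = ("198.51.100.7", "07000000002")
SAMPLE_EVENTS = sorted(
    [(f"vsf-{j + 1}", 100 + 3 * i + j, *SCANNER) for i in range(4) for j in range(3)]
    + [("vsf-1", 105.5, *BENIGN), ("vsf-2", 111.5, *BENIGN)],
    key=lambda event: event[1],
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE_EVENTS))
    # The same traffic seen by one VSF alone stays under the threshold.
    print(find_scanners([e for e in SAMPLE_EVENTS if e[0] == "vsf-1"]))
```

Each flagged pair is what the controller would then turn into rule 3 or add to the VoIP / VoLTE security profile, per the two methods in the text.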
- FIG. 5 illustrates an example of components of an interworking information model between a VoIP security controller and VoIP security functions in an SDN / NFV based IP call service security system according to another embodiment of the present invention.
- An information model according to another embodiment of the present invention may be configured to include all or part of five pieces of information: a policy, a rule, an event, a condition, and an action.
- The policies, the rules belonging to the policies, and the events, conditions, and actions belonging to the rules may take a hierarchical structure.
- The difference between the information model illustrated in FIG. 2 and the information model illustrated in FIG. 5 is that the information model illustrated in FIG. 5 further includes event information and differs somewhat in the definition of operation information.
- Policy 510 defines a security service policy at the service level.
- The policy may be a unit security service such as IPS, IDS, web filter, IP call security, and so on.
- The VoIP / VoLTE security policy may correspond thereto.
- A policy may be defined including a name of the policy, an identifier of the policy, and the like.
- The rule 520 may include matching conditions 540 for detecting a specific policy and an action 550 performed on the corresponding traffic and flow when the condition is satisfied. It may also include an event 530 that defines the target of the condition and the action.
- One or more rules may be defined in one policy. In the present embodiment, detection and control of 'illegal authentication attempt through VoIP / VoLTE account theft', 'change of calling number', and 'change of authentication expiration time' may each be a rule.
- One rule may comprise at least one event, at least one condition and at least one action.
- The event specifies the main targets on which to operate by comparing the conditions.
- A condition refers to a condition for determining whether to perform the corresponding operation.
- An operation may refer to the operation procedure performed when the corresponding condition is satisfied.
- A condition included in a rule is a set of one or more conditions for determining whether a particular rule is satisfied.
- An event 530 may be divided into an event time and a user action.
- The event time means information on the time of occurrence of an event (e.g., authentication or call), and the user action means an action (i.e., event) performed by the user (e.g., terminal registration / authentication and call origination / reception).
- Condition 540 may be divided into a packet value condition and a context condition.
- Packet value conditions are conditions that can be determined from a single packet, for example MAC (medium access control), VLAN (virtual LAN), source and destination IP address, source and destination port, packet header / payload value, etc.
- The context (situation) condition is a condition related to a context that can be determined through a session or a flow.
- The location information (geographic location or country unit) of the terminal IP at authentication attempt, authentication, and call may be included.
- The priority, an additional information element of the condition 540, indicates the priority of the rule whose operation is applied when a plurality of rules satisfy the comparison.
- Operation 550 defines the processing method for packets or flows that meet the condition.
- The operation may be classified into a traffic ingress control operation, a traffic output control operation, and an application operation.
- A traffic ingress control operation is a control operation for traffic entering a specific network device, such as packet accepting, blocking, and copying.
- The traffic output control operation is a control operation for traffic output to a specific network device, such as packet forwarding.
- The application operation may mean the application of a function profile that controls security services other than ingress / output control of traffic.
- The application operation may include a VoIP / VoLTE security profile, an IPS operation profile, a URL filtering profile, an anti-virus file, and the like.
- Operation information is divided into a basic operation and an application operation.
- In the information model according to the embodiments described with reference to FIGS., operations are classified into a traffic ingress control operation, a traffic output control operation, and an application operation.
- The traffic ingress control operation and the traffic output control operation may be understood as a further subdivision of the basic operation.
- FIG. 6 is a diagram for describing example information for each component of an information model according to another embodiment of the present invention illustrated in FIG. 5.
- An event may be divided into an event time and a user action as mentioned above.
- The authentication time may include authentication / call time information.
- The user operation 632 may include terminal registration / authentication and call origination / reception.
- The packet value condition 6411 may include all or part of the following: the originating / destination IP address of the call packet, the originating / destination port number, the calling telephone number, the call-id type of the session (length, letter / number, domain representation, etc.), the header order of the call signaling message (From, To, Via, Cseq, etc.), and the Session Description Protocol (SDP) indicating the voice / video call session information.
- Situation condition 642 may include all or part of the following: call status information (call attempt, busy, call termination, call failure, etc.), subscriber terminal model information (OS version, manufacturer information, etc.), source IP location information (assigned IP provider, country, etc.), authentication expiration time, dual registration status, and cell location information.
- Priority indicates the priority of a rule to which an action should be applied when there are a plurality of rules that satisfy a condition.
- The traffic ingress control operation 651 may include an operation of allowing the corresponding packet, an operation of blocking the packet, and an operation of mirroring it when the condition is satisfied.
- The traffic output control operation 652 may include copying the packet and then mirroring the packet to the VoIP security controller 120.
- The application operation 653 may include an operation performed when authentication fails, a call control operation by call status according to the above situation condition, and a VoIP / VoLTE security profile application operation by which the network device determines whether to block or allow traffic directly, without the VoIP security controller 120 or the VoIP security functions 130-1, ..., 130-N.
- Except that event information is added to the information model and that the type of specific information included in the information model varies depending on the application purpose, the method is not significantly different from the method according to the embodiment described with reference to FIG. 4.
- The SDN / NFV based IP call service security processing method according to another embodiment of the present invention will now be described.
- The security service manager 110 transmits a security service policy application command message including the VoIP security service policy to the VoIP security controller 120 (S410).
- The message includes a security service policy set by a user or an administrator through a user interface screen or a command line interface.
- The security service policy may include authentication attempts, location information of the terminal IP during authentication and call, change of calling number, scanning of terminals / devices for hacking, sending of a large amount of messages such as a DDoS attack, and detection and blocking of account theft.
- The VoIP security controller 120 generates an information model for performing the security service policy received from the security service manager 110 (S420), and transmits the generated information model to the VoIP security functions 130 (S430).
- The range of VoIP security functions that receive the information model may vary depending on the target to which the information model is applied.
- The information model defines events and conditions for applying specific operations to packets transmitted and received through network devices (switches, routers, etc.) and to packets belonging to a particular flow, together with an operation procedure for how to perform the action.
- The VoIP security function 130 that has received the information model from the VoIP security controller 120 interprets the received information model and requests an API (e.g., OpenFlow) of the SDN controller 140 that can provide a practical VoIP security service.
- The interpreted information model may also be delivered after being converted into a message format conforming to a predetermined interworking standard between the VoIP security function and the SDN controller.
- The SDN controller 140 checks the API (or message) requested by the VoIP security function 130, converts it into an interface (OpenFlow, NetConf, etc.) that the network device 150 can understand, and may deliver it to the network device 150 (S460).
- The network device 150 generates a flow table or the like according to the command transmitted from the SDN controller 140, monitors whether a packet matching the condition arrives, and, if a packet meets the condition, performs control such as blocking, permission, and forwarding (S470).
- The network device 150, the SDN controller 140, the VoIP security function 130, and the VoIP security controller 120 may each deliver the result of the received request to the upper layer (S481, S482, S483, S484).
- According to Rule 1 below, when an authentication attempt event occurs at a terminal, the VoIP security controller 120 may set a rule so that the corresponding signal packet is copied (mirrored) and only the copied packet is delivered to the VoIP security controller 120.
- The original packet may be delivered along the routing path, so that the call service proceeds without signal delay.
- Alternatively, a rule may be set so that the packet is transmitted to the VoIP security controller 120 as it is, without copying, and the call / authentication flow is set up only in the case of a normal call / authentication.
- Rule 1 may be interpreted to mean:
- Event time: Event occurrence time (terminal authentication attempt time in this example)
- Rule 2 blocks immediately when the authentication attempt message is received from an IP address, port value, terminal type, etc. designated in the black list, or when the authentication expiration time is less than the threshold value. Because such a message is an illegal authentication attempt, this rule applies a packet blocking policy in traffic ingress control. Therefore, Rule 2 may be defined in the following form according to the defined information model.
- Event time: Time of occurrence (time of terminal authentication attempt in this application)
- Packet value condition: IP, port, authentication expiration time value, and condition value corresponding to the terminal type stored in the black list, among authentication messages
- From the packet copied to the VoIP security controller 120, according to Rule 1 above, from a network device in a network area (such as a cloud area such as a data center, or an SDN control area) managed by the VoIP security function 130, the VoIP security controller 120 may extract the base station ID (cell-id, Cell_1), source IP address (IP_1), port number (port_1), caller ID (From URI number, caller ID_1), authentication expiration time (expire time, ET_1), and display name (Caller-ID, CID_1) to determine whether the attempt is a normal authentication, and control may be determined according to the result.
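One way a VoIP security function could interpret the information model of FIG. 5 for Rules 1 and 2, as an added example rather than the patent's own format: the model is laid out policy, then rules, then event / condition / action, and the highest-priority matching rule decides. The key names, operators, "smaller number wins" priority convention and all sample values are assumptions constructed for illustration.

```python
# Constructed model instance: policy -> rules -> event / condition / action.
MODEL = {
    "policy": {"id": "policy-voip-1", "name": "VoIP / VoLTE security"},
    "rules": [
        {"name": "Rule 1", "priority": 20,
         "event": {"user_action": "authentication"},
         # Empty "all" group: every authentication attempt matches.
         "condition": {"packet_value": {"all": []}},
         "action": {"type": "traffic_output", "do": "mirror_to_controller"}},
        {"name": "Rule 2", "priority": 10,
         "event": {"user_action": "authentication"},
         "condition": {"packet_value": {"any": [
             {"field": "src_ip", "op": "in", "value": ["203.0.113.7"]},
             {"field": "src_port", "op": "in", "value": [50999]},
             {"field": "user_agent", "op": "in", "value": ["scanner-x"]},
             {"field": "expires", "op": "lt", "value": 60}]}},
         "action": {"type": "traffic_ingress", "do": "block"}},
    ],
}

OPS = {
    "eq": lambda field_value, wanted: field_value == wanted,
    "in": lambda field_value, wanted: field_value in wanted,
    "lt": lambda field_value, wanted: field_value < wanted,
}


def _check(cond, rule_name):
    for group in ("all", "any"):
        if group in cond:
            for child in cond[group]:
                _check(child, rule_name)
            return
    if "field" not in cond or cond.get("op") not in OPS:
        raise ValueError(f"{rule_name}: malformed condition {cond!r}")


def validate(model):
    """Reject a model the function cannot interpret before anything is installed."""
    for rule in model["rules"]:
        for key in ("name", "priority", "event", "condition", "action"):
            if key not in rule:
                raise ValueError(f"{rule.get('name', '?')}: missing {key}")
        _check(rule["condition"]["packet_value"], rule["name"])


def matches(cond, packet):
    """Evaluate a packet value condition against the fields of one packet."""
    if "all" in cond:
        return all(matches(child, packet) for child in cond["all"])
    if "any" in cond:
        return any(matches(child, packet) for child in cond["any"])
    if cond["field"] not in packet:
        return False          # an absent header never satisfies a condition
    return OPS[cond["op"]](packet[cond["field"]], cond["value"])


def decide(model, user_action, packet):
    """Return (rule name, operation) of the winning rule, or None if no rule applies."""
    hits = [rule for rule in model["rules"]
            if rule["event"]["user_action"] == user_action
            and matches(rule["condition"]["packet_value"], packet)]
    if not hits:
        return None
    best = min(hits, key=lambda rule: rule["priority"])   # assumption: smaller wins
    return best["name"], best["action"]["do"]


if __name__ == "__main__":
    validate(MODEL)
    normal = {"src_ip": "198.51.100.20", "src_port": 5060,
              "user_agent": "deskphone", "expires": 3600}
    print(decide(MODEL, "authentication", normal))
    print(decide(MODEL, "authentication", dict(normal, expires=5)))
```

A blacklisted or short-expiry authentication attempt matches both rules; the priority element is what makes the block of Rule 2 win over the mirror of Rule 1.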
- FIG. 7 is a flowchart illustrating a method of blocking an illegal authentication attempt by detecting a dual registration pattern in an illegal authentication attempt detection of a wired (including mobile VoIP such as WiFi) terminal according to another embodiment of the present invention.
- The process of detecting an illegal authentication attempt by detecting a dual registration pattern of a wired (including mobile VoIP such as WiFi) terminal is as follows.
- The VoIP security controller 120 may extract the originating IP (IP2) and the originating number (From number) from the authentication attempt packet copied / delivered from the network device (S710).
- The inquiry result of step S720 is determined (S730). If the extracted calling number does not exist in the authentication DB, the terminal that sent the authentication attempt packet is determined to be a terminal requesting authentication for the first time, due to a new subscription or the like, and is added to the authentication DB (S740). If the extracted calling number is found in the authentication DB, the next step determines whether the registration is a dual registration.
- The originating IP (IP2) of the current authentication request packet is compared with the originating IP (e.g., IP1) that previously sent an authentication request message for the corresponding number (S750). If both are the same, it is determined that the message is a re-authentication request message sent periodically according to the authentication period of the authentication expiration time value (ET1), with no movement of the terminal (e.g., IP change, etc.), and the next process is performed.
- In step S750, when it is determined that the originating IP (IP2) of the current authentication request packet does not match the originating IP (IP1) that previously sent a request for the corresponding number, ET2 (the authentication expiration time value of the current authentication request message) and ET1 (the authentication expiration time value of the previous authentication request message) are each extracted in order to determine whether this is a normal terminal move (e.g., IP change) or a fraudulent authentication attempt (S760).
- In step S770, when an authentication request message flows in from IP1 within the ET1 time range, the existing terminal can be seen to remain in place without changing its location. In this case, the authentication request message arriving from IP2 may be determined to be an authentication attempt by another terminal or device for fraudulent use, through hacking or the like.
- When the authentication request message flows in from IP1 within the ET1 time range in step S770, the authentication request message from IP2 is determined to be a fraudulent authentication request, and the authentication request from IP2 is blocked or the previous authentication is successfully processed.
- The authentication IP of the terminal number in the authentication DB is maintained as IP1.
- For blacklist IP management, the IP2 (or port (port2), authentication expiration time value (ET2), terminal type (UserAgent2) value, or a combination of these values) from which a fraudulent authentication attempt was made can be stored / managed in the blacklist candidate DB. If the authentication or call attempts from IP2 exceed a certain number, it can be added to the blacklist information. Once it is added to the blacklist DB, authentication or call attempt messages coming from IP2 (or port (port2), authentication expiration time value (ET2), terminal type (UserAgent2) value, or a combination of these values) are all blocked by Rule 2.
- In step S770, if no authentication request message flows in from IP1 within the ET1 time range, it is determined that the IP of the terminal has normally moved from IP1 to IP2 (or been changed by DHCP, etc.), and the authentication request message arriving from IP2 is processed normally (S790); the authentication IP of the corresponding terminal number is thereafter managed as IP2 in the authentication DB.
- The VoIP security function 130 may notify the security controller 120 that an unauthorized authentication attempt has occurred at IP2 in order to block the authentication request and the call request message flowing from IP2.
- The security controller 120 may transfer the following Rules 3 and 4 to the VoIP security function 130 to block authentication and calls attempted from IP2 in the VoIP security function 130.
- Packet value condition: Condition value for authentication messages whose source IP corresponds to IP2 (or port (port2), authentication expiration time value (ET2), terminal type (UserAgent2) value, or a combination of these values)
- Packet value condition: Condition value for call messages whose source IP corresponds to IP2 (or port (port2), authentication expiration time value (ET2), terminal type (UserAgent2) value, or a combination of these values)
- FIG. 8 is a flowchart illustrating a method of blocking an illegal authentication attempt by detecting a dual registration pattern in detecting an illegal authentication attempt of a wireless terminal according to another embodiment of the present invention.
- The process of detecting an illegal authentication attempt by detecting a dual registration pattern of a wireless terminal is as follows.
- Based on Rule 1 described above, the VoIP security controller 120 may extract the base station ID (base station code value, SIP P-Access-Network-Info header value, Cell-ID2) and the calling number (From number) from the authentication attempt packet copied and forwarded from the network device (S810).
- The search result of step S820 is determined (S830). If the extracted calling number does not exist in the authentication DB, the terminal that sent the authentication attempt packet is determined to be a terminal requesting authentication for the first time, due to a new subscription or the like; it is added to the authentication DB and authentication is performed (S840). If the extracted calling number is found in the authentication DB, the next step determines whether the registration is a dual registration.
- The base station ID (Cell-ID2) of the current authentication request message is compared with the base station ID (Cell-ID1) from which an authentication request message for the corresponding number was previously sent (S850). If both are the same, it is determined that the message is a re-authentication request message sent periodically according to the authentication period of the authentication expiration time value (ET1), with no movement of the terminal (i.e., base station change; handover), and the next processing proceeds.
- In step S850, if it is determined that the base station ID (Cell-ID2) of the current authentication request message and the base station ID (Cell-ID1) of the previous authentication request message do not match, it is normal terminal movement (base station change) or negative.
- ET1 expiration time value of current authentication request message
- ET2 authentication expiration time value of previous authentication request message
- In the case of normal terminal movement, the authentication request message no longer arrives from the existing base station (Cell-ID1) and arrives only from the new base station (Cell-ID2).
- When the authentication request message is sent, it is checked whether an authentication request message flows in from Cell-ID1 within the ET1 time range (S870).
- In step S870, when an authentication request message is transmitted from Cell-ID1 within the ET1 time range, the existing terminal can be seen to remain in place without changing its location. In this case, the authentication request message arriving from Cell-ID2 may be determined to be an authentication attempt by another terminal or device for fraudulent use, through hacking or the like.
- The authentication request message from Cell-ID2 is determined to be a fraudulent authentication request, and the authentication request from Cell-ID2 is blocked; if authentication has already succeeded, it is blocked by transmitting an authentication failure message (S880).
- If no authentication request message is transmitted from Cell-ID1 within the ET1 time range in step S870, it is determined that the base station ID of the terminal has normally changed from Cell-ID1 to Cell-ID2, and the authentication request message arriving from Cell-ID2 is processed normally (S890); the authentication base station ID of the corresponding terminal number is thereafter managed as Cell-ID2 in the authentication DB.
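The dual registration check of FIG. 7 and FIG. 8 as one added example (not code from the patent), with the "location" being the source IP for wired terminals and the Cell-ID for wireless ones. Taking the ET1 window to end at the old location's last request plus ET1, holding the new location's request as "pending" until then, and the candidate counter setting are assumptions; the traces are constructed.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    location: str      # source IP (FIG. 7) or base station Cell-ID (FIG. 8)
    expires: int       # authentication expiration time ET, in seconds
    last_seen: float   # arrival time of the latest request from this location


class DualRegistrationDetector:
    def __init__(self, blacklist_after=2):
        self.auth_db = {}      # calling number -> Binding (the authentication DB)
        self.pending = {}      # calling number -> (claimed Binding, deadline)
        self.candidates = {}   # flagged location -> attempts seen since flagging
        self.blacklist = set()
        self.blacklist_after = blacklist_after   # hypothetical operator setting

    def settle(self, now):
        """Close claims whose old location stayed silent for all of ET1."""
        for number, (claim, deadline) in list(self.pending.items()):
            if claim.location in self.blacklist:
                del self.pending[number]       # never promote a blacklisted source
            elif now > deadline:
                self.auth_db[number] = claim   # S790 / S890: normal move
                del self.pending[number]

    def on_auth_request(self, ts, number, location, expires):
        self.settle(ts)
        if location in self.candidates:        # blacklist candidate DB
            self.candidates[location] += 1
            if self.candidates[location] > self.blacklist_after:
                self.blacklist.add(location)
        if location in self.blacklist:
            return "blocked"                   # what Rule 2 enforces at the device
        known = self.auth_db.get(number)       # S720-S730 / S820-S830
        if known is None:
            self.auth_db[number] = Binding(location, expires, ts)   # S740 / S840
            return "first-registration"
        if location == known.location:         # S750 / S850: no movement
            known.expires, known.last_seen = expires, ts
            claim = self.pending.pop(number, None)
            if claim is not None:
                # S770 / S870 "yes": the old location is still alive inside ET1,
                # so the other location's claim is fraudulent (S780 / S880).
                self.candidates.setdefault(claim[0].location, 0)
            return "re-authentication"
        # Location differs (S760): wait until ET1 has run out at the old location.
        # A deployment may instead admit the request and revoke it later.
        deadline = known.last_seen + known.expires
        self.pending[number] = (Binding(location, expires, ts), deadline)
        return "pending"


# Constructed traces: (time in s, calling number, location, ET in s).
WIRED_THEFT = [
    (0,    "0701112222", "198.51.100.20", 3600),
    (1800, "0701112222", "198.51.100.20", 3600),
    (2000, "0701112222", "203.0.113.7",   3600),   # second location appears
    (3600, "0701112222", "198.51.100.20", 3600),   # original terminal re-registers
]
WIRELESS_MOVE = [
    (0,   "0105556666", "cell-A", 600),
    (300, "0105556666", "cell-B", 600),            # handover
    (700, "0105556666", "cell-B", 600),            # cell-A silent past t=600
]


def replay(trace, **settings):
    detector = DualRegistrationDetector(**settings)
    return [detector.on_auth_request(*row) for row in trace], detector


if __name__ == "__main__":
    for name, trace in (("wired theft", WIRED_THEFT), ("wireless move", WIRELESS_MOVE)):
        verdicts, detector = replay(trace)
        print(name, verdicts, sorted(detector.candidates))
```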
- FIG. 9 is a flowchart illustrating a method of blocking an illegal authentication attempt by detecting an abnormal operation pattern of an authentication expiration time in detecting an illegal authentication attempt of a VoIP and VoLTE terminal according to another embodiment of the present invention.
- The process of blocking illegal authentication attempts by detecting an illegal operation pattern of the authentication expiration time of a VoIP and VoLTE terminal is as follows.
- Based on Rule 1 described above, the VoIP security controller 120 may extract the originating IP (IP2) and the originating number (From number) from the authentication attempt packet copied and forwarded from the network device (S910).
- The originating IP (IP2) of the current authentication request message is compared with the originating IP (IP1) that previously sent an authentication request message for the corresponding number (S950). If the two are the same, it is determined that the message is a re-authentication request message sent periodically according to the authentication period of the authentication expiration time value (ET1), with no movement of the terminal (for example, IP change, etc.), and processing proceeds to the next step.
- In step S950, when it is determined that the originating IP (IP2) of the current authentication request packet does not match the originating IP (IP1) that previously sent a request for the corresponding number, ET2 (the authentication expiration time value of the current authentication request message) and ET1 (the authentication expiration time value of the previous authentication request message) are each extracted in order to determine whether this is a normal terminal move (e.g., IP change) or a fraudulent authentication attempt (S960).
- The purpose of attempting a fraudulent authentication is to make calls without paying call charges after successful authentication, to misappropriate network access fees that must be settled between operators, or to monetize the charges by making illegal calls to numbers subject to expensive charges (e.g., international calls, etc.). Therefore, a fraudulent authentication attempt manipulates the authentication expiration time to a value much smaller than the normal authentication expiration time.
- In step S970, the ET1 value and the ET2 value are compared with each other.
- In step S970, if it is determined that ET2 is equal to or larger than ET1 (that is, the authentication expiration time value of the current authentication request message is not set smaller than the authentication expiration time value of the previous authentication request message), it is judged not to be a fraudulent authentication and processing proceeds to the next step.
- In step S970, if ET2 is determined to be smaller than ET1 (i.e., the authentication expiration time value of the current authentication request message is set smaller than the authentication expiration time value of the previous authentication request message), it can be judged that there is a possibility of fraudulent authentication. In this case, the actual occurrence period of the authentication request message can be measured afterwards for a more accurate determination. In normal cases, re-authentication is requested within 1/3 to 1/2 of the ET2 time, but in the case of fraudulent authentication, re-authentication is requested at a much shorter period. Therefore, it may be determined whether the re-authentication request occurs at a shorter period than the threshold period value (1/5, 1/10, 1/100, etc.) designated by the operator (S980).
- In step S980, when the re-authentication request period is not shorter than the threshold value, it is determined that the period value has been changed normally, and the authentication process is performed.
- If it is determined in step S980 that the re-authentication request period is shorter than the threshold value, the request is determined to be a fraudulent authentication request, and the authentication request transmitted from the IP (IP2) is failed or, if authentication has already succeeded, it is blocked by transmitting an authentication failure message (S990).
- The authentication IP of the terminal number in the authentication DB is maintained as IP1.
- For blacklist IP management, the IP2 from which a fraudulent authentication attempt was made can be stored / managed in the blacklist candidate DB. If the authentication or call attempts from IP2 exceed a certain number, it can be added to the blacklisted IPs. Once it is added to the blacklist DB, authentication or call attempt messages coming from IP2 in the future are all blocked by Rule 2.
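Steps S970 and S980 of FIG. 9 as an added example (not code from the patent): a request whose ET2 is smaller than ET1 is only judged after its real re-authentication period has been measured against an operator fraction of ET2. Taking the threshold as that fraction multiplied by ET2, using the median gap, requiring three gaps before a verdict, and all sample arrival times are assumptions constructed for illustration.

```python
from fractions import Fraction
from statistics import median


class ExpiryWatch:
    """Follows one calling number after a request from a new IP carried ET2 (S960)."""

    def __init__(self, et1, et2, first_ts,
                 threshold=Fraction(1, 5), min_intervals=3):
        self.et1 = et1                      # expiration time of the previous request
        self.et2 = et2                      # expiration time of the current request
        self.arrivals = [first_ts]          # arrival times of requests from the new IP
        self.threshold = threshold          # operator value: 1/5, 1/10, 1/100, ...
        self.min_intervals = min_intervals  # hypothetical: gaps needed for a verdict

    def observe(self, ts):
        """Record one more authentication request and return the current verdict."""
        self.arrivals.append(ts)
        return self.verdict()

    def measured_period(self):
        gaps = [later - earlier
                for earlier, later in zip(self.arrivals, self.arrivals[1:])]
        if len(gaps) < self.min_intervals:
            return None
        # The median keeps one retransmitted request from looking like a short period.
        return median(gaps)

    def verdict(self):
        if self.et2 >= self.et1:            # S970: expiration time was not reduced
            return "not-fraudulent"
        period = self.measured_period()
        if period is None:
            return "measuring"
        if period < self.threshold * self.et2:   # S980: shorter than the threshold
            return "fraudulent"                  # S990: fail / revoke the request
        return "normal-period-change"


def final_verdict(et1, et2, arrivals, **settings):
    """Replay arrival times (seconds) and stop at the first fraudulent verdict."""
    watch = ExpiryWatch(et1, et2, arrivals[0], **settings)
    verdict = watch.verdict()
    for ts in arrivals[1:]:
        verdict = watch.observe(ts)
        if verdict == "fraudulent":
            break
    return verdict


if __name__ == "__main__":
    # Constructed cases: (ET1, ET2, arrival times from the new IP).
    cases = [
        (3600, 3600, [0, 1500, 3000, 4500]),      # ET unchanged
        (3600, 600, [0, 250, 500, 750]),          # shorter ET, period near ET2 / 2
        (3600, 600, [0, 250, 251, 500, 750]),     # same, with one retransmission
        (3600, 60, [0, 2, 4, 6]),                 # tiny ET and a 2 s period
    ]
    for et1, et2, arrivals in cases:
        print(et1, et2, arrivals, "->", final_verdict(et1, et2, arrivals))
```

With a minimum-gap test instead of the median, the retransmission at t=251 in the third case would be enough to misclassify a normal terminal.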
- The methods according to the invention can be implemented in the form of program instructions that can be executed by various computer means and recorded on a computer readable medium.
- Computer-readable media may include, alone or in combination with the program instructions, data files, data structures, and the like.
- The program instructions recorded on the computer readable medium may be those specially designed and constructed for the present invention, or may be known and available to those skilled in computer software.
- Examples of computer readable media include hardware devices that are specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like.
- Examples of program instructions include machine language code, such as produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like.
- The hardware device described above may be configured to operate with at least one software module to perform the operations of the present invention, and vice versa.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
- Exchange Systems With Centralized Control (AREA)
Abstract
The invention relates to a security system and a security processing method for detecting whether an IP-based call service (VoIP or VoLTE) in an SDN and NFV environment is being used illegally and for blocking such illegal use. A security system for an SDN-based centralized VoIP service comprises: a security service manager for configuring and managing a security service policy required to use a VoIP security service; a VoIP security controller for generating the security service policy received through the security service manager as a predefined information model and for providing the generated information model to a VoIP security function; and at least one VoIP security function for providing the VoIP security service on the basis of the information model received from the VoIP security controller. Consequently, centralized and flexible services can be provided, because the security service is delivered by dynamically establishing the information model in a software-based SDN/NFV environment, without using existing hardware-based security equipment.
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| KR20160027900 | 2016-03-08 | ||
| KR10-2016-0027900 | 2016-03-08 | ||
| KR20160081195 | 2016-06-28 | ||
| KR10-2016-0081195 | 2016-06-28 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| WO2017155280A2 true WO2017155280A2 (fr) | 2017-09-14 |
| WO2017155280A3 WO2017155280A3 (fr) | 2018-09-07 |
Family
ID=59789580
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/KR2017/002448 Ceased WO2017155280A2 (fr) | 2016-03-08 | 2017-03-07 | Security system for SDN/NFV-based IP call service and method for operating security system |
Country Status (2)
| Country | Link |
|---|---|
| KR (1) | KR102299225B1 (fr) |
| WO (1) | WO2017155280A2 (fr) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112839007A (zh) * | 2019-11-22 | 2021-05-25 | 深圳布洛城科技有限公司 | Method and device for defending against network attacks |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US12341809B2 (en) * | 2022-11-16 | 2025-06-24 | Zscaler, Inc. | Defending against volumetric attacks |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8295188B2 (en) * | 2007-03-30 | 2012-10-23 | Extreme Networks, Inc. | VoIP security |
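| KR100862050B1 (ko) * | 2007-11-23 | 2008-10-09 | 한국정보보호진흥원 | User agent providing VoIP secure communication and method for providing secure communication using the same |
| KR101580185B1 (ko) * | 2009-06-29 | 2015-12-24 | 삼성전자주식회사 | Method and apparatus for controlling spam in a VoIP service |
| CN105745886B (zh) * | 2013-09-23 | 2019-06-04 | 迈克菲有限公司 | Providing a fast path between two entities |
| KR101535502B1 (ko) * | 2014-04-22 | 2015-07-09 | 한국인터넷진흥원 | Security-embedded virtual network control system and method |
| CN106416131B (zh) * | 2014-05-22 | 2020-02-21 | 科锐安特股份有限公司 | Network element and controller for managing the network element |
| KR101466895B1 (ko) * | 2014-08-12 | 2014-12-10 | 주식회사 크레블 | Method for detecting illegal VoIP use, apparatus for detecting illegal VoIP use performing the same, and recording medium storing the same |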
-
2017
- 2017-03-07 WO PCT/KR2017/002448 patent/WO2017155280A2/fr not_active Ceased
- 2017-03-07 KR KR1020170028971A patent/KR102299225B1/ko active Active
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112839007A (zh) * | 2019-11-22 | 2021-05-25 | 深圳布洛城科技有限公司 | Method and device for defending against network attacks |
| CN112839007B (zh) * | 2019-11-22 | 2022-11-01 | 深圳布洛城科技有限公司 | Method and device for defending against network attacks |
Also Published As
| Publication number | Publication date |
|---|---|
| KR102299225B1 (ko) | 2021-09-07 |
| WO2017155280A3 (fr) | 2018-09-07 |
| KR20170104947A (ko) | 2017-09-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2021060857A1 (fr) | | Remote execution code-based node control flow management system and method therefor |
| WO2021054747A1 (fr) | | Apparatus and method for PSA UPF relocation in a wireless communication system |
| WO2020218843A1 (fr) | | Method and system for providing non-access stratum (NAS) message protection |
| WO2021133092A1 (fr) | | Method and apparatus for managing a handover procedure in a wireless communication system |
| WO2018101565A1 (fr) | | Security management structure in a network virtualization environment |
| WO2021235880A1 (fr) | | Method and device for providing local data network information to a terminal in a wireless communication system |
| WO2011056034A2 (fr) | | Session control method and server using the same |
| WO2016023148A1 (fr) | | Packet control method, switch and controller |
| WO2012091529A2 (fr) | | Terminal |
| WO2015016627A1 (fr) | | Method and device for connecting a single AP device among multiple AP devices in the same network on a terminal |
| WO2014209075A1 (fr) | | Multi-connection system and method for executing services using the Internet Protocol |
| WO2018048230A1 (fr) | | Method for managing short data service (SDS) in a mission critical data (MC Data) communication system |
| WO2019098678A1 (fr) | | Method for providing a security service and device therefor |
| WO2018038412A1 (fr) | | Method and user equipment for connecting by means of a plurality of accesses in a next-generation network |
| WO2012165809A2 (fr) | | Device and method for a simultaneous data transmission service in a heterogeneous network |
| WO2023059127A1 (fr) | | Method and apparatus for traffic processing using traffic classification in a wireless communication system |
| WO2016013846A1 (fr) | | Method for processing a request message in a wireless communication system, and apparatus therefor |
| WO2014171727A1 (fr) | | Apparatus and method for generating a key hierarchy in a wireless network |
| WO2021071316A1 (fr) | | Method and apparatus for an edge computing service |
| WO2022203465A1 (fr) | | Device and method for constructing a virtual enterprise network |
| WO2012165805A2 (fr) | | Device and method for a simultaneous data transmission service using two or more networks |
| WO2019088671A1 (fr) | | Method for providing a network security service and apparatus therefor |
| WO2017155280A2 (fr) | | Security system for SDN/NFV-based IP call service and method for operating the security system |
| WO2017131285A1 (fr) | | Container network management system and container networking method |
| WO2018097422A1 (fr) | | Method and system for traffic steering triggered by a network security function, and device therefor |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17763541; Country of ref document: EP; Kind code of ref document: A2 |
| | 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12/04/2019) |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 17763541; Country of ref document: EP; Kind code of ref document: A2 |