引用本文
  • 张伟露,吉立新,刘树新,李星,潘菲,胡鑫鑫.IBNAD:一种基于交互的5G核心网网络功能异常检测模型[J].信息安全学报,2024,9(3):94-112    [点击复制]
  • ZHANG Weilu,JI Lixin,LIU Shuxin,LI Xing,PAN Fei,HU Xinxin.IBNAD: An Interaction-based Model for Anomaly Detection of Network Function in 5G Core Network[J].Journal of Cyber Security,2024,9(3):94-112   [点击复制]
【打印本页】 【下载PDF全文】 查看/发表评论下载PDF阅读器关闭

←前一篇|后一篇→

过刊浏览    高级检索

本文已被:浏览 1190次   下载 732 本文二维码信息
码上扫一扫!
IBNAD:一种基于交互的5G核心网网络功能异常检测模型
张伟露1, 吉立新1,2, 刘树新1,2, 李星1,2, 潘菲1,2, 胡鑫鑫1
0
(1.中国人民解放军战略支援部队信息工程大学 郑州 中国 450001;2.国家数字交换系统工程技术研究中心 郑州 中国 450002)
摘要:
现有 5G(5th Generation Mobile Communication Technology)核心网异常检测主要基于信令流量深度解析, 但较少利用核心网网络功能交互关系的作用。针对上述问题, 提出一种基于交互的 5G 核心网网络功能异常检测模型。首先, 该模型以行为分析为驱动, 基于信令流量和网络功能注册数据提取多维属性, 通过行为画像来表征网络功能行为模式, 并采用集成学习算法RFECV(Recursive Feature Elimination with Cross-Validation)进行属性特征选择, 降低特征维度的同时筛选出与区分网络功能行为模式高度相关的属性特征。然后, 模型基于网络功能交互关系对核心网进行图建模, 建模后的图数据融合了网络功能属性信息和交互信息。最后, 模型通过基于空间域的图卷积网络聚合邻域节点属性信息和结构信息来融合行为模式特征, 新生成的节点表示用于分类, 从而将核心网网络功能异常检测问题转化为图节点分类问题。通过在 free5GC 仿真平台上采集数据, 并在搭建的异常检测系统中的实验表明, 该模型的异常检测性能优于基于属性特征分析的传统机器学习模型、基于结构特征分析的图嵌入模型及部分 5G 核心网异常检测模型。10%数据集作为训练集时, 所提模型的准确率比支持向量机模型提高 6.6%, 比Struc2vec 模型提高 13%, 比深度神经网络模型提高 8%。
关键词:  5G核心网  异常检测  行为画像  网络建模  图神经网络
DOI:10.19363/J.cnki.cn10-1380/tn.2024.05.07
投稿时间:2022-07-08修订日期:2022-10-13
基金项目:本课题得到河南省重大科技专项项目(No. 221100210100)资助。
IBNAD: An Interaction-based Model for Anomaly Detection of Network Function in 5G Core Network
ZHANG Weilu1, JI Lixin1,2, LIU Shuxin1,2, LI Xing1,2, PAN Fei1,2, HU Xinxin1
(1.PLA Strategic Support Force Information Engineering University, Zhengzhou 450001, China;2.National Digital Switching System Engineering and Technological R&D Center, Zhengzhou 450002, China)
Abstract:
The existing 5G (5th Generation Mobile Communication Technology) core network anomaly detection is mainly based on the deep analysis of signaling traffic. However, the existing researches seldom consider the interaction of core network functions. Aiming at the above problems, an interaction-based model for anomaly detection of network function in 5G core network is proposed. First of all, driven by behavior analysis, this model extracts multidimensional attributes based on signaling traffic and network function registration data, and characterizes the network function behavior mode through behavior portraits. In addition, the model also uses the integrated learning algorithm RFECV (Recursive Feature Elimination with Cross Validation) to select attribute features, so as to reduce the feature dimension and screen out the attribute features highly related to the differentiated network function behavior mode. Then, the core network is modeled as a graph based on the network function interaction relationship, and the graph structure data after modeling integrates the network function attribute information and interaction information. Finally, this model uses graph convolution network based on spatial domain to aggregate attribute information and structure information of neighborhood nodes to fuse behavior pattern features. The newly generated node representation is used for classification, thereby transforming the core network function anomaly detection problem into the graph node classification problem. Through the data collection on the free5GC simulation platform and the experiments in the built anomaly detection system, it is shown that the anomaly detection performance of this model is superior to the traditional machine learning model based on attribute feature analysis, graph embedding model based on structural feature analysis and some 5G core network anomaly detection models. When 10% of the data set is used as the training set, the accuracy of the proposed model is higher than that of support vector. The machine model is improved by 6.6%, 13% higher than the Struc2vec model, and 8% higher than the deep neural network model.
Key words:  5G core network  anomaly detection  behavioral portraits  network modeling  graph neural network