System and method for preventing intrusion of abnormal GTP packet

US 8,948,019 B2
Filed: 07/13/2012
Issued: 02/03/2015
Est. Priority Date: 12/12/2011
Status: Active Grant

First Claim

Patent Images

1. A system for preventing the intrusion of an abnormal GPRS tunneling protocol (GTP) packet, the system comprising:

a system management unit comprising a monitoring unit which monitors a state of the system and a mode changing unit which changes an operation mode of the system based on the state of the system;

a packet capture unit comprising a packet management unit which stores information about a GTP packet based on the operation mode of the system and a detection result checking unit which determines whether to drop the GTP packet; and

a packet detection unit comprising a packet parsing unit which parses the information about the GTP packet and a packet analysis unit which analyzes the parsed information about the GTP packet, wherein the operation mode of the system comprises an intrusion prevention system (IPS) mode or a bypass mode.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a system and method for preventing the intrusion of an abnormal GPRS tunneling protocol (GTP) packet. The system includes: a system management unit including a monitoring unit which monitors a state of the system and a mode changing unit which changes an operation mode of the system based on the state of the system; a packet capture unit including a packet management unit which stores information about a GTP packet based on the operation mode of the system and a detection result checking unit which determines whether to drop the GTP packet; and a packet detection unit including a packet parsing unit which parses the information about the GTP packet and a packet analysis unit which analyzes the parsed information about the GTP packet, wherein the operation mode of the system is an intrusion prevention system (IPS) mode or a bypass mode.

4 Citations

18 Claims

1. A system for preventing the intrusion of an abnormal GPRS tunneling protocol (GTP) packet, the system comprising:
- a system management unit comprising a monitoring unit which monitors a state of the system and a mode changing unit which changes an operation mode of the system based on the state of the system;
  
  a packet capture unit comprising a packet management unit which stores information about a GTP packet based on the operation mode of the system and a detection result checking unit which determines whether to drop the GTP packet; and
  
  a packet detection unit comprising a packet parsing unit which parses the information about the GTP packet and a packet analysis unit which analyzes the parsed information about the GTP packet, wherein the operation mode of the system comprises an intrusion prevention system (IPS) mode or a bypass mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, further comprising a shared memory used by the packet capture unit, the system management unit, and the packet detection unit to communicate with each other, wherein the shared memory stores information about the operation mode of the system, the information about the GTP packet, and an analysis result of the packet analysis unit.
  - 3. The system of claim 2, wherein the monitoring unit determines that the system is in a failure state when the number of GTP packets unanalyzed by the packet analysis unit among GTP packets stored by the packet management unit is equal to or greater than a threshold value.
  - 4. The system of claim 2, wherein the monitoring unit identifies whether the packet detection unit is operating by periodically checking a process status (PS) command and determines that the system is in the failure state when the packet detection unit is malfunctioning.
  - 5. The system of claim 2, wherein the monitoring unit calculates a traffic input/output error by periodically checking inbound traffic and outbound traffic of the system and determines that the system is in the failure state when the traffic input/output error is equal to or greater than a threshold value, wherein the traffic input/output error is a value obtained by subtracting the amount of the outbound traffic and the number of GTP packets determined to be dropped by the detection result checking unit from the amount of the inbound traffic.
  - 6. The system of claim 2, wherein the packet capture unit further comprises a receiving unit which receives a GTP packet from a serving GPRS support node (SGSN) and a transmitting unit which transmits a GTP packet to a gateway GPRS support node (GGSN).
  - 7. The system of claim 6, wherein the packet management unit transmits the GTP packet received from the SGSN to the GGSN when the operation mode of the system stored in the shared memory is the bypass mode and stores information about the GTP packet received from the SGSN in the shared memory when the operation mode of the system stored in the shared memory is the IPS mode.
  - 8. The system of claim 2, wherein the packet analysis unit comprises a detection policy management unit which manages a detection policy, wherein the detection policy is comprised of a rule ID, a rule type, whether a GTP packet is an IP packet, whether the GTP packet is bound for a GTP-C port or a GTP-U port, a processing policy, and whether the detection policy is active.
  - 9. The system of claim 2, wherein the packet parsing unit loads the information about the GTP packet from the shared memory and structures the loaded information, wherein the structured information about the GTP packet comprises a packet ID, a GTP-U header tunnel endpoint identifier (TEID), whether the GTP packet is an IP packet, a destination port of the GTP packet, a length of a GTP-U packet, first 200 bytes of a payload of the GTP-U packet, and a length of the payload of the GTP-U packet.
  - 10. The system of claim 9, wherein the packet analysis unit determines whether the GTP packet is an abnormal GTP packet based on the length of the GTP-U packet, byte values of the payload of the GTP-U packet, and the length of the payload of the GTP-U packet.
  - 11. The system of claim 10, wherein when the GTP packet is an abnormal GTP packet, the packet analysis unit extracts an additional field, checks whether an active detection policy matching the GTP packet exists, and generates detection information, and the analysis result of the packet analysis unit comprises the detection information.

12. A method of preventing the intrusion of an abnormal GTP packet, the method comprising:
- monitoring a state of a system for preventing the intrusion of an abnormal GTP packet;
  
  changing an operation mode of the system based on the state of the system;
  
  storing information about a GTP packet based on the operation mode of the system;
  
  parsing the information about the GTP packet;
  
  analyzing the parsed information about the GTP packet; and
  
  determining whether to drop the GTP packet, wherein the operation mode of the system comprises an IPS mode or a bypass mode.

13. A method of detecting an abnormal GTP packet, the method comprising:
- classifying a GTP packet as a GTP-U packet;
  
  extracting a length of the GTP-U packet from the GTP-U packet;
  
  extracting a payload of the GTP-U packet from the GTP-U packet and extracting byte values of the payload and a length of the payload; and
  
  detecting an abnormal GTP packet based on the length of the GTP-U packet, the byte values of the payload, and the length of the payload;
  
  wherein the detecting of the abnormal GTP packet comprises,analyzing a value of first 2 bytes of the payload based on a first value;
  
  comparing the length of the payload with a second value; and
  
  comparing the length of the GTP-U packet with a value of 2 bytes from a third byte of the payload, wherein the first value is set based at least partially on a GTP version, and the second value is set based at least partially on an access point name (APN) field.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein the analyzing of the value of the first 2 bytes of the payload comprises analyzing 4 bytes from a fifth byte of the payload based on a third value which is set based at least partially on the GTP version, and the detecting of the abnormal GTP packet comprises detecting the GTP packet as the abnormal GTP packet when the first 2 bytes of the payload are 0x3210, when the 4 bytes from the fifth byte of the payload are all 0x00, when the length of the payload is greater than 170 and less than 180, and when a difference between the length of the GTP-U packet and the value of the 2 bytes from the third byte of the payload is 16.
  - 15. The method of claim 13, wherein the detecting of the abnormal GTP packet comprises detecting the GTP packet as the abnormal GTP packet when the first 2 bytes of the payload are 0x3212, when the length of the payload is greater than 80 and less than 100, and when the difference between the length of the GTP-U packet and the value of the 2 bytes from the third byte of the payload is 16.
  - 16. The method of claim 13, wherein the detecting of the abnormal GTP packet comprises detecting the GTP packet as the abnormal GTP packet when the first 2 bytes of the payload are 0x3214, when the length of the payload is greater than 20 and less than 25, and when the difference between the length of the GTP-U packet and the value of the 2 bytes from the third byte of the payload is 16.
  - 17. The method of claim 13, wherein the detecting of the abnormal GTP packet comprises detecting the GTP packet as the abnormal GTP packet when the first 2 bytes of the payload are 0x3201, when the length of the payload is 12, and when the difference between the length of the GTP-U packet and the value of the 2 bytes from the third byte of the payload is 16.
  - 18. The method of claim 13, wherein the detecting of the abnormal GTP packet comprises detecting the GTP packet as the abnormal GTP packet when the first 2 bytes of the payload are 0x30ff and when the difference between the length of the GTP-U packet and the value of the 2 bytes from the third byte of the payload is 16.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Korea Internet & Security Agency
Original Assignee
Korea Internet & Security Agency
Inventors
Kang, Dong Wan, Oh, Joo Hyung, Cho, Jung Sik, Im, Chae Tae, Kim, Se Kwon
Primary Examiner(s)
Thier, Michael
Assistant Examiner(s)
MENSAH, PRINCE AKWASI

Application Number

US13/549,273
Publication Number

US 20130148510A1
Time in Patent Office

935 Days
Field of Search

370/218, 370/230, 370/328, 370/352, 370/389, 370/390, 370/392, 370/395.41, 370/395.52, 370/516, 370/536, 370/241, 726/2, 726/3, 726/4, 726/5, 726/6, 726 11- 15, 726/21, 726 22- 33
US Class Current

370/241
CPC Class Codes

H04L 43/12 Network monitoring probes

H04L 63/1441 Countermeasures against mal...

System and method for preventing intrusion of abnormal GTP packet

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

4 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for preventing intrusion of abnormal GTP packet

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links