System and method for preventing intrusion of abnormal GTP packet
Abstract
Provided are a system and method for preventing the intrusion of an abnormal GPRS tunneling protocol (GTP) packet. The system includes: a system management unit including a monitoring unit which monitors a state of the system and a mode changing unit which changes an operation mode of the system based on the state of the system; a packet capture unit including a packet management unit which stores information about a GTP packet based on the operation mode of the system and a detection result checking unit which determines whether to drop the GTP packet; and a packet detection unit including a packet parsing unit which parses the information about the GTP packet and a packet analysis unit which analyzes the parsed information about the GTP packet, wherein the operation mode of the system is an intrusion prevention system (IPS) mode or a bypass mode.
18 Claims
1. A system for preventing the intrusion of an abnormal GPRS tunneling protocol (GTP) packet, the system comprising:
a system management unit comprising a monitoring unit which monitors a state of the system and a mode changing unit which changes an operation mode of the system based on the state of the system;
a packet capture unit comprising a packet management unit which stores information about a GTP packet based on the operation mode of the system and a detection result checking unit which determines whether to drop the GTP packet; and
a packet detection unit comprising a packet parsing unit which parses the information about the GTP packet and a packet analysis unit which analyzes the parsed information about the GTP packet, wherein the operation mode of the system comprises an intrusion prevention system (IPS) mode or a bypass mode.
12. A method of preventing the intrusion of an abnormal GTP packet, the method comprising:
monitoring a state of a system for preventing the intrusion of an abnormal GTP packet;
changing an operation mode of the system based on the state of the system;
storing information about a GTP packet based on the operation mode of the system;
parsing the information about the GTP packet;
analyzing the parsed information about the GTP packet; and
determining whether to drop the GTP packet, wherein the operation mode of the system comprises an IPS mode or a bypass mode.
13. A method of detecting an abnormal GTP packet, the method comprising:
classifying a GTP packet as a GTP-U packet;
extracting a length of the GTP-U packet from the GTP-U packet;
extracting a payload of the GTP-U packet from the GTP-U packet and extracting byte values of the payload and a length of the payload; and
detecting an abnormal GTP packet based on the length of the GTP-U packet, the byte values of the payload, and the length of the payload;
wherein the detecting of the abnormal GTP packet comprises,
analyzing a value of first 2 bytes of the payload based on a first value;
comparing the length of the payload with a second value; and
comparing the length of the GTP-U packet with a value of 2 bytes from a third byte of the payload,
wherein the first value is set based at least partially on a GTP version, and the second value is set based at least partially on an access point name (APN) field.
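The three comparisons recited in claim 13, sketched as a GTPv1-U payload check. This is an added example, not code from the patent or its implementation. Reading the comparisons as a test for a GTP message nested inside the G-PDU payload is an assumption, as are the concrete `FIRST_VALUE`, `GTP_TYPES` and `SECOND_VALUE` settings, the helper names and the constructed sample packets.

```python
import struct

GTP_HDR = 8     # mandatory GTPv1 header: flags, type, length (2), TEID (4)
G_PDU = 0xFF    # GTPv1-U message type that carries subscriber traffic
# Assumed concrete values; the claim only says what each is derived from.
FIRST_VALUE = 0x30           # flags nibble: GTP version 1, protocol type GTP
GTP_TYPES = {1, 2, 16, 17, 18, 19, 20, 21, 26, 255}  # common GTPv1 types
SECOND_VALUE = GTP_HDR + 3   # GTP header plus a minimal APN TLV header

def split_gtpu(packet: bytes):
    """Return the payload of a GTPv1-U G-PDU, or None if it is not one."""
    if len(packet) < GTP_HDR:
        return None
    flags, mtype, length = struct.unpack_from("!BBH", packet)
    if (flags & 0xF0) != FIRST_VALUE or mtype != G_PDU:
        return None                       # not GTPv1-U user data
    body = packet[GTP_HDR:GTP_HDR + length]
    if len(body) < length:
        return None                       # truncated capture
    if flags & 0x07:                      # E/S/PN: 4 optional bytes come first
        if len(body) < 4:
            return None
        next_ext, body = body[3], body[4:]
        while flags & 0x04 and next_ext:  # skip chained extension headers
            size = body[0] * 4 if body else 0
            if size == 0 or len(body) < size:
                return None
            next_ext, body = body[size - 1], body[size:]
    return body

def is_abnormal(packet: bytes) -> bool:
    """True when a G-PDU payload is itself a complete GTP message."""
    payload = split_gtpu(packet)
    if payload is None or len(payload) < SECOND_VALUE:
        return False                      # not a G-PDU, or payload too short
    flags, mtype, inner_len = struct.unpack_from("!BBH", payload)
    if (flags & 0xF0) != FIRST_VALUE or mtype not in GTP_TYPES:
        return False                      # first 2 bytes are not a GTP header
    # len(payload) is the outer length field minus optional header bytes;
    # a tunnelled GTP message fills it exactly (inner length + 8-byte header).
    return inner_len + GTP_HDR == len(payload)

def gtp(mtype: int, body: bytes, flags: int = 0x30, teid: int = 1) -> bytes:
    """Build a constructed GTPv1 message for the samples below."""
    return struct.pack("!BBHI", flags, mtype, len(body), teid) + body

# Constructed samples: an IPv4-looking payload and a tunnelled GTP-C request.
INNER = gtp(16, b"\x00\x01\x00\x00" + b"\x83\x00\x09\x08internet", flags=0x32)
NORMAL = gtp(G_PDU, b"\x45\x00\x00\x1c" + bytes(24))
NESTED = gtp(G_PDU, INNER)
```

A payload that merely starts with GTP-looking bytes is not flagged unless its embedded length field also accounts for the whole payload, which keeps ordinary user traffic from matching on the first two bytes alone.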
Specification