US-12627703-B2 - Method for obtaining security classification result and communication apparatus

Abstract

Embodiments of this application provide a method for obtaining a security classification result for a location area. A security function network element receives an identifier of a target location area and determines to perform security analytics on the target location area based on the identifier of the target location area. The security function network element may determine a security classification result of the target location area based on first information, where the security classification result indicates a degree to which a potential attack exists in the target location area. The first information is related to behavior information of a terminal device in the target location area, where the behavior information includes traffic data and/or movement track information.

Inventors

  • Ao LEI
  • Yizhuang Wu
  • Yang CUI
  • Taoran Sun

Assignees

  • HUAWEI TECHNOLOGIES CO., LTD.

Dates

Publication Date
20260512
Application Date
20240509
Priority Date
20211111

Claims (18)

  1. A method for obtaining a security classification result, wherein the method comprises: receiving, by a security function network element, an identifier of a target location area; determining, by the security function network element, based on the identifier of the target location area, to perform security analytics on the target location area; determining, by the security function network element, a security classification result of the target location area based on first information, wherein the security classification result indicates a degree to which a potential attack exists in the target location area, the first information is related to behavior information of a terminal device in the target location area, and the behavior information comprises at least one of traffic data or movement track information; receiving third information from an application function network element, wherein the third information indicates to perform security analytics on all location areas in a public land mobile network (PLMN); and the determining to perform security analytics on the target location area further comprises: determining, based on the third information, to perform security analytics on all the location areas in the PLMN, wherein all the location areas in the PLMN comprise the target location area.
  2. The method according to claim 1, wherein the first information comprises the behavior information of the terminal device in the target location area, and the determining, by the security function network element, a security classification result of the target location area based on first information comprises: performing, by the security function network element, at least one of statistical analytics on the behavior information of the terminal device in the target location area to obtain first statistical information or abnormal behavior prediction on the behavior information of the terminal device in the target location area to obtain a first abnormal behavior prediction result; and determining, by the security function network element, the security classification result of the target location area based on at least one of the first statistical information or the first abnormal behavior prediction result.
  3. The method according to claim 2, wherein the method further comprises: sending, by the security function network element, a data collection request message to a data collection network element in the target location area, wherein the data collection request message is used to request behavior information of a terminal device served by the data collection network element; and receiving, by the security function network element from the data collection network element, the behavior information of the terminal device served by the data collection network element.
  4. The method according to claim 3, wherein the data collection request message further comprises at least one of a first time interval parameter or a first threshold, where the first time interval parameter indicates a periodicity for reporting the behavior information of the terminal device, and the first threshold indicates a minimum value or a maximum value for triggering reporting of the behavior information of the terminal device.
  5. The method according to claim 1, wherein the first information comprises second information sent by a security analytics network element, and the second information comprises at least one of second statistical information, a second abnormal behavior prediction result, or a security classification result of a location area managed by the security analytics network element; and the second statistical information is obtained by performing statistical analytics on behavior information of a terminal device in the location area managed by the security analytics network element, the second abnormal behavior prediction result is obtained by performing abnormal behavior prediction on the behavior information of the terminal device in the location area managed by the security analytics network element, the security classification result of the location area managed by the security analytics network element is determined based on the behavior information of the terminal device in the location area managed by the security analytics network element, and the location area managed by the security analytics network element corresponds to the target location area.
  6. The method according to claim 5, wherein the method further comprises: sending, by the security function network element, a security analytics request message to the security analytics network element based on the target location area, wherein the security analytics request message is used to request the security analytics network element to perform security analytics on the location area managed by the security analytics network element.
  7. The method according to claim 6, wherein the security analytics request message further comprises an analytics identifier, the second information further comprises the analytics identifier, and the analytics identifier identifies security analytics performed on the target location area.
  8. The method according to claim 5, wherein the method further comprises: sending, by the security function network element to the security analytics network element, the security classification result of the location area managed by the security analytics network element.
  9. The method according to claim 1, wherein the third information comprises an identifier of each of all the location areas in the PLMN.
  10. The method according to claim 1, wherein the identifier of the target location area is received by the security function network element from a first network element.
  11. The method according to claim 1, wherein the method further comprises: receiving, by the security function network element, a security policy request message, wherein the security policy request message comprises location area information of a first terminal device, and the location area information of the first terminal device indicates that the first terminal device is located in the target location area; and sending, by the security function network element, a security protection mode determined for the first terminal device, wherein the security protection mode is determined based on the security classification result of the target location area.
  12. The method according to claim 1, wherein the method further comprises: receiving, by the security function network element, a first identifier of a first terminal device and location area information of the first terminal device, wherein the location area information of the first terminal device indicates that the first terminal device is located in the target location area; and the determining, by a security function network element, based on the identifier of the target location area, to perform security analytics on the target location area comprises: determining, by the security function network element based on the first identifier of the first terminal device, that a security enhancement service is allowed to be performed on the first terminal device; and determining, by the security function network element based on the location area information of the first terminal device, to perform security analytics on the target location area.
  13. A method for obtaining a security classification result, wherein the method is performed by a policy control function network element or a unified data management network element, and the method comprises: determining to perform security analytics on a target location area; sending a first security analytics request message to a security analytics network element, wherein the first security analytics request message comprises an identifier of the target location area; and receiving a security classification result that is of the target location area and that is from the security analytics network element, wherein the security classification result indicates a degree to which a potential attack exists in the target location area; receiving third information from an application function network element, wherein the third information indicates to perform security analytics on all location areas in a public land mobile network (PLMN); and the determining to perform security analytics on the target location area comprises: determining, based on the third information, to perform security analytics on all the location areas in the PLMN, wherein all the location areas in the PLMN comprise the target location area.
  14. The method according to claim 13, wherein the determining to perform security analytics on the target location area comprises: determining to perform security analytics on the target location area for a target attack, wherein the first security analytics request message further comprises an identifier of the target attack; and the security classification result of the target location area comprises a security classification result of the target location area for the target attack, and the security classification result of the target location area for the target attack indicates a degree to which the potential target attack exists in the target location area.
  15. The method according to claim 14, wherein the method further comprises: receiving the identifier of the target attack from an application function network element; and the determining to perform security analytics on the target location area for the target attack comprises: determining, based on the identifier of the target attack, to perform security analytics on the target location area for the target attack.
  16. The method according to claim 13, wherein the method further comprises: receiving an identifier of the target location area from an application function network element; and the determining to perform security analytics on the target location area comprises: determining, based on the identifier of the target location area, to perform security analytics on the target location area.
  17. A method for obtaining a security classification result, wherein the method comprises: receiving, by a security analytics network element, a first security analytics request message from a policy control function network element or a unified data management network element, wherein the first security analytics request message comprises an identifier of a target location area; determining, by the security analytics network element, a security classification result of the target location area based on first information, wherein the security classification result indicates a degree to which a potential attack exists in the target location area, the first information is related to behavior information of a terminal device in the target location area, and the behavior information comprises at least one of traffic data or movement track information; sending, by the security analytics network element, a first mapping relationship to the policy control function network element or the unified data management network element, wherein the first mapping relationship comprises the identifier and the security classification result of the target location area; receiving information from an application function network element, wherein the information indicates to perform security analytics on all location areas in a public land mobile network (PLMN); and determining, based on the information, to perform security analytics on all the location areas in the PLMN, wherein all the location areas in the PLMN comprise the target location area.
  18. The method according to claim 17, wherein the first security analytics request message further comprises an identifier of a target attack, the security classification result of the target location area comprises a security classification result of the target location area for the target attack, and the security classification result of the target location area for the target attack indicates a degree to which the potential target attack exists in the target location area.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of International Application No. PCT/CN2022/130474, filed on Nov. 8, 2022, which claims priority to Chinese Patent Application No. 202111331286.8, filed on Nov. 11, 2021. The disclosures of the aforementioned applications are hereby incorporated by reference in their entireties.

TECHNICAL FIELD

Embodiments of this application relate to the communication field, and more specifically, to a method for obtaining a security classification result and a communication apparatus.

BACKGROUND

In a 5th generation (5G) mobile network, an attacker may have a mobility capability, and may move to different geographical locations to attack a network or a user equipment (UE), threatening the security and privacy of the UE. For example, in a fake base station (FBS) attack, the fake base station acts as the attacker in a man-in-the-middle (MITM) attack. As shown in FIG. 2, a UE and a base station are connected through a Uu interface, and radio resource control (RRC) signaling and user plane data may be transmitted between the UE and the base station. The base station and an access and mobility management function (AMF) network element are connected through an N2 interface, and communicate with each other by using the N2 interface protocol. An attacker may deploy a fake base station to attract a UE to camp on it. If a UE camps on the fake base station, the fake UE part of the fake base station may forward or modify some information about the genuine UE camping on it, access a genuine base station as if it were the genuine UE, and communicate with the AMF by using the N2 interface protocol. In this way, communication content between a genuine terminal and the network can be sniffed, tampered with, or forged. A fake base station device is similar in size to a laptop and is easy to move, so an attacker can move to different locations at will to launch attacks.
As mentioned above, it is important to analyze and evaluate the security of different location areas when an attacker can move randomly.

SUMMARY

Embodiments of this application provide a method for obtaining a security classification result, to perform security analytics on a location area, so as to obtain a security classification result of the location area.

According to a first aspect, a method for obtaining a security classification result is provided. The method includes: A security function network element determines to perform security analytics on a target location area; and the security function network element determines a security classification result of the target location area based on first information, where the security classification result indicates a degree to which a potential attack exists in the target location area, the first information is related to behavior information of a terminal device in the target location area, and the behavior information includes traffic data and/or movement track information. The security function network element is a network element having a security analytics function. For example, the security function network element may be a network element that is completely responsible for security analytics, or may be a network element having some security-related functions. According to the foregoing technical solution, after determining to perform security analytics on the target location area, the security function network element may perform security analytics on the target location area based on the first information determined by using the behavior information of the terminal device in the target location area, to obtain the security classification result of the target location area.
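The following is an added simulation of the first aspect and of claims 2, 11 and 17 (it is not the patent's own code or any 3GPP implementation): the security function network element reduces each terminal's traffic data and movement track to first statistical information, flags terminals with abnormal behaviour, derives the location area's security classification result from the share of abnormal terminals, and maps that result to a security protection mode. The traffic and cell limits, the level names, the mode names and all behaviour records are constructed assumptions.

```python
"""Added simulation of the patent's location-area security analytics (not the
patent's own code): terminals' traffic data and movement tracks in an area are
reduced to statistics, abnormal terminals are flagged, and their share gives
the area's security classification result.  Limits and names are assumptions."""
from statistics import mean
from typing import NamedTuple

TRAFFIC_LIMIT_KB = 100.0  # constructed "first threshold" on per-interval traffic
CELL_LIMIT = 3            # constructed limit on distinct cells in a movement track

class Behavior(NamedTuple):
    ue_id: str
    traffic_kb: list  # traffic data, one value per reporting interval
    track: list       # movement track: sequence of cell identifiers

def statistical_analytics(records):
    """First statistical information for one location area."""
    return {"terminals": len(records),
            "mean_traffic_kb": mean(mean(r.traffic_kb) for r in records),
            "mean_distinct_cells": mean(len(set(r.track)) for r in records)}

def predict_abnormal(records):
    """First abnormal behaviour prediction result: ids of terminals whose
    traffic or movement exceeds the constructed limits."""
    return sorted(r.ue_id for r in records
                  if max(r.traffic_kb) > TRAFFIC_LIMIT_KB or len(set(r.track)) > CELL_LIMIT)

def classify_area(records):
    """Security classification result: degree to which a potential attack
    exists in the area, derived from the share of abnormal terminals."""
    if not records:
        return "unknown"
    share = len(predict_abnormal(records)) / len(records)
    return "high" if share >= 0.5 else "medium" if share > 0 else "low"

def protection_mode(classification):
    """Security protection mode for a terminal in the area: forced on where
    the attack degree is high (the mode names are constructed)."""
    return {"high": "REQUIRED", "medium": "PREFERRED"}.get(classification, "NOT_NEEDED")

def classify_plmn(areas):
    """Analytics over all location areas: area identifier -> classification."""
    return {area_id: classify_area(recs) for area_id, recs in areas.items()}

# Constructed behaviour information for three location areas.
SAMPLE_AREAS = {
    "TA-101": [Behavior("ue1", [10, 12, 11], ["c1", "c1", "c2"]),
               Behavior("ue2", [9, 10, 12], ["c2", "c2", "c2"])],
    "TA-202": [Behavior("ue3", [10, 11, 12], ["c1", "c1", "c1"]),
               Behavior("ue4", [200, 180, 220], ["c1", "c4", "c7", "c9"]),
               Behavior("ue5", [150, 170, 160], ["c3", "c8", "c5", "c1"])],
    "TA-303": [Behavior("ue6", [10, 12, 11], ["c1", "c1", "c2"]),
               Behavior("ue7", [9, 10, 12], ["c2", "c2", "c2"]),
               Behavior("ue8", [12, 130, 11], ["c3", "c3", "c3"])],
}
```

`classify_plmn(SAMPLE_AREAS)` is the mapping of area identifier to classification result that claim 17 calls the first mapping relationship; a policy function would then call `protection_mode` for a terminal located in a given area.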
When the security classification result of the target location area is obtained, this helps determine a security protection mode of the terminal device in the target location area based on the security classification result of the target location area, to better ensure security of a network and the terminal device. For example, when the security classification result of the target location area indicates that the degree to which the potential attack exists in the target location area is high, security protection is forcibly enabled, to prevent the network or the terminal device from being attacked to some extent.

In a possible implementation, the first information includes the behavior information of the terminal device in the target location area, and that the security function network element determines a security classification result of the target location area based on first information includes: The security function network element performs statistical analytics on the behavior information of the terminal device in the target location area to obtain first statistical information; and/or performs abnormal behavior prediction on the behavior information of the terminal device in the target location area to obtain a first abnormal behavior prediction re