[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN115696340A - Network information processing method and device, terminal and network side equipment - Google Patents

Network information processing method and device, terminal and network side equipment Download PDF

Info

Publication number
CN115696340A
CN115696340A CN202110875656.8A CN202110875656A CN115696340A CN 115696340 A CN115696340 A CN 115696340A CN 202110875656 A CN202110875656 A CN 202110875656A CN 115696340 A CN115696340 A CN 115696340A
Authority
CN
China
Prior art keywords
network
information
terminal
nas
security check
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110875656.8A
Other languages
Chinese (zh)
Inventor
韩鲁峰
吴晓波
康艳超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Vivo Mobile Communication Co Ltd
Original Assignee
Vivo Mobile Communication Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Vivo Mobile Communication Co Ltd filed Critical Vivo Mobile Communication Co Ltd
Priority to CN202110875656.8A priority Critical patent/CN115696340A/en
Publication of CN115696340A publication Critical patent/CN115696340A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a network information processing method, a device, a terminal and network side equipment, belonging to the technical field of communication, wherein the network information processing method of the embodiment of the application comprises the following steps: and under the condition that the security check of the first information sent by the network side equipment fails, if the terminal meets a first condition, identifying the network side equipment as a target network, and executing a first operation.

Description

Network information processing method and device, terminal and network side equipment
Technical Field
The application belongs to the technical field of communication, and particularly relates to a network information processing method, a network information processing device, a terminal and network side equipment.
Background
In order to ensure that end-to-end security protection is performed on information sent to the UE by a Home Public Land Mobile Network (HPLMN), the information sent to the UE by the HPLMN is protected, for example, routing indication (Routing ID) information is protected, and the information sent by the HPLMN is forwarded to the UE through a Visited Public Land Mobile Network (Visited PLMN, VPLMN).
If the VPLMN modifies part of information sent by the HPLMN to the UE, such as Routing ID and Default-configured NSSAI (Default-configured NSSAI), in the prior art, after the UE finds that the corresponding information is tampered, the processing method is to discard the information. If the information is tampered all the time, the UE will not receive the correct information all the time.
Disclosure of Invention
The embodiment of the application provides a network information processing method, a device, a terminal and network side equipment, and solves the problem that after UE finds that information sent by HPLMN is tampered, the UE cannot receive correct information by using the existing processing method.
In a first aspect, a network information processing method is provided, which is applied to a terminal, and includes:
and under the condition that the security check of the first information sent by the network side equipment fails, if the terminal meets a first condition, identifying the network side equipment as a target network, and executing a first operation.
In a second aspect, a network information processing method is provided, and is applied to a network side device, where the method includes:
under the condition that network side equipment receives notification information of security check failure of NAS IE sent by a terminal, counting the tampered related behavior information of the NAS IE;
and executing a third operation according to the related behavior information.
In a third aspect, a network information processing apparatus is provided, which is applied to a terminal, and includes:
the first processing module is used for identifying the network side equipment as a target network and executing a first operation if the terminal meets a first condition under the condition that the first information security check sent by the network side equipment fails.
In a fourth aspect, a network information processing apparatus is provided, which is applied to a network side device, and includes:
the first receiving module is used for counting the tampered related behavior information of the NAS IE under the condition of receiving the notification information of the security check failure of the NAS IE sent by the terminal;
and the second processing module is used for executing a third operation according to the related behavior information.
In a fifth aspect, there is provided a terminal comprising a processor, a memory, and a program or instructions stored on the memory and executable on the processor, which when executed by the processor, performs the steps of the method according to the first aspect.
In a sixth aspect, a terminal is provided, including a processor and a communication interface, where the processor is configured to, when a security check of first information sent by a network-side device fails, identify the network-side device as a target network and execute a first operation if the terminal meets a first condition.
In a seventh aspect, a network-side device is provided, which includes a processor, a memory, and a program or an instruction stored on the memory and executable on the processor, and when executed by the processor, the program or the instruction implements the steps of the method according to the second aspect.
In an eighth aspect, a network side device is provided, which includes a processor and a communication interface, where the processor is configured to, in a case of receiving notification information that security check of an NAS IE fails, sent by a terminal, count information about a tampered behavior of the NAS IE; and executing a third operation according to the related behavior information.
In a ninth aspect, there is provided a readable storage medium having stored thereon a program or instructions which, when executed by a processor, carries out the steps of the method of the first aspect or carries out the steps of the method of the second aspect.
In a tenth aspect, a chip is provided, the chip comprising a processor and a communication interface, the communication interface being coupled to the processor, the processor being configured to execute a program or instructions to implement the method according to the first aspect, or to implement the method according to the second aspect.
In an eleventh aspect, there is provided a computer program/program product stored in a non-volatile storage medium, the program/program product being executed by at least one processor to implement the steps of the network information processing method according to the first or second aspect.
In this embodiment of the present application, under the condition that the first information security check fails, if the terminal satisfies the first condition, the network side device may be used as a target network to perform the first operation, and compared with the prior art in which the first information is directly discarded, it can be ensured that after the first information is tampered, the terminal can correctly receive information that the network side wants to acquire after performing the first operation, and normal communication is ensured.
Drawings
FIG. 1 is a block diagram of a wireless communication system to which embodiments of the present application are applicable;
fig. 2 is a schematic flowchart of a network information processing method according to an embodiment of the present application;
fig. 3 is a second schematic flowchart of a network information processing method according to an embodiment of the present application;
fig. 4 is a third schematic flowchart of a network information processing method according to an embodiment of the present application;
fig. 5 is a fourth schematic flowchart of a network information processing method according to an embodiment of the present application;
fig. 6 is a fifth schematic flowchart of a network information processing method according to an embodiment of the present application;
fig. 7 is a sixth schematic flowchart of a network information processing method according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a network information processing apparatus according to an embodiment of the present application;
fig. 9 is a second schematic structural diagram of a network information processing apparatus according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a communication device provided in an embodiment of the present application;
fig. 11 is a schematic diagram of a terminal provided in an embodiment of the present application;
fig. 12 is a schematic diagram of a network-side device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below clearly with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments that can be derived from the embodiments given herein by a person of ordinary skill in the art are intended to be within the scope of the present disclosure.
The terms first, second and the like in the description and in the claims of the present application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances such that the embodiments of the application are capable of operation in other sequences than those illustrated or otherwise described herein, and that the terms "first" and "second" are generally used herein in a generic sense to distinguish one element from another, and not necessarily from another element, such as a first element which may be one or more than one. In addition, "and/or" in the specification and the claims means at least one of connected objects, and a character "/" generally means that a preceding and succeeding related objects are in an "or" relationship.
It is noted that the techniques described in the embodiments of the present application are not limited to Long Term Evolution (LTE)/LTE-Advanced (LTE-a) systems, but may also be used in other wireless communication systems, such as Code Division Multiple Access (CDMA), time Division Multiple Access (TDMA), frequency Division Multiple Access (FDMA), orthogonal Frequency Division Multiple Access (OFDMA), single-carrier Frequency Division Multiple Access (SC-FDMA), and other systems. The terms "system" and "network" in the embodiments of the present application are often used interchangeably, and the described techniques can be used for both the above-mentioned systems and radio technologies, as well as for other systems and radio technologies. The following description describes a New Radio (NR) system for purposes of example, and NR terminology is used in much of the description below, but the techniques may also be applied to applications other than NR system applications, such as generation 6 (6) th Generation, 6G) communication system.
Fig. 1 shows a block diagram of a wireless communication system to which embodiments of the present application are applicable. The wireless communication system includes a terminal 11 and a network-side device 12. Wherein, the terminal 11 may also be called a terminal Device or a User Equipment (UE), the terminal 11 may be a Mobile phone, a Tablet Personal Computer (Tablet Personal Computer), a Laptop Computer (Laptop Computer) or a notebook Computer, a Personal Digital Assistant (PDA), a palmtop Computer, a netbook, a super-Mobile Personal Computer (UMPC), a Mobile Internet Device (MID), a Wearable Device (Wearable Device) or a vehicle-mounted Device (VUE), a pedestrian terminal (PUE), and other terminal side devices, the Wearable Device includes: smart watches, bracelets, earphones, glasses, and the like. It should be noted that the embodiment of the present application does not limit the specific type of the terminal 11. The network-side device 12 may be a Base Station or a core network, where the Base Station may be referred to as a node B, an enodeb, an access Point, a Base Transceiver Station (BTS), a radio Base Station, a radio Transceiver, a Basic Service Set (BSS), an Extended Service Set (ESS), a node B, an evolved node B (eNB), a home node B, a home enodeb, a WLAN access Point, a WiFi node, a Transmit Receive Point (TRP), or some other suitable term in the field, as long as the same technical effect is achieved, the Base Station is not limited to a specific technical vocabulary, and it should be noted that, in the embodiment of the present application, only the Base Station in the NR system is taken as an example, but the specific type of the Base Station is not limited.
The network information processing method, apparatus, terminal and network side device provided in the embodiments of the present application are described in detail below with reference to the accompanying drawings and application scenarios thereof.
As shown in fig. 2, an embodiment of the present invention provides a network information processing method, including:
step 201, under the condition that the security check of the first information sent by the network side device fails, if the terminal meets a first condition, identifying the network side device as a target network, and executing a first operation.
Optionally, before step 201, the method may further include: the terminal receives first information sent by the network side equipment. After receiving the first information, the terminal may perform security check on the first information.
In this embodiment, identifying the network side device as the target network means: and taking the network side equipment as a (provider) target network. The network side device may include a first network device and a second network device, and the first information is sent to the second network device by the first network device and forwarded to the first network device by the second network device. The identifying the network side device as the target network may be identifying the second network device as the target network.
The first network device, for example: a Home Public Land Mobile Network (HPLMN), the second Network device being, for example: a Visited public land mobile network (Visited PLMN, VPLMN), that is, the first information may be: and the HPLMN forwarded by the VPLMN sends the information to the terminal.
Specifically, the network may be a network element, a function, an entity (entity), and the like. The target network packet may include at least one of:
1) Network where information element IE security check is in error; that is, when the first information security check fails, if the terminal satisfies the first condition, the network side device may be used as the network in which the IE security check error occurs.
2) A low-priority network in the terminal network selection process; that is, under the condition that the first information security check fails, if the terminal satisfies the first condition, the network side device may be used as a low-priority network in the network selection process, and the priority number of the low priority may be preset. For example: the low priority refers to the last two bits in the priority sequence from high to low, when the first information security check fails and the terminal meets the first condition, if the priority of the network side equipment is higher, the priority sequence of the network side equipment is adjusted to be located in the last two bits of the priority sequence, and then the network with the higher priority can be accessed preferentially in the subsequent network selection, so that normal communication is ensured.
The network selection process may include at least one of:
the network selection process when the terminal is started (At switch on);
a network selection process after recovering network coverage from non-network coverage (following from lack of coverage);
a periodic network selection process in a public land mobile network (VPLMN);
selecting a network with a priority higher than that of the current network;
and (4) network selection process after releasing the link.
3) A lowest priority network in the terminal network selection process; that is, under the condition that the first information security check fails, if the terminal meets the first condition, the network side device can be used as the lowest priority network in the network selection process, and then the network with higher priority can be preferentially accessed in the subsequent network selection process, so that normal communication is ensured.
4) A network in a second list, the second list being a list of PLMNs where registration is terminated due to SOR (PLMNs where registration is terminated due to SOR). That is, when the first information security check fails, if the terminal satisfies the first condition, the network side device may be regarded as a network in the second list, for example: and adding the network side equipment into the second list.
5) A forbidden (forbidden) network; that is, under the condition that the first information security check fails, if the terminal satisfies the first condition, the network-side device may be used as a prohibited network, and the prohibited network may not be selected in the process that the terminal waits for a subsequent network.
6) Temporarily disabled networks. That is, when the first information security check fails, if the terminal satisfies the first condition, the network-side device may be regarded as a temporarily prohibited network. The temporarily prohibited network is not selected in the process that the terminal waits for the subsequent network.
Optionally, in a case that the lowest priority network includes at least two network-side devices, the manner of determining the priorities of the at least two network-side devices includes at least one of:
the determination is realized by the terminal;
determined according to a random (random) order;
the determination is based on the chronological order of the networks identified as the lowest priority, e.g., the longer the network identified as the lowest priority the higher or the lower the priority.
Optionally, the first operation comprises at least one of:
a) Sending notification information of security check failure of non-access stratum NAS IE to the network side equipment; the method is used for informing the network side equipment that: the network currently registered by the terminal and the selected network generate IE security check errors. Therefore, after receiving the information of the security check failure of the NAS IE, the network side equipment can analyze and count the behavior of the NAS IE tampered in the network side equipment, try to solve the reason which can cause the security check error of the NAS IE, and enable the terminal to receive correct information more quickly.
b) Releasing the network connection with the network side device, specifically, the network connection may include at least one of: NAS signaling connection, N1 NAS signaling connection, RRC connection. When the first information security check fails and the first condition is met, the terminal can release the network connection with the network side equipment and can search other accessible networks, so that the influence on normal communication is avoided.
c) Apply (apply) SOR procedure;
d) Applying the SOR-CMCI process; the terminal may apply the SOR-CMCI if the terminal supports the SOR-CMCI and has stored SOR-CMCI parameters after the security check of the first information fails.
e) A first list is applied, which is a user-controlled list of services exempt from release due to SOR. The terminal may apply the first list if the terminal supports and configures the first list after the security check of the first information fails.
In this embodiment, when the first information security check fails, if the terminal satisfies the first condition, the network-side device may be used as the network in 1) to 6) above, and then the first operation is performed.
Optionally, the first information comprises at least one of:
(1) The terminal parameters update the transparent container (UE parameters update transparent container). Wherein the terminal parameter update transparent container comprises at least one of the following information:
routing indicator update data (Routing indicator update data);
network Slice Selection Assistance Information (NSSAI) update data (Default configured NSSAI update data) of a Default configuration;
network information that the terminal can use in case of a Disaster situation (Disaster Condition).
(2) Roam to SOR transparent containers (SOR transparent containers). The roam-oriented SOR transparent container includes at least one of:
a preferred public land mobile network PLMN/access technology combinations list (a list of preferred PLMNs/access technology combinations);
roaming of control information in connected mode (SOR-CMCI).
(3) A Payload container (Payload container).
Optionally, the first condition may include at least one of:
(a) The count number of times that the first counter fails in the first information security check reaches a first maximum value. And when the count value of the first counter reaches the first maximum value, identifying the network side equipment as a target network, and executing a first operation.
The determination of the first maximum value may include at least one of:
determined according to a default value;
determining according to third information, wherein the third information is obtained by a terminal from network side equipment;
the determination is performed by the terminal.
(b) The terminal supports SOR-CMCI. Wherein, after the security check of the first information fails, if the terminal supports the SOR-CMCI, the SOR-CMCI may be applied.
(c) The terminal is configured with a first list, which is a user controlled list of services (user controlled list of services excluded from release to SOR) free from release by SOR. If the terminal has the first list, the first list is applied after the first information security check is found to fail.
(d) The first timer times out a count of a maximum time from the discovery of the failure of the security check to the execution of the first operation by the terminal.
The terminal may set a timing time of the first timer, where the timing time is: the maximum time from the discovery of the failure of the security check to the execution of said first operation by the terminal. And starting the first timer, identifying the network side equipment as target equipment when the first timer is overtime, and executing a first operation.
The determination of the timing time of the first timer may include at least one of:
as determined by default, default values may be used;
and determining according to second information, wherein the second information is obtained by the terminal from the network side equipment.
Optionally, the first timer is stopped when a third condition is met;
the third condition includes at least one of:
the target service is ended;
the service of the target priority is ended;
releasing the network connection between the terminal and the network side equipment;
the terminal is shut down;
removing a Universal Subscriber Identity Module (USIM);
the first information security check is successful.
Optionally, the method further comprises: and receiving second information transmitted by the network side equipment through a non-access stratum (NAS) message or a Radio Resource Control (RRC) message. That is, the second information is transmitted through NAS messages or RRC messages. Optionally, the second information is carried by a terminal parameter update transparent container or an SOR transparent container.
The determination is effected by the terminal.
Optionally, the timing time of the first timer is set in case that the terminal does not support SOR-CMCI or there is no SOR-CMCI available in the terminal.
(e) The first timer time is 0; namely, when the first information security check fails, the network side equipment is immediately (without time delay) identified as the target network, and the first operation is executed.
(f) The target service is ended; the target service may include at least one of an emergency service (e.g., a service of a special number provided by an operator);
conform to the service specifying the 5G quality of service indicator (5G QoS identifier, 5QI).
(g) The traffic of the target priority ends. The target priority service may be a high priority service;
optionally, the high priority traffic comprises at least one of:
services contained in the SOR-CMCI;
services contained in the first list.
Optionally, the first condition may be one or more of (a) to (g) above, and the first condition may also be determined by a terminal implementation (UE implementation).
As an alternative embodiment, the method further comprises: receiving first information sent by the network side equipment; and carrying out security check on the first information. The security check may include at least one of: message authentication code MAC check, for example: comparing whether the MAC calculated by the UE is equal to the MAC transmitted in the message; and (6) checking the integrity.
The performing security check on the first information may include: and carrying out security check on the first information in the network registration process or after the network registration is finished. Namely, the security check of the first information by the terminal occurs during registration or after the registration is completed.
In this embodiment, for example, to ensure that the information sent by the first network device to the terminal is end-to-end security protected, the first network device may protect the information sent by the first network device to the terminal, for example, protect Routing identification (Routing ID) information. The first network device may check the requirement of the route ID management information, and may include at least one of the following:
mandatory (regulatory) requirements: integrity protection between the home network and the UE;
and (3) forced demand: retransmission protection between the home network and the UE;
optional (Optional) requirements: privacy protection between the home network and the UE (note: the route ID will be sent in clear to the serving network at the next registration.
The receiving the first information sent by the network side device may include: and receiving first information transmitted by the network side equipment through NAS information or RRC information. That is, the first information is transmitted through a NAS message or an RRC message.
Optionally, the network side device includes a first network device and a second network device; the receiving the first information sent by the network side device may include: receiving first information sent by second network equipment; the first information is sent by the first network device to the second network device.
In particular, the second network device may comprise at least one of:
visiting a public land mobile network (VPLMN);
a stand-alone Non-Public Network (SNPN) currently selected by the terminal;
the independent non-public network SNPN that sends the certificate to the terminal.
In particular, the first network device may comprise at least one of:
a home network;
a home public land mobile network, HPLMN;
signing SNPN;
a certificate provider;
a certificate owner;
a subscription information owner;
a subscription information provider;
a Certificate Authority (CA).
As an optional embodiment, when the first information security check fails and the terminal meets the first condition, the network side device is used as a target network to execute the first operation. After the first operation is executed, if the subsequent terminal satisfies the second condition, it may no longer be the network side device as the target network. Specifically, the method further comprises: and under the condition that the terminal meets a second condition, canceling to identify the network side equipment as a target network, and executing a second operation.
In this embodiment, the cancellation may identify the network side device as the target network, and no longer take the network side device as the target network. For example: the network side equipment is no longer used as a network with IE security check errors; the network side equipment is not used as a low-priority network in the network selection process of the terminal any more; the network side equipment is not used as the lowest priority network in the network selection process of the terminal; the network side device is no longer taken as a network in the second list; the network side equipment is not taken as a forbidden network any more; and the network side equipment is not used as a temporarily forbidden network any more.
Specifically, in a case that the target network includes a network in which an IE security check error occurs, the canceling identifies the network-side device as the target network, which may include:
deleting the network side equipment from the information of the network with the IE security check error; or deleting the information of the network in which the IE security check is in error.
Optionally, when the target network includes a low-priority network in a terminal network selection process, the canceling identifying the network-side device as the target network includes:
deleting the network side equipment from the information of the low-priority network; alternatively, the network information of low priority is deleted.
Optionally, when the target network includes a lowest priority network in a terminal network selection process, the canceling identifying the network-side device as the target network includes:
deleting the network side equipment from the information of the lowest priority network; alternatively, the lowest priority network information is deleted.
Optionally, in a case that the target network includes a forbidden network, the canceling identifies the network-side device as the target network includes:
deleting the network side equipment from the forbidden network information; alternatively, the prohibited network information is deleted.
Optionally, in a case that the target network includes a temporarily prohibited network, the canceling identifies the network-side device as the target network includes:
deleting the network side equipment from the information of the temporarily forbidden network; alternatively, the information of the temporarily prohibited network is deleted.
In particular, the second condition may include at least one of:
1) The first counter is reset (reset); namely, after the first counter is reset, the terminal does not take the network side device as the target network. The scenario in which the first counter is reset is, for example: if the UE successfully passes the security check on the NAS IE at the network side equipment, successfully passing the integrity check (success passing the integrity check); or the terminal is powered off; or the USIM is removed.
2) The safety check of the first information is successful; namely, when the first information received by the terminal from the network side device can be successfully checked, the terminal no longer takes the network side device as a target network.
3) The second timer times out; for example, after a set time period, the terminal no longer takes the network-side device as the target network.
4) The terminal is turned off (switched off); and after the terminal is powered off, the network side equipment is not taken as a target network any more.
5) And removing the USIM (the USIM is removed), and after the USIM card is removed (namely pulled out), the terminal does not take the network side equipment as a target network any more.
As an alternative embodiment, the second operation may comprise at least one of:
sending notification information of successful security check of NAS IE to the network side equipment;
and deleting the second list, wherein the second list is a PLMN list of which the registration is terminated due to the SOR.
For example: and the terminal identifies the network side equipment as the lowest priority network when the first information security check fails and meets a first condition. In the subsequent information interaction process with the network side equipment, the terminal receives the first information sent by the network side equipment again, and the first information is successfully subjected to security check, so that the network side equipment can not be used as the lowest priority network any more, and the notification information of successful security check of the NAS IE can be sent to the network side equipment.
For example: and the terminal identifies the network side equipment as the network in the second list under the condition that the first information security check fails and the first condition is met. And in the subsequent information interaction process with the network side equipment, the terminal receives the first information sent by the network side equipment again, and the security check of the first information is successful, so that the network side equipment can not be used as a network in the second list any more, and the second list is deleted.
For example: and the terminal identifies the network side equipment as a forbidden network under the condition that the first information security check fails and a first condition is met. And in the subsequent information interaction process with the network side equipment, the terminal receives the first information sent by the network side equipment again, and if the first information security check is successful, the network side equipment is not used as a forbidden network any more, and notification information of successful security check of the NAS IE can be sent to the network side equipment.
Optionally, in the embodiment of the present invention, the terminal sends the notification information to the network side device through an NAS message or an RRC message. Namely: the terminal sends notification information of security check failure of NAS IE to the network side equipment through NAS message or RRC message; and the terminal sends notification information of successful security check of the NAS IE to the network side equipment through the NAS message or the RRC message. Optionally, the second information and/or the third information may also be transmitted through NAS messages or RRC messages.
Taking the second information carried by NAS as an example, wherein the second information is carried in NAS message (e.g., DL NAS TRANSPORT, registration accept, configuration update instruction, 5GMM status message content), and the second information is used to instruct the UE to: the value of timer X is determined. The cell encoding format of the second information is, for example, table 1 or table 2:
table 1:
Figure BDA0003190405280000141
table 2:
Figure BDA0003190405280000142
in this embodiment, the timer 2 value is encoded as octet (octet) 2 of the timer 1 information element.
The cell encoding format of the third information is, for example, table 3:
table 3:
Figure BDA0003190405280000143
specifically, the NAS message may include at least one of:
(1) A message of a registration procedure; the method can comprise the following steps: registration accept (Registration accept), registration reject (Registration reject), and the like.
(2) A message of a de-registration process; for example: a deregistration request (UE terminated), a deregistration acceptance (UE terminated), etc.
(3) A message of a service procedure; for example: service reject (Service reject), service accept (Service accept).
(4) A Primary authentication and key authentication procedure (Primary authentication and key authentication procedure); for example: an authentication request, etc.
(5) A message identifying a procedure (Identification procedure); for example: for example: identify a request, etc.
(6) A secure mode control procedure (secure mode control procedure) message; for example: a Security mode command (Security mode command), and the like.
(7) NAS transport procedure (NAS transport procedure) message; for example: downstream NAS transport (DL NAS transport).
(8) A message of a terminal configuration update procedure (Generic UE configuration update procedure); for example: a Configuration update command (Configuration update command), and the like.
(9) 5G mobility management status (5 GMM status) procedure.
(10) A Notification (Notification) procedure message, such as a Notification message.
Specifically, the RRC message may include at least one of:
downlink Information Transfer (DL Information Transfer);
RRC Reconfiguration (RRC Reconfiguration);
RRC Reconfiguration Complete (RRC Reconfiguration Complete);
RRC Reject (RRC Reject);
RRC Release (RRC Release);
RRC recovery (RRC Resume);
RRC Resume Complete (RRC Resume Complete);
RRC Setup (RRC Setup);
a Security Mode Command (Security Mode Command);
UE Capability query (UE Capability inquiry);
a UE Information Request (UE Information Request);
the implementation of the method is illustrated by the specific examples below.
The first example is as follows: taking the first condition as an example that the number of times of the first counter that fails to perform the security check on the first information reaches a first maximum value, the first network device is an HPLMN, and the second network device is a VPLMN. Namely, when the security check of the first information fails, the counting number of the first counter reaches a first maximum value, the terminal identifies the network side device as a target network, and executes a first operation. As shown in fig. 3, specifically, the method includes:
step 1: the HPLMN sends Data1 (i.e. the first information) to the VPLMN. In Data1, the HPLMN integrity protects (integrity protection) information 1, and the Data1 includes information 1 (i.e. the first information, such as payload container, route indication update Data, default configured NSSAI update Data);
and 2, step: the VPLMN sends Data1 received from the HPLMN to the UE through a DL NAS TRANSPORT (TRANSPORT) procedure. The Data1 in the transmission process may be tampered by the VPLMN or a third party.
And step 3: after receiving Data1, the UE performs security check on Data1 or information contained in Data1, for example: checking the integrity; it is checked whether Data1 received by the UE is tampered, e.g. possibly tampered by VPLMN or by a third party.
Step 3a-4: if Data1 or Data1 contains information that fails the integrity check, i.e. Data1 security check fails, the UE may perform the following operations:
1) Discard the received information (e.g.: the payload container security check in Data1 fails, the contents in the payload container IE are discarded);
2) The number of times the NAS IE security check failed is recorded by counter 1.
Step 4a: judging whether the counting frequency of the counter 1 reaches the maximum value, if the counting value of the counter 1 is smaller than the maximum value, adding 1 to the counting of the counter 1; optionally, the UE may send information that the integrity check of the NAS IE fails to the network side device.
Alternatively, if the count value of the counter 1 reaches the maximum value, step 4b is entered.
And 4b: the UE performs a first operation, such as: reducing the priority of the current VPLMN, and identifying the VPLMN as the lowest priority;
or, the UE sends notification information of integrity check failure of the NAS IE to the network side device.
And 4c: and under the condition that the terminal meets a second condition, executing a second operation, where the second condition is that the UE succeeds in security check on the NAS IE on the VPLMN, for example: the information contained in Data1 or Data1 successfully passes the integrity check, or the terminal is turned off (the MS is switched off), or the USIM is removed (the USIM is removed). The second operation is, for example: the identifier of the network with the lowest priority of the VPLMN is cancelled, that is, the priority of the VPLMN is not reduced any more, and the terminal may further send notification information that the integrity check of the NAS IE is successful to the network side device.
Optionally, when the UE sends notification information to the network side device, the notification information may be transmitted through a NAS message, where the NAS message may include one or more of the following:
(1) A message of a registration procedure; the method can comprise the following steps: one or more of a Registration request (Registration request), registration completion (Registration complete), and the like.
(2) A message of a de-registration process; for example: a deregistration request (UE initiated), a deregistration acceptance (UE terminated), etc.
(3) A message of a service procedure; for example: one or more of a Service request (Service request), and a Control plane Service request (Control plane Service request).
(4) A Primary authentication and key authentication procedure (Primary authentication and key authentication procedure); such as authentication responses, etc.
(5) A message identifying a procedure (Identification procedure); for example: for example: identify a response, and the like.
(6) A secure mode control procedure (secure mode control procedure) message; for example: security mode complete (Security mode complete), security mode reject (Security mode reject), etc.
(7) NAS transport procedure (NAS transport procedure) message; for example: uplink NAS transport (UL NAS transport).
(8) A message of a terminal configuration update procedure (Generic UE configuration update procedure); for example: configuration update complete (Configuration update complete), and the like.
(9) 5G mobility management status (5 GMM status) procedure.
(10) A Notification (Notification) procedure message, such as a Notification response.
Example two: taking the first network device as an HPLMN, the second network device as a VPLMN, and the first operation is to send notification information of failure of security check of NAS IE to a network side device as an example. That is, when the security check of the first information fails and the first condition is satisfied, the terminal transmits the notification information of the security check failure of the NAS IE to the network side device. As shown in fig. 4, specifically, the method includes:
step 1: the HPLMN sends Data1 (i.e. said first information) to the VPLMN. In Data1, the HPLMN integrity protects information 1, and Data1 includes information 1 (i.e. the first information, for example, payload container, route indication update Data, default configured NSSAI update Data);
and 2, step: the VPLMN sends Data1 received from the HPLMN to the UE through a DL NAS TRANSPORT (TRANSPORT) procedure. Wherein, the Data1 in the transmission process can be tampered by the VPLMN or a third party.
And step 3: after receiving Data1, the UE performs security check on Data1 or information contained in Data1, for example: checking the integrity; it is checked whether Data1 received by the UE is tampered, e.g. possibly tampered by VPLMN or by a third party.
And 4, step 4: if the information contained in Data1 or Data1 does not successfully pass the integrity check, that is, the Data1 security check fails, the UE sends notification information of IE security check error to the network side device, for example: the integrity check of the NAS IE failed. The notification information may be transmitted via NAS messages, for example:
(1) A message of a registration procedure; the method can comprise the following steps: registration request (Registration request), registration completion (Registration complete), etc.
(2) A message of a de-registration process; for example: a deregistration request (UE initiated), a deregistration acceptance (UE terminated), etc.
(3) A message of a service procedure; for example: one or more of a Service request (Service request), and a Control plane Service request (Control plane Service request).
(4) A Primary authentication and key authentication procedure (Primary authentication and key authentication procedure); such as authentication responses, etc.
(5) A message identifying a procedure (Identification procedure); for example: for example: identify a response, and the like.
(6) A secure mode control procedure (secure mode control procedure) message; for example: security mode complete (Security mode complete), security mode reject (Security mode reject), etc.
(7) NAS transport procedure (NAS transport procedure) message; for example: uplink NAS transport (UL NAS transport).
(8) A message of a terminal configuration update procedure (Generic UE configuration update procedure); for example: configuration update complete (Configuration update complete), and the like.
(9) Messages of 5G mobility management state (5 GMM status) procedure.
(10) A message notifying (Notification) procedure, for example, a Notification response.
And 5: after the VPLMN receives the notification information of the IE security check error sent by the UE, the information can be analyzed by the VPLMN or forwarded to the HPLMN by the VPLMN. Step 6 or step 9 may be executed.
And 6: the VPLMN forwards the information that the integrity check of the NAS IE failed to the HPLMN.
And 7: the HPLMN analyzes and counts the tampered behavior of the NAS IE generated in the VPLMN, such as:
the times and frequency of the behavior of tampering the NAS IE in the VPLMN;
characteristics of the UE where the behavior of tampering the NAS IE occurs in the VPLMN, such as a terminal identity and a service type executed by the UE;
the number of UEs in the VPLMN where the NAS IE tampered with occurred;
under what scenario the UE behaves in this VPLMN that the NAS IE is tampered with, e.g. a specific TA zone, a specific slice.
The HPLMN may modify, update subscription information, e.g., subscription information of the HPLMN with the VPLMN, e.g., not allowing the UE to obtain service in a specific TA region or slice of the VPLMN, according to the statistics.
And 8: the HPLMN informs the VPLMN: IE security check error, e.g., integrity check failure of NAS IE.
And step 9: after the VPLMN receives the information of "IE security check error", it attempts to resolve the cause that may cause the IE security check error, for example: triggering the UE to re-register, triggering the UE to replace a cell, and the like.
Step 10: the HPLMN may perform one or more of the following third operations:
triggering SOR and SOR-CMCI processes;
triggering the UE to delete the VPLMN from the OPLMN;
triggering the UE to place the VPLMN into the forbidden PLMN;
triggering the UE to enter other networks.
Example three: taking the first network device as an HPLMN and the second network device as a VPLMN, and the first condition is that the UE supports SOR-CMCI and is configured with SOR-CMCI parameters, where the first operation includes: and releasing the network connection with the network side equipment by applying SOR-CMCI. Namely, when the security check of the first information fails, the terminal applies the SOR-CMCI procedure, applies the SOR procedure, and releases the network connection with the network side device. As shown in fig. 5, specifically, includes:
step 1: the HPLMN sends Data1 (i.e. said first information) to the VPLMN. In Data1, the HPLMN integrity protects information 1, and Data1 includes information 1 (i.e. the first information, for example, payload container, route indication update Data, default configured NSSAI update Data);
step 2: the VPLMN sends Data1 received from the HPLMN to the UE through the DL NAS TRANSPORT procedure. Wherein, data1 in the transmission process can be tampered by VPLMN or a third party.
And step 3: after receiving Data1, the UE performs security check on Data1 or information contained in Data1, for example: checking the integrity; it is checked whether Data1 received by the UE is tampered, for example, possibly tampered by VPLMN or by a third party.
Step 3a-4: if Data1 or Data1 contains information that fails the integrity check, i.e. Data1 security check fails, the UE may perform the following operations:
1) Discard the received information (e.g.: the payload container security check in Data1 fails, the contents in the payload container IE are discarded);
2) The VPLMN priority is reduced. For example: the VPLMN is currently considered the lowest priority.
Step 5a: and judging whether the UE supports SOR-CMCI, if so, executing the step 5, otherwise, executing the step 7.
And 5: and judging whether the available SOR-CMCI is stored in the UE, if so, executing the step 6, otherwise, executing the step 7.
Step 6: the UE applies SOR-CMCI.
And 7: a timer value X is set.
And 8: and judging whether the value of the timer X is 0 or not. If yes, go to step 11, otherwise go to step 9.
And step 9: the timer X is started.
Step 10: timer X times out and step 11 is performed.
Step 11: and when the terminal meets the first condition, releasing the link and reselecting the network by the UE. The step 5a, the step 5 and the step 10 are all steps in which the terminal determines whether a first condition is met; the step 6 and the step 11 are steps of executing the first operation by the terminal.
Step 12: and judging whether the terminal meets the second condition, and if so, executing step 13.
Step 13: the priority of the VPLMN is not lowered any more.
Optionally, in step 3a-4, when Data1 security check fails, the current VPLMN identity may be stored in a target list, where the target list stores the VPLMN with security check failure of NAS IE, and the networks in the list are prioritized down when the terminal selects the network subsequently. Wherein the list may be deleted after the terminal fulfils the second condition in step 12.
Example four: and taking the first network device as an HPLMN and the second network device as a VPLMN, wherein the failure of the security check of the first information is as follows: in the NAS DL TRANSPORT process, as shown in fig. 6, the security check error of the SOR-CMCI parameter is, for example, specifically includes:
step 1: the HPLMN sends Data1 (i.e. said first information) to the VPLMN. In the Data1, the HPLMN integrity protects the information 1, and the Data1 includes the information 1 (i.e. the first information, such as an SOR transparent container (SOR transparent container));
step 2: the VPLMN sends Data1 received from the HPLMN to the UE through the DL NAS TRANSPORT procedure. Wherein, the Data1 in the transmission process can be tampered by the VPLMN or a third party.
And step 3: after receiving Data1, the UE performs security check on Data1 or information contained in Data1, for example: checking the integrity; it is checked whether Data1 received by the UE is tampered.
Step 4a: data1 is tampered with, then the current VPLMN is considered the lowest priority.
And 4, step 4: and storing the current VPLMN to a list.
Optionally, the method for storing the VPLMN to the list includes:
1) Stored into the existing list: storing the VPLMN identification in a 'PLMN terminated by registration due to SOR' list, namely storing the VPLMN identification in the list in case Data1 is tampered in step 3; or
2) Store into the new list: and storing the VPLMN identifications in a new list, wherein the VPLMN with the NAS IE failed in security check is stored in the list, and the networks in the list are subjected to priority reduction when the terminal selects the network subsequently. Wherein the list may be deleted after the terminal satisfies the second condition in step 12.
Step 5a: and judging whether the UE supports SOR-CMCI, if so, executing the step 5, otherwise, executing the step 7.
And 5: and when the UE supports the SOR-CMCI, judging whether the available SOR-CMCI is stored in the UE, if so, executing the step 6, otherwise, executing the step 7.
Step 6: the UE applies SOR-CMCI.
And 7: a timer value X is set. The timer X may be: tsor-cm, for example: when the UE supports SOR-CMCI but does not have available SOR-CMCI information, the timer is Tsor-cm; other timers are also possible, such as a newly defined timer. The value of the timer X may be a default value, a value sent by the network side device to the UE, a random value, or a random value within a certain range.
And step 8: and judging whether the value of the timer X is 0 or not. If yes, go to step 11, otherwise go to step 9.
And step 9: the timer X is started.
Step 10: timer X times out and step 11 is performed.
Step 11: and when the terminal meets the first condition, releasing the link and reselecting the network by the UE.
Step 12: and judging whether the terminal meets the second condition, and if so, executing the step 13.
Step 13: the priority of the VPLMN is not lowered any more.
According to the embodiment of the application, under the condition that the first information security check fails, if the terminal meets the first condition, the network side device can be used as a target network to execute the first operation, and compared with the prior art that the first information is directly discarded, the terminal can be guaranteed to correctly receive the information which the network side expects to obtain after the first information is tampered, and normal communication is guaranteed.
As shown in fig. 7, an embodiment of the present application further provides a network information processing method, applied to a network side device, including:
step 701, when the network side device receives notification information of security check failure of the NAS IE sent by the terminal, the network side device counts tampered related behavior information of the NAS IE.
And step 702, executing a third operation according to the relevant behavior information.
In this embodiment, the network-side device may include a first network device and a second network device; the first network device may include at least one of:
a home network;
a home public land mobile network, HPLMN;
signing SNPN;
a certificate provider;
a certificate owner;
a subscription information owner;
a subscription information provider;
the certificate authority CA.
The second network device may include at least one of:
visiting a public land mobile network (VPLMN);
the terminal selects the independent non-public network SNPN currently;
an independent non-public network SNPN that sends the certificate to the terminal.
The first information sent to the terminal by the first network side device needs to be forwarded to the terminal by the second network side device. And after receiving the first information, the terminal performs security check on the first information, and if the first information security check fails, if the terminal meets a first condition, the terminal performs a first operation with the network side device as a target network, wherein the network side device can be used as a network with error in IE security check, and sends notification information of security check failure of NAS IE to the network side device.
The network side device, on condition that notification information of security check failure of the NAS IE sent by the terminal is received, counts tampered related behavior information of the NAS IE, where the tampered related behavior information of the NAS IE may include at least one of the following:
the number of times of the behavior of tampering the NAS IE in the network side equipment;
the frequency of occurrence of behavior in the network side device that the NAS IE is tampered with;
the number of terminals where the behavior of the NAS IE is tampered in the network side equipment;
a characteristic that behavior of the NAS IE is tampered in the network side equipment; the method can comprise the following steps: the terminal identity and/or the type of service performed by the terminal.
The scenario in which the terminal has a behavior of tampering the NAS IE in the network side device, that is, the scenario under which the terminal has a behavior of tampering the NAS IE in the network side device, may include tracking area TA information and/or slice information, for example: a particular Tracking Area (TA), a particular slice, etc.
The network side device may modify and update subscription information according to the statistical information, for example, subscription information between the HPLMN and the VPLMN, for example: the UE is not allowed to acquire service in a specific TA region or slice of the VPLMN.
Optionally, the executing, according to the relevant behavior information, a third operation includes: a first process of the first network device and/or a second process of the second network device.
Wherein the first processing may include at least one of:
triggering the terminal to register;
triggering the terminal to register again;
triggering the terminal to perform cell reselection;
triggering a terminal to replace an access cell;
and triggering the terminal to select the network.
Wherein the second processing may include at least one of:
triggering an SOR process;
triggering an SOR-CMCI process;
the triggering terminal deletes the second network device from Operator Controlled PLMN (OPLMN);
triggering the terminal to use the second network equipment as a forbidden PLMN;
and triggering the terminal to access other networks.
Taking the first network device as the HPLMN and the second network device as the VPLMN as an example, the terminal sends the notification information of the NAS IE that the security check fails to the VPLMN, and the VPLMN may analyze the notification information, or forward the notification information to the HPLMN, and the HPLMN analyzes the notification information. In parsing the notification information, attempts are made to resolve the cause that may cause the IE security check error, such as: triggering UE to register and re-register, triggering UE cell reselection, cell replacement, network selection and the like.
The HPLMN may perform actions to reduce the VPLMN priority, such as: triggering SOR and SOR-CMCI processes; and triggering the UE to put the VPLMN into the forbidden PLMN, and triggering the UE to enter other networks.
And when the terminal succeeds in the security check of the first information sent by the network side equipment, the terminal does not take the network side equipment as a target network any more. The terminal sends the notification information that the security check of the NAS IE is successful to the network side equipment, and the network side equipment receives the notification information that the security check of the NAS IE is successful, which is sent by the terminal.
In the embodiment of the application, when the terminal fails to perform the first information security check, if the terminal meets the first condition, the network side device may be used as a target network, and the notification information of the security check failure of the NAS IE may be sent to the network side device. After the network side equipment receives the notification information of the security check failure of the NAS IE, the behavior of the NAS IE tampered in the network side equipment is analyzed and counted, the reason for tampering the NAS IE can be solved through a third operation, the terminal can be guaranteed to correctly receive the information expected to be obtained by the network side, and normal communication is guaranteed.
In the network information processing method provided in the embodiment of the present application, the execution main body may be a network information processing apparatus, or a control module in the network information processing apparatus for executing the network information processing method. In the embodiment of the present application, a network information processing apparatus executing a network information processing method is taken as an example, and the network information processing apparatus provided in the embodiment of the present application is described.
As shown in fig. 8, an embodiment of the present application provides a network information processing apparatus 800, applied to a terminal, including:
the first processing module 810 is configured to, under the condition that the security check of the first information sent by the network side device fails, identify the network side device as a target network if the terminal meets a first condition, and execute a first operation.
Optionally, the first information comprises at least one of:
updating the transparent container by the terminal parameter;
a roam-oriented SOR transparent container;
a payload container.
Optionally, the terminal parameter update transparent container includes at least one of the following information:
route indication update data;
network slice selection auxiliary information NSSAI updating data configured by default;
network information that the terminal can use in case of a disaster.
Optionally, the roam-directed SOR transparent container includes at least one of:
a preferred public land mobile network PLMN/access technology combination list;
roaming of control information in connected mode leads to SOR-CMCI.
Optionally, the first condition comprises at least one of:
the counting times of the first counter for the first information security check failure reach a first maximum value;
the terminal supports SOR-CMCI;
the terminal is configured with a first list, wherein the first list is a service list controlled by a user and free from being released due to SOR;
the first timer times out the timing of the longest time from the discovery of the failure of the security check to the execution of the first operation by the terminal;
the first timer time is 0;
the target service is ended;
the traffic of the target priority ends.
Optionally, the target traffic comprises at least one of:
emergency services;
service conforming to the designation 5 QI.
Optionally, the target priority service is a high priority service;
the high priority traffic comprises at least one of:
services contained in the SOR-CMCI;
services contained in the first list.
Optionally, the first condition is determined by a terminal implementation.
Optionally, the determining manner of the first maximum value includes at least one of:
determined according to a default value;
determining according to the third information;
the determination is effected by the terminal.
Optionally, the determination manner of the timing time of the first timer includes at least one of the following:
determined according to a default value;
determining according to the second information;
the determination is effected by the terminal.
Optionally, the first timer is stopped when a third condition is met;
the third condition includes at least one of:
the target service is ended;
the service of the target priority is ended;
releasing the network connection between the terminal and the network side equipment;
the terminal is shut down;
removing a Universal Subscriber Identity Module (USIM);
the first information security check is successful.
Optionally, the apparatus further comprises:
a second receiving module, configured to receive second information transmitted by the network side device through a non-access stratum NAS message or a radio resource control RRC message.
Optionally, the apparatus further comprises:
a first setting module, configured to set the timing time of the first timer when the terminal does not support the SOR-CMCI or there is no SOR-CMCI available in the terminal
Optionally, the first operation comprises at least one of:
sending notification information of security check failure of non-access stratum NAS IE to the network side equipment;
releasing the network connection with the network side equipment;
applying an SOR process;
applying the SOR-CMCI process;
a first list is applied, which is a user-controlled list of services exempt from release due to SOR.
Optionally, the apparatus further comprises:
and the third processing module is used for canceling the identification of the network side equipment as the target network and executing a second operation under the condition that the terminal meets a second condition.
Optionally, the second condition comprises at least one of:
the first counter is reset;
the safety check of the first information is successful;
the second timer times out;
the terminal is shut down;
the universal subscriber identity card USIM is removed.
Optionally, the target network comprises at least one of:
network where information element IE security check is in error;
a low-priority network in the terminal network selection process;
a lowest priority network in the terminal network selection process;
a network in a second list, the second list being a list of PLMNs that registration terminated due to SOR;
a forbidden network;
temporarily disabled networks.
Optionally, the second operation comprises at least one of:
sending notification information of successful security check of NAS IE to the network side equipment;
and deleting the second list, wherein the second list is a PLMN list of which the registration is terminated due to the SOR.
Optionally, in a case that the target network includes a network in which an information element IE security check error occurs, the third processing module is specifically configured to:
deleting the network side equipment from the information of the network with the IE security check error; or alternatively
The information of the network where the IE security check is in error is deleted.
Optionally, in a case that the target network includes a low-priority network in a terminal network selection process, the third processing module is specifically configured to:
deleting the network side equipment from the information of the low-priority network; or
And deleting the network information with low priority.
Optionally, in a case that the target network includes a lowest priority network in a terminal network selection process, the third processing module is specifically configured to:
deleting the network side equipment from the information of the lowest priority network; or alternatively
And deleting the network information with the lowest priority.
Optionally, in a case that the target network includes a prohibited network, the third processing module is specifically configured to:
deleting the network side equipment from the forbidden network information; or
The prohibited network information is deleted.
Optionally, in a case that the target network includes a temporarily prohibited network, the third processing module is specifically configured to:
deleting the network side equipment from the information of the temporarily forbidden network; or
The information of the temporarily prohibited network is deleted.
Optionally, the terminal sends the notification information to the network side device through an NAS message or an RRC message.
Optionally, the network selection process includes at least one of:
a network selection process when the terminal is started;
a network selection process after recovering network coverage from non-network coverage;
a periodic network selection process in a public land mobile network (VPLMN);
selecting a network with a priority higher than that of the current network;
and (5) network selection process after releasing the link.
Optionally, in a case that the lowest priority network includes at least two network-side devices, the determination manner of the priorities of the at least two network-side devices includes at least one of:
the determination is realized by the terminal;
determining according to a random order;
determined according to the chronological order identified as the lowest priority network.
Optionally, the apparatus further comprises:
a third receiving module, configured to receive the first information sent by the network side device;
and the safety check module is used for carrying out safety check on the first information.
Optionally, the security check module is specifically configured to: and carrying out security check on the first information in the network registration process or after the network registration is finished.
Optionally, the security check comprises at least one of:
checking a message authentication code MAC;
and (6) checking the integrity.
Optionally, the third receiving module is specifically configured to: and receiving first information transmitted by the network side equipment through NAS information or RRC information.
Optionally, the NAS message comprises at least one of:
a message of a registration procedure;
a message of a de-registration process; a message in a service process;
a message of a master authentication and key agreement process;
a message identifying a process;
a message of a security mode control procedure;
a message of a NAS transport procedure;
the terminal configures the information of the updating process;
5G mobility management state procedure messages;
a message informing of the process.
Optionally, the second information is carried by a terminal parameter update transparent container or an SOR transparent container.
Optionally, the network side device includes a first network device and a second network device;
the receiving the first information sent by the network side device includes:
receiving first information sent by second network equipment; the first information is sent by the first network device to the second network device.
Optionally, the second network device comprises at least one of:
visiting a public land mobile network (VPLMN);
the terminal selects the independent non-public network SNPN currently;
the independent non-public network SNPN that sends the certificate to the terminal.
Optionally, the first network device comprises at least one of:
a home network;
a home public land mobile network, HPLMN;
signing SNPN;
a certificate provider;
a certificate owner;
a subscription information owner;
a subscription information provider;
the certificate authority CA.
In this embodiment of the application, under the condition that the first information security check fails, if the terminal meets the first condition, the network side device may be used as a target network to perform the first operation, and compared with the prior art in which the first information is directly discarded, it can be ensured that after the first information is tampered, the terminal can correctly receive the information that the network side desires to obtain after performing the first operation, and ensure normal communication.
The network information processing apparatus provided in the embodiment of the present application can implement each process implemented by the method embodiments in fig. 1 to fig. 6, and achieve the same technical effect, and is not described here again to avoid repetition.
As shown in fig. 9, an embodiment of the present application provides a network information processing apparatus 900, which is applied to a network side device, and includes:
a first receiving module 910, configured to, in a case that notification information of security check failure of the NAS IE sent by the terminal is received, count modified related behavior information of the NAS IE;
the second processing module 920 is configured to execute a third operation according to the relevant behavior information.
Optionally, the tampered behavior information of the NAS IE includes at least one of:
the number of times of behavior of tampering of the NAS IE in the network side equipment;
the frequency of occurrence of behavior in the network side device that the NAS IE is tampered with;
a characteristic that behavior of the NAS IE is tampered in the network side equipment;
the number of terminals where the behavior of the NAS IE is tampered in the network side equipment;
and the terminal generates a scene of behavior that the NAS IE is tampered in the network side equipment.
Optionally, the characteristic of the behavior of the network side device in which the NAS IE is tampered with includes: the terminal identity and/or the type of service performed by the terminal.
Optionally, a scenario in which the terminal has a behavior of tampering the NAS IE in the network side device includes:
tracking area TA information and/or slice information.
Optionally, the network-side device includes a first network device and a second network device;
the third operation includes: a first process of the first network device and/or a second process of the second network device.
Optionally, the first processing comprises at least one of:
triggering the terminal to register;
triggering the terminal to register again;
triggering a terminal to reselect a cell;
triggering a terminal to replace an access cell;
and triggering the terminal to select the network.
Optionally, the second processing comprises at least one of:
triggering an SOR process;
triggering an SOR-CMCI process;
triggering the terminal to delete the second network equipment from the PLMN controlled by the operator;
triggering the terminal to use the second network equipment as a forbidden PLMN;
and triggering the terminal to access other networks.
Optionally, the apparatus further comprises: and the fourth receiving module is used for receiving the notification information of the successful security check of the NAS IE sent by the terminal.
In the embodiment of the application, when the terminal fails to perform the first information security check, if the terminal meets the first condition, the network side device may be used as a target network, and the notification information of the security check failure of the NAS IE may be sent to the network side device. After receiving the notification information of the security check failure of the NAS IE, the network side equipment analyzes and counts the behavior of the NAS IE tampered in the network side equipment, and can solve the reason causing the NAS IE to be tampered through a third operation, so that the terminal can correctly receive the information which the network side expects to obtain, and normal communication is guaranteed.
The network information processing apparatus provided in the embodiment of the present application can implement each process implemented in the method embodiment of fig. 7, and achieve the same technical effect, and is not described here again to avoid repetition.
The network information processing apparatus in the embodiment of the present application may be an apparatus, an apparatus or an electronic device having an operating system, or may be a component, an integrated circuit, or a chip in a terminal. The device or the electronic equipment can be a mobile terminal or a non-mobile terminal. For example, the mobile terminal may include, but is not limited to, the above-listed type of terminal 11, and the non-mobile terminal may be a server, a Network Attached Storage (NAS), a Personal Computer (PC), a Television (TV), a teller machine, a kiosk, or the like, and the embodiments of the present application are not limited in particular.
Optionally, as shown in fig. 10, an embodiment of the present application further provides a communication device 1000, which includes a processor 1001, a memory 1002, and a program or an instruction stored in the memory 1002 and executable on the processor 1001, for example, when the communication device 1000 is a terminal, the program or the instruction is executed by the processor 1001 to implement the processes of the network information processing method embodiment applied to the terminal, and the same technical effect can be achieved. When the communication device 1000 is a network-side device, the program or the instruction is executed by the processor m01 to implement the processes of the network information processing method embodiment applied to the network-side device, and the same technical effect can be achieved.
The embodiment of the present application further provides a terminal, which includes a processor and a communication interface, where the processor is configured to identify, when a security check of first information sent by a network-side device fails, the network-side device as a target network and execute a first operation if the terminal meets a first condition. The terminal embodiment corresponds to the terminal-side method embodiment, and all implementation processes and implementation manners of the method embodiment can be applied to the terminal embodiment and can achieve the same technical effect. Specifically, fig. 11 is a schematic diagram of a hardware structure of a terminal for implementing the embodiment of the present application.
The terminal 1100 includes, but is not limited to: at least some of the components of the radio frequency unit 1101, the network module 1102, the audio output unit 1103, the input unit 1104, the sensor 1105, the display unit 1106, the user input unit 1107, the interface unit 1108, the memory 1109, the processor 1110, and the like.
Those skilled in the art will appreciate that terminal 1100 can also include a power supply (e.g., a battery) for powering the various components, which can be logically coupled to processor 1110 via a power management system to facilitate managing charging, discharging, and power consumption via the power management system. The terminal structure shown in fig. 11 does not constitute a limitation of the terminal, and the terminal may include more or less components than those shown, or combine some components, or have a different arrangement of components, and thus will not be described again.
It should be understood that, in the embodiment of the present application, the input Unit 1104 may include a Graphics Processing Unit (GPU) 11041 and a microphone 11042, and the Graphics processor 11041 processes image data of still pictures or video obtained by an image capturing device (such as a camera) in a video capturing mode or an image capturing mode. The display unit 1106 may include a display panel 11061, and the display panel 11061 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. The user input unit 1107 includes a touch panel 11071 and other input devices 11072. A touch panel 11071, also called a touch screen. The touch panel 11071 may include two portions of a touch detection device and a touch controller. Other input devices 11072 may include, but are not limited to, a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, and a joystick, which are not described in detail herein.
In this embodiment, the radio frequency unit 1101 receives downlink data from a network device and processes the downlink data to the processor 1110; in addition, the uplink data is sent to the network side equipment. In general, radio frequency unit 1101 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like.
The memory 1109 may be used to store software programs or instructions as well as various data. The memory 1109 may mainly include a program or instruction storage area and a data storage area, wherein the program or instruction storage area may store an operating system, application programs or instructions required for at least one function (such as a sound playing function, an image playing function, etc.), and the like. In addition, the Memory 1109 may include a high-speed random access Memory and may also include a nonvolatile Memory, which may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable Programmable PROM (EPROM), an Electrically Erasable Programmable ROM (EEPROM), or a flash Memory. Such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device.
Processor 1110 may include one or more processing units; alternatively, processor 1110 may integrate an application processor that primarily handles operating systems, user interfaces, and applications or instructions, etc. and a modem processor that primarily handles wireless communications, such as a baseband processor. It will be appreciated that the modem processor described above may not be integrated into processor 1110.
The processor 1110 is configured to, under the condition that the security check of the first information sent by the network side device fails, identify the network side device as a target network if the terminal meets a first condition, and execute a first operation.
Optionally, the first information comprises at least one of:
updating the transparent container by the terminal parameter;
a roaming oriented SOR transparent container;
a payload container.
Optionally, the terminal parameter update transparent container includes at least one of the following information:
route indication update data;
network slice selection auxiliary information NSSAI updating data configured by default;
network information that the terminal can use in case of a disaster.
Optionally, the roam-directed SOR transparent container includes at least one of:
a preferred public land mobile network PLMN/access technology combination list;
roaming-oriented SOR-CMCI for control information in connected mode.
Optionally, the first condition comprises at least one of:
the counting times of the first counter for the first information security check failure reach a first maximum value;
the terminal supports SOR-CMCI;
the terminal is configured with a first list, wherein the first list is a service list controlled by a user and free from being released due to SOR;
the first timer times out the timing of the longest time from the discovery of the failure of the security check to the execution of the first operation by the terminal;
the first timer time is 0;
the target service is ended;
the traffic of the target priority ends.
Optionally, the target traffic comprises at least one of:
emergency services;
conforming to a service designated 5 QI.
Optionally, the target priority service is a high priority service;
the high priority traffic comprises at least one of:
services contained in the SOR-CMCI;
the services contained in the first list.
Optionally, the first condition is determined by a terminal implementation.
Optionally, the determining manner of the first maximum value includes at least one of:
determined according to default values;
determining according to the third information;
the determination is performed by the terminal.
Optionally, the determination manner of the timing time of the first timer includes at least one of the following:
determined according to a default value;
determining according to the second information;
the determination is effected by the terminal.
Optionally, the first timer is stopped when a third condition is met;
the third condition includes at least one of:
the target service is ended;
the service of the target priority is ended;
releasing the network connection between the terminal and the network side equipment;
the terminal is shut down;
removing a Universal Subscriber Identity Module (USIM);
the first information security check is successful.
Optionally, the radio frequency unit 1101 is configured to: and receiving second information transmitted by the network side equipment through a non-access stratum (NAS) message or a Radio Resource Control (RRC) message.
Optionally, the processor 1110 is further configured to: and setting the timing time of the first timer under the condition that the terminal does not support SOR-CMCI or no SOR-CMCI is available in the terminal.
Optionally, the first operation comprises at least one of:
sending notification information of security check failure of non-access stratum NAS IE to the network side equipment;
releasing the network connection with the network side equipment;
applying an SOR process;
applying the SOR-CMCI procedure;
a first list is applied, which is a user-controlled list of services exempt from release due to SOR.
Optionally, the processor 1110 is further configured to: and under the condition that the terminal meets a second condition, canceling the identification of the network side equipment as a target network, and executing a second operation.
Optionally, the second condition comprises at least one of:
the first counter is reset;
the safety check of the first information is successful;
the second timer times out;
the terminal is shut down;
and removing the universal subscriber identity card USIM.
Optionally, the target network comprises at least one of:
network where information element IE security check is in error;
a low-priority network in the terminal network selection process;
a lowest priority network in the terminal network selection process;
a network in a second list, the second list being a list of PLMNs that registration terminated due to SOR;
a forbidden network;
temporarily disabled networks.
Optionally, the second operation comprises at least one of:
sending notification information of successful security check of NAS IE to the network side equipment;
and deleting the second list, wherein the second list is a PLMN list of which the registration is terminated due to the SOR.
Optionally, in a case that the target network includes a network in which an information element IE security check error occurs, the processor 1110 is further configured to:
deleting the network side equipment from the information of the network with IE security check errors; or alternatively
The information of the network where the IE security check is in error is deleted.
Optionally, in a case that the target network includes a low-priority network in a network selection process of a terminal, the processor 1110 is further configured to:
deleting the network side equipment from the information of the low-priority network; or
And deleting the network information with low priority.
Optionally, in a case that the target network includes a lowest priority network in a terminal network selection process, the processor 1110 is further configured to:
deleting the network side equipment from the information of the lowest priority network; or
The network information of the lowest priority is deleted.
Optionally, in a case that the target network includes a forbidden network, the processor 1110 is further configured to:
deleting the network side equipment from the forbidden network information; or
The forbidden network information is deleted.
Optionally, in a case that the target network includes a temporarily prohibited network, the processor 1110 is further configured to:
deleting the network side equipment from the information of the temporarily forbidden network; or
The information of the temporarily prohibited network is deleted.
Optionally, the terminal sends the notification information to the network side device through an NAS message or an RRC message.
Optionally, the network selection process includes at least one of:
a network selection process when the terminal is started;
a network selection process after recovering network coverage from non-network coverage;
a periodic network selection process in a public land mobile network (VPLMN);
selecting a network with a priority higher than that of the current network;
and (4) network selection process after releasing the link.
Optionally, in a case that the lowest priority network includes at least two network-side devices, the manner of determining the priorities of the at least two network-side devices includes at least one of:
the determination is realized by the terminal;
determining according to a random order;
determined according to the chronological order identified as the lowest priority network.
Optionally, the radio frequency unit 1101 is further configured to: receiving first information sent by the network side equipment;
the processor 1110 is further configured to: and carrying out security check on the first information.
Optionally, the processor 1110 is further configured to: and carrying out security check on the first information in the network registration process or after the network registration is finished.
Optionally, the security check comprises at least one of:
checking a message authentication code MAC;
and (6) checking the integrity.
Optionally, the radio frequency unit 1101 is further configured to:
and receiving first information transmitted by the network side equipment through NAS information or RRC information.
Optionally, the NAS message comprises at least one of:
a message of a registration procedure;
a message of a de-registration process; a message in a service process;
a message of a master authentication and key agreement process;
a message identifying a process;
a message of a security mode control procedure;
message of NAS transmission process;
the terminal configures the information of the updating process;
5G mobility management state procedure messages;
a message informing of the process.
Optionally, the second information is carried by a terminal parameter update transparent container or an SOR transparent container.
Optionally, the network-side device includes a first network device and a second network device;
the receiving the first information sent by the network side device includes:
receiving first information sent by second network equipment; the first information is sent by the first network device to the second network device.
Optionally, the second network device comprises at least one of:
visiting a public land mobile network (VPLMN);
the terminal selects the independent non-public network SNPN currently;
the independent non-public network SNPN that sends the certificate to the terminal.
Optionally, the first network device comprises at least one of:
a home network;
a home public land mobile network, HPLMN;
signing SNPN;
a certificate provider;
a certificate owner;
a subscription information owner;
a subscription information provider;
the certificate authority CA.
In this embodiment of the application, under the condition that the first information security check fails, if the terminal meets the first condition, the network side device may be used as a target network to perform the first operation, and compared with the prior art in which the first information is directly discarded, it can be ensured that after the first information is tampered, the terminal can correctly receive the information that the network side desires to obtain after performing the first operation, and ensure normal communication.
The embodiment of the application further provides a network side device, which comprises a processor and a communication interface, wherein the processor is used for counting tampered related behavior information of the NAS IE under the condition that the processor receives notification information of security check failure of the NAS IE, which is sent by a terminal; and executing a third operation according to the related behavior information. The embodiment of the network side device corresponds to the embodiment of the method of the network side device, and all implementation processes and implementation manners of the embodiment of the method can be applied to the embodiment of the network side device and can achieve the same technical effect.
Specifically, the embodiment of the application further provides a network side device. As shown in fig. 12, the network-side device 120 includes: antenna 121, rf device 122, and baseband device 123. The antenna 121 is connected to a radio frequency device 122. In the uplink direction, the rf device 122 receives information through the antenna 121 and sends the received information to the baseband device 123 for processing. In the downlink direction, the baseband device 123 processes information to be transmitted and transmits the information to the rf device 122, and the rf device 122 processes the received information and transmits the processed information through the antenna 121.
The above band processing means may be located in the baseband device 123, and the method performed by the network side device in the above embodiment may be implemented in the baseband device 123, where the baseband device 123 includes a processor 124 and a memory 125.
The baseband device 123 may include, for example, at least one baseband board, on which a plurality of chips are disposed, as shown in fig. 12, wherein one chip, for example, the processor 124, is connected to the memory 125 to call up the program in the memory 125 to perform the network device operation shown in the above method embodiment.
The baseband device 123 may further include a network interface 126 for exchanging information with the radio frequency device 122, for example, a Common Public Radio Interface (CPRI).
Specifically, the network side device of the embodiment of the present invention further includes: the instructions or programs stored in the memory 125 and capable of being executed on the processor 124, and the processor 124 calls the instructions or programs in the memory 125 to execute the methods executed by the modules shown in fig. 9, and achieve the same technical effects, which are not described herein for avoiding repetition.
The embodiments of the present application further provide a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or the instruction is executed by a processor, the program or the instruction implements each process of the above network information processing method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
Wherein, the processor is the processor in the terminal described in the above embodiment. The readable storage medium includes a computer readable storage medium, such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and so on.
The embodiment of the present application further provides a chip, where the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is configured to execute a program or an instruction to implement each process of the foregoing network information processing embodiment, and can achieve the same technical effect, and is not described here again to avoid repetition.
It should be understood that the chips mentioned in the embodiments of the present application may also be referred to as a system-on-chip, a system-on-chip or a system-on-chip, etc.
The embodiments of the present application further provide a computer program/program product, where the computer program/program product is stored in a non-volatile storage medium, and the program/program product is executed by at least one processor to implement each process of the foregoing network information processing embodiment, and the same technical effects can be achieved, and are not described herein again to avoid repetition.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrases "comprising a component of' 8230; \8230;" does not exclude the presence of another like element in a process, method, article, or apparatus that comprises the element. Further, it should be noted that the scope of the methods and apparatus of the embodiments of the present application is not limited to performing the functions in the order illustrated or discussed, but may include performing the functions in a substantially simultaneous manner or in a reverse order based on the functions involved, e.g., the methods described may be performed in an order different than that described, and various steps may be added, omitted, or combined. In addition, features described with reference to certain examples may be combined in other examples.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better implementation. Based on such understanding, the technical solutions of the present application or portions thereof that contribute to the prior art may be embodied in the form of a computer software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to execute the method according to the embodiments of the present application.
While the present embodiments have been described with reference to the accompanying drawings, it is to be understood that the present embodiments are not limited to those precise embodiments, which are intended to be illustrative rather than restrictive, and that various changes and modifications may be effected therein by one skilled in the art without departing from the scope of the appended claims.

Claims (48)

1. A network information processing method, comprising:
under the condition that the security check of the first information sent by the network side equipment fails, if the terminal meets a first condition, the network side equipment is identified as a target network, and a first operation is executed.
2. The method of claim 1, wherein the first information comprises at least one of:
updating the transparent container by the terminal parameter;
a roaming oriented SOR transparent container;
a payload container.
3. The method of claim 2, wherein the terminal parameter update transparent container comprises at least one of the following information:
route indication update data;
network slice selection auxiliary information NSSAI updating data configured by default;
network information that the terminal can use in case of a disaster.
4. The method of claim 2, wherein the roam-directed SOR transparent container includes at least one of:
a preferred public land mobile network PLMN/access technology combination list;
roaming-oriented SOR-CMCI for control information in connected mode.
5. The method of claim 1, wherein the first condition comprises at least one of:
the counting times of the first counter for the first information security check failure reach a first maximum value;
the terminal supports SOR-CMCI;
the terminal is configured with a first list, wherein the first list is a service list controlled by a user and free from being released due to SOR;
the first timer times out the timing of the longest time from the discovery of the failure of the security check to the execution of the first operation by the terminal;
the first timer time is 0;
the target service is ended;
the traffic of the target priority ends.
6. The method of claim 5, wherein the target traffic comprises at least one of:
emergency services;
conforming to a service designated 5 QI.
7. The method of claim 5, wherein the target priority traffic is high priority traffic;
the high priority traffic comprises at least one of:
services contained in the SOR-CMCI;
services contained in the first list.
8. The method according to claim 1 or 5, characterized in that the first condition is determined by the terminal implementation.
9. The method of claim 5, wherein the first maximum value is determined in a manner that includes at least one of:
determined according to a default value;
determining according to the third information;
the determination is effected by the terminal.
10. The method of claim 5, wherein the timing time of the first timer is determined in a manner comprising at least one of:
determined according to default values;
determining according to the second information;
the determination is performed by the terminal.
11. The method of claim 5, wherein the first timer is stopped when a third condition is satisfied;
the third condition includes at least one of:
the target service is ended;
the service of the target priority is ended;
releasing the network connection between the terminal and the network side equipment;
the terminal is shut down;
removing a Universal Subscriber Identity Module (USIM);
the first information security check is successful.
12. The method of claim 10, further comprising:
and receiving second information transmitted by the network side equipment through a non-access stratum (NAS) message or a Radio Resource Control (RRC) message.
13. The method of claim 10, further comprising:
and setting the timing time of the first timer under the condition that the terminal does not support SOR-CMCI or no SOR-CMCI is available in the terminal.
14. The method of claim 1, wherein the first operation comprises at least one of:
sending notification information of security check failure of non-access stratum NAS IE to the network side equipment;
releasing the network connection with the network side equipment;
applying an SOR process;
applying the SOR-CMCI procedure;
a first list is applied, which is a user-controlled list of services exempt from release due to SOR.
15. The method of claim 1, further comprising:
and under the condition that the terminal meets a second condition, canceling to identify the network side equipment as a target network, and executing a second operation.
16. The method of claim 15, wherein the second condition comprises at least one of:
the first counter is reset;
the safety check of the first information is successful;
the second timer times out;
the terminal is shut down;
and removing the universal subscriber identity card USIM.
17. The method according to claim 1 or 15, wherein the target network comprises at least one of:
network where information element IE security check is in error;
a low-priority network in the terminal network selection process;
a lowest priority network in the terminal network selection process;
a network in a second list, the second list being a list of PLMNs for which registration is terminated due to SOR;
a forbidden network;
temporarily disabled networks.
18. The method of claim 15, wherein the second operation comprises at least one of:
sending notification information of successful security check of NAS IE to the network side equipment;
deleting a second list, the second list being a list of PLMNs registration terminated due to SOR.
19. The method of claim 17, wherein, in the case that the target network includes a network in which an IE security check error occurs, canceling the identification of the network-side device as the target network comprises:
deleting the network side equipment from the information of the network with the IE security check error; or
The information of the network in which the IE security check occurred is deleted.
20. The method of claim 17, wherein, in a case that the target network includes a low-priority network in a network selection process of a terminal, canceling the identification of the network-side device as the target network comprises:
deleting the network side equipment from the information of the low-priority network; or
And deleting the network information with low priority.
21. The method according to claim 17, wherein, in a case that the target network includes a lowest priority network in a terminal network selection process, canceling the identification of the network-side device as the target network comprises:
deleting the network side equipment from the information of the lowest priority network; or alternatively
The network information of the lowest priority is deleted.
22. The method according to claim 17, wherein, in a case that the target network includes a forbidden network, canceling the identification of the network-side device as a target network comprises:
deleting the network side equipment from the forbidden network information; or
The prohibited network information is deleted.
23. The method of claim 17, wherein, in a case that the target network includes a temporarily prohibited network, canceling the identification of the network-side device as the target network comprises:
deleting the network side equipment from the information of the temporarily forbidden network; or
The information of the temporarily prohibited network is deleted.
24. The method according to claim 14 or 18, wherein the terminal sends the notification information to the network side device through a NAS message or an RRC message.
25. The method of claim 17, wherein the network selection process comprises at least one of:
a network selection process when the terminal is started;
a network selection process after network coverage is recovered from the non-network coverage;
a periodic network selection process in a public land mobile network (VPLMN);
selecting a network with a priority higher than that of the current network;
and (5) network selection process after releasing the link.
26. The method according to claim 17, wherein in the case that the lowest priority network comprises at least two network-side devices, the determination of the priorities of the at least two network-side devices comprises at least one of:
the determination is realized by the terminal;
determining according to a random order;
determined according to the chronological order identified as the lowest priority network.
27. The method of claim 1, further comprising:
receiving first information sent by the network side equipment;
and carrying out security check on the first information.
28. The method of claim 27, wherein said performing a security check on the first information comprises:
and carrying out security check on the first information in the network registration process or after the network registration is finished.
29. The method of claim 1, wherein the security check comprises at least one of:
checking a message authentication code MAC;
and (6) checking the integrity.
30. The method according to claim 27, wherein the receiving the first information sent by the network-side device includes:
and receiving first information transmitted by the network side equipment through NAS information or RRC information.
31. The method according to claim 12 or 24, wherein the NAS message comprises at least one of:
a message of a registration procedure;
a message of a de-registration process; a message in a service process;
a message of a master authentication and key agreement process;
a message identifying a process;
a message of a security mode control procedure;
message of NAS transmission process;
the terminal configures the information of the updating process;
5G mobility management state procedure messages;
a message informing of the process.
32. The method of claim 10, wherein the second information is carried by a terminal parameter update transparent container or an SOR transparent container.
33. The method of claim 27, wherein the network-side device comprises a first network device and a second network device;
the receiving the first information sent by the network side device includes:
receiving first information sent by second network equipment; the first information is sent by the first network device to the second network device.
34. The method of claim 33, wherein the second network device comprises at least one of:
visiting a public land mobile network (VPLMN);
the terminal selects the independent non-public network SNPN currently;
the independent non-public network SNPN that sends the certificate to the terminal.
35. The method of claim 33, wherein the first network device comprises at least one of:
a home network;
a home public land mobile network, HPLMN;
signing SNPN;
a certificate provider;
a certificate owner;
a subscription information owner;
a subscription information provider;
the certificate authority CA.
36. A network information processing method, comprising:
under the condition that network side equipment receives notification information of security check failure of NAS IE sent by a terminal, the network side equipment counts the tampered related behavior information of the NAS IE;
and executing a third operation according to the related behavior information.
37. The method of claim 36, wherein the tampered related behavior information of the NAS IE comprises at least one of:
the number of times of behavior of tampering of the NAS IE in the network side equipment;
frequency of occurrence of a tampered behavior of the NAS IE in the network side device;
a characteristic that a behavior that the NAS IE is tampered with occurs in the network side equipment;
the number of terminals where the behavior of tampering the NAS IE occurs in the network side equipment;
and the terminal generates a scene of behavior that the NAS IE is tampered in the network side equipment.
38. The method of claim 37, wherein the characterization of the behavior of the network side device in which the NAS IE was tampered with comprises: the terminal identity and/or the type of service performed by the terminal.
39. The method of claim 37, wherein the scenario in which the terminal performs the NAS IE tampering behavior in the network-side device includes:
tracking area TA information and/or slice information.
40. The method of claim 36, wherein the network-side device comprises a first network device and a second network device;
the third operation includes: a first process of the first network device and/or a second process of the second network device.
41. The method of claim 40, wherein the first processing comprises at least one of:
triggering the terminal to register;
triggering the terminal to register again;
triggering the terminal to perform cell reselection;
triggering a terminal to replace an access cell;
and triggering the terminal to select the network.
42. The method of claim 40, wherein the second processing comprises at least one of:
triggering an SOR process;
triggering an SOR-CMCI process;
triggering the terminal to delete the second network equipment from the PLMN controlled by the operator;
triggering the terminal to use the second network equipment as a forbidden PLMN;
and triggering the terminal to access other networks.
43. The method of claim 36, further comprising:
and receiving the notification information of the successful security check of the NAS IE sent by the terminal.
44. A network information processing apparatus characterized by comprising:
the first processing module is used for identifying the network side equipment as a target network and executing a first operation if the terminal meets a first condition under the condition that the first information security check sent by the network side equipment fails.
45. A network information processing apparatus characterized by comprising:
the first receiving module is used for counting the tampered related behavior information of the NAS IE under the condition of receiving the notification information of the security check failure of the NAS IE sent by the terminal;
and the second processing module is used for executing a third operation according to the relevant behavior information.
46. A terminal comprising a processor, a memory and a program or instructions stored on the memory and executable on the processor, the program or instructions when executed by the processor implementing the steps of the network information processing method according to any one of claims 1 to 35.
47. A network-side device comprising a processor, a memory, and a program or instructions stored on the memory and executable on the processor, wherein the program or instructions, when executed by the processor, implement the steps of the network information processing method according to any one of claims 36 to 43.
48. A readable storage medium, characterized in that the readable storage medium stores thereon a program or instructions which, when executed by a processor, implement the steps of the network information processing method according to any one of claims 1 to 43.
CN202110875656.8A 2021-07-30 2021-07-30 Network information processing method and device, terminal and network side equipment Pending CN115696340A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110875656.8A CN115696340A (en) 2021-07-30 2021-07-30 Network information processing method and device, terminal and network side equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110875656.8A CN115696340A (en) 2021-07-30 2021-07-30 Network information processing method and device, terminal and network side equipment

Publications (1)

Publication Number Publication Date
CN115696340A true CN115696340A (en) 2023-02-03

Family

ID=85059806

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110875656.8A Pending CN115696340A (en) 2021-07-30 2021-07-30 Network information processing method and device, terminal and network side equipment

Country Status (1)

Country Link
CN (1) CN115696340A (en)

Similar Documents

Publication Publication Date Title
TWI705721B (en) Method and apparatus of maintaining forbidden tracking area list
CN114423064B (en) Communication method, access network equipment and communication device
US11197267B2 (en) Communication method, access network device, and terminal
US20120178449A1 (en) Apparatuses and methods for handling mobility management (mm) back-offs
CN113940106A (en) Method and system for processing closed access group related procedures
DE102011054071B4 (en) Devices and Methods for Coordinating Circuit Switched (CS) Services in Packet Transfer Mode (PTM)
EP3163927B1 (en) Handling authentication failures in wireless communication systems
EP2822327B1 (en) Core network access control method und network device
CN108617033B (en) Communication method, terminal and access network equipment
CN108293259B (en) NAS message processing and cell list updating method and equipment
EP3525520B1 (en) Method and terminal for network switching
US10869351B2 (en) Methods and user equipment for recovering from issues of connectivity between a PLMN and a UE
US20170295523A1 (en) Handover method between heterogeneous wireless communication techniques and device for same
CN113411913B (en) Communication method and terminal equipment
US20230199633A1 (en) Network selection method, information sending method, information obtaining method, and apparatus
CN114339814A (en) Relay communication information configuration method and device and electronic equipment
CN115696340A (en) Network information processing method and device, terminal and network side equipment
CN116438867A (en) Periodic registration update procedure for non-allowed service areas
CN115209492A (en) Communication processing method, device and related equipment
EP3174331A1 (en) Method and device for initiating mobility management process
US20230345340A1 (en) Network-changing method and apparatus, and terminal
US20240381288A1 (en) Disaster roaming control method and apparatus, terminal, and network side device
CN115250510B (en) Method, device, terminal and network equipment for selecting network
WO2024037512A1 (en) Network access methods and apparatuses, terminal and communication device
CN115209449A (en) Processing method, sending method, related equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination