
WO2011023097A1 - Method, apparatus and system for access control - Google Patents


Info

Publication number: WO2011023097A1
Application number: PCT/CN2010/076290
Authority: WO, WIPO (PCT)
Prior art keywords: access, user equipment, group, network element, server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Ceased
Other languages: French (fr), Chinese (zh)
Inventors: 孙晓姬, 吴问付, 周汉, 陈中平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 48/00 Access restriction; Network selection; Access point selection > H04W 48/02 Access restriction performed under specific conditions
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security > H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security > H04W 12/086 Access security using security domains
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/10 Integrity > H04W 12/108 Source integrity

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method, an apparatus, and a system for access control.
  • Background technique
  • MTC: Machine Type Communications
  • M2M: Machine to Machine
  • UE: User Equipment
  • M2ME: the user equipment in an M2M system
  • Multiple M2MEs are integrated into one group.
  • The network operator or the industry user can then manage or control the group as a whole.
  • Group IDs are used to identify and distinguish different groups.
  • Network operators and industry users can manage access control at the group level.
  • FIG. 1 shows an existing network architecture, including a mobility management network element 101, a server 102, and an access network 103. The mobility management network element 101 handles Non-Access Stratum (NAS) signaling and NAS signaling encryption, roaming, tracking, assignment of temporary user identities, security functions, and so on; the server 102 stores the subscription data or information of the UE or of the group.
  • The access network 103 receives the access request of the UE and helps the UE complete access to the network.
  • The subscription data of the UE is the subscription data of each UE as an individual; the subscription data of the group is the data or subscription data common to every UE in the group.
  • NAS: Non-Access Stratum
  • The inventors found that when an illegal UE maliciously attacks the network side, or attacks the network through a malicious access point name (Access Point Name, APN), the network side cannot effectively stop the illegal UE from continuing to attack other network entities. The network side also does not investigate why the UE became illegal, so more and more illegal terminals keep appearing, which poses a great threat to network security and seriously degrades the experience of other normal users.
  • Summary of the invention
  • The technical problem to be solved by the embodiments of the present invention is to provide a method, a device and a system for access control that can control the access of an illegal UE to the network.
  • The method embodiment of access control provided by the present invention can be implemented by the following technical solutions.
  • An embodiment of the present invention further provides a mobility management network element or an access network element, including: a request receiving unit, configured to receive an access request;
  • an access right information acquiring unit, configured to acquire the access right information of the user equipment, or of the group to which the user equipment belongs, or of the access point name;
  • an access operation unit, configured to perform the access operation if the access right information meets the condition for allowing access, and otherwise to refuse the access operation;
  • an illegal determining unit, configured to determine that the user equipment, or the group in which the user equipment is located, or the access point name is illegal if the access right information does not meet the condition for allowing access;
  • an illegal information sending unit, configured to send to the server the information that the user equipment, or the group in which the user equipment is located, or the access point name is illegal.
  • An embodiment of the invention further provides a server, including:
  • an illegal information receiving unit, configured to receive, from the mobility management network element or the access network element, the information that the user equipment, or the group in which the user equipment is located, or the access point name is illegal;
  • a troubleshooting unit, configured to check the cause of the abnormality of the illegal user equipment, group, or access point name;
  • a modifying unit, configured to modify the corresponding parameter according to the cause of the abnormality so that the user equipment, the group, or the access point name becomes legal again.
  • An embodiment of the present invention further provides an access control system, including:
  • a mobility management network element or an access network element, for receiving an access request; obtaining the access right information of the user equipment, or of the group to which the user equipment belongs, or of the access point name; performing the access operation if the access right information meets the condition for allowing access; and, if the access right information does not meet the condition for allowing access, refusing the access operation, determining that the user equipment, or the group of the user equipment, or the access point name is illegal, and sending the information that it is illegal to the server;
  • a server, configured to receive the information that the user equipment, or the group in which the user equipment is located, or the access point name is illegal.
  • In this way the network side determines the access right information of the user equipment that sends the access request, or of the group or access point name to which it belongs, allows access only to user equipment that meets the condition for allowing access, and sends the information that the user equipment, group, or access point name is illegal to the server. This limits the access of the UE and further prevents the UE from carrying out malicious attacks on the network side, improving the quality of service of the network.
  • FIG. 1 is a schematic diagram of a prior art network architecture.
  • FIG. 2 is a schematic flowchart of a method embodiment according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of Embodiment 2 of a method according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of Embodiment 3 of a method according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a mobility management network element according to Embodiment 4 of the present invention.
  • FIG. 6 is a schematic structural diagram of a mobility management network element according to Embodiment 4 of the present invention.
  • FIG. 7 is a schematic structural diagram of a server according to Embodiment 5 of the present invention.
  • FIG. 8 is a schematic structural diagram of a server according to Embodiment 5 of the present invention.
  • FIG. 9 is a schematic structural diagram of an access control system according to Embodiment 6 of the present invention.
  • The first embodiment of the present invention provides a method for access control.
  • The execution entity of the technical solution in this embodiment may be a mobility management network element or an access network element. The following steps can be included:
  • Step 201: Receive an access request.
  • Step 202: Obtain the access right information of the user equipment, or of the group to which the user equipment belongs, or of the access point name.
  • The foregoing access right information includes at least one of: the number of accesses per unit time of the user equipment or of the group in which the user equipment is located; the total number of accesses of the user equipment or of that group (which may be the total number of accesses on a certain network device, such as the mobility management network element or the access network element); the number of accesses per unit time under a certain APN; or the total number of accesses to an APN.
  • The process of obtaining the access right information may include performing the statistics itself, or obtaining the statistics from the server.
  • The foregoing access right information may also be other information; this is not limited by the embodiment of the present invention and does not affect its implementation.
  • Step 203: If the access right information meets the condition for allowing access, perform the access operation; otherwise refuse to perform the access operation, and determine that the user equipment, or the group of the user equipment, or the access point name is illegal.
  • The condition for allowing access is the traffic model of the user equipment, of the group in which the user equipment is located, or of the APN.
  • The traffic model specifically includes at least one of: the number of accesses per unit time of the user equipment or of the group in which it is located that the network side allows; the total number of accesses of the user equipment or group that the network side allows (which may be the total number of accesses on a certain network device, such as the mobility management network element or the access network element); the number of accesses per unit time under an APN that the network side allows; or the total number of accesses to an APN that the network side allows.
  • Step 204: Send the information that the user equipment, or the group in which the user equipment is located, or the access point name is illegal to the server.
  • When there is a subsequent access request from the UE, from a UE in the group, or under the APN, the server sends the information that the UE, group, or access point name is illegal to the corresponding mobility management network element or access network element, i.e. the current one, or the new one to which the UE has moved, so that that element can reject the access request of the user equipment, or of the group to which it belongs, or of the access point name on the basis of the illegal information.
  • The information that the user equipment, or the group in which the user equipment is located, or the APN is illegal may also be saved locally and used to control the access requests of that user equipment, group, or APN.
  • In this embodiment, the mobility management network element or the access network element determines the access right of the user equipment that sends the access request, and allows only the access requests of the user equipment, intra-group UE, or APN that meet the condition for allowing access. This restricts the access of the UE, of the group to which the UE belongs, or under the APN. By notifying the server of the illegal information of the user equipment, group, or access point name, a mobility management network element or access network element that later receives an access request from that user equipment, group, or access point name can obtain the illegal information and reject the request. This further prevents the UE, the group, or the APN from carrying out malicious attacks on the network side, improves the service quality of the network, and improves the reliability of the network devices. In addition, network congestion is reduced because UE access is restricted.
  • Where the server includes a first server and a second server, the method includes: after the first server (for example, the HSS) receives the information that the user equipment, or the group of the user equipment, or the access point name is illegal, the first server sends a message to notify the second server (for example, the MTC Server). The message carries the UE identifier (or the group identifier or the APN) and indication information indicating that the UE (or the group or the APN) is illegal; the indication information may be a specific message type or a specific cause value, and is used to notify the second server that the UE, group, or APN is illegal.
  • The name of the message is not limited.
  • The second server may query, according to the illegal UE, group, or APN, the information related to that UE, group, or APN that is stored in the first server or the second server, where the information is that which affects the access right of the UE, group, or APN.
  • This information includes, but is not limited to, the time point at which the UE, group, or APN is allowed to access, the total number of UEs allowed to access within the group, or the time point at which the service is allowed to occur.
  • The cause of the abnormality of the UE or group is found from this information (for example, the total number of UEs allowed in the group is too large, or the time point required by the service is too busy), and the second server modifies the corresponding parameters according to the cause so that the UE, group, or APN becomes legal (for example, by reducing the number of UEs in the group or spreading the service time points to achieve distributed access control), and sends a message to notify the first server that the UE, group, or APN is restored.
  • The foregoing message carries the UE identifier (or group identifier or APN) and indication information indicating that the UE (or group or APN) is legal (the indication information may be a specific message type or a specific cause value).
  • When the mobility management network element subsequently obtains the information of the UE, group, or APN from the first server, the illegal information of the UE or group is no longer found.
  • Even if the access right information does not meet the condition for allowing access, when the access request is a location update request and the source mobility management network element, the user equipment, or the access network element indicates that the location update request is used for load redistribution, the access request is allowed.
  • The load redistribution (Load Rebalancing) process ensures that the UE or the intra-group UE can register with another mobility management network element to continue the corresponding service. Therefore, when an access request initiated by the UE or the intra-group UE because of Load Rebalancing is not within the scope of the traffic model allowed by the network side, the network side may still accept that access request.
  • The mobility management network element in the embodiment of the present invention may be explained as follows:
  • in an Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the mobility management network element may be a Mobility Management Entity (MME);
  • MME: Mobility Management Entity
  • in a Universal Terrestrial Radio Access Network (UTRAN) / GSM/EDGE Radio Access Network (GERAN), the mobility management network element may be a Serving General Packet Radio Service Support Node (SGSN);
  • in a Third Generation Partnership Project (3GPP) network, the mobility management network element may be an Access Gateway (AGW);
  • in a Wireless Local Area Network (WLAN), the mobility management network element is the mobility management logic function in the Evolved Packet Data Gateway (ePDG); in a Worldwide Interoperability for Microwave Access (WiMAX) network, the mobility management network element may be an Access Serving Node Gateway (ASN GW); in a Code Division Multiple Access (CDMA) network, the mobility management network element may be the mobility management logic function in the High Rate Packet Data Access Network (HRPD AN).
  • ePDG: Evolved Packet Data Gateway
  • ASN GW: Access Serving Node Gateway
  • CDMA: Code Division Multiple Access
  • HRPD AN: High Rate Packet Data Access Network
  • The access network element in the embodiment of the present invention may be explained as follows:
  • in an E-UTRAN network, the access network element may be an evolved NodeB (eNodeB) or a Home eNodeB (HeNB);
  • in a UTRAN/GERAN network, the access network element may be a Radio Network Controller (RNC) or a Base Station Controller (BSC); in a non-3GPP network, the access network element of a WLAN network may be the access network logic function in the ePDG;
  • in a WiMAX network, the access network element is the ASN base station (ASN BS);
  • ASN BS: ASN Base Station
  • in a CDMA network, the access network element may be the access network logic in the HRPD AN.
  • The server in the present invention can store the subscription data or information related to the UE or to the group.
  • The subscription data or information of the UE is that of each UE as an individual; the subscription data or information of the group is that common to every UE in the group. The server may be a Home Subscriber Server (HSS) or an application server, such as a Machine Type Communications server (MTC Server).
  • HSS: Home Subscriber Server
  • MTC Server: Machine Type Communications server
  • The server is described below by taking the HSS or the MTC Server as an example. It can be understood that the server may also be another of a plurality of types of application server; the examples are not to be construed as limiting the embodiments of the present invention.
  • The embodiment of the present invention is further described by taking the mobility management network element obtaining the access right information of the user equipment as an example.
  • The first server and the second server may both be servers that store the user subscription data, and the second server may also be the server that checks the illegal APN, illegal user, or illegal group.
  • The functions of the first server and the second server can also be combined. If the functions are unified, the messages between the first server and the second server become message interaction within one device. In this embodiment, the first or second server saves
  • The traffic model of the UE or of the group is a model of how the UE or the intra-group UEs initiate the access procedure to access the network, for example the number of accesses per unit time allowed by the network side, or the total number of accesses allowed on a certain device.
  • The access procedure in the present invention includes, but is not limited to, the following: an attach procedure; a location update procedure, such as a Routing Area Update (RAU), a Location Area Update (LAU), or a Tracking Area Update (TAU); PDN connection establishment; PDP activation; or a Service Request procedure.
  • The mobility management network element obtains the traffic model from the first server or the second server, and accepts or rejects the access request of the UE according to the traffic model.
  • The first or second server stores the traffic model of the UE or of the group, and may be an HSS or an MTC Server. As shown in FIG. 3, the following steps may be included:
  • Step 301: The UE initiates an access request to the access network element.
  • The UE carries an indication in a Radio Resource Control (RRC) layer message to inform the access network element that the UE is performing Load Rebalancing.
  • RRC: Radio Resource Control
  • The mobility management network element with which the UE or the intra-group UE is registered (i.e. the source mobility management network element) instructs the UE or the intra-group UE to perform a location update procedure in order to complete the Load Rebalancing of the source mobility management network element.
  • The UE or the intra-group UE initiates the location update procedure, and the access network element selects for it a target mobility management network element different from the source mobility management network element, thereby completing Load Rebalancing (i.e. load redistribution).
  • Step 302: The access network element sends an access request to the mobility management network element.
  • The access network element carries indication information indicating that the UE is performing the access procedure for the load rebalancing of the mobility management network element. The indication information may be a Load Rebalancing Indication, and may be sent to the mobility management network element as a separate information element or in the reserved bits of another information element.
  • Step 303: The mobility management network element acquires the subscription data of the UE or of the group from the first or second server (which may be an HSS or an MTC Server; the HSS or MTC Server is used as the example here).
  • The first or second server sends the traffic model of the UE or of the group to the mobility management network element.
  • The traffic model can also be statically configured in the mobility management network element, for example by configuring the number of accesses allowed per unit time for a certain UE, the number of accesses allowed per unit time for a certain group, or the number of accesses to the mobility management network element allowed per unit time.
  • Step 304: The mobility management network element collects the access situation of the UE or of the group, for example by counting the number of accesses of the UE or group in the unit time, or the total number of accesses to the mobility management network element, and determines whether the access of the UE or group exceeds the range allowed by the traffic model. If the number of accesses is within the range allowed by the traffic model, the mobility management network element may accept the access request of the UE or of the intra-group UE; otherwise the access request of the UE or the intra-group UE is rejected, which is done in step 306. Step 306 has no sequential relationship with steps 304 and 305.
  • If the UE is illegal, the mobility management network element sends a message to notify the first server that the UE is an illegal UE; the message carries the UE identifier and indication information that the UE is illegal, and the indication information may be a specific message type or a specific cause value.
  • The first server then provides the indication information that the UE is illegal to the mobility management network elements, which prevents the illegal UE from accessing through other mobility management network elements.
  • For a group, the mobility management network element counts the access situation of the UEs that belong to the same group identifier (for example, the number of accesses of the UEs in the group within the unit time, or the total number of accesses to the mobility management network element by the UEs in the group).
  • The mobility management network element obtains the group identifier to which the UE belongs, either because the UE carries the group identifier, or by acquiring the subscription data of the UE from the first or second server.
  • If the group is illegal, the mobility management network element sends a message to notify the first server that the group is illegal; the message carries the group identifier and indication information that the group is illegal.
  • The indication information may be a specific message type or a specific cause value.
  • Step 305: The first server sends a message to notify the second server; the message carries the UE identifier (or group identifier) and indication information indicating that the UE (or group) is illegal, and the indication information may be a specific message type or a specific cause value.
  • This message is used by the first server to notify the second server that the UE or the group is illegal.
  • The present invention does not limit the name of the message.
  • The second server may query, according to the illegal UE or group, the information related to the UE or group that is saved in the first server or the second server, where the information is that which affects the access situation of the UE or group.
  • The information includes, but is not limited to, the time point at which the UE or group is allowed to access, the total number of UEs that are allowed to access within the group, or the time point at which the service is allowed to occur.
  • The cause of the abnormality of the UE or group is found from this information (for example, the total number of UEs allowed in the group is too large, or the time point required by the service is too busy), and the second server modifies the parameters responsible for the abnormality so that the UE or group becomes legal, and sends a message to notify the first server that the UE or group is normal again.
  • The message carries the UE identifier (or group identifier) and indication information indicating that the UE (or group) is legal.
  • The indication information may be a specific message type or a specific cause value.
  • Step 306: If the access request of the UE or of the group is not within the traffic model, the mobility management network element rejects the access request, and the rejection message carries indication information indicating that the access request of the UE (or group) does not conform to the traffic model; this may be a specific cause value, such as "illegal access request", or a specific indication, such as an illegal indication.
  • Otherwise the mobility management network element accepts the access request of the UE or the intra-group UE. Steps 305 and 306 have no sequential relationship.
  • If the UE or the intra-group UE is performing the access procedure for the load rebalancing of the mobility management network element, the mobility management network element may, according to the indication information sent by the access network element in step 302 indicating that the UE or intra-group UE is performing Load Rebalancing, still accept the request of the UE or intra-group UE even though its access is not within the traffic model.
  • The indication information that the UE or the intra-group UE is performing the access procedure for Load Rebalancing may also be carried by the UE or intra-group UE to the mobility management network element in a NAS message, or the new mobility management network element may learn from the source mobility management network element, in the Context Response, that the procedure is being performed by the UE or intra-group UE for Load Rebalancing.
  • The foregoing NAS message includes, but is not limited to, an Attach Request, a LAU Request, a TAU Request, or a RAU Request message.
  • In this embodiment, the network side determines the access right of the user equipment that requests access and allows only user equipment that meets the condition for allowing access, so the access of the UE is restricted, the UE is further prevented from maliciously attacking the network side, the service quality of the network is improved, and the reliability of the network equipment is improved. In addition, network congestion is reduced because UE access is restricted.
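The traffic-model check of steps 201 to 204 and 301 to 306 above, as an added Python example that is not part of the patent or of any Huawei implementation. All class names, the TrafficModel fields, the sample identifiers and the time values are constructed for illustration; the HSS and the MTC Server are represented by a stand-in object. A toy mobility management element counts accesses per UE, per group and per APN against a per-entity traffic model, rejects and reports offenders to the first server, honours the Load Rebalancing indication, and rejects an entity that has already been reported as illegal, which is what lets a different element reject the same UE after it moves.

```python
"""Added example (not from the patent): traffic-model based access control.

A MobilityManager (stand-in for an MME/SGSN) counts accesses of a UE, of the
group it belongs to and of the APN it requests, compares them with a
TrafficModel obtained from a SubscriberServer (stand-in for the first server,
e.g. an HSS), and reports entities that exceed the model as illegal.  All
identifiers and limits below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[str, str]  # ("ue" | "group" | "apn", identifier)


@dataclass(frozen=True)
class TrafficModel:
    max_per_window: int  # accesses allowed per unit time (one window)
    window: float        # length of the unit time, in seconds
    max_total: int       # total accesses allowed on this network element


@dataclass(frozen=True)
class AccessRequest:
    ue_id: str
    group_id: Optional[str] = None
    apn: Optional[str] = None
    load_rebalancing: bool = False  # Load Rebalancing Indication from the access network


class SubscriberServer:
    """Stand-in for the first server (HSS): stores traffic models and the set of
    UEs / groups / APNs that some network element has reported as illegal."""

    def __init__(self, models: Dict[Key, TrafficModel]):
        self.models = models
        self.illegal: set = set()
        self.forwarded = []  # notifications that would go to the second server (MTC Server)

    def traffic_model(self, key: Key) -> Optional[TrafficModel]:
        return self.models.get(key)

    def report_illegal(self, key: Key, cause: str) -> None:
        # Steps 204/305: remember the illegal entity and notify the second server.
        self.illegal.add(key)
        self.forwarded.append((key, cause))

    def restore(self, key: Key) -> None:
        # The second server fixed the cause (e.g. shrank the group) and reports it legal again.
        self.illegal.discard(key)


class MobilityManager:
    """Stand-in for the mobility management network element."""

    def __init__(self, server: SubscriberServer):
        self.server = server
        self.recent = defaultdict(deque)  # key -> access timestamps inside the current window
        self.total = defaultdict(int)     # key -> total accesses seen on this element

    @staticmethod
    def keys(req: AccessRequest):
        keys = [("ue", req.ue_id)]
        if req.group_id:
            keys.append(("group", req.group_id))
        if req.apn:
            keys.append(("apn", req.apn))
        return keys

    def handle(self, req: AccessRequest, now: float) -> Tuple[bool, str]:
        keys = self.keys(req)
        # An entity already reported illegal is rejected without re-counting, so a
        # different element the UE moved to rejects it as well (step 204).
        for key in keys:
            if key in self.server.illegal:
                return False, f"{key[0]} {key[1]} previously determined illegal"
        for key in keys:
            model = self.server.traffic_model(key)
            if model is None:
                continue  # no traffic model for this entity: nothing to enforce
            window = self.recent[key]
            while window and now - window[0] >= model.window:
                window.popleft()  # forget accesses that fell out of the unit time
            over_rate = len(window) + 1 > model.max_per_window
            over_total = self.total[key] + 1 > model.max_total
            if over_rate or over_total:
                if req.load_rebalancing:
                    continue  # Load Rebalancing access is accepted even outside the model
                self.server.report_illegal(key, "access outside traffic model")
                return False, "illegal access request"
        for key in keys:  # step 304: account for the accepted access
            self.recent[key].append(now)
            self.total[key] += 1
        return True, "accepted"


if __name__ == "__main__":
    hss = SubscriberServer({("ue", "ue-1"): TrafficModel(2, 10.0, 100)})
    mme = MobilityManager(hss)
    for t in (0.0, 1.0, 2.0):
        print(t, mme.handle(AccessRequest("ue-1", group_id="grp-1"), t))
```

Because the illegal set lives on the server rather than in the counting element, the second server's remediation is modelled by `restore`: once it is called, the same UE is counted afresh against its traffic model, matching the "restored" message of the description. A group key is checked the same way as a UE key, so one member exhausting the group's model causes the whole group to be reported.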
  • The embodiment of the present invention is further described by taking the access information of a certain APN as an example.
  • The traffic model of an APN is stored in the HSS or the MTC Server, or the mobility management network element statically configures the traffic model under the APN, for example the number of accesses allowed under the APN per unit time, or the total number of accesses to the APN allowed on a device.
  • The mobility management network element collects the access situation of the APN, for example the number of accesses under the APN in the unit time, or the total number of accesses to the APN on the mobility management network element.
  • According to the access situation and the traffic model of the APN, the mobility management network element accepts or rejects the access request for the APN. As shown in FIG. 4, the following steps are included:
  • Step 401: The UE initiates an access request to the access network element.
  • The UE carries an indication in a Radio Resource Control (RRC) layer message to inform the access network element that the UE is performing Load Rebalancing; the access request also needs to carry the APN, which indicates the APN that the UE wishes to access.
  • RRC: Radio Resource Control
  • The mobility management network element with which the UE or the intra-group UE is registered (i.e. the source mobility management network element) instructs the UE or the intra-group UE to perform a location update procedure in order to complete the Load Rebalancing of the source mobility management network element.
  • The UE or the intra-group UE initiates the location update procedure, and the access network element selects for it a target mobility management network element different from the source mobility management network element, thereby completing Load Rebalancing (i.e. load redistribution).
  • The load redistribution process ensures that the UE or the intra-group UE can register with another mobility management network element to continue the corresponding service. Therefore, when an access request initiated by the UE or the intra-group UE because of Load Rebalancing is not within the range of the traffic model allowed by the network side, the network side can still accept that access request.
  • Step 402: The access network element sends an access request to the mobility management network element.
  • The access network element carries indication information indicating that the UE is performing the access procedure for the load rebalancing of the mobility management network element. The indication information may be a Load Rebalancing Indication, and may be sent to the mobility management network element as a separate information element or in the reserved bits of another information element.
  • Step 403: The mobility management network element obtains the subscription data of the UE or of the group from the first server, which may be an HSS or an MTC Server.
  • The HSS or the MTC Server is used as the example of dynamically configuring the APN traffic model.
  • The mobility management network element collects the access situation under the APN, such as the number of accesses under the APN in the unit time, or the total number of accesses to the APN on the mobility management network element, and the access situation.
  • the APN traffic model accepts or rejects the access request in the APN.
  • the step 406 and the step 404 and the step 405 have no sequential relationship.
  • Step 404 If the access of the U to an APN is within the scope of the access allowed by the traffic model, the mobility management network element allows the access request for the APN, optionally, the mobility management network element is carried. Notifying the first server of the indication information indicating that the APN is illegal, and the indication value such as the age value or the illegal indication may indicate that the APN is illegal. The next time the UE accesses the other mobility management network element, the first server notifies the mobility management network element of the indication information that the APN is a malicious APN, and prevents the user from being illegal in the other mobility management network element by using the APN. Access
  • Step 405 the first server sends a message to notify the second server, where the message carries the APN and the indication information indicating that the APN is illegal, and the indication information may be a specific message type or a specific cause value, etc.
  • Both a server and a second server can be used to store a server for subscriber subscription data, and the second server can also be used to check for a malicious APN or an illegal user or an illegal group of illegal servers.
  • the first server and the second server can also be functionally combined. If the functions are unified, the message between the first server and the second server belongs to the message interaction in the device. The foregoing message is used by the first server to notify the second server that the APN is illegal.
  • the present invention does not limit the name of the message.
  • the second server can query the first service according to the illegal APN.
  • Corresponding information related to the APN saved in the second server where the information refers to the information that affects the access situation of the APN, including but not limited to the corresponding time point for allowing the APN to access. Or the total number of UEs that are allowed to access the APN, or information such as the time point at which the service is allowed to occur.
  • the reason for the abnormality of the APN is found by the above information (for example, the total number of UEs that are allowed to access the APN is excessive, the time required for the service is too busy, etc.), and the second server is abnormal according to the access.
  • the reason value is modified to make the APN legal, and the message is sent to notify the first server that the APN is normal.
  • the message carries the APN and the indication information indicating that the APN is legal.
  • the indication information may be a specific message type or a specific cause value.
  • Step 406 If the access request under the APN is not in the traffic model, the mobility management network element rejects the access request in the APN, and the indication message carries the indication information to indicate that the access request of the APN is not in compliance with the traffic request.
  • the indication information of the model, the foregoing indication information may be a specific cause value illegal access request (or illegal access request), or a specific indication ⁇ illegal indication (inversely, the mobility management network element accepts the UE or the intra-group UE or Access request under APN. Steps 405 and 406 have no sequence.
  • the mobility management network element may access according to step 402.
  • the indication information of the access procedure carried by the network element indicating that the UE or the intra-group UE is performing Load Rebalancing for the mobility management network element, although the UE or the intra-group UE access is not within the range allowed by the traffic model, the network The side can still accept requests from UEs or UEs within the group.
  • the mobility management network element may be informed that the indication information indicating that the UE or the intra-group UE is performing the access re-flow for the mobility management network element may also be brought by the UE4 to the mobility management network element or the new mobile through the NAS message.
  • the sex management network element obtains, from the source side mobility management network element, the indication information indicating the access procedure that the UE is performing for the Load Rebalancing of the mobility management network element in the context response (Context Response).
  • Context Response Context Response
  • the foregoing NAS message includes but is not limited to an attach request (Attach Request), a LAU Request, a TAU Request, or a RAU Request.
  • the network side determines the access right of the user equipment that requests the access, and the user equipment that is in compliance with the access condition is allowed to access, and the access of the UE is restricted, thereby further preventing the UE from maliciously attacking the network side. Improve the service quality of the network and improve the reliability of network equipment. In addition Network congestion can also be reduced due to restrictions on access under the UE or group or APN.
  • The embodiment of the present invention further provides a mobility management network element, where the mobility management network element may also be an access network element, including:
  • a request receiving unit 501, configured to receive an access request;
  • an access right information acquiring unit 502, configured to acquire the access right information of the user equipment, or of the group to which the user equipment belongs, or of the APN;
  • an access operation unit 503, configured to perform the access operation if the access request of the UE, or of the intra-group UE, or under the APN meets the conditions for allowing access, and otherwise to refuse the access operation;
  • an illegal determining unit 504, configured to determine that the user equipment, or the group in which the user equipment is located, or the APN is illegal if the foregoing access request does not meet the conditions for allowing access;
  • an illegal information sending unit 505, configured to send information that the user equipment, or the group in which the user equipment is located, or an access point name is illegal to the server.
  • When the access request is a location update request, the mobility management network element may further include: a load redistribution unit 601, configured to perform the access operation when the location update request is used for load redistribution from the source-side mobility management network element, the user equipment or the access network element.
  • The access right information acquiring unit 502 is specifically configured to collect the access situation of the user equipment, or of the group where the user equipment is located, or of the APN itself, or to obtain the server's statistical result from the server.
  • The access situation of the user equipment of the access request, or of the group in which the user equipment is located, or of the APN is determined, and only the user equipment, or group, or APN that meets the conditions is allowed to access. This further prevents the UE, or the group, or a UE using an illegal APN from maliciously attacking the network side, improves the service quality of the network and improves the reliability of network devices. Network congestion can also be reduced because UE access, group access or access under the APN is restricted.
  • Embodiment 5: As shown in FIG. 7, the embodiment of the present invention further provides a server, including: an illegal information receiving unit 701, configured to receive information, sent by a mobility management network element or an access network element, that a user equipment, or the group where the user equipment is located, or an access point name is illegal;
  • a checking unit 702, configured for the server to check the reason why the illegal user equipment, or the group where the user equipment is located, or the access point name is abnormal;
  • a modifying unit 703, configured to modify the corresponding parameters according to the reason for the abnormality so that the group where the user equipment is located or the access point name becomes legal.
  • The foregoing server may further include:
  • an access right information statistics unit 801, configured to collect the access right information of a user equipment, or of the group where the user equipment is located, or of an access point name;
  • an access right query request receiving unit 802, configured to receive a request for querying the access right information of the user equipment, or of the group where the user equipment is located, or of the access point name;
  • a querying unit 803, configured to query, from the collected access right information, the access right information of the user equipment, or of the group where the user equipment is located, or of the access point name requested by the query request;
  • an access right information sending unit 804, configured to send the queried access right information.
  • The embodiment of the present invention further provides an access control system, including: a mobility management network element or access network element 901, configured to receive an access request; obtain the access right information of the user equipment of the access request, or of the group to which the user equipment belongs, or of the access point name; perform the access operation if the access right information meets the conditions for allowing access; if the access right information does not meet the conditions for allowing access, refuse the access operation and determine that the user equipment, or the group where the user equipment is located, or the access point name is illegal; and send the information that the user equipment, or the group where the user equipment is located, or an access point name is illegal to the server;
  • a server 902, configured to receive the information that the user equipment, or the group where the user equipment is located, or the access point name is illegal. If the user equipment, or the group where the user equipment is located, or the access point name is illegal, subsequent access by the illegal UE, or by the group, or by a UE under the illegal APN is rejected.
  • The mobility management network element or access network element 901 obtaining the access right information of the user equipment of the access request, or of the group to which the user equipment belongs, or of the access point name includes: collecting the access situation of the user equipment of the access request, or of the group to which the user equipment belongs, or of the access point name itself; or the server 902 is further configured to collect the access situation of the user equipment, or of the group, or of the access point name, and send the statistical result to the mobility management network element or access network element 901.
  • The server 902 is further configured to: check the reason why the illegal user equipment, or the group where the user equipment is located, or the access point name is abnormal; modify the corresponding parameters according to the reason for the abnormality so that the user equipment, or the group, or the access point name becomes legal; and send the information that the group where the user equipment is located or the access point name is legal to the mobility management network element or access network element 901.
  • When the foregoing received access request is a location update request, the mobility management network element 901 is further configured to perform the access operation when the location update request is used for load redistribution from the source-side mobility management network element, the user equipment or the access network element.
  • The access right of the user equipment of the access request, or of the group where the user equipment is located, or of the APN is determined, and only user equipment that meets the conditions for allowing access is allowed to access, thereby restricting access by the UE, or by the group, or under the APN. This further prevents the UE from maliciously attacking the network side, improves the service quality of the network and improves the reliability of network devices. Network congestion can also be reduced because UE access, group access or access under the APN is restricted.
  • The related hardware can be instructed by a program, and the program can be stored in a computer readable storage medium; the storage medium can be a read-only memory, a magnetic disk or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, apparatus and system for access control are provided by the embodiment of the present invention. The method includes the following steps: receiving an access request; obtaining access right information of the UE, or of the cluster to which the UE belongs, or of the APN in the access request; performing the access operation if the access right information accords with the condition for allowing access; refusing to perform the access operation if the access right information does not accord with the condition for allowing access, and determining that the UE, or the cluster to which the UE belongs, or some APN is illegal; and transmitting the information that the UE, or the cluster to which the UE belongs, or some APN is illegal to a server. The network side judges the access right information of the UE, or of the cluster to which the UE belongs, or of the APN, allows the UE to access if it accords with the condition for allowing access, and transmits the information that the UE, or the cluster to which the UE belongs, or some APN is illegal to the server. In this way the purpose of limiting the access of the UE is achieved, malicious attacks from the UE on the network side are further prevented, and the service quality of the network is improved.

Description

Method, device and system for access control

This application claims priority to Chinese Patent Application No. 200910167128.6, entitled "A Method, Apparatus and System for Access Control", filed with the Chinese Patent Office on August 24, 2009, the entire contents of which are incorporated herein by reference.

Technical Field

The present invention relates to the field of communications technologies, and in particular to a method, an apparatus and a system for access control.

Background

With the popularity and development of wireless communication technologies, a great many terminals have emerged, for example for Machine Type Communications (MTC) applications. In MTC, network communication between one or more network elements takes place without human involvement, i.e. Machine To Machine (M2M) applications; specific application scenarios include traffic control and management, factory monitoring, remote meter reading and the like. In MTC applications, a user equipment (User Equipment, UE) is called an M2ME; multiple M2MEs make up a whole that may be called a group, and a network operator or industry user can manage or control the group as a whole. A group identifier can be used to identify and distinguish different groups. Network operators and industry users can perform access control management on the group as a whole.

As shown in FIG. 1, an existing network architecture includes a mobility management network element 101, a server 102 and an access network 103. The mobility management network element 101 is used for Non-Access Stratum (NAS) signaling and NAS signaling encryption, as well as roaming, tracking and other functions, and assigns temporary user identities, security functions and so on. The server 102 stores UE-related or group-related subscription data or information. The access network 103 receives the access request of the UE and helps the UE complete access to the network. The subscription data of a UE is the subscription data of each UE as an individual; the subscription data of a group is the data or subscription data common to all UEs in the group.

In the course of implementing the present invention, the inventors found that when an illegal UE maliciously attacks the network side, or maliciously attacks the network by using an illegal Access Point Name (APN), the network side cannot effectively stop the illegal UE from continuing to attack other network entities, and the network side does not investigate the reason why the UE is illegal. As a result, more and more illegal terminals keep emerging, which poses a great threat to network security and seriously affects the experience of other normal users.

Summary of the Invention

The technical problem to be solved by the embodiments of the present invention is to provide a method, an apparatus and a system for access control that can control access of an illegal UE to the network.

To solve the above technical problem, the method embodiment of the access control provided by the present invention can be implemented by the following technical solution:

receiving an access request;

obtaining access right information of the user equipment that sent the access request, or of the group to which the user equipment belongs, or of the access point name;

performing an access operation if the access right information meets the conditions for allowing access;

if the access right information does not meet the conditions for allowing access, refusing to perform the access operation and determining that the user equipment, or the group where the user equipment is located, or a certain access point name is illegal; and sending information that the user equipment, or the group where the user equipment is located, or a certain access point name is illegal to a server.

The embodiment of the present invention further provides a mobility management network element or access network element, including: a request receiving unit, configured to receive an access request;

an access right information acquiring unit, configured to acquire access right information of the user equipment that sent the access request, or of the group to which the user equipment belongs, or of the access point name;

an access operation unit, configured to perform an access operation if the access right information meets the conditions for allowing access, and otherwise to refuse to perform the access operation;

an illegal determining unit, configured to determine that the user equipment, or the group where the user equipment is located, or the access point name is illegal if the access right information does not meet the conditions for allowing access;

an illegal information sending unit, configured to send information that the user equipment, or the group where the user equipment is located, or a certain access point name is illegal to a server.

The embodiment of the present invention further provides a server, including:

an illegal information receiving unit, configured to receive information, sent by a mobility management network element or access network element, that a user equipment, or the group where the user equipment is located, or an access point name is illegal;

a checking unit, configured for the server to check the reason why the illegal user equipment, or the group where the user equipment is located, or the access point name is abnormal;

a modifying unit, configured to modify the corresponding parameters according to the reason for the abnormality so that the group where the user equipment is located or the access point name becomes legal.

The embodiment of the present invention further provides an access control system, including:

a mobility management network element or access network element, configured to receive an access request; obtain access right information of the user equipment that sent the access request, or of the group to which the user equipment belongs, or of the access point name; perform an access operation if the access right information meets the conditions for allowing access; if the access right information does not meet the conditions for allowing access, refuse to perform the access operation and determine that the user equipment, or the group where the user equipment is located, or a certain access point name is illegal; and send information that the user equipment, or the group where the user equipment is located, or a certain access point name is illegal to a server;

a server, configured to receive the information that the user equipment, or the group where the user equipment is located, or the access point name is illegal.

The above technical solution has the following beneficial effects: the network side judges the access right information of the user equipment that sent the access request, or of the group to which the user equipment belongs, or of the access point name; only a user equipment that meets the conditions for allowing access is allowed to access; and information that the user equipment, or the group where the user equipment is located, or a certain access point name is illegal is sent to the server. This achieves the purpose of limiting the access of the UE, further prevents the UE from maliciously attacking the network side, and improves the quality of service of the network.

Brief Description of the Drawings

the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and persons of ordinary skill in the art may obtain other drawings from these drawings without creative effort.

FIG. 1 is a schematic diagram of a prior art network architecture;

FIG. 2 is a schematic flowchart of method Embodiment 1 of the present invention;

FIG. 3 is a schematic flowchart of method Embodiment 2 of the present invention;

FIG. 4 is a schematic flowchart of method Embodiment 3 of the present invention;

FIG. 5 is a schematic structural diagram of a mobility management network element according to Embodiment 4 of the present invention;

FIG. 6 is a schematic structural diagram of a mobility management network element according to Embodiment 4 of the present invention;

FIG. 7 is a schematic structural diagram of a server according to Embodiment 5 of the present invention;

FIG. 8 is a schematic structural diagram of a server according to Embodiment 5 of the present invention; FIG. 9 is a schematic structural diagram of an access control system according to Embodiment 6 of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, rather than all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

Embodiment 1. The embodiment of the present invention provides a method for access control. The entity executing the technical solution of this embodiment may be a mobility management network element or an access network element. The method may include the following steps:

Step 201: receive an access request;

Step 202: obtain access right information of the user equipment that sent the access request, or of the group to which the user equipment belongs, or of the access point name;

The access right information includes at least one of: the number of accesses per unit time of the user equipment or of the group where the user equipment is located; the total number of accesses of the user equipment or of the group where the user equipment is located (which may be the total number of accesses on a certain network device, for example a mobility management network element or an access network element); the number of accesses per unit time under a certain APN; or the total number of accesses to a certain APN. The process of obtaining the access right information may specifically include: collecting the statistics itself; or obtaining the server's statistical result from the server. Of course, the access right information may also be other information; this is not limited by the embodiment of the present invention and does not affect its implementation.

Step 203: if the access right information meets the conditions for allowing access, perform the access operation; otherwise, refuse to perform the access operation and determine that the user equipment, or the group where the user equipment is located, or a certain access point name is illegal;

The conditions for allowing access include the traffic model of the user equipment, or of the group where the user equipment is located, or of a certain APN. The traffic model specifically includes at least one of: the number of accesses per unit time that the network side allows for the user equipment or the group where the user equipment is located; the total number of accesses that the network side allows for the user equipment or the group where the user equipment is located (which may be the total number of accesses on a certain network device, for example a mobility management network element or an access network element); the number of accesses per unit time that the network side allows under a certain APN; or the total number of accesses to a certain APN that the network side allows.

Step 204: send information that the user equipment, or the group where the user equipment is located, or a certain access point name is illegal to the server.

后续有相关 UE或者群内 UE或者 APN下的接入请求时, 服务器会将 UE或 者 UE所在的群或者某个接入点名称非法的信息发送给相应的移动性管理网元 或者接入网网元 (当前的移动性管理网元或者接入网元, 或者移动到新的移 动性管理网元或者接入网网元), 使得移动性管理网元或者接入网元可以才艮据 所述非法信息拒绝该用户设备或者用户设备所属的群或者接入点名称的接入 请求。  The server sends the information about the UE or the group where the UE is located or the name of an access point to the corresponding mobility management network element or the access network when there is an access request from the UE or the intra-group UE or the APN. The current mobility management network element or access network element, or moved to a new mobility management network element or access network element, so that the mobility management network element or the access network element can be described The illegal information rejects the access request of the user equipment or the group or access point name to which the user equipment belongs.

Further, the mobility management network element or access network element may itself also store the information that the user equipment, the group to which it belongs, or the APN is illegal, and may use that information to control access requests from the user equipment, from the group to which it belongs, or under the APN.

The mobility management network element or access network element judges the access right of the user equipment that sent the access request, and only access requests from user equipment, from UEs within a group, or under an APN that satisfy the conditions for allowing access are admitted. This restricts access by the UE, by the group to which the UE belongs, or to a certain APN. Moreover, because the information that the user equipment, its group, or an access point name is illegal is reported to the server, when a mobility management network element or access network element receives an access request from that user equipment, group, or access point name, it can reject the request according to the illegal information obtained from the server. This further prevents a UE, a group, or a particular APN from mounting malicious attacks on the network side, improves the network's quality of service, and improves the reliability of network devices. In addition, because UE access is restricted, network congestion is also reduced.

In another embodiment of the present invention, the server includes a first server and a second server. After the first server (for example the HSS) receives the information that the user equipment, the group to which it belongs, or a certain access point name is illegal, the first server sends a message notifying the second server (for example the MTC Server). The message carries the UE identifier (or the group identifier or the APN) and indication information indicating that the UE (or the group or the APN) is illegal; the indication information may be a specific message type, a specific cause value, or the like, and serves to inform the second server that the UE, group, or APN is illegal. This embodiment does not restrict the name of the message. The second server may, according to the illegal UE, group, or APN, query the corresponding information related to that UE, group, or APN stored in the first server or the second server. This information is the information that affects the access right of the UE, group, or APN, including but not limited to the time points at which the UE, group, or APN is allowed to access, the total number of UEs allowed to access the group, or the time points at which services are allowed to occur. By examining this information the second server finds the cause of the UE's or group's abnormality (for example, the total number of UEs allowed to access the group is too large, or the access time point required by the service is too busy). The second server then modifies the corresponding parameters according to the cause of the access abnormality so that the UE, group, or APN becomes legal again (for example, it reduces the number of UEs in the group, or applies distributed access control to the time points required by the service), and sends a message notifying the first server that the UE, group, or APN has returned to normal. That message carries the UE identifier (or the group identifier or the APN) and indication information indicating that the UE (or group or APN) is legal; the indication information may be a specific message type or a specific cause value. In this way, when the mobility management network element subsequently obtains the information of the UE, group, or APN from the first server, the information that the UE or group is illegal no longer appears.

In another embodiment of the present invention, if the access right information does not satisfy the conditions for allowing access, but the access request is a location update request and it is learned from the source-side mobility management network element, from the user equipment, or from the access network element that the location update request is being used for load rebalancing, the access request is allowed. The load rebalancing procedure ensures that a UE, or a UE within a group, can register with another mobility management network element and continue its services. Therefore, when an access request initiated by a UE or a UE within a group because of Load Rebalancing falls outside the traffic model allowed by the network side, the network side may still accept that access request.

The mobility management network element in the embodiments of the present invention may be understood as follows: in an Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the mobility management network element may be the Mobility Management Entity (MME); in a Universal Terrestrial Radio Access Network (UTRAN) or a GSM/EDGE Radio Access Network (GERAN), it may be the Serving General Packet Radio Service Supporting Node (SGSN); in a non-Third Generation Partnership Project (3GPP) network, it may be the Access Gateway (AGW); in a Wireless Local Area Network (WLAN), it refers to the mobility management logical function in the Evolved Packet Data Gateway (ePDG); in a Worldwide Interoperability for Microwave Access (WiMAX) network, it may be the Access Service Network Gateway (ASN GW); and in a Code Division Multiple Access (CDMA) network, it may be the mobility management logical function in the High Rate Packet Data Access Network (HRPD AN).

The access network element in the embodiments of the present invention may be understood as follows: in an E-UTRAN, the access network element may be an evolved NodeB (eNodeB) or a Home eNodeB (HeNB); in a UTRAN/GERAN, it may be a Radio Network Controller (RNC) or a Base Station Controller (BSC); in non-3GPP networks, the access network element in a WLAN may be the access network logical function in the ePDG, in a WiMAX network it refers to the Access Service Network Base Station (ASN BS), and in a CDMA network it may be the access network logical function in the HRPD AN.

The server in the present invention may store subscription data or information related to a UE or to a group. The subscription data or information of a UE refers to the subscription data or information of each UE as an individual; the subscription data or information of a group refers to the subscription data or information common to all UEs in the group. The server may be a Home Subscriber Server (HSS) or an application server, for example a Machine Type Communications server (MTC Server).

The above descriptions of the specific devices that the mobility management network element, the access network element, and the server refer to in the various systems are examples only; they are not exhaustive and should not be understood as limiting the embodiments of the present invention. In the following embodiments, the server is described using the HSS or the MTC Server as an example; it should be understood that the server may also be any of several types of application server, and the HSS and MTC Server examples should not be understood as limiting the embodiments of the present invention.

Embodiment 2. This embodiment further describes the embodiments of the present invention taking as an example a mobility management network element that counts the access right information of user equipment. In this embodiment, both the first server and the second server may be servers that store user subscription data, and the second server may additionally be the server that investigates the cause of an APN, a user, or a group being illegal. The functions of the first server and the second server may of course also be merged into one; if they are merged, the messages between the first server and the second server are message exchanges inside one device. In this embodiment, the first or second server stores the traffic model of the UE or of the group. The traffic model in the present invention refers to the model of the access procedures by which a UE, or the UEs within a group, access the network, for example the number of accesses per unit time allowed by the network side, or the total number of accesses allowed on a certain device. The access procedures in the present invention include but are not limited to: the attach procedure; location update procedures such as Routing Area Update (RAU), Location Area Update (LAU), or Tracking Area Update (TAU); PDN connection establishment; PDP activation; or the Service Request procedure. The mobility management network element obtains the traffic model from the first server or the second server and accepts or rejects the UE's access request according to that traffic model. The first or second server stores the traffic model of the UE or group and may be an HSS or an MTC Server. As shown in FIG. 3, the following steps may be included:

Step 301: The UE initiates an access request to the access network element. Optionally, if the UE is performing the access for Load Rebalancing of the mobility management network element, the UE carries an indication in a Radio Resource Control (RRC) layer message to inform the access network element that the UE is performing Load Rebalancing.

If the mobility management network element with which the UE, or the UE within the group, is registered (that is, the source mobility management network element) needs to perform Load Rebalancing, that registered mobility management network element instructs the UE, or the UE within the group, to perform a location update procedure in order to complete the Load Rebalancing of the source mobility management network element. After receiving the instruction, the UE or the UE within the group initiates the location update procedure, and the access network element selects for it a target mobility management network element different from the source mobility management network element, thereby completing the Load Rebalancing (that is, load redistribution).

Step 302: The access network element sends the access request to the mobility management network element. Optionally, the access network element carries indication information indicating that the UE is performing the access procedure for Load Rebalancing of the mobility management network element. The indication information may be a Load Rebalancing Indication, which may be sent to the mobility management network element as a separate information element or in a reserved bit of another information element.

Step 303: The mobility management network element obtains the subscription data of the UE or of the group from the first or second server (which may be the HSS or the MTC Server; the HSS or MTC Server is used as the example here). The first or second server sends the traffic model of the UE or of the group to the mobility management network element. The traffic model may also be statically configured on the mobility management network element, for example by configuring the number of accesses allowed for a certain UE per unit time, the number of accesses allowed for a certain group per unit time, or the total number of accesses to that mobility management network element allowed per unit time.

Step 304: The mobility management network element counts the accesses of the UE or of the group, for example the number of accesses by the UE or the group per unit time, or the total number of accesses to that mobility management network element. The mobility management network element judges whether the accesses of the UE or group would exceed the range allowed by the traffic model. If the number of accesses is within the range allowed by the traffic model, the mobility management network element may accept the access request of the UE or of the UE within the group; otherwise it rejects the access request. This is carried out in step 306. There is no fixed order between step 306 and steps 304 and 305.

Optionally, if the traffic model applies to a single UE, and the accesses of that UE (for example the number of accesses per unit time, or the total number of connections to the mobility management network element) exceed the range allowed by the traffic model, the mobility management network element sends a message notifying the first server that the UE is an illegal UE. The message carries the UE identifier and indication information indicating that the UE is illegal; the indication information may be a specific message type, a specific cause value, or the like. The next time the UE accesses through another mobility management network element, the first server passes the indication that the UE is illegal to that mobility management network element, preventing the UE from accessing illegally through other mobility management network elements.

If the traffic model applies to a group, the mobility management network element counts the accesses of the UEs within the group that share the same group identifier (for example the number of accesses by UEs in the group per unit time, or the total number of accesses by UEs in the group to the mobility management network element). The mobility management network element may obtain the group identifier to which a UE belongs either because the UE carries the group identifier when it accesses, or by obtaining the UE's subscription data, and thus its group identifier, from the first or second server. If the group's accesses exceed the range allowed by the group's traffic model, the mobility management network element sends a message notifying the first server that the group is illegal. The message carries the group identifier and indication information indicating that the group is illegal; the indication information may be a specific message type, a specific cause value, or the like. The next time a UE within the group accesses through another mobility management network element, the first server passes the indication that the UEs in the group are illegal to that mobility management network element, preventing the UEs of that group from accessing illegally through other mobility management network elements.

Step 305: Optionally, the first server sends a message notifying the second server. The message carries the UE identifier (or the group identifier) and indication information indicating that the UE (or the group) is illegal; the indication information may be a specific message type, a specific cause value, or the like. This message is used by the first server to inform the second server that the UE or group is illegal, and the present invention does not restrict the name of the message. The second server may, according to the illegal UE or group, query the corresponding information related to that UE or group stored in the first server or the second server. This information is the information that affects the accesses of the UE or group, including but not limited to the time points at which the UE or group is allowed to access, the total number of UEs allowed to access the group, or the time points at which services are allowed to occur. By examining this information the second server finds the cause of the UE's or group's abnormality (for example, the total number of UEs allowed to access the group is too large, or the access time point required by the service is too busy). The second server then modifies the corresponding parameters according to the cause of the access abnormality so that the UE or group becomes legal, and sends a message notifying the first server that the UE or group has returned to normal. That message carries the UE identifier (or the group identifier) and indication information indicating that the UE (or group) is legal; the indication information may be a specific message type or a specific cause value. In this way, when the mobility management network element subsequently obtains the information of the UE or group from the first server, the information that the UE or group is illegal no longer appears.

Step 306: If the access request of the UE or group falls outside the traffic model, the mobility management network element rejects the access request of the UE or group. The rejection message carries indication information indicating that the access request of the UE (or group) does not conform to the traffic model; this indication information may be a specific cause value, such as illegal access request, or a specific indication, such as illegal Indication. Otherwise, the mobility management network element accepts the access request of the UE or of the UE within the group. There is no fixed order between step 305 and step 306.

Optionally, although the access request of the UE or of the UE within the group falls outside the traffic model set by the network side, if the UE or the UE within the group is performing the access procedure for Load Rebalancing of the mobility management network element, the mobility management network element may, based on the indication information carried by the access network element in step 302 indicating that the UE or the UE within the group is performing the access procedure for Load Rebalancing of the mobility management network element, still accept the request of the UE or of the UE within the group even though its access is outside the range allowed by the traffic model. The mobility management network element may also learn of this indication in other ways: the UE or the UE within the group may carry it to the mobility management network element in a NAS message, or the new mobility management network element may learn from the source-side mobility management network element, in the Context Response, that the UE or the UE within the group is performing the access procedure for Load Rebalancing of the mobility management network element. The NAS messages include but are not limited to the Attach Request, LAU Request, TAU Request, or RAU Request messages.

The network side judges the access right of the user equipment that sent the access request, and only user equipment that satisfies the conditions for allowing access is admitted. This restricts UE access, further prevents UEs from mounting malicious attacks on the network side, improves the network's quality of service, and improves the reliability of network devices. In addition, because UE access is restricted, network congestion is also reduced.

Embodiment 3. This embodiment further describes the embodiments of the present invention taking as an example the counting of access information under a certain APN. In this embodiment, the HSS or the MTC Server stores the traffic model of a certain APN, or the mobility management network element statically configures the traffic model under a certain APN, for example the number of accesses allowed under the APN per unit time, or the total number of accesses to the APN allowed on a certain device. The mobility management network element counts the accesses under the APN, for example the number of accesses under the APN per unit time, or the total number of accesses to the APN on that mobility management network element, and accepts or rejects access requests for the APN according to the APN's traffic model. As shown in FIG. 4, the following steps are included:

Step 401: The UE initiates an access request to the access network element. Optionally, if the UE is performing the access for Load Rebalancing of the mobility management network element, the UE carries an indication in a Radio Resource Control (RRC) layer message to inform the access network element that the UE is performing Load Rebalancing. The access request also needs to carry an APN, which indicates the APN the UE wishes to access.

If the mobility management network element with which the UE, or the UE within the group, is registered (that is, the source mobility management network element) needs to perform Load Rebalancing, that registered mobility management network element instructs the UE, or the UE within the group, to perform a location update procedure in order to complete the Load Rebalancing of the source mobility management network element. After receiving the instruction, the UE or the UE within the group initiates the location update procedure, and the access network element selects for it a target mobility management network element different from the source mobility management network element, thereby completing the Load Rebalancing (that is, load redistribution). When the mobility management network element with which the UE or the UE within the group is registered can no longer serve it, the load rebalancing procedure ensures that the UE or the UE within the group can register with another mobility management network element and continue its services. Therefore, when an access request initiated by a UE or a UE within a group because of Load Rebalancing falls outside the traffic model allowed by the network side, the network side may still accept that access request.

Step 402: The access network element sends the access request to the mobility management network element. Optionally, the access network element carries indication information indicating that the UE is performing the access procedure for Load Rebalancing of the mobility management network element. The indication information may be a Load Rebalancing Indication, which may be sent to the mobility management network element as a separate information element or in a reserved bit of another information element.

Step 403: The mobility management network element obtains the subscription data of the UE or of the group from the first server; the server may be the HSS or the MTC Server, and this embodiment takes the HSS or MTC Server as the example. The HSS or MTC Server stores the traffic model of the APN, or the mobility management network element statically configures the traffic model of the APN.

The mobility management network element counts the accesses under the APN, for example the number of accesses under the APN per unit time, or the total number of accesses to the APN on that mobility management network element, and accepts or rejects access requests for the APN according to the APN's traffic model; this is described in step 406. There is no fixed order between step 406 and steps 404 and 405.

Step 404: If the UE's access to the APN is within the range of accesses allowed by the traffic model, the mobility management network element allows the access request for the APN. Otherwise, optionally, the mobility management network element notifies the first server with indication information indicating that the APN is illegal, for example a cause value such as illegal access or an illegal indication. The next time a UE accesses through another mobility management network element, the first server passes the indication that the APN is illegal to that mobility management network element, preventing users from accessing illegally through that APN at other mobility management network elements.
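The admission check that steps 303, 304 and 306 describe for a UE or a group, and that steps 403, 404 and 406 describe for an APN, written out as an added Python example (it is not the patent's own code). It keys the traffic model by ue:, group: and apn: strings, implements the "per unit time" limit as a sliding window over attempt timestamps, keeps the "total accesses on this element" as a lifetime counter, reports offending keys to the first server (reduced here to a set of marks; the exchange with the second server is not modelled), and admits a location update carrying the Load Rebalancing indication regardless of the model, as the general embodiment above specifies. Every class, field and cause-value string is an assumption made for illustration, and the attempt sequence in demo() is constructed. One design choice the patent leaves open: rejected attempts are counted too, so a device that keeps retrying after a rejection does not escape the model.

```python
"""Added example, not from the patent: the mobility-management-element admission
check of Embodiment 2 (steps 303, 304 and 306) and its APN variant in Embodiment 3
(steps 403, 404 and 406), including the Load Rebalancing exception. Class names,
key formats and cause-value strings are assumptions; the patent fixes none of them.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set

CAUSE_ILLEGAL_ACCESS_REQUEST = "illegal access request"  # request outside the traffic model
CAUSE_ILLEGAL_INDICATION = "illegal indication"          # key already marked at the server
LOCATION_UPDATES = {"TAU", "RAU", "LAU"}                 # procedures used for Load Rebalancing


@dataclass(frozen=True)
class TrafficModel:
    """Limits the network side allows for one key: a UE, a group or an APN."""
    window_seconds: float          # the 'unit time'
    max_per_window: Optional[int]  # accesses allowed per unit time (None: unlimited)
    max_total: Optional[int]       # total accesses allowed on this element (None: unlimited)


@dataclass(frozen=True)
class AccessRequest:
    ue_id: str
    group_id: Optional[str] = None
    apn: Optional[str] = None
    procedure: str = "ATTACH"       # ATTACH, TAU, RAU, LAU, SERVICE_REQUEST, ...
    load_rebalancing: bool = False  # indication carried by the eNodeB, NAS or Context Response


class MobilityManagementElement:
    def __init__(self, models: Dict[str, TrafficModel], server_marks: Set[str]) -> None:
        self.models = models
        self.server_marks = server_marks   # stand-in for the first server's 'illegal' records
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)  # attempt times per key
        self.total: Dict[str, int] = defaultdict(int)              # lifetime attempts per key

    @staticmethod
    def keys_for(req: AccessRequest) -> List[str]:
        keys = [f"ue:{req.ue_id}"]
        if req.group_id:
            keys.append(f"group:{req.group_id}")
        if req.apn:
            keys.append(f"apn:{req.apn}")
        return keys

    def _exceeds(self, key: str, now: float) -> bool:
        """Count this attempt against key, then test the counts against the key's model."""
        window = self.recent[key]
        window.append(now)
        self.total[key] += 1
        model = self.models.get(key)
        if model is None:
            return False
        while window and now - window[0] >= model.window_seconds:
            window.popleft()                # forget attempts older than one unit time
        over_rate = model.max_per_window is not None and len(window) > model.max_per_window
        over_total = model.max_total is not None and self.total[key] > model.max_total
        return over_rate or over_total

    def handle(self, req: AccessRequest, now: float) -> str:
        """Return 'ACCEPT' or 'REJECT:<cause>' for one access request."""
        keys = self.keys_for(req)
        offending = [k for k in keys if self._exceeds(k, now)]
        for key in offending:
            self.server_marks.add(key)      # step 304 / step 404: notify the first server
        if req.load_rebalancing and req.procedure in LOCATION_UPDATES:
            return "ACCEPT"                 # location update for Load Rebalancing: admitted anyway
        if offending:
            return f"REJECT:{CAUSE_ILLEGAL_ACCESS_REQUEST}"
        if any(k in self.server_marks for k in keys):
            return f"REJECT:{CAUSE_ILLEGAL_INDICATION}"
        return "ACCEPT"


def demo():
    """Constructed attempt sequence (time in seconds) against three traffic models."""
    marks: Set[str] = set()
    mme = MobilityManagementElement({
        "ue:ue-1": TrafficModel(60, max_per_window=3, max_total=None),
        "group:g-1": TrafficModel(60, max_per_window=5, max_total=100),
        "apn:mtc.example": TrafficModel(60, max_per_window=None, max_total=4),
    }, marks)
    attempts = [
        (0, AccessRequest("ue-1", "g-1", "mtc.example")),
        (1, AccessRequest("ue-1", "g-1", "mtc.example")),
        (2, AccessRequest("ue-1", "g-1", "mtc.example")),
        (3, AccessRequest("ue-1", "g-1", "mtc.example")),  # 4th UE access within 60 s
        (4, AccessRequest("ue-2", "g-1", "mtc.example")),  # 5th access to the APN in total
        (5, AccessRequest("ue-3", "g-1", "other.apn")),    # 6th group access within 60 s
        (6, AccessRequest("ue-4", "g-1", procedure="TAU", load_rebalancing=True)),
        (70, AccessRequest("ue-2", "g-1")),                # window expired, but mark remains
    ]
    results = [mme.handle(req, t) for t, req in attempts]
    marks.discard("group:g-1")                             # second server restored the group
    results.append(mme.handle(AccessRequest("ue-2", "g-1"), 71))
    return results, sorted(marks)
```

demo() returns nine verdicts followed by the marks left at the first server: the fourth request of ue-1 inside one window trips its own model, the fifth access to the APN trips the APN's total, the sixth group access trips the group model, the TAU sent for Load Rebalancing is admitted although the group is already over its model, and at t=70 the group is rejected with the illegal indication even though its window has emptied, until the mark is cleared. An attach that merely claims Load Rebalancing is not exempted, because the exception in the text applies to location update requests.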

Step 405: Optionally, the first server sends a message to notify the second server; the message carries the APN and indication information that the APN is illegal, which may be a specific message type or a specific cause value. Both the first server and the second server may be servers that store user subscription data; the second server may additionally be a server that investigates the cause of an illegal APN, an illegal user, or an illegal group. The first and second server may also be merged into one; in that case the message between them is a message exchange inside the device. The message is used by the first server to notify the second server that the APN is illegal; the present invention does not restrict the name of the message. Based on the illegal APN, the second server can query the information related to that APN that is stored in the first server or the second server, that is, the information that affects the access situation of the APN, including but not limited to the time points at which access to the APN is allowed, the total number of UEs allowed to access the APN, or the time points at which service is allowed to occur.
Through this information it finds the cause of the abnormality of the APN (for example, too many UEs are allowed to access the APN, or the access time points required by the service are too busy); the second server then modifies the corresponding parameters according to that cause so that the APN becomes legal, and sends a message notifying the first server that the APN has returned to normal. That message carries the APN and indication information that the APN is legal, which may be a specific message type or a specific cause value.

Step 406: If the access requests under the APN fall outside the traffic model, the mobility management network element rejects the access request under the APN; the reject message carries indication information that the access request under the APN does not conform to the traffic model, which may be a specific cause value such as illegal access request, or a specific indication such as illegal Indication. Otherwise, the mobility management network element accepts the access request of the UE, of the UE in the group, or under the APN. Steps 405 and 406 have no fixed order.

Optionally, even though the access request of the UE falls outside the traffic model set on the network side, if the UE is performing the access procedure for load rebalancing of the mobility management network element, the network side may still accept the request of the UE or of the UE in the group: the mobility management network element relies on the indication information carried by the access network element in step 402, which indicates that the UE or the UE in the group is performing the access procedure for Load Rebalancing of the mobility management network element. The mobility management network element may also learn this indication from the UE through a NAS message, or, in the case of a new mobility management network element, from the source-side mobility management network element in the Context Response. The NAS messages include but are not limited to an Attach Request, a LAU Request, a TAU Request, or a RAU Request.

The network side judges the access right of the user equipment that requests access, and only user equipment that meets the condition for allowing access is admitted. This restricts UE access, further prevents a UE from mounting a malicious attack on the network side, improves the service quality of the network, and improves the reliability of network equipment. Because access by a UE, by a group, or under an APN is restricted, network congestion is also reduced.

Embodiment 4. As shown in FIG. 5, an embodiment of the present invention further provides a mobility management network element, which may also be an access network element, including:

a request receiving unit 501, configured to receive an access request;

an access right information obtaining unit 502, configured to obtain the access right information of the user equipment making the access request, of the group to which the user equipment belongs, or of the APN;

an access operation unit 503, configured to perform the access operation if the access request of the UE, of the UE in the group, or under the APN meets the condition for allowing access, and otherwise to refuse to perform the access operation;

an illegality determining unit 504, configured to determine that the user equipment, the group in which the user equipment is located, or the APN is illegal if the access request does not meet the condition for allowing access;

an illegal information sending unit 505, configured to send to the server the information that the user equipment, the group in which the user equipment is located, or a certain access point name is illegal.

Optionally, as shown in FIG. 6, where the access request is a location update request, the mobility management network element may further include:

a load redistribution unit 601, configured to perform the access operation when it learns from the source-side mobility management network element, the user equipment, or the access network element that the location update request is for load redistribution.

Specifically, the access right information obtaining unit 502 is configured to collect statistics on access by the user equipment, by the group in which the user equipment is located, or under the APN; or to obtain from the server the result of statistics collected by the server.

In the above implementation, access by the user equipment making the request, by the group in which it is located, or under the APN is judged, and only a user equipment, group, or APN that meets the condition for allowing access is admitted. This restricts access by the UE, by the group, or under the APN, further prevents a UE, a group, or a UE using an illegal APN from maliciously attacking the network side, improves the service quality of the network, and improves the reliability of network equipment. Because access by the UE, by the group, or under the APN is restricted, network congestion is also reduced.

Embodiment 5. As shown in FIG. 7, an embodiment of the present invention further provides a server, including:

an illegal information receiving unit 701, configured to receive, from a mobility management network element or an access network element, information that a user equipment, the group in which the user equipment is located, or an access point name is illegal;

an investigating unit 702, configured to investigate the cause of the abnormality of the illegal user equipment, of the group in which the user equipment is located, or of the access point name;

a modifying unit 703, configured to modify the corresponding parameters according to the cause of the abnormality so that the group in which the user equipment is located or the access point name becomes legal.

Further, as shown in FIG. 8, the server may further include:

an access right information statistics unit 801, configured to collect the access right information of a user equipment, of the group in which the user equipment is located, or of an access point name;

an access right query request receiving unit 802, configured to receive a request to query the access right information of a user equipment, of the group in which the user equipment is located, or under an access point name;

a query unit 803, configured to look up, in the collected access right information of user equipment, groups, or access point names, the access right information of the user equipment, group, or access point name named in the query request;

an access right information sending unit 804, configured to send the access right information found by the query.

The above implementation provides a way to obtain the basis on which the access right of a user equipment is judged.

Embodiment 6. As shown in FIG. 9, an embodiment of the present invention further provides an access control system, including:

a mobility management network element or access network element 901, configured to receive an access request; obtain the access right information of the user equipment making the access request, of the group to which the user equipment belongs, or of an access point name; perform the access operation if the access right information meets the condition for allowing access; and, if the access right information does not meet the condition for allowing access, refuse to perform the access operation, determine that the user equipment, the group in which it is located, or a certain access point name is illegal, and send the information that the user equipment, the group, or the access point name is illegal to the server 902, so that the network rejects subsequent illegal access;

a server 902, configured to receive the information that the user equipment, the group in which it is located, or the access point name is illegal, and, if the user equipment, the group, or the access point name is illegal, to reject subsequent access by the illegal UE, by the illegal group, or by a UE using the illegal APN.

More specifically, obtaining the access right information of the user equipment making the access request, of the group to which it belongs, or of the access point name by the mobility management network element or access network element 901 includes: collecting statistics on access by that user equipment, group, or access point name; or

obtaining from the server 902 the result of statistics collected by the server 902;

in which case the server 902 is further configured to collect statistics on access by the user equipment, by the group, or under the access point name, and to send the result of those statistics to the mobility management network element or access network element 901.

The server 902 is further configured to investigate the cause of the abnormality of the illegal user equipment, of the group in which the user equipment is located, or of the access point name; to modify the corresponding parameters according to that cause so that the group in which the user equipment is located or the access point name becomes legal; and to send the information that the group or the access point name is legal to the mobility management network element or access network element 901.

More specifically, where the received access request is a location update request,

the mobility management network element 901 is further configured to perform the access operation when it learns from the source-side mobility management network element, the user equipment, or the access network element that the location update request is for load redistribution.

In the above implementation, the access right of the user equipment making the request, of the group in which it is located, or under the APN is judged, and only user equipment that meets the condition for allowing access is admitted. This restricts access by the UE, by the group, or under the APN, further prevents a UE from maliciously attacking the network side, improves the service quality of the network, and improves the reliability of network equipment. Because access by the UE, by the group, or under the APN is restricted, network congestion is also reduced. All or part of the steps of the above embodiments may be implemented by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk, or an optical disk.
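The following worked example is added here by the editor and is not code from the patent or from any Huawei implementation. It models, in Python, the flow of steps 403 to 406 on the mobility management side and the network element, server and system of embodiments 4 to 6 in one place: a traffic model per UE, group and APN (claim 2), a sliding-window count for the per-unit-time statistic, a reject with a cause value, the illegal mark sent to the server and picked up by a second network element, and the server's troubleshooting that makes the APN legal again (claim 3). The class names, the cause strings ILLEGAL_ACCESS_REQUEST and ILLEGAL_INDICATION, the limits, the merged first/second server and the sample requests are all assumptions. As a hardening choice of this example, the load-rebalancing override is honoured only when a network-side element asserts it, whereas the specification also lets the UE carry the indication in a NAS message.

```python
# Added worked example, not code from the patent or from Huawei: steps 403-406 (MME side)
# and embodiments 4-6 (network element, server, system). Names, cause strings, limits and
# sample requests are assumptions.
from collections import deque
from dataclasses import dataclass
from typing import Optional

ILLEGAL_ACCESS_REQUEST = "illegal access request"  # cause value of step 406 (string assumed)
ILLEGAL_INDICATION = "illegal indication"          # cause value of step 404 (string assumed)

@dataclass(frozen=True)
class TrafficModel:
    """Condition for allowing access (claim 2): accesses per unit time and/or in total."""
    max_per_window: int
    window_seconds: int
    max_total: Optional[int] = None

@dataclass(frozen=True)
class AccessRequest:
    """Attach/TAU/RAU request reduced to the three dimensions the patent checks."""
    ue: str
    group: Optional[str] = None
    apn: Optional[str] = None

    def keys(self):
        yield ("ue", self.ue)
        if self.group:
            yield ("group", self.group)
        if self.apn:
            yield ("apn", self.apn)

class SubscriptionServer:
    """First and second server merged into one (HSS or MTC Server), as step 405 allows."""
    def __init__(self, models):
        self.models = dict(models)  # key -> TrafficModel: the subscription data of step 403
        self.illegal = {}           # key -> cause value reported by some network element

    def subscription(self, key):
        return self.models.get(key)

    def report_illegal(self, key, cause):  # unit 505 reporting to unit 701
        self.illegal[key] = cause

    def is_illegal(self, key):  # what another MME learns from the server (step 404)
        return key in self.illegal

    def troubleshoot(self, key, corrected_model):  # units 702/703, claim 3
        self.models[key] = corrected_model  # modify the parameter behind the abnormality
        self.illegal.pop(key, None)         # and mark the key legal again

class MobilityManagementElement:
    """Counts accesses per UE/group/APN, compares with the traffic model, accepts or rejects."""
    def __init__(self, server, static_models=None):
        self.server = server
        self.static_models = dict(static_models or {})  # step 403: statically configured models
        self.window = {}  # key -> deque of access timestamps (per-unit-time statistic)
        self.total = {}   # key -> total accesses seen at this element

    def model(self, key):
        return self.static_models.get(key) or self.server.subscription(key)

    def _record(self, key, now, model):
        q = self.window.setdefault(key, deque())
        while q and now - q[0] >= model.window_seconds:
            q.popleft()  # drop accesses that fell out of the unit-time window
        q.append(now)
        self.total[key] = self.total.get(key, 0) + 1
        return len(q), self.total[key]

    def handle(self, req, now, rebalancing_from=None):
        """Return ("accept", None) or ("reject", cause). rebalancing_from is the network-side
        element asserting a load-rebalancing access ("source_mme" via Context Response or
        "access_network" as in step 402); a UE-asserted NAS flag is deliberately not honoured."""
        for key in req.keys():
            if self.server.is_illegal(key):
                return "reject", ILLEGAL_INDICATION  # marked illegal earlier, maybe by another MME
            model = self.model(key)
            if model is None:
                continue  # no traffic model for this dimension, nothing to enforce
            in_window, total = self._record(key, now, model)
            if in_window <= model.max_per_window and (
                    model.max_total is None or total <= model.max_total):
                continue
            if rebalancing_from in ("source_mme", "access_network"):
                return "accept", None  # optional override described after step 406
            self.server.report_illegal(key, ILLEGAL_INDICATION)  # step 404 notification
            return "reject", ILLEGAL_ACCESS_REQUEST  # step 406 reject with cause value
        return "accept", None

def demo():
    """Constructed scenario: an MTC group exceeds an APN's model; a second MME sees the mark."""
    server = SubscriptionServer({
        ("apn", "mtc.example"): TrafficModel(max_per_window=3, window_seconds=60),
        ("group", "meters"): TrafficModel(max_per_window=10, window_seconds=60, max_total=100),
    })
    mme1, mme2 = MobilityManagementElement(server), MobilityManagementElement(server)
    results = [mme1.handle(AccessRequest(f"ue{i}", "meters", "mtc.example"), now=i)[0]
               for i in range(4)]  # the fourth access in one window breaks the APN model
    at_other_mme = mme2.handle(AccessRequest("ue9", "meters", "mtc.example"), now=5)
    server.troubleshoot(("apn", "mtc.example"), TrafficModel(max_per_window=50, window_seconds=60))
    after_fix = mme2.handle(AccessRequest("ue9", "meters", "mtc.example"), now=6)
    return results, at_other_mme, after_fix
```

demo() runs the exchange end to end: the fourth access under the APN inside one window exceeds the model and is rejected at the first element with the illegal mark reported to the server; a later request at the second element is rejected from the server's mark before any statistics are taken, which is the cross-element effect step 404 is after; once the server corrects the APN's parameters the same request is accepted. The override branch is the part a practitioner should weigh: a load-rebalancing indication is a policy bypass, so whatever element is allowed to assert it must be one the network trusts.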

The method, apparatus and system for access control provided by the embodiments of the present invention have been described above. The description of the embodiments is intended only to help understand the method of the present invention and its core idea; at the same time, those of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementation and the scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims

1. An access control method, characterized in that it comprises:
receiving an access request;
obtaining the access right information of the user equipment making the access request, of the group to which the user equipment belongs, or of an access point name;
if the access right information meets the condition for allowing access, performing the access operation;
if the access right information does not meet the condition for allowing access, refusing to perform the access operation, determining that the user equipment, the group in which the user equipment is located, or a certain access point name is illegal, and sending the information that the user equipment, the group in which the user equipment is located, or the access point name is illegal to a server.

2. The method according to claim 1, characterized in that
the access right information includes at least one of: the number of accesses per unit time of the user equipment or of the group in which it is located, the total number of accesses of the user equipment or of the group in which it is located, the number of accesses per unit time under the access point name, or the total number of accesses to the access point name;
and the corresponding condition for allowing access is the traffic model of the user equipment, of the group in which it is located, or of the access point name, including at least one of: the allowed number of accesses per unit time of the user equipment or of the group in which it is located, the allowed total number of accesses of the user equipment or of the group in which it is located, the allowed number of accesses per unit time under the access point name, or the allowed total number of accesses to a certain access point name.

3. The method according to claim 1, characterized in that, after determining that the user equipment, the group in which the user equipment is located, or a certain access point name is illegal, the method further comprises:
the server investigating the cause of the abnormality of the illegal user equipment, of the group in which the user equipment is located, or of the access point name; and modifying the corresponding parameters according to the cause of the abnormality so that the user equipment, the group in which the user equipment is located, or the access point name becomes legal.

4. The method according to claim 3, characterized in that, when the access request is a location update request and it is learned from a source-side mobility management network element, the user equipment, or an access network element that the location update request is for load redistribution, the access operation is performed.

5. The method according to any one of claims 1 to 4, characterized in that obtaining the access right information of the user equipment making the access request comprises:
collecting statistics on access by the user equipment, by the group, or under the access point name; or
obtaining from a server the result of statistics collected by the server.

6. A mobility management network element or access network element, characterized in that it comprises:
a request receiving unit, configured to receive an access request;
an access right information obtaining unit, configured to obtain the access right information of the user equipment making the access request, of the group to which the user equipment belongs, or of an access point name;
an access operation unit, configured to perform the access operation if the access right information meets the condition for allowing access, and otherwise to refuse to perform the access operation;
an illegality determining unit, configured to determine that the user equipment, the group in which the user equipment is located, or the access point name is illegal if the access right information does not meet the condition for allowing access;
an illegal information sending unit, configured to send to a server the information that the user equipment, the group in which the user equipment is located, or a certain access point name is illegal.

7. The network element according to claim 6, characterized in that the network element is a mobility management network element, the access request is a location update request, and the network element further comprises:
a load redistribution unit, configured to perform the access operation when it learns from a source-side mobility management network element, the user equipment, or an access network element that the location update request is for load redistribution.

8. The network element according to any one of claims 6 to 7, characterized in that
the access right information obtaining unit is specifically configured to collect statistics on access by the user equipment, by the group in which the user equipment is located, or under the access point name; or to obtain from a server the result of statistics collected by the server.

9. A server, characterized in that it comprises:
an illegal information receiving unit, configured to receive, from a mobility management network element or an access network element, information that a user equipment, the group in which the user equipment is located, or an access point name is illegal;
an investigating unit, configured for the server to investigate the cause of the abnormality of the illegal user equipment, of the group in which the user equipment is located, or of the access point name;
a modifying unit, configured to modify the corresponding parameters according to the cause of the abnormality so that the group in which the user equipment is located or the access point name becomes legal.

10. The server according to claim 9, characterized in that it further comprises:
an access right information statistics unit, configured to collect the access right information of a user equipment, of the group in which the user equipment is located, or of an access point name;
an access right query request receiving unit, configured to receive a request to query the access right information of a user equipment, of the group in which the user equipment is located, or under an access point name;
a query unit, configured to look up, in the collected access right information of user equipment, groups, or access point names, the access right information of the user equipment, group, or access point name named in the query request;
an access right information sending unit, configured to send the access right information found by the query.

11. An access control system, characterized in that it comprises:
a mobility management network element or access network element, configured to receive an access request; obtain the access right information of the user equipment making the access request, of the group to which the user equipment belongs, or of an access point name; perform the access operation if the access right information meets the condition for allowing access; and, if the access right information does not meet the condition for allowing access, refuse to perform the access operation, determine that the user equipment, the group in which the user equipment is located, or a certain access point name is illegal, and send the information that the user equipment, the group in which the user equipment is located, or the access point name is illegal to a server;
a server, configured to receive the information that the user equipment, the group in which the user equipment is located, or the access point name is illegal.

12. The system according to claim 11, characterized in that obtaining the access right information of the user equipment making the access request, of the group to which the user equipment belongs, or of the access point name by the mobility management network element or access network element comprises: collecting statistics on access by the user equipment making the access request, by the group to which the user equipment belongs, or under the access point name; or
obtaining from the server the result of statistics collected by the server;
in which case the server is further configured to collect statistics on access by the user equipment, by the group, or under the access point name, and to send the result of those statistics to the mobility management network element or access network element.

13. The system according to claim 11, characterized in that the server is further configured to investigate the cause of the abnormality of the illegal user equipment, of the group in which the user equipment is located, or of the access point name; to modify the corresponding parameters according to the cause of the abnormality so that the group in which the user equipment is located or the access point name becomes legal; and to send the information that the group in which the user equipment is located or the access point name is legal to the mobility management network element or access network element.

14. The system according to any one of claims 11 to 13, characterized in that the received access request is a location update request; and
the mobility management network element is further configured to perform the access operation when it learns from a source-side mobility management network element, the user equipment, or an access network element that the location update request is for load redistribution.
PCT/CN2010/076290 2009-08-24 2010-08-24 Method, apparatus and system for access control Ceased WO2011023097A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910167128.6 2009-08-24
CN2009101671286A CN101998575B (en) 2009-08-24 2009-08-24 Method, device and system for access control

Publications (1)

Publication Number Publication Date
WO2011023097A1 true WO2011023097A1 (en) 2011-03-03

Family

ID=43627258

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/076290 Ceased WO2011023097A1 (en) 2009-08-24 2010-08-24 Method, apparatus and system for access control

Country Status (2)

Country Link
CN (1) CN101998575B (en)
WO (1) WO2011023097A1 (en)


Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102740265B (en) * 2011-04-08 2017-06-13 中兴通讯股份有限公司 A kind of method and system of control mechanical type communication terminal transceiving data
CN104410972A (en) * 2014-10-30 2015-03-11 苏州德鲁森自动化系统有限公司 Method for monitoring running state of wireless local area network
CN104410988A (en) * 2014-10-30 2015-03-11 苏州德鲁森自动化系统有限公司 Wireless local area network operating state monitoring system
CN109548170B (en) * 2017-07-24 2024-11-05 中兴通讯股份有限公司 A connection establishment method, network element, storage medium and system
CN113099451A (en) * 2020-01-07 2021-07-09 上海诺基亚贝尔股份有限公司 Method, apparatus, device and computer readable medium for connecting to a network

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1378737A (en) * 1999-10-12 2002-11-06 西门子公司 Method for preventing un-authorised access to network
CN1728636A (en) * 2004-07-29 2006-02-01 华为技术有限公司 A method of client authentication
CN1802003A (en) * 2004-12-31 2006-07-12 北京三星通信技术研究有限公司 Downlink call access controlling method
JP2008021247A (en) * 2006-07-14 2008-01-31 Nec Software Kyushu Ltd Information processor, file access control method and program
CN101197670A (en) * 2006-12-08 2008-06-11 中兴通讯股份有限公司 Authentication device for providing authentication to users accessing by terminal


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019169626A1 (en) 2018-03-09 2019-09-12 Nokia Shanghai Bell Co., Ltd. Methods, devices and computer readable medium for authentication in communication
EP3763143A4 (en) * 2018-03-09 2021-11-17 Nokia Technologies Oy Methods, devices and computer-readable media for authentication in communications
US11765583B2 (en) 2018-03-09 2023-09-19 Nokia Technologies Oy Methods, devices and computer readable medium for authentication in communication
EP4664869A4 (en) * 2023-02-07 2025-12-17 Panasonic Ip Man Co Ltd Information end device, information processing device, information processing method and program

Also Published As

Publication number Publication date
CN101998575B (en) 2013-04-24
CN101998575A (en) 2011-03-30

Similar Documents

Publication Publication Date Title
US12207344B2 (en) Communications method and apparatus
CN113785634B (en) Wireless device paging over wireless network
CN113994744B (en) Paging processing method, equipment, storage medium and system
JP7291245B2 (en) RAN paging process
JP6333994B2 (en) Network access blocking method by ACDC and user device
EP2829121B1 (en) Granular network access control and methods thereof
CN107439042B (en) Method and node for handling UE access to a network
CN102196531B (en) Method and device for selecting core network to be accessed
CN102388656B (en) Network congestion processing method, network equipment and network system
JP5982018B2 (en) Machine type communication (MTC) in networks using non-access layer (NAS) signals
CN103716761B (en) Method for controlling connection between user equipment and network and mobile management device
EP3866506B1 (en) Method and device for controlling terminal and network connection
EP4187856A1 (en) Communication method, device and system
WO2010133168A1 (en) Method and equipment for obtaining location update strategy, rejecting location update and paging
CN102223729A (en) Method and system for controlling network access of machine type communication equipment
WO2011006410A1 (en) Network access control method, network access control device and network access system
CN101998575B (en) Method, device and system for access control
WO2012083789A1 (en) Resource allocation method and device and network service system
US11805406B2 (en) Terminal identification method and apparatus
WO2011054251A1 (en) Method, system and terminal for preventing access from illegal terminals
WO2011054149A1 (en) Method, device and communication system for load control
CN107078914B (en) Telecommunications system and method
WO2011044816A1 (en) Monitoring method and monitoring device for user equipment
EP2989822B1 (en) Reducing location update signaling between network nodes of a mobile communication network
WO2011147362A1 (en) Method and apparatus for selecting public land mobile-communication network access network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10811257; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10811257; Country of ref document: EP; Kind code of ref document: A1)