Security Analysis of NGN services based on UML model (1)

Source: Internet
Author: User

Compared with traditional telecommunication networks, NGN faces many security threats, and the security of its services faces correspondingly large challenges: service development and deployment require more security features and security functions. This paper uses UMLsec, the UML security extension, to analyze and model the security requirements of NGN services, and proposes a fine-grained security requirement analysis method. Security functions are abstracted into abstract classes that describe the security requirements of NGN services, and security requirements built on security application interfaces are discussed through use cases, so that the various security features can be integrated into a service more conveniently and flexibly.

The Next Generation Network (NGN) is a packet-based telecommunications network that integrates multiple services and opens up network capabilities. Its packet-switched core network provides the transport infrastructure for service integration. Its open network capability improves service scalability and gives third-party service providers a good opportunity to enter the telecom service market. However, compared with traditional telecom networks, NGN's loosely coupled, open service architecture and rich service functions conflict with the security of an NGN built on general-purpose computing platforms and an IP transport infrastructure. Using an IP packet network as the service bearer network makes the many attacks against IP networks possible inside the telecom network, and using general-purpose computing devices as control entities introduces computer security issues at every node in the network [1]. The openness of the network and of service capabilities also brings a series of security issues unique to the service layer.

Currently, many security mechanisms are used to ensure the security of networks and computing devices. However, each of these mechanisms is designed for one or a few specific security problems in a specific environment, for example key distribution, entity authentication, confidentiality protection, or integrity protection, whereas NGN services have different and more comprehensive security requirements depending on their characteristics and execution environments. How to identify a service's security requirements and meet them with the existing network security capabilities is a problem facing service developers.

In view of the complex security requirements faced during service development, this paper proposes using the formal modeling language UMLsec [3, 4] to analyze service security requirements. The modeling language abstracts the security features a service needs into security-aware classes, expresses fine-grained security functions through these classes, and expresses the security requirements of the service through combinations of these classes. The functions of these classes are implemented through secure application interfaces, such as GSS-API [5] and NGSS-API [6], which integrate the security features into the service. Service developers are thereby freed from the implementation details of the security mechanisms during development, and the security features of the developed service become portable.

I. Analysis of NGN business security requirements

1. UMLsec Extension

UMLsec is a UML profile based on the UML standard extension mechanism. By adding security-related constraints, tags, stereotypes, and other modeling elements to the UML meta-model, it uses UML diagrams to express security-related semantics together with system requirements and constraints. However, the current UMLsec is defined for the computer network environment and needs to be extended before it can be applied to NGN service security analysis. The main extension is to add definitions related to the NGN environment to the UMLsec elements, so that the characteristics and needs of NGN services can be expressed more clearly and specifically. In this article, the bearer and execution nodes of a service are defined as the basic infrastructure of the service in NGN, and these elements are defined in the UML meta-model, as shown in Figure 1.

Figure 1 NGN infrastructure model extension

This extension adds the NGN Bearer and Node stereotypes for links and nodes, together with two metaclasses. The model can be expanded further as needed; for example, stereotypes for the access network bearer can be added.

2. UMLsec-based Threat Analysis

For the stereotypes defined in Figure 1 and the types of attacker that pose a threat to network security, a threat function Threat_A(s) can be defined, where A denotes the attacker type and s the stereotype. Here the attacker is assumed to be an external attacker with general capabilities: the attacker can intercept data traffic on a broadcast channel, insert or delete data traffic, and exploit system vulnerabilities to intrude into a system. For this attacker type, the threat function defined in the model takes its values from the set {delete, read, insert, access}. From the characteristics of the networks and computing nodes in NGN, the threat functions in Table 1 are obtained.

Table 1 threat functions of NGN infrastructure

Attackers can read, write, and delete data carried over the IP bearer, so they can attack the services it carries. For example, an attacker can modify normal SIP messages to change the call route, send BYE and other SIP messages to tear down normal SIP sessions, intercept and decode the voice packets carried by RTP for eavesdropping, or insert large amounts of data into the IP network to degrade the QoS of VoIP as a DoS attack.

Service software is usually built on general-purpose operating systems, databases, and other software. These general-purpose software packages and protocol stack implementations may all contain vulnerabilities that attackers can exploit. Through such vulnerabilities, attackers can launch Denial of Service (DoS) attacks against these devices or gain access to them.

Because the threat function of a general attacker is, in general, non-empty for the NGN infrastructure, security mechanisms must be applied to ensure service security during service development and deployment.
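The following Python model, added here as an illustration and not taken from the paper, makes the threat-function idea of this section and the security-aware classes of the introduction concrete: Threat_A(s) maps an infrastructure stereotype s to the threats an attacker of type A can realise, a service is described by its deployment onto stereotypes plus the security functions applied to each element, and a check reports which threats remain uncountered. The stereotype names, the threat sets, the mapping from threats to security functions and the VoIP deployment are all constructed assumptions consistent with the prose above; they are not a transcription of Table 1.

```python
"""Threat_A(s) and security-aware classes for an NGN service, UMLsec style.
Added example; stereotype names, threat sets, threat-to-function mapping and
the sample deployment are assumptions constructed to match the article."""
from dataclasses import dataclass
from enum import Enum


class Threat(Enum):
    DELETE = "delete"
    READ = "read"
    INSERT = "insert"
    ACCESS = "access"


# Threat_A(s) for the general external attacker A described in the text.
# Constructed values: traffic on an IP bearer can be read, inserted and
# deleted; a general-purpose computing node can be intruded into (access).
THREAT_FUNCTIONS = {
    "general": {
        "ip_bearer": frozenset({Threat.READ, Threat.INSERT, Threat.DELETE}),
        "general_node": frozenset({Threat.ACCESS}),
        "dedicated_node": frozenset(),  # assumption: closed platform, no intrusion path
    },
}


def threat(stereotype, attacker="general"):
    """Return Threat_A(s); a stereotype not in the table has no known threats."""
    return THREAT_FUNCTIONS[attacker].get(stereotype, frozenset())


@dataclass(frozen=True)
class SecurityFunction:
    """A security-aware class: one fine-grained security function, the
    threats it counters, and the deployment elements it is applied to."""
    name: str
    counters: frozenset
    applies_to: frozenset


# Assumed threat-to-function mapping: confidentiality counters read,
# integrity counters insert/delete, access control counters node access.
def confidentiality(*elements):
    return SecurityFunction("Confidentiality", frozenset({Threat.READ}), frozenset(elements))


def integrity(*elements):
    return SecurityFunction("Integrity", frozenset({Threat.INSERT, Threat.DELETE}), frozenset(elements))


def access_control(*elements):
    return SecurityFunction("AccessControl", frozenset({Threat.ACCESS}), frozenset(elements))


@dataclass
class Service:
    name: str
    deployment: dict  # element name -> stereotype from the extended profile
    functions: list   # security-aware classes composed into the service


def uncovered_threats(service, attacker="general"):
    """Threats from Threat_A(s) that no applied security function counters,
    keyed by deployment element. An empty dict means the requirement is met."""
    gaps = {}
    for element, stereotype in service.deployment.items():
        remaining = set(threat(stereotype, attacker))
        for func in service.functions:
            if element in func.applies_to:
                remaining -= func.counters
        if remaining:
            gaps[element] = frozenset(remaining)
    return gaps


def voip_example():
    """Constructed VoIP service: SIP signalling and RTP media on the IP bearer,
    the SIP proxy on a general-purpose node. Integrity is applied to signalling
    and media, confidentiality only to media, access control to the proxy."""
    voip = Service(
        "voip",
        {"sip_signalling": "ip_bearer", "rtp_media": "ip_bearer", "sip_proxy": "general_node"},
        [integrity("sip_signalling", "rtp_media"), confidentiality("rtp_media"), access_control("sip_proxy")],
    )
    return uncovered_threats(voip)


if __name__ == "__main__":
    for element, gaps in voip_example().items():
        print(f"{element}: uncountered {sorted(t.value for t in gaps)}")
```

Running the script reports that SIP signalling is still exposed to `read` (the signalling is integrity-protected but not encrypted), while the media and the proxy have every threat in Threat_A(s) countered; the developer then adds a confidentiality class to the signalling element, which the secure application interface implements without the service code having to know which mechanism is used.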

