1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T Q.3913 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (08/2014) SERIES Q: SWITCHING AND SIGNALLING Signalling requirements and protocols for the NGN Testing for next generation networks Set of parameters for monitoring Int
2、ernet of things devices Recommendation ITU-T Q.3913 ITU-T Q-SERIES RECOMMENDATIONS SWITCHING AND SIGNALLING SIGNALLING IN THE INTERNATIONAL MANUAL SERVICE Q.1Q.3 INTERNATIONAL AUTOMATIC AND SEMI-AUTOMATIC WORKING Q.4Q.59 FUNCTIONS AND INFORMATION FLOWS FOR SERVICES IN THE ISDN Q.60Q.99 CLAUSES APPLI
3、CABLE TO ITU-T STANDARD SYSTEMS Q.100Q.119 SPECIFICATIONS OF SIGNALLING SYSTEMS No. 4, 5, 6, R1 AND R2 Q.120Q.499 DIGITAL EXCHANGES Q.500Q.599 INTERWORKING OF SIGNALLING SYSTEMS Q.600Q.699 SPECIFICATIONS OF SIGNALLING SYSTEM No. 7 Q.700Q.799 Q3 INTERFACE Q.800Q.849 DIGITAL SUBSCRIBER SIGNALLING SYST
4、EM No. 1 Q.850Q.999 PUBLIC LAND MOBILE NETWORK Q.1000Q.1099 INTERWORKING WITH SATELLITE MOBILE SYSTEMS Q.1100Q.1199 INTELLIGENT NETWORK Q.1200Q.1699 SIGNALLING REQUIREMENTS AND PROTOCOLS FOR IMT-2000 Q.1700Q.1799 SPECIFICATIONS OF SIGNALLING RELATED TO BEARER INDEPENDENT CALL CONTROL (BICC) Q.1900Q.
5、1999 BROADBAND ISDN Q.2000Q.2999 SIGNALLING REQUIREMENTS AND PROTOCOLS FOR THE NGN Q.3000Q.3999 General Q.3000Q.3029 Network signalling and control functional architecture Q.3030Q.3099 Network data organization within the NGN Q.3100Q.3129 Bearer control signalling Q.3130Q.3179 Signalling and control
6、 requirements and protocols to support attachment in NGN environments Q.3200Q.3249 Resource control protocols Q.3300Q.3369 Service and session control protocols Q.3400Q.3499 Service and session control protocols supplementary services Q.3600Q.3649 NGN applications Q.3700Q.3849 Testing for next gener
7、ation networks Q.3900Q.3999 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T Q.3913 (08/2014) i Recommendation ITU-T Q.3913 Set of parameters for monitoring Internet of things devices Summary Recommendation ITU-T Q.3913 identifies the set of parameters that indicate
8、 the status of devices, including traffic parameters, anomalous behaviour and events parameters, performance parameters and battery parameters. This Recommendation also provides measurement metrics for device monitoring. History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T Q.3913
9、 2014-08-29 11 11.1002/1000/12219 Keywords Anomalous behaviour, device, monitoring, performance, traffic. _ * To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.100
10、2/1000/11830-en. ii Rec. ITU-T Q.3913 (08/2014) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a perma
11、nent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establis
12、hes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standa
13、rds are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recom
14、mendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents a
15、re used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Int
16、ellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not rece
17、ived notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ip
18、r/. ITU 2014 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T Q.3913 (08/2014) iii Table of Contents Page 1 Scope . 1 2 References . 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined i
19、n this Recommendation . 1 4 Abbreviations and acronyms 1 5 Measurement metrics 2 6 Monitoring parameters 2 6.1 Traffic parameters 2 6.2 Anomalous behaviour and events parameters 3 6.3 Performance parameters . 4 6.4 Battery parameters 6 Bibliography. 7 Rec. ITU-T Q.3913 (08/2014) 1 Recommendation ITU
20、-T Q.3913 Set of parameters for monitoring Internet of things devices 1 Scope This Recommendation provides measurement metrics for device monitoring and defines the set of parameters that indicate device status, including device traffic, anomalous behaviour, events, performance and power supply. The
21、se parameters may be generated by network elements, terminals and access gateways. The definitions provided here are dependent on next generation networks (NGN), which use Internet Protocol (IP) as the bearer protocol. How these parameters are monitored is outside of the scope of this Recommendation
22、. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revis
23、ion; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this
24、Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T Y.2060 Recommendation ITU-T Y.2060 (2012), Overview of the Internet of things. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following term defined elsewhere: 3.1.1 device ITU-T
25、 Y.2060: With regard to the Internet of things, this is a piece of equipment with the mandatory capabilities of communication and the optional capabilities of sensing, actuation, data capture, data storage and data processing. 3.2 Terms defined in this Recommendation This Recommendation defines the
26、following terms: 3.2.1 flow: A flow is defined as a set of IP packets passing an observation point in the network during a certain time interval. All packets belonging to a particular flow have a set of common properties. A packet is defined as belonging to a flow if it completely satisfies all the
27、defined properties of the flow. 3.2.2 observation point: The observation point is a location in the network where IP packets can be observed. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: IPv4 Internet Protocol version 4 IPv6 Internet Protocol versio
28、n 6 FEC Forwarding Equivalence Class ICMP Internet Control Message Protocol 2 Rec. ITU-T Q.3913 (08/2014) IMEI International Mobile Equipment Identity MEID Mobile Equipment Identifier MPLS Multi-Protocol Label Switching QoS Quality of Service TCP Transmission Control Protocol UDP User Datagram Proto
29、col 5 Measurement metrics Devices can be either stand-alone or situated in a local network. Devices in a local network can be monitored using monitors or probes, which are instruments that enable the transmission of monitoring data to a monitoring system in order to determine the status of a local a
30、rea network and devices. The monitors or probes can be integral to the devices or can be stand-alone. Probes usually record behaviour or measure the device traffic. This form of measurement is known as passive measurement. These probes often devote significant internal resources to device management
31、. Monitoring the performance of a device uplink is also known as traffic measurement. To determine the status of a device, monitoring software in the monitor or probe may periodically send a test message from a remote monitoring system. This is known as active measurement. Commonly measured metrics
32、include response time and availability. However, both consistency and reliability metrics are starting to gain popularity. In addition, these monitors/probes may be used by a network management service provider to access a remote device. 6 Monitoring parameters Monitoring parameters include: Traffic
33、 parameters (see clause 6.1) Anomalous behaviour and events parameters (see clause 6.2) Performance parameters (see clause 6.3) Battery parameters (see clause 6.4) 6.1 Traffic parameters 6.1.1 General Traffic measurement can be applied in usage-based accounting, traffic profiling, traffic engineerin
34、g, attack/intrusion detection and QoS monitoring. For example, flow-based traffic measurement can be used to help determine device performance or behaviour through the analysis of the measurement parameter values. 6.1.2 Flow-based IP traffic measurements Flow-based IP traffic measurements can be per
35、formed by a router while forwarding traffic, or by a traffic measurement probe attached to a link between the device and the network. A flow record contains measured properties of the flow (e.g., the total number of bytes of all packets of the flow) and usually also contains characteristic propertie
36、s of the flow (e.g., source IP address). The following attributes are required to be reported for each flow: the IP version number (this requirement only applies if the observation point is located at a device supporting more than one version of IP) Rec. ITU-T Q.3913 (08/2014) 3 the source IP addres
37、s the destination IP address the IP protocol type (TCP, UDP, ICMP, etc.) the source TCP/UDP port number (if the protocol type is TCP or UDP) the destination TCP/UDP port number (if the protocol type is TCP or UDP) the packet counter value (If a packet is fragmented, each fragment is counted as an in
38、dividual packet.) the byte counter value (The sum of the total length in bytes of all IP packets belonging to the flow. The total length of a packet covers the IP header and IP payload.) the type of service octet (in the case of IPv4) or the traffic class octet (in the case of IPv6) the flow label (
39、in the case of IPv6) the top multi-protocol label switching (MPLS) label if MPLS is supported at the observation point, or the corresponding forwarding equivalence class (FEC) bound to that label. The FEC is typically defined by an IP prefix the timestamp of the first packet of the flow the timestam
40、p of the last packet of the flow the sampling configuration if sampling is used the unique identifier of the observation point 6.2 Anomalous behaviour and events parameters Monitoring anomalous behaviour or events is an important aspect of security threat detection. A baseline of normal behaviour mu
41、st be identified over a period of time. Once certain parameters have been defined as normal, any departure from one or more of these parameters is flagged as anomalous. Many anomaly detection algorithms have been proposed that differ in the information used for analysis and in the techniques that ar
42、e employed to detect deviations from normal behaviour. Examples of anomaly detection methods include statistical methods, rule based methods, profiling methods and model-based approaches. 6.2.1 Abnormal service activity Abnormal service activity is an activity that is significantly above or below or
43、dinary service activity levels. The ordinary state of service is defined by a set of service rules. Parameters used to determine if the device is in ordinary state of service include: Service interval: The service interval should not be significantly above or below the normal interval. Data transmit
44、ted or received by the device: The amount of data transmitted or received should not be significantly above or below normal levels. Date and time: The date or time should not correspond to the device in activity state. 6.2.2 Mismatch between IMEI/MEID and IMSI If there is a change in the association
45、 between the IMEI/MEID of a device and the international mobile subscription identity (IMSI) of the universal integrated circuit card (UICC), the IMEI/MEID of the device will be unmatchable to the IMSI, which means that the device or the UICC could be used unlawfully. The association between the IME
46、I/MEID and the IMSI can be defined by the user profile. 4 Rec. ITU-T Q.3913 (08/2014) 6.2.3 Loss of connectivity A device is connected to the network when it is in active state, or if it is in an idle or dormant state and it can go into active state as the result of a specific command. If the connec
47、tivity of the device is lost and cannot be activated it means that the device has been either damaged or stolen. The network connectivity of devices should be monitored. 6.2.4 Change of location A device may change geographical position and/or point of attachment to the network. Such behaviour shoul
48、d be monitored if the point of attachment to the network is predefined by the profile. It is regarded as change of location if the position of the device is outside of the profile defined. 6.2.5 Unusual logon activities Since a device may regularly sign into an account from a fixed position or accor
49、ding to a schedule, it might at times be obvious that recent activity was unusual. There are a few parameters that can be used to determine if recent activity was unusual: Date and time: The date or time should not correspond to the device access logon to the account. Location: If the device signs-in from a physical location that differs from where the device is located or if the physical location where the sign-in took place is not recognized, then the activity may be conside
