Hotspot recognition method and device
Technical field
The present invention relates to the field of computer networks, and in particular to a hotspot recognition method and device.
Background technique
At present, owing to the prevalence of portable wifi devices, more and more enterprise employees bring portable wifi devices into the enterprise work environment. Mobile intelligent devices such as mobile phones connect to the hotspot established by the portable wifi device, which reaches the enterprise network through a computer, and then surf the Internet through the enterprise network. The basic process is: the wifi device is set as a hotspot, then connected through an interface such as USB to an internal device that has Internet access (for example a computer on the enterprise local network); other mobile devices can then access the Internet through that wireless device. This situation is increasingly becoming a common phenomenon. For the enterprise, the information security department can only manage it by blocking interfaces such as USB, and neither the means nor the effect of this management is good: it cannot precisely identify hotspots, cannot identify the mode in which a wifi device such as a mobile phone has been set as a hotspot, and can only adopt a blanket strategy of disabling all interfaces such as USB; this strategy affects access by other, non-hotspot devices that need to use interfaces such as USB.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a hotspot identification device and a corresponding hotspot recognition method that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a hotspot recognition method is provided, comprising:
intercepting, in the NDIS intermediate network driver, each data packet received by each network card device;
performing protocol analysis on the data packets to obtain the data content of each data packet;
for the data content of a data packet, judging whether the data content has already appeared;
if the data content appears for the first time, recording the first network card device information of the corresponding data packet together with the data content;
if the data content has already appeared, comparing the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to the data content;
if the second network card device information differs from the first network card device information, identifying the network card device information that does not belong to the local network as an unauthorized hotspot.
Optionally, performing protocol analysis on the data packets to obtain the data content of each data packet includes:
parsing the data packet and taking the part of the data packet other than the Ethernet header as the data content.
Optionally, for the data content of a data packet, judging whether the data content has already appeared includes:
computing an MD5 digest of the data content to obtain a hash value of the data content;
matching the hash value against the hash values in a record list;
if the hash value does not match any hash value in the record list, judging that the data content appears for the first time;
if the hash value matches a hash value in the record list, judging that the data content has already appeared.
Optionally, if the data content appears for the first time, recording the first network card device information of the corresponding data packet together with the data content includes:
obtaining the MAC address from the source MAC structure in the Ethernet header of the data packet;
storing the MAC address and the hash value in correspondence in the record list.
Optionally, if the data content has already appeared, comparing the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to the data content includes:
obtaining the MAC address from the source MAC structure in the Ethernet header of the data packet;
comparing the MAC address with the MAC address in the record list that corresponds to the hash value.
Optionally, the record list is stored in memory.
Optionally, the method further includes:
sending the relevant information of the unauthorized hotspot to a network monitoring center for display.
Optionally, the method further includes:
acquiring, at the application layer, the network card device information identified as an unauthorized hotspot, and packaging and displaying the network card device information of the unauthorized hotspot.
Optionally, the method further includes:
according to a disabling instruction from the network monitoring center for at least one unauthorized hotspot, controlling the NDIS intermediate network driver to disable the network card device of the hotspot identified as unauthorized.
Optionally, the method further includes:
receiving, at the application layer, a disabling instruction for at least one unauthorized hotspot, and sending the control instruction to the NDIS intermediate network driver.
Optionally, the method further includes:
disabling the network card device of the hotspot identified as unauthorized.
Optionally, disabling the network card device of the hotspot identified as unauthorized includes:
discarding the data packets sent by the network card device corresponding to the hotspot identified as unauthorized.
Optionally, when performing protocol analysis on the data packets to obtain the data content of each data packet, the method further includes:
parsing the sequence number of the data packet in the data content;
when the sequence number identifies the data packet as a first packet, entering the step of judging whether the data content has already appeared.
Optionally, after the network card device information that does not belong to the local network is identified as an unauthorized hotspot, the method further includes:
marking the network card device information of the unauthorized hotspot;
Further, disabling the network card device of the hotspot identified as unauthorized includes:
when the sequence number identifies the data packet as not being a first packet, judging whether the network card device information of the data packet corresponds to an unauthorized hotspot; if the network card device information of the data packet corresponds to an unauthorized hotspot, directly discarding the data packet.
Optionally, the network card device information of the local network includes:
the network card device information of the device itself that currently executes the action of intercepting each data packet in the NDIS intermediate network driver, or the network card device information in a local authorization list.
Optionally, the method further includes:
for an unauthorized hotspot, authorizing the network card device information of the unauthorized hotspot according to an authorization instruction, and letting the data packets of the hotspot pass.
The invention also discloses a hotspot identification device, comprising:
a data packet capture module, adapted to intercept, in the NDIS intermediate network driver, each data packet received by each network card device;
a protocol resolution module, adapted to perform protocol analysis on the data packets to obtain the data content of each data packet;
a hotspot identification module, adapted to identify unauthorized hotspots; the hotspot identification module includes:
a data content judgment module, adapted to judge, for the data content of a data packet, whether the data content has already appeared;
a logging module, adapted to record the first network card device information of the corresponding data packet together with the data content when it is judged that the data content appears for the first time;
a comparison module, adapted to compare the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to the data content when it is judged that the data content has already appeared;
a hotspot determining module, adapted to identify the network card device information that does not belong to the local network as an unauthorized hotspot when it is judged that the second network card device information differs from the first network card device information.
Optionally, the protocol resolution module includes:
a first protocol resolution module, adapted to parse the data packet and take the part of the data packet other than the Ethernet header as the data content.
Optionally, the data content judgment module includes:
a hash calculation module, adapted to compute an MD5 digest of the data content to obtain a hash value of the data content;
a matching module, adapted to match the hash value against the hash values in the record list;
a first judgment module, adapted to judge that the data content appears for the first time when the hash value does not match any hash value in the record list;
a second judgment module, adapted to judge that the data content has already appeared when the hash value matches a hash value in the record list.
Optionally, the logging module includes:
a first address acquisition module, adapted to obtain the MAC address from the source MAC structure in the Ethernet header of the data packet;
a first logging module, adapted to store the MAC address and the hash value in correspondence in the record list.
Optionally, the comparison module includes:
a second address acquisition module, adapted to obtain the MAC address from the source MAC structure in the Ethernet header of the data packet;
a second comparison module, adapted to compare the MAC address with the MAC address in the record list that corresponds to the hash value.
Optionally, the record list is stored in memory.
Optionally, the device further includes:
a first sending module, adapted to send the relevant information of the unauthorized hotspot to the network monitoring center for display.
Optionally, the device further includes:
a hotspot acquisition module, adapted to acquire, at the application layer, the network card device information of the hotspot identified as unauthorized, and to package and display the network card device information of the unauthorized hotspot.
Optionally, the device further includes:
a first disabling module, adapted to control the NDIS intermediate network driver to disable the network card device of the hotspot identified as unauthorized, according to a disabling instruction from the network monitoring center for at least one unauthorized hotspot.
Optionally, the device further includes:
a hotspot management module, adapted to receive, at the application layer, a disabling instruction for at least one unauthorized hotspot, and to send the control instruction to the NDIS intermediate network driver.
Optionally, the device further includes:
a hotspot management module, adapted to disable the network card device of the hotspot identified as unauthorized.
Optionally, the hotspot management module includes:
a first hotspot management module, adapted to discard the data packets sent by the network card device corresponding to the hotspot identified as unauthorized.
Optionally, the protocol resolution module further includes:
a first packet judgment module, adapted to parse the sequence number of the data packet in the data content and, when the sequence number identifies the data packet as a first packet, to pass it on to the hotspot identification module.
Optionally, after the hotspot determining module, the device further includes:
a second logging module, adapted to mark the network card device information of the unauthorized hotspot;
Further, the hotspot management module further includes:
a second disabling module, adapted to judge, when the sequence number identifies the data packet as not being a first packet, whether the network card device information of the data packet corresponds to an unauthorized hotspot, and to directly discard the data packet if the network card device information of the data packet corresponds to an unauthorized hotspot.
Optionally, the network card device information of the local network includes:
the network card device information of the device itself that currently executes the action of intercepting each data packet in the NDIS intermediate network driver, or the network card device information in the local authorization list.
Optionally, the device further includes:
an authorization module, adapted to add, for an unauthorized hotspot, the network card device information of the unauthorized hotspot to the local authorization list according to an authorization instruction.
According to the hotspot recognition method of the present invention, for an unauthorized hotspot that accesses the network through a network device in the local network, each data packet received by each network card device is intercepted in the NDIS intermediate network driver of the local network device, and protocol analysis is then performed on the data packets. Because forwarding a hotspot's data packet through the local network device does not change the content of the data packet but only its Ethernet header, when the same data packet is judged to appear again in the NDIS intermediate network driver, it can be tentatively judged that the data packet is suspected of coming from an unauthorized hotspot; if the network card device information corresponding to the data packet does not belong to the local network, then it is an unauthorized hotspot. This solves the problem that the prior art, which performs network management by blocking interfaces such as USB, cannot accurately identify unauthorized hotspots, and the problem that the prior art affects access by other non-hotspot devices that need to use interfaces such as USB. The beneficial effect achieved is that unauthorized hotspots accessing through USB or other interfaces are accurately identified without having to block interfaces such as USB, so that other non-hotspot devices that need to access through interfaces such as USB are not affected.
The above description is only an overview of the technical scheme of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be more clearly understood, specific embodiments of the present invention are described below.
Detailed description of the invention
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, the same reference numbers are used to refer to the same parts. In the drawings:
Fig. 1 shows a kind of flow diagram of hotspot recognition methods according to an embodiment of the invention;
Fig. 2 shows a kind of flow diagrams of hotspot recognition methods according to an embodiment of the invention;
Fig. 3 shows a kind of flow diagram of hotspot recognition methods according to an embodiment of the invention;
Fig. 4 shows a kind of flow diagram of hotspot recognition methods according to an embodiment of the invention;
Fig. 5 shows a kind of structural schematic diagram of hotspot identification device according to an embodiment of the invention;
Fig. 6 shows a kind of structural schematic diagram of wireless hotspot recognition system according to an embodiment of the invention;
Fig. 7 shows a kind of structural schematic diagram of hotspot identification device according to an embodiment of the invention;
Fig. 7a shows the logical hierarchy framework of each main module according to an embodiment of the present invention; and
Fig. 8 shows a kind of structural schematic diagram of hotspot identification device according to an embodiment of the invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the present invention may be understood more thoroughly and so that the scope of the disclosure may be fully conveyed to those skilled in the art.
Embodiment one
Referring to Fig. 1, which illustrates a flow diagram of a hotspot recognition method of the present invention, the method may specifically include:
Step 102, intercepting, in the NDIS intermediate network driver, each data packet received by each network card device;
To facilitate understanding of the present invention, the application environment of the embodiment of the present invention is introduced first:
First, the present invention is directed at a hotspot set up on a device with wifi capability, where that device accesses a network device in the local network through an interface such as USB; the present invention installs the device of the invention in advance on that local network device. Taking a computer as an example, if a user sets mobile phone A, which has wifi capability, as hotspot A and connects it to computer A through a USB cable, then the data packets sent over USB by the network card of hotspot A pass through the NDIS intermediate network driver of computer B; and for the data packets of hotspot A to go out, the computer's network card B must forward the data packets of hotspot A outward, and the data packets forwarded outward by network card B also pass through the NDIS intermediate network driver of computer B. Therefore the present invention can intercept all received data packets in the NDIS intermediate network driver.
In the embodiment of the present invention, for every hotspot that accesses a network device of the local network through an interface such as USB, the network device of the local network can intercept, in the NDIS intermediate network driver, all data packets of the network card device of that hotspot and of the network card device of the local network device. That is, the network device of the local network in the present invention intercepts, in the NDIS intermediate network driver, all data packets of all network card devices related to the machine. Taking the TCP packet data format as an example, an Ethernet data packet comprises: the Ethernet header, the IP part, the TCP part and the application data.
NDIS (Network Driver Interface Specification) defines the communication interface specification between network card (NIC) drivers and upper-layer protocol drivers across the transport layer, network layer and data link layer. It shields the differences of the underlying physical hardware, allowing upper-layer protocol drivers to communicate with network cards of any model. NDIS supports three types of network driver:
1. NDIS Miniport NIC Driver: the miniport NIC driver at the bottom, which is the physical driver of the network device.
2. NDIS Protocol Driver: the high-level protocol driver, which implements a specific protocol stack, such as the TCP/IP protocol stack, and exports the TDI interface upwards.
3. NDIS Intermediate Driver: the intermediate network driver, located between the Miniport Driver and the Protocol Driver. Sitting between the NIC driver and the protocol driver, it provides a miniport function set upwards and a protocol function set downwards; therefore it is a miniport driver to upper-layer drivers and a protocol driver to lower-layer drivers.
The embodiment of the present invention therefore implements the unauthorized hotspot identification function in the NDIS intermediate network driver. The NDIS intermediate network driver is located in the kernel layer.
Step 104, performing protocol analysis on the data packets to obtain the data content of each data packet;
In the present invention, the data packets sent by a network card device are encapsulated with an Ethernet protocol, such as a protocol of the 802 protocol suite; a data packet comprises an Ethernet header and a data content portion. The data format of the upper-layer protocol, such as the TCP protocol data format or the UDP data format, is encapsulated in the data content.
Preferably, performing protocol analysis on the data packets to obtain the data content of each data packet includes:
Sub-step A10, parsing the data packet and taking the part of the data packet other than the Ethernet header as the data content.
The present invention therefore performs Ethernet protocol parsing on the intercepted data packet, parsing out the Ethernet header and the data content portion other than the Ethernet header.
In the embodiment of the present invention, in current technology an Ethernet data packet comprises the Ethernet header and the other data segments, without a trailer encapsulation; taking the TCP packet data format as an example, it comprises: the Ethernet header, the IP part, the TCP part and the application data, so the part other than the Ethernet header can be taken as the data content.
In some cases, if the Ethernet data packet comprises an Ethernet header, other data segments and an Ethernet trailer, for example, again taking the TCP packet data format: the Ethernet header, the IP part, the TCP part, the application data and the Ethernet trailer, then the part other than the Ethernet header and the Ethernet trailer can be taken as the data content portion of the present invention.
Step 106, for the data content of a data packet, judging whether the data content has already appeared; if the data content appears for the first time, proceeding to step 108; if the data content has already appeared, proceeding to step 110;
It can be understood that in the embodiment of the present invention, the data content is first judged against the data content already recorded: if the data content appears for the first time, it is recorded for subsequent judgment; if the data content appears again, this indicates that the network card device corresponding to the data packet in which the data content appears is a potential unauthorized hotspot.
For the data content of a data packet, judging whether the data content has already appeared includes:
Sub-step A20, computing an MD5 digest of the data content to obtain a hash value of the data content;
Sub-step A22, matching the hash value against the hash values in the record list;
Sub-step A24, if the hash value does not match any hash value in the record list, judging that the data content appears for the first time;
Sub-step A26, if the hash value matches a hash value in the record list, judging that the data content has already appeared.
In the embodiment of the present invention, in order to save storage space and computing resources, the present invention computes MD5 (Message Digest Algorithm 5) over the data content to obtain its hash value (HASH value). When the computed HASH value is not recorded in the record list, this indicates that the data content appears for the first time and needs to be recorded in the record list, i.e. proceed to step 108. When the computed HASH value is already recorded in the record list, this indicates that the data content appears again, which in turn indicates that the network card device of the data packet to which the data content belongs is a potential unauthorized hotspot and that subsequent judgment is needed, i.e. proceed to step 110.
Preferably, in embodiments of the present invention, the record list is stored in memory.
Of course, the present invention may also compute over the data content with other algorithms; the present invention does not limit this.
Step 108, if the data content appears for the first time, recording the first network card device information of the corresponding data packet together with the data content;
It can be understood that if the data content appears for the first time, this means that the content of the data packet comes from a new, unknown source intercepted by the NDIS intermediate network driver, and the data content of the data packet and the corresponding first network card device information need to be recorded for subsequent use. The data packet itself can then be left unprocessed and let through.
Preferably, if the data content appears for the first time, recording the first network card device information of the corresponding data packet together with the data content includes:
Sub-step A30, obtaining the MAC address from the source MAC structure in the Ethernet header of the data packet;
In the embodiment of the present invention, after the protocol analysis of the data packet in step 102, the Ethernet header data can be temporarily stored. The structure of the Ethernet header includes: destination MAC address, source MAC address and type. The source MAC (Media Access Control address, also called the hardware address) is the network card device information of the sender of the data packet. When a record is needed, the MAC address is obtained from the source MAC structure in the Ethernet header.
Sub-step A32, storing the MAC address and the hash value in correspondence in the record list.
For data content that appears for the first time in the embodiment of the present invention, the source MAC address in the data packet and the HASH value of the data content are stored in one-to-one correspondence in the record list. That is, the record list has at least two columns, one for the HASH value and one for the MAC address, and on storage the two values belonging to the same data packet are placed in correspondence.
In embodiments of the present invention, the record list is stored in memory.
Step 110, if the data content has already appeared, comparing the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to the data content;
If the data content has already appeared, it is necessary to further judge whether the second network card device information corresponding to the current data packet is identical to the first network card device information recorded for the data content. If they are identical, this indicates that the data packet was sent by the local network device itself; it needs no processing and can be let through. If they differ, this indicates that the network card device of the local network is forwarding data sent by a hotspot network card.
Preferably, if the data content has already appeared, comparing the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to the data content includes:
Sub-step 40, obtaining the MAC address from the source MAC structure in the Ethernet header of the data packet;
In the embodiment of the present invention, after the protocol analysis of the data packet in step 102, the Ethernet header data can be temporarily stored. The structure of the Ethernet header includes: destination MAC address, source MAC address and type. The source MAC (Media Access Control address, also called the hardware address) is the network card device information of the sender of the data packet. When a comparison is needed, the MAC address is obtained from the source MAC structure in the Ethernet header.
Sub-step 42, comparing the MAC address with the MAC address in the record list that corresponds to the hash value.
The currently obtained MAC address is matched against the MAC addresses in the record list in memory. If it matches, this indicates that the currently obtained MAC address is network card device information of the local network; if it does not match, this indicates that the currently obtained MAC address may be the information of an unauthorized hotspot, and the identification of step 112 needs to be carried out.
Step 112, if the second network card device information differs from the first network card device information, identifying the network card device information that does not belong to the local network as an unauthorized hotspot.
It can be understood that in the embodiment of the present invention, the network card device information of the local network can be understood as authorized network card device information; the network card device information of the local network may include:
the network card device information of the device itself that currently executes the action of intercepting each data packet in the NDIS intermediate network driver, or the network card device information in the local authorization list.
The "network card device information of the device itself that currently executes the action of intercepting each data packet in the NDIS intermediate network driver" can be understood as the network card device information of the device that the hotspot under test has accessed. For example, if a user uses a mobile phone as a hotspot and accesses a networked computer inside the company, then this computer is the network card device information of the local network. In this case the computer itself is the reference point for the judgment, and the network card device information of the machine can be obtained from the computer's hardware information. In this way it is possible to distinguish, between the two differing pieces of network card device information (the second and the first), which one is unauthorized network card device information, and thereby determine the corresponding unauthorized hotspot; the implementation is simple and efficient.
As for the "network card device information in the local authorization list": in the embodiment of the present invention, the local authorization list is built from the network card device information of at least one network card device in the local network. For example, the network card device information of the various devices that can access the Internet inside a company or other organization can be added to the local authorization list. For wireless devices brought in by company employees themselves, since they are devices from outside the company, private individuals are basically not allowed to build hotspots in order to guarantee the security of the company network; therefore, the network card device information of in-company devices can be added to the local authorization list, and devices that build hotspots without being entered in the local authorization list are disabled. This method makes it convenient for a company to manage hotspots set up with mobile devices. For example, for the company's mobile device A, when it accesses any computer on the company's internal network and that computer uses A's hotspot function, the first network card device information and the second network card device information obtained by the preceding steps differ, so it is necessary to judge whether the two need to be disabled. The present invention can then build the local authorization list from the devices registered across the company's network (such as registered computers, and also A); using the local authorization list, regardless of which device A accesses with its hotspot function, it can be determined that the hotspot built by A has authorized network card device information, so its data packets can be let through and it can surf the Internet normally. Other cases are analogous and are not detailed here.
In embodiments of the present invention, a single master local authorization list can be kept at the network monitoring center and then pushed as an update to each network device in the local network. Each network device can hold the local authorization list in memory so that the NDIS intermediate network driver can perform the comparison and identification functions; the list may of course also reside in a storage space such as a hard disk and be loaded into memory when it is used.
In embodiments of the present invention, for network card device information that is in the local authorization list, the data packets are passed and no other processing is performed.
Preferably, the embodiment of the present invention may further include:
Step 114: for an unauthorized wireless hotspot, authorize the network card device information of the unauthorized wireless hotspot according to an authorization instruction, and pass the data packets of that wireless hotspot.
It will be appreciated that, for ease of management, for example when a new wireless hotspot set up by a newly added network device is to be admitted to the company's internal network, or when a wireless hotspot is to be passed temporarily, the network card device information of the unauthorized wireless hotspot can be authorized so that, for example, the data packets of a wireless hotspot temporarily attached to a local computer are sent normally.
In addition, in this embodiment, for the case where the network card device information of the local network is "the network card device information of the device itself that currently performs the action of intercepting each data packet in the NDIS intermediate network driver", taking each computer inside the company as an example, that network card device information is the information of the computer that itself performs the interception and analysis. In that case the authorization instruction for the wireless hotspot can be sent from the computer's administrator account or from the network monitoring center, and the data packets of the wireless hotspot are then passed directly.
For the case where the network card device information of the local network is "the network card device information in the local authorization list", each computer device responsible for interception and analysis can maintain one local authorization list, and the present invention can update, through the computer device's administrator account or the network monitoring center, the local authorization list maintained on each such computer device, that is, add the network card device information of the wireless hotspot that is to be passed to the local authorization list.
In embodiments of the present invention, where the wireless hotspot is attached to the local network device over USB, the local network card device information can be marked. When the second network card device information differs from the first network card device information, the marked local network card device information is matched against the second network card device information (or against the first), and according to the match result the network card device information that does not belong to the local network is identified as the unauthorized wireless hotspot. For example, when matching against the second network card device information: if it matches, the first network card device information does not belong to the local network, and the first network card device information is identified as the unauthorized wireless hotspot; if it does not match, the second network card device information itself does not belong to the local network, and the second network card device information is identified as the unauthorized wireless hotspot. Other identification approaches are similar and are not described in detail here.
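The record-and-compare rule of the foregoing paragraphs (the local authorization list and the marking of the local network card), as an added example that is not part of the patent text: a user-mode model in Python of the logic the NDIS intermediate network driver would run. The frames, MAC addresses, and the names Detector, parse_frame, content_hash and demo are constructed for this example; the real driver works on NDIS packet descriptors rather than raw byte strings.

```python
"""User-mode model of the record-and-compare hotspot identification.

Added example, not code from the patent. Frames, MAC addresses and the
names Detector / parse_frame / content_hash / demo are constructed for
this example; the real logic runs inside an NDIS intermediate driver.
"""
import hashlib
import struct

ETH_HDR_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (source MAC, data content).

    The data content is everything after the Ethernet header: the part the
    forwarding computer leaves unchanged when it relays a hotspot packet.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[6:12], frame[ETH_HDR_LEN:]


def content_hash(data_content: bytes) -> bytes:
    # MD5 as in embodiment three; it is only a deduplication key here.
    return hashlib.md5(data_content).digest()


class Detector:
    def __init__(self, local_macs, authorized_macs=()):
        self.local_macs = set(local_macs)       # marked NICs of this machine
        self.authorized = set(authorized_macs)  # local authorization list
        self.record = {}                        # content hash -> first src MAC
        self.unauthorized = set()               # identified hotspot MACs

    def observe(self, frame: bytes):
        """Return the MAC newly identified as an unauthorized hotspot, or None."""
        src_mac, content = parse_frame(frame)
        h = content_hash(content)
        first = self.record.get(h)
        if first is None:
            self.record[h] = src_mac  # first appearance: record, then pass
            return None
        if first == src_mac:
            return None  # same content from the same NIC: a retransmission
        # Same content from two different NICs: one side is the hotspot.
        return self._classify(first, src_mac)

    def _classify(self, first, second):
        """The NIC that is neither marked local nor authorized is the hotspot."""
        trusted = self.local_macs | self.authorized
        if first in trusted and second not in trusted:
            culprit = second
        elif second in trusted and first not in trusted:
            culprit = first
        else:
            return None  # both trusted (registered device A) or undecidable
        self.unauthorized.add(culprit)
        return culprit


# Constructed sample addresses and frames.
LOCAL_NIC = bytes.fromhex("001122334455")    # the computer's own NIC
HOTSPOT_NIC = bytes.fromhex("66778899aabb")  # USB-attached phone hotspot
DEVICE_A = bytes.fromhex("0a0b0c0d0e0f")     # registered company device A
GATEWAY = bytes.fromhex("ffeeddccbbaa")      # upstream gateway


def frame(dst, src, payload, ethertype=0x0800):
    return dst + src + struct.pack("!H", ethertype) + payload


def demo():
    det = Detector(local_macs=[LOCAL_NIC], authorized_macs=[DEVICE_A])
    payload = b"\x45\x00" + b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    r1 = det.observe(frame(LOCAL_NIC, HOTSPOT_NIC, payload))  # arrives from hotspot
    r2 = det.observe(frame(GATEWAY, LOCAL_NIC, payload))      # relayed unchanged
    payload2 = b"\x45\x00" + b"traffic of registered device A"
    det.observe(frame(LOCAL_NIC, DEVICE_A, payload2))
    r3 = det.observe(frame(GATEWAY, LOCAL_NIC, payload2))     # both sides trusted
    return r1, r2, r3, sorted(det.unauthorized)


if __name__ == "__main__":
    print(demo())
```

The deduplication key is an MD5 of everything after the Ethernet header, as in embodiment three. A retransmission from the same network card does not trigger a match, and two trusted addresses (device A relayed by a registered computer) yield no identification, which is exactly the case the local authorization list exists for. Note that the rule only holds when the relaying computer leaves the content untouched; a NAT that rewrites IP addresses and checksums changes the content and therefore the hash.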
With a wireless hotspot identification method according to the present invention, for an unauthorized wireless hotspot attached through a network device in the local network, each data packet of each network card device received is intercepted in the NDIS intermediate network driver of the local network device and protocol parsing is performed on the data packet. Because a data packet that the local network device forwards for a wireless hotspot keeps its content unchanged and only its Ethernet header changes, when the same data packet is seen to appear again in the NDIS intermediate network driver it can be tentatively judged to be suspected of belonging to an unauthorized wireless hotspot; if the network card device information corresponding to that data packet does not belong to the local network, it is an unauthorized wireless hotspot. This solves the prior-art problems that an unauthorized wireless hotspot cannot be accurately identified when network management is performed by blocking interfaces such as USB, and that other non-hotspot devices that need interfaces such as USB are affected. The beneficial effect achieved is that an unauthorized wireless hotspot attached over USB or another interface is accurately identified without blocking interfaces such as USB, so that other non-hotspot devices that need such interfaces are not affected.
Embodiment two
Referring to Fig. 2, which shows a flow diagram of a wireless hotspot identification method of the present invention, the method may specifically include:
Step 202: intercept, in the NDIS intermediate network driver, each data packet of each network card device received;
Step 204: perform protocol parsing on the data packet to obtain the data content of each data packet;
Step 206: for the data content of a data packet, judge whether that data content has already appeared;
Step 208: if the data content appears for the first time, record the first network card device information of the corresponding data packet together with the data content;
Step 210: if the data content has already appeared, compare the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to that data content;
Step 212: if the second network card device information differs from the first network card device information, identify the network card device information that does not belong to the local network as the unauthorized wireless hotspot;
Step 214: send the relevant information of the unauthorized wireless hotspot to the network monitoring center for display;
In the embodiment of the present invention, the relevant information of the unauthorized wireless hotspot (such as its MAC address) can be sent to the network monitoring center and displayed to the network administrator, who can then select which wireless hotspots to disable as required.
In embodiments of the present invention, the MAC address of the unauthorized wireless hotspot can be packaged directly and sent over the network to the network monitoring center; after the network monitoring center receives the package it parses it and assembles the result in its application layer for display.
Step 216: according to a disabling instruction from the network monitoring center for at least one unauthorized wireless hotspot, control the NDIS intermediate network driver to disable the network card device of the wireless hotspot identified as unauthorized.
After the network administrator selects some or all of the wireless hotspots for disabling, the network monitoring center transmits the disabling instruction to the network device that intercepted the corresponding data packets, and that network device controls the NDIS intermediate network driver to disable the network card device of the wireless hotspot identified as unauthorized.
Preferably, disabling the network card device of the wireless hotspot identified as unauthorized includes:
Step B10: discard the data packets sent by the network card device corresponding to the wireless hotspot identified as unauthorized.
Of course, in the embodiment of the present invention, as long as no disabling instruction has been received, all intercepted data packets can be passed.
Optionally, the network card device information of the local network includes:
the network card device information of the device itself that currently performs the action of intercepting each data packet in the NDIS intermediate network driver, or the network card device information in the local authorization list.
Optionally, the method further includes:
Step S220: for an unauthorized wireless hotspot, authorize the network card device information of the unauthorized wireless hotspot according to an authorization instruction, and pass the data packets of that wireless hotspot.
It will be appreciated that the principle of the steps of this embodiment is similar to that of embodiment one and is not detailed here.
The embodiment of the present invention accurately identifies an unauthorized wireless hotspot attached over USB or another interface without blocking interfaces such as USB, so that other non-hotspot devices that need such interfaces are not affected, and can send the information of the unauthorized wireless hotspot to the network monitoring center, which displays it or issues a disabling instruction for the wireless hotspot so that it is disabled.
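The report and disabling exchange of steps 214 through 216 and step B10 (the packaged MAC address sent up to the network monitoring center, and the disabling or authorization instruction sent back down), as an added example that is not part of the patent text. The wire format (one type byte, a count, raw 6-byte MAC addresses), the DriverFilter class and the other names are assumptions of this example; the page only states that the MAC address is packaged, sent, and parsed at the network monitoring center. Python is used here as a user-mode model of both sides.

```python
"""Driver <-> network monitoring center messages of embodiment two.

Added example, not the patent's code. The wire format (one type byte, a
count, raw 6-byte MAC addresses) and the names pack_report, parse_report,
pack_instruction and DriverFilter are assumptions of this example.
"""
import struct

REPORT, DISABLE, AUTHORIZE = b"R", b"D", b"A"


def pack_report(macs):
    """Driver side: package the MAC addresses of identified hotspots (step 214)."""
    return REPORT + struct.pack("!H", len(macs)) + b"".join(macs)


def parse_report(msg: bytes):
    """Monitoring center side: unpack to printable MACs for the admin display."""
    if msg[:1] != REPORT or len(msg) < 3:
        raise ValueError("not a report")
    (n,) = struct.unpack("!H", msg[1:3])
    body = msg[3:]
    if len(body) != 6 * n:
        raise ValueError("report length does not match its count")
    return [body[i:i + 6].hex(":") for i in range(0, len(body), 6)]


def pack_instruction(kind: bytes, mac_text: str) -> bytes:
    """Monitoring center side: a disabling (step 216) or authorization (step S220) instruction."""
    return kind + bytes.fromhex(mac_text.replace(":", ""))


class DriverFilter:
    """Driver-side state. Until an instruction arrives every packet is passed."""

    def __init__(self):
        self.disabled = set()     # NICs whose packets are discarded (step B10)
        self.authorized = set()   # local authorization list

    def handle_instruction(self, msg: bytes):
        kind, mac = msg[:1], msg[1:]
        if len(mac) != 6:
            raise ValueError("instruction must carry exactly one MAC address")
        if kind == DISABLE:
            self.authorized.discard(mac)
            self.disabled.add(mac)
        elif kind == AUTHORIZE:
            self.disabled.discard(mac)
            self.authorized.add(mac)
        else:
            raise ValueError("unknown instruction type")

    def filter_packet(self, frame: bytes) -> str:
        """Step B10: drop packets whose source NIC has been disabled."""
        src_mac = frame[6:12]
        return "drop" if src_mac in self.disabled else "pass"


def demo():
    hotspot = bytes.fromhex("66778899aabb")          # constructed hotspot MAC
    frm = b"\xff" * 6 + hotspot + b"\x08\x00" + b"payload"
    drv = DriverFilter()
    shown = parse_report(pack_report([hotspot]))    # what the administrator sees
    before = drv.filter_packet(frm)                 # no instruction yet
    drv.handle_instruction(pack_instruction(DISABLE, shown[0]))
    during = drv.filter_packet(frm)
    drv.handle_instruction(pack_instruction(AUTHORIZE, shown[0]))
    after = drv.filter_packet(frm)
    return shown, before, during, after


if __name__ == "__main__":
    print(demo())
```

Both directions are length-checked before use: a report whose body is shorter than its count is rejected rather than read past its end, and an instruction without a full MAC address is rejected. That is the minimum a kernel-side parser of messages arriving from user mode should do, since the instruction path is an input to the driver.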
Embodiment three
Referring to Fig. 3, which shows a flow diagram of a wireless hotspot identification method of the present invention, the method may specifically include:
Step 302: intercept, in the NDIS intermediate network driver, each data packet of each network card device received;
Step 304: perform protocol parsing on the data packet to obtain the data content of each data packet;
Step 306: compute MD5 over the data content to obtain the hash value of the data content;
Step 308: match the hash value against the hash values in the record list; if the hash value matches none of the hash values in the record list, go to step 310; if the hash value matches a hash value in the record list, go to step 312;
Step 310: record the first network card device information of the corresponding data packet together with the hash value; after recording, pass the data packet.
Step 312: compare the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to the hash value; if the second network card device information is identical to the first network card device information, pass the data packet; if the second network card device information differs from the first network card device information, go to step 314;
Step 314: if the second network card device information differs from the first network card device information, identify the network card device information that does not belong to the local network as the unauthorized wireless hotspot;
Step 316: acquire, in the application layer, the network card device information of the wireless hotspot identified as unauthorized, and package and display the network card device information of the unauthorized wireless hotspot;
After the NDIS intermediate network driver has identified the unauthorized wireless hotspot, showing it to the user requires passing the information of the unauthorized wireless hotspot to the application layer: the wireless hotspot information is passed up to the TDI protocol driver, and the TDI protocol driver calls the user interaction interface to deliver the wireless hotspot information to the wireless hotspot information acquisition module, which packages and displays it.
Step 318: receive, in the application layer, a disabling instruction for at least one unauthorized wireless hotspot, and send that control instruction down to the NDIS intermediate network driver;
When the administrator wants to disable one or several unauthorized wireless hotspots, after the disable button is clicked the instruction must be issued from the application layer down to the NDIS intermediate network driver, which disables the network card device of the wireless hotspot identified as unauthorized.
Step 320: after the NDIS intermediate network driver receives the disabling instruction, disable the network card device of the wireless hotspot identified as unauthorized.
Of course, in the embodiment of the present invention, as long as no disabling instruction has been received, all intercepted data packets can be passed.
Optionally, the network card device information of the local network includes:
the network card device information of the device itself that currently performs the action of intercepting each data packet in the NDIS intermediate network driver, or the network card device information in the local authorization list.
Optionally, the method further includes:
Step S322: for an unauthorized wireless hotspot, authorize the network card device information of the unauthorized wireless hotspot according to an authorization instruction, and pass the data packets of that wireless hotspot.
It will be appreciated that the principle of the steps of this embodiment is similar to that of embodiments one and two and is not detailed here.
The embodiment of the present invention accurately identifies an unauthorized wireless hotspot attached over USB or another interface without blocking interfaces such as USB, so that other non-hotspot devices that need such interfaces are not affected; in addition, the information of the unauthorized wireless hotspot can be displayed in the application layer, the instruction to disable each unauthorized wireless hotspot received there, and the NDIS intermediate network driver then controlled to disable the unauthorized wireless hotspot.
Embodiment four
Referring to Fig. 4, which shows a flow diagram of a wireless hotspot identification method of the present invention, the method may specifically include:
Step 402: intercept, in the NDIS intermediate network driver, each data packet of each network card device received;
Step 404: perform protocol parsing on the data packet to obtain the data content of each data packet, and parse the sequence number of the data packet from the data content;
In embodiments of the present invention, the sequence number of the data packet can further be parsed from the data content. For example, if the data content is a TCP packet, the data sequence number in the TCP header can be parsed according to the TCP protocol. For other data content, such as a UDP packet, the sequence number of the data packet can still be parsed according to the protocol used by the data carried in the UDP packet, for example the sequence number of an SMTP or FTP packet.
Step 406: when the sequence number identifies the data packet as a first packet, judge whether the data content has already appeared;
Taking the data sequence number in the TCP header as an example, a sequence number of 1 denotes the first packet, and it is then judged whether the data content has already appeared; a sequence number of 2 denotes that it is not the first packet, and no judgement of whether the data content has already appeared needs to be made. (In practice the initial sequence number of a TCP connection is random, so the first packet is recognised by the SYN flag, or by the sequence number relative to the connection's initial sequence number, rather than by an absolute value of 1.)
Step 408: if the data content appears for the first time, record the first network card device information of the corresponding data packet together with the data content;
Step 410: if the data content has already appeared, compare the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to that data content;
That is, when the data content appears again, the second network card device information of the corresponding data packet is compared with the recorded first network card device information corresponding to that data content.
Step 412: if the second network card device information differs from the first network card device information, identify the network card device information that does not belong to the local network as the unauthorized wireless hotspot;
Step 414: mark the network card device information of the unauthorized wireless hotspot.
That is, the present invention records the network card device information of the unauthorized wireless hotspot, so that subsequent disabling can use the recorded network card device information of the unauthorized wireless hotspot.
Step 416: acquire, in the application layer, the network card device information of the wireless hotspot identified as unauthorized, and package and display the network card device information of the unauthorized wireless hotspot;
Step 418: receive, in the application layer, a disabling instruction for at least one unauthorized wireless hotspot, and send that control instruction down to the NDIS intermediate network driver;
Step 420: when the sequence number identifies the data packet as not being a first packet, judge whether the network card device information of the data packet corresponds to an unauthorized wireless hotspot; if the network card device information of the data packet corresponds to an unauthorized wireless hotspot, discard the data packet directly.
When an unauthorized wireless hotspot is to be disabled, the sequence number of the data packet can be used as well. If the data packet is not a first packet, its corresponding network card device information has necessarily already been determined, so it need only be matched against the foregoing record of network card device information of unauthorized wireless hotspots to decide whether this non-first packet was sent by an unauthorized wireless hotspot; if its network card device information corresponds to an unauthorized wireless hotspot, the data packet is discarded directly. A first packet can likewise be discarded directly.
If the network card device information of the data packet does not correspond to an unauthorized wireless hotspot, the data packet is passed.
In embodiments of the present invention, whether the network card device information of the data packet corresponds to an unauthorized wireless hotspot can be judged using the local authorization list.
Of course, in the embodiment of the present invention, as long as no disabling instruction has been received, all intercepted data packets can be passed.
Optionally, the network card device information of the local network includes:
the network card device information of the device itself that currently performs the action of intercepting each data packet in the NDIS intermediate network driver, or the network card device information in the local authorization list.
Optionally, the method further includes:
Step S420: for an unauthorized wireless hotspot, authorize the network card device information of the unauthorized wireless hotspot according to an authorization instruction, and pass the data packets of that wireless hotspot.
It will be appreciated that the principle of the steps of this embodiment is similar to that of embodiments one, two and three and is not detailed here.
The embodiment of the present invention need only analyse, for data packets that are first packets, whether the packet was sent by an external wireless hotspot; if so, the network card device information of the unauthorized wireless hotspot is marked, and later packets can then be disabled on the basis of the marked network card device information of the unauthorized wireless hotspot. The embodiment accurately identifies an unauthorized wireless hotspot attached over USB or another interface without blocking interfaces such as USB, so that other non-hotspot devices that need such interfaces are not affected.
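The first-packet gating of steps 404 through 420, as an added example that is not part of the patent text: only a first packet goes through the content comparison, and every later packet is checked against the marked set. Because a real TCP initial sequence number is random, this example recognises the first segment by the SYN flag instead of the sequence value 1 the page uses as an illustration; that substitution, the constructed IPv4/TCP frames (with checksums left at zero), and the names parse_tcp, SeqGatedDetector, ipv4_tcp and demo are this example's own assumptions.

```python
"""First-packet gating of embodiment four, as an added example.

Not the patent's code. The first segment is recognised by the TCP SYN
flag (a substitution for the page's "sequence number 1"), the IPv4/TCP
frames are constructed with zero checksums, and the names parse_tcp,
SeqGatedDetector, ipv4_tcp and demo are this example's own.
"""
import hashlib
import struct

ETH_HDR_LEN = 14


def parse_tcp(content: bytes):
    """Return (sequence number, is_first_packet) for IPv4/TCP, else None."""
    if len(content) < 20 or content[0] >> 4 != 4:
        return None
    ihl = (content[0] & 0x0F) * 4
    if content[9] != 6 or len(content) < ihl + 20:  # IP protocol 6 = TCP
        return None
    seq = struct.unpack_from("!I", content, ihl + 4)[0]
    flags = content[ihl + 13]
    return seq, bool(flags & 0x02)  # SYN marks the first segment


class SeqGatedDetector:
    def __init__(self, local_macs):
        self.local = set(local_macs)
        self.record = {}       # content hash -> first source MAC
        self.marked = set()    # network cards marked unauthorized (step 414)
        self.disabled = set()  # marked cards for which a disabling instruction arrived

    def handle(self, frame: bytes) -> str:
        src, content = frame[6:12], frame[ETH_HDR_LEN:]
        tcp = parse_tcp(content)
        if tcp is None or not tcp[1]:
            # Not a first packet (step 420): no content comparison, only the
            # cheap lookup against the disabled cards.
            return "drop" if src in self.disabled else "pass"
        # First packet (steps 406 to 414): record on first sight, compare on repeat.
        h = hashlib.md5(content).digest()
        first = self.record.setdefault(h, src)
        if first != src:
            self.marked.add(first if src in self.local else src)
        return "drop" if src in self.disabled else "pass"

    def disable(self, mac: bytes):
        """Disabling instruction (steps 418 to 420) for a marked card."""
        if mac in self.marked:
            self.disabled.add(mac)


def ipv4_tcp(seq: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4 + TCP headers; checksums left at zero for the model."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([93, 184, 216, 34]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


def eth(dst: bytes, src: bytes, content: bytes) -> bytes:
    return dst + src + b"\x08\x00" + content


def demo():
    local = bytes.fromhex("001122334455")    # the computer's own NIC
    hotspot = bytes.fromhex("66778899aabb")  # USB-attached hotspot NIC
    gateway = bytes.fromhex("ffeeddccbbaa")
    det = SeqGatedDetector([local])
    syn = ipv4_tcp(seq=0x1A2B3C4D, flags=0x02)
    data = ipv4_tcp(seq=0x1A2B3C4E, flags=0x18, payload=b"GET / HTTP/1.1\r\n")
    results = [
        det.handle(eth(local, hotspot, syn)),   # first sight: recorded, passed
        det.handle(eth(gateway, local, syn)),   # repeat from local NIC: hotspot marked
        det.handle(eth(local, hotspot, data)),  # non-first packet, nothing disabled yet
    ]
    det.disable(hotspot)
    results += [
        det.handle(eth(local, hotspot, data)),  # fast-path drop
        det.handle(eth(gateway, local, data)),  # local NIC's own copy still passes
    ]
    return results, sorted(det.marked)


if __name__ == "__main__":
    print(demo())
```

The hash and record lookup run only on connection-opening segments; every data segment from a marked and disabled network card is dropped with a single set lookup, while the local network card's own copies keep flowing. A first packet from a disabled card is dropped by the same check at the end of handle, as the text allows.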
Embodiment five
Referring to Fig. 5, which shows a structural diagram of a wireless hotspot identification device of the present invention, the device includes:
a data packet interception module 510, adapted to intercept, in the NDIS intermediate network driver, each data packet of each network card device received;
a protocol parsing module 520, adapted to perform protocol parsing on the data packet to obtain the data content of each data packet;
a wireless hotspot identification module 530, adapted to identify unauthorized wireless hotspots; the wireless hotspot identification module 530 includes:
a data content judgement module 531, adapted to judge, for the data content of a data packet, whether that data content has already appeared;
a recording module 532, adapted to record the first network card device information of the corresponding data packet together with the data content when the data content is judged to appear for the first time;
a comparison module 533, adapted to compare the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to the data content when the data content is judged to have already appeared;
a wireless hotspot determination module 534, adapted to identify the network card device information that does not belong to the local network as the unauthorized wireless hotspot when the second network card device information is judged to differ from the first network card device information.
Of course, the data content judgement module 531, recording module 532, comparison module 533 and wireless hotspot determination module 534 of the embodiment need not be contained within the wireless hotspot identification module 530; they can be placed directly alongside the data packet interception module 510 and the protocol parsing module 520, that is, in order of precedence the data content judgement module 531 connects directly to the protocol parsing module 520 and the other modules are connected in sequence after it.
Optionally, the protocol parsing module 520 includes (not shown in the figure):
a first protocol parsing module, adapted to parse the data packet and take the portion of the data packet after the Ethernet header as the data content.
Optionally, the data content judgement module 531 includes (not shown in the figure):
a hash calculation module, adapted to compute MD5 over the data content to obtain the hash value of the data content;
a matching module, adapted to match the hash value against the hash values in the record list;
a first judgement module, adapted to judge that the data content appears for the first time when the hash value matches none of the hash values in the record list;
a second judgement module, adapted to judge that the data content has already appeared when the hash value matches a hash value in the record list.
Optionally, the recording module 532 includes (not shown in the figure):
a first address acquisition module, adapted to obtain the MAC address from the source MAC field of the Ethernet header of the data packet;
a first recording module, adapted to store the MAC address and the hash value correspondingly in the record list.
Optionally, the comparison module 533 includes (not shown in the figure):
a second address acquisition module, adapted to obtain the MAC address from the source MAC field of the Ethernet header of the data packet;
a second comparison module, adapted to compare that MAC address with the MAC address corresponding to the hash value in the record list.
Optionally, the record list is stored in memory.
Optionally, the network card device information of the local network includes:
the network card device information of the device itself that currently performs the action of intercepting each data packet in the NDIS intermediate network driver, or the network card device information in the local authorization list.
Optionally, the device further includes:
Step S520: for an unauthorized wireless hotspot, authorize the network card device information of the unauthorized wireless hotspot according to an authorization instruction, and pass the data packets of that wireless hotspot.
Embodiment six
Referring to Fig. 6, which shows a structural diagram of a wireless hotspot identification system of the present invention, the system includes:
a wireless hotspot identification device 600 and a network monitoring center 700;
the wireless hotspot identification device 600 includes:
a data packet interception module 610, adapted to intercept, in the NDIS intermediate network driver, each data packet of each network card device received;
a protocol parsing module 620, adapted to perform protocol parsing on the data packet to obtain the data content of each data packet;
a wireless hotspot identification module 630, adapted to identify unauthorized wireless hotspots; the wireless hotspot identification module 630 includes:
a data content judgement module 631, adapted to judge, for the data content of a data packet, whether that data content has already appeared;
a recording module 632, adapted to record the first network card device information of the corresponding data packet together with the data content when the data content is judged to appear for the first time;
a comparison module 633, adapted to compare the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to the data content when the data content is judged to have already appeared;
a wireless hotspot determination module 634, adapted to identify the network card device information that does not belong to the local network as the unauthorized wireless hotspot when the second network card device information is judged to differ from the first network card device information;
a first sending module 640, adapted to send the relevant information of the unauthorized wireless hotspot to the network monitoring center for display;
a first disabling module 650, adapted to control, according to a disabling instruction from the network monitoring center for at least one unauthorized wireless hotspot, the NDIS intermediate network driver to disable the network card device of the wireless hotspot identified as unauthorized.
The first disabling module 650 includes:
a first wireless hotspot management module, adapted to discard the data packets sent by the network card device corresponding to the wireless hotspot identified as unauthorized.
The network card device information of the local network includes:
the network card device information of the device itself that currently performs the action of intercepting each data packet in the NDIS intermediate network driver, or the network card device information in the local authorization list.
Optionally, the system further includes:
an authorization module, adapted to add, for an unauthorized wireless hotspot, the network card device information of the unauthorized wireless hotspot to the local authorization list according to an authorization instruction.
Embodiment seven
Referring to Fig. 7, which shows a structural diagram of a wireless hotspot identification device of the present invention, the device includes:
a data packet interception module 710, adapted to intercept, in the NDIS intermediate network driver, each data packet of each network card device received;
a protocol parsing module 720, adapted to perform protocol parsing on the data packet to obtain the data content of each data packet;
a wireless hotspot identification module 730, adapted to identify unauthorized wireless hotspots; the wireless hotspot identification module 730 includes:
a data content judgement module 731, adapted to judge, for the data content of a data packet, whether that data content has already appeared; the data content judgement module 731 includes:
a hash calculation module 7311, adapted to compute MD5 over the data content to obtain the hash value of the data content;
a matching module 7312, adapted to match the hash value against the hash values in the record list;
a first judgement module 7313, adapted to judge that the data content appears for the first time when the hash value matches none of the hash values in the record list;
a second judgement module 7314, adapted to judge that the data content has already appeared when the hash value matches a hash value in the record list;
a recording module 732, adapted to record the first network card device information of the corresponding data packet together with the hash value when the hash value is judged to appear for the first time;
a comparison module 733, adapted to compare the second network card device information of the corresponding data packet with the recorded first network card device information corresponding to the hash value when the hash value is judged to have already appeared;
a wireless hotspot determination module 734, adapted to identify the network card device information that does not belong to the local network as the unauthorized wireless hotspot when the second network card device information is judged to differ from the first network card device information;
a wireless hotspot acquisition module 740, adapted to acquire, in the application layer, the network card device information of the wireless hotspot identified as unauthorized, and to package and display the network card device information of the unauthorized wireless hotspot;
a wireless hotspot management module 750, adapted to receive, in the application layer, a disabling instruction for at least one unauthorized wireless hotspot and to send that control instruction down to the NDIS intermediate network driver;
a wireless hotspot management module 760, adapted to disable the network card device of the wireless hotspot identified as unauthorized.
The network card device information of the local network includes:
the network card device information of the device itself that currently performs the action of intercepting each data packet in the NDIS intermediate network driver, or the network card device information in the local authorization list.
Optionally, the device further includes:
an authorization module, adapted to add, for an unauthorized wireless hotspot, the network card device information of the unauthorized wireless hotspot to the local authorization list according to an authorization instruction.
Such as Fig. 7 a, the logical hierarchy framework of each main modular of the embodiment of the present invention are as follows:
Network card equipment sends up data packet;The NDIS mid-level network of inner nuclear layer drives the data on the network equipment
Packet blocking module 710, protocol resolution module 720, hotspot identification module 730, hotspot management module 760 are in NDIS
Mid-level network driving is TDI protocol-driven on the driving of NDIS mid-level network, belongs to application layer, and hotspot is known
Other module 730 passes the letter of hotspot by TDI protocol-driven and user's interactive interface to hotspot acquisition module 740
Breath, hotspot manages module 750 and passes control instruction to TDI by user's interactive interface, and then is sent to hotspot management
Module.
Embodiment eight
Referring to Fig. 8, which shows a structural schematic diagram of a hotspot identification device of the present invention, comprising:
data packet interception module 810, suitable for intercepting, in the NDIS intermediate-layer network driver, each data packet received by each network card equipment;
protocol resolution module 820, suitable for performing protocol analysis on the data packets, obtaining the data content of each data packet, and parsing the serial number of the data packet from the data content;
hotspot identification module 830, suitable for identifying an unauthorized hotspot when the serial number identifies the data packet as a first packet; hotspot identification module 830 includes:
data content judgment module 831, suitable for judging, for the data content of a data packet, whether that data content has already appeared;
recording module 832, suitable for recording the first network card equipment information of the corresponding data packet together with the data content when the data content is judged to appear for the first time;
comparison module 833, suitable for comparing the second network card equipment information of the corresponding data packet with the recorded first network card equipment information corresponding to the data content when the data content is judged to have already appeared;
hotspot determining module 834, suitable for identifying the network card equipment information of the non-local network as an unauthorized hotspot when the second network card equipment information is judged to differ from the first network card equipment information;
second recording module 835, suitable for marking the network card equipment information of the unauthorized hotspot;
hotspot acquisition module 840, suitable for acquiring, at the application layer, the network card equipment information of the hotspot identified as unauthorized, and for packaging and displaying the network card equipment information of the unauthorized hotspot.
Hotspot management module 850 is suitable for receiving, at the application layer, a disabling instruction for at least one unauthorized hotspot, and for sending the control instruction to the NDIS intermediate-layer network driver;
hotspot control module 860 is suitable for disabling the network card equipment of the hotspot identified as unauthorized; hotspot control module 860 further includes:
second disabling module 861, suitable for judging, when the serial number identifies the data packet as not a first packet, whether the network card equipment information of the data packet corresponds to an unauthorized hotspot, and directly discarding the data packet if it does.
The network card equipment information of the local network includes:
the network card equipment information of the device itself that currently executes the interception of each packet in the NDIS intermediate-layer network driver, or the network card equipment information in a local grant list.
Optionally, the device further includes:
an authorization module, suitable for adding, for an unauthorized hotspot and according to an authorization instruction, the network card equipment information of the unauthorized hotspot to the local grant list.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Furthermore, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be realized with various programming languages, and that the description given above of specific languages serves to disclose the preferred embodiments of the present invention.
Numerous specific details are set forth in the description provided here. It will be appreciated, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to simplify the disclosure and help in understanding one or more of the various inventive aspects, the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to realize some or all of the functions of some or all of the components of a hotspot identification device according to an embodiment of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for executing some or all of the method described herein. Such a program realizing the invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, a hotspot identification method, comprising:
intercepting, in the NDIS intermediate-layer network driver, each data packet received by each network card equipment;
performing protocol analysis on the data packets to obtain the data content of each data packet;
for the data content of a data packet, judging whether the data content has already appeared;
if the data content appears for the first time, recording the first network card equipment information of the corresponding data packet together with the data content;
if the data content has already appeared, comparing the second network card equipment information of the corresponding data packet with the recorded first network card equipment information corresponding to the data content;
if the second network card equipment information differs from the first network card equipment information, identifying the network card equipment information of the non-local network as an unauthorized hotspot.
A2, the method as described in A1, characterized in that performing protocol analysis on the data packets to obtain the data content of each data packet includes:
parsing the data packet and taking the part of the data packet other than the Ethernet header as the data content.
A3, the method as described in A1 or A2, characterized in that, for the data content of a data packet, judging whether the data content has already appeared includes:
computing the MD5 of the data content to obtain the hash value of the data content;
matching the hash value against the hash values in a record list;
if the hash value matches no hash value in the record list, judging that the data content appears for the first time;
if the hash value matches a hash value in the record list, judging that the data content has already appeared.
A4, the method as described in A3, characterized in that, if the data content appears for the first time, recording the first network card equipment information of the corresponding data packet together with the data content includes:
obtaining the MAC address in the source MAC structure of the Ethernet header of the data packet;
storing the MAC address and the hash value correspondingly in the record list.
A5, the method as described in A3, characterized in that, if the data content has already appeared, comparing the second network card equipment information of the corresponding data packet with the recorded first network card equipment information corresponding to the data content includes:
obtaining the MAC address in the source MAC structure of the Ethernet header of the data packet;
comparing the MAC address with the MAC address in the record list that corresponds to the hash value.
A6, the method as described in A3, characterized in that the record list is stored in memory.
A7, the method as described in A1, characterized in that it further includes:
sending the relevant information of the unauthorized hotspot to a network monitoring center for display.
A8, the method as described in A1, characterized in that it further includes:
acquiring, at the application layer, the network card equipment information of the hotspot identified as unauthorized, and packaging and displaying the network card equipment information of the unauthorized hotspot.
A9, the method as described in A7, characterized in that it further includes:
according to a disabling instruction of the network monitoring center for at least one unauthorized hotspot, controlling the NDIS intermediate-layer network driver to disable the network card equipment of the hotspot identified as unauthorized.
A10, the method as described in A7 or A8, characterized in that it further includes:
receiving, at the application layer, a disabling instruction for at least one unauthorized hotspot, and sending the control instruction to the NDIS intermediate-layer network driver.
A11, the method as described in A1 or A10, characterized in that it further includes:
disabling the network card equipment of the hotspot identified as unauthorized.
A12, the method as described in A8 or A11, characterized in that disabling the network card equipment of the hotspot identified as unauthorized includes:
discarding the data packets sent by the network card equipment corresponding to the hotspot identified as unauthorized.
A13, the method as described in A1 or A11, characterized in that, when performing protocol analysis on the data packets to obtain the data content of each data packet, it further includes:
parsing the serial number of the data packet from the data content;
when the serial number identifies the data packet as a first packet, entering the step of judging whether the data content has already appeared.
A14, the method as described in A13, characterized in that, after the network card equipment information of the non-local network is identified as an unauthorized hotspot, it further includes:
marking the network card equipment information of the unauthorized hotspot;
further, disabling the network card equipment of the hotspot identified as unauthorized includes:
when the serial number identifies the data packet as not a first packet, judging whether the network card equipment information of the data packet corresponds to an unauthorized hotspot; if the network card equipment information of the data packet corresponds to an unauthorized hotspot, directly discarding the data packet.
A15, the method as described in A1, characterized in that the network card equipment information of the local network includes:
the network card equipment information of the device itself that currently executes the interception of each packet in the NDIS intermediate-layer network driver, or the network card equipment information in a local grant list.
A16, the method as described in one of A1, A7, A8 and A15, characterized in that it further includes:
for an unauthorized hotspot, authorizing the network card equipment information of the unauthorized hotspot according to an authorization instruction, and letting the data packets of that hotspot pass.
The invention also discloses B17, a hotspot identification device, comprising:
a data packet interception module, suitable for intercepting, in the NDIS intermediate-layer network driver, each data packet received by each network card equipment;
a protocol resolution module, suitable for performing protocol analysis on the data packets to obtain the data content of each data packet;
a hotspot identification module, suitable for identifying an unauthorized hotspot; the hotspot identification module includes:
a data content judgment module, suitable for judging, for the data content of a data packet, whether the data content has already appeared;
a recording module, suitable for recording the first network card equipment information of the corresponding data packet together with the data content when the data content is judged to appear for the first time;
a comparison module, suitable for comparing the second network card equipment information of the corresponding data packet with the recorded first network card equipment information corresponding to the data content when the data content is judged to have already appeared;
a hotspot determining module, suitable for identifying the network card equipment information of the non-local network as an unauthorized hotspot when the second network card equipment information is judged to differ from the first network card equipment information.
B18, the device as described in B17, characterized in that the protocol resolution module includes:
a first protocol resolution module, suitable for parsing the data packet and taking the part of the data packet other than the Ethernet header as the data content.
B19, the device as described in B17 or B18, characterized in that the data content judgment module includes:
a hash calculation module, suitable for computing the MD5 of the data content to obtain the hash value of the data content;
a matching module, suitable for matching the hash value against the hash values in a record list;
a first judgment module, suitable for judging that the data content appears for the first time when the hash value matches no hash value in the record list;
a second judgment module, suitable for judging that the data content has already appeared when the hash value matches a hash value in the record list.
B20, the device as described in B19, characterized in that the recording module includes:
a first address acquisition module, suitable for obtaining the MAC address in the source MAC structure of the Ethernet header of the data packet;
a first recording module, suitable for storing the MAC address and the hash value correspondingly in the record list.
B21, the device as described in B19, characterized in that the comparison module includes:
a second address acquisition module, suitable for obtaining the MAC address in the source MAC structure of the Ethernet header of the data packet;
a second comparison module, suitable for comparing the MAC address with the MAC address in the record list that corresponds to the hash value.
B22, the device as described in B19, characterized in that the record list is stored in memory.
B23, the device as described in B17, characterized in that it further includes:
a first sending module, suitable for sending the relevant information of the unauthorized hotspot to a network monitoring center for display.
B24, the device as described in B17, characterized in that it further includes:
a hotspot acquisition module, suitable for acquiring, at the application layer, the network card equipment information of the hotspot identified as unauthorized, and for packaging and displaying the network card equipment information of the unauthorized hotspot.
B25, the device as described in B23, characterized in that it further includes:
a first disabling module, suitable for controlling the NDIS intermediate-layer network driver to disable the network card equipment of the hotspot identified as unauthorized, according to a disabling instruction of the network monitoring center for at least one unauthorized hotspot.
B26, the device as described in B23 or B24, characterized in that it further includes:
a hotspot management module, suitable for receiving, at the application layer, a disabling instruction for at least one unauthorized hotspot, and for sending the control instruction to the NDIS intermediate-layer network driver.
B27, the device as described in B17 or B26, characterized in that it further includes:
a hotspot control module, suitable for disabling the network card equipment of the hotspot identified as unauthorized.
B28, the device as described in B24 or B27, characterized in that the hotspot control module includes:
a first hotspot control module, suitable for discarding the data packets sent by the network card equipment corresponding to the hotspot identified as unauthorized.
B29, the device as described in B17 or B27, characterized in that the protocol resolution module further includes:
a first packet judgment module, suitable for parsing the serial number of the data packet from the data content and, when the serial number identifies the data packet as a first packet, entering the hotspot identification module.
B30, the device as described in B29, characterized in that, after the hotspot determining module, it further includes:
a second recording module, suitable for marking the network card equipment information of the unauthorized hotspot;
further, the hotspot control module further includes:
a second disabling module, suitable for judging, when the serial number identifies the data packet as not a first packet, whether the network card equipment information of the data packet corresponds to an unauthorized hotspot, and directly discarding the data packet if the network card equipment information of the data packet corresponds to an unauthorized hotspot.
B31, the device as described in B17, characterized in that the network card equipment information of the local network includes:
the network card equipment information of the device itself that currently executes the interception of each packet in the NDIS intermediate-layer network driver, or the network card equipment information in a local grant list.
B32, the device as described in one of B17, B23, B24 and B31, characterized in that it further includes:
an authorization module, suitable for adding, for an unauthorized hotspot and according to an authorization instruction, the network card equipment information of the unauthorized hotspot to the local grant list.
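As an added illustration that is not part of the patent, the following Python simulates in user space the method of claims A1 to A16 (and the device of B17 to B32) over constructed Ethernet frames: the MD5 of everything after the 14-byte Ethernet header is the record-list key, the source MAC is the network card equipment information, and the non-local NIC is flagged and its later packets dropped until an authorization instruction moves it to the grant list. The `HotspotDetector` API, the MAC addresses and payloads are constructed for the demo, and an `is_first` flag stands in for the serial-number check of A13/A14, since the claims do not fix how that serial number is encoded.

```python
import hashlib
import struct

# Constructed Ethernet II framing: 6-byte destination MAC, 6-byte source MAC,
# 2-byte EtherType, payload. Everything past the 14-byte header is the
# "data content" that claims A2/A3 feed to MD5.
ETH_HDR_LEN = 14


def build_frame(src_mac: bytes, dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


class HotspotDetector:
    """In-memory record list (A6) mapping MD5 digest -> source MAC that first sent it (A4)."""

    def __init__(self, local_mac: bytes, grant_list=()):
        self.local_mac = local_mac         # NIC of the host running the intercepting driver (A15)
        self.grant_list = set(grant_list)  # locally authorized NICs (A15/A16)
        self.record = {}                   # digest -> first source MAC
        self.flagged = set()               # NICs marked as unauthorized hotspots (A14)

    def is_local(self, mac: bytes) -> bool:
        return mac == self.local_mac or mac in self.grant_list

    def authorize(self, mac: bytes) -> None:
        """Authorization instruction (A16): grant the NIC and let its packets pass again."""
        self.grant_list.add(mac)
        self.flagged.discard(mac)

    def inspect(self, frame: bytes, is_first: bool = True):
        """Return (action, mac) with action in {'pass', 'drop', 'hotspot'}.
        is_first stands in for the A13/A14 serial-number check (assumed flag):
        the content comparison runs only on first packets."""
        src_mac = frame[6:12]
        if src_mac in self.flagged:
            return "drop", src_mac         # A12/A14: discard traffic of a flagged NIC
        if not is_first:
            return "pass", None
        digest = hashlib.md5(frame[ETH_HDR_LEN:]).digest()
        first_mac = self.record.get(digest)
        if first_mac is None:
            self.record[digest] = src_mac  # A4: first occurrence, record MAC and digest
            return "pass", None
        if first_mac == src_mac:
            return "pass", None            # same NIC re-sending, nothing to compare
        # A5/A1: identical content already seen from another NIC, i.e. the packet
        # was forwarded through this host. Whichever of the two NICs is not local
        # (neither the host's own NIC nor in the grant list) is the hotspot side.
        culprit = next((m for m in (first_mac, src_mac) if not self.is_local(m)), None)
        if culprit is None:
            return "pass", None
        self.flagged.add(culprit)          # A14: mark it so later packets hit the drop path
        return "hotspot", culprit


def run_demo():
    """Replay the background-section scenario with constructed MACs and payloads."""
    phone = bytes.fromhex("02aabbccddee")    # constructed: handset behind the carry-on wifi hotspot
    host = bytes.fromhex("0211223344ff")     # constructed: host NIC on the enterprise LAN
    gateway = bytes.fromhex("020000000001")  # constructed: LAN gateway
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    det = HotspotDetector(local_mac=host)
    verdicts = [
        det.inspect(build_frame(phone, gateway, 0x0800, payload)),         # first sighting: recorded
        det.inspect(build_frame(host, gateway, 0x0800, payload)),          # forwarded copy: phone flagged
        det.inspect(build_frame(phone, gateway, 0x0800, b"next"), False),  # later packet from flagged NIC
    ]
    det.authorize(phone)
    verdicts.append(det.inspect(build_frame(phone, gateway, 0x0800, b"after auth")))
    return verdicts
```

Because only the Ethernet header is stripped before hashing, the identification in A1/A5 depends on the forwarded packet's content being byte-identical on both network cards, which is what the claims assume.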