CN109120917B - A kind of detection method and system of clone CM - Google Patents

Publication number
CN109120917B
Authority
CN
China
Prior art keywords
feature
tested
features
legal
clone
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201810829684.4A
Other languages
Chinese (zh)
Other versions
CN109120917A (en
Inventor
赵健宏
李凯
孟繁家
周刚
黄长震
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Branch Of Hubei Radio & Television Inforamtion Network Co ltd
Original Assignee
Wuhan Branch Of Hubei Radio & Television Inforamtion Network Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Branch Of Hubei Radio & Television Inforamtion Network Co ltd filed Critical Wuhan Branch Of Hubei Radio & Television Inforamtion Network Co ltd
Priority to CN201810829684.4A priority Critical patent/CN109120917B/en
Publication of CN109120917A publication Critical patent/CN109120917A/en
Application granted granted Critical
Publication of CN109120917B publication Critical patent/CN109120917B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N17/00 Diagnosis, testing or measuring for television systems or their details
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00 Television systems
    • H04N7/10 Adaptations for transmission by electrical cable

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of cable television and provides a method and system for detecting cloned CMs. The method includes: obtaining the features of the CMs under test by collecting CM information across the whole network, and obtaining the legitimate CM features from a feature database; and calculating the similarity of CM features between the CM under test and the legitimate CM, thereby detecting cloned CMs. The CM features include CM ontology features and CM terminal network environment features. The CM ontology features include one or more of CM manufacturer information, the number of CM ports, the IP address assigned to the CM by DHCP and the gateway assigned to the CM by DHCP. The CM terminal network environment features include one or more of the CM upstream level value, the CM downstream level value and the CM downstream SNR. The invention describes CM features along two dimensions, the device itself and the terminal network environment. Because it relies on multi-dimensional features, it copes effectively with individual feature factors being missing or inaccurate and is therefore highly robust; and because all feature attribute information is collected directly from the CM, it is also portable and maintainable.

Figure 201810829684

Description

A method and system for detecting cloned CMs

【Technical Field】

The invention relates to the field of cable television and provides a method and system for detecting cloned CMs.

【Background】

Cable Modem Termination System - Cable Modem (CMTS-CM) networking is one of the networking modes most widely used by broadcast and television network operators. Operators usually provide differentiated services such as broadband access authentication on the basis of the Media Access Control (MAC) address, and many illegitimate users can steal operator services in various ways, causing financial losses. CM cloning is one of the main service-theft techniques; it is harder to guard against than the others and also creates hidden risks for network security auditing. Three CM cloning techniques are in common use. The first is weak cloning, which simply changes the CM's MAC address to match that of a legitimate CM. The second is strong cloning: before the D1.1 specification was completed, some D1.0 CMs had already been sold, and operators adopted self-signed certificates for D1.0 CMs as a compatibility solution, which gave attackers an opening to steal service by making D1.1 clones with self-signed BPI+. The third is perfect cloning, which is accomplished by copying the MAC address, importing a legitimate X.509 digital certificate, performing serial/JTAG programming, and cracking the CM flash chip.

Of the existing clone CM detection techniques, two are in common use. The first is BPI+, which uses X.509 digital certificates to identify cloned CMs and control their access, and is the industry's usual defence against CM cloning. By enabling and configuring the BPI+ function on the CM, X.509 digital certificates can be used to identify cloned CMs and control access. This approach has the following shortcomings: (1) it cannot defend against "perfect clones"; (2) the device must support BPI+ and have it enabled, so an illegitimate user can evade detection by disabling the CM's BPI+ function or by using a CM of an older DOCSIS version that does not support BPI+; (3) it noticeably increases the performance load on the CMTS. The second is clone CM detection based on feature matching, which compares the relevant features of a suspicious CM with that CM's historical feature records in order to single out cloned CMs. However, such methods usually take the CM's upstream channel information (CMTS upstream port number, load balancing group) or gateway information as the feature attributes. Matching on a single kind of feature copes poorly with ambiguous or missing location identification information, and because the feature values come directly or indirectly from the CMTS, the system must interface with the integrated network management system and the BOSS system, or rely on DHCP relay for feature collection. The result is tight coupling, difficult deployment, operation and maintenance, and poor compatibility and portability. Moreover, because existing clone CM detection systems are so tightly coupled, those from foreign vendors are usually sold bundled with the related systems and are expensive.

For example, patent US7512969B2 extracts the GIADDR identifier from DHCP packets and uses historical records of CM MAC address/giaddr tuples to identify CMs with duplicate MAC addresses, but the system does not cope well when the CMTS serving a CM changes. Patent US7957305B2 divides the network into hierarchical regions and uses a three-level CMTS, ROC and NOC system to identify cloned CMs by hierarchical iteration, where the ROC and NOC identify cloned CMs using the CM upstream port number, load balancing group and CMTS ID as features. However, the system requires corresponding configuration of the DHCP relay and DHCP server, dedicated ROC and NOC server clusters, and physical network links between the CMTS and the ROC and between the ROC and the NOC, so it is costly and difficult to deploy, operate and maintain. Patent CN105100088A uses the address of the user to whom the CM belongs as the feature, but the actual features are still the upstream port number to which the CM belongs and the ID of the CMTS. The system first obtains CMs with duplicate MACs from the integrated network management system as detection targets, looks up the optical node name from the CM's upstream port identifier, then runs a fuzzy matching query on the user information in the BOSS system using the optical node name to obtain the user's address, and uses that address as the basis for identifying cloned CMs. This mechanism has the following shortcomings: (1) In live networks, a mismatch between the optical node name and the user address information in the BOSS system is not a low-probability event, and once fuzzy matching fails, identification accuracy suffers. (2) If the CMTS upstream channels use a load balancing configuration, dynamic changes of the upstream port disrupt the correspondence between optical nodes and upstream ports, which significantly affects identification accuracy. (3) The feature data is obtained from the integrated network management system and the BOSS system, so data integrity is constrained by third-party systems.

In view of this, overcoming the above defects of the prior art is a problem that urgently needs to be solved in this technical field.

【Summary of the Invention】

The technical problem to be solved by the present invention is as follows:

In existing clone CM detection based on feature matching, matching on a single kind of feature copes poorly with ambiguous or missing location identification information. In addition, existing systems are tightly coupled: they must interface with the integrated network management system and the BOSS system, and place high demands on the data conformity of those third-party systems.

The present invention achieves the above object through the following technical solutions:

In a first aspect, the present invention provides a method for detecting cloned CMs, comprising:

obtaining the features of the CMs under test by collecting CM information across the whole network, and obtaining the legitimate CM features by extraction from a feature database;

using a similarity algorithm to calculate the similarity of CM features between the CM under test and the legitimate CM, thereby detecting cloned CMs;

wherein the CM under test has the same MAC address as the legitimate CM; the CM features include CM ontology features and CM terminal network environment features; the CM ontology features include one or more of CM manufacturer information, the number of CM ports, and the IP address and gateway assigned to the CM by DHCP; and the CM terminal network environment features include one or more of the CM upstream level value, the CM downstream level value and the CM downstream SNR.

Preferably, the method further includes the following:

The server and the legitimate CM each maintain the same random algorithm, which takes network time as its input parameter. The random number it produces is converted into a digit sequence, and the server and the legitimate CM order the CM ontology features and CM terminal network environment features according to that digit sequence. The server calculates feature similarity only after verifying that the feature ordering of the CM under test is the same as that of the legitimate CM; if the orderings differ, the corresponding CM under test is determined to be a cloned CM.

Preferably, the similarity of CM features between the CM under test and the legitimate CM is calculated as follows:

According to the formula

Figure BDA0001743250430000031

calculate the ontology feature similarity between the ontology feature Bi(V) of the CM under test and the ontology feature A(V) of the legitimate CM

Figure BDA0001743250430000032

According to the formula

Figure BDA0001743250430000033

calculate the terminal network environment feature similarity between the terminal network environment feature Bi(C) of the CM under test and the terminal network environment feature A(C) of the legitimate CM

Figure BDA0001743250430000041

where

Figure BDA0001743250430000042

is the Euclidean distance between the terminal network environment feature Bi(C) of the CM under test and the terminal network environment feature A(C) of the legitimate CM, and θ is a control factor;

According to the formula

Figure BDA0001743250430000043

calculate the similarity SIM(Bi, A) between the feature Bi of the CM under test and the feature A of the legitimate CM, where ω is the proportion of the CM features taken up by the CM terminal network environment features.

Preferably, cloned CMs are detected as follows:

According to the calculated CM feature similarities, the one CM under test whose features are most similar to those of the legitimate CM is retained, and the remaining CMs under test are determined to be cloned CMs and added to the cloned CM list.

Preferably, obtaining the features of the CMs under test by collecting CM information across the whole network, and obtaining the legitimate CM features by extraction from the feature database, includes the following:

The system polls the DHCP server to obtain the basic information of all CMs in the network, where the basic information includes the MAC address and the IP address;

The features of all CMs in the network are collected according to the basic information, and the legitimate CM features are stored in the feature database;

The CMs under test are screened according to the basic information and their features are obtained, and the legitimate CM features are extracted from the feature database.

Preferably, collecting the features of all CMs in the network according to the basic information and storing the legitimate CM features in the feature database includes the following steps:

According to the MAC addresses and IP addresses of all CMs in the network, collect the ontology features and the terminal network environment features of all CMs in the network;

Quantify the ontology features of all CMs in the network to obtain the ontology feature A(V) of the legitimate CM; quantify the terminal network environment features of all CMs in the network to obtain the terminal network environment feature A(C) of the legitimate CM;

Store the resulting ontology feature A(V) and terminal network environment feature A(C) of the legitimate CM in the feature database; A(V) and A(C) together constitute the feature A of the legitimate CM.

Preferably, screening the CMs under test according to the basic information, obtaining their features, and extracting the legitimate CM features from the feature database specifically includes the following steps:

According to the MAC addresses of all CMs in the network, screen out one or more groups of CMs with the same MAC, where N CMs with the same MAC constitute one group of CMs under test;

According to the MAC address and IP address of each CM under test, obtain the ontology features and terminal network environment features of each CM under test in the group;

According to the MAC address of the CMs under test, extract from the feature database the features of the legitimate CM with the same MAC.
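The screening, similarity and decision steps described above, as an added Python example that is not part of the patent text: polled CMs are grouped by MAC, each member of a duplicate-MAC group is scored against the stored legitimate features, the best match is kept and the rest are listed as clones. Ontology similarity is intersection size over union size of the feature sets; the formula images are not reproduced on this page, so the forms 1/(1 + θ·d) and (1 - ω)·body + ω·env, the values of θ and ω, the handling of missing readings, and every sample record are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt

THETA = 0.1   # control factor θ (assumed value)
OMEGA = 0.5   # weight ω of the environment features (assumed value)


@dataclass(frozen=True)
class CMRecord:
    mac: str
    ip: str
    body: frozenset   # ontology features as "name=value" strings
    env: tuple        # (upstream level, downstream level, downstream SNR); None = not collected


def body_similarity(b, a):
    """Intersection size over union size of two ontology feature sets."""
    union = b | a
    return len(b & a) / len(union) if union else 0.0


def env_similarity(b, a, theta=THETA):
    """Similarity from Euclidean distance d; 1 / (1 + θ·d) is an assumed form.

    Readings missing on either side are skipped; returns None if nothing is comparable.
    """
    pairs = [(x, y) for x, y in zip(b, a) if x is not None and y is not None]
    if not pairs:
        return None
    d = sqrt(sum((x - y) ** 2 for x, y in pairs))
    return 1.0 / (1.0 + theta * d)


def similarity(candidate, legal, omega=OMEGA, theta=THETA):
    """Combine both dimensions; (1 - ω)·body + ω·env is an assumed form."""
    s_body = body_similarity(candidate.body, legal.body)
    s_env = env_similarity(candidate.env, legal.env, theta)
    if s_env is None:      # no environment readings: fall back to ontology features only
        return s_body
    return (1 - omega) * s_body + omega * s_env


def detect_clones(polled, feature_db):
    """Return the CMs judged to be clones among polled CMs that share a MAC address."""
    groups = defaultdict(list)
    for cm in polled:
        groups[cm.mac].append(cm)

    clones = []
    for mac, group in groups.items():
        legal = feature_db.get(mac)
        if len(group) < 2 or legal is None:
            continue       # unique MAC, or no stored baseline to compare against
        ranked = sorted(group, key=lambda cm: similarity(cm, legal), reverse=True)
        clones.extend(ranked[1:])   # keep the best match, list the rest as clones
    return clones


# Constructed sample data (not from the patent).
MAC_DUP = "00:11:22:33:44:55"
LEGAL_BODY = frozenset({"vendor=ExampleCo", "model=X100", "fw=1.2.3",
                        "ports=4", "ip=10.10.1.20", "gw=10.10.1.1"})
SAMPLE_DB = {MAC_DUP: CMRecord(MAC_DUP, "10.10.1.20", LEGAL_BODY, (42.0, 3.5, 36.0))}
SAMPLE_POLL = [
    # Same device as the baseline, with one environment reading missing.
    CMRecord(MAC_DUP, "10.10.1.20", LEGAL_BODY, (42.5, 3.0, None)),
    # Same MAC, but different device features and a different signal environment.
    CMRecord(MAC_DUP, "10.20.7.33",
             frozenset({"vendor=OtherCo", "model=Z9", "fw=9.9",
                        "ports=4", "ip=10.20.7.33", "gw=10.20.7.1"}),
             (48.0, -6.0, 29.0)),
    # Unique MAC: never enters a group of CMs under test.
    CMRecord("00:11:22:33:44:66", "10.10.1.21",
             frozenset({"vendor=ExampleCo", "ports=2"}), (40.0, 2.0, 35.0)),
]

if __name__ == "__main__":
    for cm in detect_clones(SAMPLE_POLL, SAMPLE_DB):
        score = similarity(cm, SAMPLE_DB[cm.mac])
        print(f"clone: mac={cm.mac} ip={cm.ip} similarity={score:.3f}")
```
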

Preferably, after using the similarity algorithm to calculate the similarity of CM features between the CM under test and the legitimate CM and thereby detecting cloned CMs, the method further includes: setting an IP filter for the cloned CMs so that service to the detected cloned CMs is shut down.

In a second aspect, the present invention also provides a system for detecting cloned CMs, used to implement the method for detecting cloned CMs described in the first aspect, the system comprising:

a CM feature collection module, used to obtain the features of the CMs under test by collecting CM information across the whole network, and to obtain the legitimate CM features by extraction from the feature database;

a clone CM detection module, used to calculate, with a similarity algorithm, the similarity of CM features between the CM under test and the legitimate CM, thereby detecting cloned CMs;

wherein the CM under test has the same MAC address as the legitimate CM; the CM features include CM ontology features and CM terminal network environment features; the CM ontology features include one or more of CM manufacturer information, the number of CM ports, and the IP address and gateway assigned to the CM by DHCP; and the CM terminal network environment features include one or more of the CM upstream level value, the CM downstream level value and the CM downstream SNR.

In a third aspect, the present invention also provides an apparatus for detecting cloned CMs. The apparatus includes at least one processor and a memory connected through a data bus; the memory stores instructions executable by the at least one processor, and the instructions, when executed by the processor, carry out the method for detecting cloned CMs described in the first aspect.

The beneficial effects of the present invention are:

In the method and system for detecting cloned CMs provided by the present invention, CM features are described along two dimensions, CM ontology features and CM terminal network environment features, and each dimension includes multiple feature attributes. A clone CM detection method and system based on multi-dimensional features copes effectively with individual feature factors being missing or inaccurate and is therefore highly robust; and because all feature attribute information is collected directly from the CM, it is also portable and maintainable. In addition, comparing the feature ordering makes the clone CM detection result more accurate.

【Description of the Drawings】

To describe the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a schematic flowchart of a method for detecting cloned CMs provided by an embodiment of the present invention;

Fig. 2 is a flowchart of CM feature collection and processing provided by an embodiment of the present invention;

Fig. 3 is a flowchart of a method for determining cloned CMs provided by an embodiment of the present invention;

Fig. 4 is a system data flow diagram of a clone CM detection process provided by an embodiment of the present invention;

Fig. 5 is a flowchart of another method for detecting cloned CMs provided by an embodiment of the present invention;

Fig. 6 is a flowchart of CM historical feature collection provided by an embodiment of the present invention;

Fig. 7 is a composition diagram of a system for detecting cloned CMs provided by an embodiment of the present invention;

Fig. 8 is a composition diagram of another system for detecting cloned CMs provided by an embodiment of the present invention;

Fig. 9 is a schematic diagram of the composition of a CM feature collection module provided by an embodiment of the present invention;

Fig. 10 is a schematic diagram of the composition of a clone CM detection module provided by an embodiment of the present invention;

Fig. 11 is a schematic diagram of an apparatus for detecting cloned CMs provided by an embodiment of the present invention.

【Detailed Description】

To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. The specific embodiments described here serve only to explain the present invention and do not limit it.

In addition, the technical features involved in the embodiments of the present invention described below can be combined with one another as long as they do not conflict. The present invention is described in detail below with reference to the drawings and embodiments.

Embodiment 1:

Embodiment 1 of the present invention provides a method for detecting cloned CMs. As shown in Fig. 1, the method includes:

Step 201: obtain the features of the CMs under test by collecting CM information across the whole network, and obtain the legitimate CM features by extraction from the feature database;

Step 202: use a similarity algorithm to calculate the similarity of CM features between the CM under test and the legitimate CM, thereby detecting cloned CMs;

wherein the CM under test has the same MAC address as the legitimate CM; the CM features include CM ontology features and CM terminal network environment features; the CM ontology features include one or more of CM manufacturer information, the number of CM ports, and the IP address and gateway assigned to the CM by DHCP, and the CM manufacturer information in turn includes one or more of the CM type, firmware version and software version; the CM terminal network environment features include one or more of the CM upstream level value, the CM downstream level value and the CM downstream SNR.

The CM ontology features are chosen on the following basis. Both "weak clones", which obtain a MAC by network sniffing and counterfeit it, and "strong clones", which forge self-signed certificates, have difficulty replicating the CM manufacturer information and the port count, so these two features can be used to detect such cloned CMs. If a CM is powered off for less than the DHCP IP address lease time, its IP address does not change, so the CM IP can serve as a feature that identifies the CM. The gateway address identifies the CM's head-end device and therefore describes the CM's physical location, so it can also serve as a feature.

The CM terminal network environment features are chosen on the following basis. The network environments of different CM clients differ: link attenuation, signal quality and head-end device configuration all vary, so the network signals of the CM clients differ too, while the network environment of any one CM terminal is relatively stable over a given period. Network environment indicators can therefore be used to identify a CM. The feature attributes, collection methods and descriptions of the CM features are shown in Table 1 below:

Table 1: Feature attributes, collection methods and descriptions of CM features

Figure BDA0001743250430000081

In the method for detecting cloned CMs provided by the present invention, CM features are described along two dimensions, CM ontology features and CM terminal network environment features, and each dimension includes multiple feature attributes. A clone CM detection method based on multi-dimensional features copes effectively with individual feature factors being missing or inaccurate and is therefore highly robust; and because all feature attribute information is collected directly from the CM, it is also portable and maintainable.

In step 201, the features of the CMs under test are obtained by collecting CM information across the whole network, and the legitimate CM features are obtained by extraction from the feature database. This step collects, in advance, the features of the CMs under test and of the legitimate CM that will be matched in step 202. The whole collection process is shown in Fig. 2 and includes the following steps:

Step 2011: the system polls the DHCP server to obtain the basic information of all CMs in the network, where the basic information includes the MAC address and the IP address;

Step 2012: collect the features of all CMs in the network according to the basic information, and store the legitimate CM features in the feature database. The ontology feature of the legitimate CM is denoted A(V) and its terminal network environment feature is denoted A(C). Assuming that m ontology feature attributes and n terminal network environment feature attributes are selected in this embodiment to describe a CM, then

Figure BDA0001743250430000091

and the feature of the legitimate CM is A = {A(V), A(C)};

Step 2013: screen the CMs under test according to the basic information and obtain their features, and extract the legitimate CM features from the feature database. Assuming the current group of CMs under test contains n CMs under test and is denoted B, then B = {B1, B2, ..., Bn}, where Bi denotes one of the CMs under test, Bi ∈ B.

在步骤202中,利用相似度算法,计算待测CM与合法CM间CM特征的相似度,从而检测出克隆CM;在本发明实施例中,从本体和终端网络环境两个维度来对CM特征进行描述,因此,在计算特征相似度时,需要综合考虑两个维度中的多个特征属性,如图3所示,步骤202具体又包括以下两个步骤:In step 202, a similarity algorithm is used to calculate the similarity of the CM features between the CM to be tested and the legitimate CM, so as to detect the cloned CM; Therefore, when calculating the feature similarity, it is necessary to comprehensively consider multiple feature attributes in two dimensions. As shown in FIG. 3, step 202 specifically includes the following two steps:

Step 2021: calculate, according to the formulas, the ontology feature similarity and the terminal network environment feature similarity between the CM to be tested and the legal CM, and combine them into the feature similarity between the CM to be tested and the legal CM. The similarity is calculated as follows:

First, according to the formula

Figure BDA0001743250430000092

calculate the ontology feature similarity

Figure BDA0001743250430000093

between the ontology feature Bi(V) of each CM to be tested and the ontology feature A(V) of the legal CM. During the collection of legal CM ontology features in step 2012, noise data has to be removed, which tends to increase the sparsity of the feature value data. The formula chosen here compares the similarity and difference between finite sample sets and is particularly suitable for Boolean data and highly sparse data. In the formula, the symbol "∩" denotes the intersection of two sets, the symbol "∪" denotes their union, and the symbol "||" denotes the size of a set, that is, the number of elements it contains; the formula as a whole is the ratio of the size of the intersection of the two sets to the size of their union.

Second, according to the formula

Figure BDA0001743250430000101

calculate the terminal network environment feature similarity

Figure BDA0001743250430000102

between the terminal network environment feature Bi(C) of each CM to be tested and the terminal network environment feature A(C) of the legal CM, where

Figure BDA0001743250430000103

is the Euclidean distance between the terminal network environment feature Bi(C) of the CM to be tested and the terminal network environment feature A(C) of the legal CM, and θ is the adjustment factor.

The Euclidean distance d is widely used to calculate the similarity between level signals; for example, the Euclidean distance between a noise signal and the signal source indicates how strongly the noise interferes with the source. In a similar way, this embodiment calculates the terminal network environment feature similarity between the CM to be tested and the legal CM from the Euclidean distance d. Because the feature attributes of the CM terminal network environment differ in measurement unit and measurement scale, a weighted Euclidean distance is used to balance those differences. The weighted Euclidean distance between the terminal network environment feature Bi(C) of the CM to be tested and the terminal network environment feature A(C) of the legal CM is denoted

Figure BDA0001743250430000104

and is calculated as

Figure BDA0001743250430000105

where kj is the weight coefficient corresponding to feature j.

The formula for calculating similarity from the Euclidean distance is

Figure BDA0001743250430000106

Because the terminal network environment features of a CM fluctuate over a given period, which affects the reliability and validity of the similarity result, the adjustment factor θ is introduced here to reduce the effect of the fluctuation. θ is obtained as follows: sample the terminal network environment features of CMs in the live network and perform nonlinear regression, giving the adjustment factor

Figure BDA0001743250430000107

where α is the exponential coefficient obtained by the nonlinear regression and Sj is the sum of the variances of {y1,j, y2,j, ..., yp,j}. Substituting the adjustment factor

Figure BDA0001743250430000108

into the formula

Figure BDA0001743250430000109

(formula 4) gives

Figure BDA00017432504300001010

from which the similarity of the terminal network environment features between the CM to be tested and the legal CM is calculated.

Finally, according to the formula

Figure BDA00017432504300001011

calculate the similarity SIM(Bi, A) between the feature Bi of each CM to be tested and the legal CM feature A, where ω is the proportion of the CM features accounted for by the CM terminal network environment features. This step combines the ontology feature similarity and the terminal network environment feature similarity; ω can be obtained from repeated experience or by supervised learning.

Step 2022: according to the calculated CM feature similarities, retain the one CM to be tested whose features are most similar to those of the legal CM, judge the remaining CMs to be tested to be clone CMs, and add them to the clone CM list. In general, at most one of the current n CMs to be tested is legal and the rest are illegal clone CMs, so the CM with the highest feature similarity to the legal CM is retained as the legal CM, and the remaining CMs to be tested are added to the clone CM list. The clone CM list can be represented by the set Clone,

Figure BDA0001743250430000111
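The following added example (not code from the patent) walks steps 2021 and 2022 over one group of same-MAC CMs. The intersection-over-union ontology similarity follows the text; the weighted distance form, the mapping 1 / (1 + θ·d) from distance to similarity, the combination ω·SIM(C) + (1 − ω)·SIM(V), and all names and sample values are assumptions, because the patent's formula images are not reproduced on this page.

```python
from math import sqrt


def jaccard(b_v, a_v):
    """Ontology similarity: |B ∩ A| / |B ∪ A| over (attribute, value) pairs."""
    b, a = set(b_v.items()), set(a_v.items())
    union = b | a
    return len(b & a) / len(union) if union else 1.0


def weighted_distance(b_c, a_c, k):
    """Assumed form sqrt(sum_j k_j * (B_j - A_j)^2), over attributes both sides have."""
    shared = [j for j in a_c if j in b_c]
    if not shared:
        return None  # nothing to compare
    return sqrt(sum(k.get(j, 1.0) * (b_c[j] - a_c[j]) ** 2 for j in shared))


def env_similarity(d, theta):
    """Assumed mapping 1 / (1 + theta * d): 1.0 at d = 0, falling toward 0."""
    return 0.0 if d is None else 1.0 / (1.0 + theta * d)


def sim(b, a, k, theta, omega):
    """Assumed combination: omega weights the environment part, (1 - omega) the ontology part."""
    s_v = jaccard(b["ontology"], a["ontology"])
    s_c = env_similarity(weighted_distance(b["env"], a["env"], k), theta)
    return omega * s_c + (1.0 - omega) * s_v


def detect_clones(group, legal, k, theta, omega):
    """Step 2022: keep the best-scoring CM, list the rest as clones.

    Also reports a tie for first place, the case the patent says the
    similarity score alone cannot resolve.
    """
    if not group:
        raise ValueError("empty group of CMs to be tested")
    scores = {ip: sim(b, legal, k, theta, omega) for ip, b in group.items()}
    ranked = sorted(scores, key=scores.get, reverse=True)
    ambiguous = len(ranked) > 1 and abs(scores[ranked[0]] - scores[ranked[1]]) < 1e-12
    return ranked[0], sorted(ranked[1:]), ambiguous, scores


# Constructed sample data: one legal profile and two CMs reporting the same MAC.
LEGAL = {
    "ontology": {"vendor": "VendorA", "ports": 4,
                 "dhcp_ip": "10.0.1.20", "gateway": "10.0.1.1"},
    "env": {"us_level": 42.0, "ds_level": 3.0, "ds_snr": 37.0},
}
GROUP = {
    "10.0.1.20": {
        "ontology": {"vendor": "VendorA", "ports": 4,
                     "dhcp_ip": "10.0.1.20", "gateway": "10.0.1.1"},
        "env": {"us_level": 42.5, "ds_level": 2.8, "ds_snr": 36.5},
    },
    "10.0.7.99": {  # vendor and port count copied, but a different segment and plant
        "ontology": {"vendor": "VendorA", "ports": 4,
                     "dhcp_ip": "10.0.7.99", "gateway": "10.0.7.1"},
        "env": {"us_level": 48.0, "ds_level": -4.0, "ds_snr": 31.0},
    },
}
K = {"us_level": 1.0, "ds_level": 1.0, "ds_snr": 1.0}  # constructed weights
THETA, OMEGA = 0.1, 0.5                                # constructed parameters

if __name__ == "__main__":
    keep, clones, ambiguous, scores = detect_clones(GROUP, LEGAL, K, THETA, OMEGA)
    print("retained:", keep, "clones:", clones, "tie:", ambiguous)
    for ip, s in scores.items():
        print(ip, round(s, 4))
```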

In general, a complete clone CM detection method must also handle the illegal clone CMs after they are detected. As shown in FIG. 1, the method further includes step 203: set an IP filter for each clone CM to shut down service for the detected clone CM, and record a log. In earlier clone CM detection systems, service to a detected clone CM was usually terminated by issuing a CMTS command to take the CM offline or by restarting the CM remotely over SNMP, and the effectiveness of that approach depends on how often the offline operation is performed. In this embodiment, service is shut down by setting an IP filter for the clone CM; the shutdown remains in effect within the CM restart cycle, and the handling is simpler and more effective. The IP filter configuration is shown in Table 2 below.

Table 2 IP filter configuration

Figure BDA0001743250430000112

Figure BDA0001743250430000121

The system data flow over the whole clone CM detection process is shown in FIG. 4, which gives a more direct view of the complete flow of CM feature collection, clone CM detection and clone CM handling.

In combination with this embodiment there is also a preferred implementation. As shown in FIG. 5, the following step can be added before the feature similarity calculation: the server verifies the feature ordering of the CM to be tested against that of the legal CM. If the orderings are the same, the feature similarity is then calculated; if they differ, the feature similarity calculation can be skipped and the CM to be tested is judged to be a clone CM directly. The server and the legal CM each maintain the same random algorithm, which takes the network time as its input parameter. The random number it produces is converted into a digit sequence, and the server and the legal CM both order the CM ontology features and the CM terminal network environment features according to that sequence. For example, if the random number generated by the system is 54610941873, the features are preferably arranged by the digits in order of first appearance, repeated digits are ignored, and the remaining digits are finally appended in order; the digit sequence corresponding to this random number is therefore 546198732. If the number of feature items far exceeds the 10 that the digits of a single random number can represent, the representation is extended: within a group of random digits, the first repeated occurrence of a digit is represented as that units digit with a tens digit of 1 (the second repeated occurrence as that units digit with a tens digit of 2, and so on). For example, 54610941873123 represents the sequence "5" "4" "6" "1" "9" "14" "11" "8" "7" "3" "21" "2" "13". Here 0 is not counted, and any label in the represented sequence that exceeds the number of feature items is ignored in the same way as 0.

Adding the feature ordering comparison is especially useful in two situations. In the first, at least two CMs in the current group to be tested tie for the highest feature similarity with the legal CM, and it is hard to determine which of them is the legal CM. In the second, the current group to be tested does not include the legal CM, for example because the legal CM is offline after a sudden power failure; the CM with the highest calculated similarity is then still a clone CM and must be added to the clone CM list. In both situations the added ordering comparison makes the clone CM detection result more accurate. Judging a CM whose feature ordering differs to be a clone CM in advance also saves part of the calculation and reduces the computing load on the server.
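The conversion from random number to feature ordering described above can be written out as follows. This is an added example, not code from the patent: the function names and the seven feature names are illustrative, the random number is taken as an input rather than derived from the network time, and appending the unused digits in ascending order is an assumption about what "in order" means.

```python
def basic_order(random_number):
    """Digits 1-9 in order of first appearance; 0 and repeats are skipped,
    then the digits that never appeared are appended (ascending, assumed)."""
    order = []
    for ch in random_number:
        d = int(ch)
        if d != 0 and d not in order:
            order.append(d)
    order += [d for d in range(1, 10) if d not in order]
    return order


def extended_order(random_number, num_features):
    """Extended scheme: the first repeat of digit d becomes 10 + d, the second
    repeat 20 + d, and so on. 0 is skipped, as is any label > num_features."""
    seen = {}
    order = []
    for ch in random_number:
        d = int(ch)
        if d == 0:
            continue
        label = 10 * seen.get(d, 0) + d
        seen[d] = seen.get(d, 0) + 1
        if label <= num_features:
            order.append(label)
    return order


def arrange(features, order):
    """Apply a 1-based label sequence to a feature list; labels beyond the
    list length are ignored in the same way as 0."""
    return [features[i - 1] for i in order if i <= len(features)]


def ordering_matches(reported, features, random_number):
    """Server-side check: does the order the CM reported its features in match
    the order derived from the shared random number? A mismatch means the CM
    is judged a clone without any similarity calculation."""
    return list(reported) == arrange(features, basic_order(random_number))


# Illustrative feature names for the seven attributes the patent lists.
FEATURES = ["vendor", "port_count", "dhcp_ip", "gateway",
            "us_level", "ds_level", "ds_snr"]

if __name__ == "__main__":
    rnd = "54610941873"  # the random number used in the text
    expected = arrange(FEATURES, basic_order(rnd))
    print(basic_order(rnd))
    print(expected)
    print(ordering_matches(expected, FEATURES, rnd))   # CM that holds the algorithm
    print(ordering_matches(FEATURES, FEATURES, rnd))   # CM reporting in fixed order
```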

Embodiment 2:

For the CM feature collection and processing described in step 201 of Embodiment 1, Embodiment 2 of the present invention provides a specific implementation.

Step 2011: the system polls the DHCP server to obtain the basic information of all CMs in the network; the basic information includes the MAC address and the IP address.

Step 2012: collect the features of all CMs in the network according to the basic information, and store the legal CM features in the feature database. In this step the CM features are collected, compiled and stored as follows:

First, collect the ontology features and the terminal network environment features of all CMs in the network according to their MAC addresses and IP addresses. In this embodiment, CM features are collected over SNMP. For most online CMs the feature information can be collected with an SNMP timeout of 700 milliseconds; however, if a single SNMP timeout is applied to all CMs, offline CMs and CMs that require a long SNMP timeout noticeably slow down the whole collection process. To speed up feature collection, the following approach is used, as shown in FIG. 6: first set the SNMP timeout to 700 milliseconds, then quantify and store the CM feature information collected. For each CM whose feature information could not be collected, determine whether the CM is online; if it is, set the SNMP timeout to a larger value, 8000 milliseconds in this embodiment, and quantify and store the CM feature information collected on this pass. Testing shows that this collection method significantly shortens the collection time.

Second, quantify the ontology features of all CMs in the network to obtain the ontology feature A(V) of the legal CM, and quantify the terminal network environment features of all CMs in the network to obtain the terminal network environment feature A(C) of the legal CM. Assuming that m ontology feature attributes and n terminal network environment feature attributes are selected to characterize a CM in this embodiment, the ontology feature of the legal CM is

Figure BDA0001743250430000141

where A(V)j denotes one of the ontology feature attributes, and the terminal network environment feature of the legal CM is

Figure BDA0001743250430000142

denoting one of the terminal network environment feature attributes.

The ontology features are all character data. They are processed as follows: take the CM's historical ontology feature records from the last u days at v collections per day, p collections in total, where p = u × v. Each ontology feature attribute of the CM then has p recorded values, and with m ontology feature attributes selected, the historical ontology feature records of the CM form the data set

Figure BDA0001743250430000143

Historical ontology feature data usually contains noise data, which affects the compilation of legal CM features and in turn the detection of clone CMs. Noise data arises mainly in two ways: first, changes to the ontology features of the legal CM, such as a change of the CM's physical location, a change of headend CMTS equipment, a CM version upgrade, or an IP address change when the DHCP lease expires; second, clone CM feature data contained in the historical ontology feature data. Noise in ontology feature data is usually hard to distinguish, so an attribute factor is discarded as soon as noise is found: for a given ontology feature attribute, if the values collected over the collections are inconsistent, the feature factor is discarded; if the values from all p collections are consistent, the feature factor is retained and used, and the recorded value is taken as the legal CM feature, as expressed in formula 1. Formula 1 gives the legal feature value for each ontology feature attribute A(V)j, and hence the ontology feature A(V) of the legal CM.

Figure BDA0001743250430000151

Because CM ontology features can themselves be cloned (a perfect clone can, for example, copy ontology feature values such as the CM vendor information), this embodiment introduces the CM terminal network environment features and combines them with the CM ontology features to describe a CM, improving the accuracy of clone CM detection. The terminal network environment features are all numerical data, and once the volume of historical feature data is large enough, taking the mean is sufficient to weaken the influence of noise data. The CM terminal network environment features are processed as follows: take the CM's historical terminal network environment feature records from the last u days at v collections per day, p collections in total, where p = u × v. Each terminal network environment feature attribute of the CM then has p recorded values, and with n terminal network environment feature attributes selected, the historical terminal network environment feature records of the CM form the data set

Figure BDA0001743250430000152

Formula 2 gives the legal feature value for each terminal network environment feature attribute A(C)j, and hence the terminal network environment feature A(C) of the legal CM.

Figure BDA0001743250430000153

Finally, store the resulting ontology feature A(V) and terminal network environment feature A(C) of the legal CM in the feature database. A(V) and A(C) together constitute the feature A of the legal CM, where A = {A(V), A(C)}.
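The construction of the legal profile in step 2012 can be sketched as follows. This is an added example, not code from the patent: it implements formulas 1 and 2 as the text describes them (keep an ontology attribute only if all p collected values agree; take the mean of each environment attribute), and the record layout, names and sample history are constructed.

```python
from statistics import mean


def build_legal_profile(history):
    """Build (A_V, A_C, dropped) from p = u * v historical records.

    history: list of records, each {"ontology": {...}, "env": {...}}.
    A_V keeps an ontology attribute only when all p values are identical;
    otherwise the attribute is treated as noisy and dropped.
    A_C is the per-attribute mean of the numeric environment values.
    """
    if not history:
        raise ValueError("no historical records")
    a_v, dropped = {}, []
    for attr in history[0]["ontology"]:
        values = {rec["ontology"].get(attr) for rec in history}
        if len(values) == 1 and None not in values:
            a_v[attr] = values.pop()
        else:
            dropped.append(attr)
    a_c = {attr: mean(rec["env"][attr] for rec in history)
           for attr in history[0]["env"]}
    return a_v, a_c, sorted(dropped)


def sample_history():
    """Constructed history: u = 2 days, v = 3 collections per day, p = 6.
    The DHCP lease is renewed with a new address on day 2."""
    us = [42.0, 42.5, 41.5, 42.0, 42.5, 41.5]
    snr = [37.0, 36.0, 38.0, 37.0, 36.0, 38.0]
    records = []
    for i in range(6):
        day = i // 3
        records.append({
            "ontology": {
                "vendor": "VendorA",
                "ports": 4,
                "dhcp_ip": "10.0.1.20" if day == 0 else "10.0.1.57",
                "gateway": "10.0.1.1",
            },
            "env": {"us_level": us[i], "ds_snr": snr[i]},
        })
    return records


if __name__ == "__main__":
    a_v, a_c, dropped = build_legal_profile(sample_history())
    print("A(V):", a_v)
    print("A(C):", a_c)
    print("dropped as noisy:", dropped)
```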

Step 2013: screen the CMs to be tested according to the basic information, obtain their features, and extract the legal CM features from the feature database. This is done as follows:

First, according to the MAC addresses of all CMs in the network, screen out one or more groups of CMs with the same MAC, where the N CMs sharing a MAC form one group of CMs to be tested. One or more groups of CMs to be tested can be screened out in this way. Assuming the current group contains n CMs to be tested and is denoted B, then B = {B1, B2, ..., Bn}, where Bi denotes one of the CMs to be tested, Bi ∈ B.

Second, according to the MAC address and IP address of each CM to be tested, obtain the ontology features and the terminal network environment features of each CM in the group to be tested. The features of all CMs in the network were already collected in step 2012, so the ontology features and terminal network environment features of each CM to be tested can be obtained from the basic MAC and IP information of the current group.

Finally, according to the MAC address of the CM to be tested, extract from the feature database the legal CM features with the same MAC. The CM to be tested and the legal CM used for feature matching must have the same MAC address, so once the CMs to be tested have been screened out, the corresponding legal CM features, that is, the features of the legal CM with the same MAC, are extracted from the feature database by the MAC address of the CM to be tested.

Embodiment 3:

On the basis of Embodiment 1 and Embodiment 2, the present invention further provides a clone CM detection system for implementing the clone CM detection method described in Embodiment 1 and Embodiment 2. As shown in FIG. 7, Embodiment 2 of the present invention provides a clone CM detection system comprising a CM feature collection module and a clone CM detection module:

The CM feature collection module is used to obtain the features of the CMs to be tested by collecting CM information across the whole network, and to obtain the legal CM features by extraction from the feature database;

The clone CM detection module is used to calculate, with a similarity algorithm, the similarity of the CM features between the CM to be tested and the legal CM, thereby detecting clone CMs;

The CM to be tested has the same MAC address as the legal CM. The CM features include CM ontology features and CM terminal network environment features; the CM ontology features include one or more of the CM vendor information, the number of CM ports, the IP address assigned to the CM by DHCP, and the gateway, and the CM terminal network environment features include one or more of the CM upstream level value, the CM downstream level value and the CM downstream SNR.

In this embodiment, a complete clone CM detection system further includes a clone CM shutdown module. As shown in FIG. 7, the clone CM shutdown module is placed after the clone CM detection module and is used to set an IP filter for each clone CM so as to shut down service for the detected clone CM.

In combination with this embodiment there is also a preferred implementation in which the detection system further includes an ordering comparison module. As shown in FIG. 8, the ordering comparison module can be placed before the clone CM detection module. The server and the legal CM each maintain the same random algorithm, which takes the network time as its input parameter; the random number it produces is converted into a digit sequence, and the server and the legal CM both order the CM ontology features and the CM terminal network environment features according to that sequence. The ordering comparison module is used by the server to verify whether the feature ordering of the CM to be tested is the same as that of the legal CM. If the server verifies that the orderings are the same, the clone CM detection module then calculates the feature similarity; if they differ, the clone CM detection module can be skipped, and the CM to be tested is judged to be a clone CM directly and its service is shut down.

As shown in FIG. 9, the CM feature collection module includes:

A basic information collection module, used by the system to poll the DHCP server and obtain the basic information of all CMs in the network; the basic information includes the MAC address and the IP address;

A feature collection and quantification module, used to collect the features of all CMs in the network according to the basic information and to store the legal CM features in the feature database. First, the ontology features and the terminal network environment features of all CMs in the network are collected according to their MAC addresses and IP addresses; second, the ontology features of all CMs in the network are quantified to obtain the ontology feature A(V) of the legal CM, and the terminal network environment features of all CMs in the network are quantified to obtain the terminal network environment feature A(C) of the legal CM; finally, the resulting ontology feature A(V) and terminal network environment feature A(C) of the legal CM are stored in the feature database, A(V) and A(C) together constituting the feature A of the legal CM.

A feature extraction module, used to screen the CMs to be tested according to the basic information, obtain their features, and extract the legal CM features from the feature database. First, one or more groups of CMs with the same MAC are screened out according to the MAC addresses of all CMs in the network, where the N CMs sharing a MAC form one group of CMs to be tested; second, the ontology features and terminal network environment features of each CM in the group to be tested are obtained according to the MAC address and IP address of the CM to be tested; finally, the legal CM features with the same MAC are extracted from the feature database according to the MAC address of the CM to be tested.

As shown in FIG. 10, the clone CM detection module includes:

A similarity calculation module, used to calculate, according to the formulas, the ontology feature similarity and the terminal network environment feature similarity between the CM to be tested and the legal CM, and to combine them into the feature similarity between the CM to be tested and the legal CM. Specifically, first, according to the formula

Figure BDA0001743250430000171

calculate the ontology feature similarity

Figure BDA0001743250430000181

between the ontology feature Bi(V) of the CM to be tested and the ontology feature A(V) of the legal CM. Second, according to the formula

Figure BDA0001743250430000182

calculate the terminal network environment feature similarity

Figure BDA0001743250430000183

between the terminal network environment feature Bi(C) of the CM to be tested and the terminal network environment feature A(C) of the legal CM, where

Figure BDA0001743250430000184

is the Euclidean distance between the terminal network environment feature Bi(C) of the CM to be tested and the terminal network environment feature A(C) of the legal CM, and θ is the adjustment factor. Finally, according to the formula

Figure BDA0001743250430000185

calculate the similarity SIM(Bi, A) between the feature Bi of the CM to be tested and the legal CM feature A, where ω is the proportion of the CM features accounted for by the CM terminal network environment features.

A judgment module, used to retain, according to the calculated CM feature similarities, the one CM to be tested whose features are most similar to those of the legal CM, to judge the remaining CMs to be tested to be clone CMs, and to add them to the clone CM list.

In the clone CM detection system provided by the present invention, CM features are described along two dimensions, the CM ontology features and the CM terminal network environment features, and each dimension includes multiple feature attributes. A clone CM detection system based on multi-dimensional features copes effectively with individual feature factors that are missing or inaccurate and is highly robust, and because the feature attribute information is all collected directly from the CM, the system is highly portable and maintainable. Comparing the feature ordering also makes the clone CM detection result more accurate.

Embodiment 4:

Following the clone CM detection method provided in Embodiment 1 and Embodiment 2, Embodiment 4 of the present invention further provides an apparatus that uses the above method to detect clone CMs. FIG. 11 is a schematic diagram of the apparatus architecture of this embodiment. The clone CM detection apparatus of this embodiment includes one or more processors 21 and a memory 22; FIG. 11 takes one processor 21 as an example.

处理器21和存储器22可以通过总线或者其他方式连接,图8中以通过总线连接为例。The processor 21 and the memory 22 may be connected by a bus or in other ways, and the connection by a bus is taken as an example in FIG. 8 .

存储器22作为一种克隆CM的检测方法和装置非易失性计算机可读存储介质,可用于存储非易失性软件程序、非易失性计算机可执行程序以及模块,如实施例1中的克隆CM的检测方法。处理器21通过运行存储在存储器22中的非易失性软件程序、指令以及模块,从而执行克隆CM检测的装置的各种功能应用以及数据处理,即实现实施例1的克隆CM的检测方法。The memory 22 is a non-volatile computer-readable storage medium for detecting a clone CM and a non-volatile computer-readable storage medium, which can be used to store non-volatile software programs, non-volatile computer-executable programs and modules, such as the clone in Embodiment 1. CM detection method. The processor 21 executes various functional applications and data processing of the clone CM detection apparatus by running the non-volatile software programs, instructions and modules stored in the memory 22, ie, implements the clone CM detection method of Embodiment 1.

存储器22可以包括高速随机存取存储器,还可以包括非易失性存储器,例如至少一个磁盘存储器件、闪存器件、或其他非易失性固态存储器件。在一些实施例中,存储器22可选包括相对于处理器21远程设置的存储器,这些远程存储器可以通过网络连接至处理器21。上述网络的实例包括但不限于互联网、企业内部网、局域网、移动通信网及其组合。Memory 22 may include high speed random access memory, and may also include nonvolatile memory, such as at least one magnetic disk storage device, flash memory device, or other nonvolatile solid state storage device. In some embodiments, the memory 22 may optionally include memory located remotely from the processor 21, and these remote memories may be connected to the processor 21 through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

所述程序指令/模块存储在所述存储器22中,当被所述一个或者多个处理器21执行时,执行上述实施例1和实施例2中的克隆CM的检测方法,例如,执行以上描述的图1、图2、图3和图5所示的各个步骤。The program instructions/modules are stored in the memory 22, and when executed by the one or more processors 21, execute the methods for detecting cloned CMs in Embodiment 1 and Embodiment 2 above, for example, execute the above description Figure 1, Figure 2, Figure 3 and Figure 5 show the various steps.

本领域普通技术人员可以理解实施例的各种方法中的全部或部分步骤是可以通过程序来指令相关的硬件来完成,该程序可以存储于一计算机可读存储介质中,存储介质可以包括:只读存储器(ROM,Read Only Memory)、随机存取存储器(RAM,Random AccessMemory)、磁盘或光盘等。Those of ordinary skill in the art can understand that all or part of the steps in the various methods of the embodiments can be completed by instructing relevant hardware through a program, and the program can be stored in a computer-readable storage medium, and the storage medium can include: Read memory (ROM, Read Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disk, etc.

以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内所作的任何修改、等同替换和改进等,均应包含在本发明的保护范围之内。The above descriptions are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall be included in the protection of the present invention. within the range.

Claims (8)

1. A method for detecting a clone CM, characterized by comprising:
obtaining the features of the CMs to be tested by collecting CM information across the whole network, and obtaining the legal CM features by extraction from a feature database;
using a similarity algorithm to calculate the similarity of CM features between the CM to be tested and the legal CM, thereby detecting the clone CM;
wherein the CM to be tested has the same MAC address as the legal CM; the CM features include CM ontology features and CM terminal network environment features; the CM ontology features include one or more of CM manufacturer information, the number of CM ports, the IP address assigned to the CM by DHCP, and the gateway; the CM terminal network environment features include one or more of the CM upstream level value, the CM downstream level value and the CM downstream SNR;
and further comprising the following steps:
the server and the legal CM each maintain an identical random algorithm, wherein the random algorithm takes network time as its input parameter and the computed random number is converted into a number sequence, so that the server and the legal CM order the CM ontology features and the CM terminal network environment features according to the number sequence; wherein the server performs the feature similarity calculation only after verifying that the feature ordering of the CM to be tested is the same as that of the legal CM; if the feature ordering differs, the corresponding CM to be tested is determined to be a clone CM.

2. The method for detecting a clone CM according to claim 1, characterized in that the similarity of CM features between the CM to be tested and the legal CM is calculated as follows:
According to the formula
Figure FDA0002368048790000011
calculate the ontology feature similarity between the ontology feature Bi(V) of the CM to be tested and the ontology feature A(V) of the legal CM
Figure FDA0002368048790000012
According to the formula
Figure FDA0002368048790000013
calculate the terminal network environment feature similarity between the terminal network environment feature Bi(C) of the CM to be tested and the terminal network environment feature A(C) of the legal CM
Figure FDA0002368048790000014
where
Figure FDA0002368048790000015
is the Euclidean distance between the terminal network environment feature Bi(C) of the CM to be tested and the terminal network environment feature A(C) of the legal CM, and θ is the control factor;
According to the formula
Figure FDA0002368048790000021
calculate the similarity SIM(Bi, A) between the CM feature Bi to be tested and the legal CM feature A, where ω is the proportion of the CM terminal network environment feature within the CM feature;
where i denotes the index of the CM to be tested, the symbol "∩" denotes the intersection of two sets, the symbol "∪" denotes the union of two sets, and the symbol "||" denotes the size of a set.

3. The method for detecting a clone CM according to claim 1, characterized in that the clone CM is detected as follows: according to the CM feature similarity results, the one CM to be tested with the highest feature similarity to the legal CM is kept, and the remaining CMs to be tested are determined to be clone CMs and added to the clone CM list.

4. The method for detecting a clone CM according to claim 1, characterized in that obtaining the features of the CMs to be tested by collecting CM information across the whole network, and obtaining the legal CM features by extraction from the feature database, comprises:
the system polls the DHCP server to obtain the basic information of the CMs in the whole network, wherein the basic information includes the MAC address and the IP address;
collecting the features of the CMs in the whole network according to the basic information, and storing the legal CM features in the feature database;
screening the CMs to be tested according to the basic information and obtaining their features, and extracting the legal CM features from the feature database.

5. The method for detecting a clone CM according to claim 4, characterized in that collecting the features of the CMs in the whole network according to the basic information and storing the legal CM features in the feature database comprises the following steps:
according to the MAC addresses and IP addresses of the CMs in the whole network, collecting the ontology features and the CM terminal network environment features of the CMs in the whole network;
quantizing the ontology features of the CMs in the whole network to obtain the ontology feature A(V) of the legal CM, and quantizing the terminal network environment features of the CMs in the whole network to obtain the terminal network environment feature A(C) of the legal CM;
storing the obtained ontology feature A(V) and terminal network environment feature A(C) of the legal CM in the feature database, A(V) and A(C) together constituting the feature A of the legal CM.

6. The method for detecting a clone CM according to claim 4, characterized in that screening the CMs to be tested according to the basic information and obtaining their features, and extracting the legal CM features from the feature database, specifically comprises the following steps:
according to the MAC addresses of the CMs in the whole network, screening out one or more groups of CMs with the same MAC, wherein N CMs with the same MAC constitute one group of CMs to be tested;
according to the MAC address and IP address of the CMs to be tested, obtaining the ontology features and terminal network environment features of each CM to be tested in the group;
according to the MAC address of the CM to be tested, extracting from the feature database the legal CM features with the same MAC.

7. The method for detecting a clone CM according to any one of claims 1-6, characterized in that, after using the similarity algorithm to calculate the similarity of CM features between the CM to be tested and the legal CM and thereby detecting the clone CM, the method further comprises: setting an IP filter for the clone CM so as to shut down service for the detected clone CM.

8. A system for detecting a clone CM, characterized by comprising at least one processor and a memory connected by a data bus, the memory storing instructions executable by the at least one processor, the instructions, when executed by the processor, being used to carry out the method for detecting a clone CM according to any one of claims 1-7.
CN201810829684.4A 2018-07-25 2018-07-25 A kind of detection method and system of clone CM Expired - Fee Related CN109120917B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810829684.4A CN109120917B (en) 2018-07-25 2018-07-25 A kind of detection method and system of clone CM

Publications (2)

Publication Number Publication Date
CN109120917A CN109120917A (en) 2019-01-01
CN109120917B true CN109120917B (en) 2020-06-05

Family

ID=64863591

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810829684.4A Expired - Fee Related CN109120917B (en) 2018-07-25 2018-07-25 A kind of detection method and system of clone CM

Country Status (1)

Country Link
CN (1) CN109120917B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20200605