[go: up one dir, main page]

CN102595410A - System and method for detecting WAP (Wireless Application Protocol) hostile order - Google Patents

System and method for detecting WAP (Wireless Application Protocol) hostile order Download PDF

Info

Publication number
CN102595410A
CN102595410A CN2011100084060A CN201110008406A CN102595410A CN 102595410 A CN102595410 A CN 102595410A CN 2011100084060 A CN2011100084060 A CN 2011100084060A CN 201110008406 A CN201110008406 A CN 201110008406A CN 102595410 A CN102595410 A CN 102595410A
Authority
CN
China
Prior art keywords
value
added service
order
mobile user
request message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2011100084060A
Other languages
Chinese (zh)
Inventor
隋爱芬
郭代飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens Corp
Original Assignee
Siemens Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Corp filed Critical Siemens Corp
Priority to CN2011100084060A priority Critical patent/CN102595410A/en
Publication of CN102595410A publication Critical patent/CN102595410A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

本发明公开了检测无线应用协议(WAP)恶意订购的系统和方法。其中,检测WAP恶意订购的系统包括:订购消息监测模块(101),用于监测由WAP网关向移动信息服务中心(MISC)提交的增值业务订购请求消息,并获取与该增值业务订购请求消息对应的移动用户的标识;用户流量监测模块(102),用于监测由GGSN发送给WAP网关的增值业务订购请求消息,并获取与该增值业务订购请求消息对应的移动用户的标识;恶意订购分析和报警模块(103),用于检查订购消息监测模块(101)获取的移动用户的标识与用户流量监测模块(102)获取的移动用户的标识是否一致,如果不一致,则判定与不一致的移动用户标识对应的增值业务订购请求消息为攻击者伪造的增值业务订购请求。

Figure 201110008406

The invention discloses a system and a method for detecting malicious subscription of Wireless Application Protocol (WAP). Wherein, the system for detecting WAP malicious ordering includes: an ordering message monitoring module (101), which is used to monitor the value-added service ordering request message submitted by the WAP gateway to the Mobile Information Service Center (MISC), and obtain the value-added service ordering request message corresponding to the value-added service ordering request message. The identification of the mobile user; User traffic monitoring module (102), is used for monitoring the value-added service subscription request message sent to WAP gateway by GGSN, and obtains the mobile user identification corresponding to this value-added service subscription request message; Malicious order analysis and Alarm module (103), is used to check whether the identification of the mobile user that the order message monitoring module (101) obtains is consistent with the identification of the mobile user that the user flow monitoring module (102) obtains, if inconsistent, then judges the mobile user identification with inconsistency The corresponding value-added service subscription request message is a value-added service subscription request forged by an attacker.

Figure 201110008406

Description

Detect the system and method that WAP malice is ordered
Technical field
The present invention relates to the order technology of employing wireless application protocol (WAP, Wireless Application Protocol), particularly detect the system and method that WAP malice is ordered.
Background technology
In mobile communications network, service provider (SP, Service Provider) provides many value-added services based on WAP/WEB through the network of operator for the mobile subscriber.The mobile subscriber can order these value-added services through WAP.Then, operator is according to from Mobile Information Service Center (MISC, Mobile Information Service Center) or the value increasing service ordering information of trusted SP and the record that the mobile subscriber uses value-added service the mobile subscriber being chargeed.Wherein, MISC is mainly used in and carries out SP management, Service Management, user management, service order management, accounting management, statistical analysis etc., is the hard core control platform that operator provides data service to serve for the client under new network environment.
Particularly; When portable terminal inserts general packet radio service technology (GPRS; General Packet Radio Service) behind the packet network; Will be through Gateway GPRS Support Node (GGSN; Gateway GPRS Support Node) the Radius server of the remote customer dialing authentication system on (Radius, Remote Authentication Dial In User Service) client on WAP gateway sends request/beginning (accounting-request/start) message of chargeing, in this case; WAP gateway will be stored travelling carriage International ISDN (MSISDN) number and Internet Protocol (IP, the Internet Protocol) address thereof of this portable terminal.Then, when the user inserts certain value-added service through this portable terminal, WAP gateway will be forwarded to MISC or trusted SP from the order/access request message (order/access request) of this portable terminal.MISC or trusted SP will verify this order/access request message according to the IP address of the order/access request message that is received; If the order/access request message that is received from WAP gateway, then should order/access request message will be accepted by MISC or trusted SP.MISC or trusted SP generate order relations and for charge information after receiving the subscription request that WAP gateway is sent.
But the order of above-mentioned value-added service and use may receive the SP or the assailant's of some malice attack.For example, some malice SP or assailant will send the value added service ordering request of a lot of personations at short notice to MISC or trusted SP through WAP gateway.For example, the SP of some malice or assailant can simulate other mobile subscribers, palm off these mobile subscribers and order value-added service or make the service recorder of value-added service through the Mobile Subscriber International ISDN Number of distorting in the value added service ordering request.The WAP malice that possibly occur at present in a word, is ordered possibly comprise following several kinds of situations:
1) assailant forges order request information, makes validated user crossed charge (Over Billing).
2) assailant is a purpose with the income that increases certain SP, distorts the SP sign in the order request information.
3) assailant has ordered business, but deletion or destruction charging message cause the assailant to accept service and but do not chargeed.For convenience, this malice order is called the order of walking around charging.
Summary of the invention
In view of this, embodiments of the invention provide and have detected the system and method that WAP malice is ordered, and order to detect WAP malice effectively.
The system that the detection WAP malice that the embodiment of the invention provides is ordered comprises:
Subscribe message monitoring modular 101 is used to monitor the value added service subscribing request message of being submitted to MISC by WAP gateway, and obtains the mobile subscriber's corresponding with this value added service subscribing request message sign;
Customer flow monitoring modular 102 is used to monitor the value added service subscribing request message that is sent to WAP gateway by GGSN, and obtains the mobile subscriber's corresponding with this value added service subscribing request message sign;
Malice is ordered and is analyzed and alarm module 103; Whether the mobile subscriber's who is used to check that subscribe message monitoring modular 101 obtains sign is consistent with the mobile subscriber's that customer flow monitoring modular 102 obtains sign; If inconsistent, then judge the value added service ordering request that the value added service subscribing request message corresponding with inconsistent mobile user identification forged for the assailant.
The system that the detection WAP WAP malice that another embodiment of the present invention provides is ordered comprises:
Order monitoring means 301, be used to monitor the value added service ordering request of submitting to by the mobile subscriber;
Charge information monitoring modular 302, be used to collect request order value-added service the mobile subscriber for charge information;
Malice is ordered and is analyzed and alarm module 303; 501; Be used to judge that ordering request that monitoring means 301 monitors orders the mobile subscriber of value-added service and whether have accordingly for charge information; If no, then judge this request order value-added service the mobile subscriber for charge information by deletion or revise, also promptly belong to the WAP malice of walking around charging and order.
The method that the detection WAP malice that the embodiment of the invention provides is ordered comprises:
The value added service subscribing request message that monitoring is submitted to MISC by WAP gateway, and obtain first mobile user identification, said first mobile user identification be with this by the sign of WAP gateway to the corresponding mobile subscriber of the value added service subscribing request message of MISC submission;
Monitoring sends to the value added service subscribing request message of WAP gateway by GGSN, and obtains second mobile user identification, and said second mobile user identification is for being sent to the corresponding mobile subscriber's of the value added service subscribing request message of WAP gateway sign with this by GGSN; And
Check whether said first mobile user identification is consistent with said second mobile user identification,, then judge the value added service subscribing request message that the value added service subscribing request message corresponding with this inconsistent mobile user identification forged for the assailant if inconsistent.
The method that the detection WAP malice that another embodiment of the present invention provides is ordered comprises:
The value added service subscribing request message that monitoring is submitted to by the mobile subscriber;
The request of collecting order value-added service the mobile subscriber for charge information; And
Judge that the request monitor orders the mobile subscriber of value-added service and whether have accordingly for charge information, if do not have, then judge request order value-added service the mobile subscriber for charge information by deletion or revise, belong to the WAP malice of walking around charging and order.
This shows that the system and method that the described detection of embodiment of the invention WAP malice is ordered can effectively detect and prevent the behavior of WAP malice order, thus protection mobile subscriber's legitimate rights and interests.
Description of drawings
Fig. 1 is the internal structure sketch map of the embodiment of the invention 1 described detection WAP malice order system;
Fig. 2 is the embodiment of the invention 1 a described detection WAP malice booking method flow chart;
Fig. 3 is the internal structure sketch map of the embodiment of the invention 2 described detection WAP malice order systems;
Fig. 4 is the embodiment of the invention 2 described detection WAP malice booking method flow charts;
Fig. 5 is the internal structure sketch map of the embodiment of the invention 3 and 4 described detection WAP malice order systems;
Fig. 6 is the embodiment of the invention 3 described detection WAP malice booking method flow charts;
Fig. 7 is the embodiment of the invention 4 described detection WAP malice booking method flow charts;
Fig. 8 is the internal structure sketch map of the embodiment of the invention 4 described detection WAP malice order systems.
Embodiment
In order to solve the problem that WAP malice is ordered; Embodiments of the invention provide and have detected the system and method that WAP malice is ordered; Can be to monitoring and analyze with value increasing service ordering information and/or charging relevant information; Thereby accomplish the detection that WAP malice is ordered, prevent the behavior of WAP malice order effectively.
To combine concrete embodiment and accompanying drawing specific embodiments of the invention to be elaborated below.
Embodiment 1
In order to detect the WAP malice order behavior that the assailant forges order request information, present embodiment discloses the system that a kind of WAP of detection malice is ordered.The internal structure of the described detection of present embodiment WAP malice order system is as shown in Figure 1, mainly comprises:
Subscribe message monitoring modular 101 is used to monitor the value added service subscribing request message of being submitted to MISC by WAP gateway, and obtains the mobile subscriber's corresponding with this value added service subscribing request message sign; Wherein, mobile subscriber's sign for example is Mobile Subscriber International ISDN number (MSISDN) or IMSI International Mobile Subscriber Identity (IMSI, International Mobile Subscriber Identity) of portable terminal as previously mentioned etc.;
Customer flow monitoring modular 102 is used to monitor the value added service subscribing request message that is sent to WAP gateway by GGSN, and obtains corresponding with this value added service subscribing request message mobile subscriber's sign;
Malice is ordered and is analyzed and alarm module 103; The mobile subscriber's whether mobile subscriber's who is used to check that subscribe message monitoring modular 101 obtains sign is obtained with customer flow monitoring modular 102 sign is consistent; If inconsistent, then judge the value added service ordering request that the value added service subscribing request message corresponding with inconsistent mobile user identification forged for the assailant.
In the present embodiment, malice the consistent concrete implementation of sign that order to analyze the mobile subscriber whether sign of checking the mobile subscriber that subscribe message monitoring modulars 101 obtain with alarm module 103 obtain with customer flow monitoring modular 102 has multiple.
For example: subscribe message monitoring modular 101 can be monitored by predefined time period segmentation with customer flow monitoring modular 102.Concrete; Subscribe message monitoring modular 101 is monitored the value added service subscribing request message of being submitted to MISC by WAP gateway in the predefined time period; Obtain the mobile subscriber's corresponding sign, and the mobile subscriber's that will in this time period, obtain sign reports analysis of malice order and alarm module 103 with this value added service subscribing request message.Customer flow monitoring modular 102 is monitored the value added service subscribing request message that is sent to WAP gateway by GGSN in this time period; Obtain the mobile subscriber's corresponding sign, and the mobile subscriber's that will in this time period, obtain sign reports analysis of malice order and alarm module 103 with this value added service subscribing request message.Malice order to be analyzed and the mobile subscriber's that alarm module 103 reports subscribe message monitoring modular 101 sign and the mobile subscriber's that customer flow monitoring modular 102 reports sign compare; If find special mobile user's sign, then think the value added service subscribing request message corresponding value added service ordering request for assailant's forgery with this special mobile user's sign.Preferably, this special mobile user's sign belongs to the mobile subscriber's who is reported by subscribe message monitoring modular 101 sign and does not belong to the mobile subscriber's who is reported by customer flow monitoring modular 102 sign.Possibility in the value added service subscribing request message that MISC submits to is bigger because the value added service ordering request that the assailant forges appears at WAP gateway.Perhaps, this special mobile user's sign belongs to the mobile subscriber's who is reported by customer flow monitoring modular 102 sign and does not belong to the mobile subscriber's who is reported by subscribe message monitoring modular 101 sign.Sign through the contrast mobile subscriber can judge whether the value added service ordering request that the assailant forges, thereby has avoided chargeing for crossing of user, has guaranteed network security, has improved user's use experience.And mobile subscriber's sign is sent to analysis of malice order and alarm module 103; Reduced the transmission capacity of information; If the load that this information then can alleviate network through network delivery if this information is internal delivery information, can reduce the live load of whole device.
For example; Subscribe message monitoring modular 101 is used to monitor the value added service subscribing request message of being submitted to MISC by WAP gateway; Obtain the mobile subscriber's corresponding sign, and according to the order of sequence the said mobile subscriber's who obtains sign is sent to malice and order and analyze and alarm module 103 with this value added service subscribing request message.Customer flow monitoring modular 102; Be used to monitor the value added service subscribing request message that sends to WAP gateway by GGSN; Obtain the mobile subscriber's corresponding sign, and according to the order of sequence the said mobile subscriber's who obtains sign is sent to malice and order and analyze and alarm module 103 with this value added service subscribing request message.Analysis of malice order and alarm module 103 are used for the mobile subscriber's of the mobile subscriber's of subscribe message monitoring modular 101 transmissions identifier and 102 transmissions of customer flow monitoring modular identifier is compared; If find incorrect order mobile subscriber's sign, then think the value added service subscribing request message corresponding value added service ordering request for assailant's forgery with this incorrect order mobile subscriber's sign.
For example; Subscribe message monitoring modular 101 is used to monitor the value added service subscribing request message of being submitted to MISC by WAP gateway; Obtain the mobile subscriber's corresponding sign, and the said mobile subscriber's who obtains sign and acquisition time sent to analysis of malice order and alarm module 103 with this value added service subscribing request message.Customer flow monitoring modular 102; Be used to monitor the value added service subscribing request message that sends to WAP gateway by GGSN; Obtain the mobile subscriber's corresponding sign, and the said mobile subscriber's who obtains sign and acquisition time sent to analysis of malice order and alarm module 103 with this value added service subscribing request message.Analysis of malice order and alarm module 103 are used for the mobile subscriber's of the mobile subscriber's of subscribe message monitoring modular 101 transmissions sign and 102 transmissions of customer flow monitoring modular sign is compared according to time corresponding; If the mobile subscriber's who finds to be sent by subscribe message monitoring modular 101 sign is different from the moment of the mobile subscriber's that customer flow monitoring modular 102 sends sign, then think the value added service subscribing request message corresponding value added service ordering request for assailant's forgery with this moment.
In conjunction with above-mentioned example, malice is ordered the SP sign in analysis and the alarm module 103 all right further contrast value added service subscribing request message in the system that the detection WAP malice that the embodiment of the invention provides is ordered.At this moment; Subscribe message monitoring modular 101 is used to monitor the value added service subscribing request message of being submitted to MISC by WAP gateway; Obtain the mobile subscriber's corresponding sign and SP sign, and the mobile subscriber's who obtains sign and SP sign reported analysis of malice order and alarm module 103 with this value added service subscribing request message; Customer flow monitoring modular 102 is used to monitor the value added service subscribing request message that is sent to WAP gateway by GGSN; Obtain the mobile subscriber's corresponding sign and SP sign, and the mobile subscriber's who obtains sign and SP sign reported analysis of malice order and alarm module 103 with this value added service subscribing request message.Malice order to be analyzed and the mobile subscriber's that alarm module 103 reports subscribe message monitoring modular 101 sign and the mobile subscriber's that customer flow monitoring modular 102 reports sign compare; If a mobile subscriber's who is reported by subscribe message monitoring modular 101 sign not in the mobile subscriber's who is reported by customer flow monitoring modular 102 sign, is then thought the value added service subscribing request message corresponding with this mobile subscriber's the sign value added service ordering request for assailant's forgery; In the sign that is identified at the mobile subscriber who reports by customer flow monitoring modular 102 as if a mobile subscriber who reports by subscribe message monitoring modular 101; Further judge then whether the corresponding SP sign of SP sign that this mobile subscriber's who is reported by subscribe message monitoring modular 101 sign is corresponding and this mobile subscriber's who is reported by customer flow monitoring modular 102 sign is consistent; If inconsistent, then think the value added service ordering request that the value added service subscribing request message corresponding with this mobile subscriber's sign forged for the assailant.Thus, can further improve the security performance of network, monitor out the value added service ordering request of the replacing SP that forges by the assailant, better avoid the user to be crossed and charge.
Further; Can also contrast the other guide of value added service subscribing request message; At this moment, when subscribe message monitoring modular 101 is monitored value added service subscribing request message with customer flow monitoring modular 102, except sign, the SP that obtains the mobile subscriber who asks the order value-added service identifies; Also will further obtain the other guide in this value added service ordering request, and report analysis of malice order and alarm module 103.Malice order to be analyzed the mobile subscriber's who at first subscribe message monitoring modular 101 is reported with alarm module 103 sign and the mobile subscriber's that customer flow monitoring modular 102 reports sign compares the value added service ordering request of exclusive segment assailant forgery; Then, again that identical mobile user identification is corresponding SP sign compares, and gets rid of the value added service ordering request that a part of assailant forges again; At last; Content with the value added service ordering request of the identical mobile user identification of correspondence and SP sign compares again; If content is inconsistent, then think the value added service ordering request that the value added service subscribing request message corresponding with this mobile subscriber's sign forged for the assailant.That is to say to have only the identical subscribe message of content of mobile subscriber's sign, SP sign and value added service ordering request to be only legal subscribe message.
In order to monitor the value added service subscribing request message of submitting to MISC by WAP gateway; Can directly subscribe message monitoring modular 101 be deployed in the value added service subscribing request message of being submitted to MISC by WAP gateway with direct detection between WAP gateway and the MISC system; Perhaps between WAP gateway and MISC system, disposing one is used to gather by the information gathering point of WAP gateway to the value added service subscribing request message of MISC submission; At this moment, above-mentioned subscribe message monitoring modular 101 can be deployed in one independently on the server.
Similarly; In order to monitor the value added service subscribing request message that sends to WAP gateway by GGSN; Can be directly customer flow monitoring modular 102 be deployed between gprs system and the WAP gateway value added service subscribing request message that is sent to WAP gateway with direct monitoring by GGSN; Perhaps between gprs system and WAP gateway, dispose one and be used to gather the information gathering point that sends to the value added service subscribing request message of WAP gateway by GGSN; At this moment, above-mentioned customer flow monitoring modular 102 can be deployed in one independently on the server.
Malice order to be analyzed and alarm module 103 can directly be deployed in one independently on the server.
Need to prove that in the present embodiment, subscribe message monitoring modular 101, customer flow monitoring modular 102 and malice are ordered to analyze and can be deployed on the identical or different hardware devices with alarm module 103.
The system that corresponding above-mentioned detection WAP malice is ordered, the method that present embodiment also provides a kind of WAP of detection malice to order as shown in Figure 2ly mainly may further comprise the steps:
Step 201 is monitored the value added service subscribing request message of being submitted to MISC by WAP gateway, and obtains the mobile subscriber's corresponding with this value added service subscribing request message sign, and also promptly the mobile subscriber's of value-added service sign is ordered in request;
Step 202, monitoring sends to the value added service subscribing request message of WAP gateway by GGSN, and obtains the mobile subscriber's corresponding with this value added service subscribing request message sign, and also promptly the mobile subscriber's of value-added service sign is ordered in request;
Need to prove that above-mentioned steps 201 and 202 does not have the restriction on the execution sequence, also promptly both can first execution in step 201, also can first execution in step 202, or carry out above-mentioned steps 201 and 202 simultaneously;
Step 203; Whether inspection step 201 is consistent with the sign that step 202 is obtained; Also i.e. inspection with by WAP gateway to the corresponding mobile subscriber's of the value added service subscribing request message of MISC submission sign whether and with the value added service subscribing request message that sends to WAP gateway by GGSN corresponding mobile subscriber's sign consistent; If inconsistent, then judge the value added service ordering request that the value added service subscribing request message corresponding with inconsistent mobile user identification forged for the assailant.At this moment, can further produce warning information reminds operator to note this WAP malice order behavior.
On the contrary, in above-mentioned steps 203, if consistent, could preliminary judgement should not the value added service ordering request that the assailant forges to the value added service ordering request that MISC submits to then by WAP gateway.
This shows; The system and method that above-mentioned detection WAP malice is ordered is through monitoring and the value added service subscribing request message of being submitted to MISC by WAP gateway; Monitor the value added service subscribing request message that sends to WAP gateway by GGSN simultaneously and judge by WAP gateway whether really submitted the value-added service request to the corresponding mobile subscriber of value added service subscribing request message that MISC submits to; Thereby can detect the WAP malice order behavior that the assailant forges order request information effectively, thereby protection mobile subscriber's legitimate rights and interests.
In the present embodiment, the concrete realization of step 203 can be with reference to the description of analysis of malice order and alarm module 103 method of works in the system of monitoring WAP malice order as shown in Figure 1.Accordingly, step 201,202 also can be with reference to the description in embodiment illustrated in fig. 1.
Can find out from the foregoing description 1; Above-mentioned two kinds of technical schemes all be through monitoring by WAP gateway to the value added service subscribing request message that MISC submits to, detect value added service subscribing request message that whether the corresponding mobile subscriber of this service order request message submitted to the value added service ordering request to detect to be submitted to MISC by WAP gateway then and whether be value added service ordering message that the assailant forges.
Embodiment 2
Order behavior in order to detect the WAP malice of walking around charging, embodiments of the invention provide another to detect the system that WAP malice is ordered.Fig. 3 has shown the internal structure sketch map of the described detection of present embodiment WAP malice order system, and as shown in Figure 3, this system mainly comprises:
Order monitoring means 301, be used to monitor the value added service ordering request of submitting to by the mobile subscriber;
Charge information monitoring modular 302, be used to collect request order value-added service the mobile subscriber for charge information;
Malice is ordered and is analyzed and alarm module 303; Be used to judge whether the mobile subscriber of request order value-added service has accordingly for charge information; If do not have; Then having been deleted or modification for charge information of the mobile subscriber of judgement request order value-added service also promptly belongs to the WAP malice order of walking around charging.
Particularly; In the present embodiment; Order monitoring means 301 need further obtain the corresponding mobile subscriber of institute's value added service ordering request of monitor when the value added service ordering request that monitoring is submitted to by the mobile subscriber sign, like this malice order analyze and the mobile subscriber's that alarm module 303 will obtain according to order monitoring means 301 sign check 302 collections of charge information monitoring modular for charge information in this mobile subscriber's sign charge information of pairing generation whether.Wherein, comprise mobile subscriber's sign (for example MSISDN number or IMSI number) at least, can also comprise one or more of time period, charge type (for example monthly payment, press bar number etc.) etc. of SP sign, service identifiers, subscribed services for charge information.
With reference to embodiment illustrated in fig. 1; Analysis of malice order and alarm module 303 also can have multiple implementation in the present embodiment; The mobile subscriber's in a period of time sign relatively for example, the perhaps sequence of mobile subscriber's sign relatively, perhaps relatively mobile subscriber's sign and the time of obtaining.Further, except comparing mobile subscriber's sign, can also be further relatively, the other guide in SP mark and/or the value added service ordering request, for example concrete service content etc.Thus, whether can judge more accurately for charge information by deletion or modification.
Order to analyze with alarm module 303 in malice and to judge when belonging to the WAP malice order of walking around charging; This malice is ordered to analyze and can be produced warning information with alarm module 303 and remind operator to notice that this WAP malice orders behavior, and can further ask MISC to generate for charge information or cancel value added service ordering.
In the present embodiment; Ordering monitoring means 301 can comprise: subscribe message monitoring modular 101 is monitored the value added service ordering request by mobile subscriber submitted by WAP gateway to the mode of the value added service subscribing request message of MISC submission in order to monitoring; At this moment; Can directly subscribe message monitoring modular 101 be deployed in the value added service ordering of being submitted to MISC by WAP gateway with direct detection between WAP gateway and the MISC system please; Perhaps between WAP gateway and MISC system, disposing one is used to gather by the value added service ordering information requested collection point of WAP gateway to the MISC submission; At this moment, subscribe message monitoring modular 101 can be deployed in one independently on the server.
Perhaps; In the present embodiment; Ordering monitoring means 301 can comprise: customer flow monitoring modular 102 is monitored the value added service ordering request of being submitted to by the mobile subscriber in order to monitoring by the mode that GGSN sends to the value added service subscribing request message of WAP gateway; At this moment; Can be directly customer flow monitoring modular 102 be deployed between gprs system and the WAP gateway value added service subscribing request message that is sent to WAP gateway with direct monitoring by GGSN; Perhaps between gprs system and WAP gateway, dispose one and be used to gather the information gathering point that is sent to the value added service subscribing request message of WAP gateway by GGSN, at this moment, customer flow monitoring modular 102 can be deployed in one independently on the server.
In addition; Order for the request of collecting value-added service the mobile subscriber for charge information; Can be directly with charge information monitoring modular 302 be deployed among the MISC with direct collection request order value-added service the mobile subscriber for charge information; Perhaps in MISC, dispose one and be used to the information gathering point for charge information that the mobile subscriber of value-added service is ordered in the request of collecting, at this moment, charge information monitoring modular 302 can be deployed in one independently on the server.
Malice order to be analyzed and alarm module 303 can directly be deployed in one independently on the server.
Need to prove, in the present embodiment, order monitoring means 301, charge information monitoring modular 302 and the analysis of malice order and can be deployed on the identical or different servers with alarm module 303.
The system that corresponding above-mentioned detection WAP malice is ordered, the method that present embodiment also provides a kind of WAP of detection malice to order as shown in Figure 4ly mainly may further comprise the steps:
Step 401, the value added service subscribing request message that monitoring is submitted to by the mobile subscriber;
As previously mentioned; In this step; Can monitor the value added service subscribing request message of submitting to by the mobile subscriber by WAP gateway to the mode of the value added service subscribing request message of MISC submission through monitoring, can also monitor the value added service subscribing request message of submitting to by the mobile subscriber by the mode that GGSN sends to the value added service subscribing request message of WAP gateway through monitoring;
Step 402, the request of collecting order value-added service the mobile subscriber for charge information;
Step 403; Whether the mobile subscriber who judges the value-added service of request order has accordingly for charge information; If no, then having been deleted or modification for charge information of the mobile subscriber of decision request order value-added service also promptly belongs to the WAP malice of walking around charging and orders.
In this case, said method can further include and produces warning information and remind operator to notice that this WAP malice orders behavior, and further request MISC generates the step for charge information or cancellation value added service ordering.
The system that the concrete realization of step 403 can be ordered with reference to Fig. 3 and detection WAP malice shown in Figure 1.
This shows; The system and method that above-mentioned detection WAP malice is ordered is through monitoring and the value added service subscribing request message of being submitted to MISC by WAP gateway; Collection is for charge information; And judge request order the mobile subscriber of value-added service whether have accordingly for charge information judge request order value-added service the mobile subscriber for charge information by deletion or revise, order behavior thereby can detect the WAP malice of walking around charging effectively, protection mobile subscriber's legitimate rights and interests.
Embodiment 3
In order to detect the WAP malice order behavior that the assailant forges order request information and walks around charging simultaneously; The system that present embodiment discloses a kind of WAP of detection malice order combines the foregoing description 1 with embodiment 2, whether also promptly detect the value added service ordering request simultaneously is whether value added service ordering request and the value added service ordering request that the assailant forges is that the WAP malice of walking around charging is ordered behavior.The internal structure sketch map of the described detection of present embodiment WAP malice order system is also as shown in Figure 5, mainly comprises:
Subscribe message monitoring modular 101 is used to monitor the value added service ordering request of being submitted to MISC by WAP gateway, and obtains the mobile subscriber's corresponding with this value added service ordering request sign; Wherein, mobile subscriber's sign for example is MSISDN or IMSI of portable terminal etc.;
Customer flow monitoring modular 102 is used to monitor the value added service subscribing request message that is sent to WAP gateway by GGSN, and obtains the mobile subscriber's corresponding with this value added service ordering request sign;
Charge information monitoring modular 302, be used to collect request order value-added service the mobile subscriber for charge information; Wherein, for the sign that comprises the mobile subscriber in the charge information at least;
Malice is ordered and is analyzed and alarm module 501; The mobile subscriber's whether mobile subscriber's who is used to check that subscribe message monitoring modular 101 obtains sign is obtained with customer flow monitoring modular 102 sign is consistent; If inconsistent, then judge the value added service ordering request that the corresponding value added service subscribing request message of inconsistent mobile user identification is forged for the assailant; If it is consistent; Whether the mobile subscriber who then further judges the value-added service of request order has accordingly for charge information; If no, then having been deleted or modification for charge information of the mobile subscriber of judgement request order value-added service also promptly belongs to the WAP malice order of walking around charging.
Particularly; In the present embodiment, malice sign inspection that order to analyze the mobile subscriber that will obtain according to subscribe message monitoring modular 101 or customer flow monitoring modular 102 with alarm module 501 302 collections of charge information monitoring modular for charge information in this mobile subscriber's sign charge information of pairing generation whether.
In addition; Of embodiment 1; In the present embodiment; Subscribe message monitoring modular 101 can be monitored by predefined time period segmentation with customer flow monitoring modular 102, and except obtaining the corresponding mobile user identification of value added service subscribing request message, can also further obtain the other guide of SP sign and/or value added service ordering request.Malice is ordered analysis and alarm module 501 can be judged by predefined time period segmentation; And when the information that contrast subscribe message monitoring modular 101 and customer flow monitoring modular 102 report; Except contrast mobile subscriber's sign, the other guide of all right further SP sign and/or value added service ordering request.
Need to prove; Malice orders analysis and alarm module 501 judges whether value added service subscribing request message is the value added service ordering request that the assailant forges earlier, and the back judges whether value added service ordering is to belong to the WAP malice of walking around charging to order just example.In practical application; Do not limit the execution sequence of these two processes; Also be that malice order to be analyzed can to carry out earlier with alarm module 501 and judged that whether value added service ordering is to belong to the WAP malice order of walking around charging, judges then whether value added service subscribing request message is the value added service ordering request that the assailant forges; Perhaps can also above-mentioned two processes of executed in parallel.
After detecting the behavior of WAP malice order; Analysis of malice order and alarm module can send alarm signal and remind operator to note; Especially, after finding to walk around the WAP malice order behavior of charging, further request MISC generates the order for charge information or cancellation value-added service.
Described in embodiment 1 and 2; Can directly subscribe message monitoring modular 101 be deployed between WAP gateway and the MISC system; Perhaps between WAP gateway and MISC system, disposing one is used to gather by the value added service ordering information requested collection point of WAP gateway to the MISC submission; At this moment, subscribe message monitoring modular 101 can be deployed in one independently on the server.
Can directly customer flow monitoring modular 102 be deployed between gprs system and the WAP gateway; Perhaps between gprs system and WAP gateway, dispose one and be used to monitor the information gathering point that sends to the value added service subscribing request message of WAP gateway by GGSN; At this moment, customer flow monitoring modular 102 can be deployed in one independently on the server.
In addition; Can also directly charge information monitoring modular 302 be deployed among the MISC; Perhaps in MISC, dispose one and be used to the information gathering point that the mobile subscriber of value-added service is ordered in the request of collecting for charge information; At this moment, charge information monitoring modular 302 can be deployed in one independently on the server.
Malice order to be analyzed and 501 of alarm modules can directly be deployed in one independently on the server.
Need to prove that in the present embodiment, subscribe message monitoring modular 101, customer flow monitoring modular 102, charge information monitoring modular 302 and malice are ordered to analyze and can be deployed on the identical or different servers with alarm module 501.
The system that corresponding above-mentioned detection WAP malice is ordered, the method that present embodiment also provides a kind of WAP of detection malice to order as shown in Figure 6ly mainly may further comprise the steps:
Step 601 is monitored the value added service subscribing request message of being submitted to MISC by WAP gateway, and obtains the corresponding mobile subscriber's of this value added service subscribing request message sign, also promptly obtains the mobile subscriber's who orders value-added service sign;
Step 602, monitoring sends to the value added service subscribing request message of WAP gateway by GGSN, and obtains the corresponding mobile subscriber's of this value added service subscribing request message sign, and the mobile subscriber's of value-added service sign is ordered in the request of also promptly obtaining;
Need to prove that above-mentioned steps 601 and 602 does not have the restriction on the execution sequence, also promptly both can first execution in step 801, also can first execution in step 602, execution in step 601 and 602 simultaneously;
Step 603; Whether inspection step 601 is consistent with the sign that step 602 is obtained; Also i.e. inspection with by WAP gateway to the corresponding mobile subscriber's of the value added service subscribing request message of MISC submission sign whether and with the value added service subscribing request message that sends to WAP gateway by GGSN corresponding mobile subscriber's sign consistent; If inconsistent, then execution in step 604; If consistent, then execution in step 605;
Step 604 is judged the value added service ordering request that the corresponding value added service subscribing request message of inconsistent mobile user identification is forged for the assailant; At this moment, can further produce warning information reminds operator to note this WAP malice order behavior;
Step 605, the request of collecting order value-added service the mobile subscriber for charge information;
Step 606; Whether the mobile subscriber who judges the value-added service of request order has accordingly for charge information; If no, then having been deleted or modification for charge information of the mobile subscriber of judgement request order value-added service also promptly belongs to the WAP malice order of walking around charging.
In this case, said method can further include request MISC and generates the step for charge information or cancellation value added service ordering.
Need to prove; In the said method; Judge that earlier whether value added service subscribing request message is the process (step 601 to step 604) of assailant's value added service ordering request of forging, the back is carried out and is judged that whether value added service ordering is that the process (step 605 to step 606) that belongs to the WAP malice order of walking around charging is an example.In practical application; Do not limit the execution sequence of these two processes; Also promptly can carry out earlier and judge that whether value added service ordering is to belong to the process (step 605 to step 606) that the WAP malice of walking around charging is ordered, then carry out and judge that whether value added service subscribing request message is the process (step 601 to step 604) of assailant's value added service ordering request of forging; Perhaps above-mentioned two processes of executed in parallel.
The realization that above-mentioned steps is concrete can be with reference to the description among the embodiment 1.
This shows that the system and method that above-mentioned detection WAP malice is ordered can detect the WAP malice order behavior that the assailant forges the WAP malice order behavior of order request information and walks around charging effectively, thereby ensure mobile subscriber's legitimate rights and interests.
The foregoing description 3 be at first through monitoring by WAP gateway to the value added service subscribing request message that MISC submits to, whether detecting the corresponding mobile subscriber of this service order request message, whether submitted to the value added service ordering request to detect by WAP gateway be the value added service ordering message that the assailant forges to the value added service subscribing request message that MISC submits to.Then, through judging that request orders the mobile subscriber of value-added service and whether have accordingly for charge information, judge that belonging to the WAP malice of walking around charging orders again.
As the replacement scheme of the foregoing description 3, embodiments of the invention also provide a kind of can detect the system and method that the assailant forges the WAP malice order behavior of order request information and walks around the WAP malice order behavior of charging simultaneously.
Embodiment 4
In order to detect the WAP malice order behavior that the assailant forges order request information and walks around charging simultaneously; Present embodiment discloses the system that a kind of WAP of detection malice is ordered, and whether detect the value added service ordering request simultaneously is whether value added service ordering request and the value added service ordering request that the assailant forges is that the WAP malice of walking around charging is ordered behavior.The internal structure of the system that the detection WAP malice that present embodiment proposed is ordered is also as shown in Figure 8, mainly comprises:
Subscribe message monitoring modular 101 be used to monitor the value added service subscribing request message of being submitted to MISC by WAP gateway, and the mobile subscriber's of value-added service sign is ordered in the request of obtaining; Wherein, the MSISDN of portable terminal or IMSI etc.;
User Status monitoring modular 801 is used for the online or off-line state according to this mobile subscriber of sign monitoring of the mobile subscriber who orders value-added service;
Particularly, the customer flow monitoring modular can judge that this mobile subscriber is in line states or is in off-line state through the last offline information of the mobile subscriber who comprises in the Radius message;
Charge information monitoring modular 302, be used to collect request order value-added service the mobile subscriber for charge information;
Malice is ordered and is analyzed and alarm module 802; Be used for when subscribe message monitoring modular 101 monitors by WAP gateway to value added service subscribing request message that MISC submits to; Judge according to the monitoring result of User Status monitoring modular 801 whether the mobile subscriber who orders value-added service is in off-line state; Be in off-line state if order the user of value-added service, judge that then this is the value added service ordering request that the assailant forges by WAP gateway to the value added service ordering request that MISC submits to, be in line states if order the mobile subscriber of value-added service; Whether the mobile subscriber who then further judges the value-added service of request order has accordingly for charge information; If no, then having been deleted or modification for charge information of the mobile subscriber of judgement request order value-added service also promptly belongs to the WAP malice order of walking around charging.
Particularly, in the present embodiment, malice order to analyze with alarm module 802 will according to 101 inspections of subscribe message monitoring modular 302 collections of charge information monitoring modular for charge information in whether this mobile subscriber's sign charge information of pairing generation is arranged.
After detecting the behavior of WAP malice order; Analysis of malice order and alarm module 802 can send alarm signal and remind operator to note; Especially, after finding to walk around the WAP malice order behavior of charging, further request MISC generates the order for charge information or cancellation value-added service.
Need to prove; Malice orders analysis and alarm module 802 judges whether value added service subscribing request message is the value added service ordering request that the assailant forges earlier, and the back judges whether value added service ordering is to belong to the WAP malice of walking around charging to order just example.In practical application; Do not limit the execution sequence of these two processes; Also be that malice order to be analyzed can to carry out earlier with alarm module 802 and judged that whether value added service ordering is to belong to the WAP malice order of walking around charging, judges then whether value added service subscribing request message is the value added service ordering request that the assailant forges; Perhaps can also above-mentioned two processes of executed in parallel.
In the present embodiment; Can directly subscribe message monitoring modular 101 be deployed between WAP gateway and the MISC system; Perhaps between WAP gateway and MISC system, disposing one is used to gather by the value added service ordering information requested collection point of WAP gateway to the MISC submission; At this moment, subscribe message monitoring modular 101 can be deployed in one independently on the server.
In addition; Can also directly charge information monitoring modular 302 be deployed among the MISC; Perhaps in MISC, dispose one and be used to the information gathering point that the mobile subscriber of value-added service is ordered in the request of collecting for charge information; At this moment, charge information monitoring modular 302 can be deployed in one independently on the server.
Malice order to be analyzed and 802 of alarm modules can directly be deployed in one independently on the server.During concrete the realization, malice is ordered analysis and alarm module 802 may be embodied as two sub-module, i.e. first malice order analysis and alarm module and second malice are ordered and analyzed and alarm module.First malice orders analysis and alarm module is responsible for judging crossing to charge, and second malice orders analysis and alarm module is responsible for judging walking around to charge.When two judgements are carried out simultaneously; Above-mentioned two malice order analysis and alarm module works alone respectively; When one of them judged based on another judged result, above-mentioned two malice were ordered to analyze with alarm module and can after judging, be notified another malice to order analysis and alarm module.
Need to prove that in the present embodiment, subscribe message monitoring modular 101, User Status monitoring modular 801, charge information monitoring modular 302 and malice are ordered to analyze and can be deployed on the identical or different hardware devices with alarm module 802.
The system that corresponding above-mentioned detection WAP malice is ordered, the method that present embodiment also provides a kind of WAP of detection malice to order as shown in Figure 7ly mainly may further comprise the steps:
Step 701, the value added service subscribing request message that monitoring is submitted to MISC by WAP gateway, and the mobile subscriber's of value-added service sign is ordered in the request of obtaining;
Step 702 is monitored this mobile subscriber according to the mobile subscriber's who orders value-added service sign and whether is in off-line state, if this mobile subscriber is in off-line state, then execution in step 703; If this mobile subscriber is in line states, judge that then this is not the value added service ordering request that the assailant forges by WAP gateway to the value added service ordering request that MISC submits to, execution in step 704 then;
In this step, can go up offline information through the mobile subscriber who comprises in the Radius message and judge that this mobile subscriber is in line states or is in off-line state;
Step 703 judges that this is the value added service ordering request that the assailant forges by WAP gateway to the value added service ordering request that MISC submits to; At this moment, can further produce warning information reminds operator to note this WAP malice order behavior;
Step 704, the request of collecting order value-added service the mobile subscriber for charge information;
Step 705 judges that request orders the mobile subscriber of value-added service and whether have accordingly for charge information, if do not have, then judge request order value-added service the mobile subscriber for charge information by deletion or revise, belong to the WAP malice of walking around charging and order.
In this case, said method can further include request MISC and generates the step for charge information or cancellation value added service ordering.
Need to prove; In the said method; Judge that earlier whether value added service subscribing request message is the process (step 701 to step 703) of assailant's value added service ordering request of forging, the back is carried out and is judged that whether value added service ordering is that the process (step 704 to step 705) that belongs to the WAP malice order of walking around charging is an example.In practical application; Do not limit the execution sequence of these two processes; Also promptly can carry out earlier and judge that whether value added service ordering is to belong to the process (step 704 to step 705) that the WAP malice of walking around charging is ordered, then carry out and judge that whether value added service subscribing request message is the process (step 701 to step 703) of assailant's value added service ordering request of forging; Perhaps above-mentioned two processes of executed in parallel.
This shows that the system and method that above-mentioned detection WAP malice is ordered can detect the WAP malice order behavior that the assailant forges the WAP malice order behavior of order request information and walks around charging effectively, thereby ensure mobile subscriber's legitimate rights and interests.
Can find out that through the foregoing description 1 to 4 system and method that the detection WAP malice that the embodiment of the invention provides is ordered can effectively detect and prevent the behavior of WAP malice order, ensure mobile subscriber's legitimate rights and interests.
In addition; The solution that system that detection WAP malice proposed by the invention is ordered and method are based on network; New software need be installed on hardware devices such as WAP gateway or MISC; And this system and method can pass through the service traffics simple realization of monitoring WAP gateway, and needn't be connected on the communication line of WAP gateway, therefore can not influence the performance of WAP service.

Claims (14)

1.一种检测WAP恶意订购的系统,所述系统包括:1. A system for detecting WAP malicious orders, said system comprising: 订购消息监测模块(101),用于监测由WAP网关向MISC提交的增值业务订购请求消息,并获取与该增值业务订购请求消息对应的移动用户的标识;Order message monitoring module (101), for monitoring the value-added service order request message submitted to MISC by the WAP gateway, and obtain the identification of the mobile user corresponding to the value-added service order request message; 用户流量监测模块(102),用于监测由GGSN发送给WAP网关的增值业务订购请求消息,并获取与该增值业务订购请求消息对应的移动用户的标识;User flow monitoring module (102), used for monitoring the value-added service subscription request message sent to WAP gateway by GGSN, and obtaining the identification of the mobile user corresponding to the value-added service subscription request message; 恶意订购分析和报警模块(103,303),用于检查所述订购消息监测模块(101)获取的移动用户的标识与所述用户流量监测模块(102)获取的移动用户的标识是否一致,如果不一致,则判定与不一致的移动用户标识对应的增值业务订购请求消息为攻击者伪造的增值业务订购请求。Malicious order analysis and alarm module (103, 303), for checking whether the identification of the mobile user obtained by the order message monitoring module (101) is consistent with the identification of the mobile user obtained by the user traffic monitoring module (102), if If they are inconsistent, it is determined that the value-added service subscription request message corresponding to the inconsistent mobile user ID is a forged value-added service subscription request by an attacker. 2.根据权利要求1所述的系统,其特征在于,所述系统进一步包括:2. The system according to claim 1, wherein the system further comprises: 计费信息监测模块(302),用于收集请求订购增值业务的移动用户的代计费信息;A billing information monitoring module (302), used to collect billing information on behalf of mobile users who request to order value-added services; 所述恶意订购分析和报警模块(103,303)进一步用于判断请求订购增值业务的移动用户是否有相应的代计费信息,如果没有,则判断该请求订购增值业务的移动用户的代计费信息已经被删除或修改。The malicious order analysis and alarm module (103, 303) is further used to judge whether the mobile user requesting to order value-added services has corresponding billing information, if not, then judge the billing charges of the mobile user requesting to order value-added services Information has been removed or modified. 3.一种检测WAP恶意订购的系统,所述系统包括:3. A system for detecting WAP malicious orders, said system comprising: 订购监测单元(301),用于监测由移动用户提交的增值业务订购请求;A subscription monitoring unit (301), configured to monitor value-added service subscription requests submitted by mobile users; 计费信息监测模块(302),用于收集请求订购增值业务的移动用户的代计费信息;A billing information monitoring module (302), used to collect billing information on behalf of mobile users who request to order value-added services; 第一恶意订购分析和报警模块(303,501),用于判断所述订购监测单元(301)监测到的请求订购增值业务的移动用户是否有相应的代计费信息,如果没有,则判断该请求订购增值业务的移动用户的代计费信息已经被删除或修改。The first malicious order analysis and alarm module (303, 501), is used to determine whether the mobile user requesting to order value-added services monitored by the order monitoring unit (301) has corresponding billing information, and if not, then determine the The billing information of the mobile user requesting to subscribe the value-added service has been deleted or modified. 4.根据权利要求3所述的系统,其特征在于,所述订购监测单元(301)包括以下之一或其任意组合:4. The system according to claim 3, characterized in that, the order monitoring unit (301) comprises one of the following or any combination thereof: 订购消息监测模块(101),用于监测由WAP网关向MISC提交的增值业务订购请求消息,并获取请求订购该增值业务的移动用户的标识;Subscribe message monitoring module (101), be used for monitoring the value-added service subscription request message submitted to MISC by WAP gateway, and obtain the identification of the mobile user who requests to order this value-added service; 用户流量监测模块(102),用于监测由GGSN发送给WAP网关的增值业务订购请求消息,并获取请求订购该增值业务的移动用户的标识;User traffic monitoring module (102), for monitoring the value-added service subscription request message sent to WAP gateway by GGSN, and obtaining the identification of the mobile user requesting to subscribe to the value-added service; 用户状态监测模块(801),用于根据订购增值业务的移动用户的标识监测所述移动用户的在线或离线状态。A user state monitoring module (801), configured to monitor the online or offline state of the mobile user subscribing to the value-added service according to the identifier of the mobile user. 5.根据权利要求4所述的系统,其特征在于,所述订购监测单元(301)至少包括所述订购消息监测模块(101)和所述用户状态检测模块(801);5. The system according to claim 4, characterized in that, the order monitoring unit (301) comprises at least the order message monitoring module (101) and the user status detection module (801); 且所述系统进一步包括:第二恶意订购分析和报警模块,用于在所述订购消息监测模块(101)监测到有由WAP网关向MISC提交的增值业务订购请求消息时,根据所述用户状态监测模块(801)的监测结果判断订购该增值业务的移动用户是否处于离线状态,如果所述订购增值业务的用户处于离线状态,则判定该由WAP网关向MISC提交的增值业务订购请求为攻击者伪造的增值业务订购请求。And the system further includes: a second malicious order analysis and alarm module, for when the order message monitoring module (101) detects that there is a value-added service order request message submitted by the WAP gateway to the MISC, according to the user status The monitoring result of monitoring module (801) judges whether the mobile user ordering this value-added service is in an offline state, if the user ordering the value-added service is in an offline state, then it is determined that the value-added service ordering request submitted by the WAP gateway to the MISC is an assailant Fake VAS order requests. 6.根据权利要求5所述的系统,其特征在于,所述第二恶意订购分析和报警模块进一步用于,如果所述订购增值业务的用户处于在线状态,则通知所述第一恶意订购分析和报警模块判断该请求订购增值业务的移动用户的代计费信息是否被删除或修改。6. The system according to claim 5, wherein the second malicious order analysis and alarm module is further configured to notify the first malicious order analysis if the user ordering the value-added service is online And the alarm module judges whether the billing information of the mobile user requesting to order the value-added service is deleted or modified. 7.一种检测WAP恶意订购的方法,所述方法包括:7. A method for detecting WAP malicious ordering, said method comprising: 监测由WAP网关向MISC提交的增值业务订购请求消息,并获取第一移动用户标识,所述第一移动用户标识为与该由WAP网关向MISC提交的增值业务订购请求消息对应的移动用户的标识;Monitoring the value-added service subscription request message submitted by the WAP gateway to the MISC, and obtaining the first mobile user identification, the first mobile user identification is the identification of the mobile user corresponding to the value-added service subscription request message submitted by the WAP gateway to the MISC ; 监测由GGSN发送给WAP网关的增值业务订购请求消息,并获取第二移动用户标识,所述第二移动用户标识为与该由GGSN发送给WAP网关的增值业务订购请求消息对应的移动用户的标识;以及Monitoring the value-added service subscription request message sent to the WAP gateway by the GGSN, and obtaining a second mobile user identifier, the second mobile user identifier being the identifier of the mobile user corresponding to the value-added service subscription request message sent by the GGSN to the WAP gateway ;as well as 检查所述第一移动用户标识是否和所述第二移动用户标识一致,如果不一致,则判定与该不一致的移动用户标识对应的增值业务订购请求消息为攻击者伪造的增值业务订购请求消息。Check whether the first mobile user ID is consistent with the second mobile user ID, and if not, determine that the value-added service subscription request message corresponding to the inconsistent mobile user ID is a value-added service subscription request message forged by an attacker. 8.根据权利要求7所述的方法,其特征在于,所述方法进一步包括:8. The method of claim 7, further comprising: 收集请求订购增值业务的移动用户的代计费信息;以及Collect billing information on behalf of mobile users who request to subscribe to value-added services; and 根据所述第一移动用户标识和/或所述第二移动用户标识判断请求订购增值业务的移动用户是否有相应的代计费信息,如果没有,则判断该请求订购增值业务的移动用户的代计费信息已经被删除或修改。According to the first mobile user identification and/or the second mobile user identification, it is judged whether the mobile user who requests to subscribe to the value-added service has corresponding billing information on behalf of the mobile user, and if not, then it is judged that the mobile user who requests to subscribe to the value-added service has the corresponding billing information. Billing information has been deleted or modified. 9.根据权利要求8所述的方法,其特征在于,所述方法进一步包括:9. The method of claim 8, further comprising: 在判断为该请求订购增值业务的移动用户的待计费信息已经被删除或修改时,请求MISC生成代计费信息或取消增值业务订购。When it is judged that the billable information of the mobile user requesting to subscribe to the value-added service has been deleted or modified, the MISC is requested to generate billing information on behalf of or cancel the value-added service subscription. 10.一种检测WAP恶意订购的方法,所述方法包括:10. A method for detecting WAP malicious ordering, said method comprising: 监测由移动用户提交的增值业务订购请求消息;Monitoring value-added service subscription request messages submitted by mobile users; 收集请求订购增值业务的移动用户的代计费信息;以及Collect billing information on behalf of mobile users who request to subscribe to value-added services; and 判断监测到的请求订购增值业务的移动用户是否有相应的代计费信息,如果没有,则判断该请求订购增值业务的移动用户的代计费信息已经被删除或修改。Judging whether the monitored mobile user requesting to order value-added services has corresponding billing information, if not, then judging that the billing information of the mobile user requesting to order value-added services has been deleted or modified. 11.根据权利要求10所述的方法,其特征在于,所述监测由移动用户提交的增值业务订购请求消息,包括:监测由WAP网关向MISC提交的增值业务订购请求消息或监测由GGSN发送给WAP网关的增值业务订购请求消息。11. The method according to claim 10, wherein said monitoring the value-added service subscription request message submitted by the mobile user includes: monitoring the value-added service subscription request message submitted by the WAP gateway to the MISC or monitoring the value-added service subscription request message sent by the GGSN to the MISC A value-added service subscription request message of the WAP gateway. 12.根据权利要求10所述的方法,其特征在于,所述方法进一步包括:在判断为该请求订购增值业务的移动用户的待计费信息已经被删除或修改时,请求MISC生成代计费信息或取消增值业务订购。12. The method according to claim 10, characterized in that the method further comprises: when it is judged that the billable information of the mobile user requesting to subscribe to the value-added service has been deleted or modified, requesting the MISC to generate a billing fee information or to cancel a value-added service subscription. 13.根据权利要求10所述的方法,其特征在于,13. The method of claim 10, wherein, 所述监测由移动用户提交的增值业务订购消息,包括:监测由WAP网关向MISC提交的增值业务订购请求消息,并获取请求订购增值业务的移动用户的标识;The monitoring the value-added service subscription message submitted by the mobile user includes: monitoring the value-added service subscription request message submitted by the WAP gateway to the MISC, and obtaining the identification of the mobile user who requests to subscribe to the value-added service; 所述方法进一步包括:根据所述请求订购增值业务的移动用户的标识监测该移动用户是否处于离线状态,如果该移动用户处于离线状态,则判定该由WAP网关向MISC提交的增值业务订购请求消息为攻击者伪造的增值业务订购请求消息。The method further includes: monitoring whether the mobile user is offline according to the identifier of the mobile user requesting to subscribe to the value-added service, and if the mobile user is offline, then judging the value-added service order request message submitted by the WAP gateway to the MISC Value-added service subscription request message forged for the attacker. 14.根据权利要求13所述的方法,其特征在于,所述方法进一步包括:在所述根据所述请求订购增值业务的移动用户的标识监测该移动用户是否处于离线状态后,如果该移动用户处于在线状态,则执行所述判断监测到的请求订购增值业务的移动用户是否有相应的代计费信息的步骤。14. The method according to claim 13, characterized in that the method further comprises: after monitoring whether the mobile user is offline according to the identifier of the mobile user who requested to subscribe to the value-added service, if the mobile user In the online state, execute the step of judging whether the monitored mobile user requesting to order the value-added service has corresponding billing information on behalf of the user.
CN2011100084060A 2011-01-14 2011-01-14 System and method for detecting WAP (Wireless Application Protocol) hostile order Pending CN102595410A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011100084060A CN102595410A (en) 2011-01-14 2011-01-14 System and method for detecting WAP (Wireless Application Protocol) hostile order

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011100084060A CN102595410A (en) 2011-01-14 2011-01-14 System and method for detecting WAP (Wireless Application Protocol) hostile order

Publications (1)

Publication Number Publication Date
CN102595410A true CN102595410A (en) 2012-07-18

Family

ID=46483520

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011100084060A Pending CN102595410A (en) 2011-01-14 2011-01-14 System and method for detecting WAP (Wireless Application Protocol) hostile order

Country Status (1)

Country Link
CN (1) CN102595410A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932780A (en) * 2011-08-11 2013-02-13 西门子公司 System and method for detecting impersonation attack
CN105792265A (en) * 2014-12-23 2016-07-20 中国电信股份有限公司 Malicious traffic detection method and system and monitoring platform
CN107835190A (en) * 2017-11-28 2018-03-23 广东华仝九方科技有限公司 A kind of malice SP orders check method
CN111506445A (en) * 2020-04-21 2020-08-07 北京思特奇信息技术股份有限公司 Method and system for preventing repeated malicious ordering of commodities based on REDIS cache
CN113850602A (en) * 2021-08-23 2021-12-28 天翼数字生活科技有限公司 A method for preventing malicious subscription of IPTV value-added services

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056185A (en) * 2007-03-26 2007-10-17 华为技术有限公司 Processing method for service subscription, system and its gateway device
US20100291899A1 (en) * 2009-05-12 2010-11-18 Diversinet Corp. Method and system for delivering a command to a mobile device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056185A (en) * 2007-03-26 2007-10-17 华为技术有限公司 Processing method for service subscription, system and its gateway device
US20100291899A1 (en) * 2009-05-12 2010-11-18 Diversinet Corp. Method and system for delivering a command to a mobile device

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932780A (en) * 2011-08-11 2013-02-13 西门子公司 System and method for detecting impersonation attack
CN102932780B (en) * 2011-08-11 2015-08-19 西门子公司 Detect the system and method for spoof attack
CN105792265A (en) * 2014-12-23 2016-07-20 中国电信股份有限公司 Malicious traffic detection method and system and monitoring platform
CN105792265B (en) * 2014-12-23 2019-04-26 中国电信股份有限公司 Malicious traffic stream detection method and system, monitor supervision platform
CN107835190A (en) * 2017-11-28 2018-03-23 广东华仝九方科技有限公司 A kind of malice SP orders check method
CN111506445A (en) * 2020-04-21 2020-08-07 北京思特奇信息技术股份有限公司 Method and system for preventing repeated malicious ordering of commodities based on REDIS cache
CN113850602A (en) * 2021-08-23 2021-12-28 天翼数字生活科技有限公司 A method for preventing malicious subscription of IPTV value-added services

Similar Documents

Publication Publication Date Title
CN100553196C (en) Apparatus and method for integrated billing management through real-time session management in wired/wireless integrated service network
US7426381B2 (en) Device billing agent
US10015676B2 (en) Detecting fraudulent traffic in a telecommunications system
JP5394570B2 (en) Traffic counting method, its counting device, network connection charge automatic calculating method, and its calculating device
US9699676B2 (en) Policy controller based network statistics generation
JP6407170B2 (en) Method, apparatus and system for aggregating billing information
US7974602B2 (en) Fraud detection techniques for wireless network operators
WO2013108138A1 (en) Method and apparatus for performing charging control to application- layer data
EP3753273B1 (en) Msisdn request handling for identity fraud management
CN103220158A (en) Method and equipment for carrying out charging control on sponsorship data
CN108337652A (en) A kind of method and device of detection flows fraud
CN102595410A (en) System and method for detecting WAP (Wireless Application Protocol) hostile order
CN104703162B (en) A kind of method, apparatus and system by application access third party's resource
EP4246891A1 (en) System and method for detecting fraudulent network traffic
US20060130147A1 (en) Method and system for detecting and stopping illegitimate communication attempts on the internet
WO2012174829A1 (en) Short message processing method and device
CN111885586A (en) Roaming management method based on block chain and network access node
CN101742477B (en) Information processing system, device and method thereof
CN108370371A (en) Fight the detection method of charging fraud
CN109391913B (en) NB-IoT (NB-IoT) network resource slice management method and system
CN102438244B (en) Detection method and checkout gear
CN111294311B (en) A traffic accounting method and system for preventing traffic fraud
JP2009296494A (en) Information communication network, gateway, charging server, charging method for the information communication network, and charging program
CA2475207C (en) System, method and terminal for measuring the quality of service in a telecommunications network
WO2015059715A2 (en) Method and system for revenue maximization in a communication network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C05 Deemed withdrawal (patent law before 1993)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120718