
CN114422203A - Method and apparatus for identifying illegal broadband access - Google Patents


Info

Publication number: CN114422203A
Authority: CN (China)
Prior art keywords: http request, request message, different destination, addresses, threshold
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN202111631379.2A
Other languages: Chinese (zh)
Other versions: CN114422203B (en)
Inventor: 李成尧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd
Application filed by: China Telecom Corp Ltd
Priority to: CN202111631379.2A
Publication of CN114422203A
Application granted
Publication of CN114422203B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a method and apparatus for identifying illegal broadband access. Provided is a method for identifying illegal broadband access, comprising: obtaining, by a computing terminal from a core router, HTTP request messages using the GET method that come from a source IP address associated with a specific user; analyzing, by the computing terminal, the obtained HTTP request messages to count the number of different destination IP addresses contained in the HTTP request messages per unit time; comparing, by the computing terminal, the number of different destination IP addresses with a threshold; and, in response to determining that the number of different destination IP addresses is greater than the threshold, identifying, by the computing terminal, that the specific user has illegal broadband access behavior.

Description

Method and apparatus for identifying illegal broadband access

Technical field

The present disclosure relates generally to broadband access, and more particularly to a method, an apparatus, and a computer-readable storage medium for identifying illegal broadband access.

Background

Because most content on the Internet sits on the backbone networks of first-tier operators (such as China Telecom and China Unicom), that is, in the equipment rooms of the first-tier operators and their partners, other second-tier operators (such as radio-and-television cable operators and other private operators) all need to interconnect with the first-tier operators and pay them fees. In the current Chinese Internet architecture, the first-tier operators are the backbone network operators and do not pay each other for interconnection, whereas second- or third-tier operators must pay relatively expensive interconnection fees to connect to a first-tier operator's backbone network. Many third-party companies buy access bandwidth from first-tier operators but do not use it themselves; instead they resell it to other operators to earn the price difference.

A third-party company that buys large bandwidth from a first-tier operator and resells it to other operators violates current communications industry regulations, causes unfair market competition within a certain scope, and disrupts the order of the communications market. Because the threshold for third-party companies to purchase bandwidth from first-tier operators is low, and it is difficult to make a judgment through advance review of application materials, detection needs to go beyond traditional techniques.

At present, one approach in the prior art is to determine that illegal broadband access has occurred by identifying the content of packets of specific applications. The identification may include, for example, counting the cumulative number of accounts used with a specific application, counting the cumulative number of account logins for a specific application, or counting the number of concurrent NAT sessions of a network address translation (NAT) system.

Summary of the invention

A brief summary of the present disclosure is given below in order to provide a basic understanding of some aspects of the disclosure. It should be understood, however, that this summary is not an exhaustive overview of the disclosure. It is not intended to identify key or critical parts of the disclosure, nor to limit its scope. Its sole purpose is to present some concepts of the disclosure in simplified form as a prelude to the more detailed description given later.

According to one aspect of the present disclosure, there is provided a method for identifying illegal broadband access, comprising: obtaining, by a computing terminal from a core router, HTTP request messages using the GET method that come from a source IP address associated with a specific user; analyzing, by the computing terminal, the obtained HTTP request messages to count the number of different destination IP addresses contained in the HTTP request messages per unit time; comparing, by the computing terminal, the number of different destination IP addresses with a threshold; and, in response to determining that the number of different destination IP addresses is greater than the threshold, identifying, by the computing terminal, that the specific user has illegal broadband access behavior.

According to another aspect of the present disclosure, there is provided an apparatus for identifying illegal broadband access, comprising a memory having instructions stored thereon and a processor. The processor is configured to execute the instructions stored in the memory to perform: obtaining, by the apparatus from a core router, HTTP request messages using the GET method that come from a source IP address associated with a specific user; analyzing, by the apparatus, the obtained HTTP request messages to count the number of different destination IP addresses contained in the HTTP request messages per unit time; comparing, by the apparatus, the number of different destination IP addresses with a threshold; and, in response to determining that the number of different destination IP addresses is greater than the threshold, identifying, by the apparatus, that the specific user has illegal broadband access behavior.

According to yet another aspect of the present disclosure, there is provided a computer-readable storage medium comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the method according to the above aspect of the present disclosure.

Description of drawings

The accompanying drawings, which form a part of the specification, illustrate embodiments of the present disclosure and, together with the description, serve to explain the principles of the disclosure.

The present disclosure may be understood more clearly from the following detailed description with reference to the accompanying drawings, in which:

FIG. 1 shows a flowchart of a method for identifying illegal broadband access according to an embodiment of the present invention;

FIG. 2 shows a schematic diagram of a mirroring operation on a user's traffic according to an embodiment of the present disclosure;

FIG. 3 shows an example of the result of detection according to an embodiment of the present disclosure performed on the access point of a single host;

FIG. 4 shows an example of the result of detection according to an embodiment of the present disclosure performed on the access point of a high-bandwidth user;

FIG. 5 shows an example of the result of detection according to an embodiment of the present disclosure performed on the access point of another high-bandwidth user; and

FIG. 6 shows an exemplary configuration of a computing device in which embodiments according to the present disclosure can be implemented.

Detailed description

The following detailed description is made with reference to the accompanying drawings and is provided to assist in a comprehensive understanding of various example embodiments of the present disclosure. The description includes various details to aid understanding, but these details are to be regarded as examples only and not as limiting the disclosure, which is defined by the appended claims and their equivalents. The words and phrases used in the following description are used only to enable a clear and consistent understanding of the disclosure. In addition, descriptions of well-known structures, functions, and configurations may be omitted for clarity and conciseness. Those of ordinary skill in the art will recognize that various changes and modifications can be made to the examples described herein without departing from the spirit and scope of the disclosure.

The inventor of the present invention found that the techniques used in the prior art for identifying illegal broadband access have certain limitations. For example, when the number of accounts used with a specific application, or the number of account logins, is counted and used as the basis for judgment, the large number of Internet users makes it impossible to standardize which specific applications are counted, and even common applications may show statistical bias. For example, a user engaged in illegal broadband access may not use any of the counted applications at all. In addition, when the number of NAT sessions is counted and used as the basis for judgment, a user's NAT session count is not easy to obtain, and specific fields can be modified by a NAT device or third-party software in order to evade inspection. How to make detection generally applicable, and how to prevent inspection from being evaded by tampering with fields, are therefore the problems addressed by the present invention.

On this basis, the inventor proposes the present invention. The invention focuses on illegal private connection of telecom bandwidth and, based on big-data analysis of user behavior, automatically identifies illegal access behavior, technically achieving effective monitoring of illegal broadband access.

Referring now to FIG. 1, FIG. 1 shows a flowchart of a method 100 for identifying illegal broadband access according to an embodiment of the present invention. The method 100 is performed, for example, by the computing device 1200 described in FIG. 6. The method 100 may include an HTTP request message acquisition step 110, an IP address statistics step 120, a comparison step 130, and an illegal access identification step 140.

The method 100 begins with the HTTP request message acquisition step 110. In step 110, a computing terminal obtains from a core router HTTP request messages using the GET method that come from a source IP address associated with a specific user. According to an embodiment of the present disclosure, the computing terminal may be connected by a network cable to the core router of a metropolitan area network (MAN) equipment room. The computing terminal may, for example, be deployed as a monitoring terminal in the MAN equipment room at the layer above the high-bandwidth access, so that a single terminal can cover more user access points. Specifically, in one example, the network cable of the computing terminal may be connected to a Gigabit network port of the core egress router in the MAN equipment room.

What is obtained here is HTTP request messages using the GET method. Such requests can be cached and are used only to retrieve data. According to an embodiment of the present disclosure, the HTTP request message acquisition step 110 may include: configuring the core router with commands to mirror HTTP protocol traffic and, for the source IP address, using a policy to mirror the GET-method HTTP request messages to the computing terminal. According to an embodiment of the present disclosure, HTTP request messages under the HTTP protocol may, for example, be transmitted using port 80.

FIG. 2 shows a schematic diagram of a mirroring operation on a user's traffic according to an embodiment of the present disclosure. In FIG. 2, a user 210 connects to its local router (user access router 220). HTTP requests issued by the user 210 are sent to the Internet 250 via the local router 220 and the core router 230 (see the data flow marked with the dash-dot arrow in FIG. 2). According to an embodiment of the present disclosure, the invention is implemented by executing the steps of the method 100 for identifying illegal broadband access at a monitoring terminal 240 (that is, the computing terminal) in the operator's MAN equipment room. Specifically, the core router 230 is configured with commands to mirror HTTP protocol traffic and, for the user's source IP address, uses a policy to mirror the GET-method HTTP request messages to the monitoring terminal (see the data flow marked with the dashed arrow in FIG. 2). Because mirroring is used, the user's network access is not affected, and the user does not perceive that the HTTP request messages are being obtained. According to an embodiment of the present disclosure, configuring the core router with commands includes using a dual-thread real mirroring function.

Because GET-method HTTP request messages are small, the measured mirrored traffic bandwidth for 100,000 online users is about 100M. An equipment-room monitoring terminal of ordinary performance can therefore execute the method 100 according to the embodiment of the present invention, so the overall investment for this solution is almost zero.

Referring back to FIG. 1, in the IP address statistics step 120 the computing terminal analyzes the obtained HTTP request messages to count the number of different destination IP addresses contained in the HTTP request messages per unit time.

FIG. 3 shows an example of the result of detection according to an embodiment of the present disclosure performed on the access point of a single host. As can be seen from FIG. 3, the count for this single host's access point is 0 most of the time, with occasional values below 100 IP addresses per minute. This matches real usage: most of the time the user is not browsing web pages, and when the user does occasionally browse, because most mainstream website pages contain many links, the number of different IP addresses a single user visits per minute is on the order of tens.

FIG. 4 shows an example of the result of detection according to an embodiment of the present disclosure performed on the access point of a high-bandwidth user. In the example of FIG. 4, the high-bandwidth user has, for example, 80 hosts. The count for the access point of this high-bandwidth user is about 300 IP addresses per minute most of the time. Although experience suggests that a single host contributes about 30 IP addresses per minute, the total number of IP addresses counted per minute is not a simple sum over the 80 hosts, given the differences in when pages are browsed and the overlap among mainstream websites. A figure on the order of 300 IP addresses per minute should therefore be within a reasonable range.

FIG. 5 shows an example of the result of detection according to an embodiment of the present disclosure performed on the access point of another high-bandwidth user. To verify the usability of the identification method proposed here, a test was carried out on the access point of a newly discovered high-bandwidth user with illegal access before that access point was shut down. The result showed that the number of destination IP addresses (that is, website servers) visited per minute from one source IP address was above 1200. The high-bandwidth user with illegal access in FIG. 5 likewise has 80 hosts. As can be seen from FIG. 5, compared with a normal high-bandwidth user of the same bandwidth and the same order of user count (for example, the user detected in FIG. 4), its access volume is more than 4 times the normal access volume. Taking into account how spread out in time users' web browsing is and the overlap among mainstream websites, a conservative estimate puts the number of real users at 10,000 or more.

According to an embodiment of the present disclosure, the IP address statistics step 120 may include counting the number of different destination IP addresses contained in the HTTP request messages in each of multiple time periods, and taking the median of those counts. For example, in the example of FIG. 4, the detection results for three consecutive detection periods are 282, 270 and 314 (addresses per minute); the median of the counts over these periods is 282. In the example of FIG. 5, the detection results for three consecutive detection periods are 1240, 1254 and 1252 (addresses per minute); the median of the counts over these periods is 1252. In another example, the mean of the counts of different destination IP addresses over the multiple time periods may be used as the judgment indicator instead.

Referring back to FIG. 1, in the comparison step 130 the computing terminal compares the number of different destination IP addresses with a threshold. According to an embodiment of the present disclosure, the threshold may be determined from statistics for other users under the same node as the specific user that have the same bandwidth and the same scale. For example, the threshold may be determined from the detection result for the normal high-bandwidth user shown in the example of FIG. 4, in order to judge whether the HTTP access behavior of the high-bandwidth user shown in the example of FIG. 5 is abnormal.

According to an embodiment of the present disclosure, the threshold may be a multiple of the number of different destination IP addresses contained, per unit time, in the HTTP request messages of other users under the same node as the specific user that have the same bandwidth and the same scale. For example, twice the detection result for the normal high-bandwidth user shown in the example of FIG. 4 may be used as the threshold, that is, twice the 282, 270 or 314 shown in FIG. 4.

Note that twice is only an illustrative example. Three times, four times, or a higher multiple of the normal user's detection result may also be used as the threshold, depending on practical experience. Moreover, the threshold need not be an integer multiple of the normal user's detection result.

In the description above, the detection result of only one normal user (the user in the example of FIG. 4) is used to determine the threshold. In other embodiments, the detection results of multiple normal users may be used. For example, a multiple of the average of the detection results of multiple normal users may be used as the threshold.

Referring back to FIG. 1, in the illegal access identification step 140, in response to determining that the number of different destination IP addresses is greater than the threshold, the computing terminal identifies that the specific user has illegal broadband access behavior. For example, twice the detection result 282 shown in the example of FIG. 4 may be used as the threshold. With 282*2=564 as the threshold, the detection results 1240, 1254 and 1252 of the user in the example of FIG. 5 all exceed the threshold, so that user can be determined to be suspected of illegal broadband access. According to one embodiment, if any detection result of a user exceeds the threshold, it may be determined that the user may have illegal broadband access behavior.

According to an embodiment of the present disclosure, comparing the number of different destination IP addresses with the threshold may include comparing the median with the threshold. Using the examples of FIG. 4 and FIG. 5, the median 1252 of the detection results of the user in the example of FIG. 5 exceeds the threshold 564, so that user can be determined to be suspected of illegal broadband access.
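The counting, median and threshold steps 120 to 140 described above, as an added example that is not part of the patent text. It assumes the mirrored GET requests have already been parsed into (timestamp, source IP, destination IP, method) records, which is a hypothetical record format, and it runs on constructed traffic whose per-minute counts reproduce the FIG. 4 and FIG. 5 values quoted in the description.

```python
from collections import defaultdict
from ipaddress import ip_address
from statistics import median

WINDOW_SECONDS = 60  # "unit time" is one minute, as in the quoted detection results


def distinct_dst_per_window(records, window=WINDOW_SECONDS):
    """Step 120: count distinct destination IPs per source IP per time window.

    records: iterable of (epoch_seconds, src_ip, dst_ip, http_method).
    Returns {src_ip: {window_index: distinct_destination_count}}.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, method in records:
        if method.upper() != "GET":
            continue  # only GET-method requests are mirrored and counted
        # ip_address() normalises the text form so one address is counted once
        seen[src][int(ts) // window].add(ip_address(dst))
    return {src: {w: len(d) for w, d in wins.items()} for src, wins in seen.items()}


def median_count(per_window, first_window, n_windows):
    """Median over consecutive windows. A window with no GET traffic counts
    as 0 (a choice made in this example, matching the idle minutes of FIG. 3)."""
    return median(per_window.get(first_window + i, 0) for i in range(n_windows))


def threshold_from_peers(peer_medians, multiple=2.0):
    """Step 130: threshold = multiple x average of normal peers' results.
    The multiple is a tuning parameter; 2 is the description's illustration."""
    return multiple * sum(peer_medians) / len(peer_medians)


def classify(records, suspect, peers, first_window, n_windows, multiple=2.0):
    """Steps 120-140 for one source IP against same-node, same-scale peers."""
    counts = distinct_dst_per_window(records)
    peer_medians = [
        median_count(counts.get(p, {}), first_window, n_windows) for p in peers
    ]
    thr = threshold_from_peers(peer_medians, multiple)
    m = median_count(counts.get(suspect, {}), first_window, n_windows)
    return {"median": m, "threshold": thr, "flagged": m > thr}


def constructed_records(src, per_minute_counts):
    """Build constructed sample traffic: n distinct destinations per minute,
    plus repeat requests and a POST that must not change the count."""
    recs = []
    for minute, n in enumerate(per_minute_counts):
        base = minute * 60
        for i in range(n):
            dst = f"198.18.{i // 250}.{i % 250 + 1}"  # benchmarking address range
            recs.append((base + i % 60, src, dst, "GET"))
            if i % 3 == 0:  # repeated GET to the same destination
                recs.append((base + (i + 7) % 60, src, dst, "GET"))
        recs.append((base + 1, src, "198.19.0.1", "POST"))  # ignored: not GET
    return recs


# Constructed sample: documentation addresses stand in for the two access points.
NORMAL_USER = "192.0.2.10"   # per-minute counts as quoted for FIG. 4
SUSPECT_USER = "192.0.2.20"  # per-minute counts as quoted for FIG. 5
SAMPLE = (constructed_records(NORMAL_USER, [282, 270, 314])
          + constructed_records(SUSPECT_USER, [1240, 1254, 1252]))

if __name__ == "__main__":
    print(classify(SAMPLE, SUSPECT_USER, [NORMAL_USER], 0, 3))
    print(classify(SAMPLE, NORMAL_USER, [NORMAL_USER], 0, 3))
```

Passing several addresses in `peers` gives the variant in which the threshold is a multiple of the average over multiple normal users.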

根据本公开的一个实施例,方法100还可以包括将与所述特定用户关联的统计数据和分析结果以列表或图表的形式呈现。该呈现可以在监控终端240上实现。也可以通过网络由监控终端240将所述特定用户关联的统计数据和分析结果发送到其它终端或服务器上以用于呈现,从而可以为管理部门提供一个统一、直观的结果展现。根据本公开的一个实施例,所述呈现例如可以使用echart组件来实现,从而方便监管部门的查看和统计。According to an embodiment of the present disclosure, the method 100 may further include presenting statistical data and analysis results associated with the specific user in the form of a list or a graph. This presentation may be implemented on the monitoring terminal 240 . The monitoring terminal 240 can also send the statistical data and analysis results associated with the specific user to other terminals or servers for presentation through the network, so that a unified and intuitive result presentation can be provided for the management department. According to an embodiment of the present disclosure, the presentation may be implemented using, for example, the echart component, so as to facilitate the viewing and statistics of the regulatory authority.

本发明可以是装置、方法和/或计算机程序产品。计算机程序产品可以包括计算机可读存储介质,其上载有用于使处理器实现本发明的各个方面的计算机可读程序指令。The present invention may be an apparatus, method and/or computer program product. The computer program product may include a computer-readable storage medium having computer-readable program instructions loaded thereon for causing a processor to implement various aspects of the present invention.

根据本发明的一个实施例,提供了一种用于识别宽带违规接入的装置,包括其上存储有指令的存储器以及处理器。该处理器被配置为执行存储在所述存储器上的指令以执行:由该装置从核心路由器获取来自与特定用户关联的源IP地址的GET方式的HTTP请求报文;由所述装置对所获取的HTTP请求报文进行分析以统计单位时间内所述HTTP请求报文中包含的不同目的IP地址的数量;由所述装置将所述不同目的IP地址的数量与阈值进行比较;以及响应于确定所述不同目的IP地址的数量大于阈值,所述装置识别出所述特定用户有宽带违规接入行为。According to one embodiment of the present invention, there is provided an apparatus for identifying broadband violation access including a memory having instructions stored thereon and a processor. The processor is configured to execute instructions stored on the memory to perform: obtaining, by the apparatus, a GET-style HTTP request message from a source IP address associated with a particular user from the core router; The HTTP request message is analyzed to count the number of different destination IP addresses contained in the HTTP request message per unit time; the device compares the number of the different destination IP addresses with a threshold value; and in response to determining The number of the different destination IP addresses is greater than the threshold, and the apparatus identifies that the specific user has illegal broadband access behavior.

根据本发明的一个实施例,提供了一种计算机可读存储介质,包括计算机可执行指令,所述计算机可执行指令在由一个或多个处理器执行时,使得所述一个或多个处理器执行:由计算终端从核心路由器获取来自与特定用户关联的源IP地址的GET方式的HTTP请求报文;由所述计算终端对所获取的HTTP请求报文进行分析以统计单位时间内所述HTTP请求报文中包含的不同目的IP地址的数量;由所述计算终端将所述不同目的IP地址的数量与阈值进行比较;以及响应于确定所述不同目的IP地址的数量大于阈值,所述计算终端识别出所述特定用户有宽带违规接入行为。According to one embodiment of the present invention, there is provided a computer-readable storage medium comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to Execution: the computing terminal obtains from the core router a GET request message from the source IP address associated with the specific user; the computing terminal analyzes the obtained HTTP request message to count the HTTP request messages per unit time. the number of different destination IP addresses contained in the request message; comparing the number of different destination IP addresses with a threshold by the computing terminal; and in response to determining that the number of different destination IP addresses is greater than the threshold, the computing The terminal identifies that the specific user has illegal broadband access behavior.

通过本发明的结合用户网络访问必然存在的行为特点,通过对用户行为分析的方法识别违规行为的准确率高,解决了第三方技术修改IP报文头信息来规避检测的问题。同时由于发明方法采用客户端/服务器C/S架构,充分利用了机房终端,减少了由于异网部署探针导致投资大的问题。The method of the present invention combines the inevitable behavior characteristics of user network access, and the method of analyzing user behavior has high accuracy in identifying illegal behaviors, and solves the problem of avoiding detection by modifying IP packet header information by third-party technology. At the same time, because the inventive method adopts the client/server C/S architecture, the terminal in the computer room is fully utilized, and the problem of large investment caused by the deployment of probes in different networks is reduced.

The present invention analyzes and counts information that is indispensable to, and cannot be modified in, the HTTP messages of a user's Internet access (the destination IP address). This avoids the limitations of the prior art, which gathers statistics on specific applications or accounts, and also avoids the risk that detection is evaded because a third-party device or program has modified fields of the packet header. Practical verification shows that the present invention can accurately find high-bandwidth users with unauthorized private connections. In addition, the technical solution of the present invention is easy to deploy, makes full use of the computing power of the terminals in the monitoring equipment room, and can present results intuitively and efficiently.

FIG. 6 illustrates an exemplary configuration of a computing device 1200 capable of implementing embodiments of the present disclosure.

Computing device 1200 is an example of a hardware device to which the above-described aspects of the present disclosure can be applied. Computing device 1200 may be any machine configured to perform processing and/or computation. Computing device 1200 may be, but is not limited to, a workstation, a server, a desktop computer, a laptop computer, a tablet computer, a personal data assistant (PDA), a smartphone, a vehicle-mounted computer, or a combination thereof.

As shown in FIG. 6, computing device 1200 may include one or more elements that may connect to or communicate with bus 1202 via one or more interfaces. Bus 1202 may include, but is not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus. Computing device 1200 may include, for example, one or more processors 1204, one or more input devices 1206, and one or more output devices 1208. The one or more processors 1204 may be any kind of processor, and may include, but are not limited to, one or more general-purpose processors or special-purpose processors (such as special-purpose processing chips). Computing device 1200 may, for example, correspond to monitoring terminal 240 in FIG. 2 and be configured to implement method 100 for identifying illegal broadband access. Input device 1206 may be any type of input device capable of inputting information to a computing device, and may include, but is not limited to, a mouse, a keyboard, a touch screen, a microphone, and/or a remote controller. Output device 1208 may be any type of device capable of presenting information, and may include, but is not limited to, a display, a speaker, a video/audio output terminal, a vibrator, and/or a printer.

Computing device 1200 may also include or be connected to a non-transitory storage device 1214, which may be any storage device that is non-transitory and capable of storing data, and may include, but is not limited to, a disk drive, an optical storage device, solid-state memory, a floppy disk, a flexible disk, a hard disk, magnetic tape or any other magnetic medium, a compact disc or any other optical medium, cache memory and/or any other memory chip or module, and/or any other medium from which a computer can read data, instructions, and/or code. Computing device 1200 may also include random access memory (RAM) 1210 and read-only memory (ROM) 1212. ROM 1212 may store programs, utilities, or processes to be executed in a non-volatile manner. RAM 1210 may provide volatile data storage and store instructions related to the operation of computing device 1200. Computing device 1200 may also include a network/bus interface 1216 coupled to a data link 1218. The network/bus interface 1216 may be any kind of device or system capable of enabling communication with external devices and/or networks, and may include, but is not limited to, a modem, a network card, an infrared communication device, a wireless communication device, and/or a chipset (such as a Bluetooth™ device, an 802.11 device, a WiFi device, a WiMax device, a cellular communication facility, etc.).

The present disclosure may be implemented as any combination of an apparatus, a system, an integrated circuit, and a computer program on a non-transitory computer-readable medium. One or more processors may be implemented as an integrated circuit (IC), an application-specific integrated circuit (ASIC), or a large-scale integrated circuit (LSI), system LSI, super LSI, or ultra LSI component that performs some or all of the functions described in the present disclosure.

The present disclosure includes the use of software, applications, computer programs, or algorithms. The software, applications, computer programs, or algorithms may be stored on a non-transitory computer-readable medium to cause a computer, such as one or more processors, to perform the steps described above and in the figures. For example, one or more memories store the software or algorithm as executable instructions, and one or more processors may be associated with a set of instructions that execute the software or algorithm to provide various functions in accordance with the embodiments described in the present disclosure.

Software and computer programs (which may also be referred to as programs, software applications, applications, components, or code) include machine instructions for a programmable processor, and may be implemented in a high-level procedural language, an object-oriented programming language, a functional programming language, a logic programming language, assembly language, or machine language. The term "computer-readable medium" refers to any computer program product, apparatus, or device used to provide machine instructions or data to a programmable data processor, such as magnetic disks, optical discs, solid-state storage devices, memories, and programmable logic devices (PLDs), including a computer-readable medium that receives machine instructions as a computer-readable signal.

By way of example, computer-readable media may include dynamic random access memory (DRAM), random access memory (RAM), read-only memory (ROM), electrically erasable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired computer-readable program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer or a general-purpose or special-purpose processor. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk, and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of computer-readable media.

The subject matter of the present disclosure is provided as examples of apparatuses, systems, methods, and programs for performing the features described in the present disclosure. However, other features or variations are contemplated in addition to the features described above. It is contemplated that the components and functions of the present disclosure may be implemented with any emerging technology that may replace any of the technologies implemented above.

Additionally, the above description provides examples and does not limit the scope, applicability, or configuration set forth in the claims. Changes may be made in the function and arrangement of the elements discussed without departing from the spirit and scope of the present disclosure. Various embodiments may omit, substitute, or add various procedures or components as appropriate. For example, features described with respect to some embodiments may be combined in other embodiments.

In addition, in the description of the present disclosure, the terms "first", "second", "third", etc. are used for descriptive purposes only and should not be construed as indicating or implying relative importance or order.

Similarly, although operations are depicted in the figures in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve the desired results. In some cases, multitasking and parallel processing may be advantageous.

Claims (12)

1. A method for identifying broadband illegal access, comprising:
acquiring a GET mode HTTP request message from a source IP address associated with a specific user from a core router by a computing terminal;
analyzing the acquired HTTP request message by the computing terminal to count the number of different destination IP addresses contained in the HTTP request message in unit time;
comparing, by the computing terminal, the number of different destination IP addresses to a threshold; and
in response to determining that the number of different destination IP addresses is greater than a threshold, the computing terminal identifies that the particular user has a broadband illegal access behavior.
2. The method of claim 1, wherein the computing terminal is connected to a core router of a metropolitan area network room by a network cable.
3. The method of claim 2, wherein obtaining a GET-mode HTTP request message from a source IP address associated with a particular user comprises:
mirroring the GET-mode HTTP request messages to the computing terminal through a policy based on the source IP address.
4. The method of claim 1, wherein counting the number of different destination IP addresses contained in the HTTP request message per unit time comprises:
counting the number of different destination IP addresses contained in the HTTP request message in a plurality of time periods; and
calculating the median of the numbers of different destination IP addresses contained in the HTTP request message counted in the plurality of time periods.
5. The method of claim 4, wherein comparing the number of different destination IP addresses to a threshold comprises comparing the median to the threshold.
6. The method of claim 1, wherein the threshold is determined based on statistics of other users of the same bandwidth and scale under the same node as the particular user.
7. The method of claim 6, wherein the threshold is a multiple of the number of different destination IP addresses contained in HTTP request messages per unit time of other users of the same bandwidth and size under the same node as the particular user.
8. The method of claim 1, further comprising:
presenting the statistical data and analysis results associated with the particular user in a list or graph.
9. The method of claim 8, wherein the presenting is implemented using an echart component.
10. The method of claim 3, wherein command configuring the core router comprises using a dual-thread real mirror function.
11. An apparatus for identifying broadband illegal access, comprising:
a memory having instructions stored thereon; and
a processor configured to execute instructions stored on the memory to perform the method of any of claims 1 to 10.
12. A computer-readable storage medium comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the method of any one of claims 1-10.
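The counting, median and peer-based threshold steps of claims 1 and 4 to 7, as an added Python example that is not part of the patent. The 60-second window, the multiple of 3, taking the peer baseline as the median of the peers' medians, the record tuple layout and all IP addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

WINDOW = 60        # assumed unit time in seconds (the patent gives no value)
PEER_MULTIPLE = 3  # assumed multiple of the peer baseline (claim 7 gives no value)


def window_counts(records, start, n_windows, window=WINDOW):
    """Count distinct destination IPs of GET requests per source IP and window.

    records: iterable of (timestamp, src_ip, dst_ip, method) tuples.
    Returns {src_ip: [count_w0, count_w1, ...]}; idle windows count as 0.
    """
    seen = defaultdict(lambda: [set() for _ in range(n_windows)])
    for ts, src, dst, method in records:
        idx = int((ts - start) // window)
        if method.upper() != "GET" or not 0 <= idx < n_windows:
            continue  # only GET requests inside the observation period count
        seen[src][idx].add(dst)  # a set ignores repeat visits to one address
    return {src: [len(s) for s in sets] for src, sets in seen.items()}


def flag_user(records, suspect, peers, start, n_windows):
    """Compare the suspect's median per-window count with a peer-derived threshold."""
    counts = window_counts(records, start, n_windows)
    idle = [0] * n_windows
    med = {ip: median(counts.get(ip, idle)) for ip in [suspect, *peers]}
    # Assumption: the peer baseline is the median of the peers' own medians.
    threshold = PEER_MULTIPLE * median(med[p] for p in peers)
    return {"median": med[suspect], "threshold": threshold,
            "flagged": med[suspect] > threshold}


def sample_records():
    """Constructed records: three ordinary subscribers and one heavily shared line."""
    recs = []
    for w in range(5):  # five consecutive windows
        t = w * WINDOW
        for peer, n_dst in (("192.0.2.11", 4), ("192.0.2.12", 5), ("192.0.2.13", 6)):
            recs += [(t + i, peer, f"203.0.113.{i + 1}", "GET") for i in range(n_dst)]
        # Shared line: 40 distinct destinations per window, one repeat, one POST.
        recs += [(t + i, "192.0.2.99", f"198.51.100.{i + 1}", "GET") for i in range(40)]
        recs += [(t + 1, "192.0.2.99", "198.51.100.1", "GET"),
                 (t + 2, "192.0.2.99", "198.51.100.250", "POST")]
    return recs


if __name__ == "__main__":
    peers = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
    print(flag_user(sample_records(), "192.0.2.99", peers, 0, 5))
```

Using the median over several windows means a single busy window does not flag a subscriber on its own; the count has to stay above the threshold in most windows.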
CN202111631379.2A 2021-12-28 2021-12-28 Method and device for identifying illegal broadband access Active CN114422203B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111631379.2A CN114422203B (en) 2021-12-28 2021-12-28 Method and device for identifying illegal broadband access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111631379.2A CN114422203B (en) 2021-12-28 2021-12-28 Method and device for identifying illegal broadband access

Publications (2)

Publication Number Publication Date
CN114422203A true CN114422203A (en) 2022-04-29
CN114422203B CN114422203B (en) 2024-12-27

Family

ID=81270217

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111631379.2A Active CN114422203B (en) 2021-12-28 2021-12-28 Method and device for identifying illegal broadband access

Country Status (1)

Country Link
CN (1) CN114422203B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116781371A (en) * 2023-07-06 2023-09-19 中国电信股份有限公司技术创新中心 Abnormal broadband identification method, device, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120023562A1 (en) * 2010-07-26 2012-01-26 David Harp Systems and methods to route network communications for network-based services
CN111970234A (en) * 2020-06-30 2020-11-20 浙江远望信息股份有限公司 Cookie-based evidence obtaining method for NAT private network access illegal external connection equipment
CN113381967A (en) * 2020-03-09 2021-09-10 中国移动通信集团设计院有限公司 Broadband private connection prevention judgment method and device, electronic equipment and storage medium
CN113489738A (en) * 2021-07-15 2021-10-08 恒安嘉新(北京)科技股份公司 Violation handling method, device, equipment and medium for broadband account


Also Published As

Publication number Publication date
CN114422203B (en) 2024-12-27

Similar Documents

Publication Publication Date Title
US11113412B2 (en) System and method for monitoring and verifying software behavior
WO2022017249A1 (en) Programmable switch, traffic statistics method, defense method, and packet processing method
CN103229479B (en) A website identification method, device and network system
CN110198248B (en) Method and device for detecting IP address
CN103095530B (en) The monitoring of a kind of sensitive information based on preposition gateway and leakage prevention method and system
CN102884764A (en) Message receiving method, deep packet inspection device, and system
CN105338016B (en) Data high-speed caching method and device and resource request response method and device
CN110661776A (en) Sensitive data tracing method, device, security gateway and system
CN110737726A (en) A method and device for determining test data of an interface to be tested
CN112235248B (en) A Web application firewall protection site collection method, device and electronic device
CN106789413B (en) Method and device for detecting proxy internet surfing
CN114422203A (en) Method and apparatus for identifying illegal broadband access
CN119382916A (en) System and method for file scanning between source and client in a zero-trust environment
CN116260643A (en) Security testing method, device and equipment for web service of Internet of things
CN114978970B (en) Data testing system, method, equipment and medium based on custom mock platform
CN111585830A (en) A user behavior analysis method, device, equipment and storage medium
CN103856373B (en) Web system robustness testing method based on HTTP mutation
TW202020707A (en) Systems and methods for management of software connections
CN111294856B (en) A shared traffic terminal identification method, device, equipment and readable storage medium
CN117834213A (en) A method and device for detecting illegal PCDN accounts of home broadband users
CN119382919A (en) System and method for client-based service control using domain directory
CN114925406B (en) Data verification method, device and computer program product
CN110708211A (en) Network flow testing method and system
Texon et al. Fingerprinting: Tiktok analysis of network traffic using data capture tools
CN112468610B (en) Data transmission method, monitoring node, monitoring server and monitoring network system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant