CN111200665B - User source tracing method and device and computer readable storage medium - Google Patents

Publication number
CN111200665B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811375981.2A
Other languages
Chinese (zh)
Other versions
CN111200665A (en)
Inventor
关欣
於少菲
张军华
吴进夫
辛海英
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Liaoning Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201811375981.2A priority Critical patent/CN111200665B/en
Publication of CN111200665A publication Critical patent/CN111200665A/en
Publication of CN111200665B publication Critical patent/CN111200665B/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/256 NAT traversal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a user tracing method, a user tracing device and a computer readable storage medium, which are used for solving the technical problem that the user tracing can not be realized under a centralized CGN networking architecture in the prior art. The method comprises the following steps: determining at least one NAT log associated with the DPI call ticket to be traced from the plurality of NAT logs according to a first association relation between the DPI call ticket and the NAT log; wherein the first association relationship comprises: the DPI ticket and the NAT log contain the same keywords; determining at least one AAA log related to the at least one NAT log from the plurality of AAA logs according to the second association relationship between the NAT log and the AAA log; wherein the second association relationship comprises: the NAT log and the AAA log contain the same keywords; and determining the user account in the at least one AAA log, and determining the user account as the tracing result of the DPI ticket to be traced.

Description

User source tracing method and device and computer readable storage medium
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a user tracing method, an apparatus, and a computer-readable storage medium.
Background
At present, Carrier-Grade Network Address Translation (CGN) devices have a number of deployment scenarios, which fall mainly into two types: distributed and centralized.
Fig. 1 is a networking structure diagram of a distributed CGN system in the prior art. In a distributed CGN system, the CGN devices are attached directly to Broadband Remote Access Server (BRAS) devices, and the network address translation technique is static address mapping: when a private IP address of the internal network is translated into a public IP address, the IP addresses map one-to-one, and the ports are port blocks with fixed, contiguous port numbers. When a user goes online, an Authentication-Authorization-Accounting (AAA) device records the user account, and the BRAS reports the user's private network IP, the mapped public network IP and the port block sequence number to the AAA device. After the user generates an online record, a Deep Packet Inspection (DPI) device records the source IP, source port number, destination IP and destination port number of the user's online activity. The correlation algorithm used for user tracing under this networking architecture is: source IP in DPI device = public network IP in AAA device, source port number in DPI device > public network port block start number in AAA device & DPI.
Fig. 2 is a networking structure diagram of a centralized CGN system in the prior art. Unlike the distributed system, the CGN device in the centralized CGN system is attached to a Core Router (CR) and uses dynamic address translation: when a private IP address of the internal network is translated into a public IP address, the resulting public IP address is not determined in advance and is random. Under this networking architecture, the prior art cannot trace users' network access records back to their source.
Disclosure of Invention
The embodiment of the invention provides a user tracing method, a user tracing device and a computer readable storage medium, which are used for solving the technical problem that the user tracing cannot be realized under a centralized CGN networking architecture in the prior art.
In a first aspect, an embodiment of the present invention provides a user tracing method, which is applied to a centralized CGN system, and the method includes:
determining at least one NAT log associated with the DPI call ticket to be traced from the plurality of NAT logs according to the first association relationship between the DPI call ticket and the NAT log; wherein the first association relationship comprises: the DPI ticket and the NAT log contain the same keywords;
determining at least one AAA log related to the at least one NAT log from the plurality of AAA logs according to the second association relationship between the NAT log and the AAA log; wherein the second association relationship comprises: the NAT log and the AAA log contain the same keywords;
and determining the user account in the at least one AAA log, and determining the user account as the tracing result of the DPI ticket to be traced.
When user tracing is performed on a DPI ticket, at least one NAT log associated with the DPI ticket to be traced is determined from the plurality of NAT logs according to the first association relationship between the DPI ticket and the NAT log; at least one AAA log associated with the at least one NAT log is determined from the plurality of AAA logs according to the second association relationship between the NAT log and the AAA log; and the user account in the at least one AAA log is determined and taken as the tracing result of the DPI ticket to be traced. This solves the technical problem that user tracing cannot be realized under a centralized CGN networking architecture in the prior art. It requires only minor changes to the conventional centralized CGN networking architecture and is therefore widely applicable.
Optionally, the first association relationship includes at least one of the following:
the source IP address in the DPI ticket is the same as the IP address after NAT in the NAT log;
the source port in the DPI ticket is the same as the port after NAT in the NAT log;
the destination IP address in the DPI ticket is the same as the destination IP address in the NAT log;
the destination port in the DPI ticket is the same as the destination port in the NAT log.
This implementation provides several forms of the first association relationship, which makes the process of tracing from the DPI ticket to the NAT log more flexible.
Optionally, according to the first association relationship between the DPI call ticket and the NAT log, at least one NAT log associated with the DPI call ticket to be traced back is determined from the plurality of NAT logs, and the method includes:
determining at least one NAT log of which the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than the time identified by the maximum timestamp in the DPI call ticket to be traced from the plurality of NAT logs; or
determining at least one NAT log from the plurality of NAT logs, wherein the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced, and the NAT session ending time is later than the preset time after the time identified by the maximum timestamp in the DPI call ticket to be traced.
This implementation further avoids matching errors caused by reuse of private network IP addresses and further improves the accuracy of user tracing.
Optionally, the second association relationship includes:
the IP address before NAT in the NAT log is the same as the private network IP address in the AAA log.
This implementation traces from the NAT log to the AAA log based on the IP address before NAT in the NAT log and the private network IP address in the AAA log, which ensures the reliability of user tracing.
Optionally, determining, according to the second association relationship between the NAT log and the AAA log, at least one AAA log associated with the at least one NAT log from the multiple AAA logs, including:
and determining the AAA log with the user online time earlier than the NAT session starting time in the at least one NAT log and the user offline time later than the NAT session ending time in the at least one NAT log from the plurality of AAA logs.
This implementation avoids matching errors caused by reuse of private network IP addresses and further improves the accuracy of user tracing.
Optionally, before determining at least one AAA log associated with the at least one NAT log from the plurality of AAA logs, the method further includes:
determining the online record and the offline record corresponding to the same user from the plurality of AAA logs according to the session_ID and the BRAS_IP, and associating the online record and the offline record corresponding to the same user into one record;
and, when any online record is determined to have no corresponding offline record, associating that online record with an offline record whose offline time is infinite.
This implementation avoids matching errors caused by different users reusing the same private network IP address and further improves the accuracy of user tracing.
Optionally, before determining at least one NAT log associated with the DPI call ticket to be traced from the plurality of NAT logs according to the first association relationship between the DPI call ticket and the NAT log, the method further includes:
collecting the DPI call ticket to be traced from DPI equipment;
collecting the plurality of NAT logs from NAT equipment;
collecting the plurality of AAA logs from the AAA device.
This implementation obtains the data required by the user tracing process and ensures the reliability of the user tracing method.
In a second aspect, an embodiment of the present invention provides a user tracing apparatus, including:
the first determining unit is used for determining at least one NAT log associated with the DPI call ticket to be traced from the plurality of NAT logs according to the first association relation between the DPI call ticket and the NAT log; wherein the first association relationship comprises: the DPI ticket and the NAT log contain the same keywords;
a second determining unit, configured to determine, according to a second association relationship between the NAT log and the AAA log, at least one AAA log associated with the at least one NAT log from the multiple AAA logs; wherein the second association relationship comprises: the NAT log and the AAA log contain the same key words;
and a third determining unit, configured to determine a user account in the at least one AAA log, and determine the user account as a tracing result of the to-be-traced DPI ticket.
Optionally, the first association relationship includes at least one of the following:
the source IP address in the DPI ticket is the same as the IP address after NAT in the NAT log;
the source port in the DPI ticket is the same as the port after NAT in the NAT log;
the destination IP address in the DPI ticket is the same as the destination IP address in the NAT log;
and the destination port in the DPI ticket is the same as the destination port in the NAT log.
Optionally, the first determining unit is specifically configured to: determining at least one NAT log of which the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than the time identified by the maximum timestamp in the DPI call ticket to be traced from the plurality of NAT logs; or
determining at least one NAT log of which the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than the preset time after the time identified by the maximum timestamp in the DPI call ticket to be traced from the plurality of NAT logs.
Optionally, the second association relationship includes:
the IP address before NAT in the NAT log is the same as the private network IP address in the AAA log.
Optionally, the second determining unit is specifically configured to:
and determining the AAA log with the user online time earlier than the NAT session starting time in the at least one NAT log and the user offline time later than the NAT session ending time in the at least one NAT log from the plurality of AAA logs.
Optionally, the apparatus further comprises:
the association unit is used for determining the online record and the offline record corresponding to the same user from the plurality of AAA logs according to the session_ID and the BRAS_IP before the second determination unit determines at least one AAA log associated with the at least one NAT log from the plurality of AAA logs, and associating the online record and the offline record corresponding to the same user into one record; and when any online record is determined not to have a corresponding offline record, associating the online record with an offline record with the offline time being infinite.
Optionally, the apparatus further comprises:
the collection unit is used for collecting the DPI call tickets to be traced from the DPI equipment, collecting the NAT logs from the NAT equipment and collecting the AAA logs from the AAA equipment before the first determination unit determines at least one NAT log associated with the DPI call tickets to be traced from the NAT logs according to the first association relation between the DPI call tickets and the NAT logs.
In a third aspect, an embodiment of the present invention provides a user tracing apparatus, including:
at least one processor, and
a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor performs the method according to the first aspect of the embodiments or any alternative implementation of the first aspect of the embodiments by executing the instructions stored in the memory.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, which stores computer instructions that, when executed on a computer, cause the computer to perform the method according to the first aspect of the present invention or any optional implementation manner of the first aspect.
One or more technical schemes provided in the embodiments of the present invention have at least the following technical effects or advantages:
When user tracing is performed on a DPI ticket, at least one NAT log associated with the DPI ticket to be traced is determined from the plurality of NAT logs according to the first association relationship between the DPI ticket and the NAT log; at least one AAA log associated with the at least one NAT log is determined from the plurality of AAA logs according to the second association relationship between the NAT log and the AAA log; and the user account in the at least one AAA log is determined and taken as the tracing result of the DPI ticket to be traced. This solves the technical problem that user tracing cannot be realized under a centralized CGN networking architecture in the prior art. It requires only minor changes to the conventional centralized CGN networking architecture and is therefore widely applicable.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments will be briefly introduced below, and it is apparent that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings may be obtained according to the drawings without inventive labor.
Fig. 1 is a network structure diagram of a distributed CGN system in the prior art;
FIG. 2 is a diagram of a networking architecture of a centralized CGN system in the prior art;
FIG. 3 is a flowchart illustrating a user tracing method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a DPI ticket, NAT log and AAA log generating and collecting process in the embodiment of the invention;
FIG. 5 is a diagram illustrating a method for associating multiple types of data according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a user tracing apparatus according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a user tracing apparatus in an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention are described in detail below with reference to the drawings and the specific embodiments, and it should be understood that the specific features in the embodiments and the embodiments of the present invention are not intended to limit the technical solutions of the present invention, but may be combined with each other without conflict.
It is to be understood that the terms first, second, and the like in the description of the embodiments of the invention are used for distinguishing between the descriptions and not necessarily for describing a sequential or chronological order. "plurality" in the description of the embodiments of the present invention means two or more.
The term "and/or" in the embodiment of the present invention is only one kind of association relationship describing an associated object, and indicates that three relationships may exist, for example, a and/or B may indicate: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The embodiment of the invention provides a user tracing method, a user tracing device and a computer readable storage medium, which are applied to a centralized CGN system and used for solving the technical problem that the prior art cannot realize user tracing under a centralized CGN networking architecture.
Referring to Fig. 3, the user tracing method includes:
S101: determining at least one NAT log associated with the DPI call ticket to be traced from the plurality of NAT logs according to the first association relationship between the DPI call ticket and the NAT log; wherein the first association relationship comprises: the DPI ticket and the NAT log contain the same keywords;
S102: determining at least one AAA log related to the at least one NAT log from the plurality of AAA logs according to the second association relationship between the NAT log and the AAA log; wherein the second association relationship comprises: the NAT log and the AAA log contain the same keywords;
S103: determining a user account in the at least one AAA log, and determining the user account as the tracing result of the DPI ticket to be traced.
Specifically, before steps S101, S102 and S103 are executed, the DPI ticket to be traced is collected from a DPI device, the NAT logs are collected from a NAT device, and the AAA logs are collected from an AAA device. Fig. 4 is a schematic diagram of the process of generating and collecting a DPI call ticket, a NAT log and an AAA log in the embodiment of the present invention.
In specific implementation, since the same private network IP may be used by different users at different time periods, in order to avoid a matching error problem caused by reuse of a private network IP address, after the AAA log is collected from the AAA device, and before at least one AAA log associated with the at least one NAT log is determined from the plurality of AAA logs, an online record and an offline record of the same user may be further associated.
The online record and the offline record of the same user are associated as follows: the combination of the session_ID and the BRAS_IP is used as a unique identifier to match the online and offline records corresponding to the same user within a preset time range, and the online record and the offline record corresponding to the same user are associated into one record; if any online record has no corresponding offline record, that online record is associated with an offline record whose offline time is infinite. The BRAS_IP is the IP address of the BRAS device that allocates the private network IP to the user; the session_ID is the unique identifier of each session in which the BRAS device allocates a private network IP to a user.
In the embodiment of the present invention, the first association relationship in step S101 includes, but is not limited to, the following four types:
1) the source IP address in the DPI ticket is the same as the IP address behind the NAT in the NAT log (also called the source IP address in the NAT log);
2) the source port in the DPI ticket is the same as the port behind the NAT in the NAT log (also called the source port in the NAT log);
3) the destination IP address in the DPI ticket is the same as the destination IP address in the NAT log;
4) the destination port in the DPI ticket is the same as the destination port in the NAT log.
In specific implementation, the four association relationships may be implemented separately or in combination, and the embodiments of the present invention are not limited in particular.
For example, one possible correlation algorithm between DPI tickets and NAT logs is:
DPI.source IP = NAT.source IP;
DPI.destination IP = NAT.destination IP;
DPI.source port = NAT.source port;
DPI.destination port = NAT.destination port.
To further avoid matching errors caused by reuse of private network IP addresses, when at least one NAT log associated with the DPI ticket to be traced is determined from the plurality of NAT logs in step S101, the range of data on which the association algorithm operates can be further restricted, for example according to the NAT session start time and the NAT session end time in the NAT log, which further improves the accuracy of user tracing. Specific embodiments include, but are not limited to, the following four:
1) the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than the time identified by the maximum timestamp in the DPI call ticket to be traced;
2) the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than a first preset time after the time identified by the maximum timestamp in the DPI call ticket to be traced;
3) the NAT session starting time is earlier than a second preset time before the time identified by the minimum timestamp in the DPI call ticket to be traced, and the NAT session ending time is later than the time identified by the maximum timestamp in the DPI call ticket to be traced;
4) the NAT session starting time is earlier than a third preset time before the time identified by the minimum timestamp in the DPI call ticket to be traced, and the NAT session ending time is later than a fourth preset time after the time identified by the maximum timestamp in the DPI call ticket to be traced.
For example:
the session aging time of the NAT device is X = NAT session formation time;
the minimum time delay of the data batch processing is X;
A is the minimum timestamp in the DPI ticket;
B is the maximum timestamp in the DPI ticket;
the DPI data range is the time domain A to B;
then the range of NAT log data acted on by the algorithm in the batch is the time domain A to (B + X).
In this embodiment of the present invention, the second association relationship in step S102 includes: the IP address before NAT in the NAT log is the same as the private network IP address in the AAA log.
To further avoid matching errors caused by reuse of private network IP addresses, when at least one AAA log associated with the at least one NAT log is determined from the plurality of AAA logs in step S102, the range of data on which the association algorithm operates can be further restricted, for example according to the user online and offline times in the AAA log, which further improves the accuracy of user tracing. Specifically: the user online time is earlier than the NAT session starting time in the at least one NAT log, and the user offline time is later than the NAT session ending time in the at least one NAT log.
In order to facilitate a clearer understanding of the technical solutions of the embodiments of the present invention, a possible method for associating multiple data is exemplified below.
Referring to Fig. 5, when tracing the source of a DPI call ticket, first, the NAT logs whose post-NAT IP is the same as the source IP in the DPI call ticket, whose post-NAT port is the same as the source port in the DPI call ticket, whose destination IP is the same as the destination IP in the DPI call ticket, and whose destination port is the same as the destination port in the DPI call ticket are determined from the plurality of NAT logs within a preset time range; then, the AAA logs whose private network IP is the same as the private network IP (namely the IP before NAT) in the determined NAT log are determined from the AAA logs within the preset time range; finally, the user account corresponding to the private network IP in the AAA log is determined according to the correspondence between the private network IP and the user account, which completes the user tracing.
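The association chain described above (pairing AAA online/offline records by session_ID and BRAS_IP, matching the DPI ticket to NAT logs on the four fields within the NAT session window, then matching NAT logs to AAA records on the private IP within the online/offline window), as an added Python example that is not part of the patent text. The record layouts, field names, account names and sample values are constructed for illustration, and accepting equal timestamps in the time comparisons is an assumption of this example.

```python
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class DpiTicket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    t_min: float  # minimum timestamp in the ticket
    t_max: float  # maximum timestamp in the ticket


@dataclass(frozen=True)
class NatLog:
    pre_ip: str     # IP address before NAT (private network IP)
    post_ip: str    # IP address after NAT
    post_port: int  # port after NAT
    dst_ip: str
    dst_port: int
    start: float    # NAT session start time
    end: float      # NAT session end time


@dataclass(frozen=True)
class AaaSession:
    account: str
    private_ip: str
    online: float
    offline: float  # inf when no offline record exists


def pair_aaa(records):
    """Merge online/offline AAA records that share (session_ID, BRAS_IP)."""
    merged = {}
    for r in records:
        key = (r["session_id"], r["bras_ip"])
        entry = merged.setdefault(key, {"offline": inf})
        if r["event"] == "online":
            entry.update(account=r["account"], private_ip=r["private_ip"],
                         online=r["time"])
        else:
            entry["offline"] = r["time"]
    # An offline record without an online record cannot be attributed; skip it.
    return [AaaSession(e["account"], e["private_ip"], e["online"], e["offline"])
            for e in merged.values() if "online" in e]


def match_nat(ticket, nat_logs):
    """First association: same four fields, NAT session covers the ticket."""
    wanted = (ticket.src_ip, ticket.src_port, ticket.dst_ip, ticket.dst_port)
    return [n for n in nat_logs
            if (n.post_ip, n.post_port, n.dst_ip, n.dst_port) == wanted
            and n.start <= ticket.t_min and n.end >= ticket.t_max]


def match_aaa(nat, sessions):
    """Second association: same private IP, AAA session covers the NAT session."""
    return [s for s in sessions
            if s.private_ip == nat.pre_ip
            and s.online <= nat.start and s.offline >= nat.end]


def trace(ticket, nat_logs, sessions):
    """Return the sorted user accounts a DPI ticket traces back to."""
    return sorted({s.account
                   for n in match_nat(ticket, nat_logs)
                   for s in match_aaa(n, sessions)})


# Constructed sample data: 10.0.0.5 is reused by two users, and the same
# public IP and port are reused by two NAT sessions at different times.
AAA_RECORDS = [
    {"event": "online", "session_id": "s1", "bras_ip": "192.0.2.1",
     "account": "alice", "private_ip": "10.0.0.5", "time": 100},
    {"event": "offline", "session_id": "s1", "bras_ip": "192.0.2.1", "time": 200},
    {"event": "online", "session_id": "s2", "bras_ip": "192.0.2.1",
     "account": "bob", "private_ip": "10.0.0.5", "time": 300},  # still online
]
NAT_LOGS = [
    NatLog("10.0.0.5", "203.0.113.7", 40001, "198.51.100.9", 443, 150, 180),
    NatLog("10.0.0.5", "203.0.113.7", 40001, "198.51.100.9", 443, 320, 380),
]
SESSIONS = pair_aaa(AAA_RECORDS)

if __name__ == "__main__":
    late = DpiTicket("203.0.113.7", 40001, "198.51.100.9", 443, 330, 350)
    early = DpiTicket("203.0.113.7", 40001, "198.51.100.9", 443, 155, 170)
    print(trace(late, NAT_LOGS, SESSIONS), trace(early, NAT_LOGS, SESSIONS))
```

Both sample tickets carry identical address and port fields; only the time windows separate the two users, which is why the field match alone is not sufficient when private and public addresses are reused.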
In the embodiment of the invention, when user tracing is performed on a DPI ticket, at least one NAT log associated with the DPI ticket to be traced is determined from the plurality of NAT logs according to the first association relationship between the DPI ticket and the NAT log; at least one AAA log associated with the at least one NAT log is determined from the plurality of AAA logs according to the second association relationship between the NAT log and the AAA log; and the user account in the at least one AAA log is determined and taken as the tracing result of the DPI ticket to be traced. This solves the technical problem that user tracing cannot be realized under a centralized CGN networking architecture in the prior art. It requires only minor changes to the conventional centralized CGN networking architecture and is therefore widely applicable.
Referring to Fig. 6, based on the same inventive concept, an embodiment of the present invention further provides a user tracing apparatus, including:
the first determining unit 201 is configured to determine, according to a first association relationship between the DPI call ticket and the NAT log, at least one NAT log associated with the DPI call ticket to be traced back from the plurality of NAT logs; wherein the first association relationship comprises: the DPI ticket and the NAT log contain the same keywords;
a second determining unit 202, configured to determine, according to a second association relationship between the NAT log and the AAA log, at least one AAA log associated with the at least one NAT log from the multiple AAA logs; wherein the second association relationship comprises: the NAT log and the AAA log contain the same keywords;
a third determining unit 203, configured to determine a user account in the at least one AAA log, and determine the user account as a tracing result of the to-be-traced DPI ticket.
Optionally, the first association relationship includes at least one of the following:
the source IP address in the DPI ticket is the same as the IP address after NAT in the NAT log;
the source port in the DPI ticket is the same as the port after NAT in the NAT log;
the destination IP address in the DPI ticket is the same as the destination IP address in the NAT log;
the destination port in the DPI ticket is the same as the destination port in the NAT log.
Optionally, the first determining unit 201 is specifically configured to: determine, from the plurality of NAT logs, at least one NAT log whose NAT session start time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and whose NAT session end time is later than the time identified by the maximum timestamp in the DPI call ticket to be traced; or
determine, from the plurality of NAT logs, at least one NAT log whose NAT session start time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and whose NAT session end time is later than the preset time after the time identified by the maximum timestamp in the DPI call ticket to be traced.
Optionally, the second association relationship includes:
the IP address before NAT in the NAT log is the same as the private network IP address in the AAA log.
Optionally, the second determining unit 202 is specifically configured to:
determine, from the plurality of AAA logs, the AAA log whose user online time is earlier than the NAT session start time in the at least one NAT log and whose user offline time is later than the NAT session end time in the at least one NAT log.
Optionally, the apparatus further comprises:
an associating unit, configured to determine, according to the session_ID and the BRAS_IP, an online record and an offline record corresponding to the same user from the multiple AAA logs before the second determining unit 202 determines, from the multiple AAA logs, at least one AAA log associated with the at least one NAT log, and associate the online record and the offline record corresponding to the same user into one record; and when any online record is determined not to have a corresponding offline record, associating the online record with an offline record with the offline time being infinite.
Optionally, the apparatus further comprises:
the collection unit is configured to collect the DPI call ticket to be traced from a DPI device, collect the plurality of NAT logs from a NAT device, and collect the plurality of AAA logs from an AAA device before the first determination unit 201 determines at least one NAT log associated with the DPI call ticket to be traced from the plurality of NAT logs according to the first association relationship between the DPI call ticket and the NAT log.
The method and the device are based on the same inventive concept, and because the principles of solving the problems of the method and the device are similar, the specific implementation modes of the operations executed by the units can refer to the corresponding steps in the user tracing method in the embodiment of the invention, so the implementation of the device and the method can be referred to each other, and repeated parts are not described again.
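The correlation chain described above (DPI ticket to NAT log to AAA log to user account), worked through as an added Python example rather than code from the patent. The record layouts, field names, epoch-second timestamps, inclusive time bounds and all sample records are assumptions constructed for illustration.

```python
import math
from collections import namedtuple

# Record layouts and field names are assumptions; times are epoch seconds.
Dpi = namedtuple("Dpi", "src_ip src_port dst_ip dst_port t_min t_max")
Nat = namedtuple("Nat", "pre_ip post_ip post_port dst_ip dst_port start end")
Aaa = namedtuple("Aaa", "event session_id bras_ip private_ip account time")


def pair_aaa(records):
    """Merge online/offline records sharing (session_ID, BRAS_IP) into one session.
    An online record with no offline record gets an offline time of infinity."""
    sessions = {}
    for r in sorted(records, key=lambda r: r.time):
        key = (r.session_id, r.bras_ip)
        if r.event == "online":
            sessions[key] = {"private_ip": r.private_ip, "account": r.account,
                             "online": r.time, "offline": math.inf}
        elif key in sessions:
            sessions[key]["offline"] = r.time
    return list(sessions.values())


def match_nat(dpi, nat_logs):
    """First association: equal 4-tuple, NAT session spans the ticket's timestamps.
    Bounds are inclusive here (an assumption; the text says earlier/later than)."""
    flow = (dpi.src_ip, dpi.src_port, dpi.dst_ip, dpi.dst_port)
    return [n for n in nat_logs
            if (n.post_ip, n.post_port, n.dst_ip, n.dst_port) == flow
            and n.start <= dpi.t_min and n.end >= dpi.t_max]


def match_aaa(nat, sessions):
    """Second association: equal private IP, user online for the whole NAT session."""
    return [s for s in sessions
            if s["private_ip"] == nat.pre_ip
            and s["online"] <= nat.start and s["offline"] >= nat.end]


def trace(dpi, nat_logs, aaa_records):
    """Return the set of accounts the ticket traces back to (empty if none)."""
    sessions = pair_aaa(aaa_records)
    return {s["account"] for n in match_nat(dpi, nat_logs)
            for s in match_aaa(n, sessions)}


# Constructed sample data: 10.0.0.7 is re-leased from alice to bob, and the
# public mapping 203.0.113.10:40001 is reused by three successive NAT sessions.
BRAS = "10.255.0.1"
AAA_RECORDS = [
    Aaa("online", "s1", BRAS, "10.0.0.7", "alice", 1000),
    Aaa("offline", "s1", BRAS, "10.0.0.7", "alice", 2000),
    Aaa("online", "s2", BRAS, "10.0.0.7", "bob", 2100),    # no offline record yet
    Aaa("online", "s3", BRAS, "10.0.0.8", "carol", 900),   # no offline record yet
]
NAT_LOGS = [
    Nat("10.0.0.7", "203.0.113.10", 40001, "198.51.100.5", 443, 1500, 1600),
    Nat("10.0.0.8", "203.0.113.10", 40001, "198.51.100.5", 443, 1700, 1800),
    Nat("10.0.0.7", "203.0.113.10", 40001, "198.51.100.5", 443, 2200, 2300),
]


def ticket(t_min, t_max):
    """Build a constructed DPI ticket for the shared public flow."""
    return Dpi("203.0.113.10", 40001, "198.51.100.5", 443, t_min, t_max)
```

With this data the same public 4-tuple resolves to three different accounts depending on the ticket's timestamps, and `trace(ticket(1590, 1710), NAT_LOGS, AAA_RECORDS)` returns an empty set because no single NAT session covers both timestamps.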
Referring to fig. 7, based on the same inventive concept, an embodiment of the present invention further provides a user tracing apparatus, including:
at least one processor 301, and
a memory 302 coupled to the at least one processor;
the memory 302 stores instructions executable by the at least one processor 301, and the at least one processor 301 executes the instructions stored in the memory 302 to perform the steps of the user tracing method in the above method embodiments according to the present invention.
Optionally, the processor 301 may specifically include a Central Processing Unit (CPU) and an Application Specific Integrated Circuit (ASIC), which may be one or more integrated circuits for controlling program execution, may be a hardware circuit developed by using a Field Programmable Gate Array (FPGA), and may be a baseband processor.
Optionally, the processor 301 may include at least one processing core.
Optionally, the apparatus further includes a memory 302, and the memory 302 may include a Read Only Memory (ROM), a Random Access Memory (RAM), and a disk memory. The memory 302 is used for storing data required by the processor 301 in operation.
Based on the same inventive concept, an embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium stores computer instructions, and when the computer instructions are executed on a computer, the computer is caused to execute the steps of the user tracing method according to the embodiment of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (12)

1. A user tracing method, applied to a centralized carrier-grade network address translation (CGN) system, comprising the following steps:
according to a first association relationship between the DPI call ticket and the network address translation (NAT) log, determining at least one NAT log associated with the DPI call ticket to be traced from the plurality of NAT logs; wherein the first association relationship comprises: the DPI ticket and the NAT log contain the same keywords;
determining at least one AAA log related to the at least one NAT log from the plurality of AAA logs according to a second association relation between the NAT log and an authentication, authorization and accounting (AAA) log; wherein the second association relationship comprises: the NAT log and the AAA log contain the same keywords;
determining a user account in the at least one AAA log, and determining the user account as a tracing result of the DPI ticket to be traced;
wherein the second association relationship includes: the IP address before NAT in the NAT log is the same as the private network IP address in the AAA log;
determining at least one AAA log associated with the at least one NAT log from the plurality of AAA logs according to the second association relationship between the NAT log and the AAA log, comprising: and determining the AAA log with the user online time earlier than the NAT session starting time in the at least one NAT log and the user offline time later than the NAT session ending time in the at least one NAT log from the plurality of AAA logs.
2. The method of claim 1, wherein the first association comprises at least one of:
the source IP address in the DPI ticket is the same as the IP address after NAT in the NAT log;
the source port in the DPI ticket is the same as the port after NAT in the NAT log;
the destination IP address in the DPI ticket is the same as the destination IP address in the NAT log;
the destination port in the DPI ticket is the same as the destination port in the NAT log.
3. The method of claim 2, wherein determining at least one NAT log associated with the DPI ticket to be traced from the plurality of NAT logs according to the first association relationship between the DPI ticket and the NAT log comprises:
determining at least one NAT log of which the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than the time identified by the maximum timestamp in the DPI call ticket to be traced from the plurality of NAT logs; or
And determining at least one NAT log of which the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than the preset time after the time identified by the maximum timestamp in the DPI call ticket to be traced from the plurality of NAT logs.
4. The method of claim 1, wherein prior to determining at least one AAA log associated with the at least one NAT log from a plurality of AAA logs, further comprising:
determining an online record and an offline record corresponding to the same user from the plurality of AAA logs according to the session_ID and the BRAS_IP, and associating the online record and the offline record corresponding to the same user into a record;
and when any online record is determined not to have a corresponding offline record, associating the online record with an offline record with the offline time being infinite.
5. The method according to any of claims 1-4, wherein before determining at least one NAT log associated with a DPI ticket to be traced back from a plurality of NAT logs according to the first association relationship between the DPI ticket and the NAT log, the method further comprises:
collecting the DPI call ticket to be traced from DPI equipment;
collecting the plurality of NAT logs from NAT equipment;
collecting the plurality of AAA logs from the AAA device.
6. A user tracing apparatus, comprising:
the first determining unit is used for determining at least one NAT log associated with the DPI call ticket to be traced from the plurality of NAT logs according to the first association relation between the DPI call ticket and the NAT log; wherein the first association relationship comprises: the DPI ticket and the NAT log contain the same keywords;
a second determining unit, configured to determine, according to a second association relationship between the NAT log and the AAA log, at least one AAA log associated with the at least one NAT log from the multiple AAA logs; wherein the second association relationship comprises: the NAT log and the AAA log contain the same keywords;
a third determining unit, configured to determine a user account in the at least one AAA log, and determine the user account as a tracing result of the DPI ticket to be traced;
wherein the second association relationship includes: the IP address before NAT in the NAT log is the same as the private network IP address in the AAA log;
the second determining unit is specifically configured to: and determining the AAA log with the user online time earlier than the NAT session starting time in the at least one NAT log and the user offline time later than the NAT session ending time in the at least one NAT log from the plurality of AAA logs.
7. The apparatus of claim 6, wherein the first association comprises at least one of:
the source IP address in the DPI ticket is the same as the IP address after NAT in the NAT log;
the source port in the DPI ticket is the same as the port after NAT in the NAT log;
the destination IP address in the DPI ticket is the same as the destination IP address in the NAT log;
and the destination port in the DPI ticket is the same as the destination port in the NAT log.
8. The apparatus of claim 7, wherein the first determining unit is specifically configured to: determining at least one NAT log of which the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than the time identified by the maximum timestamp in the DPI call ticket to be traced from the plurality of NAT logs; or
And determining at least one NAT log from the plurality of NAT logs, wherein the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced, and the NAT session ending time is later than the preset time after the time identified by the maximum timestamp in the DPI call ticket to be traced.
9. The apparatus of claim 6, wherein the apparatus further comprises:
the association unit is used for determining the online record and the offline record corresponding to the same user from the plurality of AAA logs according to the session_ID and the BRAS_IP before the second determination unit determines at least one AAA log associated with the at least one NAT log from the plurality of AAA logs, and associating the online record and the offline record corresponding to the same user into one record; and when any online record is determined not to have a corresponding offline record, associating the online record with an offline record with the offline time being infinite.
10. The apparatus of any of claims 6-9, wherein the apparatus further comprises:
the collection unit is used for collecting the DPI call tickets to be traced from the DPI equipment, collecting the NAT logs from the NAT equipment and collecting the AAA logs from the AAA equipment before the first determination unit determines at least one NAT log associated with the DPI call tickets to be traced from the NAT logs according to the first association relation between the DPI call tickets and the NAT logs.
11. A user tracing apparatus, comprising:
at least one processor, and
a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor to perform the method of any one of claims 1-5 by executing the instructions stored by the memory.
12. A computer-readable storage medium characterized by:
the computer readable storage medium stores computer instructions that, when executed on a computer, cause the computer to perform the method of any of claims 1-5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811375981.2A CN111200665B (en) 2018-11-19 2018-11-19 User source tracing method and device and computer readable storage medium


Publications (2)

Publication Number Publication Date
CN111200665A (en) 2020-05-26
CN111200665B (en) 2022-07-01

Family

ID=70745908


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant