CN112671755A - Suspected VPN erection personnel identification method and device and storage medium - Google Patents

Publication number
CN112671755A
Authority
CN
China
Prior art keywords
vpn
personnel
information
vps
suspected
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011520795.0A
Other languages
Chinese (zh)
Other versions
CN112671755B (en)
Inventor
高华东
魏炜途
朱聚江
李侠林
李山
张永光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Meiya Pico Information Co Ltd
Original Assignee
Xiamen Meiya Pico Information Co Ltd
Application filed by Xiamen Meiya Pico Information Co Ltd
Priority to CN202011520795.0A
Publication of CN112671755A
Application granted
Publication of CN112671755B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device and a storage medium for identifying suspected VPN erection personnel. The method comprises: acquiring first personnel information for accessing, registering with and/or purchasing a VPS; acquiring second personnel information of the remote access VPN; acquiring third personnel information for managing and promoting the VPN and fourth personnel information for setting up the VPN service; and performing fusion processing on the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel. By analyzing the series of activities that occur while a VPN is being set up, the invention analyzes the network traffic characteristics of the websites, tools, templates, apps, mails and the like involved in those activities, and classifies and refines the characteristics to form several rule bases. The rule bases are used for data collision (cross-matching) in big data to obtain a result for each base, and the results are then collided with one another or ranked by weighted points, thereby identifying suspected VPN service erectors and improving the accuracy and speed of that identification.

Description

Suspected VPN erection personnel identification method and device and storage medium
Technical Field
The invention relates to the technical field of data security, in particular to a method and a device for identifying suspected VPN erection personnel and a storage medium.
Background
In recent years, more and more foreign websites have become inaccessible, in particular some internationally popular websites such as Twitter, Instagram, YouTube, Google and Facebook, which has led to a sharp increase in demand among netizens in China for tools such as VPNs.
The demand for VPNs is very high, which has led to many cases of VPNs being set up privately, affecting data and network security and, in turn, national security.
Disclosure of Invention
The present invention is directed to one or more of the above technical drawbacks of the prior art, and provides a specific method for solving the above technical problems.
A method of suspected VPN erection personnel identification, the method comprising:
a first acquisition step of acquiring first personnel information for accessing, registering with and/or purchasing a VPS;
a second acquisition step of acquiring second personnel information of the remote access VPN;
a third acquisition step of acquiring third personnel information for managing and promoting the VPN and fourth personnel information for setting up the VPN service;
and a fusion step of performing fusion processing on the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel.
Further, the operation of acquiring the first personnel information for accessing, registering with and/or purchasing a VPS is: collecting the websites of various domestic and foreign VPS service providers, analyzing the traffic characteristics of registration, login and/or recharge behaviors on those websites to form a traffic feature library, and acquiring information on the personnel accessing a VPS based on the traffic feature library; analyzing the content of the mails exchanged between VPS service providers and buyers, extracting keywords from the mails to form a mail feature library, matching the content of other mails against the mail feature library, and obtaining information on the personnel with registration, purchase and/or recharge behaviors at a VPS service provider; and fusing the information on the personnel accessing a VPS with the information on the personnel with registration, purchase and/or recharge behaviors at a VPS service provider to obtain the first personnel information.
Still further, the operation of acquiring the second personnel information of the remote access VPN includes: analyzing the network traffic of various VPN tools to obtain the VPN server IP list of each APP; for an APP whose server list cannot be obtained, obtaining the network traffic characteristics of VPN use, and using the VPN-use behavior to obtain the IP of the VPN server and add it to the IP list; and analyzing the Telnet or SSH remote control protocol to obtain the IP of the VPN server and the personnel using the protocol, and obtaining the second personnel information of the remote access VPN based on the IP list and on the IP of the VPN server and the personnel using the protocol.
Further, the operation of acquiring the third personnel information for managing and promoting the VPN and the fourth personnel information for setting up the VPN service includes: analyzing the network traffic generated by a WHMCS template during user management to form a VPN user management traffic feature library, judging through that library whether VPN user management and promotion behaviors exist, and taking the information of users with VPN user management and promotion behaviors as the third personnel information; and setting up a VPN with the v2board, sspanel and/or shadowsocks-manager tool templates, analyzing the process to form a tool feature library corresponding to each tool, judging based on the tool feature libraries whether there are personnel with VPN set-up behavior, and taking the information of the personnel with VPN set-up behavior as the fourth personnel information.
Further, the operation of fusing the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel is:
taking the intersection of the first, second, third and fourth personnel information, the personnel in the intersection being the suspected VPN erection personnel;
or, alternatively,
performing a weighted calculation on the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score for each person, and taking the personnel whose weighted score exceeds a threshold as the suspected VPN erection personnel.
The invention also provides a suspected VPN erection personnel identification device, which comprises:
a first acquisition unit for acquiring first personnel information for accessing, registering with and/or purchasing a VPS;
a second acquisition unit for acquiring second personnel information of the remote access VPN;
a third acquisition unit for acquiring third personnel information for managing and promoting the VPN and fourth personnel information for setting up the VPN service;
and a fusion unit for performing fusion processing on the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel.
Further, the operation of acquiring the first personnel information for accessing, registering with and/or purchasing a VPS is: collecting the websites of various domestic and foreign VPS service providers, analyzing the traffic characteristics of registration, login and/or recharge behaviors on those websites to form a traffic feature library, and acquiring information on the personnel accessing a VPS based on the traffic feature library; analyzing the content of the mails exchanged between VPS service providers and buyers, extracting keywords from the mails to form a mail feature library, matching the content of other mails against the mail feature library, and obtaining information on the personnel with registration, purchase and/or recharge behaviors at a VPS service provider; and fusing the information on the personnel accessing a VPS with the information on the personnel with registration, purchase and/or recharge behaviors at a VPS service provider to obtain the first personnel information.
Still further, the operation of acquiring the second personnel information of the remote access VPN includes: analyzing the network traffic of various VPN tools to obtain the VPN server IP list of each APP; for an APP whose server list cannot be obtained, obtaining the network traffic characteristics of VPN use, and using the VPN-use behavior to obtain the IP of the VPN server and add it to the IP list; and analyzing the Telnet or SSH remote control protocol to obtain the IP of the VPN server and the personnel using the protocol, and obtaining the second personnel information of the remote access VPN based on the IP list and on the IP of the VPN server and the personnel using the protocol.
Further, the operation of acquiring the third personnel information for managing and promoting the VPN and the fourth personnel information for setting up the VPN service includes: analyzing the network traffic generated by a WHMCS template during user management to form a VPN user management traffic feature library, judging through that library whether VPN user management and promotion behaviors exist, and taking the information of users with VPN user management and promotion behaviors as the third personnel information; and setting up a VPN with the v2board, sspanel and/or shadowsocks-manager tool templates, analyzing the process to form a tool feature library corresponding to each tool, judging based on the tool feature libraries whether there are personnel with VPN set-up behavior, and taking the information of the personnel with VPN set-up behavior as the fourth personnel information.
Further, the operation of fusing the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel is:
taking the intersection of the first, second, third and fourth personnel information, the personnel in the intersection being the suspected VPN erection personnel;
or, alternatively,
performing a weighted calculation on the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score for each person, and taking the personnel whose weighted score exceeds a threshold as the suspected VPN erection personnel.
The invention also proposes a computer-readable storage medium having stored thereon computer program code which, when executed by a computer, performs any of the methods described above.
The technical effects of the invention are as follows. The invention discloses a method, a device and a storage medium for identifying suspected VPN erection personnel, wherein the method comprises: a first acquisition step of acquiring first personnel information for accessing, registering with and/or purchasing a VPS; a second acquisition step of acquiring second personnel information of the remote access VPN; a third acquisition step of acquiring third personnel information for managing and promoting the VPN and fourth personnel information for setting up the VPN service; and a fusion step of performing fusion processing on the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel. By analyzing the series of activities that occur while a VPN is being set up, the invention analyzes the network traffic characteristics of the websites, tools, templates, apps, mails and the like involved in those activities, and classifies and refines the characteristics to form several rule bases. The rule bases are used for data collision (cross-matching) in big data to obtain a result for each base, and the results are then collided with one another or ranked by weighted points, thereby identifying suspected VPN service erectors and improving the accuracy and speed of that identification.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings.
Fig. 1 is a flow chart of a method of suspected VPN erection personnel identification according to an embodiment of the present invention.
Fig. 2 is a block diagram of a suspected VPN installer identification device according to an embodiment of the present invention.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
The principle of the invention is as follows: the behaviors involved in setting up a VPN service are analyzed, the network traffic characteristics of those behaviors are abstracted, and the behaviors are then collided (cross-matched) to obtain the highly suspected erectors. Analysis shows that the process of setting up a VPN service, from beginning to end, mainly involves the following network behaviors:
VPN server: a VPS service must be purchased, and the VPN server side is set up on that server;
background management of the server: connecting to the server remotely and entering background management;
setting up the VPN server side: setting up the VPN with a general VPN set-up template tool such as v2board, sspanel or shadowsocks-manager;
user management and maintenance: managing users with a management template such as WHMCS.
By analyzing these stages, the network messages generated by the related protocols, tools, templates and so on are analyzed and refined to generate a rule base for identifying suspected VPN erection personnel.
Fig. 1 illustrates a method of suspected VPN erection personnel identification of the present invention, the method comprising:
a first acquisition step S101 of acquiring first personnel information for accessing, registering with and/or purchasing a VPS; specifically, the operation of acquiring the first personnel information for accessing, registering with and/or purchasing a VPS is: collecting the websites of various domestic and foreign VPS service providers, analyzing the traffic characteristics of registration, login and/or recharge behaviors on those websites to form a traffic feature library, and acquiring information on the personnel accessing a VPS based on the traffic feature library; analyzing the content of the mails exchanged between VPS service providers and buyers, extracting keywords from the mails to form a mail feature library, matching the content of other mails against the mail feature library, and obtaining information on the personnel with registration, purchase and/or recharge behaviors at a VPS service provider; and fusing the information on the personnel accessing a VPS with the information on the personnel with registration, purchase and/or recharge behaviors at a VPS service provider to obtain the first personnel information.
In a specific embodiment, for example, 100 VPS service provider websites around the country are collected, the traffic characteristics of registration, login, recharge and other behaviors on these websites are analyzed, and the characteristics are extracted to form a feature library. Using this feature library, the persons accessing a VPS are obtained, forming a result Z, that is, personnel information, which can record all persons accessing a VPS in list form; persons who access several VPS service providers are more likely candidates, and their weight can be increased when the model algorithm is run. While collecting the above features, it was found that VPS service providers interact with buyers by mail (including registration information, purchase information, etc.) during registration, login, purchase and recharge. The content of each VPS service provider's interactive mails is analyzed, and mail features such as keywords are extracted to form a feature library Y. Mail content is parsed, restored and extracted, and feature library Y is collided with the mail content to obtain the persons with registration, purchase and recharge behaviors at a VPS service provider, forming a result X; the first personnel information is calculated as the union of results X and Z. This is the first inventive point of the invention: preliminarily determining the screening range of personnel based on records of the persons accessing, registering with and/or purchasing a VPS.
A second acquisition step S102 of acquiring second personnel information of the remote access VPN; in one embodiment, the operation of acquiring the second personnel information of the remote access VPN includes: analyzing the network traffic of various VPN tools to obtain the VPN server IP list of each APP; for an APP whose server list cannot be obtained, obtaining the network traffic characteristics of VPN use, and using the VPN-use behavior to obtain the IP of the VPN server and add it to the IP list; and analyzing the Telnet or SSH remote control protocol to obtain the IP of the VPN server and the personnel using the protocol, and obtaining the second personnel information of the remote access VPN based on the IP list and on the IP of the VPN server and the personnel using the protocol.
In one embodiment, the above operation may be achieved by:
the first step: analyzing the network traffic of the various VPN tools on the market to obtain the VPN server IP list used by each APP; where the VPN server list cannot be obtained, obtaining the network traffic characteristics of VPN use, and using the VPN-use behavior to obtain the IP of the VPN server;
the second step: analyzing remote control protocols such as Telnet and SSH to obtain the server IPs and the personnel using the protocols;
the third step: colliding the server list A of the first step with the result B of the second step to obtain a result C, where C represents the second personnel information of the remote access VPN and may be in list form; the result represents the persons who log in to a VPN server via remote control such as Telnet or SSH to perform management operations. This is another important inventive point of the present invention.
A third acquisition step S103 of acquiring third personnel information for managing and promoting the VPN and fourth personnel information for setting up the VPN service; specifically, the operation of acquiring the third personnel information for managing and promoting the VPN and the fourth personnel information for setting up the VPN service includes: analyzing the network traffic generated by a WHMCS template during user management to form a VPN user management traffic feature library, judging through that library whether VPN user management and promotion behaviors exist, and taking the information of users with VPN user management and promotion behaviors as the third personnel information; and setting up a VPN with the v2board, sspanel and/or shadowsocks-manager tool templates, analyzing the process to form a tool feature library corresponding to each tool, judging based on the tool feature libraries whether there are personnel with VPN set-up behavior, and taking the information of the personnel with VPN set-up behavior as the fourth personnel information.
In one embodiment, VPN erectors currently use mainly v2board, sspanel, shadowsocks-manager and other related derived tools and templates to set up VPNs. A VPN is set up with each of these general tool templates, the message characteristics during set-up are analyzed to form a feature library corresponding to each tool, and the feature library is used to judge whether VPN set-up behavior exists.
The network traffic generated by templates such as WHMCS during user management is analyzed, and its characteristics are extracted to form a VPN user management traffic feature library, which is used to judge whether VPN user management behavior exists.
A fusion step S104 of performing fusion processing on the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel.
Specifically, the operation of fusing the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel is as follows:
taking the intersection of the first, second, third and fourth personnel information, the personnel in the intersection being the suspected VPN erection personnel; this is the simplest way to determine the suspected VPN erection personnel, but it is not accurate, and to improve the accuracy of the determination the following way may be adopted:
performing a weighted calculation on the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score for each person, and taking the personnel whose weighted score exceeds a threshold as the suspected VPN erection personnel. For example, the following scoring rules may be designed:
visiting 1 VPS service provider: 1 point; visiting 2: 3 points; visiting 3: 5 points; the more providers visited, the higher the score, and so on;
registering as a VPS service member: 5 points; the more VPS services registered with, the higher the score, and so on;
purchasing a VPS service: 20 points;
suspected VPN set-up behavior: 50 points;
selling and promoting a VPN: 8 points.
This method is more accurate than a simple intersection calculation, and is another important inventive point of the invention.
By analyzing the series of activities that occur while a VPN is being set up, the method analyzes the network traffic characteristics of the websites, tools, templates, apps, mails and the like involved in those activities, and classifies and refines the characteristics to form several rule bases. The rule bases are used for data collision in big data to obtain a result for each base, and the results are then collided with one another or ranked by weighted points, thereby identifying suspected VPN service erectors and improving the accuracy and speed of that identification.
Fig. 2 shows a suspected VPN erection personnel identification device according to the invention, comprising:
a first acquisition unit 201 for acquiring first personnel information for accessing, registering with and/or purchasing a VPS; specifically, the operation of acquiring the first personnel information for accessing, registering with and/or purchasing a VPS is: collecting the websites of various domestic and foreign VPS service providers, analyzing the traffic characteristics of registration, login and/or recharge behaviors on those websites to form a traffic feature library, and acquiring information on the personnel accessing a VPS based on the traffic feature library; analyzing the content of the mails exchanged between VPS service providers and buyers, extracting keywords from the mails to form a mail feature library, matching the content of other mails against the mail feature library, and obtaining information on the personnel with registration, purchase and/or recharge behaviors at a VPS service provider; and fusing the information on the personnel accessing a VPS with the information on the personnel with registration, purchase and/or recharge behaviors at a VPS service provider to obtain the first personnel information.
In a specific embodiment, for example, 100 VPS service provider websites around the country are collected, the traffic characteristics of registration, login, recharge and other behaviors on these websites are analyzed, and the characteristics are extracted to form a feature library. Using this feature library, the persons accessing a VPS are obtained, forming a result Z, that is, personnel information, which can record all persons accessing a VPS in list form; persons who access several VPS service providers are more likely candidates, and their weight can be increased when the model algorithm is run. While collecting the above features, it was found that VPS service providers interact with buyers by mail (including registration information, purchase information, etc.) during registration, login, purchase and recharge. The content of each VPS service provider's interactive mails is analyzed, and mail features such as keywords are extracted to form a feature library Y. Mail content is parsed, restored and extracted, and feature library Y is collided with the mail content to obtain the persons with registration, purchase and recharge behaviors at a VPS service provider, forming a result X; the first personnel information is calculated as the union of results X and Z. This is the first inventive point of the invention: preliminarily determining the screening range of personnel based on records of the persons accessing, registering with and/or purchasing a VPS.
a second acquisition unit 202 for acquiring second personnel information of the remote access VPN; in one embodiment, the operation of acquiring the second personnel information of the remote access VPN includes: analyzing the network traffic of various VPN tools to obtain the VPN server IP list of each APP; for an APP whose server list cannot be obtained, obtaining the network traffic characteristics of VPN use, and using the VPN-use behavior to obtain the IP of the VPN server and add it to the IP list; and analyzing the Telnet or SSH remote control protocol to obtain the IP of the VPN server and the personnel using the protocol, and obtaining the second personnel information of the remote access VPN based on the IP list and on the IP of the VPN server and the personnel using the protocol.
In one embodiment, the above operation may be achieved by:
the first step: analyzing the network traffic of the various VPN tools on the market to obtain the VPN server IP list used by each APP; where the VPN server list cannot be obtained, obtaining the network traffic characteristics of VPN use, and using the VPN-use behavior to obtain the IP of the VPN server;
the second step: analyzing remote control protocols such as Telnet and SSH to obtain the server IPs and the personnel using the protocols;
the third step: colliding the server list A of the first step with the result B of the second step to obtain a result C, where C represents the second personnel information of the remote access VPN and may be in list form; the result represents the persons who log in to a VPN server via remote control such as Telnet or SSH to perform management operations. This is another important inventive point of the present invention.
a third acquisition unit 203 for acquiring third personnel information for managing and promoting the VPN and fourth personnel information for setting up the VPN service; specifically, the operation of acquiring the third personnel information for managing and promoting the VPN and the fourth personnel information for setting up the VPN service includes: analyzing the network traffic generated by a WHMCS template during user management to form a VPN user management traffic feature library, judging through that library whether VPN user management and promotion behaviors exist, and taking the information of users with VPN user management and promotion behaviors as the third personnel information; and setting up a VPN with the v2board, sspanel and/or shadowsocks-manager tool templates, analyzing the process to form a tool feature library corresponding to each tool, judging based on the tool feature libraries whether there are personnel with VPN set-up behavior, and taking the information of the personnel with VPN set-up behavior as the fourth personnel information.
In one embodiment, VPN erectors currently use mainly v2board, sspanel, shadowsocks-manager and other related derived tools and templates to set up VPNs. A VPN is set up with each of these general tool templates, the message characteristics during set-up are analyzed to form a feature library corresponding to each tool, and the feature library is used to judge whether VPN set-up behavior exists.
The network traffic generated by templates such as WHMCS during user management is analyzed, and its characteristics are extracted to form a VPN user management traffic feature library, which is used to judge whether VPN user management behavior exists.
And a fusion unit 204 for performing fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel.
Specifically, the operation of fusing the first, second, third and fourth person information to obtain the suspected VPN erection personnel is as follows:
obtaining the intersection of the first, second, third and fourth personnel information, the persons in the intersection being the suspected VPN erection personnel. This is the simplest way to determine the suspected VPN erection personnel, but it is not accurate; to improve the accuracy of the determination, the following way may be adopted:
performing a weighted calculation over the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score for each person, and taking the persons whose weighted score exceeds a threshold as suspected VPN erection personnel. For example, the scoring rules may be designed as follows:
visiting 1 VPS service provider scores 1 point, visiting 3 scores 2 points, visiting 5 scores 3 points, and so on: the more providers visited, the higher the score;
registering as a member of a VPS service scores 5 points; registering with several VPS services scores higher, and so on;
purchasing a VPS service scores 20 points;
suspected VPN setup behavior scores 50 points;
selling and promoting a VPN scores 8 points.
This method is more accurate than the simple intersection calculation, and is another important inventive point of the invention.
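The two fusion modes described above, compared on constructed records, as an added example that is not part of the patent text. The field names, the threshold of 60, the cap on visit points, the 5 points per registration and the absence of any score for remote access are assumptions; the page supplies only the listed point values.

```python
from dataclasses import dataclass

@dataclass
class Evidence:
    """Feature-library hits for one subject (hypothetical field names)."""
    vps_sites_visited: int = 0    # first personnel information
    vps_registrations: int = 0    # first personnel information
    vps_purchased: bool = False   # first personnel information
    remote_access: bool = False   # second personnel information
    promotes_vpn: bool = False    # third personnel information
    sets_up_vpn: bool = False     # fourth personnel information

# (minimum providers visited, points) as listed on the page, highest tier first.
VISIT_TIERS = ((5, 3), (3, 2), (1, 1))

def visit_points(n):
    # The page continues with "and so on"; this sketch caps at the last listed tier.
    return next((pts for floor, pts in VISIT_TIERS if n >= floor), 0)

def score(ev):
    """Return (total, per-rule breakdown) so each flag can be audited."""
    parts = {
        "visit": visit_points(ev.vps_sites_visited),
        "register": 5 * ev.vps_registrations,   # assumption: 5 per registration
        "purchase": 20 if ev.vps_purchased else 0,
        "setup": 50 if ev.sets_up_vpn else 0,
        "promote": 8 if ev.promotes_vpn else 0,
    }
    return sum(parts.values()), parts

def in_all_four(ev):
    first = ev.vps_sites_visited > 0 or ev.vps_registrations > 0 or ev.vps_purchased
    return first and ev.remote_access and ev.promotes_vpn and ev.sets_up_vpn

def fuse(records, threshold):
    """Return (intersection result, weighted-score result) as sets of subject ids."""
    intersection = {s for s, ev in records.items() if in_all_four(ev)}
    weighted = {s for s, ev in records.items() if score(ev)[0] > threshold}
    return intersection, weighted

THRESHOLD = 60  # assumption: the page does not state a threshold

# Constructed sample records, not real data.
RECORDS = {
    "subj-A": Evidence(5, 2, True, True, True, True),     # hits in all four sets
    "subj-B": Evidence(3, 1, True, True, False, True),    # no promotion evidence
    "subj-C": Evidence(6, 3, True, False, False, False),  # heavy VPS customer only
    "subj-D": Evidence(0, 0, False, True, True, False),   # promotion only
}

if __name__ == "__main__":
    both, weighted = fuse(RECORDS, THRESHOLD)
    print("intersection:", sorted(both))
    print("weighted:", sorted(weighted))
    for subject, ev in RECORDS.items():
        print(subject, *score(ev))
```

With the assumed threshold, subj-B is missed by the intersection but caught by the score, while lowering the threshold to 30 also flags subj-C, an ordinary hosting customer, so the threshold choice sets the false-positive rate.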
The device analyzes the network-traffic characteristics of the websites, tools, templates, apps, mails and the like involved in the series of activities generated while setting up a VPN, then classifies and refines these characteristics to form various rule bases. The rule bases are matched against the big data to obtain the results corresponding to each base, and these results are intersected or ranked by weighted score, thereby identifying suspected VPN service erectors and improving the accuracy and speed of their identification.
For convenience of description, the above device is described as divided into various units by function, each described separately. Of course, when implementing the present application, the functionality of the units may be implemented in one or more pieces of software and/or hardware.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus a necessary general-purpose hardware platform. Based on such understanding, the technical solutions of the present application, in essence or in the portions that contribute over the prior art, may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the apparatuses described in the embodiments or some portions of the embodiments of the present application.
Finally, it should be noted that although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications and equivalents may be made thereto without departing from the spirit and scope of the invention, and that all such modifications and equivalents are intended to be covered by the appended claims.

Claims (11)

1. A method for identifying a suspected VPN erection person, the method comprising:
a first acquisition step of acquiring first person information for accessing, registering and/or purchasing a VPS;
a second acquisition step of acquiring second personnel information of the remote access VPN;
a third acquisition step of acquiring third personnel information for managing and promoting the VPN and fourth personnel information for setting up the VPN service;
and a fusion step, namely performing fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel.
2. The method of claim 1, wherein obtaining first person information to access, register and/or purchase a VPS comprises: collecting various VPS service provider websites inside and outside a country, analyzing the flow characteristics of the registration, login and/or recharging behaviors of the various VPS service provider websites to form a flow characteristic library, and acquiring information of people accessing the VPS based on the flow characteristic library; analyzing the content of the interactive mails of the VPS service provider and the buyer, extracting key words of the mails to form a mail feature library, matching the contents of other mails based on the mail feature library, and obtaining personnel information with registration, purchase and/or recharge behaviors at the VPS service provider; and fusing the personnel information for accessing the VPS and the personnel information with registration, purchase and/or recharging behaviors at a VPS service provider to obtain the first personnel information.
3. The method of claim 2, wherein obtaining second personal information for a remote-access VPN comprises: analyzing network flow by using various VPN tools to obtain a VPN server IP list of each APP, obtaining network flow characteristics using the VPN for the APP which cannot obtain the server list, and obtaining and adding the IP of the VPN server to the IP list by using VPN behaviors; and analyzing the Telnet or SSH remote control protocol to obtain the IP of the VPN server and the personnel using the protocol, and obtaining second personnel information of the remote access VPN based on the IP list and the IP of the VPN server and the personnel using the protocol.
4. The method of claim 3, wherein the operations of obtaining the third person information for managing and promoting the VPN and the fourth person information for setting up the VPN service comprise: analyzing network traffic generated by a WHMCS template in a user management process to form a traffic feature library for VPN user management, judging whether VPN user management and promotion behaviors exist through the traffic feature library for user management, and taking user information with the VPN user management and promotion behaviors as third personnel information; and setting up VPNs with the v2board, sspanel and/or showsocks-manager tool templates, analyzing the setup to form a tool feature library corresponding to each tool, judging whether a person with VPN setup behavior exists based on the tool feature library, and taking the information of the person with the VPN setup behavior as fourth person information.
5. The method according to claim 4, wherein the operation of fusing the first, second, third and fourth person information to obtain the suspected VPN erection personnel is:
obtaining intersection of the first, second, third and fourth personnel information, wherein the personnel in the intersection are suspected VPN erection personnel;
or, alternatively,
and performing weighted calculation according to the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score of each personnel, and taking the personnel with the weighted score exceeding a threshold value as suspected VPN erection personnel.
6. A device for identification of suspected VPN erection personnel, the device comprising:
a first acquisition unit acquiring first person information for accessing, registering and/or purchasing a VPS;
the second acquisition unit is used for acquiring second personnel information of the remote access VPN;
a third acquiring unit, configured to acquire third person information for managing and promoting the VPN and fourth person information for setting up a VPN service;
and the fusion unit is used for carrying out fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel.
7. The apparatus of claim 6, wherein the operation of obtaining first person information for accessing, registering and/or purchasing a VPS is: collecting various VPS service provider websites inside and outside a country, analyzing the flow characteristics of the registration, login and/or recharging behaviors of the various VPS service provider websites to form a flow characteristic library, and acquiring information of people accessing the VPS based on the flow characteristic library; analyzing the content of the interactive mails of the VPS service provider and the buyer, extracting key words of the mails to form a mail feature library, matching the contents of other mails based on the mail feature library, and obtaining personnel information with registration, purchase and/or recharge behaviors at the VPS service provider; and fusing the personnel information for accessing the VPS and the personnel information with registration, purchase and/or recharging behaviors at a VPS service provider to obtain the first personnel information.
8. The apparatus of claim 7, wherein the operation of obtaining second personal information for a remote-access VPN comprises: analyzing network flow by using various VPN tools to obtain a VPN server IP list of each APP, obtaining network flow characteristics using the VPN for the APP which cannot obtain the server list, and obtaining and adding the IP of the VPN server to the IP list by using VPN behaviors; and analyzing the Telnet or SSH remote control protocol to obtain the IP of the VPN server and the personnel using the protocol, and obtaining second personnel information of the remote access VPN based on the IP list and the IP of the VPN server and the personnel using the protocol.
9. The apparatus of claim 8, wherein the operations of obtaining third person information for managing and promoting the VPN and fourth person information for setting up the VPN service comprise: analyzing network traffic generated by a WHMCS template in a user management process to form a traffic feature library for VPN user management, judging whether VPN user management and promotion behaviors exist through the traffic feature library for user management, and taking user information with the VPN user management and promotion behaviors as third personnel information; and setting up VPNs with the v2board, sspanel and/or showsocks-manager tool templates, analyzing the setup to form a tool feature library corresponding to each tool, judging whether a person with VPN setup behavior exists based on the tool feature library, and taking the information of the person with the VPN setup behavior as fourth person information.
10. The apparatus according to claim 9, wherein the operation of fusing the first, second, third and fourth person information to obtain the suspected VPN erection personnel is:
obtaining intersection of the first, second, third and fourth personnel information, wherein the personnel in the intersection are suspected VPN erection personnel;
or, alternatively,
and performing weighted calculation according to the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score of each personnel, and taking the personnel with the weighted score exceeding a threshold value as suspected VPN erection personnel.
11. A computer-readable storage medium, characterized in that the storage medium has stored thereon computer program code which, when executed by a computer, performs the method of any of claims 1-5.
CN202011520795.0A 2020-12-21 2020-12-21 Suspected VPN erection personnel identification method and device and storage medium Active CN112671755B (en)


Publications (2)

Publication Number | Publication Date
CN112671755A (en) | 2021-04-16
CN112671755B (en) | 2022-07-15



