CN112671755B - Suspected VPN erection personnel identification method and device and storage medium - Google Patents

Publication number
CN112671755B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011520795.0A
Other languages
Chinese (zh)
Other versions
CN112671755A (en
Inventor
高华东
魏炜途
朱聚江
李侠林
李山
张永光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Meiya Pico Information Co Ltd
Original Assignee
Xiamen Meiya Pico Information Co Ltd
Application filed by Xiamen Meiya Pico Information Co Ltd
Priority to CN202011520795.0A
Publication of CN112671755A
Application granted
Publication of CN112671755B

Abstract

The invention discloses a method, a device and a storage medium for identifying suspected VPN erection personnel, wherein the method comprises the following steps: acquiring first person information for accessing, registering and/or purchasing a VPS; acquiring second personnel information of the remote access VPN; acquiring third personnel information for managing and popularizing the VPN and fourth personnel information for setting up VPN service; and performing fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel. By analyzing the series of activity behaviors generated in the VPN setup process, the invention analyzes the network traffic characteristics of the websites, tools, templates, apps, mails and the like involved in those behaviors, and classifies and refines the characteristics to form various rule bases. The rule bases are used to perform data collision (cross-matching) in the big data to obtain results corresponding to each base, and the results are then collided with one another or ranked by weighted score, thereby identifying suspected VPN service erection personnel and improving the accuracy and speed of their identification.

Description

Suspected VPN erection personnel identification method and device and storage medium
Technical Field
The invention relates to the technical field of data security, in particular to a method and a device for identifying suspected VPN erection personnel and a storage medium.
Background
In recent years, more and more foreign websites have become inaccessible, in particular some internationally known popular websites such as Twitter, Instagram, YouTube, Google and Facebook, which has led to a strong increase in demand among netizens in China for tools such as VPNs.
Demand for VPNs is very high, which has led to many cases of VPNs being set up privately, affecting data and network security and, in turn, national security.
Disclosure of Invention
The present invention addresses one or more of the above-mentioned deficiencies in the prior art, and provides a solution to the above-mentioned problems.
A method of suspected VPN erection personnel identification, the method comprising:
a first acquisition step of acquiring first person information for accessing, registering and/or purchasing a VPS;
a second acquisition step of acquiring second personnel information of the remote access VPN;
a third acquisition step of acquiring third personnel information for managing and promoting the VPN and fourth personnel information for setting up the VPN service;
and a fusion step, namely performing fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel.
Further, the operation of acquiring the first person information for accessing, registering and/or purchasing the VPS is: collecting various VPS service provider websites inside and outside a country, analyzing the flow characteristics of the registration, login and/or recharging behaviors of the various VPS service provider websites to form a flow characteristic library, and acquiring information of people accessing the VPS based on the flow characteristic library; analyzing the content of the interactive mail of the VPS service provider and the buyer, extracting the key words of the mail to form a mail feature library, matching the content of other mails based on the mail feature library, and obtaining the personnel information with registration, purchase and/or recharging behaviors at the VPS service provider; and fusing the personnel information for accessing the VPS and the personnel information with registration, purchase and/or recharging behaviors at a VPS service provider to obtain the first personnel information.
Still further, the operation of obtaining second person information of the remote access VPN includes: analyzing the network traffic of various VPN tools to obtain the VPN server IP list of each APP; for an APP whose server list cannot be obtained, obtaining the network traffic characteristics of VPN use and, through the VPN-use behavior, obtaining the IP of the VPN server and adding it to the IP list; and analyzing the Telnet or SSH remote control protocol to obtain the IP of the VPN server and the personnel using the protocol, and obtaining the second personnel information of the remote access VPN based on the IP list and on the IP of the VPN server and the personnel using the protocol.
Further, the operation of acquiring the third person information for managing and promoting the VPN and the fourth person information for setting up the VPN service includes: analyzing the network traffic generated by a WHMCS template in the user management process to form a traffic feature library of VPN user management, judging through that traffic feature library whether VPN user management and promotion behaviors exist, and taking the information of users with VPN user management and promotion behaviors as the third personnel information; and setting up VPNs with the v2board, sspanel and/or shadowsocks-manager tool templates and analyzing the process to form a tool feature library corresponding to each tool, judging based on the tool feature library whether there are persons with VPN setup behavior, and taking the information of persons with VPN setup behavior as the fourth personnel information.
Furthermore, the operation of fusing the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel is as follows:
obtaining intersection of the information of the first, second, third and fourth personnel, wherein the personnel in the intersection are suspected VPN erection personnel;
or, alternatively,
and performing weighted calculation according to the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score of each personnel, and taking the personnel with the weighted score exceeding a threshold value as suspected VPN erection personnel.
The invention also provides a suspected VPN erection personnel identification device, which comprises:
a first acquisition unit that acquires first person information for accessing, registering, and/or purchasing a VPS;
the second acquisition unit is used for acquiring second personnel information of the remote access VPN;
a third acquiring unit, configured to acquire third person information for managing and promoting the VPN and fourth person information for setting up a VPN service;
and the fusion unit is used for carrying out fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel.
Further, the operation of acquiring the first person information for accessing, registering and/or purchasing the VPS is: collecting various VPS service provider websites inside and outside a country, analyzing the flow characteristics of the registration, login and/or recharging behaviors of the various VPS service provider websites to form a flow characteristic library, and acquiring information of people accessing the VPS based on the flow characteristic library; analyzing the content of the interactive mails of the VPS service provider and the buyer, extracting key words of the mails to form a mail feature library, matching the contents of other mails based on the mail feature library, and obtaining personnel information with registration, purchase and/or recharge behaviors at the VPS service provider; and fusing the personnel information for accessing the VPS and the personnel information with registration, purchase and/or recharging behaviors at a VPS service provider to obtain the first personnel information.
Still further, the operation of obtaining second person information of the remote access VPN includes: analyzing the network traffic of various VPN tools to obtain the VPN server IP list of each APP; for an APP whose server list cannot be obtained, obtaining the network traffic characteristics of VPN use and, through the VPN-use behavior, obtaining the IP of the VPN server and adding it to the IP list; and analyzing the Telnet or SSH remote control protocol to obtain the IP of the VPN server and the personnel using the protocol, and obtaining the second personnel information of the remote access VPN based on the IP list and on the IP of the VPN server and the personnel using the protocol.
Further, the operation of acquiring the third person information for managing and promoting the VPN and the fourth person information for setting up the VPN service includes: analyzing the network traffic generated by a WHMCS template in the user management process to form a traffic feature library of VPN user management, judging through that traffic feature library whether VPN user management and promotion behaviors exist, and taking the information of users with VPN user management and promotion behaviors as the third personnel information; and setting up VPNs with the v2board, sspanel and/or shadowsocks-manager tool templates and analyzing the process to form a tool feature library corresponding to each tool, judging based on the tool feature library whether there are persons with VPN setup behavior, and taking the information of persons with VPN setup behavior as the fourth personnel information.
Further, the operation of fusing the first, second, third and fourth person information to obtain the suspected VPN erection personnel is as follows:
obtaining intersection of the information of the first, second, third and fourth personnel, wherein the personnel in the intersection are suspected VPN erection personnel;
or, alternatively,
and performing weighted calculation according to the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score of each personnel, and taking the personnel with the weighted score exceeding a threshold value as suspected VPN erection personnel.
The present invention also proposes a computer-readable storage medium having stored thereon computer program code which, when executed by a computer, performs the method of any of the above.
The invention has the technical effects that: the invention discloses a method, a device and a storage medium for identifying suspected VPN erection personnel, wherein the method comprises the following steps: a first acquisition step of acquiring first person information for accessing, registering and/or purchasing a VPS; a second acquisition step of acquiring second personnel information of the remote access VPN; a third acquisition step of acquiring third personnel information for managing and promoting the VPN and fourth personnel information for setting up the VPN service; and a fusion step, namely performing fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel. By analyzing the series of activity behaviors generated in the VPN setup process, the method analyzes the network traffic characteristics of the websites, tools, templates, apps, mails and the like involved in those behaviors, and classifies and refines the characteristics to form various rule bases. The rule bases are used to perform data collision (cross-matching) in the big data to obtain results corresponding to each base, and the results are then collided with one another or ranked by weighted score, thereby identifying suspected VPN service erection personnel and improving the accuracy and speed of their identification.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings.
Fig. 1 is a flow chart of a method of suspected VPN erection personnel identification in accordance with an embodiment of the present invention.
Fig. 2 is a block diagram of a suspected VPN installer identification device in accordance with an embodiment of the present invention.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
The principle of the invention is as follows: by analyzing the behaviors involved in erecting a VPN service, the network traffic characteristics of those behaviors are abstracted, and the behaviors are then collided with one another to finally obtain highly suspected erectors. Analysis shows that the process of setting up a VPN service, from beginning to end, mainly includes the following network behaviors: VPN server: a VPS service must be purchased, and the VPN server side is set up on that server; background management of the server: connecting to the server remotely and entering background management; setting up the VPN server side: setting up the VPN using a general VPN setup template tool such as v2board, sspanel or shadowsocks-manager; user management and maintenance: managing users with a management template such as WHMCS. By analyzing these links, the network messages generated by the related protocols, tools, templates and the like are analyzed and refined to generate a rule base for identifying suspected VPN erection personnel.
Fig. 1 illustrates a method of suspected VPN erection personnel identification of the present invention, the method comprising:
a first acquisition step S101 of acquiring first person information for accessing, registering and/or purchasing a VPS; specifically, the operation of acquiring the first person information for accessing, registering and/or purchasing the VPS is: collecting various VPS service provider websites inside and outside a country, analyzing the flow characteristics of the registration, login and/or recharging behaviors of the various VPS service provider websites to form a flow characteristic library, and acquiring information of people accessing the VPS based on the flow characteristic library; analyzing the content of the interactive mails of the VPS service provider and the buyer, extracting key words of the mails to form a mail feature library, matching the contents of other mails based on the mail feature library, and obtaining personnel information with registration, purchase and/or recharge behaviors at the VPS service provider; and fusing the personnel information for accessing the VPS and the personnel information with registration, purchase and/or recharging behaviors at the VPS service provider to obtain the first personnel information.
In a specific embodiment, for example, 100 VPS service provider websites around the country are collected, the traffic characteristics of registration, login, recharge and other behaviors on these websites are analyzed, and the traffic characteristics are extracted to form a feature library. Using the feature library, the persons accessing a VPS are obtained, forming a result Z, that is, a piece of personnel information, which can record all persons accessing a VPS in list form; persons who access multiple VPS service providers are highly suspect, and a weight can be added for them when the model algorithm is run. While gathering the above features, it was found that VPS service providers interact with purchasers by mail during registration, login, purchase and recharge (the mails include registration information, purchase information and the like). The content of each VPS service provider's interactive mails is analyzed, and mail characteristics such as keywords are extracted to form a feature library Y. Mail content is parsed, restored and extracted, and the feature library Y is collided with the mail content to obtain the persons who have registration, purchase and recharge behaviors at a VPS service provider, forming a result X. The first personnel information is computed as the union of results X and Z. This is the first inventive point of the invention: the personnel screening range is preliminarily determined by recording the persons who access, register with and/or purchase a VPS.
A second acquisition step S102, acquiring second personnel information of the remote access VPN; in one embodiment, the operation of obtaining second person information of the remote access VPN includes: analyzing the network traffic of various VPN tools to obtain the VPN server IP list of each APP; for an APP whose server list cannot be obtained, obtaining the network traffic characteristics of VPN use and, through the VPN-use behavior, obtaining the IP of the VPN server and adding it to the IP list; and analyzing the Telnet or SSH remote control protocol to obtain the IP of the VPN server and the personnel using the protocol, and obtaining the second personnel information of the remote access VPN based on the IP list and on the IP of the VPN server and the personnel using the protocol.
In one embodiment, the above operation may be achieved by:
The first step: analyzing the network traffic of the various VPN tools on the market to obtain the VPN server IP list used by each APP; where the VPN server list cannot be obtained, obtaining the network traffic characteristics of VPN use, and obtaining the IP of the VPN server through the VPN-use behavior.
The second step: analyzing remote control protocols such as Telnet and SSH to obtain the server IP and the personnel using the protocols;
The third step: the server list A of the first step is collided with the result B of the second step to obtain a result C, where C represents the second personnel information of the remote access VPN and may be in list form; the result represents persons who log in to a VPN server to perform management operations using remote control such as Telnet or SSH. This is another important inventive point of the invention.
A third acquisition step S103 of acquiring third person information for managing and promoting the VPN and fourth person information for setting up a VPN service; specifically, the operation of acquiring the third person information for managing and promoting the VPN and the fourth person information for setting up the VPN service includes: analyzing the network traffic generated by a WHMCS template in the user management process to form a traffic feature library of VPN user management, judging through that traffic feature library whether VPN user management and promotion behaviors exist, and taking the information of users with VPN user management and promotion behaviors as the third personnel information; and setting up VPNs with the v2board, sspanel and/or shadowsocks-manager tool templates and analyzing the process to form a tool feature library corresponding to each tool, judging based on the tool feature library whether there are persons with VPN setup behavior, and taking the information of persons with VPN setup behavior as the fourth personnel information.
In one embodiment, VPN builders currently set up VPNs mainly with v2board, sspanel, shadowsocks-manager and other related derivative tools and templates. VPNs are set up with these general tool templates, the message characteristics of the setup process are analyzed to form a feature library corresponding to each tool, and the feature library is used to judge whether VPN setup behavior exists.
The network traffic generated by templates such as WHMCS during user management is analyzed, and its characteristics are extracted to form a traffic feature library for VPN user management; the feature library is used to judge whether VPN user management behavior exists.
And a fusion step S104, performing fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel.
Specifically, the operation of fusing the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel comprises:
obtaining intersection of the information of the first, second, third and fourth personnel, wherein the personnel in the intersection are suspected VPN erection personnel; this is the simplest way to determine the suspected VPN erection staff, but this way is not accurate, and in order to improve the accuracy of determining the suspected VPN erection staff, the following way may be adopted:
and performing weighted calculation according to the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score for each person, and taking the persons whose weighted score exceeds a threshold value as suspected VPN erection personnel. For example, scoring rules may be designed as follows:
visiting 1 VPS service provider: 1 point; visiting 2: 3 points; visiting 3: 5 points; the more providers visited, the higher the score, and so on;
registering as a member of a VPS service: 5 points; the more VPS services registered with, the higher the score, and so on;
purchasing a VPS service: 20 points;
suspected VPN setup behavior: 50 points;
selling or promoting a VPN: 8 points;
This approach is more accurate than the simple intersection calculation, and is another important inventive point of the invention.
The method analyzes the characteristics of network flow of websites, tools, templates, apps, mails and the like involved in the behaviors by analyzing a series of activity behaviors generated in the VPN setting process, classifies and refines the characteristics, and forms various rule bases. The method comprises the steps of utilizing the rule base to perform data collision in big data to obtain results corresponding to all the bases, and utilizing the results to perform collision or ranking according to weight points, so that suspected VPN service erection personnel are identified, and the accuracy and the speed of identification of the suspected VPN service erection personnel are improved.
Fig. 2 shows a device for identification of suspected VPN erection personnel according to the invention, which device comprises:
a first acquisition unit 201 that acquires first person information for accessing, registering, and/or purchasing a VPS; specifically, the operation of acquiring the first person information for accessing, registering and/or purchasing the VPS is: collecting various VPS service provider websites inside and outside a country, analyzing the flow characteristics of the registration, login and/or recharging behaviors of the various VPS service provider websites to form a flow characteristic library, and acquiring information of people accessing the VPS based on the flow characteristic library; analyzing the content of the interactive mails of the VPS service provider and the buyer, extracting key words of the mails to form a mail feature library, matching the contents of other mails based on the mail feature library, and obtaining personnel information with registration, purchase and/or recharge behaviors at the VPS service provider; and fusing the personnel information for accessing the VPS and the personnel information with registration, purchase and/or recharging behaviors at a VPS service provider to obtain the first personnel information.
In a specific embodiment, for example, 100 VPS service provider websites around the country are collected, the traffic characteristics of registration, login, recharge and other behaviors on these websites are analyzed, and the traffic characteristics are extracted to form a feature library. Using the feature library, the persons accessing a VPS are obtained, forming a result Z, that is, a piece of personnel information, which can record all persons accessing a VPS in list form; persons who access multiple VPS service providers are highly suspect, and a weight can be added for them when the model algorithm is run. While gathering the above features, it was found that VPS service providers interact with purchasers by mail during registration, login, purchase and recharge (the mails include registration information, purchase information and the like). The content of each VPS service provider's interactive mails is analyzed, and mail characteristics such as keywords are extracted to form a feature library Y. Mail content is parsed, restored and extracted, and the feature library Y is collided with the mail content to obtain the persons who have registration, purchase and recharge behaviors at a VPS service provider, forming a result X. The first personnel information is computed as the union of results X and Z. This is the first inventive point of the invention: the personnel screening range is preliminarily determined by recording the persons who access, register with and/or purchase a VPS.
A second acquiring unit 202 configured to acquire second person information of the remote VPN access; in one embodiment, the operation of obtaining second person information of the remote access VPN includes: analyzing the network traffic of various VPN tools to obtain the VPN server IP list of each APP; for an APP whose server list cannot be obtained, obtaining the network traffic characteristics of VPN use and, through the VPN-use behavior, obtaining the IP of the VPN server and adding it to the IP list; and analyzing the Telnet or SSH remote control protocol to obtain the IP of the VPN server and the personnel using the protocol, and obtaining the second personnel information of the remote access VPN based on the IP list and on the IP of the VPN server and the personnel using the protocol.
In one embodiment, the above operation may be achieved by:
The first step: analyzing the network traffic of the various VPN tools on the market to obtain the VPN server IP list used by each APP; where the VPN server list cannot be obtained, obtaining the network traffic characteristics of VPN use, and obtaining the IP of the VPN server through the VPN-use behavior.
The second step: analyzing remote control protocols such as Telnet and SSH to obtain the server IP and the personnel using the protocols;
The third step: the server list A of the first step is collided with the result B of the second step to obtain a result C, where C represents the second personnel information of the remote access VPN and may be in list form; the result represents persons who log in to a VPN server to perform management operations using remote control such as Telnet or SSH. This is another important inventive point of the invention.
A third acquiring unit 203, acquiring third person information for managing and promoting the VPN and fourth person information for setting up the VPN service; specifically, the operation of acquiring the third person information for managing and promoting the VPN and the fourth person information for setting up the VPN service includes: analyzing the network traffic generated by a WHMCS template in the user management process to form a traffic feature library of VPN user management, judging through that traffic feature library whether VPN user management and promotion behaviors exist, and taking the information of users with VPN user management and promotion behaviors as the third personnel information; and setting up VPNs with the v2board, sspanel and/or shadowsocks-manager tool templates and analyzing the process to form a tool feature library corresponding to each tool, judging based on the tool feature library whether there are persons with VPN setup behavior, and taking the information of persons with VPN setup behavior as the fourth personnel information.
In one embodiment, VPN builders currently set up VPNs mainly with v2board, sspanel, shadowsocks-manager and other related derivative tools and templates. VPNs are set up with these general tool templates, the message characteristics of the setup process are analyzed to form a feature library corresponding to each tool, and the feature library is used to judge whether VPN setup behavior exists.
The network traffic generated by templates such as WHMCS during user management is analyzed, and its characteristics are extracted to form a traffic feature library for VPN user management; the feature library is used to judge whether VPN user management behavior exists.
And the fusion unit 204 is used for performing fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel.
Specifically, the operation of fusing the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel is as follows:
obtaining the intersection of the first, second, third and fourth personnel information, wherein the personnel in the intersection are suspected VPN erection personnel. This is the simplest way to determine the suspected VPN erection personnel, but it is not accurate; to improve the accuracy, the following way may be adopted:
performing a weighted calculation according to the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score for each person, and taking the personnel whose weighted score exceeds a threshold value as suspected VPN erection personnel. For example, a scoring rule may be designed as follows:
visiting 1 VPS service provider: 1 point; visiting 3: 2 points; visiting 5: 3 points; the more providers visited, the higher the score, and so on;
registering as a member of a VPS service: 5 points; the more VPS services registered with, the higher the score, and so on;
purchasing a VPS service: 20 points;
suspected VPN setup behavior: 50 points;
selling and promoting a VPN: 8 points.
This method is more accurate than the simple intersection calculation, and is another important inventive point of the invention.
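The two fusion modes described above, run side by side on constructed records, as an added example that is not part of the patent text. The threshold of 60, the per-account registration scaling, the cap at 3 visit points and all names (`Signals`, `fuse`, `user-a` and so on) are assumptions.

```python
from dataclasses import dataclass

# Point values from the example scoring rule in the description.
VISIT_TIERS = [(5, 3), (3, 2), (1, 1)]  # (minimum providers visited, points)
REGISTER_POINTS = 5   # per VPS provider account (per-account scaling is assumed)
PURCHASE_POINTS = 20
SETUP_POINTS = 50
PROMOTE_POINTS = 8
THRESHOLD = 60        # assumed: the description gives no threshold value


@dataclass
class Signals:
    """Rule-library hits for one person; every record below is constructed."""
    vps_visited: int = 0         # first information: provider sites visited
    vps_registered: int = 0      # first information: provider accounts
    vps_purchased: bool = False  # first information: purchase or recharge
    remote_access: bool = False  # second information (no points in the rule)
    promoted: bool = False       # third information: management/promotion
    setup: bool = False          # fourth information: setup-tool match


def visit_points(count):
    """Tiered visit score: 1 -> 1, 3 -> 2, 5 -> 3; capped at 3 (assumed)."""
    return next((pts for minimum, pts in VISIT_TIERS if count >= minimum), 0)


def weighted_score(s):
    return (visit_points(s.vps_visited) + REGISTER_POINTS * s.vps_registered
            + PURCHASE_POINTS * s.vps_purchased + SETUP_POINTS * s.setup
            + PROMOTE_POINTS * s.promoted)


def in_intersection(s):
    """Simple fusion: the person must appear in all four information sets."""
    first = bool(s.vps_visited or s.vps_registered or s.vps_purchased)
    return first and s.remote_access and s.promoted and s.setup


def fuse(people, threshold=THRESHOLD):
    """Return (flagged by intersection, flagged by score, all scores)."""
    scores = {name: weighted_score(s) for name, s in people.items()}
    by_set = {name for name, s in people.items() if in_intersection(s)}
    by_score = {name for name, pts in scores.items() if pts > threshold}
    return by_set, by_score, scores


PEOPLE = {  # constructed sample records
    "user-a": Signals(5, 2, True, True, True, True),
    "user-b": Signals(3, 1, True, True, False, True),   # never promotes
    "user-c": Signals(1, 1, True, True, False, False),  # ordinary VPS customer
}

if __name__ == "__main__":
    print(fuse(PEOPLE))
```

Here user-b is missed by the intersection because one of the four sets is empty for that person, yet scores 77; user-c, with only VPS purchase activity, scores 26 and is not flagged.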
By analyzing the series of activities generated in the process of setting up a VPN, the device analyzes the network traffic characteristics of the websites, tools, templates, apps, mails and the like involved in those activities, and classifies and refines the characteristics to form various rule bases. The rule bases are then matched against the big data (data collision) to obtain the results corresponding to each base, and these results are intersected or ranked by weighted score, thereby identifying suspected VPN service erection personnel and improving the accuracy and speed of their identification.
For convenience of description, the above device is described as being divided into various units by function, which are described separately. Of course, when implementing the present application, the functions of the units may be implemented in one or more pieces of software and/or hardware.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus a necessary general hardware platform. Based on such understanding, the technical solutions of the present application or portions thereof contributing to the prior art may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the apparatuses according to the embodiments or some parts of the embodiments of the present application.
Finally, it should be noted that although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications and equivalents may be made thereto without departing from the spirit and scope of the invention, and any such modifications and equivalents are intended to be covered by the claims of the invention.

Claims (5)

1. A method of identifying a suspected VPN erection personnel, the method comprising:
a first acquisition step of acquiring first person information for accessing, registering and/or purchasing a VPS; collecting various VPS service provider websites inside and outside a country, analyzing the flow characteristics of the registration, login and/or recharging behaviors of the various VPS service provider websites to form a flow characteristic library, and acquiring information of people accessing the VPS based on the flow characteristic library; analyzing the content of the interactive mails of the VPS service provider and the buyer, extracting key words of the mails to form a mail feature library, matching the contents of other mails based on the mail feature library, and obtaining personnel information with registration, purchase and/or recharge behaviors at the VPS service provider; fusing the personnel information for accessing the VPS and the personnel information with registration, purchase and/or recharging behaviors at a VPS service provider to obtain the first personnel information;
a second acquisition step of acquiring second personnel information of the remote access VPN; analyzing network flow of various VPN tools to obtain a VPN server IP list of each APP; for VPN tools whose server list cannot be obtained, obtaining the network flow characteristics of using the VPN, and obtaining the IP of the VPN server from the VPN-use behavior and adding it to the IP list; analyzing a Telnet or SSH remote control protocol to obtain a VPN server IP and personnel using the protocol, and obtaining second personnel information of remote access VPN based on the IP list and the personnel using the VPN server IP and the protocol;
a third acquisition step of acquiring third personnel information for managing and promoting the VPN and fourth personnel information for setting up the VPN service; analyzing network traffic generated by a WHMCS template in a user management process to form a traffic characteristic library for VPN user management, judging whether VPN user management and popularization behaviors exist or not through the traffic characteristic library for user management, and taking user information with the VPN user management and popularization behaviors as third personnel information; analyzing the v2board, sspanel and/or shadowsocks-manager setup tool templates to form a tool feature library corresponding to each tool, judging whether a person with a VPN setting behavior exists or not based on the tool feature library, and taking the information of the person with the VPN setting behavior as fourth person information;
and a fusion step, namely performing fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel.
2. The method according to claim 1, wherein the operation of fusing the first, second, third and fourth person information to obtain the suspected VPN erection personnel is:
obtaining intersection of the information of the first, second, third and fourth personnel, wherein the personnel in the intersection are suspected VPN erection personnel;
or,
and performing weighted calculation according to the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score of each personnel, and taking the personnel with the weighted score exceeding a threshold value as suspected VPN erection personnel.
3. A device for identification of suspected VPN erection personnel, the device comprising:
the first acquisition unit is used for acquiring first personnel information for accessing, registering and/or purchasing the VPS, and comprises the steps of collecting various VPS service provider websites inside and outside the country, analyzing the flow characteristics of the registration, login and/or recharging behaviors of the various VPS service provider websites to form a flow characteristic library, and acquiring the personnel information for accessing the VPS based on the flow characteristic library; analyzing the content of the interactive mail of the VPS service provider and the buyer, extracting the key words of the mail to form a mail feature library, matching the content of other mails based on the mail feature library, and obtaining the personnel information with registration, purchase and/or recharging behaviors at the VPS service provider; fusing the personnel information for accessing the VPS and the personnel information with registration, purchase and/or recharging behaviors at a VPS service provider to obtain the first personnel information;
the second acquisition unit is used for acquiring second personnel information of the remote access VPN, and comprises the steps of analyzing network flow of various VPN tools to acquire a VPN server IP list of each APP; for VPN tools whose server list cannot be acquired, acquiring the network flow characteristics of using the VPN, and acquiring the IP of the VPN server from the VPN-use behavior and adding it to the IP list; analyzing a Telnet or SSH remote control protocol to obtain a VPN server IP and personnel using the protocol, and obtaining second personnel information of remote access VPN based on the IP list and the personnel using the VPN server IP and the protocol;
a third acquiring unit, configured to acquire third person information for managing and promoting the VPN and fourth person information for setting up a VPN service, including analyzing network traffic generated by a WHMCS template in a user management process to form a traffic feature library for VPN user management, determining whether a VPN user management and promotion behavior exists through the traffic feature library for user management, and using the user information with the VPN user management and promotion behavior as the third person information; analyzing the v2board, sspanel and/or shadowsocks-manager setup tool templates to form a tool feature library corresponding to each tool, judging whether a person with VPN erection behavior exists or not based on the tool feature library, and taking the person information with VPN erection behavior as fourth person information;
and the fusion unit is used for carrying out fusion processing on the first, second, third and fourth personnel information to obtain suspected VPN erection personnel.
4. The apparatus according to claim 3, wherein the operation of fusing the first, second, third and fourth personnel information to obtain the suspected VPN erection personnel is:
obtaining intersection of the first, second, third and fourth personnel information, wherein the personnel in the intersection are suspected VPN erection personnel;
or,
and performing weighted calculation according to the personnel behaviors in the first, second, third and fourth personnel information to obtain a weighted score of each personnel, and taking the personnel with the weighted score exceeding a threshold value as suspected VPN erection personnel.
5. A computer-readable storage medium, characterized in that the storage medium has stored thereon computer program code which, when executed by a computer, performs the method of any of claims 1-2.
CN202011520795.0A 2020-12-21 2020-12-21 Suspected VPN erection personnel identification method and device and storage medium Active CN112671755B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011520795.0A CN112671755B (en) 2020-12-21 2020-12-21 Suspected VPN erection personnel identification method and device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011520795.0A CN112671755B (en) 2020-12-21 2020-12-21 Suspected VPN erection personnel identification method and device and storage medium

Publications (2)

Publication Number Publication Date
CN112671755A (en) 2021-04-16
CN112671755B (en) 2022-07-15

Family

ID=75407045

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011520795.0A Active CN112671755B (en) 2020-12-21 2020-12-21 Suspected VPN erection personnel identification method and device and storage medium

Country Status (1)

Country Link
CN (1) CN112671755B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant