CN113727350A - Malicious website processing method and device, computer equipment and storage medium - Google Patents

Publication number
CN113727350A
Authority
CN
China
Prior art keywords
information
user
malicious website
service area
cell information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111131450.0A
Other languages
Chinese (zh)
Inventor
陈国喜
田野
蔡琳
梁彧
傅强
王杰
杨满智
金红
陈晓光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Hengan Jiaxin Safety Technology Co ltd
Eversec Beijing Technology Co Ltd
Original Assignee
Beijing Hengan Jiaxin Safety Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Hengan Jiaxin Safety Technology Co ltd filed Critical Beijing Hengan Jiaxin Safety Technology Co ltd
Priority to CN202111131450.0A priority Critical patent/CN113727350A/en
Publication of CN113727350A publication Critical patent/CN113727350A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02 Services making use of location information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention discloses a malicious website processing method and device, computer equipment and a storage medium. The method comprises the following steps: if a malicious website is detected in user plane traffic, acquiring bearer information of the user from the user plane traffic; determining the cell information corresponding to the bearer information; determining the service area corresponding to the cell information; and processing the malicious website according to the service area. With the technical scheme of the embodiment of the invention, malicious websites can be processed in real time based on the user's location information, the low-latency and high-concurrency problems of acquiring user location information in ultra-high-traffic mobile communication scenarios are solved, and the efficiency of malicious website processing is improved.

Description

Malicious website processing method and device, computer equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of 4G/5G communication network security, in particular to a malicious website processing method and device, computer equipment and a storage medium.
Background
At present, the continuous growth of 4G and 5G mobile networks has brought great convenience to people's online life, but the growth in network usage has also created more problems for network security management, such as intercepting malicious websites and showing pop-up warnings for them. With the development of computer network technology, malicious websites can be processed in the mobile core network, given correct processing requirements and accurate positioning of the user's location.
However, in the prior art, given the complexity of operators' core network structures and the construction of hardware facilities, processing different malicious websites in real time according to the user's location (such as a city, a business district, or a cell) while that location keeps changing is a difficult research problem. Some studies have proposed methods for processing malicious websites based on user location. But if location queries are served by a Home Subscriber Server (HSS), core network devices cannot deliver microsecond-level query responses, let alone sustain tens of millions of concurrent queries; an operator's billing server cannot bear several million queries per second; and the response delay of remote queries cannot meet the requirements of real-time detection. These methods therefore need the detection device itself to have location learning and accumulation capabilities in order to achieve real-time processing under the dual requirements of frequency and delay. As a result, the processing speed for malicious websites is greatly reduced.
Disclosure of Invention
The embodiment of the invention provides a malicious website processing method and device, computer equipment and a storage medium, which can be used for rapidly and accurately processing a malicious website in real time.
In a first aspect, an embodiment of the present invention provides a malicious website processing method, including:
if a malicious website is detected in user plane traffic, acquiring bearer information of the user from the user plane traffic;
determining the cell information corresponding to the bearer information;
determining the service area corresponding to the cell information;
and processing the malicious website according to the service area.
In a second aspect, an embodiment of the present invention further provides a malicious website processing apparatus, where the apparatus includes:
a bearer information acquisition module, configured to acquire bearer information of a user from user plane traffic if a malicious website is detected in the user plane traffic;
a cell information determining module, configured to determine cell information corresponding to the bearer information;
a service area determining module, configured to determine a service area corresponding to the cell information;
and a malicious website processing module, configured to process the malicious website according to the service area.
In a third aspect, an embodiment of the present invention further provides a computer device, where the computer device includes:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the malicious website processing method according to any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the malicious website processing method according to any embodiment of the present invention.
According to the technical scheme of the embodiment of the invention, the cell information corresponding to the user's bearer information is determined, the service area corresponding to that cell information is then determined, and the malicious website is processed according to the service area. Malicious websites can thus be processed in real time based on the user's location information, the low-latency and high-concurrency problems of acquiring user location information in ultra-high-traffic mobile communication scenarios are solved, and the efficiency of malicious website processing is improved.
Drawings
Fig. 1 is a flowchart of a malicious website processing method according to an embodiment of the present invention;
Fig. 2a is a flowchart of a malicious website processing method according to an embodiment of the present invention;
Fig. 2b is a schematic diagram of a malicious website processing flow according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a malicious website processing apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
At present, the continuous growth of 4G and 5G mobile networks has brought great convenience to people's online life, but the growth in network usage has also created more problems for network security management, such as intercepting malicious websites and showing pop-up warnings for them. The ability to process malicious websites in the mobile core network is therefore increasingly important.
However, operators' core network structures are becoming more and more complex: one machine room often covers several or even more than ten cities, and different cities have different requirements for processing malicious websites. In ultra-high-traffic mobile communication scenarios, acquiring the user location information that serves as the basis for handling malicious websites runs into low-latency and high-concurrency problems.
In the prior art, data is typically collected and analyzed separately over dedicated physical links, and location queries are served by the HSS server. However, separate collection and analysis over dedicated physical links is very expensive to build, is limited by the networking schemes of operators in the various provinces, cannot adjust services dynamically, and cannot support networking accurate to the business-district level. When the HSS server is used for location queries, core network devices cannot deliver microsecond-level query responses, let alone sustain tens of millions of concurrent queries; and if a local cache that periodically synchronizes location information from the HSS server is relied on instead, the accuracy and timeliness of the location cannot be guaranteed when users move frequently.
Therefore, to avoid building duplicate hardware facilities, users must be differentiated by location at the software level; that is, the malicious website processing service must be customized according to the user's location (such as a city, a business district, or a cell) even while that location keeps changing. The embodiment of the present invention therefore provides a malicious website processing method to solve the above problems.
Fig. 1 is a flowchart of a malicious website processing method according to an embodiment of the present invention, where the method is applicable to a case where a malicious website is processed in real time based on location information of a user, and the method may be executed by a malicious website processing apparatus, and the apparatus may be implemented in a hardware and/or software manner, and may be generally integrated in a computer device, such as a terminal or a server.
As shown in fig. 1, a malicious website processing method provided by the embodiment of the present invention includes the following specific steps:
S110: If a malicious website is detected in user plane traffic, acquire bearer information of the user from the user plane traffic.
A malicious website may refer to an illegal website that deliberately carries out malicious tasks on the user side by means of viruses, worms or trojans. A user who accesses a malicious website is exposed to security risks; for example, a user who accesses a malicious website from a mobile phone may suffer privacy theft, malicious deduction of phone charges, malicious consumption of data traffic, and the like. The user plane traffic may include N3 interface traffic between the (Radio) Access Network ((R)AN) and the User Plane Function (UPF). The bearer information of the user may refer to the user address information contained in the user plane traffic.
In an optional implementation of the embodiment of the present invention, a malicious website may be detected by comparing the website addresses in the user plane traffic with a preset malicious website library, which stores the website addresses or domain names of malicious websites. When a website address in the user plane traffic is the same as a website address or domain name in the library, a malicious website is considered to be present in the user plane traffic. The bearer information containing the user address information can then be acquired from the user plane traffic in which the malicious website was found.
S120: Determine the cell information corresponding to the bearer information.
A base station is a form of radio station; a mobile user accesses the internet through the base station and the mobile core network. A cell may refer to the area covered by part of a base station's sector antennas, within which a mobile device can communicate reliably with the base station over a wireless channel. The cell information may include cell location information, i.e., latitude and longitude data.
In an optional implementation manner of the embodiment of the present invention, a corresponding relationship between bearer information including user address information and cell information including cell location information may be pre-established, and then, the cell information corresponding to the bearer information may be determined according to the bearer information of the user and the corresponding relationship.
Determining the cell information from the user's bearer information and this correspondence lets the cell information be accumulated autonomously and reduces the delay of acquiring it: the delay can be kept within 1 second while the user keeps moving, and within 50 microseconds for a user who is not registering on the network for the first time, which satisfies the processing delay required for malicious websites.
S130: Determine the service area corresponding to the cell information.
The service area may refer to an area in which particular malicious websites need to be processed. In an optional implementation of the embodiment of the present invention, service areas may be divided into different service groups. For example, an administrative area needs to process malicious websites that leak government information, while a school area needs to process malicious websites that lead students to download games. Because the two areas need to process different malicious websites, the service areas may be divided into an administrative area and a school area.
In another optional embodiment, a corresponding relationship between the cell information and the service area may be pre-established, and then the service area corresponding to the cell information may be determined according to the cell information and the corresponding relationship.
On the basis of the foregoing embodiment, the method provided in the embodiment of the present invention may further include: acquiring the latest cell information work parameter table from an operator server; and dividing the cell information into different service groups by service area, according to the cell location information in the cell information work parameter table. Specifically, the latest cell information work parameter table can be obtained directly from the operator server, and the cell information is then divided into different service groups, following the division of the service areas, according to the correspondence between the cell location information in the table and the service areas.
Determining the service area from the cell information and this correspondence makes the service area accurate down to the cell, and the cell information is grouped and labeled by area according to the division of the service areas, which improves the accuracy of the malicious website processing method.
S140: Process the malicious website according to the service area.
Specifically, different malicious websites can be processed according to the service areas of different service groups. For example, an administrative area may take malicious websites that leak government information as its processing content, and a school area may take malicious websites that lead students to download games as its processing content. Processing different malicious websites in different service areas better meets users' needs. The processing methods may include interception, redirection, pop-up windows and the like. Interception blocks the malicious website directly so that it never reaches the client. Redirection sends the request for a malicious website to a new, non-malicious website, which may be a network security publicity website run by the police, helping the user learn about network security. A pop-up window is a warning box that reports the detection of a malicious website; for example, when a malicious website is detected, a pop-up may appear in the lower right corner of the user interface to warn the user.
According to the technical scheme of the embodiment of the invention, the cell information corresponding to the user's bearer information is determined, the service area corresponding to that cell information is then determined, and the malicious website is processed according to the service area. Malicious websites can thus be processed in real time based on the user's location information, the low-latency and high-concurrency problems of acquiring user location information in ultra-high-traffic mobile communication scenarios are solved, and the efficiency of malicious website processing is improved.
Fig. 2a is a flowchart of a malicious website processing method according to an embodiment of the present invention, and Fig. 2b is a schematic diagram of a malicious website processing flow according to an embodiment of the present invention. In this embodiment, optionally, the method may further include: acquiring the signaling traffic of the full set of users, and parsing the signaling traffic of each user to obtain the cell information and bearer information carried in it; and establishing a correspondence between the cell information and the bearer information based on the cell information and bearer information carried in the signaling traffic, and updating the correspondence in real time.
Optionally, the method may further include: acquiring the signaling traffic and user plane traffic of the full set of users, and parsing the signaling traffic and user plane traffic of each user to obtain the cell information carried by the signaling traffic and the Global Positioning System (GPS) information carried by the user plane traffic; determining the GPS information covered by each cell based on the cell information and the GPS information; and grouping the cell information by service area according to the GPS information covered by the cell and the GPS information covered by the service area, and establishing a correspondence between the cell information and the service area based on the service grouping.
Optionally, processing the malicious website according to the service area includes: if the service area is a target service area and the malicious website is a set website, processing the malicious website accordingly.
Optionally, processing the malicious website according to the service area includes: if the service area is an administrative area, intercepting the malicious website; and if the service area is a school area, applying redirection or pop-up processing to the malicious website.
Optionally, the bearer information includes the user Internet Protocol (IP) address, or the user IP together with a tunnel identifier. If user IP addresses are not duplicated within the traffic coverage, the user IP is used to associate the signaling traffic with the user plane traffic; if user IP addresses are duplicated within the traffic coverage, the user IP and the tunnel identifier are used to associate the signaling traffic with the user plane traffic.
As shown in fig. 2a, a malicious website processing method provided by the embodiment of the present invention includes the following specific steps:
S210: Acquire the signaling traffic of the full set of users, and parse the signaling traffic of each user to obtain the cell information and bearer information carried in it; establish a correspondence between the cell information and the bearer information based on the cell information and bearer information carried in the signaling traffic, and update the correspondence in real time.
Here, the full set of users may refer to all users within the network range of a certain base station. Signaling traffic may include N1 interface traffic between the User Equipment (UE) and the Access and Mobility Management Function (AMF), N2 interface traffic between the AMF and the (R)AN, and N11 interface traffic between the AMF and the Session Management Function (SMF). The cell information may refer to cell location information. Specifically, the association between the user plane traffic and the signaling traffic may be established through the user's bearer information, so that the relationship between the bearer information and the cell information can be obtained.
For example, a real-time in-memory database of cell information for the full set of users can be established to store the relevant information from user signaling traffic. Because the full set of users is all users within the network range of a certain base station, and the same user does not communicate with several base stations in the same area, one data record is created in the database for each user, holding the cell information and bearer information carried in that user's signaling traffic. When a malicious website is found in user plane traffic, the cell information corresponding to the user's bearer information can be looked up in the database, which avoids the computational burden of parsing the user's signaling traffic again each time the user re-enters the coverage of the same cell information.
In an alternative embodiment, if user IP addresses are duplicated within the traffic coverage, the user IP and tunnel identifier are used to associate the signaling traffic with the user plane traffic. Illustratively, the bearer information may be obtained by parsing the IP and TEID of the S1-U SGW GTP-U interface. The format of the part of the message that carries the bearer information may be as follows:
[Figure: message format table (image not reproduced)]
Illustratively, the cell information may be obtained by parsing the Tracking Area Identity (TAI) and E-UTRAN Cell Identifier (ECI) in the User Location Info (ULI). The format of the part of the message that carries the cell information may be as follows:
[Figure: message format table (image not reproduced)]
In another alternative embodiment, if user IP addresses are not duplicated within the traffic coverage, the user IP is used to associate the signaling traffic with the user plane traffic. The format of the part of the message (Create Session message) that carries the user IP information may be as follows:
[Figure: message format table (image not reproduced)]
S220: Acquire the signaling traffic and user plane traffic of the full set of users, and parse the signaling traffic and user plane traffic of each user to obtain the cell information carried by the signaling traffic and the Global Positioning System (GPS) information carried by the user plane traffic; determine the GPS information covered by each cell based on the cell information and the GPS information; group the cell information by service area according to the GPS information covered by the cell and the GPS information covered by the service area, and establish a correspondence between the cell information and the service area based on the service grouping.
The GPS information covered by a service area may be predetermined from the geographical location of the service area. Specifically, the user plane traffic and the signaling traffic can be associated through the user's bearer information, which yields the relationship between the cell information carried by the signaling traffic and the GPS information carried by the user plane traffic, and hence the GPS information covered by each cell. The cells whose covered GPS information is the same as the GPS information covered by a service area are then selected, so that the cell information is grouped by service area. In this way the GPS information covered by each cell is accumulated by self-learning, malicious websites within the range of the cell information can be managed by group, and the execution speed of the method is improved.
It should be noted that once the GPS information covered by each cell has been accumulated, it may be stored in a database; when it is needed again, it can be queried directly from the database rather than accumulated again, which avoids wasting resources.
It can be understood that the technical solution of the embodiment of the present invention does not limit the execution order of step 210 and step 220: step 210 may be executed before step 220, or step 220 may be executed before step 210.
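The self-learning grouping of S220, sketched in Python as an added example (not code from the patent). It assumes service areas are given as latitude/longitude bounding boxes and that a cell is assigned to an area once enough of its GPS samples fall inside that area; `SERVICE_AREAS`, `CellAreaLearner`, the thresholds and all coordinates are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed service areas: (lat_min, lat_max, lon_min, lon_max).
# Assumption: the page only says an area's GPS coverage is predetermined.
SERVICE_AREAS = {
    "administrative": (39.900, 39.910, 116.390, 116.400),
    "school": (39.950, 39.960, 116.300, 116.310),
}


def area_at(lat, lon):
    """Return the service area containing the point, or None."""
    for name, (lat_lo, lat_hi, lon_lo, lon_hi) in SERVICE_AREAS.items():
        if lat_lo <= lat <= lat_hi and lon_lo <= lon <= lon_hi:
            return name
    return None


class CellAreaLearner:
    """Joins signaling (bearer -> cell) with user plane GPS (bearer -> point)."""

    def __init__(self, min_samples=3, min_share=0.6):
        self.min_samples = min_samples  # assumed threshold
        self.min_share = min_share      # assumed threshold
        self._cell_of = {}                   # bearer -> current cell
        self._hits = defaultdict(Counter)    # cell -> {area or None: count}

    def on_signaling(self, bearer, cell):
        # Updated in real time, so a moving user is attributed to the new cell.
        self._cell_of[bearer] = cell

    def on_gps(self, bearer, lat, lon):
        """Attribute one GPS fix to the bearer's current cell.

        Returns False when the fix cannot be used: unknown bearer (no
        signaling seen yet) or coordinates outside the valid range.
        """
        cell = self._cell_of.get(bearer)
        if cell is None or not (-90 <= lat <= 90 and -180 <= lon <= 180):
            return False
        self._hits[cell][area_at(lat, lon)] += 1
        return True

    def groups(self):
        """Return {cell: service area} for cells with enough evidence."""
        out = {}
        for cell, hits in self._hits.items():
            total = sum(hits.values())
            area, n = max(
                ((a, c) for a, c in hits.items() if a is not None),
                key=lambda item: item[1],
                default=(None, 0),
            )
            if total >= self.min_samples and n / total >= self.min_share:
                out[cell] = area
        return out
```

A cell whose samples are split between an area and open ground stays ungrouped until the share threshold is met, so a cell on the edge of an area is not assigned on thin evidence.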
S230: If a malicious website is detected in user plane traffic, acquire bearer information of the user from the user plane traffic.
The bearer information includes a user Internet Protocol (IP) or a user IP and a Tunnel Identifier (TEID).
In an optional embodiment, the bearer information of the user may be obtained by parsing the user plane traffic, and the format of the part of the user plane message that carries the bearer information may be as follows:
[Figure: message format table (image not reproduced)]
S240: Determine the cell information corresponding to the bearer information according to the correspondence between the cell information and the bearer information.
Specifically, the correspondence between the cell information and the bearer information can be established from the cell information and bearer information carried in the signaling traffic, so that the cell information corresponding to user plane traffic can be obtained from the bearer information of that traffic. The user's cell information is thus obtained quickly, which improves the processing speed of the malicious website processing method.
S250: Determine the service area corresponding to the cell information according to the correspondence between the cell information and the service area.
Specifically, after the user plane traffic and the signaling traffic are associated through the bearer information, the cell information corresponding to the bearer information is obtained, and the service area corresponding to the cell information can then be obtained from the correspondence between the cell information and the service area.
S260: Process the malicious website according to the service area.
In an optional implementation manner, if the service area is a target service area and the malicious website is a set website, the malicious website is correspondingly processed. The target service area may refer to a service area grouped according to a division basis; the set website may refer to a malicious website corresponding to the processing content of the target service area. Specifically, if the service area is a service area grouped according to the division basis and the malicious website is a malicious website corresponding to the processing content of the target service area, the malicious website is correspondingly processed according to the grouping of the service area.
In another alternative embodiment, if the service areas are divided into an administrative area and a school area, a different processing method may be applied to each service area according to its importance level. For example, an administrative area holds mostly confidential data, and the impact of a malicious website on that data is more serious than in a school area, so applying different processing methods according to the importance level of each service area reduces unnecessary waste of resources. Specifically, processing the malicious website according to the service area includes: if the service area is an administrative area, intercepting the malicious website; and if the service area is a school area, applying redirection or pop-up processing to the malicious website. Here the malicious website may refer to a malicious website corresponding to the processing content of the service area: for example, a malicious website that leaks government information corresponds to the processing content of the administrative area, and a malicious website that leads students to download games corresponds to the processing content of the school area.
According to the technical scheme of the embodiment of the invention, the cell information corresponding to the user's bearer information is determined, the service area corresponding to that cell information is then determined, and the malicious website is processed according to the service group of the service area. Malicious websites that are set websites can thus be processed in real time based on the user's location information, the low-latency and high-concurrency problems of acquiring user location information in ultra-high-traffic mobile communication scenarios are solved, and the efficiency of malicious website processing is improved.
Fig. 3 is a schematic structural diagram of a malicious website processing apparatus according to an embodiment of the present invention, which is capable of executing the malicious website processing methods in the embodiments. The device may be implemented in a software and/or hardware manner, and as shown in fig. 3, the malicious website processing device specifically includes: a bearer information obtaining module 310, a cell information determining module 320, a service area determining module 330, and a malicious website processing module 340.
The bearer information acquiring module 310 is configured to, if a malicious website is detected in a user plane traffic, acquire bearer information of a user from the user plane traffic;
a cell information determining module 320, configured to determine cell information corresponding to the bearer information;
a service area determining module 330, configured to determine a service area corresponding to the cell information;
and the malicious website processing module 340 is configured to process the malicious website according to the service area.
According to the technical scheme of this embodiment of the invention, the cell information corresponding to the user's bearer information is determined, the service area corresponding to the cell information is then determined, and the malicious website is processed according to the service area. The malicious website can thus be processed in real time based on the user's position information, the problems of low latency and high concurrency in acquiring the user's position information in an ultra-high-traffic mobile communication scenario are solved, and the processing efficiency for malicious websites is improved.
Optionally, the malicious website processing apparatus may further include a first correspondence establishing module, configured to acquire the signaling traffic of all users and analyze the signaling traffic of each user to obtain the cell information and bearer information carried in the signaling traffic; and to establish a correspondence between the cell information and the bearer information based on the cell information and bearer information carried in the signaling traffic, and update the correspondence in real time.
Optionally, the malicious website processing apparatus may further include a second correspondence establishing module, configured to acquire the signaling traffic and user plane traffic of all users and analyze the signaling traffic and user plane traffic of each user to obtain the cell information carried in the signaling traffic and the Global Positioning System (GPS) information carried in the user plane traffic; to determine the GPS information covered by each cell based on the cell information and the GPS information; and to group the cell information into service groups by service area according to the GPS information covered by each cell and the GPS information covered by each service area, and establish a correspondence between the cell information and the service area based on the service grouping.
Optionally, the malicious website processing module 340 may be specifically configured to, if the service area is a target service area and the malicious website is a set website, perform corresponding processing on the malicious website.
Optionally, the malicious website processing module 340 may be specifically configured to intercept the malicious website if the service area is an administrative area; and if the service area is a school area, carrying out redirection or popup processing on the malicious website.
Optionally, the malicious website processing apparatus may further include a cell information grouping module, configured to obtain the latest cell information work parameter table from an operator server, and to divide the cell information into different service groups by service area according to the cell location information in the cell information work parameter table.
Optionally, the bearer information includes a user Internet Protocol (IP) address, or a user IP and a tunnel identifier. If user IP addresses within the traffic coverage range are not repeated, the user IP is used to associate the signaling traffic with the user plane traffic; if user IP addresses within the traffic coverage range are repeated, the user IP and the tunnel identifier together are used to associate the signaling traffic with the user plane traffic.
The malicious website processing device provided by the embodiment of the invention can execute the malicious website processing method provided by any embodiment of the invention, and has the corresponding functional module and beneficial effect of the execution method.
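The following Python sketch is an added illustration of how the modules described above fit together; it is not code from the patent. The class and function names, the bounding-box service areas, the website category labels, the majority-vote rule for assigning a cell to an area, and the "no_action" fallback are all assumptions made for the example, and the events are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed service areas as (min_lat, min_lon, max_lat, max_lon) boxes.
AREAS = {
    "administrative": (39.90, 116.38, 39.92, 116.41),
    "school": (39.98, 116.30, 40.00, 116.33),
}
# Per-area policy: the "set website" categories and the action applied to them.
POLICY = {
    "administrative": ({"data_leak"}, "intercept"),
    "school": ({"game_download"}, "redirect"),
}

def area_of(lat, lon):
    """Return the service area whose box contains the GPS fix, or None."""
    for name, (lat0, lon0, lat1, lon1) in AREAS.items():
        if lat0 <= lat <= lat1 and lon0 <= lon <= lon1:
            return name
    return None

@dataclass
class Correlator:
    ip_reused: bool  # True when user IPs repeat within the traffic coverage
    bearer_to_cell: dict = field(default_factory=dict)
    cell_fixes: dict = field(default_factory=dict)

    def _key(self, ip, teid):
        # User IP alone when unique; user IP plus tunnel identifier otherwise.
        return (ip, teid) if self.ip_reused else (ip, None)

    def on_signaling(self, ip, teid, cell_id):
        # Overwrite on every event so a handover updates the mapping at once.
        self.bearer_to_cell[self._key(ip, teid)] = cell_id

    def on_gps(self, ip, teid, lat, lon):
        # Attribute a GPS fix seen in user plane traffic to the user's cell.
        cell = self.bearer_to_cell.get(self._key(ip, teid))
        if cell is not None:
            self.cell_fixes.setdefault(cell, []).append((lat, lon))

    def cell_area(self, cell_id):
        # Assumption: a cell joins the area that contains most of its fixes.
        votes = Counter(area_of(*fix) for fix in self.cell_fixes.get(cell_id, []))
        votes.pop(None, None)
        return votes.most_common(1)[0][0] if votes else None

    def decide(self, ip, teid, category):
        cell = self.bearer_to_cell.get(self._key(ip, teid))
        area = self.cell_area(cell)
        if area is None:
            return "no_action"  # assumption: unmapped traffic is left alone
        categories, action = POLICY[area]
        return action if category in categories else "no_action"

def build(ip_reused):
    """Feed constructed events: two users share 10.0.0.5 on different tunnels."""
    c = Correlator(ip_reused)
    c.on_signaling("10.0.0.5", 0x1001, "cell-A")
    c.on_signaling("10.0.0.5", 0x2002, "cell-B")
    c.on_gps("10.0.0.5", 0x1001, 39.910, 116.400)
    c.on_gps("10.0.0.5", 0x2002, 39.990, 116.310)
    return c

if __name__ == "__main__":
    c = build(ip_reused=True)
    print(c.decide("10.0.0.5", 0x1001, "data_leak"))
    print(c.decide("10.0.0.5", 0x2002, "game_download"))
    print(len(build(ip_reused=False).bearer_to_cell))
```

Keying on the user IP alone while addresses repeat collapses both users onto one cell, so GPS fixes from two different areas are attributed to the same cell; this is the failure the tunnel identifier is there to prevent.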
Fig. 4 is a schematic structural diagram of a computer apparatus according to an embodiment of the present invention, as shown in fig. 4, the computer apparatus includes a processor 410, a memory 420, an input device 430, and an output device 440; the number of the processors 410 in the computer device may be one or more, and one processor 410 is taken as an example in fig. 4; the processor 410, the memory 420, the input device 430 and the output device 440 in the computer apparatus may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 4.
The memory 420 serves as a computer-readable storage medium, and may be used to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the malicious web address processing method in the embodiment of the present invention (for example, the bearer information acquiring module 310, the cell information determining module 320, the service area determining module 330, and the malicious web address processing module 340 in the malicious web address processing apparatus). The processor 410 executes various functional applications and data processing of the computer device by executing the software programs, instructions and modules stored in the memory 420, so as to implement the malicious website processing method described above.
The memory 420 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 420 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, memory 420 may further include memory located remotely from processor 410, which may be connected to a computer device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 430 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the computer apparatus. The output device 440 may include a display device such as a display screen.
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions are executed by a computer processor to perform a malicious website processing method, where the method includes:
if a malicious website is detected in the user plane traffic, acquiring the bearer information of a user from the user plane traffic;
determining cell information corresponding to the bearer information;
determining a service area corresponding to the cell information;
and processing the malicious website according to the service area.
Of course, the storage medium containing the computer-executable instructions provided by the embodiments of the present invention is not limited to the above-described method operations, and may also perform related operations in the malicious website processing method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the malicious website processing apparatus, each included unit and module are only divided according to functional logic, but are not limited to the above division, as long as corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A malicious website processing method is characterized by comprising the following steps:
if a malicious website is detected in the user plane traffic, acquiring the bearer information of a user from the user plane traffic;
determining cell information corresponding to the bearer information;
determining a service area corresponding to the cell information;
and processing the malicious website according to the service area.
2. The method of claim 1, further comprising:
acquiring signaling traffic of all users, and analyzing the signaling traffic of each user respectively to obtain cell information and bearer information carried in the signaling traffic;
and establishing a correspondence between the cell information and the bearer information based on the cell information and the bearer information carried in the signaling traffic, and updating the correspondence in real time.
3. The method of claim 1, further comprising:
acquiring signaling traffic and user plane traffic of all users, and analyzing the signaling traffic and the user plane traffic of each user respectively to obtain cell information carried by the signaling traffic and Global Positioning System (GPS) information carried by the user plane traffic;
determining GPS information covered by each cell based on each cell information and the GPS information;
and grouping the cell information into service groups by service area according to the GPS information covered by the cell and the GPS information covered by the service area, and establishing a correspondence between the cell information and the service area based on the service grouping.
4. The method of claim 1, wherein processing the malicious website according to the service area comprises:
and if the service area is a target service area and the malicious website is a set website, correspondingly processing the malicious website.
5. The method of claim 1, wherein processing the malicious website according to the service area comprises:
if the service area is an administrative area, intercepting the malicious website;
and if the service area is a school area, carrying out redirection or popup processing on the malicious website.
6. The method of claim 1, further comprising:
acquiring a latest cell information work parameter table from an operator server;
and dividing the cell information into different service groups by service area according to the cell location information in the cell information work parameter table.
7. The method of claim 2, wherein the bearer information comprises a user Internet Protocol (IP) address, or a user IP and a tunnel identifier;
if the user IP addresses within the traffic coverage range are not repeated, the user IP is used for associating the signaling traffic with the user plane traffic;
and if the user IP addresses within the traffic coverage range are repeated, the user IP and the tunnel identifier are used for associating the signaling traffic with the user plane traffic.
8. A malicious website processing apparatus, comprising:
a bearer information acquiring module, configured to acquire bearer information of a user from user plane traffic if a malicious website is detected in the user plane traffic;
a cell information determining module, configured to determine cell information corresponding to the bearer information;
a service area determining module, configured to determine a service area corresponding to the cell information;
and the malicious website processing module is used for processing the malicious website according to the service area.
9. A computer device, characterized in that the computer device comprises:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the malicious website processing method according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the malicious web address processing method according to any one of claims 1 to 7.
CN202111131450.0A 2021-09-26 2021-09-26 Malicious website processing method and device, computer equipment and storage medium Pending CN113727350A (en)

Publications (1)

Publication Number Publication Date
CN113727350A true CN113727350A (en) 2021-11-30

Family

ID=78684980

Country Status (1)

Country Link
CN (1) CN113727350A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004070509A2 (en) * 2001-08-14 2004-08-19 Riverhead Networks Inc. Detecting and protecting against worm traffic on a network
CN1602470A (en) * 2001-12-10 2005-03-30 思科技术公司 Protecting against malicious traffic
CN101617516A (en) * 2006-12-28 2009-12-30 意大利电信股份公司 Control client and have the method and apparatus of the application message between the server of private network address
CN104301180A (en) * 2014-10-16 2015-01-21 杭州华三通信技术有限公司 Service message processing method and device
CN107592322A (en) * 2017-11-01 2018-01-16 北京知道创宇信息技术有限公司 Network address hold-up interception method and device
CN109274691A (en) * 2018-11-09 2019-01-25 南京医渡云医学技术有限公司 Business data safety implementation method, device and medium
US20190288984A1 (en) * 2018-03-13 2019-09-19 Charter Communications Operating, Llc Distributed denial-of-service prevention using floating internet protocol gateway
CN110381089A (en) * 2019-08-23 2019-10-25 南京邮电大学 Means of defence is detected to malice domain name based on deep learning
CN111294365A (en) * 2020-05-12 2020-06-16 腾讯科技(深圳)有限公司 Attack flow protection system, method and device, electronic equipment and storage medium
CN111800412A (en) * 2020-07-01 2020-10-20 中国移动通信集团有限公司 Advanced sustainable threat tracing method, system, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination