CN114205820B - Suspicious user detection method, suspicious user detection device and suspicious user detection computer equipment carrying pseudo base station - Google Patents
Suspicious user detection method, suspicious user detection device and suspicious user detection computer equipment carrying pseudo base station Download PDFInfo
- Publication number
- CN114205820B CN114205820B CN202010896623.7A CN202010896623A CN114205820B CN 114205820 B CN114205820 B CN 114205820B CN 202010896623 A CN202010896623 A CN 202010896623A CN 114205820 B CN114205820 B CN 114205820B
- Authority
- CN
- China
- Prior art keywords
- user
- target
- cell
- users
- target user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
- H04W4/025—Services making use of location information using location based information parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
- H04W4/029—Location-based management or tracking services
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Alarm Systems (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The embodiment of the invention relates to the technical field of communication, and discloses a suspicious user detection method carrying a pseudo base station, which comprises the following steps: acquiring signaling data; counting the users to be screened, of which the number of times of updating abnormal positions in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position updating information, and taking the users to be screened as target users; sorting the target users according to the updating times of the abnormal positions, and obtaining a first preset number of target users before sorting to form a target user list; acquiring a track of a target user in a preset period; screening out resident cells with residence time longer than preset time of a target user as target cells; acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating being greater than a second preset number as a suspected cell; and determining the target user which resides in the suspected cell in the target user list as the suspicious user according to the track. Through the mode, the embodiment of the invention realizes the accurate detection of the mobile base station.
Description
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a suspicious user detection method, a suspicious user detection device and computer equipment with a pseudo base station.
Background
The pseudo base station is illegal radio communication equipment utilizing the defect of one-way authentication of GSM, can temporarily pinch off the contact between a mobile phone and an operator base station, and sends junk information to the mobile phone instead, and can steal telephone number information of a user more feared. In the prior art, the detection of the pseudo base station depends on a terminal or a newly added detection module, and the terminal side needs to add a new function for preventing the pseudo base station from being accessed, and as a large number of released terminals have no new function for preventing the pseudo base station from being accessed, the pseudo base station cannot be identified, so that the pseudo base station can still be accessed; when the detection module is used for detecting the pseudo base station, when the area of the pseudo base station is confirmed and a tool for detecting the pseudo base station is used, tracking and positioning are difficult to realize due to mobility of the pseudo base station, so that the purpose is poor and the accuracy is low when the pseudo base station is detected, and the method is not suitable for comprehensively detecting the pseudo base station in actual operation and maintenance.
Disclosure of Invention
In view of the above problems, an embodiment of the present invention provides a method for detecting suspicious users carrying pseudo base stations, which is used to solve the problem in the prior art that the detection accuracy of pseudo base stations is low.
According to an aspect of an embodiment of the present invention, there is provided a method for detecting suspicious users carrying a pseudo base station, the method including:
acquiring signaling data, wherein the signaling data comprises abnormal position updating information of a user to be screened;
counting the users to be screened, of which the number of times of updating abnormal positions in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position updating information, and taking the users to be screened as target users;
sorting the target users according to the updating times of the abnormal positions, obtaining a first preset number of target users before sorting, and forming a target user list;
acquiring a track of the target user in the target user list in the preset period according to the abnormal position updating information of the target user, wherein the track comprises residence cell information of the target user in the preset period;
based on the track, selecting a resident cell with the resident time length longer than a preset time length of the target user from the resident cells as a target cell;
acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating being larger than a second preset number as a suspected cell;
and according to the track, determining the target user which resides in the suspected cell in the target user list as a suspicious user.
In an alternative way, acquiring signaling data includes: and acquiring signaling data from the A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
In an optional manner, counting, as the target user, users to be screened whose number of abnormal position update times occurring in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position update information, including:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from updating information of the signaling of the A port;
counting the updating times of abnormal positions of the users to be screened in the same resident cell;
and determining the user to be screened with the abnormal position update times larger than a preset threshold as a target user.
In an optional manner, according to the track, determining the target user residing in the suspected cell in the target user list as a suspected user includes:
determining target users in the suspicious user list and with trajectories covering suspicious cells;
the target user in the suspicious user list and with the track covering the suspicious cell is determined to be the suspicious user.
In an alternative way, after determining the target user in the target user list and the track covers the suspected cell, the method further comprises the steps of:
determining whether the target user carries an engineering machine;
and when the target user is in the target user list, the track covers the suspected cell and carries the engineering machine, determining the target user as the suspected user.
According to another aspect of the embodiment of the present invention, there is provided a suspicious user detection apparatus carrying a pseudo base station, including:
the data acquisition module is used for acquiring signaling data, wherein the signaling data comprises abnormal position updating information of at least one user to be screened;
the first screening module is used for counting the users to be screened, of which the number of times of updating abnormal positions in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position updating information, and taking the users to be screened as target users;
the second screening module is used for sorting the target users according to the updating times of the abnormal positions, obtaining a first preset number of target users before sorting, and forming a target user list;
the track determining module is used for acquiring a track of the target user in the preset time period in the target user list according to the abnormal position updating information of the target user, wherein the track comprises resident cell information of the target user in the preset time period;
the target cell determining module is used for screening out resident cells with the residence time longer than the preset duration of the target user from the resident cells based on the track, and taking the resident cells as target cells;
the suspected cell determining module is used for acquiring the number of users with failed position updating in the target cells, and taking the target cells with the number of users with failed position updating being larger than a second preset number as suspected cells;
and the suspicious user determining module is used for determining the target user which resides in the suspicious cell in the target user list as a suspicious user according to the track.
In an alternative way, acquiring signaling data includes: and acquiring signaling data from the A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
In an optional manner, the first screening module counts, according to the abnormal location update information, users to be screened, whose number of times of occurrence of abnormal location update of the same resident cell is smaller than a preset threshold value in a preset period, as target users, including:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from updating information of the signaling of the A port;
counting the updating times of abnormal positions of the users to be screened in the same resident cell;
and determining the user to be screened with the abnormal position update times larger than a preset threshold as a target user.
According to another aspect of the embodiment of the present invention, there is provided a suspicious user detection device carrying a pseudo base station, including a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface complete communication with each other through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operations of the suspicious user detection method carrying the pseudo base station
According to still another aspect of the embodiments of the present invention, there is provided a computer readable storage medium having stored therein at least one executable instruction which, when run on a suspicious user detection device/apparatus carrying a pseudo base station, causes the suspicious user detection device/apparatus carrying a pseudo base station to perform the operations of the suspicious user detection method carrying a pseudo base station described above.
According to the embodiment of the invention, the suspicious user list is output according to the updating times of the abnormal positions, the suspicious user track is determined according to the user position updating record, and the suspicious user carrying the pseudo base station is determined according to the suspicious user track, the residence time of the suspicious user in the residence cell and the updating failure user number of the residence cell, so that the suspicious user carrying the pseudo base station can be detected against the mobile pseudo base station with high detection difficulty without depending on a terminal or a newly added detection module, and the comprehensiveness and the accuracy of the detection are improved.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention, and may be implemented according to the content of the specification, so that the technical means of the embodiments of the present invention can be more clearly understood, and the following specific embodiments of the present invention are given for clarity and understanding.
Drawings
The drawings are only for purposes of illustrating embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
fig. 1 is a flow chart illustrating a suspicious user detection method with a pseudo base station according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a suspicious user detection apparatus carrying a pseudo base station according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a suspicious user detection device carrying a pseudo base station according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein.
The names appearing in the embodiments of the present invention are explained as follows:
signaling on the A port: the GSM network a interface refers to the interface between the BSC (base station controller) and the MSC (mobile services switching center), which is the interface between the wireless and core networks. The location information, service type information, etc. of the user can be obtained through a-interface signaling detection.
Location area: the maximum can be equivalent to one MSC area, the minimum can be equivalent to the coverage area of one cell, and the minimum can be equivalent to the coverage area of a plurality of adjacent base stations when a user initiates paging.
MSC area: within this area, there is a common coding method and routing scheme, and there is a mobile switching center control area called the MSC service area, where an MSC area contains one or more location areas.
Cell: also called a cell, the ideal shape is a regular hexagon and a cell contains one base station.
CI: cell Identity (Cell Identity).
MSISDN (Mobile Subscriber International ISDN/PSTN number (ISDN is an integrated services digital network, integrated Service Digital Network)): the called number which is required to be dialed by a calling user for calling a mobile user in the GSM PLMN acts as a PSTN number of a fixed network; is a number uniquely identifying the mobile subscriber in the public switched telephone network numbering plan.
LAC (location area code) is a location area code in a mobile communication system, and is an area set for paging.
Fig. 1 shows a flow chart of an embodiment of a suspicious user detection method carrying a pseudo base station according to the present invention, which method is performed by a computer device. The computer equipment can be electronic equipment such as a user terminal, a computer, a cloud platform and the like. As shown in fig. 1, the method comprises the steps of:
step 110: and acquiring signaling data, wherein the signaling data comprises abnormal position updating information of the user to be screened.
The signaling data is obtained from an A-port signaling (signal a), wherein the A-port signaling record comprises at least one piece of user update information to be screened, and the update information comprises user identification, residence cell, location area, abnormal location update information and update time of the user to be screened. Wherein the abnormal position update information includes an abnormal position area at a preset period. And determining the abnormal updating times according to the times of the abnormal position areas in the signaling data of the preset time period. In the embodiment of the present invention, the update information of the signaling record of the a port further includes a normal location update, a periodic location update, an IMSI attach update, a call start time, a call end time, and the like.
In the embodiment of the invention, the A-port signaling record can be acquired through a bridging technology.
Wherein the user identification is the user MSISDN, i.e. the user identification code. The following information can be obtained according to the fields in the signaling data of the A port, wherein the explanation of each information is shown in the following table:
and corresponding information can be obtained by reading the corresponding fields from the signaling record of the A port. Specifically, by reading the MSISDN field, a user identifier of the user to be screened, that is, a number uniquely identifying the user to be screened, may be obtained; by reading the cell field, a resident cell in which the user to be screened resides in a preset time can be obtained; the area for the user to be screened to initiate paging can be obtained by reading the position area; by reading the abnormal location area, the user to be screened located in the abnormal location area can be obtained.
Step 120: and counting the users to be screened, of which the number of times of updating the abnormal position of the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position updating information, and taking the users to be screened as target users.
In the mobile pseudo base station, the suspects can not generate multiple abnormal position updates in the same cell in a mobile state, so that the number of times of abnormal position updates in the same resident cell is less for users to be screened with abnormal position updates. Therefore, the users to be screened, of which the number of times of updating abnormal positions of the same resident cell is smaller than a preset threshold value in a preset period, are counted and serve as target users. The embodiment of the invention is not particularly limited to the preset threshold, and can be set by a person skilled in the art according to a specific scene. For example, it may be 1 to 5. And when the preset threshold value is 5, characterizing that when the number of times of updating the abnormal position of the user to be screened in the same resident cell is smaller than 5, determining the user to be screened as a target user.
The preset period may be a period for acquiring the signaling data, for example, a target user in one day may be determined, and thus, the period for acquiring the signaling data is one day. And acquiring signaling data in one day, and analyzing the users to be screened, of which the updating times of abnormal positions in the same resident cell in one day are smaller than a preset threshold value, as target users.
According to the fields in the signaling data, the MSISDN, IMSI, number of cells, number of location areas, total number of location updates, number of abnormal location updates occurring in the same cell, mobile phone model and attribution of each user to be screened can be determined, and specific statistical information is shown in the following table:
the number of times of updating the abnormal position can be counted according to the field in the signaling data, and the number of times of updating the abnormal position in each resident cell is counted by taking the cell as a dimension, and is used as the number of times of updating the abnormal position in the same cell.
Specifically, according to the abnormal location update information, counting the users to be screened, whose number of times of occurrence of abnormal location update of the same resident cell is smaller than a preset threshold value in a preset period, as target users, including: acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from updating information of the signaling of the A port;
counting the updating times of abnormal positions of the users to be screened in the same resident cell;
determining a user to be screened with abnormal position updating times larger than a preset threshold value as a target user
Step 130: and sequencing the target users according to the updating times of the abnormal positions, and obtaining a first preset number of target users before sequencing to form a target user list.
In the embodiment of the invention, the abnormal position updating times of the target user in the target user list in a preset time period are updated according to the field information in the signaling data.
And sequencing the target users from more than at least according to the updating times of the abnormal positions, and sequencing the target users with the first preset number before to form a target user list. The embodiment of the present invention is not specifically limited to the specific value of the first preset number, and may be set by those skilled in the art according to specific scenarios. For example, the first preset number may be 100. That is, the target user list is a TOP100 list, and the target users on the target user list are the target users with the TOP100 of the abnormal location update times.
Step 140: and acquiring a track of the target user in the target user list in the preset period according to the abnormal position updating information of the target user, wherein the track comprises residence cell information of the target user in the preset period.
The signaling data in the preset time period comprises updating information of a target user on a target user list in the preset time period, wherein the updating information comprises updating time, user identification, resident cells, location areas and abnormal location updating information.
And determining the track information of each target user on the target user list according to the updating time in the preset time period in the signaling data and the residence cell.
In the embodiment of the invention, the target user list and the track information corresponding to the target user are also output and displayed. The user can inquire the related information of the target user through a plurality of groups of inquiry conditions such as time and LAC with updated positions on the interface.
Step 150: and screening out resident cells with the resident time length longer than the preset time length of the target user from the resident cells based on the track, and taking the resident cells as target cells.
The method comprises the steps of counting the updating time in track information to obtain the residence time of each target user in each residence cell, counting the residence time of each residence cell, and screening residence cells with residence time longer than preset time from the residence cells to serve as target cells. In other words, in the statistics of the signaling of the port a, in the data records continuously appearing in a certain resident cell, the difference between the time of the first record and the time of the last record is counted, so as to obtain the resident duration of each target user in each resident cell.
The residence time period is not specifically limited in the embodiment of the present invention, and a person skilled in the art may set the residence time period according to a specific scenario, for example, in one embodiment of the present invention, the residence time period may be one hour.
Step 160: and acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating being larger than a second preset number as a suspected cell.
And when the number of the users with failed position updating of the target cell is larger than a second preset number, determining the corresponding target cell as a suspected cell.
The location update failure includes a location update failure caused by a location update rejection, a location update failure caused by an authentication failure, and other reasons, and the data can be obtained through an a-port signaling data record.
In the embodiment of the present invention, the second preset number is 100, that is, when the number of users failing to update the position in a certain target cell reaches more than 100, the target cell is determined to be a suspected cell. The suspected cell is a cell in which a mobile pseudo base station exists with a high probability.
Step 170: and according to the track, determining the target user which resides in the suspected cell in the target user list as a suspicious user.
The method specifically comprises the following steps:
determining target users in the target user list and with tracks covering suspected cells;
and determining the target user which is in the target user list and the track covers the suspected cell as the suspected user.
In the embodiment of the present invention, after determining that the track covers the target user of the suspected cell in the target user list, the method further includes the following steps:
determining whether the target user carries an engineering machine;
and when the target user is in the target user list, the track covers the suspected cell and carries the engineering machine, determining the target user as the suspected user.
In the embodiment of the invention, whether the user carries the engineering machine is determined according to the IMEI field in the signaling data of the A port. This is due to the engineering machine having a specific IMEI.
In the embodiment of the invention, the probability of carrying the pseudo base station is higher because the target user carrying the engineering machine is higher, so whether the target user is a suspicious user is further judged by combining whether the engineering machine is carried or not. The engineering machine can be a Nokia engineering machine or other model engineering machines, and whether the user carries the engineering machine or not can be determined through the IMEI of the engineering machine.
According to the embodiment of the invention, the query panel is built according to the signaling data acquired in real time, the suspicious user information (such as IMSI, IMEI or MSISDN) can be input in the query panel, the query is clicked, the position update record of the suspicious user is queried, and the A interface position of the suspicious number is presented in the query result.
The query panel also comprises track information of suspicious users. And displaying the activity track of the suspicious user in the map of the query panel according to the signaling data acquired in real time.
According to the embodiment of the invention, the suspicious user list is output according to the updating times of the abnormal positions, the suspicious user track is determined according to the user position updating record, and the suspicious user carrying the pseudo base station is determined according to the suspicious user track, the residence time of the suspicious user in the residence cell and the updating failure user number of the residence cell, so that the suspicious user carrying the pseudo base station can be detected against the mobile pseudo base station with high detection difficulty without depending on a terminal or a newly added detection module, and the comprehensiveness and the accuracy of the detection are improved.
Fig. 2 shows a schematic structural diagram of an embodiment of the suspicious user detection apparatus carrying the pseudo base station according to the present invention. As shown in fig. 2, the apparatus 200 includes: the data acquisition module 210, the first screening module 220, the second screening module 230, the trajectory determination module 240, the target cell determination module 250, the suspected cell determination module 260, and the suspected user determination module 270.
A data acquisition module 210, configured to acquire signaling data, where the signaling data includes abnormal location update information of a user to be screened;
the first screening module 220 is configured to count, according to the abnormal location update information, users to be screened, whose number of times of updating abnormal locations occurring in the same resident cell in a preset period is less than a preset threshold, as target users;
the second filtering module 230 is configured to sort the target users according to the number of updating times of the abnormal positions, obtain a first preset number of target users before sorting, and form a target user list;
a track determining module 240, configured to obtain a track of the target user in the target user list within the preset period according to the abnormal location update information of the target user, where the track includes residence cell information of the target user within the preset period;
a target cell determining module 250, configured to screen, based on the track, a camping cell with a camping time longer than a preset time length of the target user from the camping cells, as a target cell;
a suspected cell determining module 260, configured to obtain a number of users with failed location update in the target cells, and use the target cells with the number of users with failed location update being greater than a second preset number as suspected cells;
and a suspicious user determination module 270, configured to determine, according to the trajectory, a target user residing in the suspicious cell in the target user list as a suspicious user.
In an alternative way, acquiring signaling data includes: and acquiring signaling data from the A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
In an optional manner, counting, as the target user, users to be screened whose number of abnormal position update times occurring in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position update information, including:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from updating information of the signaling of the A port;
counting the updating times of abnormal positions of the users to be screened in the same resident cell;
and determining the user to be screened with the abnormal position update times larger than a preset threshold as a target user.
In an optional manner, according to the track, determining the target user residing in the suspected cell in the target user list as a suspected user includes:
determining target users in the suspicious user list and with trajectories covering suspicious cells;
the target user in the suspicious user list and with the track covering the suspicious cell is determined to be the suspicious user.
In an alternative way, after determining the target user in the target user list and the track covers the suspected cell, the method further comprises the steps of:
determining whether the target user carries an engineering machine;
and when the target user is in the target user list, the track covers the suspected cell and carries the engineering machine, determining the target user as the suspected user.
According to the embodiment of the invention, the suspicious user list is output according to the updating times of the abnormal positions, the suspicious user track is determined according to the user position updating record, and the suspicious user carrying the pseudo base station is determined according to the suspicious user track, the residence time of the suspicious user in the residence cell and the updating failure user number of the residence cell, so that the suspicious user carrying the pseudo base station can be detected against the mobile pseudo base station with high detection difficulty without depending on a terminal or a newly added detection module, and the comprehensiveness and the accuracy of the detection are improved.
Fig. 3 is a schematic structural diagram of an embodiment of a suspicious ue carrying a pseudo base station according to the present invention, and the embodiment of the present invention is not limited to the specific implementation of the suspicious ue carrying a pseudo base station.
As shown in fig. 3, the suspicious user detection device carrying the pseudo base station may include: a processor (processor) 302, a communication interface (Communications Interface) 304, a memory (memory) 306, and a communication bus 308.
Wherein: processor 302, communication interface 304, and memory 306 perform communication with each other via communication bus 308. A communication interface 304 for communicating with network elements of other devices, such as clients or other servers. The processor 302 is configured to execute the program 310, and may specifically perform the relevant steps in the above-described embodiment of the suspicious user detection method for carrying a pseudo base station.
In particular, program 310 may include program code comprising computer-executable instructions.
The processor 302 may be a central processing unit CPU, or a specific integrated circuit ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the suspicious user detection device carrying the pseudo base station may be the same type of processor, such as one or more CPUs; but may also be different types of processors such as one or more CPUs and one or more ASICs.
Memory 306 for storing programs 310. Memory 306 may comprise high-speed RAM memory or may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
Program 310 may be specifically invoked by processor 302 to cause a suspicious user detection device carrying a fake base station to:
acquiring signaling data, wherein the signaling data comprises abnormal position updating information of a user to be screened;
counting the users to be screened, of which the number of times of updating abnormal positions in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position updating information, and taking the users to be screened as target users;
sorting the target users according to the updating times of the abnormal positions, obtaining a first preset number of target users before sorting, and forming a target user list;
acquiring a track of the target user in the target user list in the preset period according to the abnormal position updating information of the target user, wherein the track comprises residence cell information of the target user in the preset period;
based on the track, selecting a resident cell with the resident time length longer than a preset time length of the target user from the resident cells as a target cell;
acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating being larger than a second preset number as a suspected cell;
and according to the track, determining the target user which resides in the suspected cell in the target user list as a suspicious user.
In an alternative way, acquiring signaling data includes: and acquiring signaling data from the A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
In an optional manner, counting, as the target user, users to be screened whose number of abnormal position update times occurring in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position update information, including:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from updating information of the signaling of the A port;
counting the updating times of abnormal positions of the users to be screened in the same resident cell;
and determining the user to be screened with the abnormal position update times larger than a preset threshold as a target user.
In an optional manner, according to the track, determining the target user residing in the suspected cell in the target user list as a suspected user includes:
determining target users in the suspicious user list and with trajectories covering suspicious cells;
the target user in the suspicious user list and with the track covering the suspicious cell is determined to be the suspicious user.
In an alternative way, after determining the target user in the target user list and the track covers the suspected cell, the method further comprises the steps of:
determining whether the target user carries an engineering machine;
and when the target user is in the target user list, the track covers the suspected cell and carries the engineering machine, determining the target user as the suspected user.
According to the embodiment of the invention, the suspicious user list is output according to the updating times of the abnormal positions, the suspicious user track is determined according to the user position updating record, and the suspicious user carrying the pseudo base station is determined according to the suspicious user track, the residence time of the suspicious user in the residence cell and the updating failure user number of the residence cell, so that the suspicious user carrying the pseudo base station can be detected against the mobile pseudo base station with high detection difficulty without depending on a terminal or a newly added detection module, and the comprehensiveness and the accuracy of the detection are improved.
The embodiment of the invention provides a computer readable storage medium, which stores at least one executable instruction, and when the executable instruction runs on suspicious user detection equipment/device carrying a pseudo base station, the suspicious user detection equipment/device carrying the pseudo base station executes the suspicious user detection method carrying the pseudo base station in any method embodiment.
The executable instructions may be specifically configured to cause a suspicious user detection device/apparatus carrying a fake base station to:
acquiring signaling data, wherein the signaling data comprises abnormal position updating information of a user to be screened;
counting the users to be screened, of which the number of times of updating abnormal positions in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position updating information, and taking the users to be screened as target users;
sorting the target users according to the updating times of the abnormal positions, obtaining a first preset number of target users before sorting, and forming a target user list;
acquiring a track of the target user in the target user list in the preset period according to the abnormal position updating information of the target user, wherein the track comprises residence cell information of the target user in the preset period;
based on the track, selecting a resident cell with the resident time length longer than a preset time length of the target user from the resident cells as a target cell;
acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating being larger than a second preset number as a suspected cell;
and according to the track, determining the target user which resides in the suspected cell in the target user list as a suspicious user.
In an alternative way, acquiring signaling data includes: and acquiring signaling data from the A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
In an optional manner, counting, as the target user, users to be screened whose number of abnormal position update times occurring in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position update information, including:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from updating information of the signaling of the A port;
counting the updating times of abnormal positions of the users to be screened in the same resident cell;
and determining the user to be screened with the abnormal position update times larger than a preset threshold as a target user.
In an optional manner, according to the track, determining the target user residing in the suspected cell in the target user list as a suspected user includes:
determining target users in the suspicious user list and with trajectories covering suspicious cells;
the target user in the suspicious user list and with the track covering the suspicious cell is determined to be the suspicious user.
In an alternative way, after determining the target user in the target user list and the track covers the suspected cell, the method further comprises the steps of:
determining whether the target user carries an engineering machine;
and when the target user is in the target user list, the track covers the suspected cell and carries the engineering machine, determining the target user as the suspected user.
According to the embodiment of the invention, the suspicious user list is output according to the updating times of the abnormal positions, the suspicious user track is determined according to the user position updating record, and the suspicious user carrying the pseudo base station is determined according to the suspicious user track, the residence time of the suspicious user in the residence cell and the updating failure user number of the residence cell, so that the suspicious user carrying the pseudo base station can be detected against the mobile pseudo base station with high detection difficulty without depending on a terminal or a newly added detection module, and the comprehensiveness and the accuracy of the detection are improved.
The embodiment of the invention provides a suspicious user detection device carrying a pseudo base station, which is used for executing the suspicious user detection method carrying the pseudo base station.
The embodiment of the invention provides a computer program which can be called by a processor to enable suspicious user detection equipment carrying a pseudo base station to execute the suspicious user detection method carrying the pseudo base station in any of the method embodiments.
An embodiment of the present invention provides a computer program product, where the computer program product includes a computer program stored on a computer readable storage medium, where the computer program includes program instructions, when the program instructions are executed on a computer, cause the computer to perform the suspicious user detection method with a pseudo base station in any of the above method embodiments.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. The required structure for a construction of such a system is apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the above description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed invention requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component, and they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specifically stated.
Claims (10)
1. A method for detecting suspicious users carrying pseudo base stations, the method comprising:
acquiring signaling data, wherein the signaling data comprises abnormal position updating information of a user to be screened;
counting the users to be screened, of which the number of times of updating abnormal positions in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position updating information, and taking the users to be screened as target users;
sorting the target users according to the updating times of the abnormal positions, obtaining a first preset number of target users before sorting, and forming a target user list;
acquiring a track of the target user in the target user list in the preset period according to the abnormal position updating information of the target user, wherein the track comprises residence cell information of the target user in the preset period;
based on the track, selecting a resident cell with the resident time length longer than a preset time length of the target user from the resident cells as a target cell;
acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating being larger than a second preset number as a suspected cell;
and according to the track, determining the target user which resides in the suspected cell in the target user list as a suspicious user.
2. The method of claim 1, wherein obtaining signaling data comprises: and acquiring signaling data from the A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
3. The method according to claim 2, wherein counting, as the target user, the users to be screened whose number of abnormal location updates occurring in the same resident cell is smaller than a preset threshold value within a preset period of time according to the abnormal location update information, comprises:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from updating information of the signaling of the A port;
counting the updating times of abnormal positions of the users to be screened in the same resident cell;
and determining the user to be screened with the abnormal position update times smaller than a preset threshold as a target user.
4. A method according to any of claims 1-3, characterized in that determining the target user of the target user list having the suspected cell camped on as a suspicious user on the basis of the trajectory comprises:
determining target users in the suspicious user list and with trajectories covering suspicious cells;
the target user in the suspicious user list and with the track covering the suspicious cell is determined to be the suspicious user.
5. The method of claim 4, further comprising the steps of, after determining the target user in the target user list and the trajectory covers the suspected cell:
determining whether the target user carries an engineering machine;
and when the target user is in the target user list, the track covers the suspected cell and carries the engineering machine, determining the target user as the suspected user.
6. A suspicious user detection apparatus carrying a fake base station, the apparatus comprising:
the data acquisition module is used for acquiring signaling data, wherein the signaling data comprises abnormal position updating information of at least one user to be screened;
the first screening module is used for counting the users to be screened, of which the number of times of updating abnormal positions in the same resident cell is smaller than a preset threshold value in a preset period according to the abnormal position updating information, and taking the users to be screened as target users;
the second screening module is used for sorting the target users according to the updating times of the abnormal positions, obtaining a first preset number of target users before sorting, and forming a target user list;
the track determining module is used for acquiring a track of the target user in the preset time period in the target user list according to the abnormal position updating information of the target user, wherein the track comprises resident cell information of the target user in the preset time period;
the target cell determining module is used for screening out resident cells with the residence time longer than the preset duration of the target user from the resident cells based on the track, and taking the resident cells as target cells;
the suspected cell determining module is used for acquiring the number of users with failed position updating in the target cells, and taking the target cells with the number of users with failed position updating being larger than a second preset number as suspected cells;
and the suspicious user determining module is used for determining the target user which resides in the suspicious cell in the target user list as a suspicious user according to the track.
7. The apparatus of claim 6, wherein obtaining signaling data comprises: and acquiring signaling data from the A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
8. The apparatus of claim 7, wherein the first filtering module counts, as the target user, users to be filtered having an abnormal location update number of times less than a preset threshold value in the same resident cell within a preset period according to the abnormal location update information, including:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from updating information of the signaling of the A port;
counting the updating times of abnormal positions of the users to be screened in the same resident cell;
and determining the user to be screened with the abnormal position update times smaller than a preset threshold as a target user.
9. A suspicious user detection apparatus carrying a fake base station, comprising: the device comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete communication with each other through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the operations of the suspicious user detection method carrying a fake base station according to any one of claims 1 to 5.
10. A computer readable storage medium having stored therein at least one executable instruction which, when run on a suspicious user detection device/means carrying a pseudo base station, causes the suspicious user detection device/means carrying a pseudo base station to perform the operations of the suspicious user detection method carrying a pseudo base station according to any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010896623.7A CN114205820B (en) | 2020-08-31 | 2020-08-31 | Suspicious user detection method, suspicious user detection device and suspicious user detection computer equipment carrying pseudo base station |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010896623.7A CN114205820B (en) | 2020-08-31 | 2020-08-31 | Suspicious user detection method, suspicious user detection device and suspicious user detection computer equipment carrying pseudo base station |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114205820A CN114205820A (en) | 2022-03-18 |
| CN114205820B true CN114205820B (en) | 2023-08-15 |
Family
ID=80644293
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010896623.7A Active CN114205820B (en) | 2020-08-31 | 2020-08-31 | Suspicious user detection method, suspicious user detection device and suspicious user detection computer equipment carrying pseudo base station |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114205820B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117119434B (en) * | 2023-10-24 | 2024-04-02 | 北京大也智慧数据科技服务有限公司 | Personnel identification method, device, equipment and storage medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104661204A (en) * | 2015-01-05 | 2015-05-27 | 中国联合网络通信集团有限公司 | Positioning method and device for pseudo base station |
| CN105050092A (en) * | 2015-08-21 | 2015-11-11 | 广西英伦信息技术股份有限公司 | Method for locating false base station |
| CN105873068A (en) * | 2016-06-17 | 2016-08-17 | 珠海市魅族科技有限公司 | Pseudo base station identification method and device |
| CN108243421A (en) * | 2016-12-26 | 2018-07-03 | 中国移动通信集团山东有限公司 | Pseudo-base station recognition methods and system |
| CN108271157A (en) * | 2016-12-30 | 2018-07-10 | 中移(杭州)信息技术有限公司 | A kind of pseudo-base station recognition methods and device |
| CN108513301A (en) * | 2017-02-23 | 2018-09-07 | 中国移动通信有限公司研究院 | A kind of disabled user's recognition methods and device |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9838879B2 (en) * | 2014-12-19 | 2017-12-05 | Telefonaktiebolaget Lm Ericsson (Publ) | Network node and method for detecting false base stations |
| US9867039B2 (en) * | 2015-06-26 | 2018-01-09 | Futurewei Technologies, Inc. | System and method for faked base station detection |
| CN110741661B (en) * | 2017-05-31 | 2023-05-26 | 苹果公司 | Method, mobile device and computer readable storage medium for pseudo base station detection |
-
2020
- 2020-08-31 CN CN202010896623.7A patent/CN114205820B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104661204A (en) * | 2015-01-05 | 2015-05-27 | 中国联合网络通信集团有限公司 | Positioning method and device for pseudo base station |
| CN105050092A (en) * | 2015-08-21 | 2015-11-11 | 广西英伦信息技术股份有限公司 | Method for locating false base station |
| CN105873068A (en) * | 2016-06-17 | 2016-08-17 | 珠海市魅族科技有限公司 | Pseudo base station identification method and device |
| CN108243421A (en) * | 2016-12-26 | 2018-07-03 | 中国移动通信集团山东有限公司 | Pseudo-base station recognition methods and system |
| CN108271157A (en) * | 2016-12-30 | 2018-07-10 | 中移(杭州)信息技术有限公司 | A kind of pseudo-base station recognition methods and device |
| CN108513301A (en) * | 2017-02-23 | 2018-09-07 | 中国移动通信有限公司研究院 | A kind of disabled user's recognition methods and device |
Non-Patent Citations (1)
| Title |
|---|
| Detecting and Tracking Pseudo Base Stations in GSM Signal Hijacking and Frauds: a Visualized Approach;Yongxing Li et al.;《Information Security and Computer Fraud》;第5卷(第1期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114205820A (en) | 2022-03-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113810224B (en) | Information processing method and device | |
| CN105516986B (en) | A kind of method, terminal, data processor and system detecting pseudo-base station | |
| US7570941B2 (en) | Method enabling detection of stolen mobile communication devices and systems thereof | |
| US8364147B2 (en) | System and method for determining commonly used communication terminals and for identifying noisy entities in large-scale link analysis | |
| CN103796241A (en) | Method for judging and positioning pseudo base station based on reported information of terminal | |
| CN1961602A (en) | Method and radio communication network for detecting the presence of fraudulent subscriber identity modules | |
| CN110063071B (en) | Cell selection method and terminal | |
| EP3407541A1 (en) | Method and device for analyzing poor network quality problem | |
| CN108513301B (en) | Illegal user identification method and device | |
| EP1976225A2 (en) | System and method for ciphering key forwarding and RRC packet deciphering in a UMTS monitoring system | |
| CN108391223B (en) | Method and device for determining lost user | |
| CN111459702B (en) | Indoor distribution system fault monitoring method and device based on MDT data | |
| CN114205820B (en) | Suspicious user detection method, suspicious user detection device and suspicious user detection computer equipment carrying pseudo base station | |
| US8311535B2 (en) | Method for controlling information trace and core network element | |
| CN113301555A (en) | Resident cell determining method, resident cell determining device, resident cell determining equipment, resident cell determining medium and resident cell determining product | |
| US8996558B2 (en) | Geolocation information storage system for mobile communications data | |
| CN102547565A (en) | System for position management of mobile user and mobile network on basis of position analysis | |
| CN103348716B (en) | Informing a MME about a HLR restart via the S6A interface | |
| CN113163361A (en) | Vehicle information processing method and device and server | |
| EP2915344B1 (en) | Method, location determiner, computer program and computer program product for determining a location of a mobile communication terminal | |
| CN108064043A (en) | A kind of pseudo-base station detection method, device, system and a kind of communication server | |
| EP2871875A1 (en) | Security method for the verification of an information retrieval request | |
| EP2592860A2 (en) | Geolocation information storage system for mobile communications data | |
| CN115242620B (en) | Voice service paging failure positioning method and device | |
| US20210410208A1 (en) | System and method to identify user equipment device type connected to a wireless network using a single characteristic indicator based on classmark |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |