CN116561403B - Terminal identification method, system, storage medium and equipment - Google Patents

Terminal identification method, system, storage medium and equipment Download PDF

Info

Publication number
CN116561403B
CN116561403B CN202310846632.9A CN202310846632A CN116561403B CN 116561403 B CN116561403 B CN 116561403B CN 202310846632 A CN202310846632 A CN 202310846632A CN 116561403 B CN116561403 B CN 116561403B
Authority
CN
China
Prior art keywords
terminal
feature
score
mac
identification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310846632.9A
Other languages
Chinese (zh)
Other versions
CN116561403A (en
Inventor
陈立
王东泉
张俊安
唐磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Maxnet Network Safety Technology Co ltd
Original Assignee
Suzhou Maxnet Network Safety Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Maxnet Network Safety Technology Co ltd filed Critical Suzhou Maxnet Network Safety Technology Co ltd
Priority to CN202310846632.9A priority Critical patent/CN116561403B/en
Publication of CN116561403A publication Critical patent/CN116561403A/en
Application granted granted Critical
Publication of CN116561403B publication Critical patent/CN116561403B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/30Managing network names, e.g. use of aliases or nicknames
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2458Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2468Fuzzy queries
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/953Querying, e.g. by the use of web search engines
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/60Types of network addresses
    • H04L2101/618Details of network addresses
    • H04L2101/622Layer-2 addresses, e.g. medium access control [MAC] addresses
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Fuzzy Systems (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Automation & Control Theory (AREA)
  • Probability & Statistics with Applications (AREA)
  • Computational Linguistics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a terminal identification method, a system, a storage medium and equipment, wherein the method comprises the steps of S1, acquiring a mac address and characteristics of a terminal required by identification; s2, determining whether the characteristics are acquired and whether a mac large database identifies a terminal ID corresponding to the terminal mac address; the corresponding terminal is determined according to the characteristics or the mac address of the terminal or the oui characteristics in combination with different cases. The invention integrates the characteristic corresponding terminal ID library, the mac large database and the oui fuzzy recognition library for terminal recognition, can process the conditions of no characteristic report, incapability of recognizing the mac address of the terminal and the like, and improves the recognition capability. The score of the terminal ID identified by the mac large database is used as a score threshold, and when the enhanced feature score is higher than the score threshold, the reliability of the terminal ID determined by the feature identification is higher, so that the identification precision is improved.

Description

Terminal identification method, system, storage medium and equipment
Technical Field
The invention relates to the technical field of computers, in particular to a terminal identification method, a system, a storage medium and equipment.
Background
In the area network, the terminal devices in the access network include terminals such as IP phones, printers, cameras, and the like, in addition to intelligent terminals (PCs, mobile phones).
The current network management system can only check the IP of the access terminal and the mac address of the terminal, does not know what equipment the terminal is, and cannot perform finer visual management on the network terminal.
The service configuration and the strategy to be deployed after the different types of terminals are accessed to the network are also different, and an administrator needs to manually configure different service configurations and strategies for the different types of terminals, so that the service deployment is complex and the operation is complicated. Therefore, the terminal needs to be identified for finer network management.
The existing terminal identification method can be used for identifying through a terminal mac address, for example, as disclosed in the chinese patent application with application publication number CN112202610a, but this method has a problem of low identification accuracy, and even cannot be effectively identified according to the terminal mac address.
Of course, there are other features reported by the acquisition terminal, such as hostname, but these terminal identification methods generally use a single or a small number of features with fixed dimensions to perform identification, so that the identification mode has high fluctuation rate, unstable identification result and relatively mechanized identification logic.
Disclosure of Invention
The invention aims to solve the problems in the prior art and provides a terminal identification method, a system, a storage medium and equipment.
The aim of the invention is achieved by the following technical scheme:
the terminal identification method comprises the following steps:
s1, acquiring a terminal mac address and characteristics required by identification;
s2, determining whether the characteristics are acquired and whether a mac large database identifies a terminal ID corresponding to the terminal mac address;
s3, if the characteristics are not obtained and the mac large database identifies the terminal ID corresponding to the mac address of the terminal, taking the terminal ID identified by the mac large database as an identification result;
s4, if the characteristics are not obtained and the mac large database does not identify the terminal ID corresponding to the terminal mac address, using a oui characteristic of the terminal mac address identified by a oui fuzzy identification library as an identification result;
s5, if the characteristics are obtained and the terminal ID corresponding to the terminal mac address is not identified by the mac large database, determining the reinforcement characteristic score of each terminal ID according to the characteristics and taking the terminal ID corresponding to the one with the largest reinforcement characteristic score as an identification result;
s6, if the characteristics are obtained and the mac large database identifies the terminal ID corresponding to the mac address of the terminal, determining the enhanced characteristic score of the terminal ID according to the characteristics; comparing the enhanced feature score of the terminal ID with a score threshold; if the reinforcement feature score is determined to be greater than the score threshold, taking a terminal ID corresponding to the reinforcement feature score which is greater than the score threshold as an identification result; and if all the enhanced feature scores are smaller than or equal to the score threshold, taking the terminal ID corresponding to the terminal mac address identified by the mac large database as an identification result.
Preferably, the determining the enhanced feature of the terminal ID according to the feature includes the following steps:
s10, determining a terminal ID corresponding to each feature through feature identification;
s20, calculating the feature hit score corresponding to each terminal ID determined in S10;
s30, calculating mac matching scores corresponding to the terminal IDs determined in the S10;
s40, calculating the feature score corresponding to each terminal ID according to the mac matching score and the feature hit score;
and S50, calculating the strengthening characteristic score corresponding to each terminal ID according to the strengthening coefficient and the characteristic score corresponding to each terminal ID.
Preferably, the step S20 includes the steps of:
s210, determining the feature number hit by each terminal ID;
s220, calculating the feature hit rate corresponding to each terminal ID according to the feature number hit by the terminal ID;
s230, calculating the feature hit score corresponding to each terminal ID according to the feature coefficient corresponding to each terminal ID and the feature hit rate;
preferably, in S230, the feature coefficient corresponding to each terminal ID is a sum of scores corresponding to all features included in the terminal ID, each feature is one of the features acquired in S1, and the score corresponding to the feature is 1/n, where n is the number of terminal IDs including the feature determined in S10.
Preferably, said S30 includes,
s310, calculating the mac feature number of hits corresponding to each terminal ID;
s320, calculating the mac matching score corresponding to each terminal ID according to the mac feature hit number corresponding to each terminal ID and the mac total feature number corresponding to each terminal ID.
Preferably, in S50, when the feature score corresponding to a terminal ID is greater than a predetermined value, the feature score corresponding to the terminal ID is positively enhanced by the enhancement coefficient, and otherwise, the feature score corresponding to the terminal ID is negatively enhanced by the enhancement coefficient.
Preferably, in the step S6, if there are a plurality of the reinforcement feature scores greater than the score threshold, a terminal ID corresponding to a maximum value of the plurality of reinforcement feature scores greater than the score threshold is used as the identification result.
A terminal identification system comprising:
the data acquisition unit is used for acquiring the mac address and the characteristics of the terminal required by identification;
a judging unit, configured to determine whether a feature is acquired and whether a mac large database identifies a terminal ID corresponding to the terminal mac address;
a first result determining unit, configured to, when no feature is acquired and the mac large database identifies a terminal ID corresponding to the mac address of the terminal, take the terminal ID identified by the mac large database as an identification result;
a second result determining unit, configured to, when no feature is acquired and the mac large database does not identify a terminal ID corresponding to the terminal mac address, take, as an identification result, a result obtained by identifying oui features of the terminal mac address by the oui fuzzy identification library;
a third result determining unit, configured to determine, when a feature is acquired and a mac large database does not identify a terminal ID corresponding to the mac address of the terminal, an enhanced feature score of each terminal ID according to the feature, and take, as an identification result, a terminal ID corresponding to one of the enhanced feature scores that is the largest;
a fourth result determining unit, configured to determine, when a feature is acquired and a mac large database identifies a terminal ID corresponding to the terminal mac address, an enhanced feature score of the terminal ID according to the feature; comparing the enhanced feature score of the terminal ID with a score threshold; if the reinforcement feature score is determined to be greater than the score threshold, taking a terminal ID corresponding to the reinforcement feature score which is greater than the score threshold as an identification result; if all the enhanced feature scores are smaller than or equal to the score threshold, taking the terminal ID corresponding to the terminal mac address identified by the mac large database as an identification result;
an enhanced feature score determining unit for determining an enhanced feature score of a terminal ID according to the feature, comprising:
the terminal ID identification module is used for determining the terminal ID corresponding to each feature through feature identification;
the first calculation module is used for calculating the feature hit score corresponding to each terminal ID determined by the terminal ID recognition module;
the second calculation module is used for calculating the mac matching score corresponding to each terminal ID determined by the terminal ID recognition module;
the third calculation module is used for calculating the feature score corresponding to each terminal ID according to the mac matching score and the feature hit score;
the fourth calculation module is used for calculating the strengthening characteristic score corresponding to each terminal ID according to the strengthening coefficient and the characteristic score corresponding to each terminal ID; when the feature score corresponding to a terminal ID is larger than a preset value, positively strengthening the feature score corresponding to the terminal ID through the strengthening coefficient, otherwise, negatively strengthening the feature score corresponding to the terminal ID through the strengthening coefficient;
the first computing module includes:
the feature number determining module is used for determining the feature number hit by each terminal ID;
the characteristic hit rate determining module is used for calculating the characteristic hit rate corresponding to each terminal ID according to the characteristic number hit by the terminal ID;
the feature hit score calculation module is used for calculating the feature hit score corresponding to each terminal ID according to the feature coefficient and the feature hit rate corresponding to each terminal ID; the feature coefficient corresponding to each terminal ID is the sum of scores corresponding to all features contained in the terminal ID, each feature is one of the features acquired by the data acquisition unit, the score corresponding to the feature coefficient is 1/n, and n is the number of the terminal IDs containing the feature determined by the terminal ID recognition module.
A storage medium in which a program is stored, which when executed implements the terminal identification method as described in any one of the above.
The terminal identification device comprises a memory and a processor, wherein the memory stores a program which can be processed by the processor, and the program realizes the terminal identification method when being executed.
The technical scheme of the invention has the advantages that:
the invention integrates the characteristic corresponding terminal ID library, the mac big database and the oui fuzzy recognition library for terminal recognition, can recognize a plurality of elements of the characteristics, the terminal mac address and the oui characteristics, can process the conditions of no characteristic report, terminal mac address unrecognizable and the like, and improves the recognition capability.
Because the identification accuracy of the mac large database is about 0.5, the score of the terminal ID identified by the mac large database is used as a score threshold, and when the enhanced feature score is higher than the score threshold, the reliability of the terminal ID determined by the feature identification is higher, thereby being beneficial to improving the identification accuracy and further reducing the identification fluctuation rate.
When the acquired features are used for identification, the features of multiple dimensions are considered, the strong features and the weak features are distinguished, the fluctuation problem of feature identification of single or small number of dimensions is effectively avoided, the stability of identification is better, and the precision and consistency are better.
The method can adjust the identification parameters and has flexible identification logic. Meanwhile, positive reinforcement and negative reinforcement are carried out according to different conditions when the reinforcement characteristic score is calculated, so that the identified fluctuation rate is further reduced.
Drawings
FIG. 1 is a schematic flow chart of the present invention;
fig. 2 is a schematic flow chart of the present invention for determining the enhanced feature score of each terminal ID according to the feature.
Detailed Description
The objects, advantages and features of the present invention are illustrated and explained by the following non-limiting description of preferred embodiments. These embodiments are only typical examples of the technical scheme of the invention, and all technical schemes formed by adopting equivalent substitution or equivalent transformation fall within the scope of the invention.
In the description of the embodiments, it should be noted that the positional or positional relationship indicated by the terms such as "center", "upper", "lower", "left", "right", "front", "rear", "vertical", "horizontal", "inner", "outer", etc. are based on the positional or positional relationship shown in the drawings, are merely for convenience of description and simplification of description, and do not indicate or imply that the apparatus or elements referred to must have a specific orientation, be configured and operated in the specific orientation, and thus are not to be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Example 1
The terminal identification method disclosed by the invention is described below with reference to the accompanying drawings, and as shown in fig. 1, the method comprises the following steps:
s1, acquiring a terminal mac address and characteristics required by identification;
s2, determining whether the characteristics are acquired and whether a mac large database identifies a terminal ID corresponding to the terminal mac address;
s3, if the characteristics are not obtained and the mac large database identifies the terminal ID corresponding to the mac address of the terminal, taking the terminal ID identified by the mac large database as an identification result;
s4, if the characteristics are not obtained and the mac large database does not identify the terminal ID corresponding to the terminal mac address, using a oui characteristic of the terminal mac address identified by a oui fuzzy identification library as an identification result;
s5, if the characteristics are obtained and the terminal ID corresponding to the terminal mac address is not identified by the mac large database, determining the reinforcement characteristic score of each terminal ID according to the characteristics and taking the terminal ID corresponding to the one with the largest reinforcement characteristic score as an identification result;
s6, if the characteristics are obtained and the mac large database identifies the terminal ID corresponding to the mac address of the terminal, determining the enhanced characteristic score of the terminal ID according to the characteristics; comparing the enhanced feature score of the terminal ID with a score threshold; if the reinforcement feature score is determined to be greater than the score threshold, taking a terminal ID corresponding to the reinforcement feature score which is greater than the score threshold as an identification result; and if all the enhanced feature scores are smaller than or equal to the score threshold, taking the terminal ID corresponding to the terminal mac address identified by the mac large database as an identification result.
The method and the device divide the features to be acquired into strong features and weak features, wherein the features acquired through direct connection are defined as strong features, and the features acquired through forwarding messages are defined as weak features. Among them, strong features include, but are not limited to: five-dimensional features of hostname, vendor, elink, mdns, and upnp. Weak features include, but are not limited to, features of the dimension http (hypertext transfer protocol).
In the step S1, the feature to be acquired, that is, one or more of the features reported by the terminal, may, of course, be not acquired due to the fact that the terminal does not report the feature.
In the step S2, the mac large database is a database of the mac address of the terminal and the corresponding ID of the terminal constructed according to the history data, and the specific construction process is a known technology, which is not described herein. After the mac address of the terminal is obtained in S1, the mac address is input into the mac database, and the terminal ID corresponding to the mac address can be determined through feature recognition, and detailed recognition processes and principles are known technologies and are not described herein.
In the step S4, the oui fuzzy recognition library is a oui feature database and a corresponding terminal ID database, which are also constructed according to historical data, and the specific construction process is also a known technology, which is not described herein. The oui fuzzy recognition library determines the probability that the first 6 bits (oui features) of the acquired terminal mac address belong to each terminal ID, and takes the terminal ID corresponding to the maximum probability as a recognition result, and detailed recognition process and principle are known technologies and are not described herein.
As shown in fig. 2, in S5 and S6, the determining the enhanced feature of the terminal ID according to the feature includes the following steps:
s10, determining the corresponding terminal ID of each feature obtained in the S1 in a terminal ID library corresponding to the feature through feature recognition;
s20, calculating the feature hit score corresponding to each terminal ID determined in S10;
s30, calculating mac matching scores corresponding to the terminal IDs determined in the S10;
s40, calculating the feature score corresponding to each terminal ID according to the mac matching score and the feature hit score;
and S50, calculating the strengthening characteristic score corresponding to each terminal ID according to the strengthening coefficient and the characteristic score corresponding to each terminal ID.
In the step S10, the feature-to-terminal ID library is a database of features and corresponding terminal IDs constructed based on historical data, and a specific construction process thereof is a known technology and will not be described herein. The features are input into the terminal ID library corresponding to the features, so that the terminal ID corresponding to the features can be identified, and the corresponding identification process and principle are known techniques and are not described herein.
The S20 includes:
and S210, determining the feature number of each terminal ID hit, wherein the feature number of each terminal ID hit refers to the feature of which dimension is contained in the features acquired in S1 by the feature identification determination in S10, for example, if a certain terminal ID identified in S10 contains the features of two dimensions of vendor, hostname, http, the feature number of each terminal ID hit is 2.
S220, calculating the feature hit rate corresponding to each terminal ID according to the feature number hit by the terminal ID; the feature hit rate is obtained by dividing the feature number hit by each terminal ID by the total feature number corresponding to each terminal ID. The total feature number refers to that each terminal ID includes features of several dimensions in a feature corresponding terminal ID library, for example, in the feature corresponding terminal ID library, terminal ID10000 has features in four dimensions of vendor, hostname, mdns, and upnp, and then the total feature number corresponding to the terminal ID10000 is 4.
S230, calculating the feature hit score corresponding to each terminal ID determined in S10 according to the feature coefficient corresponding to each terminal ID and the feature hit rate; the feature coefficient corresponding to each terminal ID is the sum of scores corresponding to all features contained in the terminal ID, each feature is one of the features acquired in S1, the score corresponding to the feature is 1/n, and n is the number of terminal IDs containing the feature determined in S10. In the concrete calculation, the feature hit score corresponding to each terminal ID is obtained by multiplying the feature coefficient corresponding to each terminal ID and the feature hit rate corresponding to each terminal ID.
The S30 includes:
s310, the mac feature number of the terminal ID is calculated, for example, if one terminal ID identified in S10 includes the two dimensions of the feature vector and the feature hostname obtained in S1, the mac feature number of the terminal ID is 2.
S320, calculating a mac matching score corresponding to each terminal ID determined in S10 according to the mac feature number of hits; the mac matching score is equal to the number of mac feature hits divided by the mac total feature number, where the mac total feature number is the number of dimensions of all features reported by each terminal mac address, for example, the feature reported by a terminal mac address corresponding to a terminal ID is the feature of vendor, hostname, http, and the corresponding mac total feature number is 3.
In S40, the feature score corresponding to each terminal ID is obtained by multiplying the mac matching score corresponding to each terminal ID by the feature hit score corresponding to each terminal ID.
In S50, the augmentation factor is determined according to two probabilities, where one probability is a probability that the terminal belongs to a different terminal type determined according to the oui feature, and may be determined by performing feature recognition on the oui feature by the oui fuzzy recognition library. The other probability is a probability that the vendor belongs to different terminal types and is determined according to the vendor characteristics, and the vendor characteristics can be determined by performing feature recognition on the vendor characteristics through a vendor corresponding terminal type library, and the corresponding processes of building the vendor corresponding terminal type library and performing feature recognition are known technologies and are not described herein.
When the feature score corresponding to a terminal ID is larger than a preset value, positive strengthening is carried out on the feature score corresponding to the terminal ID through a strengthening coefficient, and when the positive strengthening is carried out, the strengthening coefficient is obtained by multiplying the maximum value of the two probabilities; conversely, when the feature score corresponding to a terminal ID is not greater than a predetermined value, negative reinforcement is performed by the feature score corresponding to the terminal ID by the reinforcement coefficient, and when the negative reinforcement is performed, the reinforcement coefficient is obtained by multiplying the minimum value of the two probabilities. The predetermined value may be set as needed, and may be, for example, 0.05, 0.1, 0.2, or the like. The reinforcement characteristic score is calculated by multiplying the reinforcement coefficient and the characteristic score corresponding to each terminal ID.
In S6, the score of the terminal ID identified by the mac large database is recorded as the score threshold, and the score threshold is, for example, 0.5, but may be designed to be another value as required. There is typically only one reinforcement feature score greater than the score threshold. And when the scores of the plurality of strengthening features are larger than the score threshold value, the terminal ID corresponding to the maximum value is taken as the identification result.
The above procedure is described below in connection with specific examples:
and acquiring a terminal mac address and a characteristic, wherein the terminal mac address is 52B858ED9EA6, the strong characteristic vendor is androID ID-dhcp-12, the strong characteristic hostname is xiaomi-12, and the weak characteristic http is 2201123C.
Performing feature recognition on the obtained feature input feature corresponding terminal ID library to determine the terminal IDs matched with different features in the feature corresponding terminal ID library, wherein the obtained result is as follows:
the terminal ID containing the characteristic androID-dhcp-12 is as follows:
[10004,10009,12588,13215,13085,15542,15541];
the terminal ID containing the characteristic xiaomi-12 is as follows: [15541, 15542];
the terminal ID including the feature 2201123C is as follows: [15542].
In S210, the feature number of each terminal ID hit is as follows:
{15542:3,15541:2,10004:1,10009:1,12588:1,13215:1,13085:1}。
in S220, the number of dimensions of the features included in each terminal ID is queried in the feature-corresponding terminal ID library, which is specifically as follows:
{15542:3,15541:3,10004:3,10009:3,12588:2,13215:4,13085:3}。
then, the feature hit rate corresponding to each terminal ID is as follows:
{15542:3/3,15541:2/3,10004:1/3,10009:1/3,12588:1/2,13215:1/4,13085:1/3}
={15542:1,15541:0.67,10004:0.33,10009:0.33,12588:0.5,13215:0.25,13085:0.33}。
since 7 terminal IDs including the feature androID-dhcp-12, 2 terminal IDs including the feature xiaomi-12 and 1 terminal ID including the feature 2201123C, the score corresponding to the vendor feature is 1/7, the score corresponding to the hostname feature is 1/2 and the score corresponding to the http feature is 1/1.
In S230, the characteristic coefficient corresponding to each terminal ID is as follows:
{15542:1+1/2+1/7,15541:1/2+1/7,10004:1/7,10009:1/7,12588:1/7,13215:1/7,13085:1/7}
={15542:1.62,15541:0.62,10004:0.14,10009:0.14,12588:0.14,13215:0.14,13085:0.14}。
in S230, the feature hit score of each terminal id=the feature hit rate of each terminal id×the feature coefficient corresponding to each terminal ID, specifically as follows:
{15542:1×1.62,15541:0.67×0.62,10004:0.33×0.14,10009:0.33×0.14;12588:0.5×0.14,13215:0.25×0.14,13085:0.33×0.14}
={15542:1.62,15541:0.42,10004:0.05,10009:0.05,12588:0.07,13215:0.04,13085:0.05}。
in S310, the number of mac feature hits corresponding to each terminal ID is as follows:
{15542:3,15541:2,10004:1,10009:1,12588:1,13215:1,13085:1};
in S320, assuming that each terminal mac address reports 3 dimensions of features, the total mac feature number corresponding to each terminal ID is 3.
The mac match score is therefore as follows:
{15542:3/3,15541:2/3,10004:1/3,10009:1/3,12588:1/3,13215:1/3,13085:1/3}
={15542:1,15541:0.67,10004:0.33,10009:0.33,12588:0.33,13215:0.33,13085:0.33}。
in S40, the feature score=feature hit score×mac matching score corresponding to each terminal ID is specifically as follows:
{15542:1.62×1,15541:0.42×0.67,10004:0.05×0.33,10009:0.05×0.33,12588:0.07×0.33, 13215:0.04×0.33,13085:0.05×0.33}
={15542:1.62,15541:0.28,10004:0.02,10009:0.02,12588:0.02,13215:0.01,13085:0.02}。
in S50, the probability of recognizing that the corresponding terminal type is the mobile phone is 0.8 and the probability of recognizing that the corresponding terminal type is the router is 0.2 by identifying 52B858 (oui feature obtained according to the acquired terminal mac address) through the oui fuzzy recognition library. And identifying the androID ID-dhcp-12 (vendor characteristics) according to the vendor corresponding terminal type library, wherein the probability of identifying the corresponding terminal type as a mobile phone is 0.9, and the other terminal types are 0.1.
In S50, the reinforcement feature score corresponding to each terminal ID is as follows:
{15542:1.62×0.8×0.9,15541:0.28×0.8×0.9,10004:0.02×0.2×0.1,10009:0.02×0.2×0.1,12588:0.02×0.2×0.1,13215:0.01×0.2×0.1,13085:0.02×0.2×0.1};
={15542:1.12,15541:0.20,10004:0.0004,10009:0.0004,12588:0.0004,13215:0.0002,13085:0.0004}。
from the S50, it is known that: and if the reinforcement feature score corresponding to the terminal ID 15542 is 1.12 and is greater than the score threshold value 0.5, in S6, the terminal ID of the final recognition result is 15542.
The corresponding terminal type and/or terminal model can be determined according to the identified terminal ID, which is a known technology and will not be described in detail herein.
Example 2
The embodiment discloses a terminal identification system, which comprises:
the data acquisition unit is used for acquiring the mac address and the characteristics of the terminal required by identification;
a judging unit, configured to determine whether a feature is acquired and whether a mac large database identifies a terminal ID corresponding to the terminal mac address;
a first result determining unit, configured to, when no feature is acquired and the mac large database identifies a terminal ID corresponding to the mac address of the terminal, take the terminal ID identified by the mac large database as an identification result;
a second result determining unit, configured to, when no feature is acquired and the mac large database does not identify a terminal ID corresponding to the terminal mac address, take, as an identification result, a result obtained by identifying oui features of the terminal mac address by the oui fuzzy identification library;
a third result determining unit, configured to determine, when a feature is acquired and a mac large database does not identify a terminal ID corresponding to the mac address of the terminal, an enhanced feature score of each terminal ID according to the feature, and take, as an identification result, a terminal ID corresponding to one of the enhanced feature scores that is the largest;
a fourth result determining unit, configured to determine, when a feature is acquired and a mac large database identifies a terminal ID corresponding to the terminal mac address, an enhanced feature score of the terminal ID according to the feature; comparing the enhanced feature score of the terminal ID with a score threshold; if the reinforcement feature score is determined to be greater than the score threshold, taking a terminal ID corresponding to the reinforcement feature score which is greater than the score threshold as an identification result; and if all the enhanced feature scores are smaller than or equal to the score threshold, taking the terminal ID corresponding to the terminal mac address identified by the mac large database as an identification result.
Example 3
The present embodiment discloses a storage medium in which a program is stored, which when executed implements the terminal identification method as described above.
Example 4
The embodiment discloses an apparatus comprising a memory and a processor, the memory storing a program processable by the processor, the program when executed implementing the terminal identification method as described above.
The invention has various embodiments, and all technical schemes formed by equivalent transformation or equivalent transformation fall within the protection scope of the invention.

Claims (6)

1. The terminal identification method is characterized by comprising the following steps:
s1, acquiring a terminal mac address and characteristics required by identification;
s2, determining whether the characteristics are acquired and whether a mac large database identifies a terminal ID corresponding to the terminal mac address;
s3, if the characteristics are not obtained and the mac large database identifies the terminal ID corresponding to the mac address of the terminal, taking the terminal ID identified by the mac large database as an identification result;
s4, if the characteristics are not obtained and the mac large database does not identify the terminal ID corresponding to the terminal mac address, using a oui characteristic of the terminal mac address identified by a oui fuzzy identification library as an identification result;
s5, if the characteristics are obtained and the terminal ID corresponding to the terminal mac address is not identified by the mac large database, determining the reinforcement characteristic score of each terminal ID according to the characteristics and taking the terminal ID corresponding to the one with the largest reinforcement characteristic score as an identification result;
s6, if the characteristics are obtained and the mac large database identifies the terminal ID corresponding to the mac address of the terminal, determining the enhanced characteristic score of the terminal ID according to the characteristics; comparing the enhanced feature score of the terminal ID with a score threshold; if the reinforcement feature score is determined to be greater than the score threshold, taking a terminal ID corresponding to the reinforcement feature score which is greater than the score threshold as an identification result; if all the enhanced feature scores are smaller than or equal to the score threshold, taking the terminal ID corresponding to the terminal mac address identified by the mac large database as an identification result;
the step of determining the enhanced feature score of the terminal ID according to the features comprises the following steps:
s10, determining a terminal ID corresponding to each feature through feature identification;
s20, calculating the feature hit score corresponding to each terminal ID determined in S10;
s30, calculating mac matching scores corresponding to the terminal IDs determined in the S10;
s40, calculating the feature score corresponding to each terminal ID according to the mac matching score and the feature hit score;
s50, calculating the strengthening characteristic score corresponding to each terminal ID according to the strengthening coefficient and the characteristic score corresponding to each terminal ID;
the step S20 includes the steps of:
s210, determining the feature number hit by each terminal ID;
s220, calculating the feature hit rate corresponding to each terminal ID according to the feature number hit by the terminal ID;
s230, calculating the feature hit score corresponding to each terminal ID according to the feature coefficient corresponding to each terminal ID and the feature hit rate;
in S230, the feature coefficient corresponding to each terminal ID is the sum of scores corresponding to all features included in the terminal ID, each feature is one of the features acquired in S1, and the score corresponding to the feature is 1/n, where n is the number of terminal IDs including the feature determined in S10;
in S50, when the feature score corresponding to a terminal ID is greater than a predetermined value, the feature score corresponding to the terminal ID is positively enhanced by the enhancement coefficient, otherwise, the feature score corresponding to the terminal ID is negatively enhanced by the enhancement coefficient.
2. The terminal identification method according to claim 1, wherein said S30 comprises,
s310, calculating the mac feature number of hits corresponding to each terminal ID;
s320, calculating the mac matching score corresponding to each terminal ID according to the mac feature hit number corresponding to each terminal ID and the mac total feature number corresponding to each terminal ID.
3. A terminal identification method according to any of claims 1-2, characterized in that: in the step S6, if there are a plurality of the reinforcement feature scores greater than the score threshold, the terminal ID corresponding to the maximum value of the plurality of reinforcement feature scores greater than the score threshold is used as the recognition result.
4. A terminal identification system, comprising:
the data acquisition unit is used for acquiring the mac address and the characteristics of the terminal required by identification;
a judging unit, configured to determine whether a feature is acquired and whether a mac large database identifies a terminal ID corresponding to the terminal mac address;
a first result determining unit, configured to, when no feature is acquired and the mac large database identifies a terminal ID corresponding to the mac address of the terminal, take the terminal ID identified by the mac large database as an identification result;
a second result determining unit, configured to, when no feature is acquired and the mac large database does not identify a terminal ID corresponding to the terminal mac address, take, as an identification result, a result obtained by identifying oui features of the terminal mac address by the oui fuzzy identification library;
a third result determining unit, configured to determine, when a feature is acquired and a mac large database does not identify a terminal ID corresponding to the mac address of the terminal, an enhanced feature score of each terminal ID according to the feature, and take, as an identification result, a terminal ID corresponding to one of the enhanced feature scores that is the largest;
a fourth result determining unit, configured to determine, when a feature is acquired and a mac large database identifies a terminal ID corresponding to the terminal mac address, an enhanced feature score of the terminal ID according to the feature; comparing the enhanced feature score of the terminal ID with a score threshold; if the reinforcement feature score is determined to be greater than the score threshold, taking a terminal ID corresponding to the reinforcement feature score which is greater than the score threshold as an identification result; if all the enhanced feature scores are smaller than or equal to the score threshold, taking the terminal ID corresponding to the terminal mac address identified by the mac large database as an identification result;
an enhanced feature score determining unit for determining an enhanced feature score of a terminal ID according to the feature, comprising:
the terminal ID identification module is used for determining the terminal ID corresponding to each feature through feature identification;
the first calculation module is used for calculating the feature hit score corresponding to each terminal ID determined by the terminal ID recognition module;
the second calculation module is used for calculating the mac matching score corresponding to each terminal ID determined by the terminal ID recognition module;
the third calculation module is used for calculating the feature score corresponding to each terminal ID according to the mac matching score and the feature hit score;
the fourth calculation module is used for calculating the strengthening characteristic score corresponding to each terminal ID according to the strengthening coefficient and the characteristic score corresponding to each terminal ID; when the feature score corresponding to a terminal ID is larger than a preset value, positively strengthening the feature score corresponding to the terminal ID through the strengthening coefficient, otherwise, negatively strengthening the feature score corresponding to the terminal ID through the strengthening coefficient;
the first computing module includes:
the feature number determining module is used for determining the feature number hit by each terminal ID;
the characteristic hit rate determining module is used for calculating the characteristic hit rate corresponding to each terminal ID according to the characteristic number hit by the terminal ID;
the feature hit score calculation module is used for calculating the feature hit score corresponding to each terminal ID according to the feature coefficient and the feature hit rate corresponding to each terminal ID; the feature coefficient corresponding to each terminal ID is the sum of scores corresponding to all features contained in the terminal ID, each feature is one of the features acquired by the data acquisition unit, the score corresponding to the feature coefficient is 1/n, and n is the number of the terminal IDs containing the feature determined by the terminal ID recognition module.
5. A storage medium in which a program is stored, characterized in that: the program when executed implements the terminal identification method according to any one of claims 1 to 3.
6. Terminal identification device, including memory and treater, the memory stores the procedure that can be handled by the treater, its characterized in that: the program when executed implements the terminal identification method according to any one of claims 1 to 3.
CN202310846632.9A 2023-07-11 2023-07-11 Terminal identification method, system, storage medium and equipment Active CN116561403B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310846632.9A CN116561403B (en) 2023-07-11 2023-07-11 Terminal identification method, system, storage medium and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310846632.9A CN116561403B (en) 2023-07-11 2023-07-11 Terminal identification method, system, storage medium and equipment

Publications (2)

Publication Number Publication Date
CN116561403A CN116561403A (en) 2023-08-08
CN116561403B true CN116561403B (en) 2023-10-20

Family

ID=87498650

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310846632.9A Active CN116561403B (en) 2023-07-11 2023-07-11 Terminal identification method, system, storage medium and equipment

Country Status (1)

Country Link
CN (1) CN116561403B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109951354A (en) * 2019-03-12 2019-06-28 北京奇虎科技有限公司 A kind of terminal device recognition methods, system and storage medium
CN111177483A (en) * 2019-12-04 2020-05-19 北京奇虎科技有限公司 Terminal device identification method, device and computer readable storage medium
CN112202610A (en) * 2020-09-29 2021-01-08 苏州迈科网络安全技术股份有限公司 Terminal model identification system and method based on MAC address
CN116319408A (en) * 2022-09-07 2023-06-23 苏州迈科网络安全技术股份有限公司 Terminal equipment model identification method based on feature vector

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109951354A (en) * 2019-03-12 2019-06-28 北京奇虎科技有限公司 A kind of terminal device recognition methods, system and storage medium
CN111177483A (en) * 2019-12-04 2020-05-19 北京奇虎科技有限公司 Terminal device identification method, device and computer readable storage medium
CN112202610A (en) * 2020-09-29 2021-01-08 苏州迈科网络安全技术股份有限公司 Terminal model identification system and method based on MAC address
CN116319408A (en) * 2022-09-07 2023-06-23 苏州迈科网络安全技术股份有限公司 Terminal equipment model identification method based on feature vector

Also Published As

Publication number Publication date
CN116561403A (en) 2023-08-08

Similar Documents

Publication Publication Date Title
CN109586952B (en) Server capacity expansion method and device
CN107634964B (en) WAF (Wireless Access Filter) testing method and device
CN109951354B (en) Terminal equipment identification method, system and storage medium
CN111800430A (en) Attack group identification method, device, equipment and medium
CN111885001A (en) Abnormal login behavior recognition method, controller and medium
CN113157854B (en) API sensitive data leakage detection method and system
CN106407203A (en) Method and device for identifying target terminal
CN112487210A (en) Abnormal device identification method, electronic device, and medium
CN111985192A (en) Web attack report generation method, device, equipment and computer medium
CN110430245B (en) Control method, device, equipment and medium for abnormal account identification
CN116561403B (en) Terminal identification method, system, storage medium and equipment
CN113949525A (en) Method and device for detecting abnormal access behavior, storage medium and electronic equipment
CN117150294A (en) Outlier detection method, outlier detection device, electronic equipment and storage medium
CN112732560A (en) Method and device for detecting file descriptor leakage risk
CN111859040B (en) Data matching method, device and related equipment
WO2020062227A1 (en) Method and device for recognizing apparatus and computer readable storage medium and program
CN111258788B (en) Disk failure prediction method, device and computer readable storage medium
CN116155539A (en) Automatic penetration test method, system, equipment and storage medium based on information flow asynchronous processing algorithm
CN114900835A (en) Malicious traffic intelligent detection method and device and storage medium
CN116208513A (en) Gateway health degree prediction method and device
CN113242302A (en) Data access request processing method and device, computer equipment and medium
CN111885159A (en) Data acquisition method and device, electronic equipment and storage medium
CN112052449A (en) Malicious file identification method, device, equipment and storage medium
CN113542211B (en) Information processing method and device
CN110096555B (en) Table matching processing method and device for distributed system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant