TW201526589A - Method for selectively allowing or stopping the internet access request traffic sharing the public IP on the basis of present time, and the current state detecting and stopping system for executing the method sharing the public IP - Google Patents


Info

Publication number
TW201526589A
Authority
TW
Taiwan
Prior art keywords
user
traffic
client terminal
router
website
Prior art date
Application number
TW103102803A
Other languages
Chinese (zh)
Other versions
TWI577163B (en)
Inventor
Jong-Ho Choi
Seung-Kwang Koh
Original Assignee
Planty Net Co Ltd
Application filed by Planty Net Co Ltd
Publication of TW201526589A
Application granted
Publication of TWI577163B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/55 Push-based network services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method for selectively allowing or blocking Internet connection request traffic sharing a public IP on the basis of the current time, and a public-IP-sharing current-state detection and blocking system for executing the method. The method and system selectively allow or block the Internet connection request traffic of terminals requesting connection by detecting the number of user terminals using the same public IP in a private network and comparing it with the allotted permitted number of terminals. Because suspected router-overuse users are pre-screened first, only users of a public IP already under suspicion are examined for an actual router-overuse state and have their web traffic blocked, so users unrelated to router sharing are almost unaffected by the router detection system. Internet speed is also almost unchanged while suspected router-overuse users are being screened, and even if the detection system has an error or fails, Internet users are not affected. Moreover, in the stage that detects an actual router-overuse state and blocks access, the use of a Flash Shared Object together with cookies, which is not easily deleted by the user, reduces the likelihood of false detection or missed blocking, and terminals to be allowed and terminals to be blocked are classified dynamically during the actual blocking stage, giving high efficiency.

Description

Method for selectively allowing or blocking Internet connection request traffic sharing a public IP on the basis of the current time, and public-IP-sharing current-state detection and blocking system for executing the method

The present invention relates to a device, and to a blocking method using that device, for a plurality of users who connect to the Internet service network provided by an Internet service provider by sharing one public IP through an IP router that translates IP addresses, such as network address translation (NAT) or a network router. Among the Internet service users, it detects in the current state those users who, through an IP router, make multiple-access connections beyond the lines permitted to them; for the IP-sharing state of such an IP-sharing user, it allows web use by the terminals whose Internet connection should be allowed on the basis of the current state, and blocks web use by the terminals whose Internet connection should be blocked on the basis of the current state.

In recent years it has become very common for client terminals such as multiple user computers to use an IP router to share one public IP assigned to an Internet service user while using the network simultaneously, and more and more companies and enterprises configure network address translation (NAT) on a router to build a firewall between the company's internal network and the external Internet, using private IPs internally as well.

On the other hand, in the infrastructure built by existing Internet service providers (ISPs), resources such as equipment, network maintenance cost and network speed are limited. As the use of network address translation, IP routers and the like increases, a plurality of users connect to one line provided by the network, causing an uncontrolled increase in traffic. As a result, users who use only one client terminal (computer) per Internet public IP line, or users who legitimately subscribe to a number of Internet public IP lines matching the number of client terminals they need, have to bear the resulting loss.

However, to correctly identify users whose number of client terminals (user terminals, user computers) exceeds the number of public IP lines subscribed through the Internet service, the IP address of the actual user terminal (user computer) must be tracked. Yet the actual IP (private IP) address of a user inside a NAT or IP router is translated into the public IP address when the traffic passes through the NAT or IP router, so the user's actual IP address cannot be determined from outside, nor can it be correctly determined how many private IPs share a particular public IP.

To solve this problem, Republic of Korea Patent Registration No. 10-0723657 (published 2007-05-23) discloses a TCP/IP-based selective allowing and blocking technique: by analysing TCP/IP packets, all sessions connected to domains under the main domain in the requested page are redirected to a shared object, the users' private IPs inside the private network using a specific public IP (Internet IP) are determined and stored in a database so that the number of users using the Internet is known accurately, and when private-IP users connect to the network simultaneously, the database-backed IP pool information and a job (JOB) are used to allow or block them. However, in order to obtain the private IP of the user computer, a separate small program (application) that reports the private IP addresses of users inside the internal network must be installed, and it must run on any user computer that attempts to connect to the Internet through a web browser. A user who notices that such a program is installed or running can delete it or stop it, so this cannot provide a fundamental solution to the problem.

On the other hand, as a countermeasure to the problems of installing a separate private-IP-collecting program on the user terminal, the technique disclosed in Republic of Korea Patent Publication No. 10-2009-0041752 (published 2009-04-29) determines the correct number of client-side terminals that need to be detected by means of a precise detection algorithm over cookies generated on the multiple client-side terminals inside the shared private network. Using a database of cookie pool information and a job (JOB) scheduler run at predetermined intervals, it allows or blocks Internet connections in the TCP/IP-based private network when the private-network users of a specific public IP connect to the Internet simultaneously beyond the permitted number of lines.

However, in such prior-art router detection and blocking methods and systems, the process that detects users who use an excessive number of terminals (computers) through an IP router and the process that blocks the users so detected are integrated, and the traffic of all users, including those whose use has nothing to do with IP routers or other sharing equipment, flows into the router detection system. This not only increases the load on the router detection system; the traffic processing speed of every user depends on the processing performance of the detection system, which slows the Internet down, and if the router detection system fails or malfunctions, the traffic of all users can no longer be processed, paralysing the Internet itself.

Moreover, the above prior art relies on a cookie stored in a specific area of the user's computer in order to detect and block router-overuse users. Such a cookie is handled by the web browser as an extension of the standard HTTP protocol that gives persistence to the client side, and it is stored in a known location on the hard disk of the user's computer. Most computer users know well how to delete cookies, and since accumulated cookies can slow the Internet down, web browsers even provide functions to delete and clean them up after a predetermined period. For example, if a public IP is used by only one computer (without an IP router or the like), and the user deletes the cookies during an Internet session and then restarts the web browser so that web traffic occurs, the prior-art blocking system misjudges this as traffic from a different computer with the same public IP (that is, traffic through an IP router) and blocks it. This problem seriously damages the reliability of the service provided by the Internet service provider.

Furthermore, in the above prior art, when an Internet service user connects to the Internet through an IP router with more terminals than the lines permitted to the user, but the number of terminals connected at any one time stays within the permitted number of lines, then if a terminal that started a connection is currently in a disconnected state, a job scheduler is run on the cookie pool database (or user identity pool database), which is a collection of records containing the identifiers that distinguish terminals connecting with the same IP, so that terminals connecting later can be allowed; the scheduler updates, at predetermined intervals, how long each identifier remains on the list. For example, a job (JOB) scheduler run every 30 minutes inspects the Internet connection time uploaded in the records of the cookie pool database and updates the information by deleting records whose connection time has not changed within a predetermined time (for example, 20 minutes) (see FIG. 5b).

In this case, however, suppose six staff members use four assigned computers to connect to the Internet and handle their respective work, working in pairs in 12-hour shifts, and only two Internet connection lines are permitted. The new pair starting a shift cannot connect to the Internet until the Internet connection records of the previous pair have been deleted by the job (JOB) scheduler that runs every 30 minutes. This period without Internet access can last as long as the job (JOB) scheduler interval (for example, 30 minutes) plus the record-deletion threshold applied after the scheduler runs (for example, 20 minutes), that is, 50 minutes, which is a great inconvenience to users.

On the other hand, if the job (JOB) scheduler interval and the record-deletion threshold are minimised to alleviate this problem, the workload of the database server increases because of the job (JOB) scheduler runs, and a user who briefly attends to other business or takes a short break loses the Internet connection permission of their own terminal, which is also inconvenient.

The present invention is a technical means for solving these problems of the prior art. It is a method for selectively allowing or blocking Internet connection request traffic sharing a public IP, which selectively allows and blocks the Internet connection request traffic of terminals requesting connection (for example, the HTTP request traffic generated by a user under the TCP/IP-based HTTP protocol, that is, HTTP requests using methods such as GET and POST) by detecting the number of user terminals on a private network using the same public IP and comparing it with the allotted permitted number of terminals. It is characterised by comprising: (I) a subscriber-traffic mirroring stage, in which, when a client terminal runs a web browser and requests a connection to a website on the Internet, a mirroring device installed in the backbone network of the Internet service provider mirrors the website connection request traffic originating from the client terminal and transmits the mirrored website connection request traffic to a push server so as to confirm whether it belongs to a suspected IP-router-overuse user; (II) a suspected-overuse-user public-IP confirmation stage, in which the push server confirms whether the mirrored website connection request traffic is from a public IP that the push server has previously selected, from the public IP and cookie information contained in an earlier connection, as the public IP of a suspected router-overuse user; and (III) a router-overuse-state detection and blocking decision stage, in which, if the public IP has been selected as that of a suspected router-overuse user, then in order to reduce load the push server first checks whether the mirrored website connection request traffic is traffic that can be the subject of a block-or-allow decision, and if it is, transmits a second fake response to the client terminal (called the "second fake response traffic" to distinguish it from the "first fake response traffic" described later). By means of this second fake response, a 100% frame generated on the user's client terminal carries, as a parameter, the address of the website the user originally tried to reach and is redirected to a detection and blocking web server, so that detection-and-blocking forwarded traffic is transmitted from the client terminal to the detection and blocking web server. The detection and blocking web server then, in a 0% detection frame generated independently of the received 100% frame and of the user's public IP extracted from the forwarded traffic, executes the router-overuse detection algorithm using the unique parameter value of a Flash Shared Object received from the user's client terminal and stored under a set parameter name such as a user identity (a "Flash Shared Object" is data stored in binary form in a location of the user's hard disk unknown to the user, which the user cannot easily delete and which, unlike a cookie, carries no expiry date or validity period for the persisted data). As a result, traffic of users not in a router-overuse state is allowed to connect to the website requested by the user's client terminal, while for traffic of users detected to be in a router-overuse state, supplementary processing conditions decide whether the website connection request of that user's client terminal is allowed or blocked.

Furthermore, in the suspected-router-overuse-user public-IP confirmation stage of the present invention, a more specific method that also includes the processing stage for public IPs not yet selected as those of suspected router-overuse users is as follows: (I) a subscriber-traffic mirroring stage, in which, when a client terminal runs a web browser and requests a connection to a website on the Internet, a mirroring device installed in the backbone network of the Internet service provider mirrors the website connection request traffic originating from the client terminal and transmits it to the push server so as to confirm whether it belongs to a suspected IP-router-overuse user; (II) a suspected-overuse-user public-IP confirmation stage, in which the push server confirms whether the mirrored website connection request traffic is from a public IP that the push server has previously selected, from the public IP and cookie information contained in an earlier connection, as the public IP of a suspected router-overuse user; (III-A) a suspected-router-overuse-user selection and upload stage, in which, if the public IP has not been selected as that of a suspected router-overuse user, the push server verifies from the public IP and cookie information contained in the mirrored website connection request traffic whether the IP is in a state that should be selected as a suspected router-overuse user; if it is so selected, the push server uploads that IP and transmits to the client terminal a first fake response containing a command to store on the client terminal a cookie set to the current time, with a unique variable such as a sign parameter defining the cookie's validity period, and a redirect command that leads the browser to reconnect to the website it originally tried to reach; and (III-B) a router-overuse-state detection and blocking decision stage, in which, if the public IP has been selected as that of a suspected router-overuse user, then in order to reduce load the push server first checks whether the mirrored website connection request traffic is traffic that can be the subject of a block-or-allow decision, and if it is, transmits a second fake response to the client terminal so that a 100% frame generated on the user's client terminal carries, as a parameter, the address of the website the user originally tried to reach and is redirected to the detection and blocking web server, whereupon detection-and-blocking forwarded traffic is transmitted from the client terminal to the detection and blocking web server; the detection and blocking web server then, in a 0% detection frame generated independently of the received 100% frame and of the user's public IP extracted from the forwarded traffic, executes the router-overuse detection algorithm using the unique parameter value of the Flash Shared Object received from the user's client terminal; traffic of users not in a router-overuse state is allowed to connect to the website requested by the user's client terminal, while for traffic of users detected to be in a router-overuse state, supplementary processing conditions decide whether the website connection request of that user's client terminal is allowed or blocked. Mirrored website connection request traffic that has passed through the suspected-router-overuse-user selection and upload stage is discarded at the push server regardless of whether the IP was selected as a suspected router-overuse user, and the Internet connection of the original website connection request traffic is allowed. When the router-overuse-state detection of the router-overuse-state detection and blocking decision stage does not find a router-overuse state, or when the block-or-allow decision for the website connection of a user client terminal in a router-overuse state allows the connection under the supplementary processing conditions, the detection and blocking web server allows the website connection by redirecting to the original destination website that the user's client terminal attached as a parameter to the detection-and-blocking forwarded traffic.
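The push-server pre-screening of stages (II), (III-A) and (III-B) above, worked as an added example; this is a hypothetical Python model written for this page, not code from the patent or from Planty Net. It assumes that a mirrored request is a dict with `public_ip`, `url` and optional `method` and `cookies` keys, that the `sign` cookie holds its issue time, that an IP is selected as a suspect when a request arrives without a valid `sign` cookie although one was issued to that IP within the validity window (the page does not state the push server's exact selection rule, so this is an assumption, and the first bare request from an IP is used to seed the cookie), and that only GET requests for page-like URLs are eligible for the second fake response; the detection server address is a placeholder.

```python
"""Push-server pre-screening (hypothetical model, not the patent's own code).
A mirrored request is a dict with public_ip, url, optional method and cookies."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import quote

SIGN_VALIDITY = 30 * 60   # assumed validity of the sign cookie, in seconds
DETECT_SERVER = "http://detect.example.invalid/check"   # placeholder, not a real host
STATIC_SUFFIXES = (".js", ".css", ".png", ".jpg", ".gif", ".ico")


@dataclass
class Decision:
    action: str                       # "PASS", "FIRST_FAKE" or "SECOND_FAKE"
    redirect: Optional[str] = None    # Location of the fake response, if any
    set_cookie: Optional[str] = None  # sign value the client is told to store


@dataclass
class PushServer:
    suspects: Set[str] = field(default_factory=set)                  # "uploaded" IPs
    issued: Dict[str, Dict[str, int]] = field(default_factory=dict)  # ip -> {sign: issue time}

    def _live_signs(self, ip: str, now: int) -> Dict[str, int]:
        """Drop sign values whose validity period has elapsed."""
        live = {s: t for s, t in self.issued.get(ip, {}).items() if now - t < SIGN_VALIDITY}
        self.issued[ip] = live
        return live

    def handle(self, req: dict, now: int) -> Decision:
        ip, url = req["public_ip"], req["url"]
        if ip in self.suspects:
            return self._suspect_path(req, url)          # stage (III-B)
        # stage (III-A): not yet a suspect, judge by the cookie carried
        live = self._live_signs(ip, now)
        sign = req.get("cookies", {}).get("sign")
        if sign is not None and sign in live:
            return Decision("PASS")                      # browser we already tagged
        if live:
            # A valid sign was issued to this IP, but this request lacks it:
            # more than one browser appears to sit behind the IP (assumed rule).
            self.suspects.add(ip)
        new_sign = str(now)
        live[new_sign] = now                             # same dict as issued[ip]
        # First fake response: store the cookie, then return to the original site.
        return Decision("FIRST_FAKE", redirect=url, set_cookie=new_sign)

    def _suspect_path(self, req: dict, url: str) -> Decision:
        if req.get("method", "GET") != "GET" or url.lower().endswith(STATIC_SUFFIXES):
            return Decision("PASS")                      # not block-decision eligible
        # Second fake response: redirect to the detection server with the
        # original target carried as a parameter.
        return Decision("SECOND_FAKE", redirect=f"{DETECT_SERVER}?target={quote(url, safe='')}")


def simulate() -> Tuple[List[str], PushServer]:
    """Constructed trace: one home user, then a second browser behind the same IP."""
    ip = "203.0.113.5"
    page = {"public_ip": ip, "url": "http://site.example.invalid/index.html"}
    srv = PushServer()
    trace = [
        (dict(page), 0),                                         # first visit: cookie seeded
        (dict(page, cookies={"sign": "0"}), 10),                 # same browser: passes
        (dict(page), 20),                                        # bare request: second browser
        (dict(page, cookies={"sign": "0"}), 30),                 # suspect IP: to detection server
        (dict(page, url="http://site.example.invalid/app.js"), 40),  # static asset: passes
    ]
    return [srv.handle(r, t).action for r, t in trace], srv
```

The point of the model is the load split the patent describes: the push server only ever answers with a cheap redirect, and a single-browser IP never reaches the detection server, while a cookie deleted mid-session produces the false suspicion the page discusses, which the detection server's later check is meant to resolve.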

In addition, the router-overuse-state user traffic detection stage, which forms part of the router-overuse-state detection and blocking stage and is executed by the detection and blocking web server, preferably comprises the following stages. The detection and blocking web server, through the 0% detection frame, requests the unique parameter value stored under a set parameter name such as a user identity in the Flash Shared Object of the user's client terminal (user computer). In this request stage, if the unique user identity value received from the client terminal is judged valid, that is, a value equal to the user identity value of the currently connecting user client terminal (user computer) exists in the user identity list held by the database server for that user IP (ID) within the last 24 hours, the connection time of that user identity is updated in the database server and the connection to the website requested by the user's client terminal is allowed. If, in the request stage, no unique user identity value can be received from the client terminal, or one is received but is judged invalid because no equal value exists in the user identity list for that IP (ID) within the last 24 hours, then the server looks up the number of valid user identities within the last 24 hours for that user IP (ID) in the current database server and the number of router computers permitted for that user IP (ID): (a) if the number of valid user identities is fewer than the permitted number of computers, it is judged that the user is not currently in a router-overuse state; a new unique user identity value is generated for the currently connecting user client terminal (user computer), stored in the user's client terminal and uploaded to the database server together with the connection time, and the user is allowed to connect to the website requested by the client terminal; and (b) if the number of valid user identities exceeds the permitted number of computers, it is judged that the user is currently in a router-overuse state, and for the currently connecting user client terminal (user computer) a block-or-allow decision stage is carried out under supplementary processing conditions to decide whether the connection request traffic for the Internet connection is allowed or blocked.

Further, the above stage of deciding whether to block or allow the Internet connection request traffic by applying supplementary processing conditions preferably comprises: (b1) if the list of valid user identifiers for that user IP (ID) within the first set time (T-1; for example, 24 hours) on the database server contains a user identifier whose uploaded connection time lies more than the second set time (T-2; for example, 30 minutes) before the current time, deleting from the list on the database server the user identifier with the oldest connection time, generating a new unique user-identifier parameter value for the currently connected user client terminal (user computer), storing it on the user client terminal and uploading it to the database server together with the connection time, and allowing the user to connect to the website requested by the client terminal; and (b2) if the list of valid user identifiers for that user IP (ID) within 24 hours on the database server contains no user identifier whose uploaded connection time lies more than 30 minutes before the current time, blocking the connection of the currently connected user client terminal (user computer) to the requested website.

The present invention provides a public IP sharing state detection and blocking system which carries out the above method invention: it detects the number of user client terminals on a private network that use the same public IP, compares it with the allocated allowed number, and selectively allows and blocks the Internet connection request traffic of client terminals requesting connection according to the IP sharing state. It is characterized by comprising: a mirroring device, installed in the backbone network of the Internet service provider, which, when a client terminal of an Internet service user requests a connection to a website on the Internet by running a web browser, mirrors the website connection request traffic originating from the client terminal; a push server, which checks whether the user's public IP in the mirrored website connection request traffic is a public IP that the push server has already selected as a router over-use suspect on the basis of the public IP and cookie information contained in the previous connection traffic and, if it is a public IP selected as a router over-use suspect, in order to reduce the load on the detection and blocking web server, performs a stage of confirming whether the mirrored website connection request traffic is traffic eligible for a block-or-allow decision and, if it is, transmits a second fake response traffic to the client terminal so that a detection and blocking forwarding traffic, which carries as a parameter the address of the website the user originally tried to reach in a 100% frame generated on the user client terminal and redirects to the detection and blocking web server, is transmitted from the client terminal to the detection and blocking web server; and a detection and blocking web server, which, by means of a 0% detection frame generated independently of the user's public IP extracted from the detection and blocking forwarding traffic transmitted from the user client terminal and of the 100% frame, stores on the database server the unique parameter value of the Flash Shared Object received from the user client terminal under a set parameter name such as a user identifier, executes the router over-use state detection algorithm by searching the list stored from the connection time up to the first set time, redirects user traffic that is not in a router over-use state to the original destination website attached as a parameter to the detection and blocking forwarding traffic by the user client terminal, and, for user traffic detected as being in a router over-use state, decides by supplementary processing conditions whether to allow or block the website connection request of the user client terminal.

In another aspect, the public IP sharing state detection and blocking system of the present invention further provides processing for the case in which the public IP has not been selected as a router over-use suspect, and is characterized by comprising: a mirroring device, installed in the backbone network of the Internet service provider, which, when a client terminal of an Internet service user requests a connection to a website on the Internet by running a web browser, mirrors the website connection request traffic originating from the client terminal; a push server, which checks whether the user's public IP in the mirrored website connection request traffic has been selected as a router over-use suspect on the basis of the public IP and cookie information contained in the previous connection traffic and, if it is not a public IP selected as a router over-use suspect, transmits the public IP and connection host (HOST) information contained in the mirrored website connection request traffic to the analysis server so that it can be confirmed whether the IP should be selected as a router over-use suspect, and also transmits to the client terminal a first fake response traffic that includes a command to store on the client terminal a cookie set to the current time with a unique variable such as a sign parameter defining the cookie validity period, and a redirect command that leads the client terminal to reconnect to the website the user originally tried to reach; and, if it is a public IP selected as a router over-use suspect, transmits a second fake response traffic to the client terminal so that a detection and blocking forwarding traffic, which carries as a parameter the address of the website the user originally tried to reach in a 100% frame generated on the user client terminal by the second fake response traffic and redirects to the detection and blocking web server, is transmitted from the client terminal to the detection and blocking web server; an analysis server, which stores the user's public IP and connection host (HOST) information received from the push server on the database server together with the connection time data, determines from the number of connection requests made from the public IP to a particular host within a set time whether that number exceeds the allowed value of the number of computers permitted to share the IP under the policy applied to that user, thereby decides whether to select the IP as a router over-use suspect, and transmits the decision result together with the public IP to the push server; and a detection and blocking web server, which, by means of a 0% detection frame generated independently of the user's public IP extracted from the detection and blocking forwarding traffic transmitted from the user client terminal and of the 100% frame, stores on the database server the unique parameter value of the Flash Shared Object received from the user client terminal under a set parameter name such as a user identifier, executes the router over-use state detection algorithm by searching the list stored from the connection time up to the first set time, redirects user traffic that is not in a router over-use state to the original destination website attached as a parameter to the detection and blocking forwarding traffic by the user client terminal, and, for user traffic detected as being in a router over-use state, decides by supplementary processing conditions whether to allow or block the website connection request of the user client terminal.

According to the present invention, router over-use suspects are detected in advance, and the actual router over-use state is detected, and the blocking work of the detection system is performed, only for users of such a public IP. As a result, users who are not using a router are hardly affected by the router detection system; there is almost no slowdown of Internet speed while router over-use suspects are being examined; and even if the detection system fails or malfunctions, the users' Internet access is not affected at all.

Further, in the stage of detecting the actual router over-use state and blocking it, a Flash Shared Object is used (data stored in binary form in a location on the user's hard disk that is not generally known, which the user cannot easily delete and which, unlike a cookie, has no expiry date or validity period set for the persisted data) rather than a cookie that the user can easily delete, so that the probability of false detection or false blocking is reduced.

At the same time, in the actual blocking stage, terminals that should be allowed to connect and terminals that should be blocked are distinguished dynamically, which gives the overall system high efficiency and, in particular, minimizes the workload in the state where the Internet connection should be allowed, thereby greatly improving the fundamental service efficiency of the Internet connection service.

100‧‧‧IP router

200‧‧‧public IP sharing state detection and blocking system

210‧‧‧mirroring device

220‧‧‧push server

230‧‧‧analysis server

240‧‧‧database server

250‧‧‧policy management web server

260‧‧‧detection and blocking web server

300‧‧‧Internet

Fig. 1 is an overall configuration diagram of the detection and blocking system of the present invention.

Figs. 2a and 2b are operating-state diagrams showing the process of the router over-use suspect selection stage performed by the push server and the analysis server in the detection and blocking system of the present invention.

Fig. 3 is an operating-state diagram showing the process of the router over-use state detection and blocking stage performed by the push server and the detection and blocking web server in the detection and blocking system of the present invention.

Figs. 4a to 4d are sequence diagrams of the method invention of the present invention.

Figs. 5a and 5b are timing diagrams of comparative examples, for comparison with the process of the router over-use state detection and blocking stage of the present invention shown in Fig. 5c.

Figs. 6a to 7c show embodiments of the web traffic transmitted during the router over-use suspect selection stage performed according to the present invention.

Figs. 8 and 9a to 10b show embodiments of the web traffic transmitted during the router over-use state detection and block decision stage performed according to the present invention.

Hereinafter, preferred embodiments of the present invention, which selectively allows and blocks the Internet connection request traffic of terminals requesting connection by detecting the number of user terminals on a private network that use the same public IP and comparing it with the allocated allowed number, are described with reference to the accompanying drawings.

Referring to the basic configuration diagrams and operating-state diagrams of Figs. 1 to 3 and to the diagrams of Figs. 4a to 10b, a preferred embodiment of the public IP sharing state detection and blocking system of the present invention is described first.

As shown in Fig. 1, a preferred embodiment of the public IP sharing state detection and blocking system 200 of the present invention comprises a mirroring device 210, a push server 220, an analysis server 230, a database server 240 and a detection and blocking web server 260. Specifically, the mirroring device 210, installed in the backbone network of the Internet Service Provider (ISP), mirrors the website connection request traffic originating from a client terminal (Computer-1, Computer-2, Computer-3, Computer-4) of an Internet service user when that terminal requests a connection to a website on the Internet 300 by running a web browser. The push server 220 checks whether the user's public IP in the mirrored website connection request traffic is a public IP that the push server has already selected as a router over-use suspect on the basis of the public IP and cookie information contained in the previous connection traffic. If it is not a public IP selected as a router over-use suspect, the push server transmits the public IP and connection host (HOST) information contained in the mirrored website connection request traffic to the analysis server 230 so that it can be confirmed whether the IP should be selected as a router over-use suspect, and also transmits to the client terminal (Computer-1, Computer-2, Computer-3, Computer-4) a first fake response traffic (see Fig. 6b) that includes a command to store on the client terminal a cookie set to the current time with a unique variable such as a sign parameter defining the cookie validity period, and a redirect command that leads the client terminal to reconnect to the website the user originally tried to reach. If it is a public IP selected as a router over-use suspect, then, in order to reduce the load on the detection and blocking web server, the push server performs a stage of confirming whether the mirrored website connection request traffic is traffic eligible for a block-or-allow decision ("S250" in Figs. 4a and 4c) and, if it is, transmits a second fake response traffic (see Figs. 9a and 9b) to the client terminal so that a detection and blocking forwarding traffic (see Figs. 10a and 10b), which carries as a parameter the address of the website the user originally tried to reach in a 100% frame generated on the user client terminal by the second fake response traffic and redirects to the detection and blocking web server 260, is transmitted from the client terminal to the detection and blocking web server 260. The analysis server 230 stores the user's public IP and connection host (HOST) information received from the push server 220 on the database server 240 together with the connection time data, determines from the number of connection requests made from the public IP to a particular host within a set time whether that number exceeds the allowed value of the number of computers permitted to share the IP under the policy applied to that user, thereby decides whether to select the IP as a router over-use suspect, and transmits the decision result together with the public IP to the push server 220. The detection and blocking web server 260, by means of a 0% detection frame generated independently of the user's public IP extracted from the detection and blocking forwarding traffic (see Figs. 10a and 10b) transmitted from the user client terminal and of the 100% frame, stores on the database server 240 the unique parameter value of the Flash Shared Object received from the user client terminal under a set parameter name such as a user identifier, executes the router over-use state detection algorithm by searching the list stored from the connection time up to the first set time, redirects user traffic that is not in a router over-use state to the original destination website attached as a parameter to the detection and blocking forwarding traffic by the user client terminal, and, for user traffic detected as being in a router over-use state, decides by supplementary processing conditions whether to allow or block the website connection request of the user client terminal.

Preferably, the system of the present invention further comprises a policy management web server 250, which stores on the database server 240 the list of allowed numbers of computers per shared IP managed under the different user policies and can modify that information.

As to the method invention of the present invention, according to the preferred embodiment of the specific method shown in Fig. 4a, which presents the operation of the apparatus system of Figs. 2a, 2b and 3 in the form of a sequence diagram (flow chart), there is provided a method for selectively allowing or blocking Internet connection request traffic that shares a public IP, which selectively allows and blocks the Internet connection request traffic of terminals requesting connection by detecting the number of user terminals on a private network that use the same public IP and comparing it with the allocated allowed number, and which is characterized by comprising: (I) a subscriber traffic mirroring stage ("S100"), in which, when a client terminal requests a connection to a website on the Internet by running a web browser, the mirroring device 210 installed in the backbone network of the Internet service provider mirrors the website connection request traffic originating from the client terminal and transmits the mirrored website connection request traffic to the push server 220 in order to confirm whether the user is an IP router over-use suspect; (II) a subscriber traffic over-use suspect public IP confirmation stage ("S200"), in which the push server 220 confirms whether the mirrored website connection request traffic belongs to a public IP that the push server has already selected as a router over-use suspect on the basis of the public IP and cookie information contained in the previous connection traffic; (III-A) a router over-use suspect selection and upload stage ("S210"), in which, if the public IP has not been selected as a router over-use suspect, the push server 220 verifies, from the public IP and cookie information contained in the mirrored website connection request traffic, whether it is in a state in which it should be selected as a router over-use suspect, uploads the IP if it is so selected, and transmits to the client terminal a first fake response traffic that includes a command to store on the client terminal a cookie set to the current time with a unique variable such as a sign parameter defining the cookie validity period, and a redirect command that leads the client terminal to reconnect to the website it originally tried to reach; (III-B) a router over-use state detection and block decision stage ("S400"), in which, if the public IP has been selected as a router over-use suspect, then, in order to reduce load, the push server 220 performs a stage of confirming whether the mirrored website connection request traffic is traffic eligible for a block-or-allow decision ("S250") and, if it is, transmits a second fake response traffic ("S300") to the client terminal so that a detection and blocking forwarding traffic, which carries as a parameter the address of the website the user originally tried to reach in a 100% frame generated on the user client terminal by the second fake response traffic and redirects to the detection and blocking web server 260, is transmitted from the client terminal to the detection and blocking web server 260; after which the detection and blocking web server 260, by means of a 0% detection frame generated independently of the user's public IP extracted from the received detection and blocking forwarding traffic and of the 100% frame, executes the router over-use detection algorithm on the unique parameter value of the Flash Shared Object received from the user client terminal, thereby performing router over-use state detection ("S410"), which detects user traffic in a router over-use state, and then decides by supplementary processing conditions whether to allow or block the website connection request of a user client terminal in a router over-use state ("S420a"). The mirrored website connection request traffic that has passed through the router over-use suspect selection and upload stage ("S210") is discarded in the push server 220 ("S220") regardless of whether the IP was selected as a router over-use suspect, and the Internet connection is allowed by the original website connection request traffic ("S230"). Where the traffic is not judged to be in a router over-use state in the router over-use state detection ("S410") of the router over-use state detection and block decision stage ("S400"), or where the website connection is allowed by the supplementary processing conditions in the process of deciding whether to allow or block the website connection of a user client terminal in a router over-use state ("S420a"), the detection and blocking web server 260 allows the website connection by redirecting to the original destination website attached as a parameter to the detection and blocking forwarding traffic by the user client terminal ("S420b").

Here, the router over-use suspect selection and upload stage ("S210") proceeds in more detail as shown in Fig. 4b. The mirrored "website connection request traffic" of the user client terminal (if the mirrored user traffic is not "website connection request traffic", the push server simply discards it) is inspected for the "Host" of the "URL (Uniform Resource Locator)" of the website it is trying to reach, the "URI (Uniform Resource Identifier)", the "Referer" header field (the trace left when each website is visited through a hyperlink while browsing the Internet with a web browser), and the state of the unique variable in the "Cookie" (for example, the sign variable). If the "Host" belongs to the preset primary detection target hosts (for example, the ten or so most-visited websites such as the major portals) (the first set condition below), and the other items, the "URI", the "Referer" and the unique variable of the "Cookie", all satisfy the related set conditions below, the router over-use suspect detection stage using the public IP and cookie information is set to continue; otherwise, the mirrored website connection request traffic is set to be discarded.

- Set condition: is the "Host" a primary detection target host? That is, the condition is satisfied if the Host belongs to the primary detection target hosts. The reason for this condition is to ensure that the push server performs router over-use suspect detection only for preset websites, for example only the ten or so most-visited websites, which greatly reduces the related traffic processing load. Accordingly, if the "HOST" is not a primary detection target host, the push server discards the user's mirrored traffic, so the HOST's response to the user's original website connection request traffic is transmitted (output) normally to the user client terminal (user computer). Here, preferably, the Host detected by the push server 220 means the Host including all of its subdomains; for example, if the host (HOST) detected by the push server 220 is "naver.com", it stands for *.naver.com, including subdomains such as "www.naver.com", "search.naver.com" and "a.b.c.naver.com". Therefore, when a cookie is set for the user or connection host information is transmitted to the analysis server 230, this is done on the basis of the host detected by the push server 220: for example, if the user's connection host is "www.naver.com" and the host detected by the push server 220 is "naver.com", the cookie is set for the "naver.com" domain (see "domain=.naver.com.;" in the first fake response traffic of Fig. 6b) and the host information is also transmitted to the analysis server 230 as "naver.com". When the cookie is set for the "naver.com" domain in this way, it is unconditionally sent along with the request traffic on every connection to "*.naver.com".

- Setting condition: Does the "URI" end in "/" or "/?"? That is, only when this condition is satisfied does the push server carry out the router over-use suspect detection work; the reason is that redirecting traffic whose URI does not end in "/" or "/?" causes errors.

- Setting condition: Is a "Referer" header present? Through this condition the push server determines whether the traffic is redirected traffic (the condition is satisfied when no Referer is present); it is the condition that prevents an infinite loop.

- Setting condition: Does the "Cookie" contain a "sign" variable? If the cookie contains a unique sign variable value, the traffic is a second connection to the website made through a web browser, within a prescribed period (for example 1 hour; the lifetime preset when the sign variable value is stored), from the same client terminal as the previous connection. Such traffic is not a target of router-use detection (monitoring), and the push server simply discards the mirrored user traffic.
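The four setting conditions above, and the first fake response that a request passing them receives (steps S211 to S214 and FIG. 6b), as an added illustration in Python. This is not the patent's or the applicant's code: the raw request layout, the sample target-host list, the header names and the exact Set-Cookie syntax are assumptions; the conditions themselves, the 1-hour lifetime and the cookie scope covering all subdomains of the detected host come from the description.

```python
"""Added example (not the patent's own code): the push server's pre-filter
(steps S211-S214) and the first fake response (FIG. 6b) as plain Python.
Assumptions: raw HTTP/1.x requests, a sample target-host list, and the
Set-Cookie/Location syntax of the fake response."""
from http.cookies import SimpleCookie

# Primary detection target hosts (assumed sample list; the description says
# "the ten or so most-connected portals"). A match covers all subdomains.
TARGET_HOSTS = ("naver.com", "daum.net")
SIGN_LIFETIME = 3600  # seconds: the 1-hour validity of the sign cookie


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, request-target and headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def matching_target_host(host: str):
    """Return the target host covering `host` (itself or any subdomain), else None."""
    host = host.split(":")[0].lower()
    for target in TARGET_HOSTS:
        if host == target or host.endswith("." + target):
            return target
    return None


def classify(req: dict):
    """Apply the four setting conditions in the order the description lists them.
    Returns ("upload", detected_host) for a first connection worth counting,
    or ("discard", reason) when the mirrored copy is simply dropped."""
    h = req["headers"]
    target = matching_target_host(h.get("host", ""))
    if target is None:
        return "discard", "Host is not a primary detection target"
    if not req["target"].endswith(("/", "/?")):
        return "discard", "URI does not end in / or /? (a redirect would break it)"
    if "referer" in h:
        return "discard", "Referer present: redirected traffic, avoid a loop"
    cookies = SimpleCookie()
    cookies.load(h.get("cookie", ""))
    if "sign" in cookies:
        return "discard", "sign cookie present: repeat connection within 1 hour"
    return "upload", target


def first_fake_response(req: dict, now: int) -> bytes:
    """Build the first fake response: store sign=<current time> for the detected
    host and all its subdomains, valid for 1 hour, and redirect to the original URL."""
    h = req["headers"]
    target = matching_target_host(h["host"])
    original = "http://" + h["host"] + req["target"]
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {original}\r\n"
        f"Set-Cookie: sign={now}; domain=.{target}; path=/; Max-Age={SIGN_LIFETIME}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


# Constructed sample requests modelled on the FIG. 6a / 6c / 7a cases.
FIRST_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.naver.com\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n")
RECONNECT = (b"GET / HTTP/1.1\r\nHost: www.naver.com\r\n"
             b"Referer: http://www.naver.com/\r\nCookie: sign=1265344202\r\n\r\n")
REPEAT_WITHIN_1H = (b"GET / HTTP/1.1\r\nHost: search.naver.com\r\n"
                    b"Cookie: sign=1265344202\r\n\r\n")
OTHER_APP = b"GET /api/v1/items HTTP/1.1\r\nHost: www.naver.com\r\n\r\n"

if __name__ == "__main__":
    for raw in (FIRST_REQUEST, RECONNECT, REPEAT_WITHIN_1H, OTHER_APP):
        print(classify(parse_request(raw)))
    print(first_fake_response(parse_request(FIRST_REQUEST), 1265344202).decode())
```

Only FIRST_REQUEST is uploaded to the analysis server; the reconnection triggered by the fake response (Referer plus sign cookie), a repeat visit within the hour (sign cookie only) and a non-browser request whose URI does not end in "/" are all discarded. Note that every field the filter keys on is client-controlled: a client that adds a Referer or fabricates a sign cookie is never counted as a first connection. The description accepts this, since the sign cookie only affects suspect selection and never by itself blocks traffic.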

Further, the user-traffic detection step for the router over-use state ("S410"), which forms part of the router over-use state detection and blocking step ("S400"), proceeds in more detail as shown in FIG. 4d and comprises the following steps. First, the detection and blocking web server 260 uses the 0% detection frame to request, from the Flash shared object on the user's client terminal (user computer), the unique parameter value stored under a preset parameter name such as the user identification ("S411"). Then, if a unique user-identification parameter value is received from the client terminal in step S411 and the list of user identifications for that user IP (ID) within the last 24 hours in the database server 240 contains the same value as the user identification of the currently connecting client terminal (user computer), the user identification is judged valid, its connection time is updated in the database server 240, and the connection to the website requested by the user's client terminal is allowed ("S412"). If, in step S411, no user-identification parameter value can be received from the client terminal, or one is received but the 24-hour user-identification list for that IP (ID) contains no value equal to that of the currently connecting client terminal (user computer), the user identification is judged invalid. The number of valid user identifications for that user IP (ID) within the last 24 hours held in the database server 240 and the number of router computers allowed for that user IP (ID) are then looked up ("S413"), and (a) if the number of valid user identifications is below the allowed number of computers, it is judged that the router is currently not in the over-use state, a new unique user-identification parameter value is generated for the currently connecting client terminal (user computer), stored on the client terminal and uploaded together with the connection time to the database server 240, and the user is allowed to connect to the website requested by the client terminal ("S414a"); otherwise (b), if the number of valid user identifications has reached or exceeded the allowed number of computers, it is judged that the router is currently in the over-use state ("S414b"), and for the currently connecting client terminal (user computer) a decision step is carried out under supplementary processing conditions to decide whether to block or allow the Internet connection request traffic (see "S420a" in FIG. 4a and FIG. 4d).

(b1) If the list of valid user identifications for that user IP (ID) within the first set time (T-1; for example 24 hours) in the database server 240 contains a user identification whose uploaded connection time is more than the second set time (T-2; for example 30 minutes) before the current time, the user identification with the oldest connection time is deleted from the list in the database server 240, a new unique user-identification parameter value is generated for the currently connecting client terminal (user computer), stored on the client terminal and uploaded together with the connection time to the database server 240, and the user is allowed to connect to the website requested by the client terminal ("S420b1"); (b2) if the list of valid user identifications for that user IP (ID) within the last 24 hours in the database server 240 contains no user identification whose uploaded connection time is more than 30 minutes before the current time, the currently connecting client terminal (user computer) is blocked from connecting to the requested website ("S420b2").

Thus the retention period of the user-identification list, for example the first set time (T-1) of 24 hours, is the period set for establishing the number of terminals connected through the router (that is, if a terminal reconnects within 24 hours no new user identification is generated and only its connection time is updated). Used alone, this produces an unreasonable situation: a terminal that has not connected to any Internet website for nearly 20 hours or more keeps its connection priority for the whole first set time (T-1), while terminals connecting after it are continuously refused. A solution is therefore needed that allows network connections flexibly in the current state, within the number of lines permitted for the user. For this purpose a second set time (T-2) is set independently of the first set time (T-1) that governs the retention of the user-identification list: taking the connection time of the newly connecting additional terminal as the reference, the user identification of a previous terminal whose Internet connection is older than the second set time (T-2) is deleted, a new user identification is generated for the most recently connected terminal and uploaded to the database server, and the website connection is allowed, so that connection priority is assigned dynamically.

Here, the step in which the detection and blocking web server 260 blocks the connection to the website requested by the user's client terminal ("S420b2") may be carried out as shown jointly in FIG. 4a and FIG. 4d: as a matter of policy the blocking step may return no response at all to the user, or, conversely, as shown in FIG. 4d, it may further include a step of redirecting to a blocking message page or a warning message page.

In the following, the processing of a concrete case in which a plurality of client terminals (user computers) connect to Internet websites through the IP router 100, according to the method of the present invention and the apparatus system for carrying it out, is described in more detail with reference to the drawings, in order to supplement the understanding of the structure of the invention, to present more preferred specific embodiments, and to explain the operating state, operation and effects more concretely.

As shown in FIG. 2a and FIG. 2b, consider a private network built with an IP router 100 such as a network address translation device, in which a plurality of client terminals (user computers) (computer-1, computer-2, computer-3, computer-4) each attempt to connect to the Internet. Suppose, for example, that the first computer (computer-1) starts a web browser and generates user request traffic requesting a connection to an Internet website (see "user request traffic" in FIG. 6a). This website connection request traffic (hereinafter simply "user request traffic") is mirrored, as shown by arrow "①" in FIG. 2a, in the mirroring device 210 on the backbone network of the Internet Service Provider (ISP), and the mirrored website connection request traffic is forwarded to the push server 220 so that it can be confirmed whether the user is an IP-router over-use suspect (see step "S100" in FIG. 4a).

Thus, in the public-IP confirmation step for the subscriber's user traffic ("S200") shown in FIG. 4a, the push server 220 confirms whether the public IP ("IP-Addr1" in FIG. 2a) of the user of the mirrored website connection request traffic (user ID "USER-1" in FIG. 2a) is a public IP already selected as a router over-use suspect. If it is not, the router over-use suspect selection and upload step ("S210") is carried out, using the public IP and cookie information contained in the mirrored website connection request traffic, to check whether the user is in a state in which it should be selected as a router over-use suspect and, if so, to upload it.

Here, as to the procedure of the router over-use suspect selection and upload step ("S210"), more specifically and preferably, the push server 220 first confirms whether the mirrored traffic is "website connection request traffic" (step "S211" in FIG. 4b). If the mirrored user traffic is not website connection request traffic, the push server simply discards the mirrored user traffic, so that the website connection proceeds through the original traffic.

Further, if it is website connection request traffic, the following steps are carried out: the step of checking the first setting condition (whether the "Host" is a primary monitoring target host) ("S212"); the step of checking the second and third setting conditions (whether the "URI" ends in "/" or "/?", and whether a "Referer" is present) ("S213"); and the step of checking the fourth setting condition (whether the "Cookie" included in the website connection request traffic contains a parameter value called "sign") ("S214").

The user request traffic shown in FIG. 6a is website connection request traffic and satisfies (YES) all of the setting conditions described above: the "Host" is a primary detection target host, the "URI" ends in "/" or "/?", there is no "Referer", and there is no sign variable in the "Cookie" (indicating a computer requesting a connection for the first time within the prescribed period). The push server 220 therefore transmits the user IP and the connected host (HOST) information to the analysis server 230 (step "S215a" in FIG. 4b), and the analysis server 230 detects on that basis whether the user is a router over-use suspect (step "S216a" in FIG. 4b).

At this time the analysis server 230 stores the user IP and connected host information received from the push server 220 in the database server 240 and records the storage time. If, within a prescribed period (for example 1 hour), the same public IP initiates multiple connection requests to the same host but the number of connections does not exceed the permitted number of IP-sharing computers that the policy management web server 250 manages under per-user policies, the user is not selected as a router over-use suspect (see FIG. 2a).
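The analysis server's suspect selection (steps S215a and S216a) as an added sliding-window model in Python, not the patent's own code. Each record is one upload from the push server, that is, one first connection (no sign cookie) from a public IP to a host; the 1-hour window and the allowed count follow the description's example values, while the in-memory storage, the per-IP policy dictionary and the list handed to the push server are assumptions.

```python
"""Added example (not the patent's own code): the analysis server's selection
of router over-use suspects from first-connection uploads. Storage and the
per-user policy are modelled as plain Python structures."""
from collections import defaultdict, deque

WINDOW = 3600   # the prescribed period (1 hour) over which first connections are counted


class AnalysisServer:
    def __init__(self, allowed_by_ip: dict, default_allowed: int = 1):
        self.allowed_by_ip = allowed_by_ip        # policy: public IP -> permitted computers
        self.default_allowed = default_allowed
        self.records = defaultdict(deque)         # (public IP, host) -> upload times
        self.suspects = {}                        # public IP -> time it was selected

    def upload(self, ip: str, host: str, now: float) -> int:
        """Record one first connection and return how many fall inside the window.
        Only first connections reach this method: repeat visits within the hour
        carry the sign cookie and are discarded by the push server."""
        q = self.records[(ip, host)]
        q.append(now)
        while q and now - q[0] > WINDOW:
            q.popleft()
        if len(q) > self.allowed_by_ip.get(ip, self.default_allowed):
            self.suspects.setdefault(ip, now)     # S216a: selected as a suspect
        return len(q)

    def suspect_list(self) -> list:
        """The suspect IP list pushed to the push server at the prescribed interval."""
        return sorted(self.suspects)


if __name__ == "__main__":
    # Constructed timeline: IP-Addr1 permits two computers, three connect within an hour.
    srv = AnalysisServer({"IP-Addr1": 2, "IP-Addr2": 2})
    for t in (0, 300, 900):                         # computer-1, computer-2, computer-3
        print("IP-Addr1", t, srv.upload("IP-Addr1", "naver.com", t), srv.suspect_list())
    for t in (0, 3000, 7200):                       # three computers spread over two hours
        print("IP-Addr2", t, srv.upload("IP-Addr2", "naver.com", t), srv.suspect_list())
```

IP-Addr1 becomes a suspect at the third first-connection within the hour; IP-Addr2 never does, because by the time its third computer connects the first has slid out of the window. Counting is per (IP, host), so the threshold has to be reached on a single primary target host, which is why the description restricts this stage to the most-connected portals.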

On the other hand, when the push server 220 transmits the user IP and connected host information to the analysis server 230 (see arrow ③ in FIG. 2a), it also, at the same time or after a prescribed interval (in either order), transmits to the user's client terminal (user computer; computer-1) a first fake response traffic (see arrow ② in FIG. 2a) that causes the user's computer to perform the next operation. This first fake response traffic is shown in FIG. 6b.

The first fake response traffic (i) defines a variable called sign and stores a cookie whose value is the current time on the user's computer (computer-1); (ii) sets the validity period of the sign variable to 1 hour (3,600 seconds); and (iii) carries a redirect command that makes the browser reconnect to the website the user originally tried to reach.

The reconnection traffic then generated by the user's computer (computer-1) is shown in FIG. 6c. This reconnection traffic carries a "Referer" and a cookie with a sign variable value (sign=1265344202: see FIG. 6c), so even if it is mirrored again in the mirroring device 210 and forwarded to the push server 220, the push server 220 discards it.

On the other hand, if the web browser of the first computer (computer-1) is started again within 1 hour and generates user request traffic (additional connection traffic), this additional connection traffic from the same user computer (computer-1) behind the same IP is as shown in FIG. 7a: it carries no "Referer", but it does carry a cookie with a sign variable value (sign=1265344202: see FIG. 7a), so even if it is mirrored in the mirroring device 210 and forwarded to the push server 220, the push server 220 discards it.

Next, suppose the web browser of the second computer (computer-2) is started and its user request traffic is processed in the same way (the description of that process is omitted), and then the third computer (computer-3) starts a web browser and generates user request traffic requesting a connection to an Internet website (see "user request traffic" in FIG. 7b). This user request traffic is likewise mirrored, as shown by arrow "①" in FIG. 2b, in the mirroring device 210 on the backbone network of the Internet Service Provider (ISP), and the mirrored website connection request traffic is forwarded to the push server 220 so that it can be confirmed whether the user is an IP-router over-use suspect (see step "S100" in FIG. 4a).

Thus, in the public-IP confirmation step for the subscriber's user traffic ("S200") shown in FIG. 4a, the push server 220 confirms whether the public IP ("IP-Addr1" in FIG. 2b) of the user of the mirrored website connection request traffic (user ID "USER-1" in FIG. 2b) is a public IP already selected as a router over-use suspect. If it is not, the router over-use suspect selection and upload step ("S210") is carried out, using the public IP and cookie information contained in the mirrored website connection request traffic, to check whether the user is in a state in which it should be selected as a router over-use suspect and, if so, to upload it.

Here, the router over-use suspect selection and upload step ("S210") proceeds, up to the point where the analysis server 230 detects whether the user is a router over-use suspect (step "S216a" in FIG. 4b), exactly as in the case of the first computer (computer-1) described above.

This time, however, unlike the situation in FIG. 2a, as shown in FIG. 2b the number of connections to the same website by the user of public IP "IP-Addr1" (user ID "USER-1" in FIG. 2b) exceeds the permitted number of IP-sharing computers that the policy management web server 250 manages under per-user policies. The analysis server 230 therefore selects this user as a router over-use suspect, stores its public IP (IP-Addr1) in the form of a router over-use suspect IP list, and transmits the list to the push server 220 at prescribed intervals (see arrow "④" in FIG. 2b).

On the other hand, when the push server 220 transmits the user IP and connected host information to the analysis server 230 for router over-use suspect selection (see arrow ③ in FIG. 2b), it also, at the same time or after a prescribed interval (in either order), transmits the first fake response traffic described above to the user's client terminal (user computer; computer-3) (see arrow ② in FIG. 2b). This first fake response traffic is again as shown in FIG. 6b (apart from the sign value of the cookie itself).

The reconnection traffic generated by the user's computer (computer-3) in response to the first fake response traffic (see arrow "②" in FIG. 2b) is likewise as shown in FIG. 6c (apart from the sign value of the cookie itself). Because this reconnection traffic carries a "Referer" and a cookie with a sign value (see FIG. 6c), even if it is mirrored again in the mirroring device 210 and forwarded to the push server 220, the push server 220 discards it (see "S213", "S214" → "NO" → "S220" in FIG. 4b) and the user connects normally to the requested website. In other words, the presence or absence of the unique sign variable value in the cookie affects only the router over-use suspect selection and upload process; it does not affect whether the user's web traffic is blocked or allowed (it is not blocked). Consequently, even if, for example, cookies are arbitrarily deleted on the user's computer (a situation the prior art misjudged as router over-use), web traffic is not blocked, and the reliability of the Internet service provider is preserved.

On the other hand, suppose for example that after the web browser of the first computer (computer-1) has been started and the Sign variable of the cookie has been set, the set time of 1 hour elapses (so that the sign variable value disappears) and the web browser of the first computer (computer-1) is started again. The user request traffic then generated is the traffic shown in FIG. 7c.

Further, suppose that after this process the user, now selected and uploaded as a router over-use suspect, uses the Internet through a plurality of client terminals and, as shown in FIG. 3, the third computer (computer-3) again generates website connection request traffic (see arrow "⑤" in FIG. 3). This Internet website connection request traffic (see FIG. 8) is likewise mirrored by the mirroring device 210 on the backbone network of the Internet Service Provider (ISP), and the mirrored website connection request traffic is forwarded to the push server 220 (see arrow "⑥" in FIG. 3 and "S100" in FIG. 4a). The push server 220 performs the public-IP confirmation step for the subscriber's user traffic, which confirms whether the public IP of the user of the mirrored website connection request traffic is a public IP selected as a router over-use suspect (see arrow "⑦" in FIG. 3 and "S200" in FIG. 4a). Since, as described above, this is a public IP (IP-Addr1) already selected as a router over-use suspect, the push server 220, as shown in FIG. 4a and FIG. 4c, first carries out the step of confirming whether the traffic is traffic subject to blocking ("S250" in FIG. 4a and FIG. 4c); if it is traffic subject to the block-or-allow decision, the push server transmits a second fake response traffic (see FIG. 9a and FIG. 9b) to the client terminal of FIG. 3, for example to the user computer (computer-3) (see arrow "⑧" in FIG. 3 and "S300" in FIG. 4a).

Here, in the step of confirming whether the traffic is subject to the block-or-allow decision ("S250") shown in FIG. 4a, in order to reduce the load on the detection and blocking web server 260, the push server 220, specifically as shown in FIG. 4c, passes through a step of confirming whether the mirrored traffic is "website connection request traffic" (step "S251" in FIG. 4c), a step of confirming whether the connected host (HOST) of the mirrored traffic is an "extended monitoring target website" ("S252"), and a step of confirming whether the URI of the mirrored traffic ends in "/" or "/?" (if traffic whose URI does not end in "/" or "/?" were redirected, an error would occur when the detection and blocking web server 260 redirects the user to the website the user is trying to reach) and whether a Referer is present (if traffic carrying a Referer were redirected, the push server would cause an infinite loop) ("S253"). If one or more of the conditions in these confirmation steps ("S251", "S252", "S253") is not satisfied (marked "No" in the flowchart), the mirrored traffic is discarded ("S220"), as shown in FIG. 4c, and a normal connection to the website requested by the user is allowed ("S230").

Further, in the step of confirming whether the traffic is subject to the block-or-allow decision ("S250"), if the conditions for traffic subject to the block-or-allow decision are satisfied (every judgement in FIG. 4c is "Yes"), which applies to roughly 10% of website connection request traffic, the step in which the push server 220 transmits the second fake response traffic (see FIG. 9a and FIG. 9b) to the user's computer (computer-3) is carried out ("S300").

Here, the "extended monitoring target websites" are preferably selected, for example, from the roughly 1,000 most-connected websites, as websites on which no redirect error occurs (HTTP is a general-purpose protocol used not only by web browsers but also by other applications such as NateOn; if the push server redirected the traffic of such an application, the probability of the application malfunctioning would be very high).

FIG. 9a and FIG. 9b show two embodiments of the second fake response traffic (chosen as appropriate according to the requirements of the Internet service provider). In the first embodiment shown in FIG. 9a, the push server 220 generates fake response traffic made up of two frames: a 100% frame (the URL of the website the user originally tried to reach) and a 0% detection frame (the URL of the detection and blocking web server, specifying "search.jsp", which holds the commands that retrieve the user identification from the client terminal and compare it against the database server; the address of the website the user originally tried to reach is appended as a parameter). In the second embodiment shown in FIG. 9b, the push server 220 generates a second fake response traffic made up only of a 100% frame (the URL of the detection and blocking web server, specifying "check.jsp", with the URL of the website the user originally tried to reach appended as a parameter); as shown in FIG. 9c, the detection and blocking web server 260 then splits check.jsp into iframes and generates an independent 0% detection frame (the URL of the detection and blocking web server, specifying "search.jsp", which holds the commands that retrieve the user identification from the client terminal and compare it against the database server; the address of the website the user originally tried to reach is appended as a parameter). In the 0% detection frame of the first embodiment and the 100% frame of the second embodiment, the address of the website the user originally tried to reach is appended as a parameter, which generates the traffic that connects (redirects) to the detection and blocking web server 260, the server that blocks by detecting the sharing state (for example, the "detection and blocking forwarding traffic" of FIG. 10a and FIG. 10b). The reason for splitting the frames in this way is to reach the detection and blocking web server 260 without changing the address bar of the web browser (so that the user does not notice); the user's browser thus generates the traffic that connects to the detection and blocking web server 260 (the "detection and blocking forwarding traffic" of FIG. 10a or FIG. 10b) without any visible change in the browser window (see arrow "⑨" in FIG. 3).

Of course, this detection and blocking forwarding traffic of the user also passes through the backbone network of the Internet service provider, is mirrored by the mirroring device 210 and is transmitted to the push server 220; but, as shown in Figs. 10a and 10b, this mirrored traffic carries a "Referer" header and is therefore necessarily discarded by the push server 220.

Comparing the characteristics of the two types of second false response traffic: in the first embodiment the warning and blocking page can only be operated in pop-up or ordinary page form, whereas the second embodiment has the advantage that, in addition to the pop-up or ordinary page form, the warning and blocking page can take the form of an HTML layer that is always displayed even when pop-ups are blocked, so the form of the warning and blocking page can be changed flexibly.

Thus, through the second false response traffic transmission step ("S300"), the detection and blocking forwarding traffic shown in Fig. 10a (or Fig. 10b) is transmitted to the detection and blocking web server (260; shown in Figs. 10a and 10b under the URL "ipsd.com"). The detection and blocking web server 260 then, by means of the 0% detection frame generated independently of the user's public IP extracted from the forwarding traffic and of the 100% frame, stores in the database server 240 the unique parameter value of the "Flash Shared Object" received from the user's client terminal, and executes the router overuse state detection algorithm by searching the list of entries stored from the connection time back through the first set time. Thereby, user traffic that is not in router overuse state is redirected to the original destination website that the client terminal attached as a parameter to the forwarding traffic (see "S412", "S414a"; by minimizing the workload in states where the Internet connection should be allowed rather than blocked, the fundamental efficiency of the Internet connection service is greatly improved), while for user traffic detected to be in router overuse state (see "S414b") the supplementary processing conditions ("S420a") decide whether the website connection request of the client terminal in router overuse state is allowed or blocked.

Further, referring to Fig. 3, which shows the state in the user traffic detection step for router overuse ("S411"), and Fig. 4d, which shows the process as a sequence diagram: the detection and blocking web server 260, via the 0% detection frame described above, requests the unique parameter value stored under the parameter name of the user identity proof in the "Flash Shared Object" of the user's computer ("Computer-3" of Fig. 3) (arrow "⑩" of Fig. 3, reference "S411" of Fig. 4d). In step "S411" the unique parameter value of the user identity proof is received from the client terminal; if the list of user identity proofs within 24 hours for that user IP (ID) in the database server 240 contains a value identical to the user identity proof value of the currently connecting client terminal (user computer), the identity proof is judged valid, its connection time is updated in the database server 240, and connection to the website requested by the user's client terminal is allowed ("S412"). If, in "S411", no user identity proof value can be received from the client terminal, or one is received but the list of identity proofs within 24 hours for that IP (ID) contains no identical value, so the identity proof is judged invalid, then the number of valid identity proofs within 24 hours for that user IP (ID) in the current database server 240 and the permitted number of router computers for that IP (ID) are looked up ("S413"), and (a) if the number of valid identity proofs is below the permitted number of computers, the router is judged not to be in overuse state: a new unique identity proof value is generated for the currently connecting client terminal (user computer), stored in the client terminal, and uploaded together with the connection time to the database server 240; as shown by arrow "⑫" of Fig. 3, the browser is redirected to the URL the user tried to connect to (http://www.naver.com), allowing the user to connect to the website requested by the client terminal ("S414a"). At this point the main frame generated by the push server 220 is redirected and the split frames are removed (top refresh).

(b) If the number of valid identity proofs exceeds the permitted number of computers, the router is judged to be in overuse state ("S414b"), and for the currently connecting client terminal (user computer) a block-or-allow decision step is executed by the supplementary processing conditions to decide whether the connection request traffic of the Internet connection is allowed or blocked (see "S420a" of Fig. 4a and Fig. 4d).

(b1) If, among the valid identity proofs within the first set time (T-1; for example, 24 hours) for that user IP (ID) in the database server 240, there is an identity proof whose uploaded connection time lies more than the second set time (T-2; for example, 30 minutes) before the current time (compare Figs. 5a, 5b and 5c), then the identity proof with the oldest connection time is deleted from the database server 240, a new unique identity proof value is generated for the currently connecting client terminal (user computer; "Computer-3" of Fig. 3), stored in the client terminal (arrow "⑩" of Fig. 3, reference "S414a" of Fig. 4d, "user identity proof - Field-Update" of Fig. 5c) and uploaded together with the connection time to the database server 240, and the user is allowed to connect to the website requested by the client terminal ("S420b1") (the case of Fig. 5c).

By contrast, in the comparative example of Fig. 5a, regardless of whether an identity proof older than the second set time (T-2; for example, 30 minutes) exists (user identity proof-2 of Fig. 5c), the website connection of the additionally connecting terminal (user identity proof-3 of Fig. 5c) stays blocked for the whole first set time (24 hours) during which the existing proofs remain valid. The main solution proposed for the resulting problem, Korean Laid-Open Patent Publication No. 10-2009-0041752, is the further comparative example of Fig. 5b: a task scheduler updates the entire database at a predetermined interval that is not tied to individual users (30 minutes in the figure; task ①, task ②, task ③), deleting entries with no record in the 20 minutes before the update time. Comparing Fig. 5b (this comparative example) with Fig. 5c (the result of the processing method of the present invention) shows that the scheme of Fig. 5c is superior in effect; moreover, under the scheme of Fig. 5c the database is updated only when necessary, which reduces the load on the database server caused by repeatedly updating the whole database at all times through the task scheduler.

(b2) On the other hand, if the valid identity proofs within 24 hours for that user IP (ID) in the database server 240 contain no identity proof whose uploaded connection time lies more than 30 minutes before the current time, the connection to the requested website is blocked for the currently connecting client terminal (user computer; Computer-3) ("S420b2").

Here, the step ("S413") of looking up the number of valid identity proofs within 24 hours for the user IP (ID) in the current database server 240 and the permitted number of router computers for that IP (ID) proceeds, more specifically, as shown by arrow "⑪" of Fig. 3: the permitted number of shared computers for the user IP (or user ID) is looked up in the database server 240 by the user IP (see the lower table of Fig. 3), and from the user's IP (ID) and the list of identity proofs within 24 hours in the database server 240 (see the upper table of Fig. 3; identity proofs older than 24 hours are discarded) the number of identity proofs currently ("T5" in the upper table of Fig. 3) valid and stored is computed ("2" in the upper table of Fig. 3). If the computed number of stored identity proofs exceeds the permitted number of shared computers for that user ("2" in the lower table of Fig. 3), the router is judged to be in overuse state (hence the state shown in Fig. 3 is an overuse state), and subsequent processing follows the supplementary processing conditions as shown in step "S420a" of Fig. 4d and its next step ("S420b1" or "S420b2").
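The decision steps S411 to S420b2 described above, written out as an added Python example (this is not the patent's own jsp/java code): an in-memory model of the database server's identity-proof table with T-1 = 24 hours and T-2 = 30 minutes; the public IP, identity-proof values and timestamps are constructed.

```python
"""Added example, not the patent's own jsp/java code: the router-overuse
decision logic of steps S411 to S420b2 modelled over an in-memory table.
Public IP, identity-proof values and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

T1 = timedelta(hours=24)    # first set time (T-1): an identity proof stays valid this long
T2 = timedelta(minutes=30)  # second set time (T-2): idle time after which a proof may be evicted


@dataclass
class IdentityRecord:
    proof: str            # unique parameter value kept in the client's Flash Shared Object
    last_seen: datetime   # uploaded connection time, refreshed on every valid connection


@dataclass
class DetectionServer:
    """Models database server 240 as used by the detection and blocking web server 260."""
    allowed: Dict[str, int]                                  # public IP -> permitted computers (Fig. 3, lower table)
    table: Dict[str, List[IdentityRecord]] = field(default_factory=dict)  # public IP -> proofs (upper table)
    issued: int = 0

    def _new_proof(self) -> str:
        self.issued += 1
        return f"uid-{self.issued:04d}"   # constructed identity-proof value

    def _valid_list(self, ip: str, now: datetime) -> List[IdentityRecord]:
        # Proofs older than T-1 are discarded; what remains is the "valid" list of S413.
        recs = [r for r in self.table.get(ip, []) if now - r.last_seen <= T1]
        self.table[ip] = recs
        return recs

    def decide(self, ip: str, proof: Optional[str], now: datetime) -> Tuple[str, Optional[str]]:
        """Return (step reached, proof the client should store; None when blocked).

        proof is None when the client returned no identity proof in S411."""
        valid = self._valid_list(ip, now)

        # S411/S412: a known proof -> refresh its connection time and allow.
        if proof is not None:
            for rec in valid:
                if rec.proof == proof:
                    rec.last_seen = now
                    return "S412", proof

        # S413: compare the valid count with the permitted number of computers.
        # The description treats "2 stored / 2 allowed" (Fig. 3) as overuse, since the
        # new terminal would be one more, so "not overuse" means count < allowed.
        if len(valid) < self.allowed.get(ip, 1):
            new = self._new_proof()                      # S414a: issue a proof and allow
            valid.append(IdentityRecord(new, now))
            return "S414a", new

        # S414b / S420a: overuse -> supplementary processing conditions.
        if any(now - rec.last_seen > T2 for rec in valid):
            oldest = min(valid, key=lambda r: r.last_seen)   # S420b1: evict the longest-idle proof
            valid.remove(oldest)
            new = self._new_proof()
            valid.append(IdentityRecord(new, now))
            return "S420b1", new

        return "S420b2", None                                # every proof active within T-2: block


def walkthrough() -> List[str]:
    """Replays a Fig. 3-style scenario: two permitted computers and a third one arriving."""
    ip = "203.0.113.7"                                       # constructed public IP
    srv = DetectionServer(allowed={ip: 2})
    t0 = datetime(2014, 1, 1, 9, 0)
    steps = []
    s, p1 = srv.decide(ip, None, t0); steps.append(s)                        # computer-1: S414a
    s, p2 = srv.decide(ip, None, t0 + timedelta(minutes=5)); steps.append(s)   # computer-2: S414a
    s, _ = srv.decide(ip, None, t0 + timedelta(minutes=10)); steps.append(s)   # computer-3, both active: S420b2
    s, _ = srv.decide(ip, p2, t0 + timedelta(minutes=20)); steps.append(s)     # computer-2 returns: S412
    s, _ = srv.decide(ip, None, t0 + timedelta(minutes=40)); steps.append(s)   # computer-3, computer-1 idle 40 min: S420b1
    s, _ = srv.decide(ip, p1, t0 + timedelta(minutes=45)); steps.append(s)     # evicted computer-1 returns: S420b2
    s, _ = srv.decide(ip, p1, t0 + timedelta(hours=25)); steps.append(s)       # everything older than T-1 expired: S414a
    return steps


if __name__ == "__main__":
    print(walkthrough())
```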

On the other hand, if the user is blocked from connecting to the requested website ("S420b2"), the block may, depending on policy, return no response to the user at all, or redirect to a warning message page or a blocking message page.

On the warning message page or blocking message page, in addition to showing the warning or blocked status, and considering that a blocked state can arise because the user's client terminal (user computer) was formatted or its most recently generated identity proof (for example the "Flash Shared Object") was deleted, a separate "connection permission request button" is provided on the blocking screen; it releases the blocked state of the current client terminal and initializes (deletes) in the database server 240 the identity proof of the previously permitted client terminal that connected first within the 24 hours (because the connection information is continuously updated, only the initial connection within 24 hours is relevant). Besides this additional step, the following method may also be used: if such a request reaches the Internet service provider by telephone or similar means, the Internet service provider administrator initializes (deletes) the stored past client information (user identity proof) in the database server 240 through the policy management web server 250, thereby releasing the blocked state.

On the other hand, differing from the preferred embodiment illustrated above, in an embodiment of a further aspect of the invention the function of the analysis server 230 may be integrated into the push server 220 instead of keeping the analysis server 230 separate from the push server 220; its operation is substantially the same, and a repeated detailed description is omitted.

The invention has been described through specific embodiments; the code used in the web traffic illustrated in Figs. 6a to 10b is written in jsp/java, but this is merely an example, and those skilled in the art understand that it may be replaced by other methods. The embodiments are presented only to aid understanding of the invention; the invention is not limited to them, and those skilled in the art may make various changes within the scope of the technical idea claimed.

100: IP router

210: Internet service provider backbone network

220: push server

230: analysis server

240: database server

250: policy management web server

260: detection/blocking web server

300: Internet

Claims (18)

A method for selectively allowing or blocking Internet connection request traffic sharing a public IP, which selectively allows and blocks the Internet connection request traffic of terminals requesting connection by detecting the number of user terminals on a private network using the same public IP and comparing it with the allocated permitted number, characterized by comprising: (I) a subscriber traffic mirroring step ("S100") in which, when a client terminal runs a web browser and requests connection to a website on the network, a mirroring device (210) installed in the backbone network of the Internet Service Provider (ISP) mirrors the website connection request traffic originating from the client terminal and transmits the mirrored website connection request traffic to a push server (220) in order to confirm whether the subscriber is an IP router overuse suspect; (II) a public IP confirmation step for overuse-suspect subscriber traffic ("S200") in which the push server (220) confirms whether the subscriber public IP of the mirrored website connection request traffic is a public IP that was contained in a previous connection flow processed by the push server and selected, by cookie information, as the public IP of a router overuse suspect; (III) a router overuse state detection and blocking decision step ("S400") in which, if the public IP has been selected as that of a router overuse suspect, then, to reduce load, the push server (220) performs a step ("S250") confirming whether the mirrored website connection request traffic is traffic that can be the object of a block-or-allow decision; if it is, a second false response traffic is transmitted to the client terminal ("S300") so that the address of the website the user originally tried to connect to is attached as a parameter to the 100% frame generated at the client terminal by the second false response traffic, and detection and blocking forwarding traffic redirected toward the detection and blocking web server (260) is transmitted from the client terminal to the detection and blocking web server (260); the detection and blocking web server (260) then, by means of a 0% detection frame generated independently of the user's public IP extracted from the received detection and blocking forwarding traffic and of the 100% frame, executes a router overuse detection algorithm using the unique parameter value of the Flash Shared Object received from the user's client terminal, whereby, for the traffic of users not in router overuse state, the website connection requested by the client terminal is allowed, and for user traffic detected to be in router overuse state, the supplementary processing conditions decide whether to allow or block the website connection request of the client terminal in router overuse state.
A method for selectively allowing or blocking Internet connection request traffic sharing a public IP, which selectively allows and blocks the Internet connection request traffic of terminals requesting connection by detecting the number of user terminals on a private network using the same public IP and comparing it with the allocated permitted number, characterized by comprising: (I) a subscriber traffic mirroring step ("S100") in which, when a client terminal runs a web browser and requests connection to a website on the Internet, a mirroring device (210) installed in the backbone network of the Internet service provider mirrors the website connection request traffic originating from the client terminal and transmits the mirrored website connection request traffic to a push server (220) in order to confirm whether the subscriber is an IP router overuse suspect; (II) a public IP confirmation step for overuse-suspect subscriber traffic ("S200") in which the push server (220) confirms whether the mirrored website connection request traffic carries a public IP that was selected as the public IP of a router overuse suspect from the public IP and cookie information contained in a previous connection flow processed by the push server; (III-A) a router overuse suspect selection and upload step ("S210") in which, if the public IP has not been selected as that of a router overuse suspect, the push server (220) verifies from the public IP and Cookie information contained in the mirrored website connection request traffic whether the subscriber should be selected as a router overuse suspect and, if so, uploads that IP and transmits to the client terminal a first false response traffic containing a command that stores in the client terminal a cookie set to the current time, whose validity period is defined by a unique variable such as a sign parameter, and a redirect command that guides the client terminal to reconnect to the website it originally tried to connect to; (III-B) a router overuse state detection and blocking decision step ("S400") in which, if the public IP has been selected as that of a router overuse suspect, then, to reduce load, the push server (220) performs a step ("S250") confirming whether the mirrored website connection request traffic is traffic that can be the object of a block-or-allow decision; if it is, a second false response traffic is transmitted to the client terminal ("S300") so that the address of the website the user originally tried to connect to is attached as a parameter to the 100% frame generated at the client terminal by the second false response traffic, and detection and blocking forwarding traffic redirected toward the detection and blocking web server (260) is transmitted from the client terminal to the detection and blocking web server (260); the detection and blocking web server (260) then, by means of a 0% detection frame generated independently of the user's public IP extracted from the received detection and blocking forwarding traffic and of the 100% frame, executes a router overuse detection algorithm using the unique parameter value of the Flash Shared Object received from the user's client terminal, whereby, after router overuse state detection ("S410") that detects user traffic in router overuse state, the supplementary processing conditions decide whether to allow or block the website connection request of the client terminal in router overuse state ("S420a"); and the mirrored website connection request traffic that has passed through the router overuse suspect selection and upload step ("S210") is discarded in the push server (220) ("S220") regardless of whether it was selected as a router overuse suspect, allowing the Internet connection of the original website connection request traffic ("S230"); and where the traffic is not judged to be in router overuse state in the router overuse state detection ("S410") of the router overuse state detection and blocking decision step ("S400"), or where the website connection is allowed by the supplementary processing conditions while deciding whether to allow or block the website connection of the client terminal in router overuse state ("S420a"), the detection and blocking web server (260) allows the website connection by redirecting to the original destination website that the client terminal attached as a parameter to the detection and blocking forwarding traffic ("S420b").
The method for selectively allowing or blocking Internet connection request traffic sharing a public IP of claim 2, wherein the router overuse suspect selection and upload step ("S210") comprises: a step ("S211") in which the push server (220) first confirms whether the mirrored traffic is "website connection request traffic"; a step ("S212") in which the push server (220) confirms whether the "Host" among the setting conditions of the mirrored traffic is a main monitoring target host (HOST); a step ("S213") in which the push server (220) confirms whether the "URI" among the setting conditions of the mirrored traffic ends in "/" or "/?" and whether a "Referer" setting condition is present; and a step ("S214") in which the push server (220) confirms whether the "Cookie" among the setting conditions of the mirrored traffic contains a parameter value named "sign".

The method for selectively allowing or blocking Internet connection request traffic sharing a public IP of claim 3, wherein the main monitoring target hosts (HOST) are the websites ranked within the top ten by website connections.
The method for selectively allowing or blocking Internet connection request traffic sharing a public IP of any one of claims 1 to 4, wherein the step ("S250") of confirming whether the mirrored traffic is traffic subject to a block-or-allow decision passes through a step ("S251") in which the push server (220) confirms whether the mirrored traffic is "website connection request traffic", a step ("S252") in which the push server (220) confirms whether the connection host (HOST) of the mirrored traffic is an "extended monitoring target website", and a step ("S253") in which the push server (220) confirms whether the URI of the mirrored traffic ends in "/" or "/?" and whether a Referer is present; if the push server (220) finds that one or more of the conditions in the confirmation steps "S251", "S252" and "S253" are not satisfied, the mirrored traffic is discarded ("S220") and normal connection to the website requested by the user is allowed ("S230"); and if the push server (220) finds that all conditions in the confirmation steps "S251", "S252" and "S253" are satisfied, the step "S300" of transmitting the second false response traffic to the client terminal is executed.
The method for selectively allowing or blocking Internet connection request traffic sharing a public IP of any one of claims 1 to 4, wherein the router overuse state user traffic detection step ("S410") constituting the router overuse state detection and blocking step ("S400") performs the following steps: a step ("S411") in which the detection and blocking web server (260) requests, by the 0% detection frame, the unique parameter value stored in the Flash Shared Object of the user's client terminal (user computer) under a set parameter name such as the user identity proof; and a step ("S412") in which, when the unique parameter value of the user identity proof is received from the client terminal in step "S411" and the list of user identity proofs within 24 hours for that user IP (ID) in the database server (240) contains a value identical to the user identity proof value of the currently connecting client terminal (user computer), so that it is judged a valid user identity proof, the connection time of that identity proof is updated in the database server (240) and connection to the website requested by the user's client terminal is allowed; and, if in step "S411" no unique parameter value of a user identity proof can be received from the client terminal, or one is received but the list of identity proofs within 24 hours for that IP (ID) contains no value identical to the user identity proof value of the currently connecting client terminal (user computer), so that it is judged an invalid user identity proof, the number of valid identity proofs within 24 hours for that user IP (ID) in the current database server (240) and the permitted number of router computers for that IP (ID) are looked up ("S413"), and (a) if the number of valid identity proofs is below the permitted number of computers, the router is judged not to be in overuse state, a new unique identity proof value is generated for the currently connecting client terminal (user computer), stored in the client terminal and uploaded together with the connection time to the database server (240), and the user is allowed to connect to the website requested by the client terminal ("S414a"); and (b) if the number of valid identity proofs exceeds the permitted number of computers, the router is judged to be in overuse state ("S414b") and, for the currently connecting client terminal (user computer), a block-or-allow decision step is executed by the supplementary processing conditions to decide whether the connection request traffic of the Internet connection is allowed or blocked (see "S420a" of Fig. 4a and Fig. 4d).
7. The method for selectively allowing or blocking Internet connection request traffic sharing a public IP of claim 4, wherein in the block-or-allow decision step for the connection request traffic, which decides whether to allow or block the Internet connection by applying supplementary processing conditions, (b1) if the list of valid user identity credentials for that user IP (ID) within a first set time (T-1; for example, 24 hours) held by the database server (240) contains an identity credential whose uploaded connection time, measured against the current time, is older than a second set time (T-2; for example, 30 minutes), the identity credential with the oldest connection time is deleted from the list in the database server (240), a new unique identity credential value is generated for the currently connecting client terminal (user computer), stored on the client terminal and also uploaded to the database server (240) together with the connection time, and the user is allowed to connect to the website requested by the client terminal (S420b1).
8. The method for selectively allowing or blocking Internet connection request traffic sharing a public IP of claim 7, wherein in the block-or-allow decision step for the connection request traffic, which decides whether to allow or block the Internet connection by applying supplementary processing conditions, (b2) if the list of valid user identity credentials for that user IP (ID) within the last 24 hours held by the database server (240) contains no identity credential whose uploaded connection time, measured against the current time, is more than 30 minutes old, the currently connecting client terminal (user computer) is blocked from connecting to the requested website (S420b2).
9. The method for selectively allowing or blocking Internet connection request traffic sharing a public IP of claim 8, wherein in the step (S420b2) of blocking the currently connecting client terminal (user computer) from connecting to the requested website, no response at all is returned to the user, according to policy.
10. The method for selectively allowing or blocking Internet connection request traffic sharing a public IP of claim 8, wherein the step (S420b2) of blocking the currently connecting client terminal (user computer) from connecting to the requested website further comprises a step of redirecting to a block message page or a warning message page.
11. The method for selectively allowing or blocking Internet connection request traffic sharing a public IP of claim 10, wherein the block message page or warning message page, in addition to displaying the warning or block status, provides a separate "connection allow request button" which releases the block state of the current client terminal and initialises (deletes), in the database server (240), the user identity credential of the client terminal that, among the previously allowed client terminals, connected first within the set time.
12. The method for selectively allowing or blocking Internet connection request traffic sharing a public IP according to any one of claims 1 to 4, wherein the second dummy response traffic transmitted from the push server (220) to the user's client terminal splits the client terminal's frame into two frames: a 100% frame (the URL of the website the user originally tried to reach) and a 0% detection frame (the URL of the detection-and-blocking web server, specifying "search.jsp", which carries the command to retrieve the user identity credential from the client terminal and compare it against the database server, with the address of the website the user originally tried to reach appended as a parameter).
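The server-side decision logic of claims 6 to 11 (steps S411 to S414, the supplementary conditions S420b1/S420b2, and the release performed by the "connection allow request button"), run over constructed events as an added example; this is not code from the patent or its assignee. The identity value a client would present from its Flash shared object is simply passed in as a string, the database server (240) is an in-memory dict, the T-1/T-2 values are the examples given in claim 7, and a count equal to the allowed number is treated as over-use (an interpretation, since the claims only state "less than" and "exceeds").

```python
"""Router over-use (public-IP sharing) decision logic modelled on claims 6 to 11.

Added example, not the patent's own code. The Flash shared object lookup of
step S411 is replaced by a plain string argument; the database server (240) is
an in-memory dict of {public_ip: {identity: last_connection_time}}.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional
import secrets

T1 = timedelta(hours=24)     # first set time (T-1): how long an identity stays valid
T2 = timedelta(minutes=30)   # second set time (T-2): idle time after which a slot may be reclaimed


@dataclass
class Decision:
    action: str                        # "allow" or "block"
    step: str                          # claim step reached: S412, S414a, S420b1 or S420b2
    identity: Optional[str] = None     # identity the client should store (new or confirmed)


@dataclass
class SharingStateDetector:
    # allowed number of computers per public IP, as held by the policy management server (claim 16)
    policy: Dict[str, int]
    # the database server (240): per public IP, identity value -> last connection time
    records: Dict[str, Dict[str, datetime]] = field(default_factory=dict)

    def _valid(self, public_ip: str, now: datetime) -> Dict[str, datetime]:
        """Identities for this IP whose last connection lies within T1 (the S413 list)."""
        entries = self.records.setdefault(public_ip, {})
        for uid in [u for u, seen in entries.items() if now - seen > T1]:
            del entries[uid]               # expired: no longer counts toward the allowed number
        return entries

    def check(self, public_ip: str, presented: Optional[str], now: datetime) -> Decision:
        """Run S411-S414 and, in the over-use state, the supplementary step S420b1/S420b2."""
        entries = self._valid(public_ip, now)
        # S411/S412: a known, still-valid identity only refreshes its connection time.
        if presented is not None and presented in entries:
            entries[presented] = now
            return Decision("allow", "S412", presented)
        # S413: compare the number of valid identities with the allowed number of computers.
        allowed = self.policy.get(public_ip, 1)
        if len(entries) < allowed:
            # S414a: not in the over-use state; issue a new identity to this terminal.
            uid = secrets.token_hex(8)     # constructed identity value
            entries[uid] = now
            return Decision("allow", "S414a", uid)
        # S414b: over-use state (equality treated as over-use, see lead-in).
        oldest_uid, oldest_seen = min(entries.items(), key=lambda kv: kv[1])
        if now - oldest_seen > T2:
            # S420b1: some terminal has been idle longer than T2; reclaim the oldest slot.
            del entries[oldest_uid]
            uid = secrets.token_hex(8)
            entries[uid] = now
            return Decision("allow", "S420b1", uid)
        # S420b2: every allowed slot was used within the last T2; block this request.
        return Decision("block", "S420b2")

    def release(self, public_ip: str, now: datetime) -> Optional[str]:
        """'Connection allow request button' (claim 11): delete the earliest-connected identity."""
        entries = self._valid(public_ip, now)
        if not entries:
            return None
        oldest_uid = min(entries, key=entries.get)
        del entries[oldest_uid]
        return oldest_uid
```

A blocked terminal that retries after `release` falls through to S414a and receives a fresh identity, which is the behaviour claim 11 describes.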
13. The method for selectively allowing or blocking Internet connection request traffic sharing a public IP according to any one of claims 1 to 4, wherein the second dummy response traffic transmitted from the push server (220) to the user's client terminal causes the client terminal's frame to consist only of a 100% frame (the URL of the detection-and-blocking web server, specifying "check.jsp", with the URL of the website the user originally tried to reach appended as a parameter), and the detection-and-blocking web server (260) then generates a separate 0% detection frame by splitting the frame (the URL of the detection-and-blocking web server, specifying "search.jsp", which carries the command to retrieve the user identity credential from the client terminal and compare it against the database server, with the address of the website the user originally tried to reach appended as a parameter).
14. A public-IP sharing state detection and blocking system which detects the number of user client terminals on a private network that use the same public IP, compares it with the allocated allowed number of terminals, and on the basis of the IP sharing state selectively allows or blocks the Internet connection request traffic of client terminals requesting connections, the system comprising: a mirroring device (210), installed in the backbone network of the Internet service provider, which, when an Internet service user's client terminal runs a web browser and requests a connection to a website on the Internet, mirrors the website connection request traffic originating from the client terminal; a push server (220), which confirms whether the user's public IP in the mirrored website connection request traffic is a public IP that the push server has already selected, on the basis of the public IP and cookie information contained in a previous connection flow, as belonging to a user suspected of router over-use, and if it is such a public IP, in order to reduce the load on the detection-and-blocking web server, carries out the step of confirming whether the mirrored website connection request traffic is traffic that can be subject to a block-or-allow decision and, if it is, transmits second dummy response traffic to the client terminal so that a 100% frame generated on the user's client terminal carries the address of the website the user originally tried to reach as a parameter and detection-and-blocking forwarding traffic, redirected to the detection-and-blocking web server (260), is sent from the client terminal to that server; and a detection-and-blocking web server (260), which, using the user's public IP extracted from the detection-and-blocking forwarding traffic sent by the user's client terminal and a 0% detection frame generated separately from the 100% frame, stores in the database server (240) the unique parameter value of the Flash shared object received from the client terminal under a set parameter name such as the user identity credential, and executes the router over-use state detection algorithm by searching the list stored between the connection time and the first set time, whereby user traffic not in the router over-use state is redirected to the original destination website that the client terminal appended as a parameter to the detection-and-blocking forwarding traffic, while for user traffic detected as being in the router over-use state it decides, by applying supplementary processing conditions, whether to allow or block the website connection request of that client terminal.
15. A public-IP sharing state detection and blocking system which detects the number of user client terminals on a private network that use the same public IP, compares it with the allocated allowed number of terminals, and on the basis of the IP sharing state selectively allows or blocks the Internet connection request traffic of client terminals requesting connections, the system comprising: a mirroring device (210), installed in the backbone network of the Internet service provider, which, when an Internet service user's client terminal runs a web browser and requests a connection to a website on the Internet, mirrors the website connection request traffic originating from the client terminal; a push server (220), which confirms whether the user's public IP in the mirrored website connection request traffic is a public IP that the push server has already selected, on the basis of the public IP and cookie information contained in a previous connection flow, as belonging to a user suspected of router over-use; if it is not such a public IP, transmits the public IP and connection host (HOST) information contained in the mirrored website connection request traffic to the analysis server so that it can be confirmed whether the user is in a state in which they should be selected as a router over-use suspect, and further verifies, from the public IP and cookie information contained in the mirrored website connection request traffic, whether the user should be selected as a router over-use suspect, and if so, uploads that IP and transmits to the client terminal first dummy response traffic containing a command to store on the client terminal a cookie defined with a unique variable such as a "sign" parameter, whose validity time is set from the current time, together with a redirect command guiding the browser to reconnect to the website the user originally tried to reach; and if it is a public IP selected as belonging to a router over-use suspect, in order to reduce the load on the detection-and-blocking web server, carries out the step of confirming whether the mirrored website connection request traffic is traffic that can be subject to a block-or-allow decision and, if it is, transmits second dummy response traffic to the client terminal so that the 100% frame generated on the user's client terminal by that second dummy response traffic carries the address of the website the user originally tried to reach as a parameter and detection-and-blocking forwarding traffic, redirected to the detection-and-blocking web server (260), is sent from the client terminal to that server; an analysis server (230), which stores the user's public IP and connection host (HOST) information received from the push server, together with connection-time data, in the database server (240), determines the number of connection requests made from that public IP to a specific host within the set time, judges whether that number exceeds the allowed value for the number of computers permitted to share an IP, managed according to the respective user policy, thereby decides whether to select the user as a router over-use suspect, and transmits the result together with that public IP to the push server (220); and a detection-and-blocking web server (260), which, using the user's public IP extracted from the detection-and-blocking forwarding traffic sent by the user's client terminal and a 0% detection frame generated separately from the 100% frame, stores in the database server (240) the unique parameter value of the Flash shared object received from the client terminal under a set parameter name such as the user identity credential, and executes the router over-use state detection algorithm by searching the list stored between the connection time and the first set time, whereby user traffic not in the router over-use state is redirected to the original destination website that the client terminal appended as a parameter to the detection-and-blocking forwarding traffic, while for user traffic detected as being in the router over-use state it decides, by applying supplementary processing conditions, whether to allow or block the website connection request of that client terminal.
16. The public-IP sharing state detection and blocking system of claim 15, further comprising a policy management web server (250), which stores in the database server (240) the list of the numbers of computers allowed to share an IP, managed according to the respective user policies, and can modify that information.
17. The public-IP sharing state detection and blocking system according to any one of claims 14 to 16, wherein the push server (220) is configured so that the second dummy response traffic transmitted from the push server (220) to the user's client terminal splits the client terminal's frame into two frames: a 100% frame (the URL of the website the user originally tried to reach) and a 0% detection frame (the URL of the detection-and-blocking web server, specifying "search.jsp", which carries the command to retrieve the user identity credential from the client terminal and compare it against the database server, with the address of the website the user originally tried to reach appended as a parameter).
18. The public-IP sharing state detection and blocking system according to any one of claims 14 to 16, wherein the push server (220) is configured so that the second dummy response traffic transmitted from the push server (220) to the user's client terminal causes the client terminal's frame to consist only of a 100% frame (the URL of the detection-and-blocking web server, specifying "check.jsp", with the URL of the website the user originally tried to reach appended as a parameter), and the detection-and-blocking web server (260) then generates a separate 0% detection frame by splitting the frame (the URL of the detection-and-blocking web server, specifying "search.jsp", which carries the command to retrieve the user identity credential from the client terminal and compare it against the database server, with the address of the website the user originally tried to reach appended as a parameter).
TW103102803A 2013-12-30 2014-01-24 Based on the current time to share the public network IP Internet connection request flow of the selective allow or prevent the method and the implementation of the method of public network IP sharing of the current state detection and prevention system TWI577163B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020130166977A KR101518474B1 (en) 2013-12-30 2013-12-30 Method for selectively permitting/blocking a plurality of internet request traffics sharing the public IP address on the basis of current time and system for detecting and blocking internet request traffics sharing the public IP address on the current time

Publications (2)

Publication Number Publication Date
TW201526589A true TW201526589A (en) 2015-07-01
TWI577163B TWI577163B (en) 2017-04-01

Family

ID=53394136

Family Applications (1)

Application Number Title Priority Date Filing Date
TW103102803A TWI577163B (en) 2013-12-30 2014-01-24 Based on the current time to share the public network IP Internet connection request flow of the selective allow or prevent the method and the implementation of the method of public network IP sharing of the current state detection and prevention system

Country Status (3)

Country Link
KR (1) KR101518474B1 (en)
TW (1) TWI577163B (en)
WO (1) WO2015102356A1 (en)

Also Published As

Publication number Publication date
WO2015102356A1 (en) 2015-07-09
TWI577163B (en) 2017-04-01
KR101518474B1 (en) 2015-05-07

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees