WO2016070633A1 - Network log generation method and device - Google Patents

Info

Publication number
WO2016070633A1 (PCT/CN2015/082563)
Authority
WO (WIPO, PCT)
Prior art keywords
user, information, private network, log, nat
Prior art date
Application number
PCT/CN2015/082563
Other languages
French (fr), Chinese (zh)
Inventor
樊海彬
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2016070633A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming

Definitions

  • The present invention relates to the field of communications, and in particular to a method and apparatus for generating an online (Internet access) log.
  • The firewall is the gateway connecting the mobile access network to the Internet. It performs Network Address Translation (NAT), through which mobile users reach the Internet.
  • IP: Internet Protocol
  • A user's private (internal) IP address is translated into an idle public IP address taken from the firewall's address pool.
  • The telecom operator assigns a private IP address to each mobile user who is about to access the Internet and translates that private address into a public address through the firewall's NAT function. This relieves the shortage of public IP addresses and lets many terminals in the LAN share one network connection.
  • The content sources on the mobile Internet are complex.
  • The national security department requires basic telecommunications enterprises to provide the necessary management and control functions, to retain, check and report users' mobile Internet logs, and to build user online log query systems.
  • An Internet server can only record the public IP address produced by the firewall's NAT; from that public address alone it cannot recover the corresponding private network IP address or the user's international mobile subscriber identity.
  • IMSI: International Mobile Subscriber Identity
  • MSISDN: Mobile Subscriber International ISDN/PSTN Number
  • The Chinese patent "Administrative device and method for integrating mobile Internet users' Internet logs", patent number 103532752, relies entirely on receiving Remote Authentication Dial In User Service (Radius) messages sent by the mobile Internet gateway to obtain the correspondence between user information (such as the mobile phone number) and the private network IP address.
  • Radius: Remote Authentication Dial In User Service
  • Where the Radius messages cannot be obtained, the correspondence between the private network IP address and the user information cannot be known.
  • That patented technique also uses a single module to fuse NAT logs and Radius messages for the whole network's traffic. Once the traffic rises beyond the processing limit of that module, the system is overloaded and can no longer meet the collection requirements; and once its communication link is interrupted, the entire log collection system is paralysed. The reliability and scalability of such a system are poor.
  • In the Chinese patent "An IP source-tracing method, device and system", patent number 103731515, the association between user information and the public network IP mapping table is performed inside the NAT device. The NAT device therefore has to carry the basic private-to-public address translation and, at the same time, merge the data to generate the association mapping table. This may require modifying the NAT device, which is costly, and under heavy network traffic it may drive the NAT device to full load or even to crash.
  • The embodiment of the invention provides a method and a device for generating an online log, so as to solve at least the problem in the related art that a user's online log cannot be generated when Radius messages cannot be obtained.
  • A method for generating an Internet log includes: obtaining a user's private network information from the network's user control plane message GTP-C; obtaining the user's network address translation (NAT) information; and generating the user's online log from the private network information and the NAT information.
  • Before obtaining the user's private network information from GTP-C, the method may further include: determining whether the system has the right to obtain the private network information from Radius messages; if the determination is negative, the user's private network information is obtained through the network's GTP-C.
  • If the determination is positive, the method obtains the private network information from the Radius messages of the network gateway,
  • and generates the user's online log from the private network information obtained from the Radius messages and the NAT information.
  • The method may further include: receiving a query request for a user's online log, and returning the query result to the requester according to the query request.
  • The user's private network information includes at least one of: an international mobile subscriber identity (IMSI), a mobile subscriber international number (MSISDN), and a packet data protocol (PDP) activation time.
  • IMSI: international mobile subscriber identity
  • MSISDN: mobile subscriber international number
  • PDP: packet data protocol
  • The user's NAT information includes at least one of: source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time, and NAT end time.
  • An Internet log generating apparatus includes: a first acquiring module, configured to acquire a user's private network information from the network's user control plane message GTP-C; a second acquiring module, configured to acquire the user's network address translation (NAT) information; and a generating module, configured to generate the user's online log from the acquired private network information and NAT information.
  • The device may further include a determining module, configured to determine whether the system has the right to obtain the private network information from Radius messages; the first acquiring module is further configured to obtain the user's private network information through the network's GTP-C when the determining module's result is negative.
  • The device may further include a third acquiring module, configured to obtain the private network information from the Radius messages of the network gateway when the determining module's result is positive;
  • the generating module is further configured to generate the user's online log from the private network information obtained from the Radius messages and the NAT information.
  • The device may further include a receiving module, configured to receive a query request for a user's online log, and a feedback module, configured to return the query result to the requester according to the received query request.
  • In summary: the user's private network information is obtained from the user control plane message GTP-C; the user's network address translation (NAT) information is obtained; and the user's Internet log is generated from the obtained private network information and NAT information.
  • FIG. 1 is a flowchart of a method for generating an online log according to an embodiment of the present invention
  • FIG. 2 is a structural block diagram of an Internet log generating apparatus according to an embodiment of the present invention.
  • FIG. 3 is a block diagram 1 of a preferred structure of an Internet log generating apparatus according to an embodiment of the present invention
  • FIG. 4 is a block diagram 2 of a preferred structure of an Internet log generating apparatus according to an embodiment of the present invention.
  • FIG. 5 is a block diagram 3 of a preferred structure of an Internet log generating apparatus according to an embodiment of the present invention.
  • Figure 6 is a schematic view showing the structure of a preferred embodiment 1 of the present invention.
  • FIG. 7 is a flowchart showing the operation of a Radius message processing module according to a preferred embodiment 1 of the present invention.
  • Figure 8 is a schematic view showing the structure of a preferred embodiment 2 of the present invention.
  • FIG. 9 is a flowchart showing the operation of a signaling collection processing module according to a preferred embodiment 2 of the present invention.
  • FIG. 10 is a flowchart showing the operation of the NAT log processing module 3 according to a preferred embodiment 3 of the present invention.
  • Figure 11 is a block diagram showing the structure of a log merge processing module 4 in a preferred embodiment 3 of the present invention.
  • Figure 12 is a flowchart showing the data processing of the log merge processing module 4 in the preferred embodiment 3 of the present invention.
  • Figure 13 is a block diagram showing the structure of an application service module 5 in a preferred embodiment 3 of the present invention.
  • FIG. 14 is a flow chart showing the operation of querying a user's online log record in accordance with a preferred embodiment 3 of the present invention.
  • FIG. 1 is a flowchart of a method for generating an Internet log according to an embodiment of the present invention. As shown in FIG. 1 , the process includes the following steps:
  • Step S102 Acquire private network information of the user through the user control plane message GTP-C of the network;
  • Step S104 acquiring network address translation NAT information of the user
  • Step S106 Generate an online log of the user according to the obtained private network information and the NAT information.
  • In the above steps the user's private network information is obtained through GTP-C.
  • In the related art, the user's private network information can only be obtained from Radius messages,
  • so when the Radius messages cannot be obtained, the user's online log record cannot be generated.
  • The above steps therefore solve the problem in the related art that the user's Internet log record cannot be generated when the Radius messages are unavailable: the user's Internet log can now be generated even when no Radius message can be obtained.
  • Before obtaining the user's private network information from the network's GTP-C, it may also be determined whether the system has the right to obtain the private network information from Radius messages. If the determination is negative, the user's private network information is obtained only through the network's GTP-C. If the determination is positive, the private network information is obtained from the Radius messages of the network gateway, and the user's online log is generated from that private network information and the NAT information. By combining the two ways of obtaining the user's private network information, it can be obtained effectively in various network environments, so the user's online log can be generated reliably.
  • The generated online log may be stored for subsequent queries: after the online log is stored, a received query request can be answered from it.
  • The user's private network information may be of several kinds, for example at least one of: international mobile subscriber identity (IMSI), mobile subscriber international number (MSISDN), and packet data protocol (PDP) activation time.
  • IMSI: international mobile subscriber identity
  • MSISDN: mobile subscriber international number
  • PDP activation time: the time at which the packet data protocol context was activated
  • The user's NAT information may also be of several kinds, for example at least one of: source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time, and NAT end time.
  • An online log generating device is also provided, which implements the above embodiments and preferred embodiments; what has already been described is not repeated here.
  • The term "module" may denote a combination of software and/or hardware that implements a predetermined function.
  • The apparatus described in the following embodiments is preferably implemented in software, but implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 2 is a structural block diagram of an Internet log generating device according to an embodiment of the present invention. As shown in FIG. 2, the device includes a first acquiring module 22, a second acquiring module 24 and a generating module 26, which are described below.
  • the first obtaining module 22 is configured to obtain the private network information of the user through the user control plane message GTP-C of the network.
  • the second obtaining module 24 is connected to the first obtaining module 22, and is configured to obtain the network address translation NAT information of the user.
  • the generating module 26 is connected to the first obtaining module 22 and the second obtaining module 24, and is configured to generate an online log of the user according to the obtained private network information and the NAT information.
  • FIG. 3 is a block diagram of a preferred structure of an Internet log generating apparatus according to an embodiment of the present invention. As shown in FIG. 3, the apparatus includes, in addition to all the modules shown in FIG. 2, a determining module 32, which is described below.
  • The determining module 32 is connected to the first acquiring module 22 and is configured to determine whether the system has the right to obtain private network information from Radius messages.
  • The first acquiring module 22 is further configured to obtain the user's private network information through the network's GTP-C when the result of the determining module is negative.
  • FIG. 4 is a block diagram of a preferred structure of an Internet log generating apparatus according to an embodiment of the present invention. As shown in FIG. 4, the apparatus includes a third acquiring module 42 in addition to all the modules shown in FIG. 3; the third acquiring module 42 is described below.
  • The third acquiring module 42 is connected to the determining module 32 and is configured to obtain private network information from the Radius messages of the network gateway when the result of the determining module is positive; the generating module 26 is further configured to generate the user's online log from the private network information obtained from the Radius messages and the NAT information.
  • FIG. 5 is block diagram 3 of a preferred structure of an Internet log generating apparatus according to an embodiment of the present invention. As shown in FIG. 5, the apparatus includes a receiving module 52 and a feedback module 54 in addition to the modules already described; these two modules are described below.
  • The receiving module 52 is connected to the generating module 26 and is configured to receive a query request for a user's online log.
  • The feedback module 54 is connected to the receiving module 52 and is configured to return the query result to the requester according to the received query request.
  • A scheme for tracing a user's online behavior is thus provided: the log system records, for a given period, the public network IP address, the private network address, and the user's IMSI and MSISDN for each Internet session, and offers an external query interface through which a user can be traced and located from the query conditions.
  • This helps the operator meet the requirements of the relevant national departments for the security maintenance and control of the mobile data Internet.
  • A method for generating an Internet log is provided in which a probe collects user control plane signaling messages (GPRS Tunneling Protocol-Control, GTP-C for short), or Radius messages are collected from the mobile Internet gateway (one of the two is selected depending on the network topology).
  • GTP-C: GPRS Tunneling Protocol-Control
  • Combined with the firewall NAT log, this establishes the correspondence between key user information, such as the IMSI and MSISDN, and the public network IP address used when the user was online, forms detailed online log records, stores them, and provides a query system, giving the national security regulatory authorities data support concerning mobile users.
  • A distributed networking policy is also provided.
  • A variable number of firewall NAT log processing servers and log merge processing servers are deployed dynamically in the network, to share the network traffic evenly and improve the processing capacity and reliability of the system.
  • Two methods of backtracking processing based on distributed Internet logs are provided below for different scenarios in a real network environment:
  • In the first, the Radius messages are obtained by connecting to the Internet gateway, and the user identification information (IMSI, MSISDN) and the private network IP address are parsed out of them.
  • The firewall log processing module is connected to the firewall NAT device; through the interaction between the signaling source and the firewall log processing module, the online user's IMSI and MSISDN are obtained together with the public network IP address and port number of the user's terminal after translation by the firewall NAT.
  • These are used to establish the correspondence between the user identity and the public IP address, to generate detailed user log records, and to provide the query function.
  • In the second, a signaling collector is connected in mirrored (port-mirroring) mode to the interface carrying the network's control plane messages, obtains the corresponding GTP-C signaling messages and parses the user identification information out of them.
  • The subsequent steps are the same as in the first method.
  • A distributed Internet log backtracking processing method is further provided.
  • A distributed Internet log backtracking processing system is provided. It has six components:
  • a Radius message processing module 1 (function equivalent to the third acquiring module 42 above);
  • a signaling collection processing module 2 (function equivalent to the first acquiring module 22);
  • a firewall log processing module 3 (function equivalent to the second acquiring module 24);
  • a log merge processing module 4 (function equivalent to the generating module 26);
  • an application service module 5 (function equivalent to the receiving module 52 and the feedback module 54); and a log storage module 6.
  • The Radius message processing module 1 and the signaling collection processing module 2 are deployed in different network scenarios respectively. The functions of each part are as follows:
  • Radius message processing module 1: when access to Radius messages from the Internet gateway is available, this module is deployed in the network and interfaces with the Internet gateway. It receives the Radius messages, which include the user's IMSI, MSISDN, private network IP address, private network port number and so on; it parses the received Radius messages, extracts the user identification information, and sends it to the log merge processing module 4.
  • Signaling collection processing module 2: when the right to obtain Radius messages from the Internet gateway is restricted, the signaling collection processing module 2 is deployed in the system instead of the Radius message processing module 1 and is connected in mirrored mode to the network's user control plane message interface.
  • The signaling collection processing module 2 captures all user control plane signaling messages (GTP-C) flowing through that interface and parses them in depth to mine the user identification information: IMSI, MSISDN, private network IP address and private network port number. It sends this user identification information to the log merge processing module 4.
  • Firewall log processing module 3: connects to the NAT device of the network firewall and receives the NAT log sent by the firewall NAT device.
  • The firewall log processing module 3 parses the received NAT log and extracts the NAT translation information: source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time and NAT end time, and sends it to the log merge processing module 4.
  • Log merge processing module 4: connected to the Radius message processing module 1, the signaling collection processing module 2 and the firewall log processing module 3. It is mainly responsible for three kinds of work: merging the user identification information with the NAT translation information, generating the user online log records, and storing and answering queries over them.
  • Application service module 5: connected to the Radius message processing module 1, the firewall log processing module 3 and the log merge processing module 4, it acts as the control center and provides two functions:
  • query personnel can enter query conditions such as the start time, end time and the public IP address used by the user through the query interface provided by the application service module 5;
  • the query conditions are sent to the connected log merge processing module 4, and the query result is returned to the query personnel through the query interface.
  • The query results include: IMSI, MSISDN, source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time and NAT end time.
  • Log storage module 6: connected to the log merge processing module 4, it saves the merged user online log records for later use by staff.
  • A distributed networking policy is also provided: multiple log merge processing modules 4 are deployed on the network and directly connected to the firewall log processing module 3, and these log merge processing modules 4 share the storage and query tasks between them.
  • The Radius message processing module 1 and the signaling collection processing module 2 are directly connected to every log merge processing module 4, and the Radius message processing module 1 or the signaling collection processing module 2 sends the user's IMSI, MSISDN, private network IP address and private network port number to every log merge processing module 4 by broadcast, where they are merged with the firewall NAT translation information received by that log merge processing module 4.
  • The embodiment of the present invention can achieve the following effects:
  • The signaling plane messages are collected from the network and key user identification information such as IMSI, MSISDN, user private network IP address and private network port number is parsed out of them. This is functionally similar to obtaining Radius messages directly from the mobile Internet gateway, and the information is associated with the firewall NAT log to provide detailed user online log information.
  • The system and method for backtracking a user's Internet log can therefore be applied in different networking environments, which widens their scope of application and their value.
  • A distributed networking policy is also provided, so that network elements share the service load of the whole network in parallel, improving the service processing performance of the network under large data volumes.
  • When a network element's communication link is interrupted or faulty, other network elements in the distributed network take over its service, so the operation of the whole network is not interrupted, which ensures the stability and reliability of the network.
  • FIG. 6 is a schematic structural diagram of preferred embodiment 1 of the present invention. As shown in FIG. 6, in a network scenario in which Radius messages can be obtained from the mobile Internet gateway, this embodiment uses a log collection device structure in a distributed deployment.
  • Its composition, deployment location and data flow are as follows:
  • The distributed device is implemented by adding a network element to the operator's existing mobile data network.
  • The Radius message processing module 1 is deployed in the mobile data network topology with access to the mobile Internet gateway.
  • The Radius message processing module 1 obtains Radius messages from the mobile Internet gateway, parses them, and obtains the user identification information: IMSI, MSISDN, PDP activation time, private network IP address and private network port number.
  • FIG. 7 is a flowchart of the operation of a Radius message processing module according to a preferred embodiment 1 of the present invention. As shown in FIG. 7, the process includes the following steps:
  • Step S202 Obtain a Radius message from the Internet gateway.
  • Step S204 Parsing the Radius message to obtain the field values of the user identification information IMSI, the MSISDN, the PDP activation time, and the private network IP address and the private network port number;
  • Step S206 Re-encode these fields into one data block and send it to all log merge processing modules 4 connected thereto.
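The Radius parsing step above (and the Radius message processing module 1 described earlier), as an added Python example that is not part of the patent or of any ZTE product: a parser for a RADIUS Accounting-Request that extracts the identity fields the log merge module needs, using the standard attribute numbers from RFC 2865/2866 (Framed-IP-Address, Calling-Station-Id, Acct-Status-Type, Event-Timestamp) and the 3GPP-IMSI vendor attribute (vendor id 10415) from 3GPP TS 29.061. The packet, the shared secret and the subscriber values are constructed here and are not real. One check the patent text does not mention is the Request Authenticator: a collector that skips it will accept a spoofed Accounting-Request that binds a victim's IMSI to an attacker's private IP, so the example verifies it before trusting any attribute.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Standard RADIUS attribute types (RFC 2865/2866) and the 3GPP vendor id (TS 29.061).
CODE_ACCOUNTING_REQUEST = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31     # carries the MSISDN in 3GPP deployments
ATTR_ACCT_STATUS_TYPE = 40       # 1 = Start, 2 = Stop
ATTR_EVENT_TIMESTAMP = 55
VENDOR_3GPP = 10415
VSA_3GPP_IMSI = 1


@dataclass
class IdentityRecord:
    imsi: Optional[str] = None
    msisdn: Optional[str] = None
    private_ip: Optional[str] = None
    event_time: Optional[int] = None
    acct_status: Optional[int] = None


def iter_attributes(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each Type/Length/Value attribute; reject length overruns."""
    pos = 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, payload[pos + 2:pos + alen]
        pos += alen


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """RFC 2866 section 3: Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret).
    Without this check a forged Accounting-Request can attribute traffic to the wrong subscriber."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_accounting_request(packet: bytes, secret: bytes) -> IdentityRecord:
    """Extract the identity fields the log merge module needs from one Accounting-Request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    if not verify_request_authenticator(packet, secret):
        raise ValueError("bad Request Authenticator (wrong secret or forged packet)")
    rec = IdentityRecord()
    for atype, val in iter_attributes(packet[20:length]):
        if atype == ATTR_FRAMED_IP_ADDRESS and len(val) == 4:
            rec.private_ip = ".".join(str(b) for b in val)
        elif atype == ATTR_CALLING_STATION_ID:
            rec.msisdn = val.decode("ascii", "replace")
        elif atype == ATTR_ACCT_STATUS_TYPE and len(val) == 4:
            rec.acct_status = struct.unpack("!I", val)[0]
        elif atype == ATTR_EVENT_TIMESTAMP and len(val) == 4:
            rec.event_time = struct.unpack("!I", val)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(val) >= 6:
            if struct.unpack("!I", val[:4])[0] == VENDOR_3GPP:
                for vtype, vval in iter_attributes(val[4:]):   # same TLV layout inside the VSA
                    if vtype == VSA_3GPP_IMSI:
                        rec.imsi = vval.decode("ascii", "replace")
    return rec


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def build_sample_packet(secret: bytes) -> bytes:
    """Constructed Accounting-Request (Start) for a hypothetical subscriber; not captured traffic."""
    attrs = (
        _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))
        + _attr(ATTR_FRAMED_IP_ADDRESS, bytes([10, 45, 3, 17]))
        + _attr(ATTR_CALLING_STATION_ID, b"8613900000001")
        + _attr(ATTR_EVENT_TIMESTAMP, struct.pack("!I", 1700000000))
        + _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP)
                + _attr(VSA_3GPP_IMSI, b"460001234567890"))
    )
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, 7, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


if __name__ == "__main__":
    pkt = build_sample_packet(b"example-shared-secret")
    print(parse_accounting_request(pkt, b"example-shared-secret"))
```

The record produced for the constructed packet carries IMSI 460001234567890, MSISDN 8613900000001, private address 10.45.3.17 and the Start status; the same packet with the wrong secret, or with a single byte of the IMSI altered, is rejected before any field is read. In a real deployment the Stop record (Acct-Status-Type 2) for the same session is what closes the private-IP-to-subscriber interval, and the gateway's Acct-Session-Id is the safer key for pairing Start and Stop than the private address alone.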
  • FIG. 8 is a schematic structural diagram of preferred embodiment 2 of the present invention. As shown in FIG. 8, this is the structure of the user Internet log collection device used when Radius messages cannot be obtained through the mobile Internet gateway, that is, in a network environment where the conditions for obtaining Radius messages are restricted.
  • Its composition, deployment location and data flow are as follows:
  • The device is likewise implemented by adding a network element to the operator's existing mobile data network. The signaling collection processing module 2 is deployed in the mobile data network topology with access to the interface between the service support node (for example the SGSN (Serving GPRS Support Node) in a 3G network, or the MME (Mobility Management Entity) in a 4G network) and the mobile Internet gateway.
  • The firewall log processing module 3 is attached to the NAT firewall.
  • The signaling collection processing module 2 obtains the user control plane messages from that interface by mirrored collection and extracts the user identification information IMSI, MSISDN and PDP activation time, together with the private network IP address and private network port number.
  • FIG. 9 is a flowchart of the operation of a signaling collection processing module according to preferred embodiment 2 of the present invention. As shown in FIG. 9, the process includes the following steps:
  • Step S302 Grab the user control plane message packet of the interface between the service support node and the mobile internet gateway;
  • Step S304 Parsing the control plane message to obtain a user identification information field value such as an MSISDN, an IMSI, and a PDP activation time;
  • Step S306 Re-encode these fields into one data block and send it to the log merge processing module 4 connected thereto.
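The signaling parsing steps above (S302 to S306, and the signaling collection processing module 2), as an added Python example that is not part of the patent: a minimal GTPv1-C parser (3GPP TS 29.060) that pairs a Create PDP Context Request, which carries the IMSI and MSISDN, with its Create PDP Context Response, which carries the allocated private IP address, using the sequence number, and stamps the pair with the capture time as the PDP activation time. The byte strings are constructed here and are not captured traffic; only the information elements the example needs are handled, the TV length table and the IPv4-only handling are simplifications, and matching on the sequence number alone is an assumption that holds only within one GTP path (one pair of peer addresses). A 4G network carries GTPv2-C (TS 29.274), whose header and IE layout differ, so this parser applies to the 3G case the page mentions.

```python
import struct
from typing import Dict, Optional, Tuple

# GTPv1-C message types and IE types from 3GPP TS 29.060.
MSG_CREATE_PDP_CONTEXT_REQUEST = 0x10
MSG_CREATE_PDP_CONTEXT_RESPONSE = 0x11
IE_CAUSE, IE_IMSI, IE_END_USER_ADDRESS, IE_MSISDN = 1, 2, 128, 134
CAUSE_REQUEST_ACCEPTED = 128
PDP_TYPE_IPV4 = 0x21
# IE types below 128 are Type/Value with a fixed length; those at or above 128 are Type/Length/Value.
TV_LENGTHS = {1: 1, 2: 8, 14: 1, 16: 4, 17: 4, 19: 1}   # Cause, IMSI, Recovery, TEID-I, TEID-C, Selection mode


def tbcd_decode(data: bytes) -> str:
    """Telephony BCD: two digits per octet, low nibble first, 0xF pads an odd digit count."""
    return "".join(str(n) for b in data for n in (b & 0x0F, b >> 4) if n != 0x0F)


def tbcd_encode(digits: str) -> bytes:
    if len(digits) % 2:
        digits += "F"
    return bytes((int(digits[i + 1], 16) << 4) | int(digits[i], 16) for i in range(0, len(digits), 2))


def parse_gtpv1c(pkt: bytes) -> Tuple[int, int, Optional[int], Dict[int, bytes]]:
    """Return (message type, TEID, sequence number, {IE type: IE value})."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:        # version 1, PT=1 (GTP, not GTP')
        raise ValueError("not a GTPv1 message")
    body = pkt[8:8 + length]
    seq, pos = None, 0
    if flags & 0x07:                                # E, S or PN set: 4 optional octets are present
        seq, _npdu, next_ext = struct.unpack("!HBB", body[:4])
        if next_ext:
            raise ValueError("extension headers are not handled in this example")
        pos = 4
    ies: Dict[int, bytes] = {}
    while pos < len(body):
        ie_type = body[pos]
        if ie_type < 128:
            n = TV_LENGTHS[ie_type]                 # KeyError for an unknown TV type: it cannot be skipped safely
            ies[ie_type], pos = body[pos + 1:pos + 1 + n], pos + 1 + n
        else:
            n = struct.unpack("!H", body[pos + 1:pos + 3])[0]
            ies[ie_type], pos = body[pos + 3:pos + 3 + n], pos + 3 + n
    return msg_type, teid, seq, ies


class PdpContextCorrelator:
    """Pair a Create PDP Context Request (IMSI, MSISDN) with its Response (allocated address) by sequence number."""

    def __init__(self) -> None:
        self.pending: Dict[Optional[int], Dict[str, object]] = {}

    def feed(self, pkt: bytes, capture_time: int) -> Optional[Dict[str, object]]:
        msg_type, _teid, seq, ies = parse_gtpv1c(pkt)
        if msg_type == MSG_CREATE_PDP_CONTEXT_REQUEST:
            self.pending[seq] = {"imsi": tbcd_decode(ies[IE_IMSI]),
                                 "msisdn": tbcd_decode(ies[IE_MSISDN][1:])}   # octet 1 is TON/NPI
            return None
        if msg_type == MSG_CREATE_PDP_CONTEXT_RESPONSE:
            req = self.pending.pop(seq, None)
            eua = ies.get(IE_END_USER_ADDRESS, b"")
            if req is None or ies.get(IE_CAUSE) != bytes([CAUSE_REQUEST_ACCEPTED]):
                return None                        # rejected or unmatched: no session, nothing to log
            if len(eua) >= 6 and eua[1] == PDP_TYPE_IPV4:
                req["private_ip"] = ".".join(str(b) for b in eua[2:6])
                req["pdp_activation_time"] = capture_time
                return req
        return None


def _tv(t: int, v: bytes) -> bytes:
    return bytes([t]) + v


def _tlv(t: int, v: bytes) -> bytes:
    return bytes([t]) + struct.pack("!H", len(v)) + v


def _gtp(msg_type: int, teid: int, seq: int, body: bytes) -> bytes:
    opt = struct.pack("!HBB", seq, 0, 0)           # flags 0x32: version 1, PT=1, S=1
    return struct.pack("!BBHI", 0x32, msg_type, len(opt) + len(body), teid) + opt + body


def sample_exchange() -> Tuple[bytes, bytes]:
    """Constructed request/response pair for a hypothetical subscriber (not captured traffic)."""
    req = _gtp(MSG_CREATE_PDP_CONTEXT_REQUEST, 0, 0x1234,
               _tv(IE_IMSI, tbcd_encode("460001234567890"))
               + _tlv(IE_END_USER_ADDRESS, bytes([0xF1, PDP_TYPE_IPV4]))          # IETF/IPv4, dynamic address
               + _tlv(IE_MSISDN, bytes([0x91]) + tbcd_encode("8613900000001")))
    rsp = _gtp(MSG_CREATE_PDP_CONTEXT_RESPONSE, 0x00A1B2C3, 0x1234,
               _tv(IE_CAUSE, bytes([CAUSE_REQUEST_ACCEPTED]))
               + _tlv(IE_END_USER_ADDRESS, bytes([0xF1, PDP_TYPE_IPV4, 10, 45, 3, 17])))
    return req, rsp
```

Feeding the constructed request and then the response yields one identity block (IMSI, MSISDN, private IP 10.45.3.17 and the capture time as PDP activation time), which is the data block step S306 sends to the merge module. Mirrored GTP-C is not authenticated, so the collector trusts the network it is attached to; and to close the interval it must also see the Delete PDP Context exchange, which this example leaves out.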
  • The distributed mobile Internet behavior backtracking systems of preferred embodiments 1 and 2 use a distributed networking architecture, that is, several log merge processing modules 4 are arranged in the network in a distributed architecture.
  • The several merge processing modules 4 are each connected to the firewall log processing module 3, and according to a polling policy the merge processing module 4 with the next sequence number receives the NAT translation information processed by the firewall log processing module 3 each time. Together they merge the user identification information with the NAT translation information, and generate, query and store the user online log records.
  • The several merge processing modules 4 are also each connected to the Radius message processing module 1 and the signaling collection processing module 2, and receive the user identification information sent by the Radius message processing module 1 or the signaling collection processing module 2 by broadcast.
  • The firewall log processing module 3 is connected to the NAT device of the network firewall, obtains the NAT log from it, and parses the NAT log to obtain the NAT translation information.
  • The NAT translation information includes the source private network IP address and the source private network port number.
  • FIG. 10 is a flowchart of the operation of the NAT log processing module 3 according to preferred embodiment 3 of the present invention. As shown in FIG. 10, the process includes the following steps:
  • Step S402 Receive a NAT log data packet sent by the network firewall;
  • Step S404 Parse the NAT log data packet to obtain the NAT translation information field values, that is, the source private network IP address and port number, the source public network IP address and port number, the destination address and port number, the NAT start time and the NAT end time;
  • Step S406 Reassemble the NAT translation information field values into a new data block and send it to the connected log merge processing module 4.
  • the log merge processing module 4 is connected to the Radius message processing module 1, the signaling collection processing module 2, and the firewall log processing module 3, respectively, for using the user identification information sent by the Radius message processing module 1 or the signaling collection processing module 2,
  • the private network IP address and the private network port number are associated with the NAT translation information sent by the firewall log processing module 3, and a detailed user online log record is generated.
  • FIG. 11 is a structural block diagram of a log merge processing module 4 according to a preferred embodiment 3 of the present invention. As shown in FIG. 11, the log merge processing module 4 mainly includes the following parts:
  • the first communication sub-module 401 is connected to the Radius message processing module 1 and the signaling collection processing module 2, and is configured to receive the user identification information, the private network IP address and the private network port number sent by the Radius message processing module 1 or the signaling collection processing module 2, and to push the user identification information, the private network IP address, and the private network port number to the processing queue sub-module 403;
  • the second communication sub-module 402 is connected to the firewall log processing module 3 and is configured to receive the NAT conversion information sent by the firewall log processing module 3, split the NAT conversion information into a plurality of single NAT conversion information log records, and push the log records to the processing queue sub-module 403;
  • the processing queue sub-module 403 is connected to the first communication sub-module 401 and the second communication sub-module 402, and is configured to send the user identification information, private network IP address and private network port number pushed by the first communication sub-module 401, and the NAT conversion information pushed by the second communication sub-module 402, to the association merge sub-module 404;
  • the association merge sub-module 404 (performing the same function as the generation module 26) is connected to the processing queue sub-module 403, and is configured to receive the user identification information, the private network IP address, the private network port number, and the NAT translation information sent by the processing queue sub-module 403; using the private network IP address as a key and the user identification information as the mapping value, it performs association and merging, generates a complete user online log record, and places the user online log record into the storage sub-module 405;
  • the association merge sub-module 404 maintains a Map data structure, with the private network IP address as the key and the user identification information as the mapping value.
  • when the processing queue sub-module 403 sends the user identification information, the private network IP address, and the private network port number, the message is first parsed and the private network IP address field value is extracted. The private network IP address is then used as the key to check whether the Map container contains a corresponding record. If it does not, the user identification information is added to the Map container; otherwise, no processing is done.
  • for the NAT conversion information, the private network IP address is extracted and used as the key to check whether the Map container contains a user identification information record for that key. If so, the record is merged with the firewall NAT translation information to generate a record containing the IMSI, the MSISDN, the source private network IP address, the source private network port number, the source public network IP address, the source public network port number, and the destination IP address.
  • the storage sub-module 405 is connected to the associated merge sub-module 404, configured to receive the user's Internet log record, and write it to the log storage module 6;
  • FIG. 12 is a flowchart of data processing of the log merge processing module 4 according to the preferred embodiment 3 of the present invention. As shown in FIG. 12, the flow includes the following steps:
  • Step S502 Receive firewall NAT conversion information and user identification information data packets processed by the firewall log collection module 3, the Radius message processing module 1 or the signaling collection processing module 2, respectively.
  • Step S504 The received data packet is pushed to the processing queue sub-module 403, and the data packet is taken out from the queue header.
  • the data packet type needs to be parsed and distributed according to different policies. If the packet type is not a firewall NAT translation information packet, that is, a user identification information packet, step S506 is performed. Otherwise, step S514 is performed.
  • Step S506 Determine the integrity of the user identification information data packet. If complete, perform a decoding operation on the data packet to obtain a field value such as a private IP address, a port number, an IMSI, an MSISDN, and a PDP activation time; otherwise, discard.
  • Step S508 Using the private IP address as a key value, it is found whether there is a record of the key value in the Map container. If not, step S510 is performed; otherwise, step S512 is performed.
  • Step S510 The private IP address is used as the index key, a record is added to the Map container, and the IMSI, MSISDN, and PDP activation time field values in the user identification message are used as the mapping values of the record.
  • a timer is started with the private IP address as the timer index value; when the timeout period expires, the record is cleared from the Map container.
  • Step S512 Update the original record value in the Map container with the value of each field in the new message.
  • Step S514 Decapsulate the firewall NAT conversion information packet and split the data packet into a plurality of firewall NAT conversion information message blocks.
  • Step S516 Check the validity of each data block and extract the private IP address field. Using the private IP address as a key value, it is queried whether there is a record containing the key value in the Map container. If yes, step S518 is performed; otherwise, step S520 is performed.
  • Step S518 Determine the IP address type in the firewall NAT translation information data block; that is, extract the IMSI number, MSISDN number, and PDP activation time field values (the user identification information part) of the record in the Map container, and recombine them with the source private IP address and port number, source public IP address and port number, destination IP address and port number, NAT start time, NAT end time, and protocol type fields of the firewall NAT conversion information record into a complete online log record containing user information.
  • Step S520 The IMSI, MSISDN, PDP activation time and other field values are no longer obtained from the Map container; instead the field values are set directly to 0 and then merged with the firewall NAT conversion information to reassemble an online log record without the user identification information.
  • Step S522 Write the re-merged user online log record to the log storage module 6 for storage.
  • a corresponding application service module 5 is also provided, connected to the log merge processing module 4; the application service module 5 includes an online log query terminal 501, which is configured to provide a query interface that receives the input user online log record query conditions, sends the query conditions to the log merge processing module 4 connected thereto, and displays the user online log records fed back by the log merge processing module 4 through the query interface for inspection by the inquiring personnel;
  • the third communication sub-module 406 is connected to the online log query terminal 501 and is configured to receive the query request command, including the query condition, sent by the online log query terminal 501, to parse the query condition and send it to the query sub-module 407 (which performs the same function as the feedback module 54), and to feed the query result back to the online log query terminal 501; the query sub-module 407 contains an efficient query algorithm, is connected to the log storage module 6, and is configured to perform a lookup and match in the log storage module 6 according to the query condition and to feed the search result back to the third communication sub-module 406.
  • the query conditions for the user's Internet log record include: the start time and end time of the user's online log record, and the public IP address used by the user.
  • the query results include: IMSI, MSISDN, source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time, NAT end time, and protocol type.
  • FIG. 14 is a flowchart of a process for querying a user's online log record according to a preferred embodiment 3 of the present invention. As shown in FIG. 14, the process includes the following steps:
  • Step S602 The user inputs the query conditions in the online log query terminal 501 of the application service processing module 5, including: a start time, an end time, and a public network IP address.
  • Step S604 The application service processing module 5 sends the query request data packet to the log merge processing module 4 connected thereto.
  • Step S606 The log merge processing module 4 listens for the arrival of the query request data packet, converts the query conditions in the data packet into a start date, an end date, a session hour, and a public network IP address, and searches the connected log storage module (LSU) for the log records that meet the conditions.
  • Step S608 The log merge processing module 4 assembles all the log records that satisfy the conditions into data packets and sends them to the application service processing module 5.
  • Step S610 The application service processing module 5 receives the query result data packet returned by each log merge processing module 4, and displays the final result on the query interface of the application service processing module 5.
  • the application service module 5 further provides a corresponding network management configuration terminal 502 for managing and configuring the network; the network management configuration terminal 502 is connected to the Radius message processing module 1, the signaling collection processing module 2 and the firewall log processing module 3, respectively, and is used to set:
  • Radius message processing module 1 needs to connect to the mobile internet network management address
  • Firewall log processing module 3 needs to connect to the firewall address
  • by collecting the user control plane signaling message GTP-C (GPRS Tunnelling Protocol-Control) or the Radius message sent by the mobile internet gateway (one of the two is selected depending on the network topology) and combining it with the firewall NAT log, the correspondence between key user information such as the IMSI and MSISDN number and the public network IP address used when accessing the Internet is established, a detailed online log record is formed for storage, and an inquiry system is provided; this solves the problem in the related art that the user's online log record cannot be obtained when the Radius message cannot be obtained, and provides the national security supervision department with query support for mobile users' online data.
  • the above online log generation method and device can prevent an interruption of a communication link from crippling the entire log collection system, and their reliability and scalability are very strong.
  • the modules or steps of the embodiments of the present invention can be implemented by a general computing device, which can be concentrated on a single computing device or distributed across multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here; or they may be separately fabricated as individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
  • the above embodiments and preferred embodiments solve the problem in the related art that the user's private network information cannot be obtained through the Radius message, so that the user's log information cannot be generated in combination with the NAT information; obtaining the user's private network information through GTP-C not only provides the national security supervision department with query support for mobile users' online data, but also offers strong reliability and scalability.
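The following is an added example written for this page; it is not code from the patent or from its assignee. It models the NAT log splitting of steps S402 to S406 and S514 to S516, the Map-based merge of steps S502 to S522 (timer eviction, the update path of S512, and the zeroed user fields of S520), and the query of steps S602 to S610 in one small Python module. Everything concrete is an assumption: the `|`-separated NAT log line format, the Python dict used for a decoded user identification message, an in-memory list standing in for the log storage module 6, integer timestamps, and the rule that a record matches a query when its NAT session overlaps the requested time window. Sample inputs are constructed.

```python
"""Model of the log merge (module 4) and query flows described in the patent.
Added example; formats, field names and sample data are assumptions."""
from typing import Dict, List

# Assumed NAT log line format: nine '|'-separated fields in the order the
# patent lists for a NAT record (not a real firewall format).
NAT_FIELDS = ("src_priv_ip", "src_priv_port", "src_pub_ip", "src_pub_port",
              "dst_ip", "dst_port", "nat_start", "nat_end", "proto")
INT_FIELDS = ("src_priv_port", "src_pub_port", "dst_port", "nat_start", "nat_end")
USER_FIELDS = ("imsi", "msisdn", "pdp_activation_time")


def parse_nat_packet(packet: str) -> List[dict]:
    """Steps S514/S516: split a NAT packet into single records, drop invalid ones."""
    records = []
    for line in packet.splitlines():
        parts = line.strip().split("|")
        if len(parts) != len(NAT_FIELDS):
            continue  # fails the validity check of S516: discard the block
        rec = dict(zip(NAT_FIELDS, parts))
        try:
            for k in INT_FIELDS:
                rec[k] = int(rec[k])
        except ValueError:
            continue  # non-numeric port or timestamp: also invalid
        records.append(rec)
    return records


class LogMerger:
    """Models the association merge sub-module 404 and the query sub-module 407."""

    def __init__(self, timeout: int):
        self.timeout = timeout
        self.user_map: Dict[str, dict] = {}  # private IP -> user identification (the Map)
        self.expiry: Dict[str, int] = {}     # private IP -> eviction time (timer of S510)
        self.storage: List[dict] = []        # stands in for log storage module 6

    def _expire(self, now: int) -> None:
        # S510: a record whose timer has run out is cleared from the Map.
        for ip in [ip for ip, t in self.expiry.items() if now >= t]:
            del self.user_map[ip]
            del self.expiry[ip]

    def on_user_info(self, pkt: dict, now: int) -> bool:
        """Steps S506-S512: validate the packet, then add or update the Map record."""
        self._expire(now)
        if any(k not in pkt for k in ("priv_ip", "port") + USER_FIELDS):
            return False  # S506: incomplete packet is discarded
        ip = pkt["priv_ip"]
        self.user_map[ip] = {k: pkt[k] for k in USER_FIELDS}  # S510 add / S512 update
        self.expiry[ip] = now + self.timeout  # S510: timer indexed by private IP
        return True

    def on_nat_packet(self, packet: str, now: int) -> List[dict]:
        """Steps S514-S522: split, look up user info by private IP, merge and store."""
        self._expire(now)
        merged = []
        for rec in parse_nat_packet(packet):
            user = self.user_map.get(rec["src_priv_ip"])
            if user is None:
                user = {k: 0 for k in USER_FIELDS}  # S520: unknown user -> fields set to 0
            record = {**user, **rec}  # S518: user part + NAT part in one log record
            self.storage.append(record)  # S522: write to log storage
            merged.append(record)
        return merged

    def query(self, start: int, end: int, public_ip: str) -> List[dict]:
        """Step S606: records for a public IP whose NAT session overlaps [start, end]."""
        return [r for r in self.storage
                if r["src_pub_ip"] == public_ip
                and r["nat_start"] <= end and r["nat_end"] >= start]


def demo() -> dict:
    """Constructed walk-through: one known subscriber, one unknown private IP, one bad line."""
    m = LogMerger(timeout=3600)
    # Constructed user identification message (as decoded from GTP-C in S506).
    m.on_user_info({"priv_ip": "10.0.0.5", "port": 0, "imsi": "460001234567890",
                    "msisdn": "8613800000000", "pdp_activation_time": 1000}, now=1000)
    # Constructed NAT packet: two sessions behind one public IP plus a malformed line.
    packet = ("10.0.0.5|40000|203.0.113.7|50000|198.51.100.9|443|1010|1020|6\n"
              "10.0.0.9|40001|203.0.113.7|50001|198.51.100.9|80|1010|1030|6\n"
              "malformed line\n")
    merged = m.on_nat_packet(packet, now=1015)
    hits = m.query(start=1000, end=1015, public_ip="203.0.113.7")
    return {"merged": merged, "hits": hits}


if __name__ == "__main__":
    for rec in demo()["hits"]:
        print(rec)
```

The second session in the constructed packet comes from a private IP with no Map entry, so it is stored with IMSI, MSISDN and PDP activation time set to 0, exactly as step S520 prescribes. In practice that zeroed form is the signal an operator should watch: a rising share of unattributed records means the GTP-C or Radius feed is lagging, or the Map timeout is shorter than the users' PDP sessions, and the records will not answer a later query by public IP.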

Abstract

Disclosed are a network log generation method and device. The method comprises: obtaining user private network information via a user control plane message GTP-C of a network; obtaining user network address translation (NAT) information; generating a user network log according to the obtained private network information and the NAT information. The present invention solves the problem in related technology that the user private network information cannot be obtained via Radius information, and consequently cannot be combined with the NAT information to generate user log information. Further, obtaining user private network information via GTP-C can provide a mobile user network data query support for a national security supervision department and has high reliability and scalability.

Description

Internet log generation method and device
Technical field
The present invention relates to the field of communications, and in particular to a method and apparatus for generating an online log.
Background
In recent years, with the rapid development of mobile access technologies such as third-generation (3G) mobile communications and Long Term Evolution (LTE), combined with highly intelligent mobile terminals, mobile data services have come to combine the advantages of both mobile communications and the Internet. However, the global supply of public IP addresses is nearly exhausted. Telecom operators generally use a firewall technique to solve this problem: the firewall is the gateway connecting the mobile access network to the Internet, and it has a Network Address Translation (NAT) function that can translate a private Internet Protocol (IP) address into an idle public IP address from the firewall's address pool. Specifically, the telecom operator assigns a private IP address to a mobile user who is about to access the Internet and translates that private IP address into a public IP address through the NAT function of the firewall. This solves the problem of the shortage of public IP addresses and allows multiple terminals in a local area network to share a network connection.
The content sources of the mobile Internet are complex. To strengthen network monitoring, the national security department requires basic telecommunications enterprises to provide the necessary management and control functions, to implement the retention, lookup and reporting of users' mobile Internet logs, and to actively build user online log query systems. However, because of the current firewall network architecture, an Internet server can only record the public IP address produced by the firewall's NAT; from that public IP address the Internet server cannot further learn the corresponding private network IP address, International Mobile Subscriber Identification Number (IMSI), Mobile Subscriber International ISDN/PSTN Number (MSISDN) and other key information identifying the user.
In the related art, Chinese patent No. 103532752, "Management device and method for integrating mobile Internet users' online logs", relies entirely on receiving Remote Authentication Dial In User Service (Radius) messages sent by the mobile Internet gateway to obtain the correspondence between user information (such as the mobile phone number) and the private network IP address. However, in actual network deployments, restrictions on the usage rights between devices of different vendors, or operators' security and stability considerations, may make the Radius messages unobtainable, so that the correspondence between the private network IP address and the user information cannot be learned. In addition, in a large-capacity network environment, that patented technique uses a single NAT log and Radius message fusion processing module to carry the network traffic; when the traffic rises beyond the processing performance limit, the system becomes overloaded and cannot meet the collection requirements. At the same time, once a communication link is interrupted, the entire log collection system is paralyzed. The reliability and scalability of the system are poor.
In the related art, in Chinese patent No. 103731515, "IP traceability method, device and system", the process of associating the user information with the public IP and other mapping tables is performed in the NAT device. That is, the NAT device must on the one hand perform the basic translation between private IP addresses and public IP addresses, and on the other hand must complete the merge that produces the association mapping table. This may require the NAT device to be modified, which is very costly. At the same time, when the network traffic is heavy, it may cause the NAT device to run at full load or even to be paralyzed.
Therefore, in the related art, there is the problem that a user's online log record cannot be generated when the Radius message cannot be obtained.
Summary of the invention
Embodiments of the invention provide a method and device for generating an online log, so as to at least solve the problem in the related art that a user's online log record cannot be generated when the Radius message cannot be obtained.
According to one aspect of the invention, a method for generating an online log is provided, comprising: obtaining a user's private network information through the user control plane message GTP-C of the network; obtaining the user's network address translation (NAT) information; and generating the user's online log according to the obtained private network information and the NAT information.
In an embodiment of the invention, before obtaining the user's private network information through the user control plane message GTP-C of the network, the method further comprises: determining whether there is permission to obtain the private network information from Radius messages; and, if the determination result is no, obtaining the user's private network information through the GTP-C of the network.
In an embodiment of the invention, after determining whether there is permission to obtain the private network information from Radius messages, the method further comprises: if the determination result is yes, obtaining the private network information from the Radius messages via the network gateway; and generating the user's online log according to the private network information obtained from the Radius messages and the NAT information.
In an embodiment of the invention, after generating the user's online log according to the obtained private network information and the NAT information, the method further comprises: receiving a query request for querying the user's online log; and feeding back the query result to the query requester according to the received query request.
In an embodiment of the invention, the user's private network information includes at least one of the following: the International Mobile Subscriber Identity (IMSI), the Mobile Subscriber International Number (MSISDN), and the Packet Data Protocol (PDP) activation time.
In an embodiment of the invention, the user's NAT information includes at least one of the following: source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time and NAT end time.
According to another aspect of the invention, an online log generating device is provided, comprising: a first obtaining module, configured to obtain a user's private network information through the user control plane message GTP-C of the network; a second obtaining module, configured to obtain the user's network address translation (NAT) information; and a generating module, configured to generate the user's online log according to the obtained private network information and the NAT information.
In an embodiment of the invention, the device further comprises: a determining module, configured to determine whether there is permission to obtain the private network information from Radius messages; the first obtaining module is further configured to obtain the user's private network information through the GTP-C of the network when the determination result of the determining module is no.
In an embodiment of the invention, the device further comprises: a third obtaining module, configured to obtain the private network information from the Radius messages via the network gateway when the determination result of the determining module is yes; the generating module is further configured to generate the user's online log according to the private network information obtained from the Radius messages and the NAT information.
In an embodiment of the invention, the device further comprises: a receiving module, configured to receive a query request for querying the user's online log; and a feedback module, configured to feed back the query result to the query requester according to the received query request.
By obtaining the user's private network information through the user control plane message GTP-C of the network, obtaining the user's NAT information, and generating the user's online log according to the obtained private network information and the NAT information, the problem in the related art that the user's private network information cannot be obtained through Radius messages, and therefore cannot be combined with the NAT information to generate the user's log information, is solved. Obtaining the user's private network information through GTP-C not only provides the national security supervision department with query support for mobile users' online data, but also offers very strong reliability and scalability.
Brief description of the drawings
The drawings described here are provided to give a further understanding of the embodiments of the invention and form part of this application; the exemplary embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a flowchart of a method for generating an online log according to an embodiment of the invention;
FIG. 2 is a structural block diagram of an online log generating device according to an embodiment of the invention;
FIG. 3 is a first preferred structural block diagram of an online log generating device according to an embodiment of the invention;
FIG. 4 is a second preferred structural block diagram of an online log generating device according to an embodiment of the invention;
FIG. 5 is a third preferred structural block diagram of an online log generating device according to an embodiment of the invention;
FIG. 6 is a schematic structural diagram of preferred embodiment 1 of the invention;
FIG. 7 is a flowchart of the operation of the Radius message processing module according to preferred embodiment 1 of the invention;
FIG. 8 is a schematic structural diagram of preferred embodiment 2 of the invention;
FIG. 9 is a flowchart of the operation of the signaling collection processing module according to preferred embodiment 2 of the invention;
FIG. 10 is a flowchart of the operation of the NAT log processing module 3 according to preferred embodiment 3 of the invention;
FIG. 11 is a structural block diagram of the log merge processing module 4 in preferred embodiment 3 of the invention;
FIG. 12 is a flowchart of the data processing of the log merge processing module 4 in preferred embodiment 3 of the invention;
FIG. 13 is a structural block diagram of the application service module 5 in preferred embodiment 3 of the invention;
FIG. 14 is a flowchart of the operation of querying a user's online log record in preferred embodiment 3 of the invention.
具体实施方式detailed description
下文中将参考附图并结合实施例来详细说明本发明。需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互组合。The invention will be described in detail below with reference to the drawings in conjunction with the embodiments. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other without conflict.
在本实施例中,提供了一种上网日志生成方法,图1是根据本发明实施例的上网日志生成方法的流程图,如图1所示,该流程包括如下步骤:In this embodiment, a method for generating an Internet log is provided. FIG. 1 is a flowchart of a method for generating an Internet log according to an embodiment of the present invention. As shown in FIG. 1 , the process includes the following steps:
步骤S102,通过网络的用户控制面消息GTP-C获取用户的私网信息;Step S102: Acquire private network information of the user through the user control plane message GTP-C of the network;
步骤S104,获取用户的网络地址转换NAT信息;Step S104, acquiring network address translation NAT information of the user;
步骤S106,依据获取的私网信息,以及NAT信息生成用户的上网日志。Step S106: Generate an online log of the user according to the obtained private network information and the NAT information.
通过上述步骤,通过GTP-C获取用户的私网信息,相对于相关技术中,仅能依据Radius消息获取用户的私网信息,在无法获取Radius消息时,就不能生成用户上网日志记录的问题,通过一种新的获取用户私网信息的方式,不仅解决了相关技术中在无 法获取Radius消息时,就不能生成用户上网日志记录的问题,实现了在无法获取Radius消息时,也能够生成用户上网日志。Through the above steps, the private network information of the user is obtained through the GTP-C. Compared with the related technology, the private network information of the user can only be obtained according to the Radius message. When the Radius message cannot be obtained, the problem of the user's online log record cannot be generated. Through a new way to obtain private network information of users, it not only solves the related technology in the absence of When the Radius message is obtained, the problem of the user's Internet log record cannot be generated, and the user's Internet log can be generated when the Radius message cannot be obtained.
In the embodiment of the present invention, before obtaining the user's private network information from the GTP-C user control plane messages of the network, it may first be determined whether permission exists to obtain the private network information from Radius messages; only when the result of the determination is negative is the private network information obtained from the network's GTP-C messages. When the result is affirmative, the private network information is obtained from the Radius messages of the network gateway, and the user's online log is generated from that private network information together with the NAT information. By combining the two ways of obtaining the user's private network information, the information can be obtained effectively in a variety of network environments, so that the user's online log can be generated effectively.
After the user's online log has been generated from the obtained private network information and the NAT information, the generated log may also be stored so that it can be queried later. For example, after the log has been stored, a query request for the user's online log is received, and the query result is returned to the requester according to the received request.
It should be noted that the user's private network information may be of several kinds; for example, it may include at least one of the following: the International Mobile Subscriber Identity (IMSI), the Mobile Subscriber International ISDN Number (MSISDN), and the Packet Data Protocol (PDP) context activation time.
The user's NAT information may likewise be of several kinds; for example, it may include at least one of the following: source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time and NAT end time.
This embodiment also provides an online log generating apparatus, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may denote a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
In this embodiment an online log generating apparatus is provided. FIG. 2 is a structural block diagram of an online log generating apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes a first obtaining module 22, a second obtaining module 24 and a generating module 26, which are described below.
The first obtaining module 22 is configured to obtain the user's private network information from the GTP-C user control plane messages of the network. The second obtaining module 24 is connected to the first obtaining module 22 and is configured to obtain the user's network address translation (NAT) information. The generating module 26 is connected to the first obtaining module 22 and the second obtaining module 24 and is configured to generate the user's online log from the obtained private network information and the NAT information.
FIG. 3 is a first preferred structural block diagram of an online log generating apparatus according to an embodiment of the present invention. As shown in FIG. 3, in addition to all the modules shown in FIG. 2, the apparatus further includes a determining module 32, which is described below.
The determining module 32 is connected to the first obtaining module 22 and is configured to determine whether permission exists to obtain the private network information from Radius messages. The first obtaining module 22 is further configured to obtain the user's private network information from the network's GTP-C messages when the result of the determining module is negative.
FIG. 4 is a second preferred structural block diagram of an online log generating apparatus according to an embodiment of the present invention. As shown in FIG. 4, in addition to all the modules shown in FIG. 3, the apparatus further includes a third obtaining module 42, which is described below.
The third obtaining module 42 is connected to the determining module 32 and is configured to obtain the private network information from the Radius messages of the network gateway when the result of the determining module is affirmative. The generating module is further configured to generate the user's online log from the private network information obtained from the Radius messages together with the NAT information.
FIG. 5 is a third preferred structural block diagram of an online log generating apparatus according to an embodiment of the present invention. As shown in FIG. 5, in addition to all the modules shown in FIG. 2, the apparatus further includes a receiving module 52 and a feedback module 54, which are described below.
The receiving module 52 is connected to the generating module 26 and is configured to receive a query request for the user's online log. The feedback module 54 is connected to the receiving module 52 and is configured to return the query result to the requester according to the received query request.
The related art poses the following requirement: in a deployed network system with NAT, provide a scheme for tracing a user's online behaviour back to its source. That is, a log system should record in detail the public network IP address, the private network address, the user's IMSI, MSISDN and similar log information for Internet access during a given period, and provide an external query interface through which the user who was online can be traced and located from query conditions, thereby helping the operator meet the requirements of the relevant national authorities for the security maintenance and control of the mobile data Internet. This embodiment provides an online log generation scheme in which probes are deployed to collect the GTP-C (GPRS Tunnelling Protocol-Control) user control plane signalling messages in the network, or alternatively the Radius messages sent by the mobile Internet gateway are collected (one or the other, depending on the network topology); these are combined with the firewall NAT logs to establish the correspondence between key user information such as IMSI and MSISDN and the public network IP address used when online, forming detailed online log records that are stored and made available through a query system, so as to support the national security regulator's queries of mobile users' Internet access data.
In addition, this embodiment also provides a distributed networking strategy: for network services with large data volumes, different numbers of firewall NAT log processing servers and log merge processing servers are dynamically deployed in the network, with the aim of sharing the network traffic evenly and improving the processing capacity and reliability of the system.
Two distributed online log tracing methods are described below for different scenario requirements in a real network environment:
1. When permission exists to obtain Radius messages through the Internet gateway, the system connects to the Internet gateway, obtains the Radius messages from it and parses out the user identification information (IMSI, MSISDN) and the private network IP address. At the same time, the firewall log processing module is connected to the firewall NAT device; through the interaction of these two network elements, the signalling collector and the firewall log processing module, the online user's IMSI and MSISDN are obtained together with the public network IP address and port number of the user terminal after NAT translation by the firewall, the correspondence between the user identification information and the public network IP address is established, detailed user online log records are generated, and a query function is provided.
2. When access to Radius messages is strictly restricted, that is, the Radius messages sent by the Internet gateway cannot be obtained, the signalling collector is connected through a mirror port to the network's control plane message transmission interface, captures the corresponding GTP-C signalling messages and parses the user identification information out of them. The subsequent steps are the same as in method 1 above.
In combination with the distributed online log tracing methods above, this embodiment also provides a distributed online log tracing system. The system has six components: a Radius message processing module 1 (functionally equivalent to the third obtaining module 42 above), a signalling collection processing module 2 (functionally equivalent to the first obtaining module 22), a firewall log processing module 3 (functionally equivalent to the second obtaining module 24), a log merge processing module 4 (functionally equivalent to the generating module 26), an application service module 5 (functionally equivalent to the receiving module 52 and the feedback module 54) and a log storage module 6. The Radius message processing module 1 and the signalling collection processing module 2 are deployed in different network scenarios. The functions of the components are as follows:
Radius message processing module 1: when permission exists to obtain Radius messages from the Internet gateway, this module is deployed in the network and interfaces with the Internet gateway. It is responsible for receiving the Radius messages, which carry the user's IMSI, MSISDN, private network IP address, private network port number and similar values. The module parses the received Radius messages to extract the user identification information and sends that information to the log merge processing module 4.
Signalling collection processing module 2: when permission to obtain Radius messages from the Internet gateway is restricted, the signalling collection processing module 2 is deployed in the system in place of the Radius message processing module 1 and is connected through a mirror port to the user control plane message interface of the network. The module captures in full all GTP-C user control plane signalling messages flowing through that interface and performs deep analysis on them to extract the user identification information: IMSI, MSISDN, private network IP address and private network port number. It sends this user identification information to the log merge processing module 4.
Firewall log processing module 3: interfaces with the NAT device of the network firewall and is responsible for receiving the NAT logs sent by the firewall NAT device. The module parses the received NAT logs to obtain the NAT translation information: source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time and NAT end time. It packs the obtained NAT translation information and sends it to the log merge processing module 4.
Log merge processing module 4: connected to the Radius message processing module 1, the signalling collection processing module 2 and the firewall log processing module 3. It is mainly responsible for three tasks:
1) associating and merging the user identification information sent by the Radius message processing module 1 or the signalling collection processing module 2 with the NAT translation information sent by the firewall log processing module 3, and generating detailed user online log records that include the user's IMSI, MSISDN, source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time and NAT end time;
2) saving the generated user online log records to the log storage module 6 according to a defined policy;
3) on receiving a query request containing query conditions, providing the user online log record query function and returning the query result to the requester.
Application service module 5: connected to the Radius message processing module 1, the firewall log processing module 3 and the log merge processing module 4 respectively, and acting as the management and control centre. It provides two functions:
1) a detailed user online log record query function: through the query interface provided by the application service module 5, the querying operator enters query conditions such as the start time and end time of the logs to be queried and the public network IP address used by the user. The query conditions are sent to the connected log merge processing module 4, and the query results are returned to the operator through the query interface. The query results include IMSI, MSISDN, source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time and NAT end time.
2) a network management parameter configuration centre, which provides network administrators with a parameter configuration interface for setting the mobile Internet gateway address that the Radius message processing module 1 connects to, the address of the switch carrying the control plane mirror port that the signalling collection processing module 2 connects to, the firewall address that the firewall log processing module 3 connects to, and the addresses of the Radius message processing module 1 and the firewall log processing module 3 that the log merge processing module 4 connects to.
Log storage module 6: connected to the log merge processing module 4 and used to store the merged user online log records for later queries by operating staff.
To give the system the capacity to process services at large data volumes and to guarantee reliability, this embodiment also provides a distributed networking strategy: multiple log merge processing modules 4 are deployed in the network and connected directly to the firewall log processing module 3, and these log merge processing modules 4 share the storage and query tasks equally among them. The Radius message processing module 1 and the signalling collection processing module 2 are connected directly to every log merge processing module 4; the Radius message processing module 1 or the signalling collection processing module 2 broadcasts the user's IMSI, MSISDN, private network IP address and private network port number to every log merge processing module 4, where it is merged with the firewall NAT translation information that module has received.
Compared with the related art, the embodiments of the present invention achieve the following effects:
1. When, in a real network environment, permission to obtain Radius messages from the mobile Internet gateway is restricted, signalling plane messages are collected from the network, and key user identification information such as IMSI and MSISDN, the user's private network IP address and private network port number are parsed out of them, which accomplishes the same function as obtaining Radius messages directly from the mobile Internet gateway; this information is associated and merged with the firewall NAT logs to provide detailed user online log information. This allows the user online log tracing system and method to be used in different networking environments, extending their scope of application and value.
2. The embodiments of the present invention also provide a distributed networking strategy so that, under the demands of large data volumes, network elements share the service load of the whole network in parallel and improve the service processing performance of the network. At the same time, when the communication link of one network element is interrupted or faulty, other network elements in the distributed network take over its service and the operation of the whole network is not interrupted, which ensures the stability and reliability of the network.
Preferred embodiments of the present invention are described below.
Preferred embodiment 1:
FIG. 6 is a schematic structural diagram according to preferred embodiment 1 of the present invention. As shown in FIG. 6, in a network scenario in which Radius messages can be obtained from the mobile Internet gateway, the structure, deployment location and data flow of the log collection apparatus, deployed in a distributed manner, are as follows:
The distributed apparatus is implemented by adding network elements to the operator's mobile data network of the related art. The Radius message processing module 1 is deployed in the mobile data network topology and connected to the mobile Internet gateway; it is responsible for obtaining the Radius messages from the mobile Internet gateway, parsing them and obtaining the user identification information IMSI, MSISDN and PDP activation time together with the private network IP address and private network port number.
FIG. 7 is a flowchart of the operation of the Radius message processing module according to preferred embodiment 1 of the present invention. As shown in FIG. 7, the process includes the following steps:
Step S202: obtain a Radius message from the Internet gateway;
Step S204: parse the Radius message to obtain the field values of the user identification information IMSI, MSISDN and PDP activation time, and of the private network IP address and private network port number;
Step S206: re-encode these fields into one data block and send it to all log merge processing modules 4 connected to this module.
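The parsing of steps S202 to S206, as an added Python example that is not part of the patent's disclosure. It builds a constructed RADIUS Accounting-Request "Start" (RFC 2866) with a constructed shared secret, verifies the Request Authenticator before trusting the message, and extracts the fields module 1 forwards: Framed-IP-Address as the private network IP, Calling-Station-Id as the MSISDN and the 3GPP-IMSI vendor attribute (vendor id 10415, 3GPP TS 29.061). Taking the Start record's Event-Timestamp as the PDP activation time is an assumption of the example; the page does not say which attribute carries it, and it does not mention a private port in Radius, so none is extracted here.

```python
import hashlib
import hmac
import socket
import struct

RADIUS_ACCOUNTING_REQUEST = 4      # RFC 2866 packet code
ATTR_FRAMED_IP_ADDRESS = 8         # RFC 2865 attribute types
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31       # carries the MSISDN in 3GPP deployments (TS 29.061)
ATTR_ACCT_STATUS_TYPE = 40
ATTR_EVENT_TIMESTAMP = 55
VENDOR_3GPP = 10415                # 3GPP vendor id
SUB_3GPP_IMSI = 1                  # 3GPP-IMSI vendor sub-attribute (TS 29.061)


def build_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_3gpp_vsa(sub_type, value):
    """Encode a 3GPP Vendor-Specific attribute: Vendor-Id(4) then a nested TLV."""
    inner = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP) + inner)


def build_accounting_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets
    + attributes + shared secret), RFC 2866 section 3."""
    header = struct.pack("!BBH", RADIUS_ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Accept only a well-formed Accounting-Request whose authenticator was
    computed with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def iter_attrs(data):
    """Yield (type, value) pairs; a bad length aborts instead of mis-parsing."""
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def extract_identity(packet, secret):
    """Return the fields module 1 forwards to the merge module, or None when
    the authenticator fails (an unverified message must not feed the mapping)."""
    if not verify_accounting_request(packet, secret):
        return None
    identity = {}
    for attr_type, value in iter_attrs(packet[20:]):
        if attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            identity["private_ip"] = socket.inet_ntoa(value)
        elif attr_type == ATTR_CALLING_STATION_ID:
            identity["msisdn"] = value.decode("ascii")
        elif attr_type == ATTR_EVENT_TIMESTAMP and len(value) == 4:
            # Assumption: the Start record's Event-Timestamp stands in for the PDP activation time.
            identity["pdp_activation_time"] = struct.unpack("!I", value)[0]
        elif (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
              and struct.unpack("!I", value[:4])[0] == VENDOR_3GPP):
            for sub_type, sub_value in iter_attrs(value[4:]):
                if sub_type == SUB_3GPP_IMSI:
                    identity["imsi"] = sub_value.decode("ascii")
    return identity


# Constructed sample: a shared secret and one Accounting-Request "Start" for a PDP context.
SECRET = b"example-secret"
SAMPLE_ATTRS = (
    build_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))              # Start
    + build_attr(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("10.20.30.40"))
    + build_attr(ATTR_CALLING_STATION_ID, b"8613900000000")
    + build_attr(ATTR_EVENT_TIMESTAMP, struct.pack("!I", 1700000000))
    + build_3gpp_vsa(SUB_3GPP_IMSI, b"460001234567890")
)
SAMPLE_PACKET = build_accounting_request(7, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    print(extract_identity(SAMPLE_PACKET, SECRET))
    print(extract_identity(SAMPLE_PACKET, b"wrong-secret"))
```

The authenticator check is the point a collector like module 1 should not skip: the IMSI-to-IP mapping it feeds downstream is an attribution record, and an unauthenticated accounting message from anywhere on the management network could otherwise insert an arbitrary subscriber identity for a private address.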
Preferred embodiment 2:
FIG. 8 is a schematic structural diagram according to preferred embodiment 2 of the present invention. As shown in FIG. 8, when Radius messages cannot be obtained through the mobile Internet gateway, that is, in a network environment in which the conditions for obtaining Radius messages are restricted, the structure, deployment location and data flow of the user online log collection apparatus are as follows:
This apparatus is likewise implemented by adding network elements to the operator's mobile data network of the related art. The signalling collection processing module 2 is deployed in the mobile data network topology on the interface between the Internet service support node (such as the SGSN (Serving GPRS Support Node) in a 3G network or the MME (Mobility Management Entity) in a 4G network) and the mobile Internet gateway, and the firewall log processing module 3 is connected to the NAT firewall. Through the interaction of these two network elements, the signalling collection processing module 2 obtains the user control plane messages from the interface by mirrored capture and extracts the user identification information IMSI, MSISDN and PDP activation time together with the private network IP address and private network port number.
FIG. 9 is a flowchart of the operation of the signalling collection processing module according to preferred embodiment 2 of the present invention. As shown in FIG. 9, the process includes the following steps:
Step S302: capture the user control plane message packets on the interface between the service support node and the mobile Internet gateway;
Step S304: parse the control plane message to obtain the user identification information field values such as MSISDN, IMSI and PDP activation time;
Step S306: re-encode these fields into one data block and send it to the log merge processing modules 4 connected to this module.
The distributed mobile Internet behaviour tracing systems of preferred embodiments 1 and 2 above use a distributed networking architecture, that is, multiple log merge processing modules 4 are arranged in the network in a distributed networking architecture.
The multiple merge processing modules 4 are each connected to the firewall log processing module 3; according to a round-robin policy, the sequentially numbered merge processing modules 4 take turns receiving the NAT translation information processed by the firewall log processing module 3 each time, so as to share equally the tasks of associating and merging user identification information with NAT translation information and of generating, querying and storing the user online log records;
The multiple merge processing modules 4 are each connected to the Radius message processing module 1 and the signalling collection processing module 2, and receive the user identification information that the Radius message processing module 1 or the signalling collection processing module 2 sends by broadcast.
Preferred embodiment 3:
The firewall log processing module 3 is connected to the NAT device of the network firewall, obtains the NAT logs from it and parses them into NAT translation information comprising the source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time and NAT end time; it packs the NAT translation information and sends it to the log merge processing module 4 for association and merging with the user identification information, private network IP address and private network port number sent by the Radius message processing module 1 or the signalling collection processing module 2;
FIG. 10 is a flowchart of the operation of the NAT log processing module 3 according to preferred embodiment 3 of the present invention. As shown in FIG. 10, the process includes the following steps:
Step S402: receive the NAT log data packets sent by the network firewall;
Step S404: parse the NAT log data packets to obtain the NAT translation information field values, namely the source private network IP address and port number, source public network IP address and port number, destination address and port number, NAT start time and NAT end time;
Step S406: reassemble the NAT translation information field values into a new data block and send it to the log merge processing module 4 connected to this module.
The log merge processing module 4 is connected to the Radius message processing module 1, the signalling collection processing module 2 and the firewall log processing module 3 respectively, and associates and merges the user identification information, private network IP address and private network port number sent by the Radius message processing module 1 or the signalling collection processing module 2 with the NAT translation information sent by the firewall log processing module 3 to generate detailed user online log records.
FIG. 11 is a structural diagram of the log merge processing module 4 in preferred embodiment 3 of the present invention. As shown in FIG. 11, the log merge processing module 4 mainly comprises the following parts:
First communication sub-module 401: connected to the Radius message processing module 1 and the signalling collection processing module 2, and configured to receive the user identification information, private network IP address and private network port number sent by either of them and push them to the processing queue sub-module 403;
Second communication sub-module 402: connected to the firewall log processing module 3, and configured to receive the NAT translation information sent by it, split it into individual NAT translation log records and push those records to the processing queue sub-module 403;
Processing queue sub-module 403: connected to the first communication sub-module 401 and the second communication sub-module 402, and configured to forward the user identification information, private network IP address and private network port number pushed by the first communication sub-module 401, and the NAT translation information pushed by the second communication sub-module 402, to the association and merge sub-module 404;
Association and merge sub-module 404 (performing the same function as the generating module 26 above): connected to the processing queue sub-module 403, and configured to receive the user identification information, private network IP address, private network port number and NAT translation information sent by the processing queue sub-module 403; it associates and merges them using the private network IP address as the key and the user identification information as the mapped value, generates complete user online log records and places them in the storage sub-module 405;
The association and merge sub-module 404 maintains a Map data structure keyed by private network IP address, with the user identification information as the mapped value. When the processing queue sub-module 403 dispatches user identification information, private network IP address and private network port number, the message is first parsed and the private network IP address field value is extracted, and the Map container is searched with that private network IP address as the key for a corresponding record. If none exists, the user identification information is added to the Map container; otherwise nothing is done.
When the processing queue sub-module 403 dispatches a firewall NAT translation information message, the private network IP address is extracted from it and the Map container is searched with that address as the key for a user identification information record. If one exists, the record is merged with the firewall NAT translation information to generate a complete user online log record comprising IMSI, MSISDN, source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time, NAT end time and protocol type. If no corresponding record exists, an online record is generated from the firewall NAT translation information alone (this record lacks the IMSI, MSISDN and other identification information).
Storage sub-module 405: connected to the association and merge sub-module 404, and configured to receive the user online log records and write them to the log storage module 6;
FIG. 12 is a data processing flowchart of the log merge processing module 4 according to preferred embodiment 3 of the present invention. As shown in FIG. 12, the flow includes the following steps:
Step S502: Receive, respectively, the firewall NAT translation information processed by the firewall log collection module 3 and the user identification information data packets processed by the Radius message processing module 1 or the signaling collection processing module 2.
Step S504: The received data packet is pushed to the processing queue sub-module 403. A packet is taken from the head of the queue, its packet type is parsed, and it is dispatched according to the corresponding policy. If the packet type is not a firewall NAT translation information packet, that is, it is a user identification information packet, step S506 is performed; otherwise step S514 is performed.
Step S506: Check the integrity of the user identification information packet. If it is complete, decode the packet to obtain field values such as the private IP address, port number, IMSI, MSISDN and PDP activation time; otherwise discard it.
Step S508: Using the private IP address as the key, look up whether a record for that key exists in the Map container. If not, perform step S510; otherwise perform step S512.
Step S510: Using the private IP address as the index key, add a record to the Map container, with the IMSI, MSISDN and PDP activation time field values from the user identification message as the record's mapped values. At the same time, start a timer indexed by that private IP address. When the timeout expires, the record is cleared from the Map container.
Step S512: Update the existing record values in the Map container with the values of the fields in the new message.
Step S514: Decapsulate the firewall NAT translation information packet, splitting it into a number of firewall NAT translation information message blocks.
Step S516: Check the validity of each data block and extract the private IP address field. Using that private IP address as the key, query whether the Map container holds a record for that key. If so, perform step S518; otherwise perform step S520.
Step S518: Determine the IP address type in the firewall NAT translation information data block, that is, take the IMSI number, MSISDN number and PDP activation time field values (the user identification information part) of the record in the Map container and recombine them with the source private IP address and port number, source public IP address and port number, destination IP address and port number, NAT start time, NAT end time and protocol type fields from the firewall NAT translation information record into one complete online log record containing the user information.
Step S520: Instead of obtaining the IMSI, MSISDN, PDP activation time and other field values from the Map container, set those field values directly to 0, then merge them with the firewall NAT translation information to reassemble an online log record that contains no user identification information.
Step S522: Write the merged user online log record to the log storage module 6 for storage.
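The correlation described by the association merge sub-module 404 and by steps S502 to S522, as an added Python example that is not part of the patent: packets are dispatched by type, user identification records live in a dict keyed by private IP with a per-record expiry standing in for the timer of step S510, and each NAT block is merged either with the matching user record or with zeroed identity fields. The field names, the `ttl_seconds` parameter and the sample packets in `demo()` are constructed for this example and are not the patent's own format.

```python
from dataclasses import dataclass

# Fields a user identification packet must carry (integrity check, step S506).
USER_FIELDS = ("private_ip", "port", "imsi", "msisdn", "pdp_activation_time")
# Fields every firewall NAT translation block must carry (validity check, S516).
NAT_FIELDS = ("src_private_ip", "src_private_port", "src_public_ip", "src_public_port",
              "dst_ip", "dst_port", "nat_start", "nat_end", "protocol")


@dataclass
class UserInfo:
    imsi: str
    msisdn: str
    pdp_activation_time: int
    expires_at: float  # stands in for the timer indexed by the private IP (S510)


class LogMerger:
    """Association merge logic: Map container keyed by private IP plus merge rules."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.map = {}       # private_ip -> UserInfo
        self.discarded = 0  # incomplete packets / invalid blocks that were dropped

    def _lookup(self, private_ip, now):
        info = self.map.get(private_ip)
        if info is not None and now >= info.expires_at:
            del self.map[private_ip]  # timer fired: clear the record (S510)
            return None
        return info

    def process(self, packet, now):
        """Dispatch one packet taken from the queue head (S504); returns merged records."""
        if packet.get("type") == "nat":
            return self._handle_nat(packet, now)
        self._handle_user_id(packet, now)
        return []

    def _handle_user_id(self, packet, now):
        if any(f not in packet for f in USER_FIELDS):
            self.discarded += 1  # incomplete packet: discard (S506)
            return
        info = self._lookup(packet["private_ip"], now)
        if info is None:  # S508 -> S510: add the record and arm its timer
            self.map[packet["private_ip"]] = UserInfo(
                packet["imsi"], packet["msisdn"], packet["pdp_activation_time"],
                now + self.ttl)
        else:             # S508 -> S512: overwrite the stored field values
            info.imsi, info.msisdn = packet["imsi"], packet["msisdn"]
            info.pdp_activation_time = packet["pdp_activation_time"]

    def _handle_nat(self, packet, now):
        records = []
        for block in packet.get("blocks", []):  # S514: one packet holds many blocks
            if any(f not in block for f in NAT_FIELDS):
                self.discarded += 1  # invalid block (S516)
                continue
            info = self._lookup(block["src_private_ip"], now)
            if info is None:  # S520: no user record, identity fields become 0
                ident = {"imsi": 0, "msisdn": 0, "pdp_activation_time": 0}
            else:             # S518: recombine the user info with the NAT fields
                ident = {"imsi": info.imsi, "msisdn": info.msisdn,
                         "pdp_activation_time": info.pdp_activation_time}
            records.append({**ident, **{f: block[f] for f in NAT_FIELDS}})
        return records  # S522: the caller writes these to the log store


def demo(ttl_seconds=3600):
    """Constructed packets: one known subscriber, one unknown private IP, then expiry."""
    merger = LogMerger(ttl_seconds)
    user_pkt = {"type": "user_id", "private_ip": "10.20.0.5", "port": 0,
                "imsi": "460001234567890", "msisdn": "8613800000000",
                "pdp_activation_time": 1000}
    nat_block = {"src_private_ip": "10.20.0.5", "src_private_port": 40001,
                 "src_public_ip": "203.0.113.7", "src_public_port": 50001,
                 "dst_ip": "198.51.100.9", "dst_port": 443,
                 "nat_start": 1200, "nat_end": 1260, "protocol": "TCP"}
    unknown = dict(nat_block, src_private_ip="10.20.0.9")
    nat_pkt = {"type": "nat", "blocks": [nat_block, unknown]}
    merger.process(user_pkt, now=1000)
    early = merger.process(nat_pkt, now=1300)               # within the timer
    late = merger.process(nat_pkt, now=1000 + ttl_seconds)  # timer has fired
    return early, late, merger.discarded
```

Because the match is made on the private IP alone, the timer of step S510 is the only bound on how long a stale record can be attached to a later session on a reused address, so its length needs to track how quickly the private address pool is recycled.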
To make it convenient for administrators to query the stored user online log records, as shown in FIG. 13, a corresponding application service module 5 is also provided and connected to the log merge processing module 4. The application service module 5 includes an online log query terminal 501, configured to provide a query interface for query personnel; the query interface receives the entered user online log record query conditions, sends them to the log merge processing module 4 connected to it, and displays the user online log records returned by the log merge processing module 4 for the query personnel to review;
Correspondingly, the log merge processing module 4 is provided with a third communication sub-module 406 that interfaces with the online log query terminal 501. The third communication sub-module 406 is configured to receive the query request command containing the query conditions sent by the online log query terminal 501, parse the query conditions and send them to the query sub-module 407 (performing the same function as the feedback module 54 described above), and is also configured to return the query results to the online log query terminal 501. The query sub-module 407 contains an efficient query algorithm, is connected to the log storage module 6, and is configured to perform the lookup and matching in the log storage module 6 according to the query conditions and return the results to the third communication sub-module 406.
The user online log record query conditions include: the start time and end time of the user online log record, and the public network IP address used by the user. The query results include: IMSI, MSISDN, source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time, NAT end time and protocol type.
FIG. 14 is a flowchart of querying user online log records according to preferred embodiment 3 of the present invention. As shown in FIG. 14, the flow includes the following steps:
Step S602: The user enters the query conditions at the online log query terminal 51 of the application service processing module 5, including: start time, end time and public network IP address.
Step S604: The application service processing module 5 sends the query request packet to the log merge processing module 4 connected to it.
Step S606: The log merge processing module 4 detects the arrival of a query request packet, converts the query conditions in the packet into: start date, end date, session hour and public network IP address, and searches the connected log storage module (LSU) for log records meeting the conditions.
Step S608: The log merge processing module 4 assembles all log records meeting the conditions into packets and sends them to the application service processing module 5.
Step S610: The application service processing module 5 receives the query result packets returned by each log merge processing module 4 and displays the final result on the query interface of the application service processing module 5.
As shown in FIG. 13, the application service module 5 also provides a corresponding network management configuration terminal 502 for managing and configuring the network. The network management configuration terminal 502 is connected to the Radius message processing module 1, the signaling collection processing module 2 and the firewall log processing module 3 respectively, and is used to set:
the mobile internet network management address that the Radius message processing module 1 needs to connect to;
the address of the switch providing the user control plane mirror interface that the signaling collection processing module 2 needs to connect to;
the firewall address that the firewall log processing module 3 needs to connect to; and,
the addresses of the Radius message processing module 1 and the firewall log processing module 3 that the log merge processing module 4 needs to connect to.
Through the above embodiments and preferred implementations, probes are deployed to collect the user control plane signaling messages GTP-C (GPRS Tunnelling Protocol-Control) in the network, or the Radius messages sent by the mobile internet gateway are collected (one of the two is chosen depending on the network topology), and these are combined with the firewall NAT logs to establish the correspondence between key user information such as the IMSI and MSISDN number and the public network IP address used when accessing the Internet. Detailed online log records are thus formed, stored and made available through a query system. This solves the problem in the related art that, in actual network deployments of mobile internet behaviour tracing methods and systems, user online log records cannot be obtained when Radius messages are unavailable, and it provides the national security supervision department with query support for mobile user online data. At the same time, when network traffic is heavy, the above online log generation method and device can prevent the communication link from being interrupted and the entire log collection system from being paralysed as a result, giving very strong reliability and scalability.
Obviously, those skilled in the art should understand that the modules or steps of the above embodiments of the present invention can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented with program code executable by the computing devices, so that they can be stored in a storage device and executed by the computing devices, and in some cases the steps shown or described can be performed in an order different from that given here, or they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above is only the preferred embodiment of the present invention and is not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Industrial applicability
As described above, the above embodiments and preferred implementations solve the problem in the related art that the user's private network information cannot be obtained through Radius messages and therefore cannot be combined with the NAT information to generate the user's log information. By obtaining the user's private network information through GTP-C, they not only provide the national security supervision department with query support for mobile user online data, but also offer very strong reliability and scalability.

Claims (10)

  1. An online log generation method, comprising:
    obtaining the private network information of a user through the user control plane message GTP-C of the network;
    obtaining the network address translation (NAT) information of the user;
    generating the online log of the user according to the obtained private network information and the NAT information.
  2. The method according to claim 1, wherein, before obtaining the private network information of the user through the user control plane message GTP-C of the network, the method further comprises:
    determining whether the right to obtain the private network information from Radius messages is available;
    if the determination result is no, obtaining the private network information of the user through the GTP-C of the network.
  3. The method according to claim 2, wherein, after determining whether the right to obtain the private network information from Radius messages is available, the method further comprises:
    if the determination result is yes, obtaining the private network information from the Radius message via the network gateway;
    generating the online log of the user according to the private network information obtained from the Radius message and the NAT information.
  4. The method according to claim 1, wherein, after generating the online log of the user according to the obtained private network information and the NAT information, the method further comprises:
    receiving a query request for querying the user's online log;
    returning the query result to the query requester according to the received query request.
  5. The method according to any one of claims 1 to 4, wherein the private network information of the user comprises at least one of the following:
    International Mobile Subscriber Identity (IMSI), Mobile Subscriber International Number (MSISDN) and Packet Data Protocol (PDP) activation time.
  6. The method according to any one of claims 1 to 4, wherein the NAT information of the user comprises at least one of the following:
    source private network IP address, source private network port number, source public network IP address, source public network port number, destination IP address, destination port number, NAT start time and NAT end time.
  7. An online log generation device, comprising:
    a first obtaining module, configured to obtain the private network information of a user through the user control plane message GTP-C of the network;
    a second obtaining module, configured to obtain the network address translation (NAT) information of the user;
    a generation module, configured to generate the online log of the user according to the obtained private network information and the NAT information.
  8. The device according to claim 7, further comprising:
    a determination module, configured to determine whether the right to obtain the private network information from Radius messages is available;
    wherein the first obtaining module is further configured to obtain the private network information of the user through the GTP-C of the network if the determination result of the determination module is no.
  9. The device according to claim 8, further comprising:
    a third obtaining module, configured to obtain the private network information from the Radius message via the network gateway if the determination result of the determination module is yes;
    wherein the generation module is further configured to generate the online log of the user according to the private network information obtained from the Radius message and the NAT information.
  10. The device according to claim 7, further comprising:
    a receiving module, configured to receive a query request for querying the user's online log;
    a feedback module, configured to return the query result to the query requester according to the received query request.
Application PCT/CN2015/082563, priority date 2014-11-03, filing date 2015-06-26: Network log generation method and device, WO2016070633A1 (en)

Applications claiming priority (2): CN201410614457.1A (CN105635329A, priority date 2014-11-03, filing date 2014-11-03, "Online log generation method and apparatus"); CN201410614457.1 (2014-11-03)

Publication: WO2016070633A1, published 2016-05-12

Also published as: CN105635329A, 2016-06-01


Legal events:
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number 15857804, country EP, kind code A1)
NENP Non-entry into the national phase (ref country code DE)
122 Ep: pct application non-entry in european phase (ref document number 15857804, country EP, kind code A1)