WO2016119420A1 - Method, apparatus and communication gateway for detecting malicious access to network resources - Google Patents


Info

Publication number: WO2016119420A1
Authority: WO (WIPO (PCT))
Prior art keywords: service request, user information, request message, internet service, internet
Application number: PCT/CN2015/085435
Other languages: French (fr), Chinese (zh)
Inventor: 左建勋
Original Assignee: 中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2016119420A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • This application relates to, but is not limited to, the field of mobile Internet technology.
  • The application content provider needs to know various attributes of the user, such as the mobile phone number and the operator network name, when the user accesses different services, for purposes of marketing or service authentication.
  • The operator provides the user information to the application content provider by having the gateway node insert header fields into the user's Internet request messages, mainly HTTP (Hypertext Transfer Protocol) messages.
  • The application content provider then applies different content-providing strategies according to the user information.
  • This document provides a malicious access detection method, device and communication gateway for network resources, which prevent the application content provider from extracting untrue user information from the user's Internet request message.
  • A method for detecting malicious access to network resources includes: checking an Internet service request message sent by a communication terminal over the mobile Internet, and executing a corresponding service disposition policy according to the check result.
  • In one option, the checking includes: extracting the user information identification field from the header field of the Internet service request message; and determining whether the extracted field appears in a pre-stored Internet service request header field name group, the message being judged abnormal if it does and normal if it does not.
  • In another option, the checking includes the same extraction and lookup, but a field that does appear in the group is then compared with the real user information: the message is judged normal if the user information matches and abnormal otherwise.
  • Each header field name in the Internet service request header field name group corresponds to a user information identifier.
  • The type of the user information includes at least one of the following: the user's mobile phone number, the cell location information of the user, the user's IMSI (International Mobile Subscriber Identification Number), the user's IP address, and the user's IMEI (International Mobile Equipment Identity).
  • The real user information is obtained from the context of the session established when the communication terminal accessed the mobile Internet.
  • Executing a corresponding service disposition policy according to the check result includes: if the Internet service request message is judged normal, providing it to the application content provider; if it is judged abnormal, executing a service prohibition policy, a service correction policy, or a service redirection policy.
  • The service prohibition policy includes: discarding the Internet service request message.
  • The service correction policy includes: modifying the user information corresponding to the field in the header field of the Internet service request message so that it is consistent with the corresponding real user information, and then providing the message to the application content provider.
  • The service redirection policy includes: responding to the Internet service request message by jumping to a set page that prompts the user that the request is abnormal.
  • A malicious access detecting device for network resources comprises:
  • a checking module, configured to check the Internet service request message sent by the communication terminal over the mobile Internet; and
  • a disposition module, configured to execute a corresponding service disposition policy according to the check result.
  • In one option, the checking module includes:
  • an extraction module, configured to extract the user information identification field from the header field of the Internet service request message sent by the communication terminal over the mobile Internet; and
  • a determining module, configured to determine whether the extracted user information identification field appears in the pre-stored Internet service request header field name group, and if so to judge the message abnormal, otherwise to judge it normal; each header field name in the group corresponds to a user information identifier.
  • In another option, the checking module includes:
  • an extraction module, configured as above;
  • a first determining module, configured to determine whether the extracted user information identification field appears in the pre-stored Internet service request header field name group, and if so to invoke the second determining module, otherwise to judge the message normal; each header field name in the group corresponds to a user information identifier; and
  • a second determining module, configured to determine whether the user information corresponding to the user information identification field is consistent with the real user information, and if so to judge the message normal, otherwise to judge it abnormal.
  • A communication gateway includes the above malicious access detecting device for network resources.
  • A computer readable storage medium stores computer executable instructions for performing any of the above methods.
  • The embodiments of the present invention can effectively prevent illegal users from using network resources in the mobile Internet as if they were normal users.
  • The intrusion of malicious users is prevented, and the network quality of the application content provider is improved.
  • FIG. 1 is a flowchart of a method for detecting malicious access to a network resource according to a first embodiment of the present invention
  • FIG. 3 is a flowchart of step S102 of the second embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a device for detecting a malicious access to a network resource according to a third embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a device for detecting a malicious access to a network resource according to a fourth embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of processing a malicious access network resource according to a fifth embodiment of the present invention.
  • A first embodiment of the present invention is a malicious access detection method for network resources. As shown in FIG. 1, the method includes the following steps:
  • Step S101: after the communication terminal has established a data-service network connection with the application content provider, it sends an Internet service request message to the application content provider.
  • The type of the Internet service request message includes: an HTTP message, an FTP (File Transfer Protocol) message, and an RTSP (Real Time Streaming Protocol) message.
  • Step S102: the communication gateway checks the Internet service request message sent by the communication terminal over the mobile Internet.
  • Step S102 includes:
  • the communication gateway extracts the user information identification field from the header field of the Internet service request message sent by the communication terminal over the mobile Internet;
  • the communication gateway determines whether the extracted user information identification field is present in the pre-stored Internet service request header field name group, and if so judges the message abnormal, otherwise judges it normal.
  • The Internet service request header field name group consists of preset header field names that the communication gateway itself inserts into the header field of the request message. These names serve as user information identifiers: the application content provider searches for an identifier and reads the user information that follows it.
  • Step S103: the communication gateway executes a corresponding service disposition policy according to the check result.
  • Step S103 includes:
  • if the Internet service request message is judged normal, the communication gateway provides it to the application content provider;
  • if the Internet service request message is judged abnormal, the communication gateway executes a service prohibition policy, a service correction policy, or a service redirection policy.
  • The service prohibition policy includes: discarding the Internet service request message.
  • The service correction policy includes: modifying the user information corresponding to the user information identifier field in the header field of the Internet service request message so that it is consistent with the corresponding real user information, and then providing the message to the application content provider.
  • The service redirection policy includes: responding to the Internet service request message by jumping to a set page that prompts the user that the request is abnormal.
  • The reasoning behind this way of judging whether the Internet service request message is abnormal is that a normal request message carries no extra information in its header field before it reaches the operator's communication gateway; only the communication gateway inserts information into the header field, and the application content provider then searches for and extracts it. Therefore, if additional information is found in the header field of the Internet service request message, the message has been maliciously tampered with and is an abnormal message.
  • The second embodiment of the present invention is also a method for detecting malicious access to a network resource.
  • The method in this embodiment is substantially the same as in the first embodiment; the difference is that, as shown in FIG. 3, the check flow of step S102 differs from that of the first embodiment.
  • The check flow in step S102 includes the following steps:
  • Step B2: determine whether the extracted user information identification field is present in the pre-stored Internet service request header field name group; if so, execute step B3; if not, judge the Internet service request message normal and end the check. Each header field name in the group corresponds to a user information identifier; for example, if the header field name "Call-ID" is the identifier of the user's mobile phone number, then the user information corresponding to that header field name is the user's mobile phone number.
  • Step B3: determine whether the user information corresponding to the user information identification field is consistent with the real user information; if so, judge the Internet service request message normal, otherwise judge it abnormal.
  • The type of the user information includes at least one of the following: the user's mobile phone number, the cell location information of the user, the user's IMSI, the user's IP address, and the user's IMEI.
  • The real user information is obtained from the context of the session established when the communication terminal accessed the mobile Internet.
  • The reasoning behind this way of judging whether the Internet service request message is abnormal is that the message is allowed to carry additional information in its header field before it reaches the operator's communication gateway, but the inserted user information must be guaranteed to match the corresponding real user information.
  • The third embodiment of the present invention corresponds to the first embodiment.
  • This embodiment introduces a malicious access detecting device for network resources. As shown in FIG. 4, it includes the following components:
  • The checking module 100 is configured to check the Internet service request message sent by the communication terminal over the mobile Internet.
  • The checking module 100 includes:
  • the extracting module 101, configured to extract the user information identification field from the header field of the Internet service request message sent by the communication terminal over the mobile Internet;
  • the determining module 102, configured to determine whether the extracted user information identification field is present in the pre-stored Internet service request header field name group, and if so to judge the message abnormal, otherwise to judge it normal.
  • Each header field name in the Internet service request header field name group corresponds to a user information identifier.
  • The disposition module 200 is configured to execute a corresponding service disposition policy according to the check result.
  • The disposition module 200 is configured so that:
  • if the Internet service request message is judged normal, the communication gateway provides it to the application content provider;
  • if the Internet service request message is judged abnormal, the communication gateway executes a service prohibition policy, a service correction policy, or a service redirection policy.
  • The service prohibition policy includes: discarding the Internet service request message.
  • The service correction policy includes: modifying the user information corresponding to the field in the header field of the Internet service request message so that it is consistent with the corresponding real user information, and then providing the message to the application content provider.
  • The service redirection policy includes: responding to the Internet service request message by jumping to a set page that prompts the user that the request is abnormal.
  • The checking module 100 judges whether the Internet service request message is abnormal on the following basis:
  • a normal Internet service request message carries no additional information in its header field before it reaches the operator's communication gateway; only the communication gateway inserts information into the header field, which the application content provider then searches for and extracts. Therefore, if additional information is found in the header field of the Internet service request message, the message has been maliciously tampered with and is an abnormal message.
  • The fourth embodiment of the present invention corresponds to the second embodiment.
  • This embodiment introduces a malicious access detection device for network resources. As shown in FIG. 5, it includes the following components:
  • The checking module 100 is configured to check the Internet service request message sent by the communication terminal over the mobile Internet.
  • The checking module 100 includes:
  • the extracting module 101, configured to extract the user information identification field from the header field of the Internet service request message sent by the communication terminal over the mobile Internet;
  • the first determining module 103, configured to determine whether the extracted user information identification field is present in the pre-stored Internet service request header field name group, and if so to invoke the second determining module 104, otherwise to judge the message normal. Each header field name in the group corresponds to a user information identifier; for example, if the header field name "Call-ID" is the identifier of the user's mobile phone number, then the user information corresponding to that header field name is the user's mobile phone number.
  • the second determining module 104, configured to determine whether the user information corresponding to the user information identification field is consistent with the real user information, and if so to judge the Internet service request message normal, otherwise to judge it abnormal.
  • The type of the user information includes at least one of the following: the user's mobile phone number, the cell location information of the user, the user's IMSI, the user's IP address, and the user's IMEI.
  • The real user information is obtained from the context of the session established when the communication terminal accessed the mobile Internet.
  • The checking module 100 judges whether the Internet service request message is abnormal on the following basis:
  • the Internet service request message is allowed to carry additional information in its header field before it reaches the operator's communication gateway, but the additionally inserted user information must be guaranteed to match the corresponding real user information.
  • The disposition module 200 is configured to execute a corresponding service disposition policy according to the check result.
  • The service disposition policies executed by the disposition module 200 in this embodiment are the same as in the third embodiment and are therefore not described again here.
  • The fifth embodiment of the present invention builds on the third and fourth embodiments.
  • The communication gateway of this embodiment includes the malicious access detecting device for network resources of the third and fourth embodiments.
  • The communication gateway of this embodiment can be understood as a physical device.
  • The sixth embodiment of the present invention builds on the foregoing embodiments; an application example of the present invention is described with reference to FIG. 6, taking as an example a communication terminal that accesses a web page via an HTTP message.
  • The first case (the first line of FIG. 6): the communication terminal of the normal user A sends an Internet service request message based on the HTTP protocol whose header field carries "GET HTTP://www.xxx.cn\r\n". The message is transmitted via the base station to the operator's communication gateway, which inserts into the header field of the Internet service request message the user's mobile phone number identifier "Call-ID" followed by user A's mobile phone number.
  • The application content provider finds the user's mobile phone number identifier, extracts the user's mobile phone number, and performs service authentication or marketing activities.
  • The second case: the illegal user A evades the authentication of the application content provider by maliciously constructing the header field content of the HTTP message.
  • The communication terminal used by the user enters the mobile phone number identifier "Call-ID" and the mobile phone number of user B in the header field of the Internet service request message, and the message arrives at the operator's communication gateway.
  • The communication gateway further inserts user A's mobile phone number into the header field of the message, so the application content provider is likely to obtain the wrong information, and the authentication of the application content provider is evaded.
  • The third case, which is the application example of the present invention: a malicious access detecting device for network resources is deployed at the operator's communication gateway. While the illegal user A is performing the service, although the terminal inserts a mobile phone number into the header field of the Internet service request message, the operator's communication gateway intelligently identifies the scenario and processes the abnormal message by service correction, service prohibition, or service redirection, ensuring that the mobile number obtained by the application content provider is always correct.
  • The detection process of the third case is as follows:
  • Step 601: after the mobile phone user A and the application content provider complete the TCP/IP three-way handshake, the mobile phone user A sends an HTTP request message to the application content provider over the mobile Internet, having maliciously modified the header field of the HTTP request message on the user A side. The header field of the constructed HTTP message is as follows:
  • Step 602: the operator's communication gateway intercepts the HTTP request message and extracts a field "Call-ID", which matches a header field name in the HTTP header field name group pre-stored in the communication gateway; the content corresponding to the field, "137xxxxxxxx", does not match the user's real mobile number, so the message is identified as an abnormal message.
  • Step 603: the service is controlled according to the control policy pre-stored in the communication gateway for abnormal messages.
  • The control policy in the communication gateway can be set as a service correction policy (policy 1), a service drop policy (policy 2), or a service redirection policy (policy 3).
  • This application example deploys the detection device on the communication gateway to prevent the intrusion of illegal users and improve the network quality of the application content service provider.
  • The malicious access detection method, device and communication gateway for network resources in the embodiments of the invention can effectively prevent illegal users from using network resources in the mobile Internet as if they were normal users.
  • All or part of the steps of the above embodiments may also be implemented using integrated circuits: the steps may be fabricated separately as individual integrated circuit modules, or several modules or steps may be fabricated as a single integrated circuit module.
  • The devices, function modules and functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralised on a single computing device or distributed over a network of multiple computing devices.
  • When a device, function module or functional unit in the above embodiments is implemented in the form of a software function module and sold or used as a stand-alone product, it may be stored in a computer readable storage medium.
  • The above-mentioned computer readable storage medium may be a read-only memory, a magnetic disk, an optical disk or the like.
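
The check and disposition steps above (steps S102 and S103 of the first embodiment, steps B2 and B3 of the second, and steps 601 to 603 of the application example), worked through as an added Python example that is not code from the patent or its assignee. The pre-stored header field name group, the session context (an in-memory dictionary standing in for the gateway's session state), the header name "X-IMSI", the redirect page URL and all sample numbers are constructed assumptions; only "Call-ID" and the "137xxxxxxxx" value follow the patent's own example.

```python
"""Gateway-side check of operator-inserted HTTP header fields.

Added example; not code from the patent or its assignee. It models the
presence check (S102), the presence-plus-consistency check (B2/B3) and the
three disposition policies (S103, steps 601-603). Session context, the
"X-IMSI" name, the redirect page and all numbers are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Pre-stored header field name group: each header name the gateway inserts,
# mapped to the user information identifier it carries. "Call-ID" for the
# mobile number follows the patent's example; "X-IMSI" is an assumed name.
HEADER_NAME_GROUP: Dict[str, str] = {"Call-ID": "msisdn", "X-IMSI": "imsi"}
_GROUP_LOWER = {n.lower(): (n, ident) for n, ident in HEADER_NAME_GROUP.items()}

REDIRECT_PAGE = "http://gateway.invalid/abnormal-request"  # assumed "set page"

Header = Tuple[str, str]


class Verdict(Enum):
    NORMAL = "normal"
    ABNORMAL = "abnormal"


class Policy(Enum):
    CORRECT = 1   # policy 1: rewrite the tampered values to the real ones
    FORBID = 2    # policy 2: discard the request
    REDIRECT = 3  # policy 3: answer with a jump to the set page


@dataclass
class Disposition:
    action: str               # "forward", "drop" or "redirect"
    payload: Optional[bytes]  # request to forward, or response to the terminal


def parse_request(raw: bytes) -> Tuple[str, List[Header]]:
    """Split an HTTP/1.x request head into its request line and (name, value) headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def check_presence(headers: List[Header]) -> Verdict:
    """First embodiment (S102): a normal terminal never sends a header from the
    pre-stored group, so its mere presence marks the request as abnormal."""
    tampered = any(name.lower() in _GROUP_LOWER for name, _ in headers)
    return Verdict.ABNORMAL if tampered else Verdict.NORMAL


def check_consistency(headers: List[Header], session_ctx: Dict[str, str]) -> Verdict:
    """Second embodiment (B2/B3): a header from the group is tolerated only if
    its value equals the real user information held in the session context."""
    for name, value in headers:
        entry = _GROUP_LOWER.get(name.lower())
        if entry is not None and value != session_ctx.get(entry[1]):
            return Verdict.ABNORMAL
    return Verdict.NORMAL


def with_real_info(headers: List[Header], session_ctx: Dict[str, str]) -> List[Header]:
    """Remove every header from the group and re-insert each with the real value.
    This is both the gateway's normal insertion and the service correction policy."""
    kept = [(n, v) for n, v in headers if n.lower() not in _GROUP_LOWER]
    for name, ident in HEADER_NAME_GROUP.items():
        if ident in session_ctx:
            kept.append((name, session_ctx[ident]))
    return kept


def rebuild(request_line: str, headers: List[Header]) -> bytes:
    """Serialise the request head again for forwarding to the content provider."""
    lines = [request_line] + ["%s: %s" % h for h in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def dispose(raw: bytes, session_ctx: Dict[str, str], policy: Policy,
            consistency: bool = False) -> Disposition:
    """Check the request (presence or consistency variant) and apply the policy."""
    request_line, headers = parse_request(raw)
    verdict = check_consistency(headers, session_ctx) if consistency else check_presence(headers)
    if verdict is Verdict.NORMAL or policy is Policy.CORRECT:
        # Normal path and correction policy both forward with the real user information.
        return Disposition("forward", rebuild(request_line, with_real_info(headers, session_ctx)))
    if policy is Policy.FORBID:
        return Disposition("drop", None)
    response = "HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n" % REDIRECT_PAGE
    return Disposition("redirect", response.encode("ascii"))


# Constructed session context for user A, as learned when the terminal attached.
SESSION_CTX_A = {"msisdn": "138xxxxxxxx", "imsi": "46000xxxxxxxxxx"}

# Constructed requests: a clean one, and one where user A's terminal pre-inserts
# another subscriber's number (the step 601 scenario).
CLEAN = b"GET http://www.xxx.cn/ HTTP/1.1\r\nHost: www.xxx.cn\r\n\r\n"
TAMPERED = (b"GET http://www.xxx.cn/ HTTP/1.1\r\nHost: www.xxx.cn\r\n"
            b"Call-ID: 137xxxxxxxx\r\n\r\n")

if __name__ == "__main__":
    for policy in Policy:
        result = dispose(TAMPERED, SESSION_CTX_A, policy)
        print(policy.name, result.action, result.payload)
```

Running the block prints how the tampered request of step 601 fares under each policy: policy 1 forwards it with the real Call-ID value, policy 2 drops it, and policy 3 answers the terminal with a 302 to the set page. Passing `consistency=True` selects the second embodiment's check, which accepts a terminal-inserted header only when its value already equals the session's real value; the default presence check rejects any such header outright, matching the first embodiment's reasoning that nothing from the group should exist before the gateway.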

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This article discloses a method, apparatus and communication gateway for detecting malicious access to network resources. The method comprises: checking internet service request messages sent by a communication terminal based on a mobile Internet; and executing the corresponding service processing strategy according to checking results. The apparatus comprises a checking module and a processing module.

Description

Malicious access detection method, device and communication gateway for network resources
Technical field
This application relates to, but is not limited to, the field of mobile Internet technology.
Background technique
With the rapid development of the mobile Internet, portals and apps of all kinds keep appearing, and cooperation between operators and content providers grows ever closer. For marketing or service authentication, an application content provider needs to learn various attributes of the user, such as the mobile phone number and the operator network name, when the user accesses different services. The operator provides this user information to the application content provider by inserting header fields, at the gateway node, into the user's Internet request messages, mainly HTTP (Hypertext Transfer Protocol) messages, so that the application content provider can apply different content-providing strategies according to the user information.
However, a class of malicious applications has now appeared on mobile phones that inserts information in advance into the header field of the HTTP messages the user sends, hindering or confusing the application content provider's extraction of the real information from the header field of the Internet request message and causing business losses.
Summary of the invention
The following is an overview of the subject matter described in detail in this document. This overview is not intended to limit the scope of protection of the claims.
This document provides a malicious access detection method, device and communication gateway for network resources, which prevent an application content provider from extracting untrue user information from a user's Internet request message.
A method for detecting malicious access to network resources includes:
checking an Internet service request message sent by a communication terminal over the mobile Internet; and
executing a corresponding service disposition policy according to the check result.
As an optional technical solution, checking the Internet service request message sent by the communication terminal over the mobile Internet includes:
extracting a user information identification field from the header field of the Internet service request message sent by the communication terminal over the mobile Internet; and
determining whether the extracted user information identification field appears in a pre-stored Internet service request header field name group, and if so judging the Internet service request message abnormal, otherwise judging it normal; each header field name in the Internet service request header field name group corresponds to a user information identifier.
As another optional technical solution, checking the Internet service request message sent by the communication terminal over the mobile Internet includes:
extracting a user information identification field from the header field of the Internet service request message sent by the communication terminal over the mobile Internet; and
determining whether the extracted user information identification field appears in a pre-stored Internet service request header field name group:
if not, judging the Internet service request message normal and ending the check;
if so, determining whether the user information corresponding to the user information identification field is consistent with the real user information, and if so judging the Internet service request message normal, otherwise judging it abnormal;
each header field name in the Internet service request header field name group corresponds to a user information identifier.
Optionally, the type of the user information includes at least one of the following: the user's mobile phone number, the cell location information of the user, the user's IMSI (International Mobile Subscriber Identification Number), the user's IP address, and the user's IMEI (International Mobile Equipment Identity);
the real user information is obtained from the context of the session established when the communication terminal accessed the mobile Internet.
Optionally, executing a corresponding service disposition policy according to the check result includes:
if the Internet service request message is judged normal, providing it to an application content provider;
if the Internet service request message is judged abnormal, executing a service prohibition policy, a service correction policy, or a service redirection policy.
Optionally, the service prohibition policy includes: discarding the Internet service request message;
the service correction policy includes: modifying the user information corresponding to the field in the header field of the Internet service request message so that it is consistent with the corresponding real user information, and then providing the Internet service request message to the application content provider;
the service redirection policy includes: responding to the Internet service request message by jumping to a set page that prompts the user that the Internet service request is abnormal.
A malicious access detection apparatus for network resources includes:
a checking module, configured to check an Internet service request message sent by a communication terminal over the mobile Internet;
a disposition module, configured to execute a corresponding service disposition policy according to the check result.
As one optional technical solution, the checking module includes:
an extraction module, configured to extract a user information identifier field from the header of the Internet service request message sent by the communication terminal over the mobile Internet;
a judging module, configured to determine whether the extracted user information identifier field appears in the pre-stored header field name group for Internet service request messages, and if so to determine that the Internet service request message is abnormal, and if not to determine that the Internet service request message is normal; each header field name in the header field name group corresponds to a respective user information identifier.
As another optional technical solution, the checking module includes:
an extraction module, configured to extract a user information identifier field from the header of the Internet service request message sent by the communication terminal over the mobile Internet;
a first judging module, configured to determine whether the extracted user information identifier field appears in the pre-stored header field name group for Internet service request messages, and if so to invoke a second judging module, and if not to determine that the Internet service request message is normal; each header field name in the header field name group corresponds to a respective user information identifier;
a second judging module, configured to determine whether the user information corresponding to the user information identifier field is consistent with the real user information, and if so to determine that the Internet service request message is normal, and if not to determine that the Internet service request message is abnormal.
A communication gateway includes the malicious access detection apparatus for network resources described above.
A computer-readable storage medium stores computer-executable instructions for performing any one of the methods described above.
The embodiments of the present invention can effectively prevent illegal users from using network resources in the mobile Internet as though they were legitimate users. Malicious user intrusion is blocked at the communication gateway, which improves the network quality of the application content provider.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief description of the drawings
FIG. 1 is a flowchart of the malicious access detection method for network resources according to the first embodiment of the present invention;
FIG. 2 is a flowchart of step S102 in the first embodiment of the present invention;
FIG. 3 is a flowchart of step S102 in the second embodiment of the present invention;
FIG. 4 is a schematic structural diagram of the malicious access detection apparatus for network resources according to the third embodiment of the present invention;
FIG. 5 is a schematic structural diagram of the malicious access detection apparatus for network resources according to the fourth embodiment of the present invention;
FIG. 6 is a schematic flowchart of the handling of malicious access to network resources according to the fifth embodiment of the present invention.
Embodiments of the invention
First embodiment of the present invention: a malicious access detection method for network resources. As shown in FIG. 1, the method includes the following steps:
Step S101: after the communication terminal has established a data-service network connection with the application content provider over the mobile Internet, it sends an Internet service request message to the application content provider.
The types of Internet service request message include HTTP messages, FTP (File Transfer Protocol) messages and RTSP (Real Time Streaming Protocol) messages.
Step S102: the communication gateway checks the Internet service request message sent by the communication terminal over the mobile Internet.
As shown in FIG. 2, step S102 includes:
A1: the communication gateway extracts the user information identifier field from the header of the Internet service request message sent by the communication terminal over the mobile Internet;
A2: the communication gateway determines whether the extracted user information identifier field appears in the pre-stored header field name group for Internet service request messages; if so, it determines that the Internet service request message is abnormal, and if not, it determines that the message is normal. The header field name group contains a preset set of name fields that the communication gateway itself is responsible for inserting into the header of Internet service request messages; these name fields serve as user information identifiers, which the application content provider looks up in order to extract the corresponding user information that follows each identifier.
Step S103: the communication gateway executes the corresponding service disposition policy according to the check result.
Step S103 includes:
if the Internet service request message is determined to be normal, the communication gateway provides the Internet service request message to the application content provider;
if the Internet service request message is determined to be abnormal, the communication gateway executes a service prohibition policy, a service correction policy or a service redirection policy.
The service prohibition policy includes discarding the Internet service request message;
the service correction policy includes modifying the user information corresponding to the user information identifier field in the header of the Internet service request message so that it is consistent with the corresponding real user information, and then providing the Internet service request message to the application content provider;
the service redirection policy includes responding to the Internet service request message by redirecting to a preset page that informs the user that the Internet service request is abnormal.
In this embodiment, the rationale for judging whether an Internet service request message is abnormal is that a normal Internet service request message carries no additionally inserted information in its header before it reaches the operator's communication gateway; only the communication gateway inserts information into the header of the message, for the application content provider to look up and extract. Therefore, if additionally inserted information is found in the header of an Internet service request message, the message has been maliciously tampered with and is an abnormal message.
Second embodiment of the present invention: a malicious access detection method for network resources. The method of this embodiment is substantially the same as that of the first embodiment; the difference, as shown in FIG. 3, is that the checking procedure of step S102 in this embodiment differs from that of the first embodiment.
The checking procedure in step S102 includes the following steps:
B1: extracting the user information identifier field from the header of the Internet service request message sent by the communication terminal over the mobile Internet;
B2: determining whether the extracted user information identifier field appears in the pre-stored header field name group for Internet service request messages; if so, executing step B3; if not, determining that the Internet service request message is normal and ending the checking procedure. Each header field name in the header field name group corresponds to a respective user information identifier; for example, if the header field name "Call-ID" is the identifier of the user's mobile phone number, then the user information corresponding to that header field name is the user's mobile phone number.
B3: determining whether the user information corresponding to the user information identifier field is consistent with the real user information; if so, determining that the Internet service request message is normal, and if not, determining that the Internet service request message is abnormal.
The kinds of user information include at least one of the following: the user's mobile phone number, the cell location information of the user, the user's IMSI, the user's IP address, and the user's IMEI.
The real user information is obtained from the context of the session established when the communication terminal accesses the mobile Internet.
In this embodiment, the rationale for judging whether an Internet service request message is abnormal is to tolerate information that has already been inserted into the header of the message before it reaches the operator's communication gateway, provided that the additionally inserted user information matches the corresponding real user information.
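The two checking procedures (steps A1 and A2 of the first embodiment, steps B1 to B3 of the second) as an added Python example; this is illustration code written for this page, not code from the patent or its assignee. The "Call-ID" entry of the header field name group follows the page's example, while the other entries, the session-context values and the sample requests are constructed assumptions.

```python
"""Gateway-side check of the header of an Internet service request message.

Added example (not the patent's own code). Two checking flows:
  - strict (first embodiment, step A2): any pre-stored header field name
    already present in the message as received from the terminal makes the
    message abnormal, because only the gateway is supposed to insert them;
  - tolerant (second embodiment, steps B2-B3): such a field is accepted only
    if its value equals the real user information from the session context.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Pre-stored header field name group: header field name -> kind of user
# information it identifies. "Call-ID" -> mobile phone number is the page's
# example; the other entries are assumed for illustration.
HEADER_NAME_GROUP: Dict[str, str] = {
    "call-id": "msisdn",
    "x-imsi": "imsi",
    "x-imei": "imei",
    "x-cell-id": "cell",
}

# Constructed session context for the sending terminal, as the gateway holds
# it from session establishment (the "real user information").
SESSION_CONTEXT: Dict[str, str] = {
    "msisdn": "13700000001",
    "imsi": "460000000000001",
    "imei": "350000000000001",
    "cell": "460-00-1234-5678",
}


@dataclass
class Verdict:
    normal: bool
    reason: str
    mismatched: List[str] = field(default_factory=list)  # disagreeing fields


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header fields of an HTTP-style request as a dict.

    The request line is skipped. Names are lower-cased because HTTP header
    names are case-insensitive, so "Call-ID" and "call-id" must match.
    """
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":  # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def extract_identifier_fields(headers: Dict[str, str]) -> List[str]:
    """Step A1/B1: identifier fields present in the header as received."""
    return [name for name in headers if name in HEADER_NAME_GROUP]


def check_strict(headers: Dict[str, str]) -> Verdict:
    """First embodiment: presence of an identifier field is itself abnormal."""
    found = extract_identifier_fields(headers)
    if found:
        return Verdict(False, "identifier field present before gateway insertion", found)
    return Verdict(True, "no identifier field present")


def check_tolerant(headers: Dict[str, str], context: Dict[str, str]) -> Verdict:
    """Second embodiment: a pre-inserted field is tolerated only if it matches
    the real user information of the session that carried the request."""
    found = extract_identifier_fields(headers)
    if not found:
        return Verdict(True, "no identifier field present")
    mismatched = [
        name for name in found
        if headers[name] != context.get(HEADER_NAME_GROUP[name])
    ]
    if mismatched:
        return Verdict(False, "identifier field disagrees with session context", mismatched)
    return Verdict(True, "identifier fields match session context")


# Constructed sample requests (numbers are made up).
CLEAN_REQUEST = "GET http://www.xxx.com/ HTTP/1.1\r\nHost: www.xxx.com\r\n\r\n"
SPOOFED_REQUEST = (
    "GET http://www.xxx.com/ HTTP/1.1\r\nHost: www.xxx.com\r\n"
    "Call-ID: 13700000002\r\n\r\n"  # another subscriber's number
)
SELF_REQUEST = (
    "GET http://www.xxx.com/ HTTP/1.1\r\nHost: www.xxx.com\r\n"
    "Call-ID: 13700000001\r\n\r\n"  # the sender's own real number
)

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_REQUEST), ("spoofed", SPOOFED_REQUEST), ("self", SELF_REQUEST)):
        h = parse_headers(raw)
        print(label, "strict:", check_strict(h), "tolerant:", check_tolerant(h, SESSION_CONTEXT))
```

The strict check rejects even a request that carries the sender's own correct number, which is what the first embodiment intends; the tolerant check only rejects values that disagree with the session context, so a terminal cannot claim another subscriber's identity but is not penalised for an honest field.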
Third embodiment of the present invention, corresponding to the first embodiment: this embodiment describes a malicious access detection apparatus for network resources which, as shown in FIG. 4, includes the following components:
1) A checking module 100, configured to check the Internet service request message sent by the communication terminal over the mobile Internet.
The checking module 100 includes:
an extraction module 101, configured to extract the user information identifier field from the header of the Internet service request message sent by the communication terminal over the mobile Internet;
a judging module 102, configured to determine whether the extracted user information identifier field appears in the pre-stored header field name group for Internet service request messages, and if so to determine that the Internet service request message is abnormal, and if not to determine that the Internet service request message is normal. Each header field name in the header field name group corresponds to a respective user information identifier.
2) A disposition module 200, configured to execute the corresponding service disposition policy according to the check result.
The disposition module 200 is configured such that:
if the Internet service request message is determined to be normal, the communication gateway provides the Internet service request message to the application content provider;
if the Internet service request message is determined to be abnormal, the communication gateway executes a service prohibition policy, a service correction policy or a service redirection policy.
The service prohibition policy includes discarding the Internet service request message;
the service correction policy includes modifying the user information corresponding to the field in the header of the Internet service request message so that it is consistent with the corresponding real user information, and then providing the Internet service request message to the application content provider;
the service redirection policy includes responding to the Internet service request message by redirecting to a preset page that informs the user that the Internet service request is abnormal.
In this embodiment, the rationale by which the checking module 100 judges whether an Internet service request message is abnormal is that a normal Internet service request message carries no additionally inserted information in its header before it reaches the operator's communication gateway; only the communication gateway inserts information into the header of the message, for the application content provider to look up and extract. Therefore, if additionally inserted information is found in the header of an Internet service request message, the message has been maliciously tampered with and is an abnormal message.
Fourth embodiment of the present invention, corresponding to the second embodiment: this embodiment describes a malicious access detection apparatus for network resources which, as shown in FIG. 5, includes the following components:
1) A checking module 100, configured to check the Internet service request message sent by the communication terminal over the mobile Internet.
The checking module 100 includes:
an extraction module 101, configured to extract the user information identifier field from the header of the Internet service request message sent by the communication terminal over the mobile Internet;
a first judging module 103, configured to determine whether the extracted user information identifier field appears in the pre-stored header field name group for Internet service request messages, and if so to invoke a second judging module 104, and if not to determine that the Internet service request message is normal. Each header field name in the header field name group corresponds to a respective user information identifier; for example, if the header field name "Call-ID" is the identifier of the user's mobile phone number, then the user information corresponding to that header field name is the user's mobile phone number.
a second judging module 104, configured to determine whether the user information corresponding to the user information identifier field is consistent with the real user information, and if so to determine that the Internet service request message is normal, and if not to determine that the Internet service request message is abnormal.
The kinds of user information include at least one of the following: the user's mobile phone number, the cell location information of the user, the user's IMSI, the user's IP address, and the user's IMEI.
The real user information is obtained from the context of the session established when the communication terminal accesses the mobile Internet.
In this embodiment, the rationale by which the checking module 100 judges whether an Internet service request message is abnormal is to tolerate information that has already been inserted into the header of the message before it reaches the operator's communication gateway, provided that the additionally inserted user information matches the corresponding real user information.
2) A disposition module 200, configured to execute the corresponding service disposition policy according to the check result.
The service disposition process executed by the disposition module 200 in this embodiment is the same as in the third embodiment and is not repeated here.
Fifth embodiment of the present invention: building on the third and fourth embodiments, this embodiment describes a communication gateway that includes the malicious access detection apparatus for network resources of the third and fourth embodiments. The communication gateway of this embodiment may be understood as a physical device.
Sixth embodiment of the present invention: building on the above embodiments, this embodiment describes an application example of the present invention with reference to FIG. 6, taking as the example a communication terminal that accesses a web page using HTTP messages.
As shown in FIG. 6, in certain service scenarios in a mobile network in which the operator and the application content provider cooperate, the situation in the first row is as follows: the communication terminal of the normal user A sends an Internet service request message over HTTP whose header carries "GET HTTP://www.xxx.cn\r\n". The message is transmitted via the base station to the operator's communication gateway, where the scenario requires the gateway to insert into the header of the Internet service request message the user mobile phone number identifier Call-ID together with user A's mobile phone number. On receiving the Internet service request message, the application content provider looks up the mobile phone number identifier to extract the user's mobile phone number, and performs service authentication or marketing activities.
The situation in the second row is as follows: the illegal user A evades the application content provider's authentication by maliciously constructing the header content of the HTTP message. While carrying out the service, illegal user A uses the communication terminal to insert into the header of the Internet service request message the mobile phone number identifier Call-ID together with user B's mobile phone number. When the message reaches the operator's communication gateway, the gateway additionally inserts user A's mobile phone number into the header of the message; the application content provider is therefore likely to pick up the wrong information, and the user evades its authentication.
The situation in the third row, which is the application example of the present invention, is as follows: the malicious access detection apparatus for network resources is deployed at the operator's communication gateway. While illegal user A carries out the service, even though illegal user A inserts user B's mobile phone number into the header of the Internet service request message via the communication terminal, the operator's communication gateway recognizes this scenario and handles the abnormal message by service correction, service prohibition or service redirection, ensuring that the mobile phone number information obtained by the application content provider is always correct.
The detection and handling procedure for the third situation is as follows:
Step 601: after mobile user A completes the TCP/IP three-way handshake with the application content provider, mobile user A sends an HTTP request message to the application content provider over the mobile Internet. The header of the HTTP request message is maliciously modified on mobile user A's side, and the header of the constructed HTTP message reads as follows:
GET HTTP://www.xxx.com\r\n
...(other header fields)
Call-ID:137xxxxxxxx (i.e. user B's mobile phone number)
Step 602: the operator's communication gateway intercepts the HTTP request message and extracts the field "Call-ID", which matches one of the header field names in the HTTP header field name group pre-stored in the communication gateway, and the content of that field, "137xxxxxxxx", does not match the user's real mobile phone number; the message is therefore identified as an abnormal message.
Step 603: for the abnormal message, the service is controlled according to the control policy pre-stored in the communication gateway. Depending on service requirements, the control policy in the communication gateway can be set to a service correction policy (policy 1), a service discard policy (policy 2), a service redirection policy (policy 3), and so on.
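Steps 602 and 603 with the three control policies, as an added Python example that is not the patent's own code. The forged request follows the header shown in step 601; the real number of user A, the notice-page URL used by the redirection policy and the policy numbers are constructed assumptions (the numbering follows step 603).

```python
"""Gateway disposition of an HTTP request whose Call-ID field is forged.

Added example (not the patent's own code). Models the mismatch found in
step 602 and the three control policies of step 603: service correction
(policy 1), service discard (policy 2) and service redirection (policy 3).
After a normal or corrected request the gateway inserts the real number
itself, as the page describes for the cooperation scenario.
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Assumed URL of the notice page returned under the redirection policy.
REDIRECT_PAGE = "http://notice.operator.invalid/abnormal-request"

POLICY_CORRECT, POLICY_DROP, POLICY_REDIRECT = 1, 2, 3


def split_request(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split a raw HTTP request into request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build_request(request_line: str, headers: List[Header], body: bytes) -> bytes:
    """Re-serialize a request after the gateway has edited its header."""
    head = request_line + "".join(f"\r\n{name}: {value}" for name, value in headers)
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def dispose(raw: bytes, real_msisdn: str, policy: int) -> Tuple[str, Optional[bytes]]:
    """Steps 602-603 for the Call-ID field.

    Returns (action, message): ("forward", request sent on to the content
    provider), ("drop", None) or ("respond", response returned to the terminal).
    """
    request_line, headers, body = split_request(raw)
    others = [(n, v) for n, v in headers if n.lower() != "call-id"]
    forged = [v for n, v in headers if n.lower() == "call-id" and v != real_msisdn]
    if not forged:
        # Normal message: the gateway inserts the real number, exactly once.
        return "forward", build_request(request_line, others + [("Call-ID", real_msisdn)], body)
    if policy == POLICY_DROP:
        return "drop", None
    if policy == POLICY_REDIRECT:
        response = (f"HTTP/1.1 302 Found\r\nLocation: {REDIRECT_PAGE}\r\n"
                    "Content-Length: 0\r\n\r\n")
        return "respond", response.encode("iso-8859-1")
    if policy == POLICY_CORRECT:
        # Replace the forged value(s) with the real number, then forward.
        return "forward", build_request(request_line, others + [("Call-ID", real_msisdn)], body)
    raise ValueError(f"unknown policy {policy}")


# Constructed request from user A carrying user B's number (numbers made up).
REAL_MSISDN_A = "13700000001"
FORGED_REQUEST = (b"GET http://www.xxx.com/ HTTP/1.1\r\nHost: www.xxx.com\r\n"
                  b"Call-ID: 13700000002\r\n\r\n")
CLEAN_REQUEST = b"GET http://www.xxx.com/ HTTP/1.1\r\nHost: www.xxx.com\r\n\r\n"

if __name__ == "__main__":
    for policy in (POLICY_CORRECT, POLICY_DROP, POLICY_REDIRECT):
        print(policy, dispose(FORGED_REQUEST, REAL_MSISDN_A, policy))
    print("clean", dispose(CLEAN_REQUEST, REAL_MSISDN_A, POLICY_CORRECT))
```

Under the correction policy every Call-ID value the terminal supplied is removed and a single field with the real number is written, so the content provider never sees two conflicting values, which is the situation the second row of FIG. 6 describes.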
By deploying the detection apparatus at the communication gateway, this application example prevents the intrusion of illegal users and improves the network quality of the application content provider.
The malicious access detection method and apparatus for network resources and the communication gateway of the embodiments of the present invention can effectively prevent illegal users from using network resources in the mobile Internet as though they were legitimate users.
Those of ordinary skill in the art will understand that all or some of the steps of the above embodiments can be implemented by a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, device, apparatus or component), and when executed includes one of the steps of the method embodiments or a combination thereof.
Optionally, all or some of the steps of the above embodiments may also be implemented with integrated circuits; these steps may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module.
The apparatus/functional modules/functional units in the above embodiments may be implemented with general-purpose computing devices, and may be concentrated on a single computing device or distributed over a network formed by several computing devices.
When the apparatus/functional modules/functional units in the above embodiments are implemented as software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
Industrial applicability
The embodiments of the present invention can effectively prevent illegal users from using network resources in the mobile Internet as though they were legitimate users. Malicious user intrusion is blocked at the communication gateway, which improves the network quality of the application content provider.

Claims (11)

  1. A method for detecting malicious access to network resources, including:
    checking an Internet service request message sent by a communication terminal over the mobile Internet;
    executing a corresponding service disposition policy according to the check result.
  2. The method for detecting malicious access to network resources according to claim 1, wherein checking the Internet service request message sent by the communication terminal over the mobile Internet includes:
    extracting a user information identifier field from the header of the Internet service request message sent by the communication terminal over the mobile Internet;
    determining whether the extracted user information identifier field appears in a pre-stored header field name group for Internet service request messages; if so, determining that the Internet service request message is abnormal, and if not, determining that the Internet service request message is normal; each header field name in the header field name group corresponds to a respective user information identifier.
  3. The method for detecting malicious access to network resources according to claim 1, wherein checking the Internet service request message sent by the communication terminal over the mobile Internet includes:
    extracting a user information identifier field from the header of the Internet service request message sent by the communication terminal over the mobile Internet;
    determining whether the extracted user information identifier field appears in a pre-stored header field name group for Internet service request messages:
    if not, determining that the Internet service request message is normal, and ending the checking procedure;
    if so, determining whether the user information corresponding to the user information identifier field is consistent with the real user information; if so, determining that the Internet service request message is normal, and if not, determining that the Internet service request message is abnormal;
    each header field name in the header field name group for Internet service request messages corresponds to a respective user information identifier.
  4. The method for detecting malicious access to network resources according to claim 3, wherein the kinds of user information include at least one of the following: the user's mobile phone number, the cell location information of the user, the user's International Mobile Subscriber Identity (IMSI), the user's IP address, and the user's International Mobile Equipment Identity (IMEI);
    the real user information is obtained from the context of the session established when the communication terminal accesses the mobile Internet.
  5. The method for detecting malicious access to network resources according to any one of claims 2 to 4, wherein executing the corresponding service disposition policy according to the check result includes:
    if the Internet service request message is determined to be normal, providing the Internet service request message to the application content provider;
    if the Internet service request message is determined to be abnormal, executing a service prohibition policy, a service correction policy or a service redirection policy.
  6. The method for detecting malicious access to network resources according to claim 5, wherein the service prohibition policy includes discarding the Internet service request message;
    the service correction policy includes modifying the user information corresponding to the field in the header of the Internet service request message so that it is consistent with the corresponding real user information, and then providing the Internet service request message to the application content provider;
    the service redirection policy includes responding to the Internet service request message by redirecting to a preset page that informs the user that the Internet service request is abnormal.
  7. An apparatus for detecting malicious access to network resources, including:
    a checking module, configured to check an Internet service request message sent by a communication terminal over the mobile Internet;
    a disposition module, configured to execute a corresponding service disposition policy according to the check result.
  8. The apparatus for detecting malicious access to network resources according to claim 7, wherein the checking module includes:
    an extraction module, configured to extract a user information identifier field from the header of the Internet service request message sent by the communication terminal over the mobile Internet;
    a judging module, configured to determine whether the extracted user information identifier field appears in a pre-stored header field name group for Internet service request messages, and if so to determine that the Internet service request message is abnormal, and if not to determine that the Internet service request message is normal; each header field name in the header field name group corresponds to a respective user information identifier.
  9. 根据权利要求7所述的对网络资源的恶意访问检测装置,其中,所述检查模块,包括:The device for detecting malicious access to a network resource according to claim 7, wherein the checking module comprises:
    提取模块,设置为:对通信终端基于移动互联网发出的上网业务请求报文的头域进行用户信息标识字段的提取;The extraction module is configured to: extract the user information identification field from the header field of the Internet service request message sent by the communication terminal based on the mobile internet;
    第一判断模块,设置为:判断提取出的用户信息标识字段是否出现在预先存储的上网业务请求报文头域名称组中,若是,则调用第二判断模块,若否,则判定所述上网业务请求报文正常;所述上网业务请求报文头域名称组中的每一条头域名称均与相应的用户信息标识对应;The first determining module is configured to: determine whether the extracted user information identification field appears in the pre-stored Internet service request packet header domain name group, and if yes, invoke the second determining module, and if not, determine the online access The service request packet is normal; each header field name in the header field name group of the Internet service request packet corresponds to the corresponding user information identifier;
    第二判断模块,设置为:判断所述用户信息标识字段所对应的用户信息与真实的用户信息是否一致,若是,则判定所述上网业务请求报文正常,若否,则判定所述上网业务请求报文异常。The second determining module is configured to: determine whether the user information corresponding to the user information identification field is consistent with the real user information, and if yes, determine that the online service request message is normal, and if not, determine the online service The request message is abnormal.
  10. 一种通信网关,包括权利要求7~9中任一项所述的对网络资源的恶意访问检测装置。A communication gateway comprising the malicious access detecting device for network resources according to any one of claims 7 to 9.
  11. 一种计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令用于执行权利要求1-6任一项的方法。 A computer readable storage medium storing computer executable instructions for performing the method of any of claims 1-6.
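As an added example that is not the patent's or the applicant's own code, the following Python models the gateway check of claims 3, 8 and 9 (is a header from the pre-stored name group present, and does its value match the real user information from the session context?) together with the disposition policies of claims 5 and 6; the header names, the sample request and the session context are constructed placeholders.

```python
# Added example, not the patent's code: models the gateway header check of
# claims 3, 8 and 9 and the disposition policies of claims 5 and 6. Header
# names, the sample request and the session context are constructed placeholders.

# Pre-stored header field name group: header name -> kind of user information.
HEADER_GROUP = {"x-msisdn": "msisdn", "x-imsi": "imsi", "x-imei": "imei",
                "x-cell-id": "cell", "x-client-ip": "ip"}
# Constructed "real" user information, as the gateway reads it from the session context.
SESSION_CTX = {"msisdn": "8613800000000", "imsi": "460001234567890", "ip": "10.0.0.5"}
# Constructed request in which the terminal itself supplies a wrong X-MSISDN.
SAMPLE_REQUEST = ("GET /api/profile HTTP/1.1\r\nHost: cp.example\r\n"
                  "X-MSISDN: 8613900000000\r\nUser-Agent: demo\r\n\r\n")

def parse_headers(raw: str) -> dict:
    """Header block of an HTTP/1.1 request as a lowercase-keyed dict."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def check_request(raw: str, ctx: dict, strict: bool = False) -> tuple:
    """Return (verdict, offending headers). strict=True is the claim 8 rule: any
    listed header arriving from the terminal is abnormal. strict=False is the
    claim 9 rule: abnormal only when the value differs from the real information."""
    headers = parse_headers(raw)
    bad = {n: headers[n] for n, kind in HEADER_GROUP.items()
           if n in headers and (strict or headers[n] != ctx.get(kind))}
    return ("abnormal" if bad else "normal"), bad

def dispose(raw: str, ctx: dict, policy: str = "correct") -> tuple:
    """Forward a normal request; otherwise drop it, redirect it to a notice
    page, or rewrite the spoofed fields to the real values (claims 5 and 6)."""
    verdict, bad = check_request(raw, ctx)
    if verdict == "normal":
        return "forward", raw
    if policy == "drop":
        return "drop", None
    if policy == "redirect":
        return "redirect", "HTTP/1.1 302 Found\r\nLocation: /abnormal-request\r\n\r\n"
    head, body = raw.split("\r\n\r\n", 1)
    fixed = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip()
        if name.lower() not in bad:
            fixed.append(line)
        elif ctx.get(HEADER_GROUP[name.lower()]) is not None:  # else: unverifiable, drop it
            fixed.append(f"{name}: {ctx[HEADER_GROUP[name.lower()]]}")
    return "correct", "\r\n".join(fixed) + "\r\n\r\n" + body
```

A terminal-supplied header whose kind is absent from the session context cannot be corrected, so the correction policy removes it rather than forwarding an unverifiable value.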
PCT/CN2015/085435 2015-01-26 2015-07-29 Method, apparatus and communication gateway for detecting malicious access to network resources WO2016119420A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510038923.0A CN105897664A (en) 2015-01-26 2015-01-26 Detection method and device of malicious access to network resource, and communication gateway
CN201510038923.0 2015-01-26

Publications (1)

Publication Number Publication Date
WO2016119420A1 true WO2016119420A1 (en) 2016-08-04

Family

ID=56542296

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/085435 WO2016119420A1 (en) 2015-01-26 2015-07-29 Method, apparatus and communication gateway for detecting malicious access to network resources

Country Status (2)

Country Link
CN (1) CN105897664A (en)
WO (1) WO2016119420A1 (en)


Also Published As

Publication number Publication date
CN105897664A (en) 2016-08-24


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15879619

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15879619

Country of ref document: EP

Kind code of ref document: A1