CN101980477A - Method and device for detecting number of shadow users, and network equipment - Google Patents

Info

Publication number: CN101980477A
Authority: CN (China)
Prior art keywords: message, user, difference, identification field, sequence
Legal status: Granted; Expired - Fee Related
Application number: CN2010105052767A
Other languages: Chinese (zh)
Other versions: CN101980477B (en)
Inventor: 陈光磊
Current Assignee: Beijing Star Net Ruijie Networks Co Ltd
Original Assignee: Beijing Star Net Ruijie Networks Co Ltd
Application filed by Beijing Star Net Ruijie Networks Co Ltd
Priority to CN2010105052767A
Publication of CN101980477A
Application granted
Publication of CN101980477B
Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for detecting the number of shadow users, and network equipment. The method comprises the following steps: receiving packets (messages) that have the same user authentication characteristics as a user who has passed authentication; extracting the identification field from each packet and, for each received packet, calculating the difference between the identification field of that packet and that of a specified packet; if the difference lies within a preset abnormal range, determining that the packet corresponds to a new user; determining the number of new users corresponding to all packets; and taking the finally determined number of new users as the number of shadow users. With this method and device the number of shadow users can be determined, so that the resulting service loss can subsequently be quantified.

Description

Method and apparatus for detecting the number of shadow users, and network equipment
Technical field
Embodiments of the invention relate to communication technology, and in particular to a method and apparatus for detecting the number of shadow users, and to network equipment.
Background art
802.1x authentication adopts port-based network access control and provides point-to-point secure access for LAN users. Taking computer access as an example (other access terminals are also possible), Fig. 1 shows a simple illustration: a personal computer (PC) with 802.1x authentication client software installed submits the relevant authentication information to the switch, and the switch hands the information to the authentication server for confirmation. If authentication passes, the switch opens the corresponding port, and the computer connected to that port can then use the network.
In 802.1x, once authentication has passed, the switch records the Media Access Control (MAC) address of the successfully authenticated computer. Any data carrying that MAC address is then regarded by the switch as sent by the authenticated computer, and is therefore forwarded.
As shown in Fig. 2, someone may attach a hub (HUB) under an authenticated switch port and connect two computers to the hub. PC a has the 802.1x authentication client installed and passes authentication. PC b merely changes its MAC address to that of PC a, and can then use the network illegitimately without authenticating.
For the defect shown in Fig. 2, the solution commonly adopted in the prior art is to bind together, on the switch port, the Internet Protocol (IP) address, the MAC address and the port of the authenticated computer, instead of deciding whether to forward data by MAC address alone.
Fig. 3 shows the scheme that binds the port, IP and MAC elements. Here PC b cannot use the network, because the IP address it uses differs from that of PC a. However, the element-binding scheme still has a hole: if PC b changes its IP and MAC addresses to those of PC a, PC b can still use the network without authenticating, as shown in Fig. 4.
As can be seen from Fig. 4, when the access terminal PC a sends an authentication request through its authentication client software, the switch forwards the corresponding information and submits it to the authentication server for confirmation; if authentication passes, the switch opens the corresponding port (PORT) and allows packets that satisfy the (IP+MAC+PORT) triple authentication condition to pass. If at this point another access terminal PC b is connected to PC a through a hub and counterfeits the IP address and MAC address of PC a, then PC b also satisfies the triple (IP+MAC+PORT) authentication condition, so PC b can access network resources without passing authentication. In this way, the problem arises that a terminal which counterfeits an IP address and a MAC address can access the network without authenticating.
A shadow user is an illegitimate user who, instead of passing authentication, directly adopts the IP address and MAC address of a legitimate user; PC b in Fig. 4 is a shadow user. If a shadow user exists, then as long as the counterfeited user is online, the shadow user can use the network without authenticating.
When a legitimate user has one or more shadow users, the server can only treat them all as a single user. This often causes a large loss of network traffic and opens a hole in authentication and billing. At present there is no method for detecting the number of shadow users, that is, there is no way to learn how many shadow users exist, so the traffic loss cannot be quantified: for example, the specific amount of network traffic lost to each shadow user and the specific amount of lost Internet access fees cannot be obtained, which greatly reduces the quality of service.
Summary of the invention
Embodiments of the invention provide a method and apparatus for detecting the number of shadow users, and network equipment, which can detect the number of shadow users.
The method for detecting the number of shadow users provided by embodiments of the invention comprises:
A. receiving packets that have the same user authentication characteristics as a user who has passed authentication;
B. extracting the identification field of each packet;
C. for each received packet, calculating the difference between the identification field of this packet and that of a specified packet; if the difference lies within a preset abnormal range, the packet corresponds to one new user;
D. determining the number of new users corresponding to all packets;
E. taking the finally determined number of new users as the number of shadow users.
In step A, the user authentication characteristics comprise a source Internet Protocol (IP) address and/or a source Media Access Control (MAC) address.
Steps A to D are each carried out in a plurality of sampling periods divided in advance;
between step D and step E, the method further comprises: from all the numbers of new users determined in all sampling periods, determining the number of new users that occurs most often.
The specified packet is: the n-th packet already received, n being a natural number; or each of m packets already received, m being a natural number greater than 1.
The difference is: the value of the identification field of the packet minus the value of the identification field of the specified packet;
in step C, the difference lying within the preset abnormal range comprises: the difference being greater than a preset allowed packet-loss threshold; or the difference being less than 0.
Step C comprises:
setting up a corresponding sequence for the first packet received in a set time period and putting the identification field value of that first packet into that sequence; for the k-th packet received in the set time period, k being a natural number greater than 1, calculating the differences between the identification field value of the k-th packet and each identification field value in each sequence that already exists in the set time period; for the k-th packet, if all the differences lie within the preset abnormal range, adding a new sequence corresponding to the k-th packet and putting the identification field value of the k-th packet into that new sequence; if any difference does not lie within the preset abnormal range, putting the identification field value of the k-th packet into the nearest sequence, the nearest sequence being the sequence used to compute the smallest difference that is not in the preset abnormal range;
the number of new users is: the number of newly added sequences.
In step A, receiving packets that have the same user authentication characteristics as the authenticated user comprises:
continuously receiving all packets that have the same user authentication characteristics as the authenticated user;
or,
every set time, receiving a predetermined number of consecutive packets that have the same user authentication characteristics as the authenticated user.
The device for detecting the number of shadow users provided by embodiments of the invention comprises:
a receiving module, for receiving packets that have the same user authentication characteristics as a user who has passed authentication;
an extraction module, for extracting the identification field of the packets;
a calculation module, for calculating, for each received packet, the difference between the identification field of the packet and that of a specified packet;
a processing module, for determining, for each received packet, that the packet corresponds to one new user if the difference lies within a preset abnormal range;
a determination module, for determining the number of new users corresponding to all packets;
an output module, for outputting the finally determined number of new users as the number of shadow users.
The receiving module comprises a first receiving submodule, for initialising reception at the start of each of a plurality of sampling periods divided in advance, and then receiving packets that have the same user authentication characteristics as the authenticated user;
the determination module comprises:
a first determination submodule, for determining, at the end of each sampling period, the number of new users corresponding to all packets in that sampling period;
a second determination submodule, for determining, from all the numbers of new users determined in all sampling periods, the number of new users that occurs most often.
The calculation module comprises:
a first calculation submodule, for calculating, for each received packet, the difference between the identification field of this packet and that of the n-th packet already received, n being a natural number;
or,
a second calculation submodule, for calculating, for each received packet, the differences between the identification field of this packet and that of each of m packets already received, m being a natural number greater than 1.
The calculation module comprises a third calculation submodule, for subtracting the value of the identification field of the specified packet from the value of the identification field of each packet;
the processing module comprises:
a first judging submodule, for judging whether the difference is greater than a preset allowed packet-loss threshold; if so, the difference lies within the preset abnormal range;
or,
a second judging submodule, for judging whether the difference is less than 0; if so, the difference lies within the preset abnormal range.
The calculation module comprises a fourth calculation submodule, for setting up a corresponding sequence for the first packet received in a set time period and putting the identification field value of that first packet into that sequence, and, for the k-th packet received in the set time period, k being a natural number greater than 1, calculating the differences between the identification field value of the k-th packet and each identification field value in each sequence that already exists in the set time period;
the processing module comprises:
a first sequence-processing submodule, for adding, for the k-th packet, a new corresponding sequence and putting the identification field value of the k-th packet into that new sequence if all the differences lie within the preset abnormal range;
a second sequence-processing submodule, for putting, for the k-th packet, the identification field value of the k-th packet into the nearest sequence if any difference does not lie within the preset abnormal range, the nearest sequence being the sequence used to compute the smallest difference that is not in the preset abnormal range;
the determination module comprises a third determination submodule, for taking the number of newly added sequences as the number of new users.
The receiving module comprises:
a second receiving submodule, for continuously receiving all packets that have the same user authentication characteristics as the authenticated user;
or,
a third receiving submodule, for receiving, every set time, a predetermined number of consecutive packets that have the same user authentication characteristics as the authenticated user.
The network equipment provided by embodiments of the invention comprises any one of the devices for detecting the number of shadow users provided by embodiments of the invention.
The method, apparatus and network equipment for detecting the number of shadow users proposed by embodiments of the invention make use of the fact that a shadow user cannot construct packets whose identification field follows the variation pattern of the legitimate user's packets. For all packets with the same user authentication characteristics, they analyse whether, for each packet received within a certain time period, the differences between its identification field value and the identification field values of the other packets all lie within the preset abnormal range, that is, whether each packet fails to follow the variation pattern that the identification field should have in packets sent by an existing user host. They thereby determine whether the currently received packet and the previously received packets were sent by the same user host, record the number of distinct users, and so determine the number of shadow users. The traffic loss can then be quantified from the determined number of shadow users, for example the specific amount of network traffic lost to each shadow user and the specific amount of lost Internet access fees, which greatly improves the quality of service.
Further, in one implementation of the method, apparatus and network equipment proposed by embodiments of the invention, only subtraction is needed to detect the number of shadow users; no complicated algorithm such as a statistical algorithm is required, so the implementation is simple.
Further, the method, apparatus and network equipment proposed by embodiments of the invention do not need to generate and send extra detection packets in order to detect the number of shadow users; the processing is done entirely inside a device that can receive packets, so no redundant data flow is introduced into the network and normal network use is not affected.
Further, because IP is the basic protocol of network transmission, IP will be used whichever way a shadow user and a legitimate user share the network access. The method, apparatus and network equipment proposed by embodiments of the invention therefore use the identification field of IP packets for detection, which greatly widens the range of application of the embodiments.
Description of drawings
To describe the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of 802.1x authentication;
Fig. 2 is schematic diagram one of an illegitimate user masquerading as a legitimate user;
Fig. 3 is schematic diagram two of an illegitimate user masquerading as a legitimate user;
Fig. 4 is a schematic diagram of a shadow user masquerading as a legitimate user;
Fig. 5 is the basic flow chart of detecting the number of shadow users proposed by embodiments of the invention;
Fig. 6 is the flow chart of detecting the number of shadow users in a preferred embodiment of the invention;
Fig. 7 is the basic block diagram of the device for detecting the number of shadow users proposed by embodiments of the invention;
Fig. 8 is an optional structure diagram of the device for detecting the number of shadow users in embodiments of the invention;
Fig. 9 is another optional structure diagram of the device for detecting the number of shadow users in embodiments of the invention;
Fig. 10 is a further optional structure diagram of the device for detecting the number of shadow users in embodiments of the invention;
Fig. 11 is a further optional structure diagram of the device for detecting the number of shadow users in embodiments of the invention.
Embodiment
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Embodiments of the invention propose a method for detecting the number of shadow users. Referring to Fig. 5, the method comprises:
Step 501: receive packets that have the same user authentication characteristics as a user who has passed authentication.
This step may be implemented by continuously receiving all packets that have the same user authentication characteristics as the authenticated user; or, every set time, by receiving a predetermined number of consecutive packets that have the same user authentication characteristics as the authenticated user.
In this step, the user authentication characteristics may comprise a source IP address and/or a source MAC address.
Step 502: extract the identification field of the packets.
Step 503: for each received packet, calculate the difference between the identification field of this packet and that of a specified packet; if the difference lies within a preset abnormal range, the packet corresponds to one new user.
In this step, when calculating the difference between the identification field of a packet and that of the specified packet, the specified packet may be the n-th packet already received, n being a natural number; that is, the difference is calculated between this packet and any one previously received packet, preferably the previous packet or the one before it, and this difference is then used to judge whether it lies within the preset abnormal range. Alternatively,
the specified packet may be each of m packets already received, m being a natural number greater than 1; that is, the differences between this packet's identification field and those of any number of previously received packets are calculated, preferably with each packet received before it, and these differences are then used to judge whether they all lie within the preset abnormal range.
The difference in this step is: the value of the identification field of the packet minus the value of the identification field of the specified packet.
In this step, the difference lying within the preset abnormal range may specifically be: the difference being greater than a preset allowed packet-loss threshold; or the difference being less than 0.
Step 504: determine the number of new users corresponding to all packets.
Step 505: take the finally determined number of new users as the number of shadow users.
Although a shadow user has the same IP address and MAC address as the legitimate user, the identification (id) field of the IP header is independent on different user hosts: in the IP packets sent successively by one host, the identification field is incremented by a certain step from a starting point set by the sender. In real service, the shadow user and the legitimate user carry out their online operations independently and generate different traffic, so the rates at which they send packets differ; moreover, the initial value and the increment of the identification field of packets sent by the shadow user's host and by the legitimate user's host vary randomly for many reasons, such as their respective packet loss and bursts. The shadow user therefore cannot construct packets whose identification field follows the legitimate user's variation pattern, i.e. packets whose identification fields, combined with those of the legitimate user's packets, form exactly the normal variation of a legitimate identification field. The method for detecting the number of shadow users proposed by embodiments of the invention exploits precisely this property: for all packets with the same user authentication characteristics, it analyses whether, for each packet received within a certain time period, the differences between its identification field value and those of the other packets all lie within the preset abnormal range, that is, whether each packet fails to follow the variation pattern that the identification field should have in packets sent by an existing user host; it thereby determines whether the currently received packet and the previously received packets were sent by the same user host, records the number of new users, and so determines the number of shadow users.
In the method for detecting the number of shadow users proposed by embodiments of the invention, to further improve detection accuracy, a plurality of sampling periods may be divided in advance. In each sampling period the number of new users for that period is determined once, so that each sampling period yields a number of shadow users, and the number of shadow users that occurs most often is finally taken as the detected number of shadow users.
In addition, in the method for detecting the number of shadow users proposed by embodiments of the invention, the recorded number of new users may be embodied by the recorded number of newly added sequences.
Below, taking as an example the method using the plurality of sampling periods described above, recording the number of new users by means of sequences, and calculating the differences between a packet's identification field and that of each packet received before it, the process by which embodiments of the invention detect the number of shadow users is described in detail. Referring to Fig. 6, the process comprises the following steps:
Step 600: mark off a plurality of sampling periods in advance.
" mode " in the statistics (Mode) is illustrated in the numerical value that has obvious central tendency point on the Distribution Statistics, and the mean level of representative data briefly is the maximum numerical value of occurrence number in one group of data, is mode.
Principle based on mode, in order further to improve the accuracy that detects, mark off a plurality of sampling periods in this step, so that in subsequent treatment, can all obtain the number of a shadow user in each sampling period, that is to say, obtain one group of data, according to the principle of mode about the shadow user number, the number of the shadow user that occurrence number is maximum finally is defined as the number of detected shadow user, thereby can make the number of the shadow user of determining more accurate.
Such as, in this step, can mark off 5 sampling periods, the length in each sampling period is 20 seconds.
Step 601: after authentification of user passes through, begin timing to each sampling period.
Step 602: after each sampling period begins, receive and authenticate the message that the user that passes through has identical authentification of user feature.
In this step, the authentification of user feature can comprise source IP address and/or source MAC.
In each sampling period, can receive all messages continuously, also can receive the message of several successive at intervals.Therefore, in this step, reception specifically can comprise with the message that the user that authentication is passed through has identical authentification of user feature:
Continue to receive all and authenticate the message that the user that passes through has identical authentification of user feature; For example, in the current sampling period, the message that the user that all and authentication are passed through can be had identical source IP address all obtains, so that carry out real-time analysis and detection, and the detection sensitivity height of this mode;
Perhaps,
Receive the message that the continuous user with authentication is passed through of predetermined number has identical authentification of user feature every setting-up time, for example can obtain the message that 10 continuous users with authentication is passed through have identical source IP address every 4 seconds, analyze and detect, this mode can guarantee to save under certain detection sensitivity and detect the resource that takies.
For ease of subsequent descriptions, suppose that the message that receives is followed successively by in the current sampling period: P1, P2 ..., Pn.
Step 603: from the message that receives, extract identification field.
For ease of subsequent descriptions, suppose in the current sampling period, from the message P1 that receives successively, P2 ..., the identification field values that extracts respectively among the Pn is followed successively by: id1, and id2 ..., idn.
Step 604: for first message P1 that receives in the current sampling period is provided with the initiation sequence (being designated as U1) of a correspondence, the identification field id1 that will extract from message P1 puts into this initiation sequence U1.
Step 605: for k the message Pk that receives in the current sampling period, k is a natural number, and 2≤k≤n, calculates in the value of the identification field among this message Pk and current sampling period the difference between each identification field values in existing each sequence respectively.
Step 606: for k message Pk, judge all differences calculate whether all in default abnormal ranges, if then execution in step 607, otherwise, execution in step 608.
In the business realizing of reality, packet loss is recurrent situation in network, therefore, can set in advance one and allow the packet loss threshold value, the difference that is less than or equal to this permission packet loss threshold value is all thought the difference that packet loss causes, that is to say, can think that these two messages are that same user sends, on the contrary, then think greater than the difference of this permission packet loss threshold value not to be the difference that packet loss causes, that is to say, can think that message is that an emerging user sends.
In addition, do not meet normal progressive law, therefore, can think that message is that an emerging user sends yet if difference, also illustrates the Changing Pattern of the identification field values in the message less than 0.
Therefore, in this step, judge whether all differences all specifically can comprise in default abnormal ranges: whether judge all differences all greater than the permission packet loss threshold value that sets in advance, if then all differences are all in default abnormal ranges; Perhaps, whether judge all differences, if then all differences are all in default abnormal ranges all less than 0.
Step 607: the sequence Uk for the newly-increased correspondence of message Pk, put into this corresponding sequence Uk, execution in step 609 with the identification field idk among the message Pk.
Step 608: the identification field values idk among the message Pk is put into existing nearest sequence, and this nearest sequence is to calculate the not employed sequence of minimal difference in default abnormal ranges.
To illustrate steps 605 to 608: if the current value of k is 2, that is, for the second received message P2, the only identification field value in the existing sequences is id1 in sequence U1, so id2 − id1 is calculated first. If the difference is greater than the preset allowed packet-loss threshold or less than 0, this shows that the user host sending message P2 differs from the user host sending message P1; relative to the existing host sending P1, a user host has been newly added, and to represent this a sequence U2 is newly added for message P2 and id2 is put into U2. Otherwise, the user host sending message P2 is the same as the user host sending message P1, no sequence needs to be added for it, and id2 is put into the existing sequence U1.
If the current value of k is 3, and a sequence U2 was added for message P2, the identification field values in the existing sequences are id1 in sequence U1 and id2 in sequence U2; diff(id3, id1) = id3 − id1 and diff(id3, id2) = id3 − id2 are calculated respectively. If both differences diff(id3, id1) and diff(id3, id2) are greater than the preset allowed packet-loss threshold, or both are less than 0, this shows that the user host sending message P3 differs from the user hosts sending P1 and P2, so a user host has been newly added; therefore a sequence U3 is newly added for message P3 and id3 is put into U3. Otherwise, if diff(id3, id2) is less than the preset allowed packet-loss threshold, and of the two differences diff(id3, id1) and diff(id3, id2) the difference diff(id3, id2) is the smaller, this shows that the user host sending message P3 and the user host sending message P2 should be the same user host; therefore no new sequence is added, and id3 is put into the nearest sequence U2. The same applies by analogy up to the last message in the current sampling period.
Step 609: Judge whether the current value of k equals the number n of messages received in the current sampling period; if so, execute step 611, otherwise execute step 610.
Step 610: k = k + 1, and return to step 605.
Step 611: Obtain the number of sequences in the current sampling period, and take the number of sequences as the number of new users in the current sampling period.
When this step is executed, it can be obtained that, among all messages in the current sampling period having a specific same user authentication feature (such as the same source IP address and source MAC address), how many new users in total sent this kind of message in addition to the legitimate user.
Step 612: Judge whether all sampling periods have ended; if so, execute step 613, otherwise return to step 602.
Step 613: From the numbers of new users determined in all the sampling periods, determine the number of new users that occurs most frequently.
Step 614: Take the finally determined number of new users as the number of shadow users.
For example, if there are 5 sampling periods and the number of sequences, i.e. the number of new users, determined in each is respectively 3, 4, 4, 4, 2, then the number of new users occurring most frequently is 4, so the number of shadow users is determined to be 4; that is, apart from the legitimate user, there are 4 illegitimate users counterfeiting the identity of the legitimate user to send messages.
In practice, since both the access switch and the user host with authentication client software installed can receive the IP messages having the same user authentication feature, the process shown in Fig. 6 may be executed in the access switch or in the user host with authentication client software installed. Preferably, in order to further reduce the load on the access switch, a dedicated device may also be connected to the access switch, and the access switch cooperates with this dedicated device to execute the process shown in Fig. 6: in each sampling period the access switch receives all messages having the same user authentication feature and forwards them to the dedicated device, and the remaining processing is performed by the dedicated device.
It should be noted that the process shown in Fig. 6, which calculates the difference between a message and each previously received message and uses all the differences to judge whether they are all within the abnormal range in order to determine the number of sequences (i.e. new users) corresponding to the messages, is only an example. In actual service implementation, the difference may instead be calculated between the identification field of a message and that of only one previously received message, preferably the previous message or the one before it, and this single difference is judged for whether it is within the preset abnormal range, so as to determine the number of sequences (i.e. new users) corresponding to the messages and finally the number of shadow users. Alternatively, in actual service implementation, the differences between the identification field of a message and those of any number of previously received messages may be calculated, for example the difference with each of the two preceding messages, and these 2 differences are then judged for whether they are all within the preset abnormal range, so as to determine the number of sequences (i.e. new users) corresponding to the messages and finally the number of shadow users.
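The following Python is an added illustration of the process of Fig. 6 (steps 602 to 614) as described above; it is not code from the patent or from the assignee. IP identification values received in a sampling period are clustered into sequences: a difference greater than the allowed packet-loss threshold or less than 0 counts as abnormal, a message whose differences are all abnormal opens a new sequence, any other message joins the sequence that gave the smallest normal difference, the number of sequences is taken as the period's number of new users, and the most frequent per-period count is reported as the number of shadow users. The IPv4 header builder, the packet-loss threshold of 3 and all identification values are constructed for this example and are not from the page.

```python
"""Shadow-user counting from IPv4 identification (IP ID) sequences.

Added example for the process of Fig. 6 (steps 602-614); the header
builder, threshold and all sample values below are constructed.
"""
import socket
import struct
from collections import Counter
from typing import List, Optional


def build_ipv4_header(ip_id: int, src: str = "10.0.0.5", dst: str = "10.0.0.1") -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left at 0)."""
    version_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20, ip_id, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def extract_ip_id(packet: bytes) -> int:
    """Extraction module 701: the identification field is bytes 4..5 of the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack("!H", packet[4:6])[0]


def is_abnormal(diff: int, loss_threshold: int) -> bool:
    """Step 606: a difference larger than the allowed packet-loss threshold,
    or a negative difference, is outside the normal incrementing pattern."""
    return diff > loss_threshold or diff < 0


def count_new_users_in_period(ip_ids: List[int], loss_threshold: int) -> int:
    """Steps 603-611 for one sampling period.

    Every IP ID is compared with every ID already stored in every sequence.
    If all differences are abnormal a new sequence is created (step 607);
    otherwise the ID joins the sequence that produced the smallest normal
    difference (step 608). The number of sequences is returned (step 611).
    """
    sequences: List[List[int]] = []
    for k, id_k in enumerate(ip_ids):
        if k == 0:
            sequences.append([id_k])          # steps 603/604: first message seeds U1
            continue
        nearest: Optional[int] = None
        nearest_diff: Optional[int] = None
        for index, seq in enumerate(sequences):
            for prev_id in seq:
                diff = id_k - prev_id         # step 605
                if is_abnormal(diff, loss_threshold):
                    continue
                if nearest_diff is None or diff < nearest_diff:
                    nearest_diff, nearest = diff, index
        if nearest is None:
            sequences.append([id_k])          # step 607: new host, new sequence
        else:
            sequences[nearest].append(id_k)   # step 608: same host as nearest sequence
    return len(sequences)


def per_period_counts(periods: List[List[int]], loss_threshold: int) -> List[int]:
    """Step 611 applied to every sampling period."""
    return [count_new_users_in_period(p, loss_threshold) for p in periods]


def count_shadow_users(periods: List[List[int]], loss_threshold: int) -> int:
    """Steps 612-614: the most frequent per-period count is the shadow-user count."""
    counts = per_period_counts(periods, loss_threshold)
    return Counter(counts).most_common(1)[0][0]


# Constructed sample: five sampling periods of IP IDs as they would be extracted
# from packets sharing one source IP/MAC; three hosts interleave in most periods.
SAMPLE_PERIODS = [
    [1000, 50000, 1001, 50001, 20000, 1002, 20001, 50003],
    [2000, 60000, 2001, 2002, 60001, 60002],
    [3000, 3001, 45000, 3002, 45001, 30000, 3003],
    [4000, 4003, 55000, 4004, 55001, 40000, 40001],  # 4000 -> 4003: loss within threshold
    [5000, 5001, 62000, 5002, 62001, 40000],
]
LOSS_THRESHOLD = 3  # constructed allowed packet-loss threshold


if __name__ == "__main__":
    packets = [build_ipv4_header(i) for i in SAMPLE_PERIODS[0]]
    ids = [extract_ip_id(p) for p in packets]
    print("period 1 IDs:", ids)
    print("per-period new-user counts:", per_period_counts(SAMPLE_PERIODS, LOSS_THRESHOLD))
    print("shadow users:", count_shadow_users(SAMPLE_PERIODS, LOSS_THRESHOLD))
```

Two points a practitioner should keep in mind when applying this. The identification field is 16 bits wide, so a host whose counter wraps from 65535 to 0 produces a negative difference and is counted as a new host by the rule in step 606; and, as in step 611, every sequence is counted, including the one seeded by the first message of the period. The threshold also trades sensitivity for robustness: with the sample threshold of 3, the IDs 4000, 4005, 4006 are split into two sequences, while a threshold of 10 keeps them in one.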
The embodiment of the invention also proposes a device for detecting the number of shadow users; referring to Fig. 7, the device comprises:
Receiver module 700, used to receive messages having the same user authentication feature as an authenticated user;
Extraction module 701, used to extract the identification field of said messages;
Computing module 702, used, for each received message, to calculate the difference between the identification field of this message and that of a specified message;
Processing module 703, used, for each received message, to treat the message as corresponding to one new user if said difference is within the preset abnormal range;
Determination module 704, used to determine the number of new users corresponding to all the messages;
Output module 705, used to output the finally determined number of new users as the number of shadow users.
Referring to Fig. 8, in one optimized structure of the device for detecting the number of shadow users proposed by the embodiment of the invention,
said receiver module 700 comprises a first receiving submodule 801, used to initialize reception when each of a plurality of pre-divided sampling periods begins, and then to receive messages having the same user authentication feature as an authenticated user;
correspondingly, said determination module 704 comprises:
a first determination submodule 802, used to determine, when each sampling period ends, the number of new users corresponding to all the messages in that sampling period;
a second determination submodule 803, used to determine, from the numbers of new users determined in all the sampling periods, the number of new users that occurs most frequently.
Referring to Fig. 9, in another optimized structure of the device for detecting the number of shadow users proposed by the embodiment of the invention, said computing module 702 comprises:
a first difference submodule 7021, used, for each received message, to calculate the difference between the identification field of this message and that of the n-th previously received message, n being a natural number;
or,
a second difference submodule 7022, used, for each received message, to calculate the difference between the identification field of this message and that of each of the m previously received messages, m being a natural number greater than 1.
Referring to Fig. 9, said computing module 702 may further comprise a first calculating submodule 901, used to subtract the value of the identification field of said specified message from the value of the identification field of each message;
correspondingly, said processing module 703 comprises:
a first judging submodule 902, used to judge whether said difference is greater than the preset allowed packet-loss threshold, and if so, said difference is within the preset abnormal range;
or,
a second judging submodule 903, used to judge whether said difference is less than 0, and if so, said difference is within the preset abnormal range.
Referring to Fig. 10, in another optimized structure of the device for detecting the number of shadow users proposed by the embodiment of the invention,
said computing module 702 comprises a second calculating submodule 7023, used to set a corresponding sequence for the first message received in a set time period and to put the identification field value of said first message into this corresponding sequence; and, for the k-th message received in said set time period, k being a natural number greater than 1, to calculate respectively the difference between the identification field value of this k-th message and each identification field value in each sequence already existing in said set time period;
correspondingly, said processing module 703 comprises:
a first sequence processing submodule 1001, used, for said k-th message, to add a new corresponding sequence for said k-th message if all the differences are within the preset abnormal range, and to put the identification field value of said k-th message into this newly added sequence;
a second sequence processing submodule 1002, used, for said k-th message, to put the identification field value of said k-th message into the nearest sequence if any difference is not within the preset abnormal range, the nearest sequence being the sequence used in calculating the minimal difference that is not within the preset abnormal range;
correspondingly, said determination module 704 comprises a third determination submodule 1003, used to take the number of sequences as said number of new users.
Referring to Fig. 11, in another optimized structure of the device for detecting the number of shadow users proposed by the embodiment of the invention,
said receiver module 700 comprises:
a second receiving submodule 1101, used to continuously receive all messages having the same user authentication feature as an authenticated user;
or,
a third receiving submodule 1102, used to receive, at every set time interval, a predetermined number of consecutive messages having the same user authentication feature as an authenticated user.
The embodiment of the invention also proposes a network device, which comprises any one of the devices for detecting the number of shadow users provided by the embodiment of the invention.
The network device proposed by the embodiment of the invention may be an access switch, or a user host with authentication client software installed; or it may be a device connected to the access switch, in which case the messages having the same user authentication feature as an authenticated user that are received by said receiver module 700 are forwarded from said access switch.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be completed by a program instructing the related hardware; the program may be stored in a computer-readable storage medium, and when executed it performs the steps of the above method embodiments; the storage medium comprises various media capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1. A method for detecting the number of shadow users, characterized in that it comprises:
A. receiving messages having the same user authentication feature as an authenticated user;
B. extracting the identification field of said messages;
C. for each received message, calculating the difference between the identification field of this message and that of a specified message; if said difference is within a preset abnormal range, treating this message as corresponding to one new user;
D. determining the number of new users corresponding to all the messages;
E. taking the finally determined number of new users as the number of shadow users.
2. The method according to claim 1, characterized in that, in step A, said user authentication feature comprises a source Internet Protocol (IP) address and/or a source Media Access Control (MAC) address.
3. The method according to claim 1, characterized in that
steps A to D are executed respectively in each of a plurality of pre-divided sampling periods;
and between step D and step E the method further comprises: determining, from the numbers of new users determined in all the sampling periods, the number of new users that occurs most frequently.
4. The method according to claim 1, characterized in that said specified message is: the n-th previously received message, n being a natural number; or, each of the m previously received messages, m being a natural number greater than 1.
5. The method according to claim 1, characterized in that said difference is: the value of the identification field of each message minus the value of the identification field of said specified message;
and in step C, said difference being within the preset abnormal range comprises: said difference being greater than a preset allowed packet-loss threshold; or, said difference being less than 0.
6. The method according to any one of claims 1 to 5, characterized in that
said step C comprises:
setting a corresponding sequence for the first message received in a set time period, and putting the identification field value of said first message into this corresponding sequence; for the k-th message received in said set time period, k being a natural number greater than 1, calculating respectively the difference between the identification field value of this k-th message and each identification field value in each sequence already existing in said set time period; for said k-th message, if all the differences are within the preset abnormal range, adding a new corresponding sequence for said k-th message and putting the identification field value of said k-th message into this newly added sequence; if any difference is not within the preset abnormal range, putting the identification field value of said k-th message into the nearest sequence, the nearest sequence being the sequence used in calculating the minimal difference that is not within the preset abnormal range;
and said number of new users is: the number of sequences.
7. The method according to any one of claims 1 to 5, characterized in that, in step A, said receiving messages having the same user authentication feature as an authenticated user comprises:
continuously receiving all messages having the same user authentication feature as an authenticated user;
or,
receiving, at every set time interval, a predetermined number of consecutive messages having the same user authentication feature as an authenticated user.
8. A device for detecting the number of shadow users, characterized in that it comprises:
a receiver module, used to receive messages having the same user authentication feature as an authenticated user;
an extraction module, used to extract the identification field of said messages;
a computing module, used, for each received message, to calculate the difference between the identification field of this message and that of a specified message;
a processing module, used, for each received message, to treat the message as corresponding to one new user if said difference is within a preset abnormal range;
a determination module, used to determine the number of new users corresponding to all the messages;
an output module, used to output the finally determined number of new users as the number of shadow users.
9. The device according to claim 8, characterized in that
said receiver module comprises a first receiving submodule, used to initialize reception when each of a plurality of pre-divided sampling periods begins, and then to receive messages having the same user authentication feature as an authenticated user;
said determination module comprises:
a first determination submodule, used to determine, when each sampling period ends, the number of new users corresponding to all the messages in that sampling period;
a second determination submodule, used to determine, from the numbers of new users determined in all the sampling periods, the number of new users that occurs most frequently.
10. The device according to claim 8, characterized in that said computing module comprises:
a first difference submodule, used, for each received message, to calculate the difference between the identification field of this message and that of the n-th previously received message, n being a natural number;
or,
a second difference submodule, used, for each received message, to calculate the difference between the identification field of this message and that of each of the m previously received messages, m being a natural number greater than 1.
11. The device according to claim 8, characterized in that
said computing module comprises a first calculating submodule, used to subtract the value of the identification field of said specified message from the value of the identification field of each message;
said processing module comprises:
a first judging submodule, used to judge whether said difference is greater than a preset allowed packet-loss threshold, and if so, said difference is within the preset abnormal range;
or,
a second judging submodule, used to judge whether said difference is less than 0, and if so, said difference is within the preset abnormal range.
12. The device according to any one of claims 8 to 11, characterized in that said computing module comprises a second calculating submodule, used to set a corresponding sequence for the first message received in a set time period and to put the identification field value of said first message into this corresponding sequence; and, for the k-th message received in said set time period, k being a natural number greater than 1, to calculate respectively the difference between the identification field value of this k-th message and each identification field value in each sequence already existing in said set time period;
said processing module comprises:
a first sequence processing submodule, used, for said k-th message, to add a new corresponding sequence for said k-th message if all the differences are within the preset abnormal range, and to put the identification field value of said k-th message into this newly added sequence;
a second sequence processing submodule, used, for said k-th message, to put the identification field value of said k-th message into the nearest sequence if any difference is not within the preset abnormal range, the nearest sequence being the sequence used in calculating the minimal difference that is not within the preset abnormal range;
said determination module comprises a third determination submodule, used to take the number of sequences as said number of new users.
13. The device according to any one of claims 8 to 11, characterized in that said receiver module comprises:
a second receiving submodule, used to continuously receive all messages having the same user authentication feature as an authenticated user;
or,
a third receiving submodule, used to receive, at every set time interval, a predetermined number of consecutive messages having the same user authentication feature as an authenticated user.
14. A network device, characterized in that it comprises the device for detecting the number of shadow users according to any one of claims 8 to 13.
CN2010105052767A 2010-10-09 2010-10-09 Method and device for detecting number of shadow users, and network equipment Expired - Fee Related CN101980477B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105052767A CN101980477B (en) 2010-10-09 2010-10-09 Method and device for detecting number of shadow users, and network equipment


Publications (2)

Publication Number Publication Date
CN101980477A true CN101980477A (en) 2011-02-23
CN101980477B CN101980477B (en) 2013-01-30

Family

ID=43600962


Country Status (1)

Country Link
CN (1) CN101980477B (en)


Also Published As

Publication number Publication date
CN101980477B (en) 2013-01-30


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130130

Termination date: 20211009
