CN101980477B - Method and device for detecting number of shadow users, and network equipment - Google Patents


Info

Publication number: CN101980477B
Authority: CN (China)
Prior art keywords: message, user, identification field, difference, sequence
Legal status: Expired - Fee Related
Application number: CN2010105052767A
Other languages: Chinese (zh)
Other versions: CN101980477A
Inventor: 陈光磊
Current Assignee: Beijing Star Net Ruijie Networks Co Ltd
Original Assignee: Beijing Star Net Ruijie Networks Co Ltd
Application filed by Beijing Star Net Ruijie Networks Co Ltd; priority to CN2010105052767A; publication of CN101980477A; application granted; publication of CN101980477B.

Abstract

The invention provides a method and a device for detecting the number of shadow users, and network equipment. The method comprises the following steps: receiving messages with the same user authentication characteristics as those of a user who has passed authentication; extracting identification fields from the messages and, for each received message, calculating the difference between the identification field of the message and that of a specified message; if the difference is within a preset abnormal range, determining that the message corresponds to a new user; determining the number of new users corresponding to all the messages; and determining the finally determined number of new users as the number of shadow users. With the method and the device, the number of shadow users can be determined, so that the subsequent quantification of service loss can be performed conveniently.

Description

Method and apparatus for detecting the number of shadow users, and network equipment
Technical field
Embodiments of the invention relate to communication technology, and in particular to a method and apparatus for detecting the number of shadow users, and to network equipment.
Background art
802.1x authentication adopts port-based network access control and provides point-to-point secure access for LAN subscribers. Taking computer access as an example (other access terminals are also possible), a simple illustration is shown in Fig. 1: a personal computer (PC) on which 802.1x authentication client software is installed submits the relevant authentication information to the switch for authentication, and the switch hands the authentication information to the authentication server for confirmation. If authentication passes, the switch opens the relevant port, and the computer connected to that port can then use the network.
In 802.1x, once authentication has passed, the switch records the Media Access Control (MAC) address of the successfully authenticated computer. Any data carrying that MAC address is regarded by the switch as sent by the authenticated computer and is therefore allowed through.
As shown in Fig. 2, suppose someone adds a hub (HUB) under an authenticated switch port and connects two computers to the hub. PC a has the 802.1x authentication client installed and has passed authentication. PC b only needs to change its MAC address to the same MAC address as PC a to use the network illegally without authenticating.
For the defect shown in Fig. 2, the solution commonly adopted in the prior art is to bind together, on the switch port, the Internet Protocol (IP) address, the MAC address and the port of the authenticated computer, rather than deciding whether to pass data simply by MAC address.
Fig. 3 shows the scheme using the binding of the three elements port, IP and MAC. Here PC b cannot use the network because the IP address it uses differs from that of PC a. However, the element-binding scheme still has a hole: if PC b changes its IP and MAC addresses to be identical to those of PC a, PC b can still use the network without authenticating, as shown in Fig. 4.
As can be seen from Fig. 4, when the access terminal PC a sends an authentication request through the authentication client software, the switch forwards the corresponding information and submits it to the authentication server for confirmation. If authentication passes, the switch opens the corresponding port (PORT) and allows messages satisfying the (IP+MAC+PORT) triple authentication condition to pass. If at this point another access terminal PC b is connected to PC a through a HUB and forges the IP address and MAC address of PC a, PC b also satisfies the triple (IP+MAC+PORT) authentication condition, so PC b can access network resources without authenticating. In this way, the problem arises in the network that a terminal forging an IP address and MAC address can access the network without authenticating.
A shadow user is an illegal user who attempts to directly adopt the IP address and MAC address of a legitimate user without passing authentication, such as PC b in Fig. 4. If a shadow user exists, then as long as the forged user is online, the shadow user can use the network without authentication.
When a legitimate user has one or more shadow users, the server can only treat them all as one user, which often causes a large loss of network traffic and creates a hole in authentication and accounting. At present there is no method for detecting the number of shadow users, that is, it cannot be known how many shadow users exist, so the traffic loss cannot be quantified; for example, the specific amount of network traffic lost to each shadow user and the specific amount of lost Internet access fees cannot be obtained, which greatly reduces service performance.
Summary of the invention
Embodiments of the invention provide a method and apparatus for detecting the number of shadow users, and network equipment, which can detect the number of shadow users.
The method for detecting the number of shadow users provided by embodiments of the invention comprises:
A. receiving messages having the same user authentication feature as a user who has passed authentication;
B. extracting the identification field of the messages;
C. for each received message, calculating the difference between the identification field of this message and that of a specified message; if the difference is within a preset abnormal range, the message corresponds to one new user;
D. determining the number of new users corresponding to all messages;
E. determining the finally determined number of new users as the number of shadow users.
In step A, the user authentication feature comprises a source Internet Protocol (IP) address and/or a source Media Access Control (MAC) address.
Steps A to D are performed separately in each of a plurality of sampling periods divided in advance;
between step D and step E, the method further comprises: from all the numbers of new users determined in all sampling periods, determining the number of new users that occurs most often.
The specified message is: the n-th message already received, n being a natural number; or each of the m messages already received, m being a natural number greater than 1.
The difference is: the value of the identification field of each message minus the value of the identification field of the specified message;
In step C, the difference being within the preset abnormal range comprises: the difference being greater than a preset allowed packet-loss threshold; or the difference being less than 0.
Step C comprises:
setting a corresponding sequence for the first message received within a set time period, and putting the identification field value of the first message into that sequence; for the k-th message received within the set time period, k being a natural number greater than 1, calculating the differences between the identification field value of the k-th message and each identification field value in each sequence already existing within the set time period; for the k-th message, if all the differences are within the preset abnormal range, adding a new corresponding sequence for the k-th message and putting its identification field value into the newly added sequence; if any difference is not within the preset abnormal range, putting the identification field value of the k-th message into the nearest sequence, the nearest sequence being the sequence used in calculating the smallest difference that is not within the preset abnormal range;
The number of new users is: the number of newly added sequences.
In step A, receiving messages having the same user authentication feature as the user who has passed authentication comprises:
continuously receiving all messages having the same user authentication feature as the user who has passed authentication;
or,
at every set time interval, receiving a predetermined number of consecutive messages having the same user authentication feature as the user who has passed authentication.
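Steps A and B above, as an added example (not code from the patent): frames are filtered on the authenticated user's source MAC and/or source IP, and the IPv4 Identification field is read from the header. The frame builder, MAC/IP values and identification values are constructed for the example; only the IPv4 header layout (RFC 791) is assumed.

```python
import struct
from typing import List, Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPV4_MIN_HDR_LEN = 20


def extract_identification(frame: bytes, auth_mac: Optional[bytes],
                           auth_ip: Optional[bytes]) -> Optional[int]:
    """Steps A and B for one frame.

    auth_mac / auth_ip are the authenticated user's source MAC and source IP
    (either may be None, matching the 'and/or' in the claim). Returns the
    IPv4 Identification field when the frame carries the same feature(s),
    otherwise None so the caller ignores the frame."""
    if len(frame) < ETH_HDR_LEN + IPV4_MIN_HDR_LEN:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        return None
    if auth_mac is not None and src_mac != auth_mac:
        return None
    ip_hdr = frame[ETH_HDR_LEN:ETH_HDR_LEN + IPV4_MIN_HDR_LEN]
    if ip_hdr[0] >> 4 != 4:          # version nibble must be 4
        return None
    # RFC 791 layout: Identification at bytes 4-5, source address at bytes 12-15
    identification = struct.unpack("!H", ip_hdr[4:6])[0]
    src_ip = ip_hdr[12:16]
    if auth_ip is not None and src_ip != auth_ip:
        return None
    return identification


def collect_identifications(frames: List[bytes], auth_mac: Optional[bytes],
                            auth_ip: Optional[bytes]) -> List[int]:
    """Identification values id1..idn of the frames sharing the user's feature."""
    ids = []
    for frame in frames:
        ident = extract_identification(frame, auth_mac, auth_ip)
        if ident is not None:
            ids.append(ident)
    return ids


def build_frame(src_mac: bytes, src_ip: bytes, identification: int) -> bytes:
    """Constructed test input: Ethernet header + minimal 20-byte IPv4 header,
    no payload; the checksum is left at zero since it is not inspected here."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, IPV4_MIN_HDR_LEN, identification,
                         0, 64, 17, 0, src_ip, bytes([10, 0, 0, 1]))
    return eth + ip_hdr


# Constructed sample values: the authenticated host and a host with another MAC
AUTH_MAC = bytes.fromhex("001122334455")
AUTH_IP = bytes([192, 168, 1, 10])
OTHER_MAC = bytes.fromhex("66778899aabb")
SAMPLE_FRAMES = [
    build_frame(AUTH_MAC, AUTH_IP, 100),
    build_frame(OTHER_MAC, AUTH_IP, 7),     # different MAC: not this user's feature
    build_frame(AUTH_MAC, AUTH_IP, 101),
]

if __name__ == "__main__":
    print(collect_identifications(SAMPLE_FRAMES, AUTH_MAC, AUTH_IP))  # [100, 101]
```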
The apparatus for detecting the number of shadow users provided by embodiments of the invention comprises:
a receiving module, for receiving messages having the same user authentication feature as a user who has passed authentication;
an extraction module, for extracting the identification field of the messages;
a computing module, for calculating, for each received message, the difference between the identification field of this message and that of a specified message;
a processing module, for regarding each received message as corresponding to one new user if the difference is within a preset abnormal range;
a determination module, for determining the number of new users corresponding to all messages;
an output module, for outputting the finally determined number of new users as the number of shadow users.
The receiving module comprises a first receiving submodule, for performing reception initialization when each of a plurality of pre-divided sampling periods begins, and then receiving messages having the same user authentication feature as the user who has passed authentication;
The determination module comprises:
a first determination submodule, for determining, when each sampling period ends, the number of new users corresponding to all messages in that sampling period;
a second determination submodule, for determining, from all the numbers of new users determined in all sampling periods, the number of new users that occurs most often.
The computing module comprises:
a first computing submodule, for calculating, for each received message, the difference between the identification field of this message and that of the n-th message already received, n being a natural number;
or,
a second computing submodule, for calculating, for each received message, the difference between the identification field of this message and that of each of the m messages already received, m being a natural number greater than 1.
The computing module comprises a third computing submodule, for subtracting the value of the identification field of the specified message from the value of the identification field of each message;
The processing module comprises:
a first judging submodule, for judging whether the difference is greater than a preset allowed packet-loss threshold, and if so, the difference is within the preset abnormal range;
or,
a second judging submodule, for judging whether the difference is less than 0, and if so, the difference is within the preset abnormal range.
The computing module comprises a fourth computing submodule, for setting a corresponding sequence for the first message received within a set time period and putting the identification field value of the first message into that sequence, and, for the k-th message received within the set time period, k being a natural number greater than 1, calculating the differences between the identification field value of the k-th message and each identification field value in each sequence already existing within the set time period;
The processing module comprises:
a first sequence-processing submodule, for adding, for the k-th message, a new corresponding sequence if all the differences are within the preset abnormal range, and putting the identification field value of the k-th message into the newly added sequence;
a second sequence-processing submodule, for putting, for the k-th message, its identification field value into the nearest sequence if any difference is not within the preset abnormal range, the nearest sequence being the sequence used in calculating the smallest difference that is not within the preset abnormal range;
The determination module comprises a third determination submodule, for determining the number of newly added sequences as the number of new users.
The receiving module comprises:
a second receiving submodule, for continuously receiving all messages having the same user authentication feature as the user who has passed authentication;
or,
a third receiving submodule, for receiving, at every set time interval, a predetermined number of consecutive messages having the same user authentication feature as the user who has passed authentication.
The network equipment provided by embodiments of the invention comprises any of the apparatuses for detecting the number of shadow users provided by embodiments of the invention.
The method, apparatus and network equipment for detecting the number of shadow users proposed by embodiments of the invention make use of the fact that a shadow user cannot construct messages whose identification field follows the variation pattern of the legitimate user's messages. For all messages having the same user authentication feature, the method analyzes, for each message received within a certain time period, whether the difference between its identification field value and the identification field values of other messages is within a preset abnormal range, that is, whether each message fails to follow the variation pattern that the identification field should have in messages sent by an existing user host. It thereby determines whether the currently received message and the message received first were sent by the same user host, records the number of different users, and so determines the number of shadow users. Traffic loss can then be quantified according to the determined number of shadow users, for example the specific amount of network traffic lost to each shadow user and the specific amount of lost Internet access fees, which greatly improves service performance.
Further, in one implementation of the method, apparatus and network equipment proposed by embodiments of the invention, the number of shadow users can be detected using only subtraction, without complicated algorithms such as statistical algorithms, so the implementation is simple.
Further, the method, apparatus and network equipment proposed by embodiments of the invention need not generate and send extra detection messages in order to detect the number of shadow users; the processing need only be performed inside a device that can receive messages, so no redundant data traffic is introduced and normal network use is not affected.
Further, since the IP protocol is the basic protocol of network transmission, the IP protocol is used no matter what kind of network access the shadow user and the legitimate user share; therefore, the method, apparatus and network equipment proposed by embodiments of the invention perform detection using the identification field of IP messages, which greatly increases the range of application of the embodiments.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of 802.1x authentication;
Fig. 2 is a first schematic diagram of an illegal user disguised as a legitimate user;
Fig. 3 is a second schematic diagram of an illegal user disguised as a legitimate user;
Fig. 4 is a schematic diagram of a shadow user disguised as a legitimate user;
Fig. 5 is a basic flowchart of detecting the number of shadow users proposed by an embodiment of the invention;
Fig. 6 is a flowchart of detecting the number of shadow users in a preferred embodiment of the invention;
Fig. 7 is a basic block diagram of the apparatus for detecting the number of shadow users proposed by an embodiment of the invention;
Fig. 8 is an optional structural diagram of the apparatus for detecting the number of shadow users in an embodiment of the invention;
Fig. 9 is another optional structural diagram of the apparatus for detecting the number of shadow users in an embodiment of the invention;
Fig. 10 is a further optional structural diagram of the apparatus for detecting the number of shadow users in an embodiment of the invention;
Fig. 11 is a further optional structural diagram of the apparatus for detecting the number of shadow users in an embodiment of the invention.
Embodiments
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the scope of protection of the invention.
An embodiment of the invention proposes a method for detecting the number of shadow users. Referring to Fig. 5, the method comprises:
Step 501: receiving messages having the same user authentication feature as a user who has passed authentication.
This step can be implemented specifically as: continuously receiving all messages having the same user authentication feature as the user who has passed authentication; or, at every set time interval, receiving a predetermined number of consecutive messages having the same user authentication feature as the user who has passed authentication.
In this step, the user authentication feature can comprise a source IP address and/or a source MAC address.
Step 502: extracting the identification field of the messages.
Step 503: for each received message, calculating the difference between the identification field of this message and that of a specified message; if the difference is within a preset abnormal range, the message corresponds to one new user.
In this step, when calculating the difference between the identification field of a message and that of the specified message, the specified message can be the n-th message already received, n being a natural number; that is, the difference between the identification field of a message and that of any one message received before it is calculated, preferably the difference with the previous message or the message before that, and this difference is then used to judge whether it is within the preset abnormal range; or,
the specified message can also be each of the m messages already received, m being a natural number greater than 1; that is, the differences between the identification field of a message and those of any number of messages received before it are calculated, preferably the differences with the identification field of every message received before, and these differences are then used to judge whether they are all within the preset abnormal range.
The difference in this step is: the value of the identification field of each message minus the value of the identification field of the specified message.
In this step, the difference being within the preset abnormal range can specifically be: the difference being greater than a preset allowed packet-loss threshold; or the difference being less than 0.
Step 504: determining the number of new users corresponding to all messages.
Step 505: determining the finally determined number of new users as the number of shadow users.
Although a shadow user has the same IP address and MAC address as the legitimate user, the identification (id) field of the IP header is independent in different user hosts: in the IP messages successively sent by a host, the identification field is incremented by a certain step size from a starting point set by the sender. In real service, because the shadow user and the legitimate user perform their own independent online operations and have different data traffic, their message sending rates differ; moreover, the initial value of the identification field and the increment of the messages sent by the hosts of the shadow user and the legitimate user vary randomly for various reasons such as their respective packet loss and bursts. A shadow user therefore cannot construct messages whose identification field follows the variation pattern of the legitimate user's messages, such that the identification fields of its messages combined with those of the legitimate user's messages would form exactly the normal variation pattern of legitimate identification fields. The method for detecting the number of shadow users proposed by embodiments of the invention makes use of precisely this characteristic: for all messages having the same user authentication feature, it analyzes, for each message received within a certain time period, whether the difference between its identification field value and the identification field values of other messages is within a preset abnormal range, that is, whether each message fails to follow the variation pattern that the identification field should have in messages sent by an existing user host; it thereby determines whether the currently received message and the message received first were sent by the same user host, records the number of new users, and so determines the number of shadow users.
In the method proposed by embodiments of the invention, to further improve detection accuracy, a plurality of sampling periods can be divided in advance; in each sampling period, the process of determining the number of new users in that sampling period is performed once, so that a number of shadow users is determined in each sampling period, and the number of shadow users that occurs most often is finally determined as the number of shadow users detected.
In addition, in the method proposed by embodiments of the invention, the recorded number of new users can be embodied by the recorded number of newly added sequences.
Below, taking as an example the method that uses the above plurality of sampling periods and records the number of new users by means of sequences, and taking as an example the calculation of the differences between the identification field of a message and those of each message received before it, the process by which an embodiment of the invention detects the number of shadow users is described in detail. Referring to Fig. 6, the process comprises the following steps:
Step 600: dividing a plurality of sampling periods in advance.
In statistics, the "mode" denotes the value at the obvious point of central tendency of a statistical distribution and represents the general level of the data; simply put, the value that occurs most often in a set of data is the mode.
Based on the principle of the mode, to further improve detection accuracy, a plurality of sampling periods are divided in this step so that in subsequent processing a number of shadow users is obtained in each sampling period, that is, a set of data on the number of shadow users is obtained; according to the principle of the mode, the number of shadow users that occurs most often is finally determined as the number of shadow users detected, which makes the determined number of shadow users more accurate.
For example, in this step 5 sampling periods can be divided, each 20 seconds long.
Step 601: authenticate by rear the user, begin the timing to each sampling period.
Step 602: after each sampling period begins, receive and the message that authenticates the user that passes through and have identical user's authentication feature.
In this step, user's authentication feature can comprise source IP address and/or source MAC.
In each sampling period, can receive continuously all messages, also can receive at intervals several continuous messages.Therefore, in this step, reception specifically can comprise with the message that the user that authentication is passed through has identical user's authentication feature:
Continue to receive all and the message that authenticates the user that passes through and have identical user's authentication feature; For example, in the current sampling period, the message that the user that all and authentication are passed through can be had identical source IP address all obtains, in order to carry out real-time analysis and detection, the detection sensitivity of this mode is high;
Perhaps,
Receive the message that the continuous user with authentication is passed through of predetermined number has identical user's authentication feature every setting-up time, for example can obtain every 4 seconds the message that 10 continuous users with authentication is passed through have identical source IP address, analyze and detect, this mode can guarantee to save under certain detection sensitivity and detect the resource that takies.
For ease of subsequent descriptions, suppose that the message that receives is followed successively by within the current sampling period: P1, P2 ..., Pn.
Step 603: from the message that receives, extract identification field.
For ease of subsequent descriptions, suppose within the current sampling period, from the message P1 that receives successively, P2 ..., the identification field values that extracts respectively among the Pn is followed successively by: id1, and id2 ..., idn.
Step 604: the initiation sequence (being designated as U1) of a correspondence is set for first message P1 that receives in the current sampling period, and the identification field id1 that will extract from message P1 puts into this initiation sequence U1.
Step 605: for k the message Pk that receives in the current sampling period, k is natural number, and 2≤k≤n, calculates respectively in the value of the identification field among this message Pk and current sampling period the difference between each identification field values in existing each sequence.
Step 606: for k message Pk, judge all differences calculate whether all in default abnormal ranges, if so, then execution in step 607, otherwise, execution in step 608.
In the business realizing of reality, packet loss is recurrent situation in network, therefore, can set in advance one and allow the packet loss threshold value, the difference that is less than or equal to this permission packet loss threshold value is all thought the difference that packet loss causes, that is to say, can think that these two messages are that same user sends, on the contrary, then think greater than the difference of this permission packet loss threshold value not to be the difference that packet loss causes, that is to say, can think that message is that an emerging user sends.
In addition, do not meet normal progressive law if difference, also illustrates the Changing Pattern of the identification field values in the message less than 0, therefore, can think that message is that an emerging user sends yet.
Therefore, in this step, judge whether all differences all specifically can comprise in default abnormal ranges: whether judge all differences all greater than the permission packet loss threshold value that sets in advance, if so, then all differences are all in default abnormal ranges; Perhaps, whether judge all differences all less than 0, if so, then all differences are all in default abnormal ranges.
Step 607: the sequence Uk for the newly-increased correspondence of message Pk, put into this corresponding sequence Uk, execution in step 609 with the identification field idk among the message Pk.
Step 608: the identification field values idk among the message Pk is put into existing nearest sequence, and this nearest sequence is to calculate the not employed sequence of minimal difference in default abnormal ranges.
To illustrate steps 605 to 608: if the current value of k is 2, that is, for the second received message P2, the only identification field value held in an existing sequence is id1 in sequence U1, so id2 − id1 is computed. If the difference is greater than the preset allowed packet-loss threshold or less than 0, the user host that sent P2 is different from the user host that sent P1; relative to the existing host that sent P1, a new user host has appeared. To represent that new host, a new sequence U2 is added for message P2 and id2 is placed in U2. Otherwise, the host that sent P2 is the same as the host that sent P1, no new sequence for a user host is needed, and id2 is placed in the existing sequence U1.
If the current value of k is 3 and a sequence U2 was added for message P2, the existing sequences hold id1 in U1 and id2 in U2. Compute diff(id3, id1) = id3 − id1 and diff(id3, id2) = id3 − id2 respectively. If both differences are within the abnormal range (each greater than the preset allowed packet-loss threshold or less than 0), the host that sent P3 differs from the hosts that sent P1 and P2, that is, another new user host has appeared, so a new sequence U3 is added for message P3 and id3 is placed in U3. Otherwise, if for example diff(id3, id2) is less than the preset allowed packet-loss threshold and is the smaller of the two differences, the host that sent P3 and the host that sent P2 should be the same user host; no new sequence is created and id3 is placed in the nearest sequence U2. The same applies, by analogy, up to the last message in the current sampling period.
Step 609: Judge whether the current value of k equals the number n of messages received in the current sampling period; if so, go to step 611, otherwise go to step 610.
Step 610: k = k + 1, return to step 605.
Step 611: Obtain the number of newly added sequences in the current sampling period and take that number as the number of added users in the current sampling period.
After this step it is known, for all messages in the current sampling period that carry a given user authentication feature (for example the same source IP address and source MAC address), how many added users sent such messages in addition to the legitimate user.
Step 612: Judge whether all sampling periods have ended; if so, go to step 613, otherwise return to step 602.
Step 613: Among the added-user counts determined for all sampling periods, determine the added-user count that occurs most often.
Step 614: Take the finally determined added-user count as the number of shadow users.
For example, with 5 sampling periods whose numbers of new sequences (that is, added users) are 3, 4, 4, 4 and 2 respectively, the most frequently occurring added-user count is 4, so the number of shadow users is determined to be 4: in addition to the legitimate user, 4 illegitimate users are sending messages while impersonating the identity of the legitimate user.
In practice, both the access switch and the user host on which the authentication client software is installed can receive the IP messages having the same user authentication feature, so the process shown in Fig. 6 can be carried out on the access switch or on the user host with the authentication client software. Preferably, to further reduce the load on the access switch, a dedicated device can be connected to the access switch and cooperate with it in carrying out the process of Fig. 6: in each sampling period the access switch receives all messages having the same user authentication feature and forwards them to the dedicated device, and the remaining processing is performed by the dedicated device.
It should be noted that the process shown in Fig. 6 computes the difference between a message and each message received before it and then judges whether all of those differences are within the abnormal range in order to determine the number of new sequences (that is, added users) corresponding to the message. In a real implementation, the difference may instead be computed between a message and only one previously received message, preferably the immediately preceding message or the one before it, and that single difference judged against the preset abnormal range to determine the number of new sequences (added users) and finally the number of shadow users. Alternatively, the difference may be computed against any number of previously received messages, for example the identification field of each of the 2 preceding messages, and those 2 differences judged as to whether all are within the preset abnormal range, again determining the number of new sequences (added users) and finally the number of shadow users.
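The following is an added worked example, not code from the patent or its assignee. It implements the sequence-based count of steps 605 to 614 exactly as described above (compare each new identification field value with every value in every existing sequence, open a new sequence when all differences are abnormal, otherwise join the nearest sequence, then take the most frequent per-period count across sampling periods), and beside it the sliding-window variant from the closing note, which compares a message only with the previous m messages. The identification field is treated as a plain integer; the allowed packet-loss threshold of 50, the two interleaved senders counting from 1000 and 40000, and the third sender in the second period are all constructed for the example.

```python
"""Shadow-user estimate from identification-field differences (added example)."""
from collections import Counter
from typing import List, Optional


def is_abnormal(diff: int, loss_threshold: int) -> bool:
    """A difference is in the preset abnormal range if it exceeds the allowed
    packet-loss threshold (too many values skipped to blame on loss) or is
    negative (the field did not increase the way a single sender's would)."""
    return diff < 0 or diff > loss_threshold


def count_new_users(ids: List[int], loss_threshold: int) -> int:
    """Steps 605-611 for one sampling period.

    ids: identification-field values of the messages sharing one user
    authentication feature, in arrival order. The first value seeds U1; each
    later value joins the sequence holding the value with the smallest
    non-abnormal difference, or opens a new sequence if every difference is
    abnormal. Sequences opened after U1 are the added (shadow) users.
    """
    if not ids:
        return 0
    sequences: List[List[int]] = [[ids[0]]]        # U1, the first message
    for idk in ids[1:]:
        nearest: Optional[List[int]] = None
        nearest_diff: Optional[int] = None
        for seq in sequences:
            for prev in seq:                       # compare with every stored value
                diff = idk - prev
                if is_abnormal(diff, loss_threshold):
                    continue
                if nearest_diff is None or diff < nearest_diff:
                    nearest, nearest_diff = seq, diff
        if nearest is None:
            sequences.append([idk])                # step 607: new sequence Uk
        else:
            nearest.append(idk)                    # step 608: nearest sequence
    return len(sequences) - 1


def count_new_users_window(ids: List[int], loss_threshold: int, m: int) -> int:
    """Variant from the closing note: compare each message only with the
    previous m messages and count it as a new user when all of those
    differences are abnormal. No sequences are kept, so with m = 1 two
    interleaved senders make every message after the first look new."""
    new_users = 0
    for k in range(1, len(ids)):
        window = ids[max(0, k - m):k]
        if all(is_abnormal(ids[k] - prev, loss_threshold) for prev in window):
            new_users += 1
    return new_users


def shadow_user_count(periods: List[List[int]], loss_threshold: int) -> int:
    """Steps 612-614: count per sampling period, report the most frequent
    count. Ties go to the count seen first (an assumption; the description
    does not say how ties are broken)."""
    counts = [count_new_users(period, loss_threshold) for period in periods]
    return Counter(counts).most_common(1)[0][0]


if __name__ == "__main__":
    # Constructed sample: a legitimate host counting from 1000 and a shadow
    # host counting from 40000 share one source IP/MAC; their packets interleave.
    PERIODS = [
        [1000, 40000, 1001, 40002, 1003, 40003],
        [1000, 1001, 40000, 40001, 20000, 1002, 20001],   # a third sender appears
        [1000, 40000, 1001],
    ]
    for p in PERIODS:
        print(p, "->", count_new_users(p, 50), "added user(s)")
    print("shadow users:", shadow_user_count(PERIODS, 50))
    print("window m=1:", count_new_users_window(PERIODS[0], 50, 1),
          "window m=2:", count_new_users_window(PERIODS[0], 50, 2))
```

Running the block reports 1, 2 and 1 added users for the three periods and 1 shadow user overall; the window variant with m = 1 reports 5 for the first period and with m = 2 reports 1, which is the over-counting the sequence method avoids. Two caveats a deployer should weigh: the description's "less than 0" rule treats the wrap of a 16-bit field back to 0 as a new sender, and, if the identification field is the IP header Identification value, many current operating systems randomize it or set it to zero on packets with the DF bit set, in which case the monotonic assumption the method rests on does not hold for that host.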
An embodiment of the invention also proposes a device for detecting the number of shadow users. Referring to Fig. 7, the device comprises:
a receiving module 700, configured to receive messages that have the same user authentication feature as an authenticated user;
an extraction module 701, configured to extract the identification field of the messages;
a computing module 702, configured to compute, for each received message, the difference between the identification field of that message and the identification field of a specified message;
a processing module 703, configured to assign, for each received message, one added user to the message if the difference is within the preset abnormal range;
a determination module 704, configured to determine the number of added users corresponding to all messages;
an output module 705, configured to output the finally determined number of added users as the number of shadow users.
Referring to Fig. 8, in one optimized structure of the shadow-user detection device proposed by the embodiment of the invention,
the receiving module 700 comprises a first receiving sub-module 801, configured to perform reception initialization at the start of each of a plurality of pre-divided sampling periods and then receive the messages that have the same user authentication feature as the authenticated user;
correspondingly, the determination module 704 comprises:
a first determination sub-module 802, configured to determine, at the end of each sampling period, the number of added users corresponding to all messages in that sampling period;
a second determination sub-module 803, configured to determine, from the added-user counts determined for all sampling periods, the added-user count that occurs most often.
Referring to Fig. 9, in another optimized structure of the shadow-user detection device proposed by the embodiment of the invention, the computing module 702 comprises:
a first difference sub-module 7021, configured to compute, for each received message, the difference between the identification field of that message and the identification field of the n-th previously received message, n a natural number;
or,
a second difference sub-module 7022, configured to compute, for each received message, the difference between the identification field of that message and the identification field of each of the m previously received messages, m a natural number greater than 1.
Referring to Fig. 9, the computing module 702 may further comprise a first calculation sub-module 901, configured to subtract the identification field value of the specified message from the identification field value of each message;
correspondingly, the processing module 703 comprises:
a first judging sub-module 902, configured to judge whether the difference is greater than the preset allowed packet-loss threshold and, if so, to treat the difference as within the preset abnormal range;
or,
a second judging sub-module 903, configured to judge whether the difference is less than 0 and, if so, to treat the difference as within the preset abnormal range.
Referring to Fig. 10, in yet another optimized structure of the shadow-user detection device proposed by the embodiment of the invention,
the computing module 702 comprises a second calculation sub-module 7023, configured to set up a corresponding sequence for the first message received in a set time period and put the identification field value of that first message into the corresponding sequence; and, for the k-th message received in the set time period (k a natural number greater than 1), to compute the difference between the identification field value of that k-th message and each identification field value in each sequence already existing in the set time period;
correspondingly, the processing module 703 comprises:
a first sequence processing sub-module 1001, configured, for the k-th message, to add a new corresponding sequence for the k-th message if all differences are within the preset abnormal range and to put the identification field value of the k-th message into that new sequence;
a second sequence processing sub-module 1002, configured, for the k-th message, to put the identification field value of the k-th message into the nearest sequence if any difference is not within the preset abnormal range, the nearest sequence being the sequence whose value produced the smallest difference not within the preset abnormal range;
correspondingly, the determination module 704 comprises a third determination sub-module 1003, configured to take the number of newly added sequences as the number of added users.
Referring to Fig. 11, in yet another optimized structure of the shadow-user detection device proposed by the embodiment of the invention,
the receiving module 700 comprises:
a second receiving sub-module 1101, configured to continuously receive all messages that have the same user authentication feature as the authenticated user;
or,
a third receiving sub-module 1102, configured to receive, at every set time interval, a predetermined number of consecutive messages that have the same user authentication feature as the authenticated user.
An embodiment of the invention also proposes a network device comprising any of the shadow-user detection devices provided by the embodiments of the invention.
The network device proposed by the embodiment of the invention may be an access switch, or a user host on which the authentication client software is installed, or a device connected to the access switch; in the last case the messages that the receiving module 700 receives, having the same user authentication feature as the authenticated user, are forwarded from the access switch.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (12)

1. A method for detecting the number of shadow users, characterized by comprising:
A. receiving messages that have the same user authentication feature as an authenticated user;
B. extracting the identification field of the messages;
C. for each received message, computing the difference between the identification field of that message and the identification field of a specified message, and if the difference is within a preset abnormal range, assigning one added user to the message, specifically: setting up a corresponding sequence for the first message received in a set time period and putting the identification field value of that first message into the corresponding sequence; for the k-th message received in the set time period, k a natural number greater than 1, computing the difference between the identification field value of that k-th message and each identification field value in each sequence already existing in the set time period; for the k-th message, if all differences are within the preset abnormal range, adding a new corresponding sequence for the k-th message and putting the identification field value of the k-th message into that new sequence, and if any difference is not within the preset abnormal range, putting the identification field value of the k-th message into the nearest sequence, the nearest sequence being the sequence whose value produced the smallest difference not within the preset abnormal range; the number of added users being the number of newly added sequences;
D. determining the number of added users corresponding to all messages;
E. taking the finally determined number of added users as the number of shadow users.
2. The method according to claim 1, characterized in that in step A the user authentication feature comprises a source Internet Protocol (IP) address and/or a source medium access control (MAC) address.
3. The method according to claim 1, characterized in that
steps A to D are carried out separately in each of a plurality of pre-divided sampling periods; and
between step D and step E the method further comprises: determining, from the added-user counts determined for all sampling periods, the added-user count that occurs most often.
4. The method according to claim 1, characterized in that the specified message is the n-th previously received message, n a natural number; or each of the m previously received messages, m a natural number greater than 1.
5. The method according to claim 1, characterized in that the difference is the identification field value of each message minus the identification field value of the specified message; and
in step C, the difference being within the preset abnormal range comprises: the difference being greater than a preset allowed packet-loss threshold; or the difference being less than 0.
6. The method according to any one of claims 1 to 5, characterized in that in step A receiving messages that have the same user authentication feature as the authenticated user comprises:
continuously receiving all messages that have the same user authentication feature as the authenticated user;
or,
receiving, at every set time interval, a predetermined number of consecutive messages that have the same user authentication feature as the authenticated user.
7. A device for detecting the number of shadow users, characterized by comprising:
a receiving module, configured to receive messages that have the same user authentication feature as an authenticated user;
an extraction module, configured to extract the identification field of the messages;
a computing module, configured to compute, for each received message, the difference between the identification field of that message and the identification field of a specified message, specifically comprising a fourth calculation sub-module configured to set up a corresponding sequence for the first message received in a set time period and put the identification field value of that first message into the corresponding sequence, and, for the k-th message received in the set time period, k a natural number greater than 1, to compute the difference between the identification field value of that k-th message and each identification field value in each sequence already existing in the set time period;
a processing module, comprising:
a first sequence processing sub-module, configured, for the k-th message, to add a new corresponding sequence for the k-th message if all differences are within the preset abnormal range and to put the identification field value of the k-th message into that new sequence;
a second sequence processing sub-module, configured, for the k-th message, to put the identification field value of the k-th message into the nearest sequence if any difference is not within the preset abnormal range, the nearest sequence being the sequence whose value produced the smallest difference not within the preset abnormal range;
a determination module, comprising a third determination sub-module configured to take the number of newly added sequences as the number of added users;
an output module, configured to output the finally determined number of added users as the number of shadow users.
8. The device according to claim 7, characterized in that
the receiving module comprises a first receiving sub-module, configured to perform reception initialization at the start of each of a plurality of pre-divided sampling periods and then receive the messages that have the same user authentication feature as the authenticated user; and
the determination module comprises:
a first determination sub-module, configured to determine, at the end of each sampling period, the number of added users corresponding to all messages in that sampling period;
a second determination sub-module, configured to determine, from the added-user counts determined for all sampling periods, the added-user count that occurs most often.
9. The device according to claim 7, characterized in that the computing module comprises:
a first calculation sub-module, configured to compute, for each received message, the difference between the identification field of that message and the identification field of the n-th previously received message, n a natural number;
or,
a second calculation sub-module, configured to compute, for each received message, the difference between the identification field of that message and the identification field of each of the m previously received messages, m a natural number greater than 1.
10. The device according to claim 7, characterized in that
the computing module comprises a third calculation sub-module, configured to subtract the identification field value of the specified message from the identification field value of each message; and
the processing module comprises:
a first judging sub-module, configured to judge whether the difference is greater than a preset allowed packet-loss threshold and, if so, to treat the difference as within the preset abnormal range;
or,
a second judging sub-module, configured to judge whether the difference is less than 0 and, if so, to treat the difference as within the preset abnormal range.
11. The device according to any one of claims 7 to 10, characterized in that the receiving module comprises:
a second receiving sub-module, configured to continuously receive all messages that have the same user authentication feature as the authenticated user;
or,
a third receiving sub-module, configured to receive, at every set time interval, a predetermined number of consecutive messages that have the same user authentication feature as the authenticated user.
12. A network device, characterized by comprising the device for detecting the number of shadow users according to any one of claims 7 to 11.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105052767A CN101980477B (en) 2010-10-09 2010-10-09 Method and device for detecting number of shadow users, and network equipment

Publications (2)

Publication Number Publication Date
CN101980477A CN101980477A (en) 2011-02-23
CN101980477B (en) 2013-01-30

Family

ID=43600962

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105703962A (en) * 2014-11-25 2016-06-22 中兴通讯股份有限公司 Internet access user detection method and device
CN108512816B (en) * 2017-02-28 2021-04-27 中国移动通信集团广东有限公司 Traffic hijacking detection method and device
CN107769999B (en) * 2017-12-07 2020-09-25 锐捷网络股份有限公司 Method and device for identifying user agent internet surfing
CN111953807B (en) * 2020-07-30 2022-02-22 新华三信息安全技术有限公司 Message identifier processing method and device and storage medium
CN115066702A (en) * 2020-12-31 2022-09-16 百果园技术(新加坡)有限公司 Advertisement putting distribution method and device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101645891A (en) * 2009-08-28 2010-02-10 北京星网锐捷网络技术有限公司 Shadow user identify control method, device and network device
CN101778380A (en) * 2009-12-31 2010-07-14 卓望数码技术(深圳)有限公司 Identity authentication method, device and system
CN101841445A (en) * 2010-04-20 2010-09-22 北京星网锐捷网络技术有限公司 User identifying method and device for internet connection sharing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130130

Termination date: 20211009