Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the protection scope of the present invention.
Figure 1 is a flowchart of a method for preventing network access spoofing according to an embodiment of the present invention.
The method comprises:
Step 101, when a client accesses the network, check at a preset time interval whether an anti-spoofing message has been received from the client.
Step 102, when no anti-spoofing message has been received from the client, treat the client as an illegitimate client and send a message to disconnect the client's network connection.
In one embodiment of the present invention, before step 101 the method comprises: obtaining the network access authentication request message sent by the client, verifying the network access authentication request message, and, after the verification passes, obtaining and recording the online notification message of the client from the network access authentication request message.
In one embodiment of the present invention, the network access authentication request message comprises the user's login account, the password, the Media Access Control (MAC) address and the Internet Protocol (IP) address of the client, and so on, where it may include only one of the MAC address and the IP address. The online notification message comprises the user's login account, the MAC address and the IP address of the client, and so on. The anti-spoofing message is used to verify whether the client is legitimate. It may take any form: any character or character string, an IP address or a MAC address, or a combination of several of these.
In one embodiment of the present invention, in step 101 the anti-spoofing message may be decrypted, using the decryption method that corresponds to the client's encryption method, to obtain the decrypted anti-spoofing message. When decryption is used, the user's login account in the anti-spoofing message may be in plaintext, while the MAC address and IP address of the client, and so on, are ciphertext. The decryption method may use, for example, the Message-Digest Algorithm 5 (MD5).
Alternatively, the received online notification message may be encrypted in the same way as on the client, for example with the MD5 encryption method, and the encrypted online notification message is recorded.
In one embodiment of the present invention, after step 102 the method further comprises: when the online notification message of the client differs from the anti-spoofing message of the client, sending a message to disconnect the client's network connection.
In one embodiment of the present invention, obtaining and recording the online notification message of the client from the network access authentication request message further comprises obtaining and recording the account state of the client and the attribute information of the account. When another client logs in to the network, before step 101 it is further determined whether the account state corresponding to that client is the logged-in state and whether the attribute information has reached the maximum usage threshold; if the account state is the logged-in state and the maximum usage threshold has been reached, a message to disconnect that client's network connection is sent.
The embodiment of the present invention determines whether an anti-spoofing message has been obtained from the client within a predetermined time interval. When none has been obtained, the client is treated as an illegitimate client and a message to disconnect its network connection is sent, which prevents multiple users from illegally logging in to the network with the same network account. In addition, by comparing the stored online notification message of a logged-in client with the client's anti-spoofing message, clients whose anti-spoofing messages differ can be identified, which prevents illegitimate clients from logging in to the network.
Figure 2 is a schematic structural diagram of an anti-spoofing server according to an embodiment of the present invention.
The server comprises:
A receiving unit 201, configured to check at a preset time interval, when a client accesses the network, whether an anti-spoofing message has been received from the client.
A judging unit 202, configured to treat the client as an illegitimate client when no anti-spoofing message has been received from it, and to send a message to disconnect the client's network connection.
By determining whether an anti-spoofing message has been obtained from the client within a predetermined time interval, the anti-spoofing server of the embodiment of the present invention prevents multiple users from illegally logging in to the network with the same network account.
In one embodiment of the present invention, as shown in Figure 3, the server comprises a receiving unit 301 and a judging unit 302, and further comprises:
A recording unit 303, configured to obtain and record the online notification message of the client from the client's network access authentication request message.
A comparing unit 304, configured to compare the online notification message of the client with the anti-spoofing message of the client, and to send a message to disconnect the client's network connection when they differ.
The recording unit 303 is further configured to obtain and record the account state of the client and the attribute information of the account.
An analyzing unit 305, configured to determine whether the account state corresponding to the client is the logged-in state and whether the attribute information has reached the maximum usage threshold, and, if the account state is the logged-in state and the maximum usage threshold has been reached, to send a message to disconnect the client's network connection.
A decrypting unit 306, configured to decrypt the anti-spoofing message received by the receiving unit 301, to obtain the decrypted anti-spoofing message.
As an alternative to the decrypting unit 306, the server may comprise an encrypting unit 307, configured to encrypt the online notification message of the client from the client's network access authentication request message and store it in the recording unit 303.
Figure 4 is a schematic structural diagram of a system for preventing network access spoofing according to an embodiment of the present invention.
The system comprises a client 401, an AAA server 402, an anti-spoofing server 403 and an OCS server 404.
The client 401 is configured to send a network access authentication request message to the AAA server 402, and to send the client's anti-spoofing message to the anti-spoofing server 403 at a preset time interval.
The AAA server 402 is configured to verify the network access authentication request message, and to send the client 401 a message that either permits network login or disconnects it from the network.
The anti-spoofing server 403 is configured to check at a preset time interval, when a client accesses the network, whether an anti-spoofing message has been received from the client, and, when none has been received, to treat the client as an illegitimate client and send the AAA server 402 a message to disconnect the network connection of the client 401.
The OCS server 404 is configured to charge the client and to store the attribute information of the client's account.
The anti-spoofing server 403 is the embodiment shown in Figure 2 or Figure 3.
The anti-spoofing server 403 may also be integrated into the OCS server.
The client 401 and the anti-spoofing server 403 communicate using a predetermined protocol, or the client 401 encrypts the anti-spoofing message with a predefined encryption algorithm; for example, masking, shifting or XOR processing is applied to the 48-bit MAC address and the 32-bit IP address, and the result is then encrypted with the Message-Digest Algorithm 5 (MD5).
By adding the anti-spoofing server, the embodiment of the present invention prevents multiple illegitimate clients from logging in to the network with the same account.
Figure 5 is a data flow diagram of the system for preventing network access spoofing according to an embodiment of the present invention.
The flow comprises:
Step 501, when legitimate client 1 goes online, client 1 sends a network access authentication request message to the AAA server. The network access authentication request message carries the account, the password, and the Media Access Control (MAC) address and Internet Protocol (IP) address of the client.
Step 502, the AAA server authenticates the account and password. Because client 1 is a legitimate user, authentication passes.
Step 503, the AAA server sends the authentication result response message to the client.
Step 504, the client determines from the response message whether it can access the network. Client 1 being legitimate, it starts accessing the network after receiving the response message indicating that authentication passed.
Step 505, when the AAA server has successfully authenticated the client's network access authentication request message, the AAA server sends the user online notification message from the network access authentication request message to the anti-spoofing server. The user online notification message comprises information such as the account and the MAC address and IP address of the client, where either one of the MAC address and the IP address may be included.
Step 506, the anti-spoofing server records the information carried in the user online notification message. As an optional step, the anti-spoofing server may also encrypt the online notification message using the same encryption method as the client and then record the encrypted online notification message. For example, the MAC address and IP address of the client are encrypted by applying masking, shifting or XOR processing to the 48-bit MAC address and the 32-bit IP address and then encrypting the result with the Message-Digest Algorithm 5 (MD5).
Step 507, the anti-spoofing server sends a Credit Control Request (CCR) to the OCS server over the Diameter Credit Control (DCC) charging protocol to query the attribute information of the account, such as the account's maximum permitted number of connections (the maximum usage threshold) and the account's charging information, and records the account state as logged in to the network.
Step 508, the OCS server returns a Credit Control Answer (CCA) to notify the anti-spoofing server of the account attribute information, and the anti-spoofing server records the account attribute information.
It should be noted that steps 503 to 508 may be performed in any order.
Step 509, at this point client 1 has successfully logged in to the network and started accessing it, and the anti-spoofing server has obtained the user online notification message of this client. The client according to the embodiment of the present invention periodically sends an anti-spoofing message to the anti-spoofing server. The anti-spoofing message comprises information such as the account and the MAC address and IP address of the client. The kinds of information in the anti-spoofing message should be the same as those in the user online notification message stored on the anti-spoofing server; for example, if the anti-spoofing server has stored the IP address from the user online notification message, the anti-spoofing message also includes the IP address.
Client 1 may transmit the anti-spoofing message using a predefined protocol, or may encrypt the anti-spoofing message, for example encrypting only the MAC address and IP address of the client.
Step 510, after receiving the anti-spoofing message sent by the client, the anti-spoofing server checks the account, MAC address and IP address it carries against the user online notification message that the anti-spoofing server recorded in step 506. If the two are consistent, the client's network access is considered legitimate.
Step 511, after passing the check in step 510, client 1 can continue normal network access.
In addition, when client 1 goes offline, the AAA server sends a user offline notification message to the anti-spoofing server. This message also carries the account, MAC address, IP address and so on of client 1, and the anti-spoofing server updates the account's state information accordingly, from the logged-in state to the offline state.
Step 512, an illegitimate client 2 steals the account and password of legitimate client 1 and then attempts to access the network. There are two possibilities: first, illegitimate client 2 attempts to access the network while the account state of legitimate client 1 is logged in; second, illegitimate client 2 attempts to access the network while the account state of legitimate client 1 is offline.
In the case where illegitimate client 2 attempts to access the network while the account state of client 1 is logged in, illegitimate client 2 uses the stolen account and password with other PPPoE client internet access software. It likewise sends a network access authentication request message to the AAA server, and this message carries the account, the password, and the MAC address and IP address of the login terminal.
Step 513, the AAA server authenticates the account and password. Because illegitimate client 2 has stolen the account and password of the legitimate client, the AAA server's authentication passes here as well.
Step 514, the AAA server sends the response message indicating that authentication passed to illegitimate client 2.
Step 515, illegitimate client 2 starts accessing the network after receiving the response message indicating that authentication passed.
Step 516, as in step 505 for the legitimate client, once the AAA server has authenticated illegitimate client 2, the AAA server sends a user online notification message to the anti-spoofing server. This message carries the user's login account and the MAC address and IP address of the client.
Step 517, the anti-spoofing server consults the attribute information of the account obtained in step 508 and the account state information stored on the anti-spoofing server. It finds that this user account permits only a single connection (the maximum usage threshold is 1) and that legitimate client 1 is already in the logged-in state. The anti-spoofing server therefore considers the newly logged-in client 2 illegitimate.
Step 518, for a client accessing the network illegitimately, the anti-spoofing server actively sends a cut-off-illegal-connection message to the AAA server.
Step 519, the AAA server sends the cut-off-illegal-connection message to illegitimate client 2, and the network access of illegitimate client 2 is interrupted.
Step 520, the AAA server sends the result of interrupting the illegitimate client's network access, that is, a response message, to the anti-spoofing server.
As for the case where the illegitimate client fails to steal the correct account and password, it obviously cannot pass the AAA server's account and password authentication in step 502 or step 513 and has no opportunity to access the network. This case is therefore not described in detail here.
In addition, according to the embodiment of the present invention, illegitimate client 2 cannot access the network even when legitimate client 1 is not online.
In step 517, the anti-spoofing server consults the attribute information of the account obtained in step 508 and the account state information stored on the anti-spoofing server. It finds that this user account permits only a single connection and that legitimate client 1 is not in the logged-in state, so it does not immediately send a cut-off-illegal-connection message to the AAA server. Instead, it waits for a predetermined time interval and then determines whether an anti-spoofing message sent by illegitimate client 2 has been received. In one embodiment of the present invention, the predetermined time interval may be 3 minutes. If no anti-spoofing message is received, the logged-in client 2 is considered illegitimate.
As an optional embodiment, in step 517, after receiving the anti-spoofing message, the anti-spoofing server may also check the account, MAC address and IP address it carries against the user online notification message that the anti-spoofing server recorded in step 506. If the two are consistent, the client's network access is considered legitimate and the client can continue accessing the network. Here the anti-spoofing server decrypts the received anti-spoofing message to obtain the account, MAC address and IP address, checks them against the corresponding information in the user online notification message stored on the anti-spoofing server, and, if they are consistent, considers the client's network access legitimate. As a further optional embodiment, the anti-spoofing server may instead compare the received encrypted anti-spoofing message with the stored encrypted online notification message, and consider the client's network access legitimate if the two are consistent.
As described above, obtaining the state information and attribute information of the account prevents multiple illegitimate users from logging in to the network with the same account.
Figure 6 is another data flow diagram of the system for preventing network access spoofing according to an embodiment of the present invention.
In this embodiment, steps 601 to 611 are the same as steps 501 to 511 of the embodiment shown in Figure 5 and are not repeated here.
While legitimate client 1 is accessing the network, illegitimate client 2 also starts to access the network.
Step 612, client 2 sends a network access authentication request message to the AAA server. This message carries the account, the password, and the MAC address and IP address of client 2.
Step 613, the AAA server authenticates the account and password, and authentication passes.
Step 614, the AAA server sends the response message indicating that authentication passed to client 2.
Step 615, client 2 starts accessing the network after receiving the response message indicating that authentication passed.
Step 616, at the same time, the AAA server sends a user online notification message to the anti-spoofing server. This message carries the account and the MAC address and IP address of the client.
Step 617, the anti-spoofing server consults the attribute information of the account obtained in step 608 and the account state information stored on the anti-spoofing server. Unlike the case of Figure 5, the anti-spoofing server finds from the account attribute information received in step 608 that the account supports sharing by multiple users and has not reached the maximum number of connections (that is, has not reached the maximum usage threshold). The anti-spoofing server therefore records this user's online notification message, updates the account's connection count on the anti-spoofing server by adding 1 to the existing count, allows this user to continue accessing the network, and waits for the client software to send an anti-spoofing message.
Step 618, client 2 sends an anti-spoofing message within a predetermined time interval (for example, 3 minutes).
Step 619, the anti-spoofing server receives this anti-spoofing message and considers client 2 a legitimate user.
Step 620, client 2 can continue accessing the network.
In another case, if in step 617 the anti-spoofing server finds that the account's attribute information has reached the maximum number of connections, it considers client 2 an illegitimate client and sends a cut-off-illegal-connection message to the AAA server.
Moreover, even if the number of users of an account has not yet reached its maximum permitted number of connections, an unauthorized user still cannot access the network with only a stolen or misappropriated account and password. This is because the unauthorized user's client, unlike the client of the embodiment of the present invention, cannot periodically send anti-spoofing messages according to the predetermined anti-spoofing protocol. In step 617 the anti-spoofing server can determine whether the client is illegitimate according to whether an anti-spoofing message is received within a predetermined time (for example, 3 minutes); if none is received, it can send a cut-off-illegal-connection message to the AAA server to stop the illegitimate client's network access.
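The anti-spoofing server's decisions in the flows of Figures 5 and 6, as an added Python example that is not part of the original document: the connection threshold check, the periodic message deadline, and the comparison against the recorded online notification. The class and function names, the choice of XOR before MD5, and the sample accounts and addresses are assumptions made for illustration; the server records the digest of the online notification and compares digests, as in the optional embodiment.

```python
import hashlib
from dataclasses import dataclass

INTERVAL = 180  # seconds; the text gives 3 minutes as one possible interval


def token(mac: str, ip: str) -> str:
    """MD5 over (48-bit MAC XOR 32-bit IP). XOR is a constructed choice among
    the masking / shifting / XOR options the text lists."""
    mac_int = int(mac.replace(":", ""), 16)
    ip_int = int.from_bytes(bytes(int(p) for p in ip.split(".")), "big")
    return hashlib.md5((mac_int ^ ip_int).to_bytes(6, "big")).hexdigest()


@dataclass
class Session:
    account: str
    deadline: float  # latest time the next anti-spoofing message may arrive


class AntiSpoofServer:
    def __init__(self, max_connections):
        self.max_connections = max_connections  # account -> threshold (from OCS)
        self.sessions = {}  # (account, token) -> Session

    def on_online(self, account, mac, ip, now):
        """Online notification from the AAA server for an authenticated client."""
        active = sum(1 for s in self.sessions.values() if s.account == account)
        if active >= self.max_connections.get(account, 1):
            return "disconnect"  # maximum usage threshold already reached
        # MD5 is one-way, so record the digest and compare digests later.
        self.sessions[(account, token(mac, ip))] = Session(account, now + INTERVAL)
        return "wait"  # access allowed; first anti-spoofing message is now due

    def on_anti_spoofing_message(self, account, tok, now):
        """Periodic client message: plaintext account plus digest of MAC/IP."""
        s = self.sessions.get((account, tok))
        if s is None or now > s.deadline:
            self.sessions.pop((account, tok), None)
            return "disconnect"  # no matching online notification, or overdue
        s.deadline = now + INTERVAL
        return "ok"

    def on_offline(self, account, mac, ip):
        """Offline notification from the AAA server: free the connection slot."""
        self.sessions.pop((account, token(mac, ip)), None)

    def sweep(self, now):
        """Drop and return sessions whose anti-spoofing message is overdue."""
        overdue = [k for k, s in self.sessions.items() if now > s.deadline]
        for k in overdue:
            del self.sessions[k]
        return overdue


if __name__ == "__main__":
    # Constructed sample data: one single-use account and one shared account.
    srv = AntiSpoofServer({"alice": 1, "shared": 2})
    c1 = ("02:00:00:00:00:01", "10.0.0.5")
    c2 = ("02:00:00:00:00:02", "10.0.0.9")
    print(srv.on_online("alice", *c1, now=0))                      # wait
    print(srv.on_anti_spoofing_message("alice", token(*c1), 60))   # ok
    print(srv.on_online("alice", *c2, now=90))                     # disconnect
    srv.on_offline("alice", *c1)
    print(srv.on_online("alice", *c2, now=200))                    # wait
    print(len(srv.sweep(381)))                                     # 1
```

A deployment would call `sweep` on a timer and forward each returned session to the AAA server as a disconnect request.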
Figure 7 is a flowchart of a client-side method for preventing network access spoofing according to an embodiment of the present invention.
The method comprises:
Step 701, send a network access authentication request message to the network side to request network login.
Step 702, after logging in to the network successfully, send an anti-spoofing message to the network side at a preset time interval.
In one embodiment of the present invention, in step 702 the anti-spoofing message is encapsulated using a predetermined protocol.
In one embodiment of the present invention, in step 702 the anti-spoofing message may also be encrypted. When encryption is used, the user's login account in the anti-spoofing message may be in plaintext, while the MAC address and IP address of the client, and so on, are ciphertext, for example produced with the MD5 encryption method.
The network access authentication request message includes the online notification message.
With the above embodiment, it is determined whether an anti-spoofing message has been obtained from the client within the predetermined time interval, which prevents multiple users from illegally logging in to the network with the same network account.
Figure 8 is a schematic structural diagram of the client of the present invention.
The client comprises a sending unit 801, configured to send a network access authentication request message to the network side to request login to the network.
A timed sending unit 802, configured to send an anti-spoofing message to the network side at a preset time interval after logging in to the network successfully.
The client further comprises an encrypting unit 803, configured to encrypt the anti-spoofing message.
The beneficial effect of the embodiments of the present invention is that a legitimate client is distinguished by determining whether an anti-spoofing message has been received within the predetermined time interval. Where multiple users share an account, this makes it easier for the system to control charging for the shared account. Even if someone uses the account, password and client to access the network, the operator suffers no charging loss, which strengthens network security.
A person of ordinary skill in the art will understand that all or part of the flows in the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the flows of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The embodiments described above further explain the purpose, technical solutions and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.