CN102833738B - Method and device for communication monitoring - Google Patents
Method and device for communication monitoring Download PDFInfo
- Publication number
- CN102833738B CN102833738B CN201210268846.4A CN201210268846A CN102833738B CN 102833738 B CN102833738 B CN 102833738B CN 201210268846 A CN201210268846 A CN 201210268846A CN 102833738 B CN102833738 B CN 102833738B
- Authority
- CN
- China
- Prior art keywords
- terminal
- call
- mpty
- ticket
- default
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Abstract
The invention provides a method and a device for communication monitoring. The method comprises: obtaining bills of a terminal in a preset call period, determining whether a call indicated by each bill is a multi party call; obtaining a first proportion of the multi party calls in the calls with preset call times; determining whether the first proportion is larger than a preset first threshold value, if yes, calculating repetition rates of other numbers in the preset multi party calls except the number of the terminal; and determining whether a maximum value of the repetition rates of other numbers is larger than a preset second threshold value, if yes, determining calls of the terminal are monitored. Through analyzing bills of the terminal in the preset call period, the method and the device can determine whether the calls of the terminal are monitored, thereby dealing with various illegal monitoring types of viruses, and call information of the terminal is effectively protected.
Description
Technical field
The application relates to security of network and information technology, particularly relates to a kind of communication monitoring method and device.
Background technology
In the mobile Internet epoch, virus, wooden horse, Malware are day by day remarkable to the threat of terminal.After the monitored viroid of terminal infects, the call of terminal illegally will be monitored by other people, and result causes the individual privacy of terminal use to reveal, and causes serious harm to the normal operation of network, the prestige of operator and income.Prior art by loading the invasion that the antivirus program monitoring viroid can be prevented to prevent from monitoring viroid on server and terminal.
But, in the prior art by loading the method for antivirus protection program on server and terminal, need the virus base in timing renewal antivirus protection program, protective action could be played to the monitoring viroid of the new or mutation occurred at any time, renewal due to virus base exists delays, therefore poor to the protection promptness of the new virus occurred at any time.
Summary of the invention
The application provides a kind of communication monitoring method and device, to tackle the virus of various illegal monitoring class in time, available protecting call-information.
The embodiment of the present invention provides a kind of communication monitoring method, comprising:
Acquisition terminal presets the ticket in talk period, judges whether the call indicated by every bar ticket is MPTY;
The first ratio described in the call of the default talk times of acquisition shared by MPTY;
Judge whether described first ratio is greater than default first threshold value, if then calculate the repetition rate of other numbers preset in MPTY number of times except the number of described terminal;
Judge whether the maximum in the repetition rate of other numbers described is greater than default second threshold value, if then judge that the call of described terminal is monitored.
The embodiment of the present invention provides a kind of communication monitoring device, comprising:
First processing module, presetting ticket in talk period for obtaining terminal, judging whether the call indicated by every bar ticket is MPTY;
Second processing module, for obtain default talk times call described in the first ratio shared by MPTY;
3rd processing module, for judging whether described first ratio is greater than default first threshold value, if then calculate the repetition rate of other numbers preset in MPTY number of times except the number of described terminal;
4th processing module, for judging whether the maximum in the repetition rate of other numbers described is greater than default second threshold value, if then judge that the call of described terminal is monitored.
The method and apparatus that the embodiment of the present invention provides, communication monitoring device presets many tickets of talk period by associated terminal, judge to show whether terminal MPTY occurs, and according to the call-information of MPTY, whether the MPTY behavior of statistical analysis terminal meets the rule of conduct preset, if meet, illustrate that this terminal has probably infected illegal monitoring viroid, because no matter which kind of is viral, terminal is after being illegally listened, its message accounting behavior is all become most MPTY by the most double-talk of script, as long as therefore the message accounting behavior of terminal meets default rule of conduct, can judge that this terminal has infected illegal monitoring virus.No matter in the future how virus makes a variation; the message accounting behavior of terminal after poisoning is all identical; therefore various existing and newborn illegal monitoring viroid can be tackled in time by the communication monitoring device of core-network side; eliminate the attack window on the zero that antivirus program cannot be eliminated, thus the call-information of effective protection user.
Accompanying drawing explanation
Fig. 1 is communication monitoring method first embodiment flow chart of the present invention;
Fig. 2 is communication monitoring method second embodiment flow chart of the present invention;
Fig. 3 is communication monitoring device first example structure schematic diagram of the present invention;
Fig. 4 is communication monitoring device second example structure schematic diagram of the present invention;
Fig. 5 is communication monitoring device the 3rd example structure schematic diagram of the present invention;
Fig. 6 is communication monitoring device the 4th example structure schematic diagram of the present invention.
Embodiment
Fig. 1 is communication monitoring method first embodiment flow chart of the present invention, as shown in Figure 1, the communication monitoring method that the embodiment of the present invention provides is performed by the communication monitoring device of core-network side, carries out monitoring analysis, illegally monitored to prevent call-information by other people the call behavior of terminal.Communication monitoring device can adopt the form of software and/or hardware to realize, and the method comprises:
Step S100, acquisition terminal presets the ticket in talk period, judges whether the call indicated by every bar ticket is MPTY;
Communication monitoring device initiates to charging center to obtain ticket request, acquisition request terminal presets all tickets of talk period, default talk period refers to the talk period of the terminal that the needs preset obtain, such as communication monitoring device can initiate to charging center to obtain the ticket of terminal from all calls of yesterday zero up to the same day zero time every day zero time, also within each hour, can initiate to charging center the ticket obtaining terminal all calls of nearest a hour.
It should be noted that, because namely charging center produces the ticket of terminal this call after terminal call terminates, therefore communication monitoring device can the ticket of Real-time Obtaining terminal, also can the ticket of talk period described in timing acquisition.When timing acquisition ticket, all tickets of the default talk period got can be stored in the scratchpad area (SPA) of communication monitoring device.
By the call-information associating many tickets, communication monitoring device can judge whether the call indicated by every bar ticket is MPTY after obtaining ticket one by one.Terminal often occurs once to converse, and charging center is by generation ticket, and have recorded the call-information of terminal this time call in this ticket, ticket comprises: call start time, clearing time, the duration of call, calling number, called number.
When terminal there occurs double-talk, charging center produces a call ticket; When terminal there occurs Three-Way Calling or MPTY, charging center can produce two or more pieces call ticket.Such as, after the terminal being A when number is infracting by virus, termination number A calls out called number B, and illegal monitoring number is Q, then, after A calls out B, A has initiated calling to Q in unwitting situation, and A, B and Q there occurs Three-Way Calling.After this end of conversation, for A, charging center produces two tickets, and the call-information that Article 1 ticket comprises is: call start time T1, clearing time T2, duration of call T3, calling number A, called number B; The call-information of Article 2 ticket is: call start time T4, clearing time T5, duration of call T6, calling number A, called number Q.Because be Three-Way Calling, therefore the air time section in the call-information that comprises of these two tickets is overlapping.Therefore by the call-information of association many tickets, communication monitoring device can judge whether the call indicated by every bar ticket is MPTY one by one.The method is equally applicable to calling number B calling called number A, afterwards number A and calls out again the situation of the MPTY of called number C.
In a preferred embodiment, if communication monitoring device judges that a certain call is MPTY, can the call-information in the ticket of this MPTY of instruction be stored in the MPTY database of communication monitoring device, wherein call-information comprises call start time, clearing time, calling number, called number and third party's number, MPTY database is for storing the MPTY information of user in section sometime, this time period is preset by communication monitoring device, is preferably set to six months.
Step S102, the first ratio described in the call of the default talk times of acquisition shared by MPTY;
Described default talk times refers to, sample number that preset, the required reference when calculating the first ratio, the terminal call number of times namely preset.After the ticket of communication monitoring device to default talk period judges one by one, according to judged result and the default talk times of MPTY, calculate the ratio that MPTY accounts for default talk times, i.e. the first ratio.Such as hypothesis presets talk times is 100 times.It is 120 times that communication monitoring device obtains the total talk times of terminal A in default talk period, and front is for 20 times double-talk, and rear is for 100 times Three-Way Calling, and before these 120 times calls, MPTY ratio is 0%.The ticket of communication monitoring device to these 120 times calls judges one by one, when judging to proceed to the 20th call, show that the ratio of terminal A MPTY is 0%; When judging to proceed to the 100th call, showing that the ratio of terminal A MPTY is 80%, when judging to proceed to the 120th call, showing that the ratio of terminal A MPTY is 100%.
In a preferred embodiment, calculate the first ratio by exponentially weighted moving average (EWMA) value (EWMA), circular is:
EWMA (t)=λ X+ (1-λ) EWMA (t-1), wherein λ is weighting parameters, value is the inverse of default talk times, X represents the judged result of this call, if for MPTY X value is 1, otherwise X value is 0, EWMA (1) gets arbitrary value.It can thus be appreciated that result of calculation when EWMA (t) is the t time call, EWMA (t-1) is result of calculation during t-1 call, when t is more than or equal to default talk times, EWMA (t) is namely approximately MPTY proportion in the call of default talk times.
Step S104, judges whether described first ratio is greater than default first threshold value, if then perform step S106, then this flow process terminates if not;
Step S106, calculates the repetition rate of other numbers preset in MPTY number of times except the number of described terminal;
Communication monitoring device is according to the first ratio and preset the first threshold value, judges whether the first ratio is greater than default first threshold value.Presetting the first threshold value is in the call of default talk times, the threshold value of MPTY proportion.If the first ratio is greater than default first threshold value, then communication monitoring device obtains the call-information that terminal presets MPTY number of times from local MPTY database, calculates the repetition rate of other numbers preset in MPTY number of times except the number of terminal further.Preset MPTY number of times to refer to, the number of times of the MPTY that the needs preset obtain from local MPTY database.Other numbers refer to the number except termination number, suppose that termination number is the calling number in the call-information of MPTY, then other numbers are called number and third party's number.
Wherein, the frequency that occurs in default MPTY number of times for the number except termination number of the repetition rate of other numbers.
Such as, the first ratio of terminal A MPTY is 80%, and presetting the first threshold value is that the 50%, first ratio is greater than default first threshold value.Presetting MPTY number of times is 50 times, calculates in 50 MPTYs of terminal A further, the repetition rate of other numbers except number A.Assuming that termination number A is in nearest 50 MPTYs, converse with B, C, D, E respectively, wherein illegally monitor the call that number Q has monitored A and B, C, D, E, then the repetition rate calculating other numbers is the frequency that calculating B, C, D, E, Q occur in nearest 50 MPTYs.
It should be noted that, the repetition rate of other numbers can by add up and the multiple computational methods such as sequence obtain.
Step S108, judge whether the maximum in the repetition rate of other numbers described is greater than default second threshold value, if then perform step S110, then this flow process terminates if not;
Step S110, judges that the call of described terminal is monitored.
Obtain the repetition rate of other numbers in default MPTY number of times and get maximum, judging whether the maximum of the repetition rate of other numbers is greater than default second threshold value.Preset the threshold value that the second threshold value is the maximum of other number repetition rates preset, if exceed this threshold value, illustrate that the call-information of this terminal is illegally listened.
In the technical scheme of the present embodiment, communication monitoring device presets many tickets of talk period by associated terminal, judge to show whether terminal MPTY occurs, and according to the call-information of MPTY, whether the MPTY behavior of statistical analysis terminal meets the rule of conduct preset, if meet, illustrate that this terminal has probably infected illegal monitoring viroid, because no matter which kind of is viral, terminal is after being illegally listened, its message accounting behavior is all become most MPTY by the most double-talk of script, as long as therefore the message accounting behavior of terminal meets default rule of conduct, can judge that this terminal has infected illegal monitoring virus.No matter in the future how virus makes a variation; the message accounting behavior of terminal after poisoning is all identical; therefore various existing and newborn illegal monitoring viroid can be tackled in time by the communication monitoring device of core-network side; eliminate the attack window on the zero that antivirus program cannot be eliminated, thus the call-information of effective protection user.
Fig. 2 is communication monitoring method second embodiment flow chart of the present invention, and the executive agent of the present embodiment is communication monitoring device, and as shown in Figure 2, the method comprises:
Step S200, obtains the communication monitoring request message of the carried terminal mark that described terminal sends;
Step S202, according to described terminal iidentification, judges whether described terminal is legal terminal; If then enter step S204, then refuse the communication monitoring request of this terminal if not, flow process terminates;
Step S204, obtains the ticket that terminal presets talk period;
Step S206, obtains the call start time in each described ticket and clearing time;
Step S208, associate many tickets, judge that whether the call start time in multiple described ticket is overlapping to the time period of clearing time, if then the call of described terminal is described MPTY, obtain the first ratio shared by MPTY described in described default talk times;
Step S210, judges whether described first ratio is greater than default first threshold value; If then enter step S212, this flow process terminates if not;
Step S212, calculates the repetition rate of other numbers preset in MPTY number of times except the number of described terminal;
Step S214, judges whether the maximum in the repetition rate of other numbers described is greater than default second threshold value; If then enter step S216, this flow process terminates if not;
Step S216, sends Communications Monitoring Report to described terminal, and Communications Monitoring Report comprises the monitored information of call.
Particularly; the communication monitoring device of terminal to apply core-network side is protected its talking state; communication monitoring device obtains the communication monitoring request message of the carried terminal mark that terminal sends; judge that whether this terminal is for take part in the legal terminal of the communication monitoring protection service that operator provides according to terminal iidentification, wherein terminal iidentification can be the phone number of terminal.If legal terminal then provides communication monitoring to protect service to this terminal, then refuse the communication monitoring request of this terminal if not.
Communication monitoring device sends the request message of the ticket obtained in the nearest default talk period of terminal to charging center, and carried terminal mark in request message, charging center returns the ticket of this terminal at default talk period according to terminal iidentification.Because terminal often occurs once to converse, namely charging center produces a ticket, and therefore the default talk period of hypothesis comprises N bar ticket.Communication monitoring device by associate many tickets call-information method, one by one to every bar ticket carry out analysiss judgement.Double-talk produces a ticket in charging center; And MPTY produces two even many tickets in charging center, ticket comprises: call start time, the clearing time.
Communication monitoring device also judges whether the call indicated by every bar ticket is MPTY one by one by association many tickets.If the call start time that such as there are two tickets is overlapping to the time period of clearing time, then judge that the call of this terminal is MPTY.Such as, after the terminal being A when number is infracting by virus, termination number A calls out called number B, and illegal monitoring number is Q, then, after A calls out B, A has initiated calling to Q in unwitting situation, and A, B and Q there occurs Three-Way Calling.After this end of conversation, charging center produces two tickets.Article 1, ticket comprises: call start time T1, clearing time T2, duration of call T3, calling number A, called number B; Article 2 ticket comprises: call start time T4, clearing time T5, duration of call T6, calling number A, called number Q; Because be Three-Way Calling, therefore the air time section in the call-information that comprises of these two tickets is overlapping.Therefore communication monitoring device by association many tickets can judge whether the call indicated by every bar ticket is MPTY one by one.The method is equally applicable to calling number B calling called number A, afterwards number A and calls out again the situation of the MPTY of called number C.If judge, call indicated by certain ticket is as MPTY, be then stored in the call-information of this ticket in the MPTY database of communication monitoring device this locality.
After the ticket of communication monitoring device to default talk period judges one by one, according to judged result and the default talk times of MPTY, calculate the ratio that MPTY accounts for default talk times, i.e. the first ratio.Judge whether the first ratio is greater than default first threshold value.If the first ratio is greater than default first threshold value, then communication monitoring device obtains the ticket that terminal presets MPTY number of times from MPTY database, calculates the repetition rate of other numbers preset in MPTY number of times except the number of terminal further.Obtain the repetition rate of other numbers in default MPTY number of times and get maximum, judging whether the maximum in the repetition rate of other numbers is greater than default second threshold value.If then judge that this terminal has infected illegal monitoring viroid, send Communications Monitoring Report to this terminal, Communications Monitoring Report comprises the monitored information of call.
Further, after this terminal of judgement is monitored, forbid that this terminal enables MPTY, thus it is monitored to stop this terminal.
Such as, after communication monitoring device obtains the ticket of the N bar call presetting talk period, every bar ticket is judged one by one, the first ratio is calculated by exponentially weighted moving average (EWMA) value (EWMA), circular is: EWMA (t)=λ X+ (1-λ) EWMA (t-1), wherein hypothesis presets talk times is 100 times, then λ is the inverse of total talk times, namely 0.01.Suppose that the first ratio is 80%, be greater than default first threshold value 50%, calculate further the repetition rate presetting other numbers in MPTY number of times 50 times.First one by one travel through the MPTY of 50 times, when suppose to traverse first time MPTY, other numbers Q first time occurs, sets up an array in addition record, is designated as (Q, 1), represents number Q appearance once; Other numbers B first time occurs, upgrading array is (Q, 1; B, 1), represent that number B also occurs once.Continue successively to traverse second time MPTY, suppose that other numbers except termination number are Q and C, then upgrading array is (Q, 2; B, 1; C, 1), represent that number Q occurs that twice, number B occurs once, number C occurs once.The like the traversal MPTY of 50 times, finally, the occurrence number of other numbers is sorted, supposes that obtaining the maximum Q of occurrence number occurs 40 times altogether.Abandon the ranking results of the number except Q, obtain (Q, 40), represent that number Q occurs 40 times, i.e. maximum in the repetition rate of other numbers is 80%.
It should be noted that, the repetition rate of other numbers can be obtained by multiple statistics and sequence computational methods.
Further, the number that the maximum in the repetition rate of other numbers described in comprising in monitored information of conversing is corresponding.
Further, if the first ratio is not more than default first threshold value, or the maximum in the repetition rate of other numbers is not more than default second threshold value, then regular to the not monitored monitoring report of terminal transmission.
Further, not monitored Communications Monitoring Report comprises the first ratio of MPTY and/or other numbers corresponding to number repetition rate maximum.
It should be noted that, when communication monitoring device judges that terminal is monitored or not monitored, communication monitoring device can to measurement and charging rule functions (Policy And Charging Rules Function, be called for short PCRF) server interaction, transmission implementation strategy is reported, PCRF sends implementation strategy according to implementation strategy report to terminal.Such as, if this terminal that judges communication monitoring device has infected illegal monitoring viroid, then send implementation strategy report to PCRF, PCRF sends implementation strategy to terminal, wherein implementation strategy includes but not limited to send Communications Monitoring Report by the mode of note or mail to terminal, wherein can comprise the monitored information of call in Communications Monitoring Report; If judge, this terminal has not infected illegal monitoring viroid, can also send not monitored monitoring report to terminal.
In the technical scheme of the present embodiment, communication monitoring device presets many tickets of talk period by associated terminal, judge to show whether terminal MPTY occurs, and according to the call-information of MPTY, whether the MPTY behavior of statistical analysis terminal meets the rule of conduct preset, if meet, illustrate that this terminal has probably infected illegal monitoring viroid, because no matter which kind of is viral, terminal is after being illegally listened, its message accounting behavior is all become most MPTY by the most double-talk of script, as long as therefore the message accounting behavior of terminal meets default rule of conduct, can judge that this terminal has infected illegal monitoring virus.No matter in the future how virus makes a variation; the message accounting behavior of terminal after poisoning is all identical; therefore various existing and newborn illegal monitoring viroid can be tackled in time by the communication monitoring device of core-network side; eliminate the attack window on the zero that antivirus program cannot be eliminated; thus the call-information of effective protection user; and technical scheme is simple, cost is lower, is easy to later maintenance.
Fig. 3 is communication monitoring device first example structure schematic diagram of the present invention, and as shown in Figure 3, this device comprises: the first processing module 10, presets all tickets of talk period for obtaining terminal, judges whether the call indicated by every bar ticket is MPTY; Second processing module 12, for obtaining the first ratio described in the call in described default talk times shared by MPTY; 3rd processing module 14, judges whether described first ratio is greater than default first threshold value, if then calculate the repetition rate of other numbers preset in MPTY number of times except the number of described terminal; 4th processing module 16, judges whether the maximum in the repetition rate of other numbers described is greater than default second threshold value, if then judge that the call of described terminal is monitored.
Particularly, first processing module 10 is initiated to charging center to obtain the request that terminal presets the ticket of talk period, charging center returns ticket to the first processing module 10, judged result by the call-information of association many tickets, judge whether the call indicated by every bar ticket is MPTY one by one, and is sent to the second processing module 12 by the first processing module 10.Second processing module 12 obtains the judged result of the first processing module 10, and calculates the ratio in the call presetting talk times shared by MPTY, i.e. the first ratio.And this first ratio is sent to the 3rd processing module 14, after 3rd processing module 14 obtains the first ratio, judge whether the first ratio is greater than default first threshold value, if then calculate the repetition rate of other numbers preset in MPTY number of times except the number of described terminal, and the maximum in the repetition rate of other numbers is sent to the 4th processing module 16,4th processing module 16 judges whether the maximum in the repetition rate of other numbers is greater than default second threshold value, if then judge that the call of this terminal is monitored.
Wherein, the frequency that occurs in default MPTY number of times for the number except termination number of the repetition rate of other numbers.
The communication monitoring method that the communication monitoring device that various embodiments of the present invention provide provides for performing the embodiment of the present invention, possesses corresponding functional module.
It should be noted that, because namely charging center produces the ticket of terminal this call after terminal call terminates, therefore the first processing module 10 can the ticket of Real-time Obtaining terminal, also can timing acquisition ticket.When timing acquisition ticket, need the scratchpad area (SPA) all tickets of the default talk period got being stored in communication monitoring device.
In a preferred embodiment, if the first processing module 10 judges that a certain call is MPTY, can the information of this MPTY be stored in the MPTY database of communication monitoring device, MPTY database is for storing the call-information of user at the MPTY of section sometime, this time period is preset by communication monitoring device, is preferably set to six months.
In a preferred embodiment, calculate the first ratio by exponentially weighted moving average (EWMA) value (EWMA), circular is:
EWMA (t)=λ X+ (1-λ) EWMA (t-1), wherein λ is weighting parameters, value is the inverse of default talk times, X represents the judged result of this call, if for MPTY X value is 1, otherwise X value is 0, EWMA (1) gets arbitrary value.It can thus be appreciated that result of calculation when EWMA (t) is the t time call, EWMA (t-1) is result of calculation during t-1 call, when t is more than or equal to default talk times, EWMA (t) is namely approximately MPTY proportion in the call of default talk times.
It should be noted that, the repetition rate of other numbers can by add up and the multiple computational methods such as sequence obtain.
Further, Fig. 4 is communication monitoring device second example structure schematic diagram of the present invention, as shown in Figure 4, communication monitoring device also comprises Executive Module 18, Executive Module 18 comprises the first performance element 181, for sending Communications Monitoring Report to terminal, described Communications Monitoring Report comprises the monitored information of call.
Further, the number that maximum in the repetition rate of other numbers is corresponding is comprised in monitored information of conversing.
Further, Executive Module 18 also comprises the second performance element 182, for being not more than default first threshold value when the first ratio, or when the maximum in the repetition rate of other numbers is not more than default second threshold value, regularly sends not monitored monitoring report to terminal.
Further, not monitored Communications Monitoring Report comprises the first ratio of MPTY and/or other numbers corresponding to number repetition rate maximum.
Further, Executive Module 18 can also by the measurement in the second interface unit and core net and charging rule functions (Policy And Charging Rules Function, being called for short PCRF) server carries out alternately, when judging that terminal is monitored or not monitored, second interface unit sends implementation strategy report, and PCRF sends implementation strategy according to implementation strategy report to terminal.Such as, if this terminal that judges communication monitoring device has infected illegal monitoring viroid, then send implementation strategy report to PCRF by the second interface unit, PCRF sends implementation strategy to terminal, wherein implementation strategy includes but not limited to send Communications Monitoring Report by the mode of note or mail to terminal, wherein can comprise the monitored information of call in Communications Monitoring Report; If judge, this terminal does not infect illegally monitors viroid, can also send not monitored monitoring report to terminal.
In the technical scheme of the present embodiment, communication monitoring device presets the ticket of talk period by terminal, judge to show whether terminal MPTY occurs, and according to the call-information of MPTY, whether the MPTY behavior of statistical analysis terminal meets the rule of conduct preset, if meet, illustrate that this terminal has probably infected illegal monitoring viroid, because no matter which kind of is viral, terminal is after being illegally listened, its message accounting behavior is all become most MPTY by the most double-talk of script, as long as therefore the message accounting behavior of terminal meets default rule of conduct, can judge that this terminal has infected illegal monitoring virus.No matter in the future how virus makes a variation; the message accounting behavior of terminal after poisoning is all identical; therefore various existing and newborn illegal monitoring viroid can be tackled in time by the communication monitoring device of core-network side; eliminate the attack window on the zero that antivirus program cannot be eliminated; thus the call-information of effective protection user; and technical scheme is simple, cost is lower, is easy to later maintenance.
Fig. 5 is communication monitoring device the 3rd example structure schematic diagram of the present invention, as shown in Figure 5, this device comprises: the first processing module 20, second processing module 21,3rd processing module 22, and the 4th processing module 23, wherein the first processing module 20 comprises the first acquiring unit 201, first judging unit 202, first interface unit 203.
Second processing module the 21, three processing module 22, and the functional realiey mode of the 4th processing module 23 is see above-described embodiment, repeats no more herein.
Wherein the first acquiring unit 201, for obtaining the communication monitoring request message of the carried terminal mark that described terminal sends; First judging unit 202, for according to described terminal iidentification, judges whether described terminal is legal terminal; First interface unit 203, if be described legal terminal for described terminal, then obtains the ticket that described terminal presets talk period from charging center.
Further, the first processing module 20 also comprises second acquisition unit 204 and the second judging unit 205, wherein second acquisition unit 204, for obtaining call start time in each described ticket and clearing time; For associating, second judging unit 205, judges that the call start time in multiple described ticket is overlapping to the time period of clearing time, if then the call of described terminal is described MPTY.
Particularly, the first acquiring unit 201 obtains the communication monitoring request message of the carried terminal mark that terminal sends, and transmitting terminal mark is to the first judging unit 202; According to terminal iidentification, first judging unit 202 judges that whether this terminal is for take part in the legal terminal of the communication monitoring protection service that operator provides; wherein terminal iidentification can be the phone number of terminal; if this terminal belongs to legal terminal; then notify that first interface unit 203 sends this terminal of acquisition and presets the request message of the ticket in talk period to charging center; carried terminal mark in request message, charging center returns the ticket of this terminal at default talk period to first interface unit 203 according to terminal iidentification.
Second acquisition unit 204 receives the ticket of the default talk period that first interface unit 203 sends, and because terminal often occurs once to converse, namely charging center produces a ticket, and therefore the default talk period of hypothesis comprises N bar ticket.Second judging unit 205 carries out analysis to every bar ticket one by one and judges.Double-talk produces a ticket, and MPTY can produce the ticket of two or more pieces, and ticket comprises: call start time, the clearing time.Second judging unit 205, by associating many tickets, checking that whether the call start time in many tickets is overlapping to the time period of clearing time, can judge whether the call indicated by every bar ticket is MPTY one by one.
The communication monitoring method that the communication monitoring device that various embodiments of the present invention provide provides for performing the embodiment of the present invention, possesses corresponding functional module.
In a preferred embodiment, calculate the first ratio by exponentially weighted moving average (EWMA) value (EWMA), circular is:
EWMA (t)=λ X+ (1-λ) EWMA (t-1), wherein λ is weighting parameters, value is the inverse of default talk times, X represents the judged result of this call, if for MPTY X value is 1, otherwise X value is 0, EWMA (1) gets arbitrary value.It can thus be appreciated that result of calculation when EWMA (t) is the t time call, EWMA (t-1) is result of calculation during t-1 call, when t is more than or equal to default talk times, EWMA (t) is namely approximately MPTY proportion in the call of default talk times.
It should be noted that, the repetition rate of other numbers can by add up and the multiple computational methods such as sequence obtain.
Further, communication monitoring device also comprises Executive Module 24, and Executive Module 24 comprises the first performance element 241, and for sending Communications Monitoring Report to terminal, described Communications Monitoring Report comprises the monitored information of call.
Further, the number that maximum in the repetition rate of other numbers is corresponding is comprised in monitored information of conversing.
Further, Executive Module 24 also comprises the second performance element 242, for being not more than default first threshold value when the first ratio, or when the maximum in the repetition rate of other numbers is not more than default second threshold value, regularly sends not monitored monitoring report to terminal.
Further, not monitored Communications Monitoring Report comprises the first ratio of MPTY and/or other numbers corresponding to number repetition rate maximum.
Further, Executive Module 24 also can by the measurement in the second interface unit and core net and charging rule functions (Policy And Charging Rules Function, being called for short PCRF) server carries out alternately, when judging that terminal is monitored or not monitored, second interface unit sends implementation strategy report, and PCRF sends implementation strategy according to implementation strategy report to terminal.Such as, if this terminal that judges communication monitoring device has infected illegal monitoring viroid, then send implementation strategy report to PCRF by the second interface unit, PCRF sends implementation strategy to terminal, wherein implementation strategy includes but not limited to send Communications Monitoring Report by the mode of note or mail to terminal, wherein can comprise the monitored information of call in Communications Monitoring Report; If judge, this terminal does not infect illegally monitors viroid, can also send not monitored monitoring report to terminal.
In the technical scheme of the present embodiment, communication monitoring device presets the ticket of talk period by terminal, judge to show whether terminal MPTY occurs, and according to the call-information of MPTY, whether the MPTY behavior of statistical analysis terminal meets the rule of conduct preset, if meet, illustrate that this terminal has probably infected illegal monitoring viroid, because no matter which kind of is viral, terminal is after being illegally listened, its message accounting behavior is all become most MPTY by the most double-talk of script, as long as therefore the message accounting behavior of terminal meets default rule of conduct, can judge that this terminal has infected illegal monitoring virus.No matter in the future how virus makes a variation; the message accounting behavior of terminal after poisoning is all identical; therefore various existing and newborn illegal monitoring viroid can be tackled in time by the communication monitoring device of core-network side; eliminate the attack window on the zero that antivirus program cannot be eliminated; thus the call-information of effective protection user; and technical scheme is simple, cost is lower, is easy to later maintenance.
Fig. 6 is communication monitoring device the 4th example structure schematic diagram of the present invention, and as shown in Figure 6, this device comprises: the first processing module 30, second processing module the 31, three processing module the 32, four processing module 33, and scratchpad area (SPA) 34.
First processing module 30, second processing module the 31, three processing module 32, and the functional realiey mode of the 4th processing module 33 is see above-described embodiment, repeats no more herein.
In a preferred embodiment, communication monitoring device also comprises scratchpad area (SPA) 34, and this terminal got for storing the first processing module 30 presets the ticket of talk period.Because namely charging center produces the ticket of terminal this call after terminal call terminates, therefore the first processing module 30 can the ticket of Real-time Obtaining terminal; Also can timing acquisition ticket.When timing acquisition ticket, the ticket of the default talk period got is stored in scratchpad area (SPA) 34 by the first processing module 30, and the first processing module 30 obtains every bar ticket and carries out association analysis and judges that the call of described terminal is described MPTY from scratchpad area (SPA) 34.
In a preferred embodiment, communication monitoring device also comprises MPTY database 35, if the first processing module 30 judges that a certain call is MPTY, can the call-information of this MPTY be stored in the MPTY database 35 of communication monitoring device, MPTY database 35 is for storing the MPTY information of user in section sometime, this time period is preset by communication monitoring device, is preferably set to six months.
In the technical scheme of the present embodiment, communication monitoring device presets the ticket of talk period by terminal, judge to show whether terminal MPTY occurs, and according to the call-information of MPTY, whether the MPTY behavior of statistical analysis terminal meets the rule of conduct preset, if meet, illustrate that this terminal has probably infected illegal monitoring viroid, because no matter which kind of is viral, terminal is after being illegally listened, its message accounting behavior is all become most MPTY by the most double-talk of script, as long as therefore the message accounting behavior of terminal meets default rule of conduct, can judge that this terminal has infected illegal monitoring virus.No matter in the future how virus makes a variation; the message accounting behavior of terminal after poisoning is all identical; therefore various existing and newborn illegal monitoring viroid can be tackled in time by the communication monitoring device of core-network side; eliminate the attack window on the zero that antivirus program cannot be eliminated; thus the call-information of effective protection user; and technical scheme is simple, cost is lower, is easy to later maintenance.
One of ordinary skill in the art will appreciate that: all or part of step realizing above-mentioned each embodiment of the method can have been come by the hardware that program command is relevant.Aforesaid program can be stored in a computer read/write memory medium.This program, when performing, performs the step comprising above-mentioned each embodiment of the method; And aforesaid storage medium comprises: ROM, RAM, magnetic disc or CD etc. various can be program code stored medium.
Last it is noted that above each embodiment is only in order to illustrate the technical scheme of the application, be not intended to limit; Although with reference to foregoing embodiments to present application has been detailed description, those of ordinary skill in the art is to be understood that: it still can be modified to the technical scheme described in foregoing embodiments, or carries out equivalent replacement to wherein some or all of technical characteristic; And these amendments or replacement, do not make the essence of appropriate technical solution depart from the scope of each embodiment technical scheme of the application.
Claims (8)
1. a communication monitoring method, is characterized in that, comprising:
Acquisition terminal presets the ticket in talk period, and judge whether the call indicated by every bar ticket is MPTY, described ticket comprises call start time and clearing time;
The first ratio described in the call of the default talk times of acquisition shared by MPTY;
Judge whether described first ratio is greater than default first threshold value, if then calculate the repetition rate of other numbers preset in MPTY number of times except the number of described terminal;
Judge whether the maximum in the repetition rate of other numbers described is greater than default second threshold value, if then judge that the call of described terminal is monitored;
Describedly judge whether the call indicated by every bar ticket is MPTY, comprising:
Obtain the call start time in each described ticket and clearing time;
Judge that whether the call start time of multiple described ticket is overlapping to the time period of clearing time, if then the call of described terminal is described MPTY.
2. method according to claim 1, is characterized in that, described acquisition terminal presets the ticket in talk period, comprising:
Obtain the communication monitoring request message of the carried terminal mark that described terminal sends;
According to described terminal iidentification, judge whether described terminal is legal terminal, if then obtain described terminal to preset ticket in talk period.
3. the method according to the arbitrary claim of claim 1 ~ 2, is characterized in that, after the call of the described terminal of described judgement is monitored, also comprises:
Send Communications Monitoring Report to described terminal, described Communications Monitoring Report comprises the monitored information of call.
4. method according to claim 3, is characterized in that, the number that the maximum in the repetition rate of other numbers described in comprising in the monitored information of described call is corresponding.
5. a communication monitoring device, is characterized in that, comprising:
First processing module, preset ticket in talk period for obtaining terminal, judge whether the call indicated by every bar ticket is MPTY, described ticket comprises call start time and clearing time;
Second processing module, for obtain default talk times call described in the first ratio shared by MPTY;
3rd processing module, for judging whether described first ratio is greater than default first threshold value, if then calculate the repetition rate of other numbers preset in MPTY number of times except the number of described terminal;
4th processing module, for judging whether the maximum in the repetition rate of other numbers described is greater than default second threshold value, if then judge that the call of described terminal is monitored,
Described first processing module, comprising:
Second acquisition unit, for obtaining call start time in each described ticket and clearing time;
Second judging unit, whether the time period for the call start time to clearing time that judge multiple described ticket is overlapping, if then the call of described terminal is described MPTY.
6. device according to claim 5, is characterized in that, described first processing module, comprising:
First acquiring unit, for obtaining the communication monitoring request message of the carried terminal mark that described terminal sends;
First judging unit, for according to described terminal iidentification, judges whether described terminal is legal terminal;
First interface unit, if judge that described terminal is described legal terminal for described first judging unit, then obtains the ticket in default talk period described in described terminal.
7. the device according to the arbitrary claim of claim 5 ~ 6, is characterized in that, described communication monitoring device, also comprises:
Executive Module, for sending Communications Monitoring Report to described terminal, described Communications Monitoring Report comprises the monitored information of call.
8. device according to claim 6, is characterized in that, the number that the maximum in the repetition rate of other numbers described in comprising in the monitored information of described call is corresponding.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210268846.4A CN102833738B (en) | 2012-07-30 | 2012-07-30 | Method and device for communication monitoring |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210268846.4A CN102833738B (en) | 2012-07-30 | 2012-07-30 | Method and device for communication monitoring |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102833738A CN102833738A (en) | 2012-12-19 |
| CN102833738B true CN102833738B (en) | 2015-05-20 |
Family
ID=47336646
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210268846.4A Active CN102833738B (en) | 2012-07-30 | 2012-07-30 | Method and device for communication monitoring |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102833738B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104735671B (en) * | 2015-02-27 | 2018-11-09 | 腾讯科技(深圳)有限公司 | A kind of method and apparatus of identification malicious call |
| CN106681850B (en) * | 2016-12-06 | 2019-11-26 | 北京中交兴路信息科技有限公司 | A kind of vehicle model method of calibration and device |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1926335A1 (en) * | 2005-08-30 | 2008-05-28 | Matsushita Electric Industrial Co., Ltd. | Wireless device monitoring system |
| CN102055853A (en) * | 2009-11-04 | 2011-05-11 | 中兴通讯股份有限公司 | Monitoring system and analysis and supervision method thereof |
-
2012
- 2012-07-30 CN CN201210268846.4A patent/CN102833738B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1926335A1 (en) * | 2005-08-30 | 2008-05-28 | Matsushita Electric Industrial Co., Ltd. | Wireless device monitoring system |
| CN102055853A (en) * | 2009-11-04 | 2011-05-11 | 中兴通讯股份有限公司 | Monitoring system and analysis and supervision method thereof |
Non-Patent Citations (1)
| Title |
|---|
| admin.《"X卧底"实时监听手机通话 其实是手机病毒》.《都市快报》.2011,第1-3页. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102833738A (en) | 2012-12-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2701689C (en) | System and method of malware sample collection on mobile networks | |
| WO2016197675A1 (en) | Method and apparatus for identifying crank call | |
| RU2510982C2 (en) | User evaluation system and method for message filtering | |
| US8122499B2 (en) | Network security apparatus and method | |
| CN102209326B (en) | Malicious behavior detection method and system based on smartphone radio interface layer | |
| JP5547289B2 (en) | Method and apparatus for detecting fraud in a telecommunications network | |
| CN105959250A (en) | Network attack black list management method and device | |
| CN101150586A (en) | CC attack prevention method and device | |
| CN102404741B (en) | Method and device for detecting abnormal online of mobile terminal | |
| CN109168168B (en) | Method for detecting international embezzlement | |
| WO2016197646A1 (en) | Method and device for monitoring crank call | |
| US6570968B1 (en) | Alert suppression in a telecommunications fraud control system | |
| CN102231888A (en) | Monitoring method and device | |
| CN108737622A (en) | Monitoring method of conversing and device | |
| CN108271158A (en) | Call processing method and system | |
| CN106911675A (en) | A kind of mobile phone Malware method for early warning and device | |
| CN102833738B (en) | Method and device for communication monitoring | |
| CN101917309A (en) | Detection method of denial of service of public service number under soft switching platform | |
| Van Ruitenbeek et al. | Quantifying the effectiveness of mobile phone virus response mechanisms | |
| KR20170006158A (en) | System and method for detecting fraud usage of message | |
| WO2012113191A1 (en) | Method and device for monitoring short messages | |
| CN102111723A (en) | Method for identifying spam short message user by analyzing short message frequency and content | |
| CN104581729B (en) | Junk information processing method and device | |
| CN101917445B (en) | Method for detecting denial of service attack of number segment in soft switching platform | |
| CN102231874A (en) | Short message processing method, device and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |