CN102882748A - Network access detection system and network access detection method - Google Patents
Network access detection system and network access detection method Download PDFInfo
- Publication number
- CN102882748A CN102882748A CN2012104060553A CN201210406055A CN102882748A CN 102882748 A CN102882748 A CN 102882748A CN 2012104060553 A CN2012104060553 A CN 2012104060553A CN 201210406055 A CN201210406055 A CN 201210406055A CN 102882748 A CN102882748 A CN 102882748A
- Authority
- CN
- China
- Prior art keywords
- network
- host
- user
- module
- packet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention provides a network access detection system which comprises a data packet acquisition module, a message extraction module, a field extraction processing module and a host quantity determining module. The data packet acquisition module acquires data packets in a network; the message extraction module extracts HTTP (hypertext transport protocol) messages in the data packets; the field extraction module extracts and records values of user agent fields in the HTTP protocol messages; the host quantity determining module is used for comparing the record values of the user agent fields and determining quantity of hosts required to access to the network according to the comparison results. Correspondingly, the invention provides a network access detection method. By the network access detection system and the network access detection method, whether users are in sharing internet through multiple computers or not can be detected, sharing access detection precision can be improved effectively, detection evasion of some hosts by technical means such as breaking IPID (interface point identifier) contract rules and orders or dispersing the IPID is avoided, and further failure in detection of sharing access is avoided.
Description
Technical field
The present invention relates to Internet technical field, in particular to a kind of network insertion detection system and network insertion detection method.
Background technology
At present, because the mode of duration based accounting rather than charge on traffic is mainly still adopted in the charging of the Internet broadband access service.Some people utilizes this leak of operator, often allows enterprise or black Internet bar use with one's own name application broadband, and perhaps several families share the broadband share the expenses, and this has caused huge losses of revenues to operator.Because the historical reasons of IP Protocol Design itself, can reflect directly to share in the local area network (LAN) under the same IP address that without any a standard or agreement how many platform computers are arranged, the detection method that present industry is generally used has following several:
The IPID sign is arranged in the IP message, and this sign from 0 to 65535 of every machine circulates, and is to increase progressively ordered series of numbers, and router, NAT and most acting server all can not revised this sign, therefore can judge whether according to the continuity of this sign it is same machine.But be with the difficulty that the method is judged, continuity can seem very chaotic when the machine number of units was more, can cause the difficulty accurately calculated very large.In addition, some machine has infected virus and worm, also can cause the supernormal growth of IPID value, also can cause difficulty in computation to become large.Therefore need complicated and efficient algorithm to restore truth.
Method one draws a straight line the message that every machine sends as far as possible according to this principle exactly, and every straight line represents a machine;
The method two principle is the same, but algorithm is different, is not to be reduced into straight line, but is reduced into discrete array, and each array represents a machine;
Method three is according to the TCP sequence number, part TCP message also has the sequence number that increases progressively with system time, router, NAT and acting server all can not be revised this sign, otherwise message lost efficacy, the message that also can as far as possible every machine be sent draws a straight line, and every straight line represents a machine;
The SNMP scanning method, scan to detect by at access device Modem implantation SNMP scanning imaging system subscriber's main station being carried out SNMP whether the shared online of many machines is arranged, because very easily the user configures to evade by revising Modem, and the scanning subscriber's main station also can cause the user to be discovered and is discontented with, substantially superseded at present;
MAC Address is obtained method, can only be deployed in Access Layer, by in the Access Layer large scale deployment, whether statistics has a plurality of MAC Address to use the situation of identical ip addresses online in network packet, this method is invalid for the NAT/Proxy proxy surfing, and the situation to a plurality of network interface cards of main frame can produce wrong report, and is also substantially superseded at present;
The TTL analytic approach, also can only be deployed in Access Layer, judge whether the Multi-computer Sharing access by the TTL numerical value difference in the analyzing IP message, because the type of destination server network application is different, ttl value can change, and therefore this method only has certain effect under some particular case, even TTL is inconsistent, also not necessarily share the Internet user, the situation for the Proxy proxy surfing also can lose efficacy simultaneously, and is therefore also substantially superseded at present.
Therefore, need a kind of new technical scheme, the accuracy that can the Effective Raise shared access detects, can avoid simultaneously some main frame by upsetting IPID the rule of giving out a contract for a project, order or disperse the technological means of IPID to escape detection, cause can't detect the situation of shared access.
Summary of the invention
Technical problem to be solved by this invention is, a kind of new technical scheme is provided, the accuracy that can the Effective Raise shared access detects, can avoid simultaneously some main frame to detect by the rule of giving out a contract for a project, the order of upsetting IPID or the technological means escape that disperses IPID, cause can't detect the situation of shared access.
In view of this, the invention provides a kind of network insertion detection system, comprising: packet capture module, the packet in the collection network; The message extraction module extracts the http protocol message in the described packet; The value of user agent's field in the described http protocol message is extracted and recorded to field extraction process module; The number of host determination module, the value of user agent's field that contrast has been recorded is according to the number of host in the described network of the definite access of comparing result.
Use the technical program, HTTP packet in the collection network, by reduction and the analysis to user agent's field in the HTTP packet, obtain the key messages such as operating system sign, browser version, render engine, and then by the comprehensive study of the comparison of these key messages and self-consistentency, number of types is judged, can detect the quantity of sharing the computer of online.
In technique scheme, preferably, described packet capture module gathers the packet from the specific user from described network; Described number of host determination module determines that the specific user accesses the number of host of described network.
Use the technical program, can some specific user's network insertion situation be detected, thereby judge whether it uses many computers to share online, and operator can take corresponding control strategy according to testing result, avoid broadband access operation charge to run off.
In technique scheme, preferably, also comprise: logger module, judge that whether described specific user accesses the number of host of described network above predetermined threshold, and in judged result when being, described specific user's information and the number of host of the described network of access are recorded in the daily record accordingly.
Use the technical program, can be to the number of host predetermined threshold of specific user's access network, when surpassing threshold value, can generate the corresponding log recording that detects, operator can arrange corresponding control strategy according to the situation that detects Log Report, thereby makes things convenient for operator that user's Internet Use is managed.
In technique scheme, preferably, also comprise: network control module, the user who records in the described daily record is carried out the network control operation.
Use the technical program, operator arranges corresponding control strategy according to the situation that detects Log Report, and carries out corresponding control operation, thereby realizes undelegated shared access behavior is effectively hit, warned or containment etc.
In technique scheme, preferably, also comprise: the displaying interface module, provide to represent the interface, represent the user's who records in the described daily record information and/or access the number of host of described network.
Use the technical program, operator can view the user's who records in the daily record information and/or the number of host of access network representing the interface, thereby operator can obtain to detect more accurately information, realizes the accurate location to the user, and then it is taken appropriate measures.
According to another aspect of the invention, the invention allows for a kind of network insertion detection method, comprising: step 202, the packet in the collection network; Step 204 is extracted the http protocol message in the described packet; The value of user agent's field in the described http protocol message is extracted and recorded to step 206; Step 208, the value of user agent's field that contrast has been recorded is according to the number of host in the described network of the definite access of comparing result.
Use the technical program, HTTP packet in the collection network, by reduction and the analysis to user agent's field in the HTTP packet, obtain the key messages such as operating system sign, browser version, render engine, and then by the comprehensive study of the comparison of these key messages and self-consistentency, number of types is judged, can detect the quantity of sharing the computer of online.
In technique scheme, preferably, described step 202 comprises: gather the packet from the specific user from described network; Described step 208 comprises: determine that the specific user accesses the number of host of described network.
Use the technical program, can some specific user's network insertion situation be detected, thereby judge whether it uses many computers to share online, and operator can take corresponding control strategy according to testing result, avoid broadband access operation charge to run off.
In technique scheme, preferably, also comprise: judge that whether the number of host that described specific user accesses described network surpasses predetermined threshold, and in judged result when being, described specific user's information and the number of host that accesses described network are recorded in the daily record accordingly.
Use the technical program, can be to the number of host predetermined threshold of specific user's access network, when surpassing threshold value, can generate the corresponding log recording that detects, operator can arrange corresponding control strategy according to the situation that detects Log Report, thereby makes things convenient for operator that user's Internet Use is managed.
In technique scheme, preferably, also comprise: press predetermined way, the user who records in the described daily record is carried out the network control operation.
Use the technical program, operator arranges corresponding control strategy according to the situation that detects Log Report, and carries out corresponding control operation, thereby realizes undelegated shared access behavior is effectively hit, warned or containment etc.
In technique scheme, preferably, also comprise: provide to represent the interface, represent the user's who records in the described daily record information and/or access the number of host of described network.
Use the technical program, operator can view the user's who records in the daily record information and/or the number of host of access network representing the interface, thereby operator can obtain to detect more accurately information, realizes the accurate location to the user, and then it is taken appropriate measures.
The invention provides a kind of network insertion detection technique, the accuracy that can the Effective Raise shared access detects, can avoid simultaneously some to detect by the rule of giving out a contract for a project, the order of upsetting IPID or the technological means escape that disperses IPID, cause can't detect the situation of shared access.
Description of drawings
Fig. 1 shows the block diagram of according to an embodiment of the invention network insertion detection system;
Fig. 2 shows the flow chart of according to an embodiment of the invention network insertion detection method;
Fig. 3 shows the particular flow sheet of according to an embodiment of the invention network insertion detection method
Fig. 4 shows the schematic diagram of comprehensive according to an embodiment of the invention shared network access detection technique.
Embodiment
In order more clearly to understand above-mentioned purpose of the present invention, feature and advantage, below in conjunction with the drawings and specific embodiments the present invention is further described in detail.Need to prove, in the situation that do not conflict, the application's embodiment and the feature among the embodiment can make up mutually.
A lot of details have been set forth in the following description so that fully understand the present invention; but; the present invention can also adopt other to be different from other modes described here and implement, and therefore, protection scope of the present invention is not subjected to the restriction of following public specific embodiment.
Fig. 1 shows the block diagram of according to an embodiment of the invention network insertion detection system.
As shown in Figure 1, according to an embodiment of the invention network insertion detection system 100 comprises: packet capture module 102, the packet in the collection network; Message extraction module 104 extracts the http protocol message in the described packet; The value of user agent's field in the described http protocol message is extracted and recorded to field extraction process module 106; Number of host determination module 108, the value of user agent's field that contrast has been recorded is according to the number of host in the described network of the definite access of comparing result.
Use the technical program, HTTP packet in the collection network, by reduction and the analysis to user agent's field in the HTTP packet, obtain the key messages such as operating system sign, browser version, render engine, and then by the comprehensive study of the comparison of these key messages and self-consistentency, number of types is judged, can detect the quantity of sharing the computer of online.
In technique scheme, preferably, described packet capture module 102 gathers the packet from the specific user from described network; Described number of host determination module 108 determines that the specific user accesses the number of host of described network.
Use the technical program, can some specific user's network insertion situation be detected, thereby judge whether it uses many computers to share online, and operator can take corresponding control strategy according to testing result, avoid broadband access operation charge to run off.
In technique scheme, preferably, also comprise: logger module 110, judge that whether described specific user accesses the number of host of described network above predetermined threshold, and in judged result when being, described specific user's information and the number of host of the described network of access are recorded in the daily record accordingly.
Use the technical program, can be to the number of host predetermined threshold of specific user's access network, when surpassing threshold value, can generate the corresponding log recording that detects, operator can arrange corresponding control strategy according to the situation that detects Log Report, thereby makes things convenient for operator that user's Internet Use is managed.
In technique scheme, preferably, also comprise: network control module 112, the user who records in the described daily record is carried out the network control operation.
Use the technical program, operator arranges corresponding control strategy according to the situation that detects Log Report, and carries out corresponding control operation, thereby realizes undelegated shared access behavior is effectively hit, warned or containment etc.
In technique scheme, preferably, also comprise: displaying interface module 114, provide to represent the interface, represent the user's who records in the described daily record information and/or access the number of host of described network.
Use the technical program, operator can view the user's who records in the daily record information and/or the number of host of access network representing the interface, thereby operator can obtain to detect more accurately information, realizes the accurate location to the user, and then it is taken appropriate measures.
Fig. 2 shows the flow chart of according to an embodiment of the invention network insertion detection method.
As shown in Figure 2, according to an embodiment of the invention network insertion detection method comprises: step 202, the packet in the collection network; Step 204 is extracted the http protocol message in the described packet; The value of user agent's field in the described http protocol message is extracted and recorded to step 206; Step 208, the value of user agent's field that contrast has been recorded is according to the number of host in the described network of the definite access of comparing result.
Use the technical program, HTTP packet in the collection network, by reduction and the analysis to user agent's field in the HTTP packet, obtain the key messages such as operating system sign, browser version, render engine, and then by the comprehensive study of the comparison of these key messages and self-consistentency, number of types is judged, can detect the quantity of sharing the computer of online.
In technique scheme, preferably, described step 202 comprises: gather the packet from the specific user from described network; Described step 208 comprises: determine that the specific user accesses the number of host of described network.
Use the technical program, can some specific user's network insertion situation be detected, thereby judge whether it uses many computers to share online, and operator can take corresponding control strategy according to testing result, avoid broadband access operation charge to run off.
In technique scheme, preferably, also comprise: judge that whether the number of host that described specific user accesses described network surpasses predetermined threshold, and in judged result when being, described specific user's information and the number of host that accesses described network are recorded in the daily record accordingly.
Use the technical program, can be to the number of host predetermined threshold of specific user's access network, when surpassing threshold value, can generate the corresponding log recording that detects, operator can arrange corresponding control strategy according to the situation that detects Log Report, thereby makes things convenient for operator that user's Internet Use is managed.
In technique scheme, preferably, also comprise: press predetermined way, the user who records in the described daily record is carried out the network control operation.
Use the technical program, operator arranges corresponding control strategy according to the situation that detects Log Report, and carries out corresponding control operation, thereby realizes undelegated shared access behavior is effectively hit, warned or containment etc.
In technique scheme, preferably, also comprise: provide to represent the interface, represent the user's who records in the described daily record information and/or access the number of host of described network.
Use the technical program, operator can view the user's who records in the daily record information and/or the number of host of access network representing the interface, thereby operator can obtain to detect more accurately information, realizes the accurate location to the user, and then it is taken appropriate measures.
Fig. 3 shows the particular flow sheet of according to an embodiment of the invention network insertion detection method.
As shown in Figure 3, the idiographic flow of the network insertion detection method of embodiments of the invention is as follows:
Step 302 is carried out packet capture at carrier network Access Layer or backbone network outlet.
Step 304 is extracted http protocol message in the packet that gathers.
User agent (User-Agent) field value is disassembled and extracted to step 306 with the http protocol message that extracts.
Step 308 is extracted the critical datas such as operating system version, browser version, render engine according to rule and is carried out statistic record from the User-Agent field.
Step 310 according to the threshold values of system configuration, is judged in conjunction with the statistic record data, judges whether the user surfs the Net in violation of rules and regulations above the host number of threshold value, with the information such as number formation detection log recording and the preservation of user in violation of rules and regulations and computer thereof.
Step 312 enters and represents the interface, and to analysis result, namely testing result is carried out form and checked, can retrieve according to information such as Internet user IP, account number, zones.
Wherein, User-Agent Chinese user agent by name is the part in the Http agreement, belongs to the part of header field, and User-Agent also is called for short UA.It is a special string head, be a kind of to access websites provide employed browser type and version, operating system and version, browser kernel, etc. the sign of information.
The explanation of User-Agent word string:
1, browser sign
For purposes such as compatibility and popularizations, the sign of a lot of browsers is identical, so the browser sign can not illustrate the true version of browser, and true version information can find at UA word string afterbody.Below be the information (the 8th, 9 row) of User-Agent in the typical http protocol packet header:
Frame?167:741?bytes?on?wire(5928bits),741?bytes?captured(5928bits)on?interface?0
Ethernet?II,Src:Intelcor_ea:13:4c(74:e5:0b:ea:13:4c),Dst:LannerE1_0c:01:6a(00:90:0b:0c:01:6a)
Internet?Protocol?Version?4,Src:172.31.12.222(172.31.12.222),Dst:61.135.169.105)
Transmission?Control?Protocol,Src?Port:59065(59065),Dst?Port:http(80),Sep:1,Ack:1,Len:687
Hypertext?Transfer?Protocol
GET/HTTP/1.1\r\n
Connection:keep-alive\r/n
User-Agent:Mozilla/5.0(windows?NT?6.1;wow64)Applewdbkit/535.11(KHTML,like?
Gecko)chrome/17.0.963.84?Safari/535.11?LBBROWSER\r\n
Accept-Encoding:gzip,deflate,sdch\r\n
Accept-Language:zh-CN,zh;q=0.8\r\n
Accept-Charset:GBK,utf-8;q=0.7,q=0.3\r\n
[truncated]Cookie:BAIDUID=B6C8E64DA9B52D3A09D327E00068290B:FG=1;BDUSS=hzejNE?VX5yeFY2Bhbjngm3tkverwl-D1ZNeilcwpJRKX3RUE2Ewse51AlpsQ\Rr\n
[full?request?URI;http://www.baidu.com/]
2, operating system sign
3, secret grade sign
N: expression is without safety encipher.
I: the weak safety encipher of expression.
U: represent strong safety encipher.
4, browser language
At preference〉routine〉language of appointment in the language.
5, render engine
The main flow render engine that the display navigation device uses has: Gecko, WebKit, KHTML, Presto, Trident, Tasman etc., form is: render engine/version information.
6, version information
The true version information of display navigation device, form is: browser/version.
Fig. 4 shows the schematic diagram of comprehensive according to an embodiment of the invention shared network access detection technique.
As shown in Figure 4, based on IPID continuity detection method, the discrete detection method of IPID, TCP sequence number continuity detection method, the present invention proposes HTTP packet header detection method, this scheme can the real-time analysis os release, browser version quantity, whether detect in real time is to share Internet user and online host number, its monitoring is passive monitoring fully, needn't send detection information, and effective equally to the sharing users of timesharing online.
Operator can make up to improve the detection effect with multiple detection technique, and the user can't avoid the testing result of various means, thereby improves the accuracy that detects, and has reduced because detection cracks technology and has improved the undetected risk of failing to report of bringing.
More than be described with reference to the accompanying drawings technical scheme of the present invention, by technical scheme of the present invention, the accuracy that can the Effective Raise shared access detects, can avoid simultaneously some to detect by the rule of giving out a contract for a project, the order of upsetting IPID or the technological means escape that disperses IPID, cause can't detect the situation of shared access.
The above is the preferred embodiments of the present invention only, is not limited to the present invention, and for a person skilled in the art, the present invention can have various modifications and variations.Within the spirit and principles in the present invention all, any modification of doing, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (10)
1. a network insertion detection system is characterized in that, comprising:
The packet capture module, the packet in the collection network;
The message extraction module extracts the http protocol message in the described packet;
The value of user agent's field in the described http protocol message is extracted and recorded to field extraction process module;
The number of host determination module, the value of user agent's field that contrast has been recorded is according to the number of host in the described network of the definite access of comparing result.
2. network insertion detection system according to claim 1 is characterized in that, described packet capture module gathers the packet from the specific user from described network;
Described number of host determination module determines that the specific user accesses the number of host of described network.
3. network insertion detection system according to claim 2 is characterized in that, also comprises:
Logger module judges that whether the number of host that described specific user accesses described network surpasses predetermined threshold, and in judged result when being, described specific user's information and the number of host that accesses described network are recorded in the daily record accordingly.
4. network insertion detection system according to claim 3 is characterized in that, also comprises:
Network control module is carried out the network control operation to the user who records in the described daily record.
5. according to claim 3 or 4 described network insertion detection systems, it is characterized in that, also comprise:
The displaying interface module provides to represent the interface, represents the user's who records in the described daily record information and/or accesses the number of host of described network.
6. a network insertion detection method is characterized in that, comprising:
Step 202, the packet in the collection network;
Step 204 is extracted the http protocol message in the described packet;
The value of user agent's field in the described http protocol message is extracted and recorded to step 206;
Step 208, the value of user agent's field that contrast has been recorded is according to the number of host in the described network of the definite access of comparing result.
7. network insertion detection method according to claim 6 is characterized in that, described step 202 comprises: gather the packet from the specific user from described network;
Described step 208 comprises: determine that the specific user accesses the number of host of described network.
8. network insertion detection method according to claim 7 is characterized in that, also comprises:
Judge that whether the number of host that described specific user accesses described network surpasses predetermined threshold, and in judged result when being, described specific user's information and the number of host that accesses described network are recorded in the daily record accordingly.
9. network insertion detection method according to claim 8 is characterized in that, also comprises:
Press predetermined way, the user who records in the described daily record is carried out the network control operation.
10. according to claim 8 or 9 described network insertion detection methods, it is characterized in that, also comprise:
Provide to represent the interface, represent the user's who records in the described daily record information and/or access the number of host of described network.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2012104060553A CN102882748A (en) | 2012-10-23 | 2012-10-23 | Network access detection system and network access detection method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2012104060553A CN102882748A (en) | 2012-10-23 | 2012-10-23 | Network access detection system and network access detection method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102882748A true CN102882748A (en) | 2013-01-16 |
Family
ID=47483902
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2012104060553A Pending CN102882748A (en) | 2012-10-23 | 2012-10-23 | Network access detection system and network access detection method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102882748A (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103457789A (en) * | 2013-08-15 | 2013-12-18 | 北京星网锐捷网络技术有限公司 | Parallel operation detecting method and device |
| CN103763125A (en) * | 2013-12-27 | 2014-04-30 | 北京集奥聚合科技有限公司 | Statistical method and device for number of actual users in operator network |
| CN103986616A (en) * | 2014-04-15 | 2014-08-13 | 深信服网络科技(深圳)有限公司 | Method and device for recognizing number of machines having access to internet through proxy |
| CN104836700A (en) * | 2015-04-17 | 2015-08-12 | 中国科学院信息工程研究所 | NAT (Network Address Translation) host number detection method based on IPID and probability statistics model |
| CN106790087A (en) * | 2016-12-23 | 2017-05-31 | 大连网月科技股份有限公司 | The method and system that a kind of anti-illegal level 2 router is accessed |
| CN107454202A (en) * | 2017-07-11 | 2017-12-08 | 浙江远望信息股份有限公司 | A kind of NAT borders based on http protocol analysis find method |
| CN107592299A (en) * | 2017-08-11 | 2018-01-16 | 深信服科技股份有限公司 | Proxy surfing recognition methods, computer installation and computer-readable recording medium |
| CN108235303A (en) * | 2017-12-29 | 2018-06-29 | 中国移动通信集团江苏有限公司 | Method, apparatus, equipment and the medium of the shared flow user of identification |
| CN110661675A (en) * | 2018-06-29 | 2020-01-07 | 中国电信股份有限公司 | Method and system for detecting network drift of client host |
| CN111263345A (en) * | 2018-11-30 | 2020-06-09 | 中国移动通信集团山东有限公司 | User terminal identification method and device |
-
2012
- 2012-10-23 CN CN2012104060553A patent/CN102882748A/en active Pending
Non-Patent Citations (1)
| Title |
|---|
| 梁峰: "代理服务器及NAT网关检测技术的研究", 《中国优秀硕士学位论文全文数据库》, no. 5, 15 May 2010 (2010-05-15) * |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103457789A (en) * | 2013-08-15 | 2013-12-18 | 北京星网锐捷网络技术有限公司 | Parallel operation detecting method and device |
| CN103763125A (en) * | 2013-12-27 | 2014-04-30 | 北京集奥聚合科技有限公司 | Statistical method and device for number of actual users in operator network |
| CN103986616B (en) * | 2014-04-15 | 2017-05-10 | 深信服网络科技(深圳)有限公司 | Method and device for recognizing number of machines having access to internet through proxy |
| CN103986616A (en) * | 2014-04-15 | 2014-08-13 | 深信服网络科技(深圳)有限公司 | Method and device for recognizing number of machines having access to internet through proxy |
| CN104836700B (en) * | 2015-04-17 | 2018-11-06 | 中国科学院信息工程研究所 | NAT host number detection methods based on IPID and probability statistics model |
| CN104836700A (en) * | 2015-04-17 | 2015-08-12 | 中国科学院信息工程研究所 | NAT (Network Address Translation) host number detection method based on IPID and probability statistics model |
| CN106790087A (en) * | 2016-12-23 | 2017-05-31 | 大连网月科技股份有限公司 | The method and system that a kind of anti-illegal level 2 router is accessed |
| CN107454202A (en) * | 2017-07-11 | 2017-12-08 | 浙江远望信息股份有限公司 | A kind of NAT borders based on http protocol analysis find method |
| CN107592299A (en) * | 2017-08-11 | 2018-01-16 | 深信服科技股份有限公司 | Proxy surfing recognition methods, computer installation and computer-readable recording medium |
| CN107592299B (en) * | 2017-08-11 | 2020-06-09 | 深信服科技股份有限公司 | Proxy internet access identification method, computer device and computer readable storage medium |
| CN108235303A (en) * | 2017-12-29 | 2018-06-29 | 中国移动通信集团江苏有限公司 | Method, apparatus, equipment and the medium of the shared flow user of identification |
| CN108235303B (en) * | 2017-12-29 | 2020-12-15 | 中国移动通信集团江苏有限公司 | Method, device, equipment and medium for identifying shared flow users |
| CN110661675A (en) * | 2018-06-29 | 2020-01-07 | 中国电信股份有限公司 | Method and system for detecting network drift of client host |
| CN111263345A (en) * | 2018-11-30 | 2020-06-09 | 中国移动通信集团山东有限公司 | User terminal identification method and device |
| CN111263345B (en) * | 2018-11-30 | 2022-11-08 | 中国移动通信集团山东有限公司 | User terminal identification method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102882748A (en) | Network access detection system and network access detection method | |
| CN107454109B (en) | Network privacy stealing behavior detection method based on HTTP traffic analysis | |
| Protić | Review of KDD Cup ‘99, NSL-KDD and Kyoto 2006+ datasets | |
| KR101010302B1 (en) | Security management system and method of irc and http botnet | |
| CN103685575B (en) | A kind of web portal security monitoring method based on cloud framework | |
| Bethencourt et al. | Mapping Internet Sensors with Probe Response Attacks. | |
| US9848004B2 (en) | Methods and systems for internet protocol (IP) packet header collection and storage | |
| CN107070929A (en) | A kind of industry control network honey pot system | |
| CN107733851A (en) | DNS tunnels Trojan detecting method based on communication behavior analysis | |
| EP2953298A1 (en) | Log analysis device, information processing method and program | |
| CN103279710B (en) | Method and system for detecting malicious codes of Internet information system | |
| Barbosa et al. | Exploiting traffic periodicity in industrial control networks | |
| CN106656922A (en) | Flow analysis based protective method and device against network attack | |
| CN103916288B (en) | A kind of Botnet detection methods and system based on gateway with local | |
| US20100046393A1 (en) | Methods and systems for internet protocol (ip) traffic conversation detection and storage | |
| CN107465651A (en) | Network attack detecting method and device | |
| US20140130167A1 (en) | System and method for periodically inspecting malicious code distribution and landing sites | |
| CN104135474B (en) | Intrusion Detection based on host goes out the Network anomalous behaviors detection method of in-degree | |
| JP5813810B2 (en) | Blacklist expansion device, blacklist expansion method, and blacklist expansion program | |
| CN103457909A (en) | Botnet detection method and device | |
| CN107547490A (en) | A kind of scanner recognition method, apparatus and system | |
| CN114244564B (en) | Attack defense method, device, equipment and readable storage medium | |
| CN102984003A (en) | Network access detection system and network access detection method | |
| Wang et al. | Honeynet construction based on intrusion detection | |
| US11394687B2 (en) | Fully qualified domain name (FQDN) determination |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20130116 |
|
| RJ01 | Rejection of invention patent application after publication |