CN103139740B - The identification of a kind of illegal signaling, processing method and device - Google Patents
The identification of a kind of illegal signaling, processing method and device Download PDFInfo
- Publication number
- CN103139740B CN103139740B CN201110398861.6A CN201110398861A CN103139740B CN 103139740 B CN103139740 B CN 103139740B CN 201110398861 A CN201110398861 A CN 201110398861A CN 103139740 B CN103139740 B CN 103139740B
- Authority
- CN
- China
- Prior art keywords
- signaling
- illegal
- domain name
- determined
- terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
A kind of identification of illegal signaling, processing method and device, main contents include: by gathering the signaling in PS territory, judge the signaling whether comprising the eigenvalue of predetermined illegal domain name or setting in the PS domain signaling gathered, if comprising, the signaling then determining this collection is illegal signaling, therefore, illegal signaling can be shielded, postpone transmission or amendment etc. to process, containment utilizes PS territory to carry out the transmission of illegal signaling, the server making illegal operator can not promptly and accurately receive illegal signaling, and then avoid according to the content in illegal signaling carry out all kinds of underground operation business, it is effectively reduced based on utilizing PS territory to transmit illegal signaling and all kinds of illegal traffic that launch taking and harm to the network information security Internet resources.
Description
Technical field
The present invention relates to communication technical field, particularly relate to the identification of a kind of illegal signaling, processing method and device.
Background technology
Development along with mobile communications network, number of users is continuously increased, cooperation between different operators is also more tight, various New function, new business continue to bring out, such as the speech business (VoiceOverInternetProtocol, VOIP) of internet protocol-based, caller identification, data traffic monthly package etc. But some illegal operators set up illegal server in a network, every business is provided a user with to escape charging by illegal way, the Internet resources shared when causing providing a user with every business of this way can not get supervision, information security is impacted, the Internet resources of preciousness have also been illegally occupied simultaneously, to this, it is necessary to the business performed by illegal server is identified, contain illegal traffic.
With circuit switching (CircuitSwitch, CS) the reservation callback service in territory is example, assume that terminal A has opened caller identification business, answered coin free service, then when terminal A converses with terminal B as calling terminal, terminal A does not initiate calling to terminal B in a conventional manner, but realize the calling to terminal B by the switching of illegal server, to escape the call monitoring between terminal A and terminal B, specifically, terminal A realizes as follows with the calling procedure of terminal B by the switching of illegal server:
The first step: the terminal A access code according to illegal server, initiates calling to illegal server.
Second step: illegal server is refused this calling, and terminal A is carried out callback, make terminal A become terminal called from calling terminal after receiving the calling of self terminal A.
After 3rd step: terminal A connects the calling of illegal server, button in the process conversed is being carried out with illegal server, dual-tone multifrequency (DualToneMultiFrequency, DTMF) function is used to transmit number namely the called number of terminal B to illegal server.
4th step: illegal server is according to the called number calling terminal B received so that terminal A and terminal B all converses with called identity.
Realize in the calling procedure with terminal B at above-mentioned terminal A by the switching of illegal server, information between terminal A, illegal server, terminal B cannot obtain effective monitoring alternately, take substantial amounts of Internet resources, and the caller identification number that terminal B is when call establishment is without authentication, arbitrary numbers can be shown, the network information security is worked the mischief.
At present, for above-mentioned illegal reservation callback service, can by the reservation illegal signaling that carries out in process of callback service be identified, described illegal signaling refers to the information such as critical packet or the character string for identifying illegal operator of the specific format utilizing communication protocol in existing network to transmit in order to obtain unlawful interests. When identify a certain process of service execution has illegal signaling exist time, then can determine that this business is illegal traffic, this business need to be shielded or interrupt this type of business.
Still for above-mentioned reservation callback service, identify that whether this reservation callback service is the mode of illegal traffic and is:
Due in illegal reservation callback service, terminal A need to use DTMF function to send the number (i.e. called number) of terminal B to illegal server, therefore, can to whether the communication process in network produces certain length and continuous print dtmf tone frequency information be identified, if a talk business exists certain length and continuous print dtmf tone frequency information, it may be determined that this talk business is illegal reservation callback service; And then can determine that performing this server illegally preengaging callback service is the illegal server that illegal operator sets up, and initiates the transmitting terminal that terminal is illegal signaling of this dtmf tone frequency information.
Although can by the dtmf tone frequency information produced in communication process be identified and then illegal callback service is judged, but, above-mentioned dtmf tone frequency information is identified method and may be only available for carrying out in CS territory between calling and called terminal and illegal server the scene of illegal signaling transmission, for transmitting illegal signaling by PS territory between calling and called terminal and illegal server and can not be suitable in the scene of CS intra-area communication.
Such as: transmit the reservation callback service of illegal signaling, CS domain call for PS territory, terminal A initiates the PS domain signaling of the number (i.e. called number) of number (i.e. calling number) and the terminal B comprising self to illegal server, as: terminal A utilizes the business of networking opened to input in the Web address field of webpage:
" URL=/javatel.asp? username=vi83219&PW=1973&NO0=139********&NO1=137******** " character string of this specific format, wherein, 139******** and 137******** is calling number and called number, and javatel.asp is the reference address of illegal server. Illegal server is initiated calling by CS territory to terminal A and terminal B, is made terminal A and terminal B all converse with called identity after receiving the terminal A PS domain signaling sent.
Again such as: sent the business of short message to terminal B by illegal server for terminal A, terminal A initiates the number (i.e. sender number) comprising self to illegal server, the number (i.e. recipient's number) of terminal B and the PS domain signaling of content of short message, the specific software that the Word message of described content of short message has been installed by terminal A is converted to Serial No. (such as numeral telegraph code), after illegal server receives the terminal A PS signaling sent, calling is initiated to terminal B by CS territory, and in the caller identification of terminal B the content in display digit sequence successively, and by the specific software installed in terminal B, first hanging up calling, again the Serial No. in caller identification is converted to Word message. generally, caller identification can transmit the number sequence of 17, therefore illegal server repeatedly can initiate calling to terminal B, shows the content in a part of Serial No., until all of Serial No. is sent to terminal B by the mode of caller identification in the caller identification of per call.
Owing to transmitting illegal signaling and under the scene of CS intra-area communication by PS territory between above-mentioned terminal and illegal server, dtmf tone frequency information is not produced in communication process or in short message sending process, therefore dtmf tone frequency information cannot be used to identify illegal traffic, cause this transmitting illegal signaling in PS territory and at the illegal traffic None-identified of CS field communication, more cannot contain.
Summary of the invention
The embodiment of the present invention provides the identification of a kind of illegal signaling, processing method and device, PS territory is transmitted illegal signaling and the illegal traffic None-identified problem at CS field communication solving prior art.
A kind of recognition methods of illegal signaling, described method includes:
Gather the signaling produced in packet domain;
For each signaling gathered, it is judged that whether this signaling comprises the eigenvalue of predetermined illegal domain name or setting, if comprising, it is determined that this signaling is illegal signaling.
A kind of recognition methods of illegal signaling, described method includes:
Gather the signaling produced in packet domain;
For each signaling gathered, when this signaling meets the combination of either condition or multiple condition in following three kinds of conditions, according to the weighted value distributed for every kind of condition, it is determined that the weighted value sum that this signaling satisfies condition, and when this weighted value sum is more than threshold value, it is determined that this signaling is illegal signaling;
Described three kinds of conditions are respectively as follows:
Signaling comprises and predetermined illegal domain name, signaling comprise illegal sequence code set in advance and signaling generates the time and belong to the illegal time period set in advance.
A kind of method that illegal signaling that any one method in above two illegal signaling recognition methods is determined processes, described method includes:
The illegal signaling that shielding, delay transmission or amendment are determined;
Or,
According to the illegal domain name comprised in the illegal signaling determined, it is determined that corresponding server is illegal server;
Or,
If described illegal signaling is up signaling, then when determining that the up illegal signaling of N bar is sent by same terminal, it is determined that this terminal is illegal terminal, and described N is positive integer.
A kind of identification device of illegal signaling, described device includes:
Signal collecting module, for gathering the signaling produced in packet domain;
Illegal signaling determines module, for for each signaling gathered, it is judged that whether comprise the eigenvalue of predetermined illegal domain name or setting in this signaling, if comprising, it is determined that this signaling is illegal signaling.
A kind of identification device of illegal signaling, described device includes:
Signal collecting module, for gathering the signaling produced in packet domain;
Illegal signaling determines module, for for each signaling gathered, when the combination of either condition or multiple condition in three kinds of conditions below this signaling meets, according to the weighted value for every kind of condition distribution, determine the weighted value sum that this signaling satisfies condition, and when this weighted value sum is more than threshold value, it is determined that this signaling is illegal signaling;
Described three kinds of conditions are respectively as follows:
Signaling comprises and predetermined illegal domain name, signaling comprise illegal sequence code set in advance and signaling generates the time and belong to the illegal time period set in advance.
The device that a kind of illegal signaling that the arbitrary identification device identified in device of the illegal signaling of above two is determined processes, described device includes:
Restriction module, for shielding, postpone transmission or revising the illegal signaling determined;
Illegality equipment determines module, for according to the illegal domain name comprised in the illegal signaling determined, it is determined that corresponding server is illegal server; Or, if being up signaling for described illegal signaling, then when determining that the up illegal signaling of N bar is sent by same terminal, it is determined that this terminal is illegal terminal, and described N is positive integer.
In the scheme of the embodiment of the present invention, by gathering the signaling in PS territory, judge the signaling whether comprising predetermined illegal domain name in the PS domain signaling gathered, if comprising, the signaling then determining this collection is illegal signaling, therefore, illegal signaling can be shielded, postpone the process such as transmission or amendment, containment utilizes PS territory to carry out the transmission of illegal signaling, the server making illegal operator can not promptly and accurately receive illegal signaling, and then avoid or reduce and carry out all kinds of underground operation business according to the content in illegal signaling; By the scheme of the embodiment of the present invention, due to by the scheme of the embodiment of the present invention, owing to the signaling in the PS territory of collection being mated according to predetermined illegal domain name, can accurately determine illegal signaling, illegal signaling is processed, be effectively reduced described illegal traffic to the taking of Internet resources, slow down the development of underground operation business and the harm to the network information security.
Accompanying drawing explanation
Fig. 1 is the schematic diagram of the recognition methods of the illegal signaling in the embodiment of the present invention one;
Fig. 2 is the schematic diagram of the recognition methods of the illegal signaling in the embodiment of the present invention two;
Fig. 3 is the method schematic diagram that the carrying out to the illegal signaling that the recognition methods utilizing described illegal signaling identifies in the embodiment of the present invention three processes;
Fig. 4 is the structural representation identifying device of the illegal signaling in the embodiment of the present invention four;
Fig. 5 is the structural representation processing device of the illegal signaling in the embodiment of the present invention six.
Detailed description of the invention
For existing illegal traffic recognition methods to utilizing PS territory to transmit illegal signaling, the problem of the illegal traffic None-identified of CS field communication, embodiments provide identification and the processing method of a kind of new illegal signaling, by gathering the signaling in PS territory, judge the signaling whether comprising predetermined illegal domain name in the PS domain signaling gathered, if comprising, the signaling then determining this collection is illegal signaling, therefore, illegal signaling can be shielded, postpone transmission or amendment etc. to process, containment utilizes PS territory to carry out the transmission of illegal signaling, the server making illegal operator can not promptly and accurately receive illegal signaling, and then avoid according to the content in illegal signaling carry out all kinds of underground operation business.
The solution of the present invention is described in detail below in conjunction with specific embodiment.
Embodiment one
As it is shown in figure 1, be the schematic diagram of the recognition methods of a kind of illegal signaling in the embodiment of the present invention one, described method specifically includes following steps:
Step 101: gather the signaling produced in packet domain.
In the scheme of this step 101, it is possible to the signaling produced in Real-time Collection PS territory, it is also possible to periodically gather the signaling of generation, and the signaling of collection is stored in original signaling data storehouse with certain form.
More preferably, consider the signaling gathered is likely to comprise substantial amounts of information, its data volume stored in raw data base is also bigger, therefore, in the scheme of this step 101, signalling analysis program can be utilized to resolve the PS domain signaling gathered, it is determined that what wherein comprise has the information necessarily associated with signaling legitimacy, such as domain name, calling number, called number, user name, password etc., and signaling there is the information necessarily associated to be stored in original signaling data storehouse with the legitimacy of signaling after resolving.
Preferably, the process that the signaling produced in PS territory is acquired, it can be the collection to Gb Interface and/or the signaling at gn interface place, described Gb Interface is base station sub-system (BaseStationSubsystem, BSS) with GPRS service node (ServingGPRSSupportNode, SGSN) interface between, described gn interface is same public land mobile net (PublicLandMobileNetwork, PLMN) between SGSN and SGSN and SGSN and Gateway GPRS Support Node (GatewayGPRSSupportNode, GGSN) interface between. certainly, the present embodiment is also not necessarily limited to gather the signaling produced in PS territory by other means.
Step 102: for each signaling gathered, it is judged that whether comprise the eigenvalue of predetermined illegal domain name or setting in this signaling, if comprising, then perform step 103, if not comprising, it is determined that this signaling is legal signaling.
More preferably, if the signaling gathered in a step 101 is stored in original signaling data storehouse with certain form, then in this step 102, it is possible to the signaling of storage in described original signaling data storehouse is carried out process at a high speed, judge that the signaling gathered is illegal signaling or legal signaling successively.
In this step 102, for judging that signaling be whether the basis for estimation of illegal signaling can be predetermined illegal domain name, this illegal domain name can be determined by empirical value, using fixed illegal domain name before as the basis for estimation of this step 102; Preset outside illegal domain name except that according to empirical value, it is also possible to preset illegal domain name according to the form of expression that illegal signaling is transmitted, for instance:
When being normally carried out signaling transmission between terminal and server, in most cases, the data volume of the signaling (being referred to as up signaling in the present embodiment) that the data volume of the signaling (being referred to as downlink signaling in the present embodiment) that server sends to terminal sends much larger than terminal to server, and when utilizing the illegal signalling in PS territory to carry out the operation of CS territory, the main purpose of the up signaling that terminal to server sends is the relevant information that the server to illegal operator reports for the operation of CS territory, and illegally operator is for reducing operation cost, its server is typically small to the data volume of the downlink signaling that terminal sends, that is, for a certain server, the data volume of its up signaling received is more than the feature of the data volume of the downlink signaling of its transmission, can as the feature identifying that this server is illegal server, then the PS domain signaling of this server transmitting-receiving also should be illegal signaling, therefore, in the scheme of this step 102, predetermined illegal domain name can be determined in the following manner:
First, for the signaling in a large amount of PS territories gathered, it is determined that at least one comprises the up signaling of same domain name, it is determined that described up signaling be the up signaling that at least one terminal is sent to same server.
It is then determined the downlink signaling that server corresponding to described same domain name generates for described up signaling, it is determined that described downlink signaling be the downlink signaling that same server is sent at least one terminal.
Finally, if the difference of the data volume of the data volume of described up signaling and downlink signaling is more than threshold value, meet the feature identifying that server is illegal server, therefore, the domain name comprised in described up signaling is illegal domain name, and server corresponding to this illegal domain name is also just for illegal server.
It is above with " data volume of the up signaling received is more than the data volume of the downlink signaling sent " this feature to preset illegal domain name, the scheme of this step 102 is also not necessarily limited to the form of expression according to the transmission of other illegal signalings and presets illegal domain name.
More preferably, according to after determining illegal domain name with upper type, it is also possible to the illegal domain name determined is analyzed, finds out other illegal domain names relevant to the illegal domain name determined further. Such as: after determining that www.tianxiatong.com is illegal domain name, pass through string matching algorithm, by character string higher for some similarities such as: www.tianxiaton.com, www.tianxiatong1.com, www.tianxiaton1.com can be judged to illegal domain name, more than threshold value or special forbidden character string format is comprised being carried out the difference determining whether up-downgoing data volume by step 102. If so, illegal domain name then it is judged as.
Preferably, the method that illegal signaling is identified by illegal domain name in conjunction with separator can also be adopted, namely in the transmission process of illegal signaling, specific signaling can be provided with and send form to distinguish illegal server domain name, calling number, called number, as distinguished by separator, conventional separator as: #, &,?,! Deng.
More preferably, except predefined illegal domain name, it is also possible to pre-determine legitimate domain name, if the signaling gathered comprises legitimate domain name, it is determined that this signaling is legal signaling, to reduce the operand identifying illegal signaling.
In this step 102, can also judge that whether comprising eigenvalue set in advance in the signaling gathered carries out the identification of illegal signaling, the described eigenvalue set is as being: the phone number of user, user name, password and the character string after described phone number being processed by various algorithms, as phone number carries out the character string after inverted order arrangement.
Described username and password can be the terminal the using illegal traffic log-on message at illegal carrier web site, and this information can have corresponding relation with phone number.
Step 103: determine that this signaling is illegal signaling.
Preferably, it is to be determined to illegal signaling be stored in illegal traffic data base with certain form, in order to analyze make new advances identify illegal signaling condition.
By the scheme of above step 101 to step 103, the signaling gathered is analyzed, finds out illegal signaling therein in PS territory.
In the scheme of above-mentioned steps 101 to step 103, illegal signaling is judged for condition with predetermined illegal domain name, more preferably, in the scheme of the present embodiment one, including but not limited to the combination of following arbitrary Rule of judgment or two conditions, the Rule of judgment in integrating step 102 identifies illegal signaling:
1, illegal sequence code set in advance is that condition is to identify illegal signaling.
Concrete, described illegal sequence code can be the telegraph code of conventional note term, it is also possible to be determined Serial No. code by empirical value.
Consider that terminal utilizes PS territory carry out illegal signaling transmission and then utilize in the business that CS territory carries out illegal communication, if business in the cs domain is short message service, sending side terminal need to send, by PS territory, the illegal signaling comprising the number of self, recipient's number and content of short message to illegal server, content of short message in illegal signaling is to transmit with the form of sequence code, therefore, by being identified whether signaling comprises conventional sequence code set in advance (telegraph code such as common phrases), determine that the key character of illegal signaling.
2, the illegal time period set in advance is that condition is to identify illegal signaling.
The described illegal time period set in advance may be set to the time period of voice service busy.
Consider that the PS domain signaling between calling terminal and illegal server is alternately to reach to carry out, with terminal called, the purpose conversed, therefore, the closeness that this illegal traffic carries out has the similar regularity of distribution with voice service busy extent, that is, this illegal traffic is typically in voice service busy and performs in a large number, and normal time period of data service busy and the time period of voice service busy differ, therefore can using the time period of voice service busy as the default illegal time period, within the time period, the probability carrying out illegal traffic is bigger.
Embodiment two
The embodiment of the present invention two provides another kind of illegal signaling recognition methods, as in figure 2 it is shown, said method comprising the steps of:
Step 201: gather the signaling produced in packet domain.
This step 201 implement with a kind of step 101 of embodiment realize identical, repeat no more here.
Step 202: for each signaling gathered, when the combination of either condition or multiple condition in three kinds of conditions below this signaling meets, according to the weighted value for every kind of condition distribution, determine the weighted value sum that this signaling satisfies condition, and when this weighted value sum is more than threshold value, it is determined that this signaling is illegal signaling.
Described three kinds of conditions are respectively as follows:
Signaling comprises and predetermined illegal domain name, signaling comprise illegal sequence code set in advance and signaling generates the time and belong to the illegal time period set in advance.
The reason and the every kind of condition determination method that select above-mentioned three kinds of conditions are identical with embodiment one, repeat no more here.
Embodiment three
Illegal signaling recognition methods based on the embodiment of the present invention one and embodiment two, the present embodiment three proposes the method that the carrying out of the illegal signaling that a kind of recognition methods to utilizing described illegal signaling identifies processes, as shown in Figure 3, for in conjunction with illegal signaling identification and the process schematic diagram to illegal signaling, after determining illegal signaling, comprise the following steps:
The first step: limit the transmission of illegal signaling.
The transmission of the illegal signaling of described restriction includes but not limited to: shielding, delay are transmitted or revise illegal signaling.
Except the restriction of illegal signaling is transmitted, it is also possible to determine illegal server and illegal terminal according to illegal signaling, particularly as follows:
According to the illegal domain name comprised in illegal signaling, it is determined that corresponding server is illegal server, the signaling of this illegal server transmitting-receiving is shielded completely.
If described illegal signaling is up signaling, then when determining that the up illegal signaling of N bar is sent by same terminal, it is determined that this terminal is illegal terminal, and described N is positive integer, that is, for frequently sending the terminal of illegal signaling, the calling number in the up signaling of its transmission or called number can be modified, form defective ringing, or signaling is constantly retransmitted, formed and repeatedly call, reduce user's perception, it is to avoid user reuses illegal traffic. And for using the user of illegal traffic for the first time, the up signaling sent can be shielded or increases the mode of time delay, reduce user's perception.
If what terminal was desired with is the transmission of illegal short message, then NUL can be adopted to replace the short message content in up signaling, or directly shield up signaling.
Second step: present and preserve result.
In this step, it is possible to set up man machine interface and present real-time result to attendant, and provide the functions such as the inquiry of historical data, attendant can carry out the configuration of Parameter Conditions by man machine interface.
Scheme by the present embodiment three, the illegal server receiving illegal signaling is carried out different process from the transmission terminal of illegal signaling according to different situations, illegal signaling can not be transmitted timely and accurately, and then contained that the described PS of utilization territory carries out signaling transmission and the illegal traffic utilizing CS territory to communicate, it is effectively reduced described illegal traffic taking and harm to the network information security Internet resources.
Embodiment four
Based on the same design with the embodiment of the present invention one, the embodiment of the present invention four provides the identification device of a kind of illegal signaling, and as shown in Figure 4, the identification device of described illegal signaling includes: signal collecting module 41 and illegal domain name determine module 42, wherein:
Signal collecting module 41, for gathering the signaling produced in packet domain.
Illegal signaling determines module 42, for for each signaling gathered, it is judged that whether comprise the eigenvalue of predetermined illegal domain name or setting in this signaling, if comprising, it is determined that this signaling is illegal signaling.
Preferably, the identification device of described illegal signaling also includes:
Illegal domain name determines module 43, specifically for determining the up signaling at least one packet domain comprising same domain name, and determine the downlink signaling that server corresponding to this domain name generates for described up signaling, if the difference of the data volume of the data volume of described up signaling and downlink signaling is more than threshold value, then determining that the domain name comprised in described up signaling is illegal domain name, illegal domain name determines as illegal signaling, the illegal domain name that module 43 is determined can determine that module 42 judges the foundation of invalid information.
Preferably, described signal collecting module 41 is specifically for gathering the signaling of Gb Interface and/or gn interface.
Preferably, the identification device of described illegal signaling also includes:
Illegal sequence code determines module 44, is used for determining illegal sequence code set in advance.
Described illegal signaling determines module 42, when being additionally operable to comprise illegal sequence code set in advance in the signaling determining collection, it is determined that this signaling is illegal signaling.
Preferably, the identification device of described illegal signaling also includes:
The illegal time period determines module 45, is used for determining the illegal time period set in advance.
Described illegal signaling determines module 42, is additionally operable to when the signaling generation time determining collection belongs to the illegal time period set in advance, it is determined that this signaling is illegal signaling.
Embodiment five
Based on the same design with the embodiment of the present invention two, the embodiment of the present invention five provides the identification device of a kind of illegal signaling, and the structural representation of this device is identical with the structure of Fig. 4, but the function of each module is different, particularly as follows:
The identification device of described illegal signaling includes: signal collecting module 41 and illegal signaling determine module 42, wherein:
Signal collecting module 41, for gathering the signaling produced in packet domain.
Illegal signaling determines module 42, for for each signaling gathered, when the combination of either condition or multiple condition in three kinds of conditions below this signaling meets, according to the weighted value for every kind of condition distribution, determine the weighted value sum that this signaling satisfies condition, and when this weighted value sum is more than threshold value, determining that this signaling is illegal signaling, described three kinds of conditions are respectively as follows: in signaling to comprise and comprise illegal sequence code set in advance in predetermined illegal domain name, signaling and signaling generates the time and belongs to the illegal time period set in advance.
Preferably, described illegal signaling identification device also includes:
Illegal domain name determines module 43, for determining the up signaling at least one packet domain comprising same domain name, and determine the downlink signaling that server corresponding to this domain name generates for described up signaling, if the difference of the data volume of the data volume of described up signaling and downlink signaling is more than threshold value, it is determined that the domain name comprised in described up signaling is illegal domain name.
Illegal sequence code determines module 44, is used for determining illegal sequence code set in advance.
The illegal time period determines module 45, is used for determining the illegal time period set in advance.
Described illegal signaling determines module 42, specifically for for each signaling gathered, when this signaling comprises illegal domain name that illegal domain name determines that module 43 determines, comprise illegal sequence code and determine illegal sequence code that module 44 determines, the generation time is when belonging to the combination that the illegal time period determines either condition or multiple condition in the illegal time period these three condition that module 45 is determined, according to the weighted value for every kind of condition distribution, determine the weighted value sum that this signaling satisfies condition, and when this weighted value sum is more than threshold value, it is determined that this signaling is illegal signaling.
Embodiment six
Based on the same design with the embodiment of the present invention three, the embodiment of the present invention six provides the process device of a kind of illegal signaling, as it is shown in figure 5, the process device of described illegal signaling includes: restriction module 51 and illegality equipment determine module 52, wherein:
Restriction module 51, for shielding, postpone transmission or revising the illegal signaling determined;
Illegality equipment determines module 52, for according to the illegal domain name comprised in the illegal signaling determined, it is determined that corresponding server is illegal server; Or, if being up signaling for described illegal signaling, then when determining that the up illegal signaling of N bar is sent by same terminal, it is determined that this terminal is illegal terminal, and described N is positive integer.
Preferably, the process device of described illegal signaling also includes:
Maintenance module 53, for presenting real-time result to attendant, and provides the functions such as the inquiry of historical data, and attendant can pass through this maintenance module 53 and carry out the configuration of Parameter Conditions.
Those skilled in the art are it should be appreciated that embodiments herein can be provided as method, system or computer program. Therefore, the application can adopt the form of complete hardware embodiment, complete software implementation or the embodiment in conjunction with software and hardware aspect. And, the application can adopt the form at one or more upper computer programs implemented of computer-usable storage medium (including but not limited to disk memory, CD-ROM, optical memory etc.) wherein including computer usable program code.
The application describes with reference to flow chart and/or the block diagram according to the method for the embodiment of the present application, equipment (system) and computer program. It should be understood that can by the combination of the flow process in each flow process in computer program instructions flowchart and/or block diagram and/or square frame and flow chart and/or block diagram and/or square frame. These computer program instructions can be provided to produce a machine to the processor of general purpose computer, special-purpose computer, Embedded Processor or other programmable data processing device so that the instruction performed by the processor of computer or other programmable data processing device is produced for realizing the device of function specified in one flow process of flow chart or multiple flow process and/or one square frame of block diagram or multiple square frame.
These computer program instructions may be alternatively stored in and can guide in the computer-readable memory that computer or other programmable data processing device work in a specific way, the instruction making to be stored in this computer-readable memory produces to include the manufacture of command device, and this command device realizes the function specified in one flow process of flow chart or multiple flow process and/or one square frame of block diagram or multiple square frame.
These computer program instructions also can be loaded in computer or other programmable data processing device, make on computer or other programmable devices, to perform sequence of operations step to produce computer implemented process, thus the instruction performed on computer or other programmable devices provides for realizing the step of function specified in one flow process of flow chart or multiple flow process and/or one square frame of block diagram or multiple square frame.
Although having been described for the preferred embodiment of the application, but those skilled in the art are once know basic creative concept, then these embodiments can be made other change and amendment. So, claims are intended to be construed to include preferred embodiment and fall into all changes and the amendment of the application scope.
Obviously, the present invention can be carried out various change and modification without deviating from the spirit and scope of the present invention by those skilled in the art. So, if these amendments of the present invention and modification belong within the scope of the claims in the present invention and equivalent technologies thereof, then the present invention is also intended to comprise these change and modification.
Claims (14)
1. the recognition methods of an illegal signaling, it is characterised in that described method includes:
Gather the signaling produced in packet domain;
For each signaling gathered, it is judged that whether this signaling comprises predetermined illegal domain name, if comprising, it is determined that this signaling is illegal signaling;
Wherein, described predetermined illegal domain name is determined in the following manner:
Determine the up signaling at least one packet domain comprising same domain name, and determine the downlink signaling that server corresponding to this domain name generates for described up signaling, if the difference of the data volume of the data volume of described up signaling and downlink signaling is more than threshold value, it is determined that the domain name comprised in described up signaling is illegal domain name.
2. the recognition methods of illegal signaling as claimed in claim 1, it is characterised in that gather the signaling produced in packet domain, specifically include:
Gather the signaling of Gb Interface and/or gn interface.
3. the recognition methods of illegal signaling as claimed in claim 1, it is characterised in that determining that signaling is before illegal signaling, described method also includes:
Determine and the signaling of collection comprises illegal sequence code set in advance.
4. the recognition methods of illegal signaling as claimed in claim 1, it is characterised in that determining that signaling is before illegal signaling, described method also includes:
Determine that the signaling generation time of collection belongs to the illegal time period set in advance.
5. the recognition methods of an illegal signaling, it is characterised in that described method includes:
Gather the signaling produced in packet domain;
For each signaling gathered, when this signaling meets the combination of either condition or multiple condition in following three kinds of conditions, according to the weighted value distributed for every kind of condition, it is determined that the weighted value sum that this signaling satisfies condition, and when this weighted value sum is more than threshold value, it is determined that this signaling is illegal signaling;
Described three kinds of conditions are respectively as follows:
Signaling comprises and predetermined illegal domain name, signaling comprise illegal sequence code set in advance and signaling generates the time and belong to the illegal time period set in advance.
6. the recognition methods of illegal signaling as claimed in claim 5, it is characterised in that described predetermined illegal domain name is determined in the following manner:
Determine the up signaling at least one packet domain comprising same domain name, and determine the downlink signaling that server corresponding to this domain name generates for described up signaling, if the difference of the data volume of the data volume of described up signaling and downlink signaling is more than threshold value, it is determined that the domain name comprised in described up signaling is illegal domain name.
7. the method that the illegal signaling that claim 1 or claim 5 are determined processes, it is characterised in that described method includes:
The illegal signaling that shielding, delay transmission or amendment are determined;
Or,
According to the illegal domain name comprised in the illegal signaling determined, it is determined that corresponding server is illegal server;
Or,
If described illegal signaling is up signaling, then when determining that the up illegal signaling of N bar is sent by same terminal, it is determined that this terminal is illegal terminal, and described N is positive integer.
8. the identification device of an illegal signaling, it is characterised in that described device includes:
Signal collecting module, for gathering the signaling produced in packet domain;
Illegal signaling determines module, for for each signaling gathered, it is judged that whether comprise predetermined illegal domain name in this signaling, if comprising, it is determined that this signaling is illegal signaling;
Illegal domain name determines module, for determining the up signaling at least one packet domain comprising same domain name, and determine the downlink signaling that server corresponding to this domain name generates for described up signaling, if the difference of the data volume of the data volume of described up signaling and downlink signaling is more than threshold value, it is determined that the domain name comprised in described up signaling is illegal domain name.
9. the identification device of illegal signaling as claimed in claim 8, it is characterised in that described signal collecting module is specifically for gathering the signaling of Gb Interface and/or gn interface.
10. the identification device of illegal signaling as claimed in claim 8, it is characterised in that described device also includes:
Illegal sequence code determines module, is used for determining illegal sequence code set in advance;
Described illegal signaling determines module, when being additionally operable to comprise illegal sequence code set in advance in the signaling determining collection, it is determined that this signaling is illegal signaling.
11. the identification device of illegal signaling as claimed in claim 8, it is characterised in that described device also includes:
The illegal time period determines module, is used for determining the illegal time period set in advance;
Described illegal signaling determines module, is additionally operable to when the signaling generation time determining collection belongs to the illegal time period set in advance, it is determined that this signaling is illegal signaling.
12. the identification device of an illegal signaling, it is characterised in that described device includes:
Signal collecting module, for gathering the signaling produced in packet domain;
Illegal signaling determines module, for for each signaling gathered, when the combination of either condition or multiple condition in three kinds of conditions below this signaling meets, according to the weighted value for every kind of condition distribution, determine the weighted value sum that this signaling satisfies condition, and when this weighted value sum is more than threshold value, it is determined that this signaling is illegal signaling;
Described three kinds of conditions are respectively as follows:
Signaling comprises and predetermined illegal domain name, signaling comprise illegal sequence code set in advance and signaling generates the time and belong to the illegal time period set in advance.
13. the identification device of illegal signaling as claimed in claim 12, it is characterised in that described device also includes:
Illegal domain name determines module, for determining the up signaling at least one packet domain comprising same domain name, and determine the downlink signaling that server corresponding to this domain name generates for described up signaling, if the difference of the data volume of the data volume of described up signaling and downlink signaling is more than threshold value, it is determined that the domain name comprised in described up signaling is illegal domain name.
14. the device that the illegal signaling that claim 8 or claim 12 are determined processes, it is characterised in that described device includes:
Restriction module, for shielding, postpone transmission or revising the illegal signaling determined;
Illegality equipment determines module, for according to the illegal domain name comprised in the illegal signaling determined, it is determined that corresponding server is illegal server; Or, if being up signaling for described illegal signaling, then when determining that the up illegal signaling of N bar is sent by same terminal, it is determined that this terminal is illegal terminal, and described N is positive integer.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110398861.6A CN103139740B (en) | 2011-12-05 | 2011-12-05 | The identification of a kind of illegal signaling, processing method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110398861.6A CN103139740B (en) | 2011-12-05 | 2011-12-05 | The identification of a kind of illegal signaling, processing method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103139740A CN103139740A (en) | 2013-06-05 |
| CN103139740B true CN103139740B (en) | 2016-06-01 |
Family
ID=48498934
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110398861.6A Active CN103139740B (en) | 2011-12-05 | 2011-12-05 | The identification of a kind of illegal signaling, processing method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103139740B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108418976A (en) * | 2017-02-10 | 2018-08-17 | 中国移动通信集团河南有限公司 | Callback service monitoring method and system |
| CN108933867B (en) * | 2017-05-27 | 2021-04-13 | 中国移动通信集团公司 | Method and device for preventing and controlling information fraud, equipment and storage medium |
| CN109089002B (en) * | 2017-06-13 | 2021-06-25 | 中国移动通信集团陕西有限公司 | Method and device for blocking illegal network telephone |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1516490A (en) * | 2003-01-03 | 2004-07-28 | ��Ϊ��������˾ | Method for limiting illegal international short message service |
| CN1937530A (en) * | 2006-08-07 | 2007-03-28 | 华为技术有限公司 | Method, device and system for identifying illegal packet phones |
| CN101163264A (en) * | 2007-11-14 | 2008-04-16 | 中兴通讯股份有限公司 | Data traffic access control method in mobile communications system |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060135132A1 (en) * | 2004-12-21 | 2006-06-22 | Lucent Technologies, Inc. | Storing anti-spam black lists |
-
2011
- 2011-12-05 CN CN201110398861.6A patent/CN103139740B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1516490A (en) * | 2003-01-03 | 2004-07-28 | ��Ϊ��������˾ | Method for limiting illegal international short message service |
| CN1937530A (en) * | 2006-08-07 | 2007-03-28 | 华为技术有限公司 | Method, device and system for identifying illegal packet phones |
| CN101163264A (en) * | 2007-11-14 | 2008-04-16 | 中兴通讯股份有限公司 | Data traffic access control method in mobile communications system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103139740A (en) | 2013-06-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102209326B (en) | Malicious behavior detection method and system based on smartphone radio interface layer | |
| CN108605266B (en) | Wireless access control method, device and system | |
| RU2008107084A (en) | METHOD AND PROTOCOL FOR PROCESSING ATTEMPTS FOR GETTING ACCESS FOR A COMMUNICATION SYSTEM | |
| CN106162714A (en) | A kind of calling information processing method and processing device | |
| CN105722090A (en) | Control method and device for automatically identifying pseudo base station | |
| CN104243727A (en) | System and method for performing big data analysis confirmation and interception on phone scams | |
| CN103108320A (en) | Method and system for monitoring application program of mobile device | |
| CN101459718A (en) | Rubbish voice filtering method based on mobile communication network and system thereof | |
| CN104683965A (en) | Interception method and equipment for spam short messages of pseudo base station | |
| CN113206814A (en) | Network event processing method and device and readable storage medium | |
| CN103813329A (en) | Capability calling method and capability opening system | |
| CN103139740B (en) | The identification of a kind of illegal signaling, processing method and device | |
| CN104955171A (en) | Method and device for controlling establishment of mobile communication network connection | |
| CN106658509A (en) | Countering method and equipment for invalid wireless access points and wireless local area network | |
| CN103733581B (en) | Message processing method and base station | |
| CN105557045A (en) | Access network node, core network node and paging method | |
| CN102098640B (en) | Method, device and system for distinguishing and stopping equipment from sending SMS (short messaging service) spam | |
| CN106572482B (en) | Parameter configuration method and device and core network self-configuration self-optimization platform | |
| CN101848495A (en) | Random access processing method and processing system | |
| CN103906167B (en) | The connection control method and device of a kind of user equipment | |
| CN101771757A (en) | Method for detecting and intercepting nuisance calls | |
| CN105656912A (en) | Mobile intelligent terminal APP request process control method | |
| CN102905241A (en) | USSD (Unstructured Supplementary Service Data) server, HLR (Home Location Register) server, and call forwarding method based on USSD | |
| CN105577634B (en) | A kind of processing method and user terminal of the failure of encrypted word connection setup | |
| CN105430623A (en) | Monitoring method, device and system for RCS junk message |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |