CN104144417B - Mobile Internet user number reverse lookup method, device and system

Publication number: CN104144417B
Authority: CN (China)
Application number: CN201310170495.8A
Original language: Chinese (zh)
Other versions: CN104144417A
Inventors: 沈平, 程青松, 肖江浩
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Legal status: Active

Abstract

The invention discloses a mobile Internet user number reverse lookup method, device and system, and relates to the field of mobile Internet. Accounting request messages are filtered out of all the Radius messages sent and received by an AAA server; the user's IP address and MDN number are obtained from the accounting request message; a database operation is performed on the user's IP address and MDN number according to the type of the accounting request message; number reverse-lookup requests sent by SP sites are monitored, each containing the IP address to be looked up; according to that IP address, the corresponding MDN number is found among the records of user IP addresses and MDN numbers stored in the database and returned to the SP site, so that the SP site can provide secondary verification of WAP logins or authentication-free automatic login in NET mode. The invention can ensure the security of user information under WAP access, or realize authentication-free automatic login under NET access.

Description

Mobile Internet user number reverse lookup method, device and system
Technical field
The present invention relates to the field of mobile Internet services in mobile communication, and more particularly to a mobile Internet user number reverse lookup method, device and system.
Background art
With the spread of 3G networks and smart terminals, mobile Internet services are growing rapidly, and users' expectations of the service experience are rising as well. Operators are therefore all working to improve service quality and user experience in the mobile Internet field, and the security and convenience of mobile Internet services are two important aspects of this.
At present, operators' mobile Internet access is generally divided into two modes: the WAP (Wireless Application Protocol) mode and the NET mode.
1. WAP mode
The mobile packet domain network element assigns the user a private network address (for example from the 10.0.0.0/8 address range). The WAP gateway maps the user's private source IP address to a public network address, which enables access to and interaction with SP (service provider) sites on the Internet.
In this process, the AAA (authentication, authorization and accounting) server forwards accounting messages to the WAP gateway. The WAP gateway parses these messages to obtain user information such as the user's MDN number (Mobile Directory Number) and source IP address. When the user's HTTP request reaches the WAP gateway, the gateway inserts the corresponding user information into the HTTP request, which is forwarded to the SP site after NAT (network address translation) by the firewall. The SP site uses the user information in the HTTP header to implement functions such as authentication-free automatic login.
If the SP site does not restrict the address from which user requests arrive (the address after firewall NAT), but implements authentication-free automatic login directly from the user information carried in the HTTP message, there is a considerable security risk. A hacker can forge an HTTP message containing the relevant fields and, through authentication-free automatic login, obtain the user's private information, for example by logging in to the user's mailbox or mobile business hall, or even carry out illegal operations in this way, causing significant harm to the user's interests.
If the SP site, for security reasons, restricts the addresses from which user requests may arrive, then every time the WAP gateway adds an address range or pool, all related SP sites must in theory be notified, otherwise users may be unable to log in normally. This is not practical to operate.
2. NET mode
The mobile packet domain network element assigns the user a public network address, so the user can interact directly with SP sites on the Internet.
In this process, the user's request does not pass through a proxy server (such as a WAP gateway) or similar network element, but is sent directly to the SP site through the packet domain and the bearer network. It cannot carry information such as the user's number, so authentication-free automatic login cannot be implemented. The user has to enter the user name and password at every login, which is inconvenient, and the same Internet service is perceived inconsistently between WAP mode and NET mode.
Summary of the invention
One technical problem to be solved by the embodiments of the present invention is to provide a mobile Internet user number reverse lookup method, device and system that ensure the security of user information in WAP mode, or realize authentication-free automatic login in NET mode.
One aspect of the embodiments of the present invention provides a mobile Internet user number reverse lookup method, including: obtaining, by optical splitting, all Radius (Remote Authentication Dial-In User Service) messages sent and received by an authentication, authorization and accounting (AAA) server, and filtering accounting request messages out of the Radius messages; obtaining the user's IP address and MDN number from the accounting request message; performing a database operation on the user's IP address and MDN number according to the type of the accounting request message; monitoring a reverse-lookup interface and obtaining from it a number reverse-lookup request of a service provider site, the request containing the IP address that the service provider site needs looked up; and, according to that IP address, finding the corresponding MDN number among the records of user IP addresses and MDN numbers stored in the database and returning the found MDN number to the service provider site, so that the service provider site provides secondary verification of WAP logins or authentication-free automatic login in NET mode.
Another aspect of the embodiments of the present invention provides a mobile Internet user number reverse-lookup device, including: a Radius receiving and verification module, configured to obtain, by optical splitting, all Remote Authentication Dial-In User Service (Radius) messages sent and received by the authentication, authorization and accounting (AAA) server, and to filter accounting request messages out of the Radius messages; a Radius processing module, configured to obtain the user's IP address and Mobile Directory Number (MDN) from the accounting request message, and to perform a database operation on the user's IP address and MDN number according to the type of the accounting request message; and an external number reverse-lookup module, configured to monitor the reverse-lookup interface, obtain from it a number reverse-lookup request of a service provider site, the request containing the IP address that the service provider site needs looked up, find, according to that IP address, the corresponding MDN number among the records of user IP addresses and MDN numbers stored in the database, and return the found MDN number to the service provider site, so that the service provider site provides secondary verification of Wireless Application Protocol (WAP) logins or authentication-free automatic login in NET mode.
A further aspect of the embodiments of the present invention provides a mobile Internet user number reverse-lookup system, including the reverse-lookup device described above and a service provider site. The service provider site is configured to send a number reverse-lookup request to the reverse-lookup device, the request containing the IP address that the service provider site needs looked up, and to provide secondary verification of Wireless Application Protocol (WAP) logins or authentication-free automatic login in NET mode according to the MDN number returned by the lookup.
The present invention obtains, by optical splitting, all Radius messages sent and received by the AAA server, filters accounting request messages out of them, obtains the user's IP address and MDN number from each accounting request message, and then performs a database operation on them according to the type of the accounting request message. This builds a mapping table of user IP addresses and MDN numbers in the database, which is the basis for subsequent reverse lookups by SP sites. For WAP mode, the reverse-lookup device can provide the true IP-to-MDN correspondence, with which the SP site implements secondary verification; this prevents a hacker from logging in automatically by means such as message forgery and thereby obtaining user information, and so ensures the security of user information. For NET mode, the reverse-lookup device can provide the true IP-to-MDN correspondence, and the SP site implements authentication-free automatic login based on the MDN returned by the lookup. This makes services more convenient to use and makes the experience consistent across access modes: whether the user goes online in WAP mode or in NET mode, the user name and password need not be entered repeatedly; they are entered once, and subsequent logins are automatic.
Further features and advantages of the present invention will become apparent from the following detailed description of exemplary embodiments with reference to the drawings.
Brief description of the drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of one embodiment of the mobile Internet user number reverse-lookup system of the present invention.
Fig. 2 is a flow diagram of one embodiment of the mobile Internet user number reverse lookup method of the present invention.
Fig. 3 is a flow diagram of Radius reception and verification in the present invention.
Fig. 4 is a flow diagram of Radius processing in the present invention.
Fig. 5 is a flow diagram of cache database operations in the present invention.
Fig. 6 is a flow diagram of a call to the number reverse-lookup interface in the present invention.
Fig. 7 is a structural diagram of one embodiment of the mobile Internet user number reverse-lookup device of the present invention.
Fig. 8 is a structural diagram of another embodiment of the mobile Internet user number reverse-lookup device of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. The following description of at least one exemplary embodiment is merely illustrative and in no way limits the present invention or its application or use. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set out in these embodiments do not limit the scope of the present invention.
It should also be understood that, for ease of description, the sizes of the parts shown in the drawings are not drawn to actual scale.
Techniques, methods and equipment known to a person of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they should be regarded as part of the granted specification.
In all the examples shown and discussed here, any specific value should be interpreted as merely exemplary and not as a limitation. Other examples of the exemplary embodiments may therefore have different values.
Note that similar reference numerals and letters denote similar items in the following drawings, so once an item has been defined in one drawing it need not be discussed further in subsequent drawings.
In the present invention, the mobile Internet user number reverse-lookup system may be called the reverse-lookup system for short, the mobile Internet user number reverse-lookup device may be called the reverse-lookup device, and the mobile Internet user number reverse lookup method may be called the reverse lookup method.
Fig. 1 is a structural diagram of one embodiment of the mobile Internet user number reverse-lookup system of the present invention.
As shown in Fig. 1, the reverse-lookup system 10 of this embodiment may include a mobile Internet user number reverse-lookup device 101 and a service provider site 102, which exchange information through the reverse-lookup interface. Depending on the access mode, the reverse-lookup system 10 may include further equipment. Under WAP access, it may also include a proxy server 103, an AAA server 104 and the mobile packet domain network element PDSN (Packet Data Serving Node) 105, where the proxy server 103 may for example be a WAP gateway and the PDSN 105 is the entry point for the user's mobile Internet access. Under NET access, the reverse-lookup system 10 may also include the PDSN 105, which can exchange information with the SP site directly over the bearer network without passing through the proxy server 103.
Each piece of equipment is introduced below.
Mobile Internet user number reverse-lookup device 101: obtains Radius messages by optical splitting, extracts the user's IP and MDN information according to rules, and interacts with SP sites to implement secondary verification of user logins in WAP mode and authentication-free automatic login in NET mode. Here, authentication-free automatic login means that after the user has logged in to the system by entering a user name and password, subsequent logins to the system do not require the user name and password to be entered again.
Under WAP access, the service provider site 102, when providing secondary verification of WAP logins according to the MDN number returned by the reverse lookup, may specifically be used to: receive the HTTP request forwarded by the proxy server, which includes the user's IP address and MDN number obtained by the proxy server from the accounting message; take the user's IP address in the HTTP request as the IP address to be looked up, carry it in a number reverse-lookup request and perform the reverse lookup to obtain an MDN number; and compare the MDN number in the HTTP request with the MDN number returned by the lookup and, if the two are consistent, implement authentication-free automatic login with the MDN number in the HTTP request.
Under NET access, the service provider site 102, when providing authentication-free automatic login in NET mode according to the MDN number returned by the reverse lookup, may specifically be used to: receive the user request routed by public network IP address; take the public network IP address in the user request as the IP address to be looked up, carry it in a number reverse-lookup request and perform the reverse lookup to obtain an MDN number; and implement authentication-free automatic login according to the MDN number returned by the lookup.
Proxy server (such as a WAP gateway) 103: acts as the proxy server through which users access SP sites in WAP mode. On the one hand it processes users' HTTP requests; on the other hand it performs format conversion of content such as pictures and text. It can also be used for network address translation, mapping private network addresses to public network addresses.
AAA server 104: interacts with the PDSN and completes user access authentication through messages such as PAP/CHAP. It also receives the accounting messages sent by the PDSN, performs accounting for the user's mobile Internet access, and is responsible for forwarding the corresponding messages to peripheral network elements such as the OCS and the WAP gateway.
Mobile packet domain network element PDSN 105: the entry point for the user's mobile Internet access. It is responsible for establishing the PPP connection with the user terminal, interacts with the AAA server for access authentication, assigns the user an IP address and, as the source of accounting messages, sends the relevant messages to the AAA server. In NET mode, the PDSN routes the user's request directly to the SP site over the bearer network to complete the user's access request.
Based on the reverse-lookup system above, the mobile Internet user number reverse lookup method is described below.
Fig. 2 is a flow diagram of one embodiment of the mobile Internet user number reverse lookup method of the present invention.
As shown in Fig. 2, the reverse lookup method of this embodiment comprises the following steps:
Step 201, the reverse-lookup device obtains, by optical splitting, all Radius messages sent and received by the AAA server, and filters accounting request messages out of the Radius messages.
One way to filter accounting request messages out of the Radius messages is: according to the preset IP addresses of the packet data serving nodes (PDSN), extract the valid Radius messages from all the Radius messages obtained by optical splitting; then filter on the code field of the valid Radius messages. If the code field is 4, the Radius message is an accounting request message.
One way to extract the valid Radius messages is: match the source IP address of every Radius message obtained by optical splitting against the preset PDSN IP addresses. If the match succeeds, the Radius message is valid and is extracted; if the match fails, the Radius message is discarded.
Step 202, the reverse-lookup device obtains the user's IP address and MDN number from the accounting request message.
One way to obtain the user's IP address and MDN number from the accounting request message is: classify accounting request messages by the Acct-Status-Type field into accounting start messages, accounting stop messages and interim accounting messages, where the Acct-Status-Type of an accounting start message is 1, that of an accounting stop message is 2, and that of an interim accounting message is any value other than 1 and 2. For an accounting start or accounting stop message, extract the Framed-IP-Address and Calling-Station-Id fields from the message, where the Framed-IP-Address field represents the IP address that the PDSN assigned to the user and the Calling-Station-Id field represents the user's MDN number. An interim accounting message can be discarded, and the records in the database are not updated for it.
Step 203, the reverse-lookup device performs a database operation on the user's IP address and MDN number according to the type of the accounting request message.
One way to perform the database operation on the user's IP address and MDN number according to the type of the accounting request message is:
If the accounting request message is an accounting start message, check whether the database holds a record of the user's IP address or MDN number. If it does, delete the old record and insert a new record containing the user's IP address and MDN number. If it does not, insert a new record containing the user's IP address and MDN number.
If the accounting request message is an accounting stop message, check whether the database holds a record of the user's IP address or MDN number. If it does, delete the old record. If it does not, perform no operation on the database.
Step 204, the reverse-lookup device monitors the reverse-lookup interface and obtains from it a number reverse-lookup request of a service provider site, the request containing the IP address that the service provider site needs looked up.
Step 205, according to that IP address, the reverse-lookup device finds the corresponding MDN number among the records of user IP addresses and MDN numbers stored in the database, and returns the found MDN number to the service provider site, so that the service provider site provides secondary verification of WAP logins or authentication-free automatic login in NET mode.
The reverse-lookup device holds a built-in list of legal SP sites that are entitled to perform reverse lookups. The list can be synchronized to the reverse-lookup device by manual entry through a web interface or by REQ file. Before performing a reverse lookup, the device can compare the source IP address of the number reverse-lookup request with the list of legal SP sites. If the source IP address is in the list, the request is a legal number reverse-lookup request; if it is not in the list, the request is an illegal number reverse-lookup request and can be discarded.
The way in which the service provider site provides secondary verification of WAP logins, and the way in which it provides authentication-free automatic login in NET mode, are as described above and are not repeated here.
The reverse lookup method above can be further subdivided into a Radius reception and verification flow, a Radius processing flow, a cache database operation flow and a number reverse-lookup interface call flow. To make the present invention clearer, each is introduced below.
Fig. 3 is a flow diagram of Radius reception and verification in the present invention. As shown in Fig. 3, the Radius reception and verification flow comprises the following steps:
Step 301, an optical splitting device is inserted between the AAA server and the core router, through which the reverse-lookup device obtains all Radius messages sent and received by the AAA server.
Step 302, the source IP addresses of all mobile network core PDSN equipment are preset in the reverse-lookup device as the basis for extracting valid Radius messages. The reverse-lookup device reads the preset PDSN IP addresses and verifies the validity of the Radius messages.
Step 303, the reverse-lookup device matches the source IP address of every Radius message obtained by optical splitting against the preset IP addresses of the PDSN equipment.
Step 304A, if the match succeeds, the message was sent by a PDSN; such messages include PDSN authentication request messages, accounting request messages and so on.
Step 304B, if the match fails, the message was not sent by a PDSN; it has no bearing on subsequent queries or changes to the cache database and is discarded directly.
Either step 304A or step 304B is performed after step 303. After step 304A, step 305 is performed; after step 304B, the flow ends.
Step 305, for the Radius messages sent by a PDSN, the reverse-lookup device filters on the code field of the message, checking whether the code field of the Radius message is 4. Either step 306A or step 306B is performed after step 305.
Step 306A, if the code value is 4, the message is a valid accounting request message (Accounting-Request message).
Step 306B, if the code value is not 4, the message is an invalid message of another type, such as an authentication request message, and is discarded directly.
Fig. 4 is a flow diagram of Radius processing in the present invention. As shown in Fig. 4, the Radius processing flow comprises the following steps:
Step 401, the reverse-lookup device identifies the type of the accounting request message.
Step 402, the reverse-lookup device can classify accounting request messages by the Acct-Status-Type field into accounting start messages, accounting stop messages and interim accounting messages. Specifically, the Acct-Status-Type of an accounting start message is 1, that of an accounting stop message is 2, and that of an interim accounting message is any value other than 1 and 2.
Step 403A, if the message is an accounting start or accounting stop message, the reverse-lookup device extracts its Framed-IP-Address and Calling-Station-Id fields, which represent, respectively, the IP address that the PDSN assigned to the user and the user's MDN number.
Step 403B, if the message is an interim accounting message, the reverse-lookup device discards it, and the records in the database are not subsequently updated for it.
Either step 403A or step 403B is performed after step 402; step 404 can be performed after step 403A.
Step 404, the reverse-lookup device performs a database operation on the extracted IP address and MDN number of the user. The database can be a cache database, and the corresponding database operations include insertion, deletion and lookup, as detailed below.
Fig. 5 is a flow diagram of cache database operations in the present invention. As shown in Fig. 5, the cache database operation flow comprises the following steps:
Step 501, the reverse-lookup device handles accounting request messages according to their type.
Step 502, according to whether the Acct-Status-Type field is "1", the reverse-lookup device distinguishes accounting start messages from accounting stop messages and performs a different cache database operation for each.
Either step 503A or step 503B is performed after step 502.
Step 503A, if Acct-Status-Type is 1, the message is an accounting start message, and the reverse-lookup device searches the existing cache database using the extracted IP and MDN, each as a key.
Step 504A, the reverse-lookup device determines whether the database holds a record of the MDN number or the IP address.
Step 505A1, if the database holds a record of the MDN number or the IP address, this is the newest accounting start message and the existing database needs updating: the old record is deleted and a new record containing the MDN number and IP address is inserted into the database.
Step 505A2, if the database holds no record of the MDN number or the IP address, a new record containing the MDN number and IP address is inserted into the database.
Step 503B, if Acct-Status-Type is not 1 (given the foregoing, the value can then only be 2), the message is an accounting stop message, and the reverse-lookup device searches the existing cache database using the extracted IP and MDN, each as a key.
Step 504B, the reverse-lookup device determines whether the database holds a record of the MDN number or the IP address.
Step 505B1, if the database holds a record of the MDN number or the IP address, this is the newest accounting stop message, so the old record is deleted to keep "dirty" data from affecting number reverse lookups.
Step 505B2, if the database holds no record of the MDN number or the IP address, there is no corresponding entry in the database, and no operation is performed on the database in this case.
At this point the cache database has been updated according to the PDSN's accounting request messages, and can provide the corresponding result for an SP site's reverse-lookup request.
The basic structure of the cache database is shown in the following table:

MDN number     IP address
13301010101    100.0.0.6
13301010102    100.0.0.7
13301010103    100.0.0.8
......         ......
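
The reception, processing and cache-update flows of Figs. 3 to 5, implemented over raw RADIUS datagrams. This is an added example, not code from the patent: the attribute numbers are the standard RADIUS ones (Framed-IP-Address 8, Calling-Station-Id 31, Acct-Status-Type 40), while the PDSN address, the function and class names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

ACCOUNTING_REQUEST = 4        # RADIUS code field of an Accounting-Request
ATTR_FRAMED_IP = 8            # Framed-IP-Address: IP the PDSN gave the user
ATTR_CALLING_STATION_ID = 31  # Calling-Station-Id: carries the user's MDN
ATTR_ACCT_STATUS_TYPE = 40    # Acct-Status-Type: 1 = start, 2 = stop
ACCT_START, ACCT_STOP = 1, 2
PDSN_ADDRESSES = {"192.0.2.10"}  # preset PDSN list (constructed sample value)


def parse_radius(packet):
    """Return (code, {attr_type: value}) or raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])  # keep first
        pos += a_len
    return code, attrs


class MappingCache:
    """IP <-> MDN records, indexed both ways so either key finds a record."""

    def __init__(self):
        self.by_ip, self.by_mdn = {}, {}

    def _delete_matching(self, ip, mdn):
        # Remove any record that holds this IP or this MDN (Fig. 5).
        old_mdn = self.by_ip.pop(ip, None)
        if old_mdn is not None:
            self.by_mdn.pop(old_mdn, None)
        old_ip = self.by_mdn.pop(mdn, None)
        if old_ip is not None:
            self.by_ip.pop(old_ip, None)

    def on_start(self, ip, mdn):
        self._delete_matching(ip, mdn)
        self.by_ip[ip], self.by_mdn[mdn] = mdn, ip

    def on_stop(self, ip, mdn):
        self._delete_matching(ip, mdn)

    def lookup(self, ip):
        return self.by_ip.get(ip)


def handle_packet(cache, src_ip, packet):
    """Apply the Fig. 3-5 checks to one mirrored datagram; return the action."""
    if src_ip not in PDSN_ADDRESSES:          # steps 303/304B
        return "drop:not-pdsn"
    try:
        code, attrs = parse_radius(packet)
    except ValueError:
        return "drop:malformed"
    if code != ACCOUNTING_REQUEST:            # steps 305/306B
        return "drop:not-accounting"
    status_raw = attrs.get(ATTR_ACCT_STATUS_TYPE, b"")
    if len(status_raw) != 4:
        return "drop:malformed"
    status = struct.unpack("!I", status_raw)[0]
    if status not in (ACCT_START, ACCT_STOP):  # step 403B
        return "drop:interim"
    ip_raw = attrs.get(ATTR_FRAMED_IP, b"")
    mdn_raw = attrs.get(ATTR_CALLING_STATION_ID, b"")
    if len(ip_raw) != 4 or not mdn_raw:
        return "drop:malformed"
    ip = str(ipaddress.IPv4Address(ip_raw))
    mdn = mdn_raw.decode("ascii", "replace")
    if status == ACCT_START:                  # steps 503A-505A
        cache.on_start(ip, mdn)
        return "start"
    cache.on_stop(ip, mdn)                    # steps 503B-505B
    return "stop"


def build_packet(code, status, ip, mdn):
    """Build a constructed RADIUS packet (authenticator zeroed) for the demo."""
    attrs = (
        bytes([ATTR_ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
        + bytes([ATTR_FRAMED_IP, 6]) + ipaddress.IPv4Address(ip).packed
        + bytes([ATTR_CALLING_STATION_ID, 2 + len(mdn)]) + mdn.encode("ascii")
    )
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    cache = MappingCache()
    pkt = build_packet(ACCOUNTING_REQUEST, ACCT_START, "100.0.0.6", "13301010101")
    print(handle_packet(cache, "192.0.2.10", pkt), cache.lookup("100.0.0.6"))
```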
Fig. 6 is a schematic flowchart of the number reverse lookup interface call of the present invention. As shown in Fig. 6, the number reverse lookup interface call flow comprises the following steps:
Step 601, the reverse lookup device listens on the API query interface and obtains a number reverse lookup request from an SP website.
Step 602, the reverse lookup device has a built-in list of legitimate SP websites that are qualified to perform reverse lookups; the list can be synchronized to the reverse lookup device by manual addition via WEB or by REQ file. The list of legitimate SP websites is read, and the number reverse lookup request is checked for legitimacy.
Step 603, the reverse lookup device compares the source IP address of the number reverse lookup request with the list of legitimate SP websites to determine whether the request is a legitimate number reverse lookup request.
Step 604A, if the source IP address of the number reverse lookup request is in the list of legitimate SP websites, the request is a legitimate number reverse lookup request, and the reverse lookup device searches the records of user IP addresses and MDNs stored in the database for the MDN corresponding to the IP address in the request.
Step 604B, if the source IP address of the number reverse lookup request is not in the list of legitimate SP websites, the request is an illegitimate number reverse lookup request and the reverse lookup device discards it directly; for security reasons, the query request can also be logged to facilitate system audit and statistical analysis.
Step 605, the reverse lookup device determines whether an MDN corresponding to the IP address in the request has been found.
Step 606A, if an MDN corresponding to the IP address in the request is found, the result is returned to the SP website through the reverse lookup interface.
Step 606B, if no MDN corresponding to the IP address in the request is found, a null record can be returned through the reverse lookup interface.
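The cache update in steps 503A to 505B2 and the reverse lookup interface in steps 601 to 606B, as an added Python example that is not code from the patent: it parses Accounting-Request packets, applies start and stop messages to an IP-to-MDN cache, and answers lookups only for listed SP addresses. The function and class names, the PDSN address 10.1.1.1 and the SP address 203.0.113.10 are assumptions; the attribute numbers come from RFC 2865 and RFC 2866.

```python
import ipaddress
import struct

# RADIUS numbers from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_STATUS_TYPE = 8, 31, 40
START, STOP = 1, 2

# Constructed sample configuration (assumptions, not values from the patent)
PDSN_ADDRS = {"10.1.1.1"}          # preset PDSN source addresses
LEGIT_SP_ADDRS = {"203.0.113.10"}  # SP websites allowed to query


def parse_accounting(src_ip, packet):
    """Return (status, ip, mdn) for a Start/Stop Accounting-Request sent by
    a known PDSN; return None for anything else (the message is ignored)."""
    if src_ip not in PDSN_ADDRS or len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return None
    attrs, pos = {}, 20  # attributes follow the 20-byte header as type/len/value
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None  # malformed attribute: drop the whole message
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    if pos != length:
        return None  # trailing byte that is not a complete attribute
    status_raw = attrs.get(ACCT_STATUS_TYPE, b"")
    ip_raw = attrs.get(FRAMED_IP_ADDRESS, b"")
    mdn_raw = attrs.get(CALLING_STATION_ID, b"")
    # Assumption: the MDN is a string of ASCII digits, as in the table above
    if len(status_raw) != 4 or len(ip_raw) != 4 or not mdn_raw.isdigit():
        return None
    status = struct.unpack("!I", status_raw)[0]
    if status not in (START, STOP):
        return None  # interim updates do not change the mapping
    return status, str(ipaddress.IPv4Address(ip_raw)), mdn_raw.decode("ascii")


class ReverseLookupCache:
    """IP <-> MDN cache updated per steps 503A-505B2, queried per 601-606B."""

    def __init__(self):
        self.by_ip, self.by_mdn, self.audit_log = {}, {}, []

    def apply(self, status, ip, mdn):
        # Steps 504/505: delete any record matching the IP *or* the MDN, so a
        # re-assigned address never keeps pointing at the previous subscriber.
        old_mdn = self.by_ip.pop(ip, None)
        if old_mdn is not None:
            self.by_mdn.pop(old_mdn, None)
        old_ip = self.by_mdn.pop(mdn, None)
        if old_ip is not None:
            self.by_ip.pop(old_ip, None)
        if status == START:  # a Stop only deletes; a Start inserts the new pair
            self.by_ip[ip], self.by_mdn[mdn] = mdn, ip

    def lookup(self, requester_ip, queried_ip):
        """Return ("dropped", None), ("ok", mdn) or ("ok", None)."""
        if requester_ip not in LEGIT_SP_ADDRS:
            # Step 604B: discard the request but keep it for audit
            self.audit_log.append((requester_ip, queried_ip))
            return ("dropped", None)
        return ("ok", self.by_ip.get(queried_ip))  # None is the null record


def build_packet(status, ip, mdn, code=ACCOUNTING_REQUEST):
    """Build a constructed sample packet; the 16-byte authenticator is zeroed
    because this example does not verify it."""
    attrs = (bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
             + bytes([FRAMED_IP_ADDRESS, 6]) + ipaddress.IPv4Address(ip).packed
             + bytes([CALLING_STATION_ID, 2 + len(mdn)]) + mdn.encode("ascii"))
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs


def demo():
    """Replay a constructed capture (source address, packet) into a cache."""
    pdsn = "10.1.1.1"
    feed = [
        (pdsn, build_packet(START, "100.0.0.6", "13301010101")),
        ("10.9.9.9", build_packet(START, "100.0.0.6", "13309999999")),  # not a PDSN
        (pdsn, build_packet(START, "100.0.0.7", "13301010102", code=1)),  # not code 4
        (pdsn, build_packet(3, "100.0.0.8", "13301010103")),  # interim update
        (pdsn, build_packet(STOP, "100.0.0.6", "13301010101")),
        (pdsn, build_packet(START, "100.0.0.6", "13301010102")),  # address re-used
    ]
    cache = ReverseLookupCache()
    for src_ip, packet in feed:
        parsed = parse_accounting(src_ip, packet)
        if parsed is not None:
            cache.apply(*parsed)
    return cache


if __name__ == "__main__":
    print(demo().lookup("203.0.113.10", "100.0.0.6"))
```
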
In addition, based on the IP and MDN query function, a corresponding API interface can be reserved for subsequent docking with marketing systems such as CRM (CRM system) and BSS (business support system). Once the interfaces with CRM and BSS are connected, corresponding field codes can be added to provide SPs with more user attributes, making it easier for legitimately authorized websites to offer users richer personalized services.
Fig. 7 is a schematic structural diagram of one embodiment of the mobile Internet access subscriber number reverse lookup device of the present invention.
As shown in Fig. 7, the reverse lookup device includes: Radius receiving and verification module 701, Radius processing module 702, and external number reverse lookup module 703.
Radius receiving and verification module 701, for obtaining, through optical splitting, all Remote Authentication Dial-In User Service (Radius) messages sent and received by the authentication, authorization and accounting (AAA) server, and filtering the accounting request messages out of the Radius messages;
Radius processing module 702, for obtaining the user's IP address and Mobile Directory Number (MDN) from the accounting request message, and performing database operations on the user's IP address and MDN according to the type of the accounting request message;
External number reverse lookup module 703, for listening on the reverse lookup interface and obtaining from it a number reverse lookup request from a service provider website, the request containing the IP address that the service provider website needs to reverse-look-up; and, according to that IP address, finding the corresponding MDN in the records of user IP addresses and MDNs stored in the database and returning the MDN found to the service provider website, so that the service provider website can provide secondary verification of WAP logins or authentication-free automatic login in NET mode.
Fig. 8 is a schematic structural diagram of another embodiment of the mobile Internet access subscriber number reverse lookup device of the present invention.
As shown in Fig. 8, Radius receiving and verification module 701 includes: message receiving submodule 7011, validity verification submodule 7012 and message type identification submodule 7013.
Message receiving submodule 7011, for obtaining, through optical splitting, all Remote Authentication Dial-In User Service (Radius) messages sent and received by the authentication, authorization and accounting (AAA) server;
Validity verification submodule 7012, for extracting the valid Radius messages from all the Radius messages obtained by optical splitting, according to the preset IP address of the packet data serving node (PDSN);
Message type identification submodule 7013, for filtering on the code field of the valid Radius messages: if the code field is 4, the Radius message is an accounting request message.
Specifically, validity verification submodule 7012 matches the source IP address of every Radius message obtained by optical splitting against the preset IP address of the packet data serving node (PDSN); if the match succeeds, the Radius message is a valid Radius message and is extracted; if the match fails, the Radius message is discarded.
As shown in Fig. 8, Radius processing module 702 includes: accounting type identification submodule 7021, accounting processing submodule 7022 and database operation submodule 7023.
Accounting type identification submodule 7021, for classifying accounting request messages, according to the Acct-Status-Type field, into accounting start messages, accounting stop messages and interim accounting messages;
Accounting processing submodule 7022, for extracting, from accounting start messages or accounting stop messages, the Framed-IP-Address field and the Calling-Station-Id field, where the Framed-IP-Address field indicates the IP address that the PDSN assigned to the user and the Calling-Station-Id field indicates the user's MDN;
Database operation submodule 7023, for performing database operations on the user's IP address and MDN according to the type of the accounting request message.
Specifically, database operation submodule 7023 is used as follows:
If the accounting request message is an accounting start message, check whether the database contains a record of the user's IP address or MDN; if it does, delete the original record and insert a new record containing the user's IP address and MDN; if it does not, insert a new record containing the user's IP address and MDN;
If the accounting request message is an accounting stop message, check whether the database contains a record of the user's IP address or MDN; if it does, delete the original record; if it does not, perform no operation on the database.
As shown in Fig. 8, external number reverse lookup module 703 includes: external query interface submodule 7031 and database query submodule 7033.
External query interface submodule 7031, for listening on the reverse lookup interface and obtaining from it a number reverse lookup request from a service provider website, the request containing the IP address that the service provider website needs to reverse-look-up;
Database query submodule 7033, for finding, according to the IP address to be reverse-looked-up, the corresponding MDN in the records of user IP addresses and MDNs stored in the database, and returning the MDN found to the service provider website, so that the service provider website can provide secondary verification of WAP logins or authentication-free automatic login in NET mode.
As shown in Fig. 8, external number reverse lookup module 703 optionally further includes: query address legitimacy verification submodule 7032 and/or log recording submodule 7034.
Query address legitimacy verification submodule 7032, for comparing, before the database query submodule performs the reverse lookup, the source IP address of the number reverse lookup request with the list of legitimate SP websites; if the source IP address is in the list, the request is a legitimate number reverse lookup request; if it is not in the list, the request is an illegitimate number reverse lookup request and can be discarded.
Log recording submodule 7034, for recording information related to the reverse lookup process, to facilitate system audit and statistical analysis.
The mobile Internet access subscriber number reverse lookup method, device and system provided by the embodiments of the present invention obtain, through optical splitting, all Radius messages sent and received by the AAA server, filter the accounting request messages out of the Radius messages, obtain the user's IP address and MDN from the accounting request messages, and then perform database operations on the user's IP address and MDN according to the type of the accounting request message, thereby building in the database a mapping table between user IP addresses and MDNs, which provides the basis for subsequent reverse lookups by SP websites. For the WAP mode, the reverse lookup device can provide the real IP-to-MDN correspondence so that the SP website can perform secondary verification, which prevents hackers from logging in automatically by means such as message forgery and then obtaining user information, and thereby safeguards the security of user information. For the NET mode, the reverse lookup device can provide the real IP-to-MDN correspondence, and the SP website performs authentication-free automatic login according to the MDN found by the reverse lookup, which makes the service more convenient to use and keeps the service experience consistent across access modes: whether surfing via WAP or via NET, the user does not need to enter a user name and password repeatedly, and a single entry is enough for subsequent authenticated automatic logins.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments can be implemented in hardware, or by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and the storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (13)

1. A mobile Internet access subscriber number reverse lookup method, comprising:
Obtaining, through optical splitting, all Remote Authentication Dial-In User Service (Radius) messages sent and received by the authentication, authorization and accounting (AAA) server, and filtering the accounting request messages out of the Radius messages;
Obtaining the user's IP address and Mobile Directory Number (MDN) from the accounting request message;
Performing database operations on the user's IP address and MDN according to the type of the accounting request message;
Listening on the reverse lookup interface and obtaining from it a number reverse lookup request from a service provider website, the number reverse lookup request containing the IP address that the service provider website needs to reverse-look-up;
According to the IP address to be reverse-looked-up, finding the corresponding MDN in the records of user IP addresses and MDNs stored in the database, and returning the MDN found to the service provider website, so that the service provider website provides secondary verification of WAP logins or authentication-free automatic login in NET mode;
Wherein the IP address to be reverse-looked-up is obtained from the Hypertext Transfer Protocol (HTTP) request received by the service provider website, and the service provider website providing secondary verification of WAP logins comprises: the service provider website comparing the MDN in the HTTP request with the MDN found by the reverse lookup and, if the two are consistent, performing authentication-free automatic login according to the MDN in the HTTP request.
2. The method according to claim 1, characterized in that the service provider website providing authentication-free automatic login in NET mode comprises:
The service provider website receiving a user request routed via a public network IP address;
The service provider website taking the public network IP address in the user request as the IP address to be reverse-looked-up, and carrying that IP address in a number reverse lookup request to perform the number reverse lookup and obtain the MDN;
The service provider website performing authentication-free automatic login according to the MDN found by the reverse lookup.
3. The method according to claim 1, characterized in that filtering the accounting request messages out of the Radius messages comprises:
Extracting the valid Radius messages from all the Radius messages obtained by optical splitting, according to the preset IP address of the packet data serving node (PDSN);
Filtering on the code field of the valid Radius messages: if the code field is 4, the Radius message is an accounting request message.
4. The method according to claim 3, characterized in that extracting the valid Radius messages from all the Radius messages obtained by optical splitting, according to the preset IP address of the packet data serving node (PDSN), comprises:
Matching the source IP address of every Radius message obtained by optical splitting against the preset IP address of the packet data serving node (PDSN); if the match succeeds, the Radius message is a valid Radius message and is extracted; if the match fails, the Radius message is discarded.
5. The method according to claim 1, characterized in that obtaining the user's IP address and MDN from the accounting request message comprises:
Classifying accounting request messages, according to the Acct-Status-Type field, into accounting start messages, accounting stop messages and interim accounting messages;
For accounting start messages or accounting stop messages, extracting the Framed-IP-Address field and the Calling-Station-Id field from the message, where the Framed-IP-Address field indicates the IP address that the PDSN assigned to the user and the Calling-Station-Id field indicates the user's MDN.
6. The method according to claim 1, characterized in that performing database operations on the user's IP address and MDN according to the type of the accounting request message comprises:
If the accounting request message is an accounting start message, checking whether the database contains a record of the user's IP address or MDN; if it does, deleting the original record and inserting a new record containing the user's IP address and MDN; if it does not, inserting a new record containing the user's IP address and MDN;
If the accounting request message is an accounting stop message, checking whether the database contains a record of the user's IP address or MDN; if it does, deleting the original record; if it does not, performing no operation on the database.
7. A mobile Internet access subscriber number reverse lookup device, comprising:
A Radius receiving and verification module, for obtaining, through optical splitting, all Remote Authentication Dial-In User Service (Radius) messages sent and received by the authentication, authorization and accounting (AAA) server, and filtering the accounting request messages out of the Radius messages;
A Radius processing module, for obtaining the user's IP address and Mobile Directory Number (MDN) from the accounting request message, and performing database operations on the user's IP address and MDN according to the type of the accounting request message;
An external number reverse lookup module, for listening on the reverse lookup interface and obtaining from it a number reverse lookup request from a service provider website, the number reverse lookup request containing the IP address that the service provider website needs to reverse-look-up; and, according to the IP address to be reverse-looked-up, finding the corresponding MDN in the records of user IP addresses and MDNs stored in the database and returning the MDN found to the service provider website, so that the service provider website provides secondary verification of WAP logins or authentication-free automatic login in NET mode;
Wherein the IP address to be reverse-looked-up is obtained from the Hypertext Transfer Protocol (HTTP) request received by the service provider website, and the service provider website providing secondary verification of WAP logins comprises: the service provider website comparing the MDN in the HTTP request with the MDN found by the reverse lookup and, if the two are consistent, performing authentication-free automatic login according to the MDN in the HTTP request.
8. The device according to claim 7, characterized in that the Radius receiving and verification module comprises:
A message receiving submodule, for obtaining, through optical splitting, all Remote Authentication Dial-In User Service (Radius) messages sent and received by the authentication, authorization and accounting (AAA) server;
A validity verification submodule, for extracting the valid Radius messages from all the Radius messages obtained by optical splitting, according to the preset IP address of the packet data serving node (PDSN);
A message type identification submodule, for filtering on the code field of the valid Radius messages: if the code field is 4, the Radius message is an accounting request message.
9. The device according to claim 8, characterized in that the validity verification submodule is specifically used for matching the source IP address of every Radius message obtained by optical splitting against the preset IP address of the packet data serving node (PDSN); if the match succeeds, the Radius message is a valid Radius message and is extracted; if the match fails, the Radius message is discarded.
10. The device according to claim 7, characterized in that the Radius processing module comprises:
An accounting type identification submodule, for classifying accounting request messages, according to the Acct-Status-Type field, into accounting start messages, accounting stop messages and interim accounting messages;
An accounting processing submodule, for extracting, from accounting start messages or accounting stop messages, the Framed-IP-Address field and the Calling-Station-Id field, where the Framed-IP-Address field indicates the IP address that the PDSN assigned to the user and the Calling-Station-Id field indicates the user's MDN;
A database operation submodule, for performing database operations on the user's IP address and MDN according to the type of the accounting request message.
11. The device according to claim 7, characterized in that the database operation submodule is specifically used as follows:
If the accounting request message is an accounting start message, checking whether the database contains a record of the user's IP address or MDN; if it does, deleting the original record and inserting a new record containing the user's IP address and MDN; if it does not, inserting a new record containing the user's IP address and MDN;
If the accounting request message is an accounting stop message, checking whether the database contains a record of the user's IP address or MDN; if it does, deleting the original record; if it does not, performing no operation on the database.
12. A mobile Internet access subscriber number reverse lookup system, comprising: the mobile Internet access subscriber number reverse lookup device according to any one of claims 7-11 and a service provider website, the service provider website being used for sending to the reverse lookup device a number reverse lookup request containing the IP address that the service provider website needs to reverse-look-up, and for providing, according to the MDN found by the reverse lookup, secondary verification of WAP logins or authentication-free automatic login in NET mode;
Wherein the IP address to be reverse-looked-up is obtained from the Hypertext Transfer Protocol (HTTP) request received by the service provider website, and the service provider website, when providing secondary verification of WAP logins according to the MDN found by the reverse lookup, is specifically used for comparing the MDN in the HTTP request with the MDN found by the reverse lookup and, if the two are consistent, performing authentication-free automatic login according to the MDN in the HTTP request.
13. The system according to claim 12, characterized in that the service provider website, when providing authentication-free automatic login in NET mode according to the MDN found by the reverse lookup, is specifically used for:
Receiving a user request routed via a public network IP address; taking the public network IP address in the user request as the IP address to be reverse-looked-up, and carrying that IP address in a number reverse lookup request to perform the number reverse lookup and obtain the MDN; and performing authentication-free automatic login according to the MDN found by the reverse lookup.
CN201310170495.8A 2013-05-10 2013-05-10 Mobile Internet access Subscriber Number inverse-checking method, device and system Active CN104144417B (en)


Publications (2)

Publication Number Publication Date
CN104144417A CN104144417A (en) 2014-11-12
CN104144417B true CN104144417B (en) 2018-01-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant