CN105187446B - System and method for a home gateway to detect and block users' Internet services - Google Patents
Publication number: CN105187446B (application CN201510633338.5A)
Authority: CN (China)
Legal status: Active
Classifications
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227: Filtering policies
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
Abstract
The invention discloses a system and method for a home gateway to detect and block users' Internet services. The method comprises: the home gateway obtains a feature file and a blacklist file from a management platform; using the feature file, the home gateway detects the relevant services in the packets of a user's Internet traffic, generates the corresponding service record file and returns it to the management platform for storage; at the same time it uses the blacklist file to block specific devices from accessing specific Internet services; and the user queries, through the management platform, the service records of the devices attached to the home gateway. Because the home gateway obtains the feature values and the blacklist of the services to be detected from the management platform, it can detect the type of a user's Internet service and block a particular device from a particular service without its image file having to be upgraded whenever the feature values to be detected change.
Description
Technical field
The present invention relates to home gateways, and in particular to a system and method for a home gateway to detect and block users' Internet services.
Background
With the development of broadband technology and the spread of intelligent terminals, a household now has, besides computers, many other devices that need Internet access, such as smartphones and tablets. The usual way to serve them is a home gateway that connects the various devices and forwards their traffic, so that each of them can use Internet applications.
Internet content is of mixed quality. So that the different devices in a household can use the Internet safely and healthily ("green" Internet access), there is a pressing need to detect and block users' Internet services, for example:
(1) To protect minors in the family, parents want to know which devices have accessed which services, and to block certain devices from certain services;
(2) From the point of view of an operator supporting public-safety bodies, there are also specific situations in which a user's Internet services need to be understood.
In view of the above, the home gateway, as the core device of the home network, needs the ability to detect and block users' Internet services. At present this function is mainly implemented by deep packet inspection (DPI) in the home gateway. However, that implementation is baked into the gateway's image file: whenever a new service appears or an existing feature value changes, the gateway has to be re-flashed with a new image. Upgrading a home gateway from an image is not something every ordinary person can do, so this approach is hard for the mass of home users to apply flexibly.
Therefore the way in which existing home gateways detect and block users' Internet services needs to be improved, so that home users can apply it flexibly.
Summary of the invention
The technical problem to be solved by the invention is to improve the way in which existing home gateways detect and block users' Internet services, so that home users can apply it flexibly.
To solve this problem, the invention provides a method for a home gateway to detect and block users' Internet services, comprising the following steps:
The home gateway obtains a feature file and a blacklist file from the management platform. The feature file is used to detect the relevant services and to grab the relevant keyword fields; the blacklist file is used to block specific devices attached to the home gateway from accessing specific Internet services;
Using the feature file it obtained, the home gateway detects the relevant services in the packets of the user's Internet traffic, generates the corresponding service record file and returns it to the management platform for storage; at the same time it uses the blacklist file to block specific devices from accessing specific Internet services;
The user queries the service records of the devices attached to the home gateway through the management platform.
In the above method, the feature file contains the feature information of the Internet services, and the home gateway detects the relevant services and grabs the relevant keyword fields according to that feature information.
In the above method, the feature file defines the rules for detecting a user's Internet services and has six fields: type, action, protocol, port, count and rule, where:
type is the number of the service being detected; every service has its own type number in the feature file;
action is the way the service is detected, either match or grab;
protocol is the IP protocol number of the service being detected;
port is the transport-layer destination port number of the service being detected;
count is the number of rules needed by the match action, or by the grab action, for the service;
rule is the basis on which the match or grab action is performed.
In the above method, a rule for the match action consists in order of the fields offset, feature length and feature data, meaning that the transport-layer payload must contain, at the given offset, feature data of the given feature length;
a rule for the grab action consists in order of the fields offset, header length and header data, tail length and tail data, meaning that the transport-layer payload, starting at the given offset, must contain the header data of the given header length followed by the tail data of the given tail length, and the data between them is grabbed.
In the above method, the blacklist file blocks specific devices from accessing specific Internet services, the specific device being identified by its source MAC address, as follows:
For a service with the match action, the fields that follow are a number of source MAC fields, meaning that for that class of service, traffic is blocked as long as the source MAC matches any of those fields;
For a service with the grab action, the fields that follow are one source MAC field plus a number of keyword fields, meaning that for that class of service, traffic is blocked if it comes from that source MAC and the grabbed data matches the value of any of the keyword fields.
In the above method, the service record file records, for each device attached to the home gateway and each Internet service it accessed within a given period, the time of the last access, the access frequency, the duration and, for services with grab rules, the grabbed data. Each record is identified by the triple (type, source MAC, grabbed data), where:
the type field is the same as the type in the feature file;
the source MAC field is the MAC address of the device attached to the home gateway;
the last access field is the time the Internet service was last accessed;
the hit count field is the number of times the service detection module of the home gateway detected the Internet service;
the duration field is the duration of the Internet service;
the grabbed data field is the data obtained by the grab action; for the match action this field is empty.
In the above method, the home gateway detects the relevant services in the packets of the user's Internet traffic with the feature file it obtained as follows:
First, a Netlink communication interface is created and a communication hook function is registered;
Then a packet analysis hook function is attached at the NF_BR_PRE_ROUTING hook point of the Linux kernel Netfilter framework, so that every packet from a terminal behind the home gateway is analysed first, with priority, as it is forwarded by the gateway, where:
The communication hook function receives the feature-setting and blacklist-setting messages from the platform interaction module in user space and builds the corresponding match rule list and blacklist list;
The packet analysis hook function analyses every layer-2 frame entering the home gateway: if the frame's features match the feature value of some node in the match rule list, the corresponding Internet service has been detected;
If the service from a given source MAC matches the rule of some node in the blacklist list, the packet is dropped and not forwarded; otherwise it is forwarded, and the detected service information is sent to the platform interaction module in user space.
The invention also provides a system for a home gateway to detect and block users' Internet services, comprising a home gateway and a management platform. The home gateway is provided with a service detection module and a platform interaction module; the management platform is provided with a gateway interaction module, a user database and a user human-machine interface.
The service detection module obtains the feature file and the blacklist file from the management platform and, according to the rules the feature file sets for the different services, detects the relevant services in the packets of the user's Internet traffic, grabs the relevant fields from the packets and passes them back to the platform interaction module. The platform interaction module writes the user service records returned by the service detection module into the service record file and forwards them to the gateway interaction module of the management platform, which updates and saves the relevant contents of the user database. The service detection module blocks specific devices from accessing specific Internet services according to the blacklist file. The user queries the service records of the devices attached to the home gateway through the user human-machine interface.
In the present invention the home gateway uses the feature values and the blacklist file of the services to be detected, obtained from the management platform, to detect the type of a user's Internet service and to block a specific device from a specific Internet service. When the feature value of a service to be detected changes, only the feature file on the management platform needs to be changed; the home gateway then obtains the latest feature values and blacklist file from the management platform, without the gateway image having to be upgraded because the feature values changed, which makes the operation easy for home users.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system of the invention for a home gateway to detect and block users' Internet services;
Fig. 2 is a schematic diagram of the structure of the feature file in the invention;
Fig. 3 is a schematic diagram of the structure of the blacklist file in the invention;
Fig. 4 is a schematic diagram of the structure of the service record file in the invention;
Fig. 5 is a schematic diagram of the structure of the match rule list in the invention;
Fig. 6 is a flowchart of the service detection module generating the match rule list and the blacklist list in the invention;
Fig. 7 is a flowchart of packet analysis in the service detection module in the invention;
Fig. 8 is a flowchart of the blacklist decision in the service detection module in the invention;
Fig. 9 is a schematic diagram of the structure of the service record list of the platform interaction module in the invention;
Fig. 10 is a flowchart of the workflow of the platform interaction module in the invention.
Detailed description of embodiments
The invention provides a system and method for a home gateway to detect and block users' Internet services. Using the feature file and blacklist file of the services to be detected, obtained from the management platform, the home gateway detects the type of a user's Internet service and blocks specific devices from accessing specific Internet services, which avoids the gateway having to upgrade its image file whenever the feature values of the services to be detected change, so that home users can also apply it flexibly. The invention is described in detail below with reference to the drawings and specific embodiments.
As shown in Fig. 1, the system provided by the invention for a home gateway to detect and block users' Internet services comprises a home gateway 10 and a management platform 20.
The management platform 20 is provided with a gateway interaction module 21, a user database 22 and a user human-machine interface 23, where:
The feature file, the blacklist file and the user service records collected by each home gateway over a given period are stored in the user database.
The feature file contains the feature information of the different Internet services and is used to detect the relevant services and grab the relevant keyword fields.
The blacklist file is used to block specific devices attached to the home gateway from accessing specific Internet services.
Through the human-machine interface the user can query the service records of the devices carried by the home gateway over a period of time.
The home gateway 10 is provided with a service detection module 11 and a platform interaction module 12. The home gateway obtains the feature file and the blacklist file from the management platform and, according to the rules the feature file sets for the different services, detects the relevant services in the packets of the user's Internet traffic and passes the relevant fields grabbed from the packets back to the platform interaction module. The platform interaction module writes the user service records returned by the service detection module into the service record file and forwards them to the gateway interaction module of the management platform, which updates and saves the relevant contents of the user database. In addition, the home gateway blocks specific devices from accessing specific Internet services according to the blacklist file: if the service currently being accessed and the corresponding device are on the blacklist, the related packets are dropped directly, which prevents that device from accessing that service.
Each time the home gateway starts, it first checks whether the feature file and the blacklist file on the management platform have been updated. If they have, the home gateway downloads the latest feature file and blacklist file from the management platform after starting, overwrites the original files and then monitors with the latest files; otherwise it does not download them and continues to monitor with the original feature file and blacklist file.
The service record file stores the records of all attached devices that the home gateway has detected accessing Internet services, and the user service records on the management platform are updated in real time (by appending records) through the platform interaction module.
The feature file defines the rules for detecting a user's Internet services and has six fields: type, action, protocol, port, count and rule; different services are identified by different feature values. As shown in Fig. 2, the feature file is described as follows:
"type" is the number of the service being detected;
"action" is one of the two ways of detecting the service, match or grab (in this embodiment 0 denotes match and 1 denotes grab). Match means detecting that the packet payload contains the relevant feature value; grab means detecting that the packet payload contains a pair of feature values and capturing the data in the packet between them;
"protocol" is the IP protocol number of the service being detected;
"port" is the transport-layer destination port number of the service being detected;
"count" is the number of rules needed by the "match action" or by the "grab action" for the service. For ease of description, the maximum "count" in this embodiment is 2.
A rule for the match action consists in order of the fields "offset", "feature length" and "feature data", meaning that the transport-layer payload must contain, at the "offset" position, "feature data" of "feature length".
A rule for the grab action consists in order of the fields "offset", "header length" and "header data", "tail length" and "tail data", meaning that the transport-layer payload, starting at the "offset" position, must contain the "header data" of "header length" followed by the "tail data" of "tail length", and the data between them is grabbed.
The meaning of the rule in the figure for detecting a QQ message field is as follows:
The feature value "1,0,17,8000,2" means that the service's type is 1, the action is match, the protocol is UDP (17), the destination port is 8000 and there are 2 match rules. The first match rule, "0,1,0x02", means: match at offset 0 of the transport-layer payload, keyword length 1, content 0x02. The second match rule, "255,1,0x03", means: match at the tail of the transport-layer payload, length 1, content 0x03. In this embodiment the "offset" field is stored as an unsigned char; the value 255 is reserved to mean "match from the tail", and 0 to 254 are actual offsets.
The meaning of the rule in the figure for detecting the Host field of an HTTP GET message is as follows:
"0,1,6,80,1" means that the service's type is 0, the action is grab, the protocol is TCP (6), the destination port is 80 and there is 1 grab rule. The grab rule "0,8,0x0d,0x0a,0x48,0x6f,0x73,0x74,0x3a,0x20,2,0x0d,0x0a" means: search from offset 0 of the transport-layer payload; the first keyword is 8 bytes long with content "0x0d,0x0a,0x48,0x6f,0x73,0x74,0x3a,0x20" (the bytes of "\r\nHost: "), the second keyword is 2 bytes long with content "0x0d,0x0a" (the bytes of "\r\n"), and the data between this pair of keywords is grabbed.
The above describes only two feature values, one for detecting QQ UDP messages and one for detecting HTTP GET messages and grabbing the Host field; in a specific implementation the feature values and grab fields can be set as needed for different services.
As shown in Fig. 3, the blacklist file is used to block specific devices attached to the home gateway from accessing specific Internet services, the specific device being identified by its source MAC address.
For a service with the match action, the following fields are a number of source MAC fields, meaning that for that class of service, traffic is blocked as long as the source MAC matches any of those fields.
For a service with the grab action, the following fields are one "source MAC" field plus a number of "keyword (KeyString)" fields, meaning that for that class of service, traffic is blocked if it comes from that source MAC and the grabbed data matches the value of any KeyString field.
As shown in Fig. 4, the service record file records, for each device attached to the home gateway and each Internet service it accessed within a given period, the time of the last access, the access frequency, the duration and, for services with grab rules, the grabbed data.
Each record is identified by the triple "type", "source MAC", "grabbed data";
the "type" field is the same as "type" in the feature file of Fig. 2;
the "source MAC" field is the MAC address of the device attached to the home gateway;
the "last access" field is the time the Internet service was last accessed;
the "hit count" field is the number of times the service detection module of the home gateway detected the Internet service, which reflects the user's access frequency;
the "duration" field is the duration of the Internet service, expressed in minutes in this embodiment: if the service detection module detects several messages of the same "type" from the same "source MAC" within one minute, the service is counted as lasting only 1 minute;
the "grabbed data" field is the data obtained by the grab action; for the match action this field is empty.
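The record list keyed by the (type, source MAC, grabbed data) triple, with the one-minute duration rule just described, as the platform interaction module maintains it in the Fig. 10 workflow later in this description. This is an added example in user-space C, not the patent's code: record_t, record_list_t, record_detection and the replayed notification sequence are this example's own, and the way the "last timing time" intermediate is advanced (a further minute is counted only once 60 seconds have passed since the last counted minute) is an assumption, since the page does not spell it out.

```c
/* Added example, not the patent's code: the service record list of Fig. 4 / Fig. 9,
 * updated per detection notification (Fig. 10, S406-S412). The minute-bucket rule
 * via last_clock is this example's assumption. */
#include <stdint.h>
#include <string.h>
#include <time.h>

#define MAX_RECORDS 64
#define MAX_GRAB 64

typedef struct {
    int type;                       /* "type" from the feature file */
    uint8_t src_mac[6];             /* "source MAC" */
    char grabbed[MAX_GRAB + 1];     /* "grabbed data", "" for the match action */
    time_t last_access;             /* "last access" */
    unsigned hit_count;             /* "hit count" */
    unsigned duration_min;          /* "duration", in minutes */
    time_t last_clock;              /* "last timing time": start of the counted minute */
} record_t;

typedef struct { record_t rec[MAX_RECORDS]; int n; } record_list_t;

/* S410: look up the node whose triple is exactly the same. */
record_t *find_record(record_list_t *l, int type, const uint8_t mac[6], const char *grabbed)
{
    for (int i = 0; i < l->n; i++) {
        record_t *r = &l->rec[i];
        if (r->type == type && memcmp(r->src_mac, mac, 6) == 0 && strcmp(r->grabbed, grabbed) == 0)
            return r;
    }
    return NULL;
}

/* Handle one (type, source MAC, grabbed data) notification received at time now.
 * Returns the created or updated record, or NULL when the list is full. */
record_t *record_detection(record_list_t *l, int type, const uint8_t mac[6],
                           const char *grabbed, time_t now)
{
    if (!grabbed) grabbed = "";                     /* match action: grabbed data is empty */
    record_t *r = find_record(l, type, mac, grabbed);
    if (!r) {                                       /* S409 / S411: new node */
        if (l->n >= MAX_RECORDS) return NULL;
        r = &l->rec[l->n++];
        memset(r, 0, sizeof *r);
        r->type = type;
        memcpy(r->src_mac, mac, 6);
        strncpy(r->grabbed, grabbed, MAX_GRAB);     /* grabbed[MAX_GRAB] stays '\0' */
        r->hit_count = 1;
        r->duration_min = 1;
        r->last_access = r->last_clock = now;
        return r;
    }
    r->hit_count++;                                 /* existing node: count the hit */
    r->last_access = now;
    if (now - r->last_clock >= 60) {                /* assumption: next minute only after 60 s */
        r->duration_min++;
        r->last_clock = now;
    }
    return r;
}

/* Replays a constructed notification sequence and returns the QQ (type 1) record:
 * three hits, two of them within the same minute, then one HTTP record. */
const record_t *demo_records(record_list_t *l)
{
    static const uint8_t mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const time_t t0 = 1700000000;                   /* constructed base time */
    memset(l, 0, sizeof *l);
    record_detection(l, 1, mac, NULL, t0);          /* hits 1, duration 1 */
    record_detection(l, 1, mac, NULL, t0 + 30);     /* same minute: hits 2, duration 1 */
    record_detection(l, 1, mac, NULL, t0 + 75);     /* next minute: hits 3, duration 2 */
    record_detection(l, 0, mac, "www.example.com", t0 + 80);   /* a different triple */
    return find_record(l, 1, mac, "");
}
```

After the replay the list holds two nodes; the QQ record shows hit count 3 and duration 2 minutes, and the HTTP record with its grabbed Host value is a separate node because the triple differs.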
As shown in Fig. 5, the service detection module performs detection by means of a match rule list. After parsing the feature file, the platform interaction module passes the configuration to the service matching module, which generates a node for every rule and inserts it into the match rule list; the node's fields correspond one to one with those of the feature file.
The corresponding blacklist list is implemented in the same way as the match rule list and is not described again.
The service detection module runs in kernel space. After it is loaded and running, it first creates a Netlink communication interface and registers a communication hook function; then it attaches a packet analysis hook function at the NF_BR_PRE_ROUTING hook point of the Linux kernel Netfilter framework, so that every packet from a terminal behind the home gateway is analysed first, with priority, as it is forwarded by the gateway.
The communication hook function receives the feature-setting and blacklist-setting messages from the platform interaction module in user space and builds the corresponding match rule list and blacklist list.
The packet analysis hook function analyses every layer-2 frame entering the home gateway: if the frame's features match the feature value of some node in the match rule list, the corresponding Internet service has been detected; if the service from a given source MAC matches the rule of some node in the blacklist list, the packet is dropped and not forwarded; otherwise it is forwarded, and the detected service information is sent to the platform interaction module in user space.
As shown in Fig. 6, each time the service detection module receives a Netlink message from the platform interaction module it calls the communication hook function, whose flow is as follows:
S101, receive the user-space message;
S102, parse the message type;
S103, if it is a feature-setting message, go to S104; otherwise go to S110;
S104, parse the message payload; if it is valid, go to S105; otherwise go to S117 and end the analysis of the message;
S105, allocate memory for a match rule node and go to S106;
S106, assign the parsed field values to the node allocated in S105 and go to S107;
S107, lock the match rule list and go to S108;
S108, insert the node into the match rule list and go to S109;
S109, unlock the match rule list, go to S117 and end the analysis of the message;
S110, if it is a blacklist-setting message, go to S111; otherwise go to S117 and end the analysis of the message;
S111, parse the message payload; if it is valid, go to S112; otherwise go to S117 and end the analysis of the message;
S112, allocate memory for a blacklist rule node and go to S113;
S113, assign the parsed field values to the node allocated in S112 and go to S114;
S114, lock the blacklist rule list and go to S115;
S115, insert the node into the blacklist rule list and go to S116;
S116, unlock the blacklist rule list, go to S117 and end the analysis of the message;
S117, end.
As shown in Fig. 7, the service detection module analyses a packet as follows:
S201, receive a network packet and go to S202;
S202, parse the packet's source MAC, protocol number and destination port number and go to S203;
S203, lock the match rule list and go to S204;
S204, iterate over the match rule list, taking the next node in turn, and go to S205;
S205, if the packet's protocol number matches the protocol number of the current match rule node, go to S206; otherwise go to S223;
S206, if the packet's destination port number matches the port number of the current match rule node, go to S207; otherwise go to S223;
S207, if the action of the current match rule node is match, go to S208; otherwise go to S215;
S208, iterate over the match rules; for each match rule obtained, go to S209;
S209, if the "feature data" of the "feature length" given in the current match rule is present at the "offset" position of the transport-layer payload of the current packet, the service of the corresponding "type" has been detected: go to S210; otherwise go to S223;
S210, if the iteration over the match rules is complete, go to S211; otherwise go to S208;
S211, unlock the match rule list and go to S212;
S212, determine whether data of this "type" from this "source MAC" is present in the blacklist rule list (described in detail in Fig. 8); if it is, go to S213; otherwise go to S214;
S213, drop the packet and go to S225;
S214, send the "type" of the current match rule and the "source MAC" of the packet back to the platform interaction module in user space; go to S225;
S215, if the action of the current match rule node is grab, go to S216; otherwise go to S223;
S216, iterate over the grab rules; for each grab rule obtained, go to S217;
S217, if, searching the transport-layer payload of the current packet from the "offset" position of the current grab rule, the "header data" of "header length" and the "tail data" of "tail length" are found, the corresponding "grab" service has been detected and the data between them is grabbed: go to S218; otherwise go to S223;
S218, if the iteration over the grab rules is complete, go to S219; otherwise go to S216;
S219, unlock the match rule list and go to S220;
S220, determine whether data of this "type" from this "source MAC" is present in the blacklist rule list (described in detail in Fig. 8); if it is, go to S221; otherwise go to S222;
S221, drop the packet and go to S225;
S222, send the "type" of the current match rule, the "source MAC" of the packet and the grabbed data back to the platform interaction module in user space; go to S225;
S223, if the iteration over the match rule list is complete, go to S224; otherwise go to S204;
S224, unlock the match rule list;
S225, end.
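The rule evaluation of S204 to S223, run over the two Fig. 2 feature values ("1,0,17,8000,2" for QQ and "0,1,6,80,1" for the HTTP Host grab), as an added example in user-space C rather than the patent's kernel hook. The packet is taken as already parsed (the source MAC, protocol, destination port and transport-layer payload of S202), the blacklist lookup of S212/S220 is left out, and the two payloads are constructed test input; rule_t, feature_t, packet_t, analyze_packet and demo are this example's names. Both the offset-255 "match from the tail" convention and the bounds checks that a kernel hook would need before touching the payload are shown.

```c
/* Added example, not the patent's code: user-space model of the service detection
 * module's rule walk (Fig. 7, S204-S223) with the two Fig. 2 feature values. The
 * packet is already parsed (S202); the blacklist lookup (S212/S220) is omitted. */
#include <stdint.h>
#include <string.h>

#define OFFSET_FROM_TAIL 255   /* "offset" 255 = match at the end of the payload */
#define ACTION_MATCH 0
#define ACTION_GRAB  1
#define MAX_GRAB 64

typedef struct {                /* one rule (Fig. 2); tail fields used by grab only */
    uint8_t offset;             /* 0..254 payload offset, 255 = from the tail */
    uint8_t head_len, tail_len; /* match: feature length; grab: header/tail length */
    const uint8_t *head, *tail; /* match: feature data;   grab: header/tail data */
} rule_t;

typedef struct {                /* one feature-file entry */
    int type, action;           /* service number; ACTION_MATCH or ACTION_GRAB */
    uint8_t proto;              /* IP protocol number */
    uint16_t dport;             /* transport-layer destination port */
    int nrules;
    const rule_t *rules;
} feature_t;

typedef struct {                /* what the hook extracts from a frame in S202 */
    uint8_t src_mac[6], proto;
    uint16_t dport;
    const uint8_t *payload;     /* transport-layer payload */
    size_t plen;
} packet_t;

typedef struct { int type; uint8_t src_mac[6]; char grabbed[MAX_GRAB + 1]; } detection_t;

/* Match rule (S209): feature data must sit at "offset" (or at the tail), bounds-checked. */
static int match_rule(const rule_t *r, const uint8_t *p, size_t n)
{
    if (r->head_len > n) return 0;
    size_t off = (r->offset == OFFSET_FROM_TAIL) ? n - r->head_len : r->offset;
    if (off > n - r->head_len) return 0;
    return memcmp(p + off, r->head, r->head_len) == 0;
}

/* Grab rule (S217): header data at or after "offset", then tail data after it; the
 * bytes between them are copied (truncated to MAX_GRAB) into out. */
static int grab_rule(const rule_t *r, const uint8_t *p, size_t n, char *out)
{
    const uint8_t *h = NULL, *t = NULL;
    if (r->offset == OFFSET_FROM_TAIL) return 0;
    for (size_t i = r->offset; i + r->head_len <= n; i++)
        if (memcmp(p + i, r->head, r->head_len) == 0) { h = p + i + r->head_len; break; }
    if (!h) return 0;
    for (const uint8_t *q = h; q + r->tail_len <= p + n; q++)
        if (memcmp(q, r->tail, r->tail_len) == 0) { t = q; break; }
    if (!t) return 0;
    size_t len = (size_t)(t - h) > MAX_GRAB ? MAX_GRAB : (size_t)(t - h);
    memcpy(out, h, len);
    out[len] = '\0';
    return 1;
}

/* Walk the feature list: protocol and port must match (S205, S206), then every rule
 * of the node must hold. Returns 1 and fills d on detection, else 0. */
int analyze_packet(const packet_t *pk, const feature_t *feats, int nf, detection_t *d)
{
    for (int i = 0; i < nf; i++) {
        const feature_t *ft = &feats[i];
        if (ft->proto != pk->proto || ft->dport != pk->dport) continue;
        int ok = 1;
        d->grabbed[0] = '\0';                     /* empty for the match action */
        for (int j = 0; j < ft->nrules && ok; j++)
            ok = (ft->action == ACTION_MATCH)
                   ? match_rule(&ft->rules[j], pk->payload, pk->plen)
                   : grab_rule(&ft->rules[j], pk->payload, pk->plen, d->grabbed);
        if (!ok) continue;                        /* a rule failed: try the next node */
        d->type = ft->type;
        memcpy(d->src_mac, pk->src_mac, 6);
        return 1;
    }
    return 0;
}

/* Fig. 2 feature values: "1,0,17,8000,2" (QQ, match) and "0,1,6,80,1" (HTTP Host, grab). */
static const uint8_t QQ_HEAD[] = {0x02}, QQ_TAIL[] = {0x03};
static const rule_t QQ_RULES[] = {{0, 1, 0, QQ_HEAD, NULL}, {OFFSET_FROM_TAIL, 1, 0, QQ_TAIL, NULL}};
static const uint8_t HOST_HEAD[] = {0x0d,0x0a,0x48,0x6f,0x73,0x74,0x3a,0x20};   /* "\r\nHost: " */
static const uint8_t CRLF[] = {0x0d, 0x0a};
static const rule_t HOST_RULES[] = {{0, 8, 2, HOST_HEAD, CRLF}};
static const feature_t FEATURES[] = {{1, ACTION_MATCH, 17, 8000, 2, QQ_RULES},
                                     {0, ACTION_GRAB,   6,   80, 1, HOST_RULES}};

/* Runs both features over a constructed QQ datagram and an HTTP GET segment from
 * device 00:11:22:33:44:55; returns how many of the two packets were recognised (2). */
int demo(detection_t out[2])
{
    static const uint8_t qq[] = {0x02, 0x10, 0x20, 0x03};
    static const char http[] = "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n";
    packet_t p1 = {{0x00,0x11,0x22,0x33,0x44,0x55}, 17, 8000, qq, sizeof qq};
    packet_t p2 = {{0x00,0x11,0x22,0x33,0x44,0x55}, 6, 80, (const uint8_t *)http, sizeof http - 1};
    return analyze_packet(&p1, FEATURES, 2, &out[0]) + analyze_packet(&p2, FEATURES, 2, &out[1]);
}
```

For the QQ datagram both match rules hold (0x02 at offset 0, 0x03 at the tail), so the detection carries type 1 and an empty grabbed field; for the HTTP segment the grab rule finds "\r\nHost: " and the next "\r\n", so the detection carries type 0 and "www.example.com". Every rule of a node must hold before the node is reported, which is the S209/S210 and S217/S218 loop of the flowchart.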
As shown in Fig. 8, the flow by which the service detection module blocks specific devices from accessing specific Internet services according to the blacklist file is as follows:
S301, lock the blacklist rule list and go to S302;
S302, iterate over the blacklist rule list, taking the next node in turn;
S303, if the type of the blacklist node is the same as the type of the current match rule list node, go to S304; otherwise go to S311;
S304, if the action of the current match rule list node is grab, go to S305; otherwise go to S309;
S305, determine whether the source MAC of the current packet is the same as the source MAC of the blacklist node, and whether the data grabbed from the current packet is the same as one of the KeyString fields of the blacklist node; go to S306;
S306, if the comparison result is true, the blacklist is considered hit: go to S307; otherwise go to S311;
S307, unlock the blacklist rule list and go to S308;
S308, the function returns true, indicating a blacklist hit;
S309, compare the source MAC of the packet with the source MAC list field of the blacklist node;
S310, if the comparison result is true, go to S307; otherwise go to S311;
S311, if the iteration over the blacklist rule list is complete, go to S312; otherwise go to S302;
S312, unlock the blacklist rule list;
S313, the function returns false, indicating no blacklist hit.
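The blacklist decision of Fig. 8 over the Fig. 3 file layout (a list of source MACs for a match-action service; one source MAC plus KeyString fields for a grab-action service), as an added example in user-space C, not the patent's kernel code. The lock and unlock steps are dropped, a KeyString "hit" is taken to be an exact comparison with the grabbed data (the page does not say whether the comparison is exact or a substring match, so that is an assumption), and bl_node_t, blacklist_hit and the constructed blacklist are this example's names. Since the source MAC is whatever the client device itself puts on the wire, an entry of this kind is a policy control over a cooperating device, not a strong identification of it.

```c
/* Added example, not the patent's code: the blacklist decision of Fig. 8 (S301-S313)
 * in user-space C. KeyString comparison is exact (assumption); locks are omitted. */
#include <stdint.h>
#include <string.h>

#define ACTION_MATCH 0
#define ACTION_GRAB  1
#define MAX_MACS 4
#define MAX_KEYS 4

typedef struct {                    /* one Fig. 3 blacklist entry */
    int type;                       /* service number, as in the feature file */
    int action;                     /* match: several MACs; grab: one MAC plus KeyStrings */
    int nmacs;
    uint8_t macs[MAX_MACS][6];
    int nkeys;
    const char *keys[MAX_KEYS];     /* KeyString fields (grab action only) */
} bl_node_t;

/* Returns 1 when the detected (type, source MAC, grabbed data) hits the blacklist. */
int blacklist_hit(const bl_node_t *list, int n, int type, int action,
                  const uint8_t src_mac[6], const char *grabbed)
{
    for (int i = 0; i < n; i++) {
        const bl_node_t *b = &list[i];
        if (b->type != type) continue;                                       /* S303 */
        if (action == ACTION_GRAB) {                                         /* S304, S305 */
            if (b->nmacs < 1 || memcmp(b->macs[0], src_mac, 6) != 0) continue;
            for (int k = 0; k < b->nkeys; k++)
                if (grabbed && strcmp(grabbed, b->keys[k]) == 0) return 1;   /* S306 */
        } else {                                                             /* S309, S310 */
            for (int m = 0; m < b->nmacs; m++)
                if (memcmp(b->macs[m], src_mac, 6) == 0) return 1;
        }
    }
    return 0;                                                                /* S313 */
}

/* Constructed blacklist: two devices may not use service 1 (QQ) at all, and
 * 00:11:22:33:44:55 may not reach host www.example.com through service 0 (HTTP). */
static const bl_node_t BLACKLIST[] = {
    {1, ACTION_MATCH, 2, {{0x00,0x11,0x22,0x33,0x44,0x55}, {0x66,0x77,0x88,0x99,0xaa,0xbb}}, 0, {0}},
    {0, ACTION_GRAB,  1, {{0x00,0x11,0x22,0x33,0x44,0x55}}, 1, {"www.example.com"}},
};

/* Four decisions over the constructed list; fills results and returns the hit count (2). */
int demo_decisions(int results[4])
{
    static const uint8_t dev[6]   = {0x00,0x11,0x22,0x33,0x44,0x55};
    static const uint8_t other[6] = {0xde,0xad,0xbe,0xef,0x00,0x01};
    results[0] = blacklist_hit(BLACKLIST, 2, 1, ACTION_MATCH, dev, NULL);              /* blocked */
    results[1] = blacklist_hit(BLACKLIST, 2, 1, ACTION_MATCH, other, NULL);            /* allowed */
    results[2] = blacklist_hit(BLACKLIST, 2, 0, ACTION_GRAB, dev, "www.example.com");  /* blocked */
    results[3] = blacklist_hit(BLACKLIST, 2, 0, ACTION_GRAB, dev, "www.other.test");   /* allowed */
    return results[0] + results[1] + results[2] + results[3];
}
```

A hit in the hook corresponds to S213/S221 (drop the packet); a miss lets the packet through and the detection is reported to user space as in S214/S222.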
As shown in Fig. 9, the detected user service information that the service detection module returns to the platform interaction module has three fields, "type", "source MAC" and "grabbed data" (note: for a service whose action type is match, the grabbed data is empty). The platform interaction module stores this information temporarily in a service record list, whose "type", "source MAC", "grabbed data", "hit count", "last access" and "duration" are as described for Fig. 4. The "last timing time" is an intermediate variable used to calculate the access duration of the service.
As shown in Figure 10, the workflow of the platform interactive module in the present invention is as follows:
S401, initialize the Netlink socket and establish the communication interface with the kernel; go to S402;
S402, access the management platform and obtain the characteristic value file and the blacklist file; go to S403;
S403, parse the characteristic value file and set the characteristic values into the service detection module; go to S404;
S404, parse the blacklist file and set the blacklist into the service detection module; go to S405;
S405, listen on the Netlink socket; after a message from the service detection module is received, go to S406;
S406, parse "type", "source MAC" and "captured data" from the message; go to S407;
S407, lock the service record linked list; go to S408;
S408, if the current service record linked list is empty, go to S409, otherwise go to S410;
S409, generate a record node: "type", "source MAC" and "captured data" are the data parsed in S406; "hit count" and "duration" are initialized to 1; "last access" and "last timing time" are initialized to the current time; add the node to the linked list and increment the global linked list node count by 1; go to S413;
S410, search the service record linked list for an identical node, that is, one whose triple "type", "source MAC", "captured data" is exactly the same; if one exists, go to S412, otherwise go to S411;
S411, generate a record node: "type", "source MAC" and "captured data" are the data parsed in S406; "hit count" and "duration" are initialized to 1; "last access" and "last timing time" are initialized to the current time; add the node to the linked list and increment the global linked list node count by 1; go to S413;
S412, modify the fields of the existing node: "hit count" + 1; set "last access" to the current time; if the current time exceeds "last timing time" by 60 s, set "last timing time" to the current time and "duration" + 1; go to S413;
S413, if the global linked list node count exceeds the threshold, go to S415, otherwise go to S414;
S414, unlock the service record linked list and go to S405;
S415, iterate over the service record linked list, writing the "type", "source MAC", "captured data", "hit count", "last access" and "duration" of each node to the service record file in turn, releasing the node's resources and decrementing the global linked list node count by 1; go to S416;
S416, unlock the service record linked list and go to S417;
S417, upload the service record file to the management platform and go to S405;
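The record bookkeeping of steps S407 to S417 as an added example (not the patent's code). It assumes a dictionary keyed by the (type, source MAC, captured data) triple in place of the linked list, a node threshold given to the constructor, a caller-supplied timestamp in seconds, and a strict reading of "exceeds by 60 s".

```python
# Added example, not the patent's code: the record bookkeeping of steps S407-S417.
from dataclasses import dataclass

DURATION_STEP = 60   # S412: "duration" grows by 1 once more than 60 s have elapsed

@dataclass
class RecordNode:    # the record fields of Figure 9 / claim 1
    type_id: int
    src_mac: str
    captured: bytes
    hit_count: int
    last_access: float
    last_timing: float   # intermediate variable used to compute the duration
    duration: int

class ServiceRecordList:
    """Assumptions: a dict keyed by the (type, source MAC, captured data) triple
    stands in for the linked list, the node threshold is a constructor argument,
    and the current time is passed in (seconds) so the 60 s rule can be tested."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.nodes = {}
        self.record_file = []   # rows written by S415, in write order

    def report(self, type_id, src_mac, captured, now):
        """One message from the service detection module (S406-S417).
        Returns the rows uploaded to the platform, empty unless a flush ran."""
        key = (type_id, src_mac, captured)          # S410: identical triple?
        node = self.nodes.get(key)
        if node is None:                             # S409 / S411: new node
            self.nodes[key] = RecordNode(type_id, src_mac, captured, 1, now, now, 1)
        else:                                        # S412: update existing node
            node.hit_count += 1
            node.last_access = now
            if now - node.last_timing > DURATION_STEP:
                node.last_timing = now
                node.duration += 1
        if len(self.nodes) > self.threshold:         # S413: threshold exceeded
            return self.flush()
        return []                                    # S414: keep accumulating

    def flush(self):
        """S415-S417: write every node to the record file, free it, upload."""
        rows = [(n.type_id, n.src_mac, n.captured, n.hit_count, n.last_access,
                 n.duration) for n in self.nodes.values()]
        self.record_file.extend(rows)
        self.nodes.clear()                           # release node resources
        return rows                                  # S417: upload to platform
```

The threshold bounds the memory held in the gateway between uploads, so a device that hits the same rule repeatedly never adds more than one node.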
In summary, the method provided by the present invention for detecting and shielding user networking services at a home gateway comprises the following steps:
the home gateway obtains the characteristic value file and the blacklist file from the management platform;
the home gateway uses the characteristic value file it obtained to detect the relevant services in the packets of the user's networking services, generates user networking service records and returns them to the management platform for storage; at the same time, it uses the blacklist file to shield the specific networking services accessed by specific devices;
the user queries, through the management platform, the networking service records of the devices that accessed the home gateway.
Because the home gateway obtains the characteristic values and the blacklist file of the networking services to be detected from the management platform, when the characteristic values of a networking service to be detected change, only the characteristic value file in the management platform needs to be changed; the home gateway then obtains the latest characteristic value and blacklist files from the management platform, and the home gateway image file does not have to be upgraded because the characteristic values to be detected have changed. Ordinary household users can therefore also operate the system easily, which greatly increases flexibility for ordinary users.
The present invention is not limited to the preferred embodiment described above; any structural change made under the inspiration of the present invention, and any technical scheme that is the same as or similar to the present invention, falls within the scope of protection of the present invention.
Claims (8)
1. A method for detecting and shielding user networking services at a home gateway, characterised in that it comprises the following steps:
the home gateway obtains a characteristic value file and a blacklist file from a management platform, the characteristic value file being used to detect relevant services and capture relevant keyword fields, and the blacklist file being used to shield the specific networking services accessed by specific devices that access the home gateway;
the home gateway uses the characteristic value file it obtained to detect relevant services in the packets of the user's networking services, generates the corresponding networking record file and returns it to the management platform for storage; at the same time, it uses the blacklist file to shield the specific networking services accessed by specific devices;
the user queries, through the management platform, the networking service records of the devices that accessed the home gateway;
the service record file records, for a device that accesses the home gateway, the last time it accessed a relevant networking service within a certain period, its access frequency, its duration, and the data captured from relevant services whose rules include capture; each record is identified by the triple of type, source MAC and captured data, wherein:
the type field is consistent with the type in the characteristic value file;
the source MAC field is the MAC of the device accessing the home gateway;
the last access field is the time of the most recent networking service;
the hit count field is the number of times the networking service was detected by the service detection module of the home gateway;
the duration field is the duration of the networking service;
the captured data field is the data obtained by the capture action, and its value is empty for the match action.
2. The method according to claim 1, characterised in that the characteristic value file contains the characteristic information of networking services, and the home gateway detects relevant services and captures relevant keyword fields according to the characteristic information of the networking services.
3. The method according to claim 1, characterised in that the characteristic value file is used to define the rules for detecting user networking services and includes six fields, namely type, action, protocol, port, number and rule, wherein:
type is the number of the service to be detected; each service is assigned a number corresponding to the type field in the characteristic value file;
action is the manner in which the service is detected, namely match or capture;
protocol is the IP protocol type of the service to be detected;
port is the transport-layer destination port number of the service to be detected;
number is the number of rules required by the match action, or by the capture action, for detecting the service;
rule is the basis on which the match and capture actions are performed.
4. The method according to claim 3, characterised in that:
the rule corresponding to the match action contains, in order, the fields offset, characteristic length and characteristic, meaning that the transport-layer payload must carry, at the specified offset position, the characteristic of the given characteristic length;
the rule corresponding to the capture action contains, in order, the fields offset, header length and header data, tail length and tail data, meaning that the transport-layer payload, starting from the offset position, has the header data of the corresponding header length and the tail data of the corresponding tail length, and the data between them is captured.
5. The method according to claim 1, characterised in that, when the blacklist file is used to shield the specific networking services accessed by specific devices, a specific device is identified by its source MAC, and the specific method is as follows:
for a service with the match action, the subsequent fields are a number of source MAC fields, meaning that, for that class of service, the service is shielded as long as the source MAC matches any of the source MAC fields;
for a service with the capture action, the subsequent fields are one source MAC field followed by a number of keyword fields, meaning that, for that class of service, the service is shielded if the packet comes from that particular source MAC and the captured data matches the value of any of the keyword fields.
6. The method according to claim 1, characterised in that the method by which the home gateway uses the characteristic value file it obtained to detect relevant services in the packets of the user's networking services is as follows:
first, create the Netlink communication interface and register the communication hook function;
then hang the packet analysis hook function on the NF_BR_PRE_ROUTING node of the Linux kernel Netfilter framework, so that whenever a packet from any terminal under the home gateway is forwarded by the home gateway, it is analysed with priority at the earliest possible point, wherein:
the communication hook function is used to receive the characteristic value setting message and the blacklist setting message from the user-space platform interactive module and to generate the corresponding matching rule linked list and blacklist linked list;
the packet analysis hook function analyses every layer-2 message entering the home gateway; if the characteristics of the message match the characteristic value of some node in the matching rule linked list, a relevant networking service has been detected;
if the service from a certain source MAC matches some node rule in the blacklist linked list, the packet is discarded and not forwarded;
in all other cases the packet is forwarded, and the user-space platform interactive module is notified of the detected service information.
7. The method according to claim 1, characterised in that, after the home gateway starts, it decides whether to re-download the latest characteristic value file and blacklist file according to the update status of the characteristic value file and the blacklist file in the management platform.
8. A system for detecting and shielding user networking services at a home gateway, including a home gateway, characterised in that it further includes a management platform;
the home gateway is provided with a service detection module and a platform interactive module, and the management platform is provided with a gateway interaction module, a user database and a user human-machine interface;
the service detection module obtains the characteristic value file and the blacklist file from the management platform and, according to the rules set for the different services in the characteristic value file, detects relevant services in the packets of the user's networking services, captures the relevant fields in the packets and passes them back to the platform interactive module; the platform interactive module writes the user networking service records returned by the service detection module into the service record file and transmits it to the gateway interaction module of the management platform, which in turn updates and stores the relevant content in the user database; the service detection module shields, according to the blacklist file, the specific networking services accessed by specific devices;
the service record file records, for a device that accesses the home gateway, the last time it accessed a relevant networking service within a certain period, its access frequency, its duration, and the data captured from relevant services whose rules include capture; each record is identified by the triple of type, source MAC and captured data, wherein:
the type field is consistent with the type in the characteristic value file;
the source MAC field is the MAC of the device accessing the home gateway;
the last access field is the time of the most recent networking service;
the hit count field is the number of times the networking service was detected by the service detection module of the home gateway;
the duration field is the duration of the networking service;
the captured data field is the data obtained by the capture action, and its value is empty for the match action.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510633338.5A CN105187446B (en) | 2015-09-29 | 2015-09-29 | A kind of home gateway detection and the system and method for shielding user's business of networking |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105187446A CN105187446A (en) | 2015-12-23 |
CN105187446B true CN105187446B (en) | 2018-03-20 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |