CN105187446B - Home gateway system and method for detecting and blocking users' Internet services - Google Patents


Info

Publication number: CN105187446B
Application number: CN201510633338.5A
Authority: CN (China)
Language: Chinese (zh)
Other versions: CN105187446A
Legal status: Active (granted)
Inventors: 王恺, 曹子伟, 杨柳, 郑学智
Assignee (original and current): Fiberhome Telecommunication Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL


Abstract

The invention discloses a system and method by which a home gateway detects and blocks users' Internet services. The method comprises: the home gateway obtains a feature-value file and a blacklist file from a management platform; using the feature-value file, the home gateway detects the relevant services in the packets of the users' Internet traffic, generates the corresponding Internet-service record file and returns it to the management platform for storage; at the same time it uses the blacklist file to block specific devices from accessing specific Internet services; the user queries the Internet-service records of the devices attached to the home gateway through the management platform. Because the home gateway obtains the feature values and the blacklist of the services to be detected from the management platform, it can detect the type of a user's Internet service and block a particular device from accessing a particular service without the gateway firmware image having to be upgraded whenever a feature value to be detected changes.

Description

Home gateway system and method for detecting and blocking users' Internet services
Technical field
The present invention relates to home gateways, and in particular to a system and method by which a home gateway detects and blocks users' Internet services.
Background art
With the development of broadband technology and the spread of intelligent terminals, a household has, besides computers, many other devices that need Internet access, such as smartphones and tablets. The main way to serve them is a home gateway that attaches the various devices and forwards multiple services at once, thereby providing Internet applications.
Internet content is of very uneven quality. To let the different devices in a household use the Internet safely and healthily ("green Internet access"), there is an urgent need to detect and block users' Internet services, for example:
(1) For the protection of minors, parents want to know which devices have accessed which services, and to block certain devices from accessing certain services;
(2) From the point of view of an operator cooperating with the relevant bodies on public safety, there is in specific circumstances also a need to understand users' Internet services.
Given the above, the home gateway, as the core device of the home network, needs the ability to detect and block users' Internet services. At present this function is mostly implemented by deep packet inspection on the home gateway. However, that implementation is baked into the gateway's firmware image: when a new service appears or an existing feature value changes, the gateway has to be upgraded with a new image. Upgrading a home gateway with a new image is not something every ordinary person can do, so it is hard for the general home user to apply this approach flexibly.
It is therefore necessary to improve the way an existing home gateway detects and blocks users' Internet services, so that home users can apply it flexibly.
Summary of the invention
The technical problem to be solved by the invention is to improve the way an existing home gateway detects and blocks users' Internet services, so that home users can apply it flexibly.
To solve this problem, the invention provides a method by which a home gateway detects and blocks users' Internet services, comprising the following steps:
the home gateway obtains a feature-value file and a blacklist file from a management platform, the feature-value file being used to detect the relevant services and to capture the related key fields, and the blacklist file being used to block specific devices attached to the home gateway from accessing specific Internet services;
using the feature-value file it has obtained, the home gateway detects the relevant services in the packets of the users' Internet traffic, generates the corresponding Internet-record file and returns it to the management platform for storage; at the same time it uses the blacklist file to block the specific Internet services accessed by specific devices;
the user queries the Internet-service records of the devices attached to the home gateway through the management platform.
In the above method, the feature-value file contains the feature information of the Internet services, and the home gateway detects the relevant services and captures the related key fields according to that feature information.
In the above method, the feature-value file defines the rules for detecting users' Internet services. Each entry has six fields: type, action, protocol, port, count and rules, where:
type is the number of the service being detected; every service to be detected is assigned a type number that corresponds to the type field of the feature-value file;
action is the way the service is detected, either match or capture;
protocol is the IP protocol type of the service being detected;
port is the transport-layer destination port number of the service being detected;
count is the number of rules required by the match action, or by the capture action, for that service;
rules are the basis on which the match and capture actions are performed.
In the above method, a rule for the match action consists, in order, of the fields offset, feature length and feature data, meaning that at the specified offset in the transport-layer payload there must be the given feature data of the given feature length;
a rule for the capture action consists, in order, of the fields offset, header length, header data, tail length and tail data, meaning that, starting from the offset in the transport-layer payload, the header data of the given header length and the tail data of the given tail length must be found, and the data between them is captured.
In the above method, the blacklist file is used to block specific devices from accessing specific Internet services; a device is identified by its source MAC address, as follows:
for a service with the match action, the subsequent fields are one or more source MAC fields, meaning that, for that class of service, the traffic is blocked as soon as the source MAC matches any of the source MAC fields;
for a service with the capture action, the subsequent fields are one source MAC field plus one or more keyword fields, meaning that, for that class of service, the traffic is blocked if it comes from that particular source MAC and the captured data matches the value in any of the keyword fields.
In the above method, the service record file records, for a given device attached to the home gateway over a given period, the time of the last access to each Internet service, the access frequency, the duration, and, for services with capture rules, the data captured. Each record is identified by the triple type, source MAC and captured data, where:
the type field corresponds to the type in the feature-value file;
the source MAC field is the MAC address of the device attached to the home gateway;
the last-access field is the time the Internet service was last accessed;
the hit-count field is the number of times the service detection module of the home gateway detected that Internet service;
the duration field is how long the Internet service lasted;
the captured-data field is the data obtained by the capture action; for the match action this field is empty.
In the above method, the home gateway detects the relevant services in the packets of the users' Internet traffic with the feature-value file it has obtained as follows:
first a Netlink communication interface is created and a communication hook function is registered;
then a packet-analysis hook function is attached at the NF_BR_PRE_ROUTING hook point of the Linux kernel Netfilter framework, so that every packet from a terminal behind the home gateway is analysed with priority, at the earliest possible moment, as it is forwarded by the gateway, where:
the communication hook function receives the feature-value setting messages and blacklist setting messages from the platform interaction module in user space and generates the corresponding match-rule linked list and blacklist linked list;
the packet-analysis hook function analyses every layer-2 frame entering the home gateway; if the frame's features match the feature value of some node in the match-rule linked list, the relevant Internet service has been detected;
if the service from a given source MAC matches the rule of some node in the blacklist linked list, the packet is dropped and not forwarded; otherwise it is forwarded and the platform interaction module in user space is notified of the detected service information.
The invention also provides a system by which a home gateway detects and blocks users' Internet services, comprising a home gateway and a management platform.
The home gateway is provided with a service detection module and a platform interaction module; the management platform is provided with a gateway interaction module, a user database and a user human-machine interface.
The service detection module obtains the feature-value file and the blacklist file from the management platform, detects the relevant services in the packets of the users' Internet traffic according to the rules set for the different services in the feature-value file, captures the related fields in the packets and passes them back to the platform interaction module. The platform interaction module writes the users' Internet-service records returned by the service detection module into the service record file and forwards it to the gateway interaction module of the management platform, which updates and stores the related content in the user database. The service detection module also blocks specific devices from accessing specific Internet services according to the blacklist file.
The user queries the Internet-service records of the devices attached to the home gateway through the user human-machine interface.
In the invention the home gateway uses the feature values and the blacklist file of the Internet services to be detected, obtained from the management platform, to detect the type of users' Internet services and to block specific devices from accessing specific Internet services. When the feature value of a service to be detected changes, only the feature-value file on the management platform needs to be changed; the home gateway then fetches the newest feature-value and blacklist files from the management platform, and its firmware image does not have to be upgraded because a feature value changed, so that home users can also operate it easily.
Brief description of the drawings
Fig. 1 is a schematic of the system by which the home gateway detects and blocks users' Internet services in the invention;
Fig. 2 is a schematic of the structure of the feature-value file in the invention;
Fig. 3 is a schematic of the structure of the blacklist file in the invention;
Fig. 4 is a schematic of the structure of the service record file in the invention;
Fig. 5 is a schematic of the structure of the match-rule linked list in the invention;
Fig. 6 is the flow chart of the service detection module generating the match-rule linked list and the blacklist linked list in the invention;
Fig. 7 is the flow chart of packet analysis by the service detection module in the invention;
Fig. 8 is the flow chart of the blacklist decision by the service detection module in the invention;
Fig. 9 is a schematic of the structure of the service record linked list of the platform interaction module in the invention;
Fig. 10 is the workflow diagram of the platform interaction module in the invention.
Embodiment
The invention provides a system and method by which a home gateway detects and blocks users' Internet services. The home gateway uses the feature-value file and the blacklist file of the Internet services to be detected, obtained from the management platform, to detect the type of users' Internet services and to block specific devices from accessing specific Internet services. This avoids the home gateway having to upgrade its firmware image because a feature value of a service to be detected changed, so that home users can also apply it flexibly. The invention is described in detail below with reference to the drawings and the specific embodiment.
As shown in Fig. 1, the system by which the home gateway detects and blocks users' Internet services comprises a home gateway 10 and a management platform 20.
The management platform 20 is provided with a gateway interaction module 21, a user database 22 and a user human-machine interface 23, where:
the feature-value file, the blacklist file and the users' Internet-service records collected from each home gateway over a given period are stored in the user database;
the feature-value file contains the feature information of the different Internet services and is used to detect the relevant services and capture the related key fields;
the blacklist file is used to block specific devices attached to the home gateway from accessing specific Internet services;
through the human-machine interface the user can query the Internet-service records of the devices carried by the home gateway over a period of time.
The home gateway 10 is provided with a service detection module 11 and a platform interaction module 12. The home gateway obtains the feature-value file and the blacklist file from the management platform and, according to the rules set for the different services in the feature-value file, detects the relevant services in the packets of the users' Internet traffic and passes the related fields captured from the packets back to the platform interaction module. The platform interaction module writes the users' Internet-service records returned by the service detection module into the service record file and forwards it to the gateway interaction module of the management platform, which updates and stores the related content in the user database. In addition, the home gateway blocks specific devices from accessing specific Internet services according to the blacklist file: if the service currently being accessed and the corresponding device are on the blacklist, the related frames are dropped directly, which prevents that device from accessing that Internet service.
Each time the home gateway starts, it first checks whether the feature-value file and the blacklist file on the management platform have been updated. If they have, the home gateway downloads the newest feature-value file and blacklist file from the management platform, overwrites the original ones and then monitors with the newest files; otherwise it downloads nothing and continues to monitor with the original feature-value file and blacklist file.
The service record file stores the Internet-service access records of all attached devices detected by the home gateway, and the users' Internet-service records on the management platform are updated in real time (by appending records) through the platform interaction module.
The feature-value file defines the rules for detecting users' Internet services. Each entry has six fields: type, action, protocol, port, count and rules, and different services are identified by different feature values. As shown in Fig. 2, the feature-value file is described as follows:
"type" is the number of the service being detected;
"action" is one of the two ways the service is detected, match or capture (in this embodiment 0 denotes match and 1 denotes capture). Match means detecting that the packet payload contains the relevant feature value; capture means detecting that the packet payload contains a pair of feature values and capturing the data in the packet that lies between that pair;
"protocol" is the IP protocol type of the service being detected;
"port" is the transport-layer destination port number of the service being detected;
"count" is the number of rules required by the "match action", or by the "capture action", for the service. For ease of description the maximum "count" in this embodiment is 2.
A rule for the match action consists, in order, of the fields "offset", "feature length" and "feature data", meaning that at the position given by "offset" in the transport-layer payload there must be the "feature data" of "feature length" bytes.
A rule for the capture action consists, in order, of the fields "offset", "header length", "header data", "tail length" and "tail data", meaning that, starting at the "offset" position in the transport-layer payload, the "header data" of "header length" bytes and the "tail data" of "tail length" bytes must be found, and the data between them is captured.
The meaning of the rule in the figure that detects a kind of QQ message field is as follows:
The feature value "1,0,17,8000,2" means that the service has type 1, the action is match, the protocol is UDP, the destination port is 8000, and there are 2 match rules. The first match rule, "0,1,0x02", means matching from offset 0 of the transport-layer payload with a key field of length 1 and content 0x02. The second match rule, "255,1,0x03", means matching at the tail of the transport-layer payload with length 1 and content 0x03. In this embodiment the "offset" field is stored as an unsigned char; the value 255 is reserved to mean matching at the tail, and 0 to 254 are actual offsets.
The meaning of the rule in the figure that detects the Host field of an HTTP GET message is as follows:
The feature value "0,1,6,80,1" means that the service has type 0, the action is capture, the protocol is TCP, the destination port is 80, and there is 1 capture rule. The capture rule "0,8,0x0d,0x0a,0x48,0x6f,0x73,0x74,0x3a,0x20,2,0x0d,0x0a" means searching from offset 0 of the transport-layer payload for a first key field of length 8 with content "0x0d,0x0a,0x48,0x6f,0x73,0x74,0x3a,0x20" (the bytes of CR LF "Host: ") and a second key field of length 2 with content "0x0d,0x0a" (CR LF), and capturing the data between this pair of keywords.
The above describes only two feature values, one detecting QQ UDP messages and one detecting HTTP GET messages and capturing the Host field. In a specific implementation, feature values and capture fields can be set for other services as needed.
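The two entries above can be exercised against packet payloads. The following is an added example, not code from the patent or from Fiberhome, that parses feature-value entries written in the comma-separated form of the patent's worked examples and applies the match and capture rules to a transport-layer payload, as the packet-analysis hook does in steps S205 to S218 of Fig. 7. The patent does not give the on-disk layout of Fig. 2; the layout assumed here (one header line "type,action,protocol,port,count" followed by count rule lines), the function names and the two sample payloads are the example's own constructions.

```python
"""Feature-value rules of CN105187446B as a pure-Python evaluator (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

MATCH, CAPTURE = 0, 1   # "action" encoding used by the embodiment (0 = match, 1 = capture)
TAIL = 255              # reserved "offset": compare against the end of the payload


@dataclass
class MatchRule:
    offset: int
    data: bytes         # "feature data"; "feature length" is len(data)


@dataclass
class CaptureRule:
    offset: int
    head: bytes         # "header data"
    tail: bytes         # "tail data"


@dataclass
class Feature:
    type_: int
    action: int
    protocol: int       # IP protocol number, e.g. 6 = TCP, 17 = UDP
    port: int           # transport-layer destination port
    rules: List[Union[MatchRule, CaptureRule]]


def _bytes_of(tokens: List[str]) -> bytes:
    return bytes(int(t, 0) for t in tokens)   # accepts "0x0d" as well as "13"


def parse_feature_file(text: str) -> List[Feature]:
    """Assumed layout (the patent does not fix one): a header line
    'type,action,protocol,port,count' followed by `count` rule lines,
    each rule written exactly as in the patent's worked examples."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    feats: List[Feature] = []
    i = 0
    while i < len(lines):
        type_, action, proto, port, count = (int(x) for x in lines[i].split(","))
        i += 1
        rules: List[Union[MatchRule, CaptureRule]] = []
        for _ in range(count):
            tok = [t.strip() for t in lines[i].split(",")]
            i += 1
            off = int(tok[0])
            if action == MATCH:
                n = int(tok[1])                      # feature length
                rules.append(MatchRule(off, _bytes_of(tok[2:2 + n])))
            else:
                hn = int(tok[1])                     # header length
                head = _bytes_of(tok[2:2 + hn])
                tn = int(tok[2 + hn])                # tail length
                tail = _bytes_of(tok[3 + hn:3 + hn + tn])
                rules.append(CaptureRule(off, head, tail))
        feats.append(Feature(type_, action, proto, port, rules))
    return feats


def _match(payload: bytes, r: MatchRule) -> bool:
    """S209: the feature data must sit exactly at `offset`, or at the tail when offset == 255."""
    if r.offset == TAIL:
        return payload.endswith(r.data)
    return payload[r.offset:r.offset + len(r.data)] == r.data


def _capture(payload: bytes, r: CaptureRule) -> Optional[bytes]:
    """S217: search from `offset` for the header data, then for the tail data after it."""
    h = payload.find(r.head, r.offset)
    if h < 0:
        return None
    start = h + len(r.head)
    t = payload.find(r.tail, start)
    if t < 0:
        return None
    return payload[start:t]


def detect(feats: List[Feature], protocol: int, dport: int,
           payload: bytes) -> Optional[Tuple[int, Optional[bytes]]]:
    """Fig. 7, S204 to S218 for one packet: skip nodes whose protocol or destination port
    differ, and report (type, captured data) for the first node all of whose rules hold.
    Captured data is None for a match-type service, as in the record triple of Fig. 4."""
    for f in feats:
        if f.protocol != protocol or f.port != dport:         # S205, S206
            continue
        if f.action == MATCH:
            if all(_match(payload, r) for r in f.rules):      # S208 to S210
                return f.type_, None
        else:
            grabbed = [_capture(payload, r) for r in f.rules]  # S216 to S218
            if all(g is not None for g in grabbed):
                return f.type_, b"".join(grabbed)
    return None


# Constructed sample input: the two entries worked through in the patent text.
FEATURE_FILE = """
# type,action,protocol,port,count   then `count` rule lines
1,0,17,8000,2
0,1,0x02
255,1,0x03
0,1,6,80,1
0,8,0x0d,0x0a,0x48,0x6f,0x73,0x74,0x3a,0x20,2,0x0d,0x0a
"""
FEATURES = parse_feature_file(FEATURE_FILE)

# Constructed payloads, not captures of real traffic.
QQ_UDP_PAYLOAD = b"\x02" + b"\x00" * 20 + b"\x03"
HTTP_GET_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    print(detect(FEATURES, 17, 8000, QQ_UDP_PAYLOAD))   # (1, None)
    print(detect(FEATURES, 6, 80, HTTP_GET_PAYLOAD))    # (0, b'www.example.com')
```

A UDP payload to port 8000 that starts with 0x02 but does not end with 0x03 fails the second rule and is not reported, which is the patent's point that every rule of an entry must hold; an HTTP request without a Host header yields no capture and is likewise not reported.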
As shown in Fig. 3, the blacklist file is used to block specific devices attached to the home gateway from accessing specific Internet services; a device is identified by its source MAC address.
For a service with the match action, the subsequent fields are one or more source MAC fields, meaning that, for that class of service, the traffic is blocked as soon as the source MAC matches any of the source MAC fields.
For a service with the capture action, the subsequent fields are a "source MAC field" plus one or more "keyword (KeyString) fields", meaning that, for that class of service, the traffic is blocked if it comes from that particular source MAC and the captured data matches the value in any of the KeyString fields.
As shown in Fig. 4, the service record file records, for a given device attached to the home gateway over a given period, the time of the last access to each Internet service, the access frequency, the duration and, for services with capture rules, the data captured.
Each record is identified by the triple "type", "source MAC", "captured data";
the "type" field corresponds to "type" in the feature-value file shown in Fig. 2;
the "source MAC" field gives the MAC address of the device attached to the home gateway;
the "last access" field gives the time the Internet service was last accessed;
the "hit count" field gives the number of times the service detection module of the home gateway detected that Internet service, and reflects how often the user accesses it;
the "duration" field gives how long the Internet service lasted, expressed in minutes in this embodiment; if the service detection module detects several messages of the same "type" from the same "source MAC" within one minute, the service is counted as lasting 1 minute only;
the "captured data" field gives the data obtained by the capture action; for the match action this field is empty.
As shown in Fig. 5, the service detection module performs detection by means of a match-rule linked list. After the platform interaction module parses the feature-value file it passes the configuration to the service detection module, which creates a node for each rule and inserts it into the match-rule linked list; the node fields correspond one-to-one with the feature-value file.
The blacklist linked list is implemented in the same way as the match-rule linked list and is not described again.
The service detection module runs in kernel space. Once loaded and running, it first creates a Netlink communication interface and registers a communication hook function; it then attaches a packet-analysis hook function at the NF_BR_PRE_ROUTING hook point of the Linux kernel Netfilter framework, so that every packet from a terminal behind the home gateway is analysed with priority, at the earliest possible moment, as it is forwarded by the gateway.
The communication hook function receives the feature-value setting messages and blacklist setting messages from the platform interaction module in user space and generates the corresponding match-rule linked list and blacklist linked list.
The packet-analysis hook function analyses every layer-2 frame entering the home gateway. If the frame's features match the feature value of some node in the match-rule linked list, the relevant Internet service has been detected; if the service from a given source MAC matches the rule of some node in the blacklist linked list, the packet is dropped and not forwarded; otherwise it is forwarded and the platform interaction module in user space is notified of the detected service information.
As shown in Fig. 6, each time the service detection module receives a Netlink message sent by the platform interaction module it calls the communication hook function, whose flow is as follows:
S101, receive the user-space message;
S102, parse the message type;
S103, if it is a feature-value setting message go to S104, otherwise go to S110;
S104, parse the message payload; if it is valid go to S105, otherwise go to S117 and end the analysis of the message;
S105, allocate memory for a match-rule node, go to S106;
S106, assign the parsed field values to the node allocated in S105, go to S107;
S107, lock the match-rule linked list, go to S108;
S108, insert the node into the match-rule linked list, go to S109;
S109, unlock the match-rule linked list, go to S117 and end the analysis of the message;
S110, if it is a blacklist setting message go to S111, otherwise go to S117 and end the analysis of the message;
S111, parse the message payload; if it is valid go to S112, otherwise go to S117 and end the analysis of the message;
S112, allocate memory for a blacklist rule node, go to S113;
S113, assign the parsed field values to the node allocated in S112, go to S114;
S114, lock the blacklist rule linked list, go to S115;
S115, insert the node into the blacklist rule linked list, go to S116;
S116, unlock the blacklist rule linked list, go to S117 and end the analysis of the message;
S117, end.
As shown in Fig. 7, the service detection module analyses a packet as follows:
S201, receive the network packet, go to S202;
S202, parse the source MAC, protocol number and destination port number of the packet, go to S203;
S203, lock the match-rule linked list, go to S204;
S204, iterate over the match-rule linked list, taking the nodes in turn, go to S205;
S205, if the protocol number of the packet equals the protocol number of the current match-rule node go to S206, otherwise go to S223;
S206, if the destination port number of the packet equals the port number of the current match-rule node go to S207, otherwise go to S223;
S207, if the action of the current match-rule node is match go to S208, otherwise go to S215;
S208, iterate over the match rules; for each match rule obtained go to S209;
S209, if the "feature data" of the given "feature length" is present at the "offset" position in the transport-layer payload of the current packet, the service of the corresponding "type" has been detected: go to S210; otherwise go to S223;
S210, if the iteration over the match rules is complete go to S211, otherwise go to S208;
S211, unlock the match-rule linked list, go to S212;
S212, decide whether data of this "type" from this "source MAC" is present in the blacklist rule linked list (detailed in Fig. 8); if so go to S213, otherwise go to S214;
S213, discard the packet, go to S225;
S214, send the "type" of the current match rule and the "source MAC" of the packet back to the platform interaction module in user space; go to S225;
S215, if the action of the current match-rule node is capture go to S216, otherwise go to S223;
S216, iterate over the capture rules; for each capture rule obtained go to S217;
S217, if, searching the transport-layer payload of the current packet from the "offset" position of the current capture rule, the "header data" of the given "header length" and the "tail data" of the given "tail length" are found, the corresponding "capture" service has been detected and the data between them is captured: go to S218; otherwise go to S223;
S218, if the iteration over the capture rules is complete go to S219, otherwise go to S216;
S219, unlock the match-rule linked list, go to S220;
S220, decide whether data of this "type" from this "source MAC" is present in the blacklist rule linked list (detailed in Fig. 8); if so go to S221, otherwise go to S222;
S221, discard the packet, go to S225;
S222, send the "type" of the current match rule, the "source MAC" of the packet and the captured data back to the platform interaction module in user space; go to S225;
S223, if the iteration over the match-rule linked list is complete go to S224, otherwise go to S204;
S224, unlock the match-rule linked list;
S225, end.
As shown in Fig. 8, the flow by which the service detection module blocks specific devices from accessing specific Internet services according to the blacklist file is as follows:
S301, lock the blacklist rule linked list, go to S302;
S302, iterate over the blacklist rule linked list, taking the nodes in turn;
S303, if the type of the blacklist node equals the type of the current match-rule node go to S304, otherwise go to S311;
S304, if the action of the current match-rule node is capture go to S305, otherwise go to S309;
S305, check whether the source MAC of the current packet equals the source MAC of the blacklist node, and whether the data captured from the current packet equals one of the KeyString fields of the blacklist node; go to S306;
S306, if the comparison is true the blacklist is considered hit: go to S307; otherwise go to S311;
S307, unlock the blacklist rule linked list, go to S308;
S308, the function returns true, indicating a blacklist hit;
S309, compare the source MAC of the packet with the source MAC list fields of the blacklist node;
S310, if the comparison is true go to S307, otherwise go to S311;
S311, if the iteration over the blacklist rule linked list is complete go to S312, otherwise go to S302;
S312, unlock the blacklist rule linked list;
S313, the function returns false, indicating no blacklist hit.
As shown in Fig. 9, in the present invention the detected user networking business information returned by the business detection module to the platform interactive module has three fields, "type", "source MAC" and "grabbed data" (note: for businesses whose action type is match, the grabbed data is empty). The platform interactive module temporarily stores this information in the business record chained list. The "type", "source MAC", "grabbed data", "hit count", "last access" and "duration" fields there are consistent with the description of Fig. 4. The "last timing time" field is an intermediate variable used to calculate the access duration of the business.
As shown in Fig. 10, the workflow of the platform interactive module of the present invention is as follows:
S401, initialize the Netlink socket and establish the communication interface with the kernel; go to S402;
S402, access the management platform and obtain the characteristic value file and the blacklist file; go to S403;
S403, parse the characteristic value file and set the characteristic values in the business detection module; go to S404;
S404, parse the blacklist file and set the blacklist in the business detection module; go to S405;
S405, listen on the Netlink socket; after receiving a message from the business detection module, go to S406;
S406, parse "type", "source MAC" and "grabbed data" from the message; go to S407;
S407, lock the business record chained list; go to S408;
S408, if the current business record chained list is empty, go to S409; otherwise go to S410;
S409, generate a record node: "type", "source MAC" and "grabbed data" are the data parsed in S406; "hit count" and "duration" are initialized to 1; "last access" and "last timing time" are initialized to the current time; add the node to the chained list and increment the global chained list node count by 1; go to S413;
S410, search the business record chained list for an identical node, that is, one whose triple "type", "source MAC", "grabbed data" is completely identical; if one exists, go to S412, otherwise go to S411;
S411, generate a record node: "type", "source MAC" and "grabbed data" are the data parsed in S406; "hit count" and "duration" are initialized to 1; "last access" and "last timing time" are initialized to the current time; add the node to the chained list and increment the global chained list node count by 1; go to S413;
S412, modify the fields of the existing node: "hit count" + 1; set "last access" to the current time; if the current time exceeds "last timing time" by more than 60 s, set "last timing time" to the current time and "duration" + 1; go to S413;
S413, if the global chained list node count exceeds the threshold, go to S415; otherwise go to S414;
S414, unlock the business record chained list; go to S405;
S415, iterate over the business record chained list, writing each node's "type", "source MAC", "grabbed data", "hit count", "last access" and "duration" to the business record file, releasing the node's resources and decrementing the global chained list node count by 1; go to S416;
S416, unlock the business record chained list; go to S417;
S417, upload the business record file to the management platform; go to S405.
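The accounting in S408 to S415 is easiest to see in code. The following is an added example, not code from the patent or from the applicant: a user-space model in C of the business record chained list, with the Netlink receive loop and the upload to the management platform left out. Names such as record_detection, flush_records, demo_fill, the fixed-size array in place of a chained list, the CSV line format of the record file and the sample MAC and times are assumptions made for the example; the 60 s step for "duration" and the triple (type, source MAC, grabbed data) as the record key follow the description above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 16
#define DURATION_STEP_S 60   /* S412: "duration" advances when "last timing time" is more than 60 s old */

/* One node of the business record chained list (Fig. 9). The triple
 * (type, src_mac, grabbed) identifies the record; last_tick is the
 * "last timing time" intermediate variable. */
typedef struct {
    int type;
    char src_mac[18];
    char grabbed[64];
    unsigned hit_count;
    unsigned duration;
    int64_t last_access;
    int64_t last_tick;
} record_t;

typedef struct {
    record_t nodes[MAX_RECORDS];   /* fixed array standing in for the chained list */
    int count;                     /* the "global chained list node count" */
} record_list_t;

static record_t *find_record(record_list_t *l, int type, const char *mac, const char *grabbed)
{
    for (int i = 0; i < l->count; i++) {
        record_t *r = &l->nodes[i];
        if (r->type == type && strcmp(r->src_mac, mac) == 0 && strcmp(r->grabbed, grabbed) == 0)
            return r;
    }
    return NULL;
}

/* Steps S408 to S413: account one detection message received at time `now`
 * (seconds). Returns true when the node count exceeds `threshold`, i.e. the
 * caller should flush the list (S415). */
bool record_detection(record_list_t *l, int type, const char *mac,
                      const char *grabbed, int64_t now, int threshold)
{
    if (grabbed == NULL)
        grabbed = "";                               /* match action: grabbed data is empty */
    record_t *r = find_record(l, type, mac, grabbed);
    if (r == NULL) {                                /* S409/S411: new node */
        if (l->count >= MAX_RECORDS)
            return true;                            /* storage full: flush first (assumption) */
        r = &l->nodes[l->count++];
        memset(r, 0, sizeof *r);
        r->type = type;
        strncpy(r->src_mac, mac, sizeof r->src_mac - 1);
        strncpy(r->grabbed, grabbed, sizeof r->grabbed - 1);
        r->hit_count = 1;
        r->duration = 1;
        r->last_access = now;
        r->last_tick = now;
    } else {                                        /* S412: existing node */
        r->hit_count += 1;
        r->last_access = now;
        if (now - r->last_tick > DURATION_STEP_S) {
            r->last_tick = now;
            r->duration += 1;
        }
    }
    return l->count > threshold;                    /* S413 */
}

/* Step S415: write every node as one CSV line (type, source MAC, grabbed data,
 * hit count, last access, duration) into `out`, then release all nodes.
 * Returns the number of records written, or -1 if `out` is too small. */
int flush_records(record_list_t *l, char *out, size_t cap)
{
    size_t used = 0;
    for (int i = 0; i < l->count; i++) {
        const record_t *r = &l->nodes[i];
        int n = snprintf(out + used, cap - used, "%d,%s,%s,%u,%lld,%u\n",
                         r->type, r->src_mac, r->grabbed, r->hit_count,
                         (long long)r->last_access, r->duration);
        if (n < 0 || (size_t)n >= cap - used)
            return -1;
        used += (size_t)n;
    }
    int written = l->count;
    l->count = 0;                                   /* nodes released, count back to 0 */
    return written;
}

/* Constructed scenario: one device keeps using business type 1 at t = 0, 10,
 * 70 and 200 s (4 hits, duration 3), and once grabs a host for business type 2. */
void demo_fill(record_list_t *l)
{
    const char *mac = "00:11:22:33:44:55";
    const int64_t times[] = { 0, 10, 70, 200 };
    for (size_t i = 0; i < sizeof times / sizeof times[0]; i++)
        record_detection(l, 1, mac, NULL, times[i], 100);
    record_detection(l, 2, mac, "www.example.com", 205, 100);
}

int main(void)
{
    record_list_t l = { 0 };
    char buf[512];
    demo_fill(&l);
    flush_records(&l, buf, sizeof buf);
    fputs(buf, stdout);
    return 0;
}
```

Note that "duration" counts 60 s intervals in which the business was seen again, not wall-clock seconds: the four hits at 0, 10, 70 and 200 s give a duration of 3, because the hit at 10 s falls inside the first interval.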
In summary, the method for home gateway detection and shielding of a user's networking businesses provided by the present invention includes the following steps:
the home gateway obtains a characteristic value file and a blacklist file from the management platform;
the home gateway uses the characteristic value file it obtained to detect related businesses from the packets of the user's networking businesses, generates a user networking business record and returns it to the management platform for preservation; meanwhile, it uses the blacklist file to shield specific devices from accessing specific networking businesses;
the user queries, through the management platform, the networking business records of the devices accessing the home gateway.
Because the home gateway obtains the characteristic values and the blacklist file of the networking businesses to be detected from the management platform, when the characteristic value of a business to be detected changes it is only necessary to change the characteristic value file on the management platform; the home gateway will then obtain the latest characteristic value and blacklist files from the management platform, and the home gateway's image file need not be upgraded because a characteristic value to be detected changed. Ordinary users can also operate it conveniently, which greatly increases the flexibility available to ordinary users.
The present invention is not limited to the above preferred embodiment; any structural change made under the inspiration of the present invention, and any technical solution that is the same as or similar to the present invention, falls within the protection scope of the present invention.

Claims (8)

1. A method for home gateway detection and shielding of a user's networking businesses, characterised in that it comprises the following steps:
the home gateway obtains a characteristic value file and a blacklist file from a management platform, the characteristic value file being used to detect related businesses and capture related keyword fields, and the blacklist file being used to shield specific devices accessing the home gateway from specific networking businesses;
the home gateway uses the characteristic value file it obtained to detect related businesses from the packets of the user's networking businesses, generates a corresponding networking business record file and returns it to the management platform for preservation; meanwhile, it uses the blacklist file to shield specific devices from accessing specific networking businesses;
the user queries, through the management platform, the networking business records of the devices accessing the home gateway;
the business record file records, for a certain device accessing the home gateway, the time of its last access to a related networking business within a certain time period, the access frequency, the duration, and the data captured for related businesses that contain grab rules; each record is identified by the triple of type, source MAC and grabbed data, wherein:
the type field is consistent with the type in the characteristic value file;
the source MAC field is the MAC of the device accessing the home gateway;
the last access field is the time of the most recent access to the networking business;
the hit count field is the number of times the networking business was detected by the home gateway's business detection module;
the duration field is the duration of the networking business;
the grabbed data field is the data obtained by the grab action; for the match action this field is empty.
2. The method as described in claim 1, characterised in that the characteristic value file contains the characteristic information of networking businesses, and the home gateway detects related businesses and captures related keyword fields according to the characteristic information of the networking businesses.
3. The method as described in claim 1, characterised in that the characteristic value file is used to define the rules for detecting the user's networking businesses and includes six fields, type, action, protocol, port, number and rule, wherein:
type is the number of the detected business; every kind of business is assigned a type field number that corresponds to that type in the characteristic value file;
action is the manner in which the business is detected, namely match or grab;
protocol is the IP protocol type of the detected business;
port is the transport-layer destination port number of the detected business;
number is the number of rules required by the match action, or the number of rules required by the grab action, of the detected business;
rule is the basis of the match and grab actions.
4. The method as claimed in claim 3, characterised in that
the rule corresponding to the match action includes, in order, the following fields: offset, characteristic length and characteristic data, meaning that the transport-layer payload must carry, at the specified offset, characteristic data of the characteristic length;
the rule corresponding to the grab action includes, in order, the following fields: offset, header length and header data, tail length and tail data, meaning that if the transport-layer payload, starting from the offset, contains header data of the corresponding header length followed by tail data of the tail length, the data between them is captured.
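The two rule formats of claim 4, and the grab step S217 of the detection flow above, can be exercised in user space over a captured payload. The following is an added example and not code from the patent or from the applicant; it models the rule matching in C, outside the kernel. The struct and function names (match_rule_t, grab_rule_t, match_rule_hit, grab_rule_capture, find_bytes), the HTTP request used as the sample payload and the sample rules (characteristic "GET " at offset 0; header "Host: " and tail "\r\n") are assumptions made for the example; the field meanings follow claim 4.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rule for the "match" action: the transport-layer payload must carry
 * `feature` (feature_len bytes) exactly at byte `offset`. */
typedef struct {
    size_t offset;
    size_t feature_len;
    const uint8_t *feature;
} match_rule_t;

/* Rule for the "grab" action: searching from `offset`, the payload must
 * contain `header` followed later by `tail`; the bytes between the end of
 * the header and the start of the tail are the grabbed data. */
typedef struct {
    size_t offset;
    size_t header_len;
    const uint8_t *header;
    size_t tail_len;
    const uint8_t *tail;
} grab_rule_t;

/* Helper (assumed): index of `needle` within hay[0..hay_len), or -1. */
static long find_bytes(const uint8_t *hay, size_t hay_len,
                       const uint8_t *needle, size_t needle_len)
{
    if (needle_len == 0 || needle_len > hay_len)
        return -1;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return (long)i;
    return -1;
}

/* Returns 1 when the payload matches the rule. The bounds check comes first
 * so that a short or truncated packet can never cause a read past the buffer. */
int match_rule_hit(const match_rule_t *r, const uint8_t *payload, size_t len)
{
    if (r->feature_len > len || r->offset > len - r->feature_len)
        return 0;
    return memcmp(payload + r->offset, r->feature, r->feature_len) == 0;
}

/* Copies the grabbed data (NUL-terminated) into `out` and returns its length,
 * or 0 when header or tail is absent, nothing lies between them, or the data
 * would not fit into `out_cap` bytes. */
size_t grab_rule_capture(const grab_rule_t *r, const uint8_t *payload, size_t len,
                         char *out, size_t out_cap)
{
    if (r->offset >= len || out_cap == 0)
        return 0;
    const uint8_t *p = payload + r->offset;
    size_t plen = len - r->offset;
    long h = find_bytes(p, plen, r->header, r->header_len);
    if (h < 0)
        return 0;
    size_t start = (size_t)h + r->header_len;          /* first byte after the header */
    long t = find_bytes(p + start, plen - start, r->tail, r->tail_len);
    if (t <= 0 || (size_t)t >= out_cap)                 /* t == 0 would be an empty capture */
        return 0;
    memcpy(out, p + start, (size_t)t);
    out[t] = '\0';
    return (size_t)t;
}

/* Constructed sample payload: an HTTP request as it would appear in the TCP
 * payload of a frame from a terminal behind the gateway. */
static const char SAMPLE_HTTP[] =
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n";

/* Match rule: offset 0, characteristic length 4, characteristic "GET ". */
int demo_match_http_get(void)
{
    match_rule_t r = { 0, 4, (const uint8_t *)"GET " };
    return match_rule_hit(&r, (const uint8_t *)SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1);
}

/* Grab rule: offset 0, header "Host: " (length 6), tail "\r\n" (length 2);
 * the grabbed data is the host name between them. */
size_t demo_grab_http_host(char *out, size_t out_cap)
{
    grab_rule_t r = { 0, 6, (const uint8_t *)"Host: ", 2, (const uint8_t *)"\r\n" };
    return grab_rule_capture(&r, (const uint8_t *)SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1,
                             out, out_cap);
}

int main(void)
{
    char host[64];
    printf("match GET: %d\n", demo_match_http_get());
    if (demo_grab_http_host(host, sizeof host))
        printf("grabbed host: %s\n", host);
    return 0;
}
```

Because the rules are applied to every forwarded frame inside the kernel, the length checks before each memcmp are the part worth copying: a rule whose offset plus length exceeds the payload must simply fail to match rather than read beyond the packet buffer.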
5. The method as described in claim 1, characterised in that, when the blacklist file is used to shield specific devices from accessing specific networking businesses, a specific device is identified by its source MAC, and the specific method is as follows:
for a business with the match action, the subsequent fields are a number of source MAC fields, meaning that, for this class of business, the business is shielded whenever the source MAC matches any of the source MAC fields;
for a business with the grab action, the subsequent fields are one source MAC field followed by a number of keyword fields, meaning that, for this class of business, the business is shielded when it comes from that particular source MAC and the captured data matches the value of any keyword field.
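The blacklist decision of claim 5, which is also the flow S301 to S313 of Fig. 8 above, is shown below as an added example. It is not code from the patent or from the applicant: a user-space model in C with the chained list replaced by an array and the lock/unlock steps omitted. The type names (blacklist_node_t, detected_t), the function names (blacklist_hit, decide_drop), the sample blacklist with its MAC addresses and keyword values, and the use of an HTTP host name as the grabbed data are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MACS 4
#define MAX_KEYS 4

typedef enum { ACT_MATCH = 0, ACT_GRAB = 1 } action_t;

/* One node of the blacklist chained list. For a "match" business the node
 * carries a list of source MACs; for a "grab" business it carries one source
 * MAC plus the keyword strings (KeyString fields) that trigger shielding. */
typedef struct {
    int type;                    /* business type number from the characteristic value file */
    action_t action;
    int n_macs;
    const char *macs[MAX_MACS];  /* match: the MAC list; grab: macs[0] is the single source MAC */
    int n_keys;
    const char *keys[MAX_KEYS];  /* grab only */
} blacklist_node_t;

/* What the packet-analysis hook knows after rule matching: the matched
 * rule's type and action, the frame's source MAC and, for grab rules, the
 * grabbed data (NULL for match rules). MAC strings are assumed to be
 * normalised to lower case before comparison. */
typedef struct {
    int type;
    action_t action;
    const char *src_mac;
    const char *grabbed;
} detected_t;

/* Steps S302 to S310: returns true when the blacklist is hit, i.e. the packet
 * is to be discarded (S221) instead of being forwarded and reported (S222). */
bool blacklist_hit(const blacklist_node_t *list, int n, const detected_t *d)
{
    for (int i = 0; i < n; i++) {
        const blacklist_node_t *b = &list[i];
        if (b->type != d->type)                       /* S303: types must agree */
            continue;
        if (d->action == ACT_GRAB) {                  /* S304/S305 */
            if (b->n_macs < 1 || strcmp(b->macs[0], d->src_mac) != 0)
                continue;
            if (d->grabbed == NULL)                   /* nothing grabbed: no keyword can hit */
                continue;
            for (int k = 0; k < b->n_keys; k++)
                if (strcmp(b->keys[k], d->grabbed) == 0)
                    return true;                      /* S306 */
        } else {                                      /* S309/S310 */
            for (int m = 0; m < b->n_macs; m++)
                if (strcmp(b->macs[m], d->src_mac) == 0)
                    return true;
        }
    }
    return false;                                     /* S313 */
}

/* Constructed sample blacklist: type 1 is a match-action business shielded for
 * two devices; type 2 is a grab-action business shielded for one device only
 * when the grabbed data (here an HTTP host name) equals a listed keyword. */
static const blacklist_node_t SAMPLE_BLACKLIST[] = {
    { 1, ACT_MATCH, 2, { "00:11:22:33:44:55", "66:77:88:99:aa:bb" }, 0, { 0 } },
    { 2, ACT_GRAB,  1, { "00:11:22:33:44:55" }, 2, { "www.example.com", "video.example.net" } },
};
#define SAMPLE_N ((int)(sizeof SAMPLE_BLACKLIST / sizeof SAMPLE_BLACKLIST[0]))

/* Decision for one detected packet: true = drop, false = forward and report. */
bool decide_drop(int type, action_t action, const char *src_mac, const char *grabbed)
{
    detected_t d = { type, action, src_mac, grabbed };
    return blacklist_hit(SAMPLE_BLACKLIST, SAMPLE_N, &d);
}

int main(void)
{
    printf("type 1 from listed MAC: %s\n",
           decide_drop(1, ACT_MATCH, "66:77:88:99:aa:bb", NULL) ? "drop" : "forward");
    printf("type 1 from other MAC:  %s\n",
           decide_drop(1, ACT_MATCH, "de:ad:be:ef:00:01", NULL) ? "drop" : "forward");
    printf("type 2, keyword hit:    %s\n",
           decide_drop(2, ACT_GRAB, "00:11:22:33:44:55", "www.example.com") ? "drop" : "forward");
    printf("type 2, keyword miss:   %s\n",
           decide_drop(2, ACT_GRAB, "00:11:22:33:44:55", "other.example.org") ? "drop" : "forward");
    return 0;
}
```

The asymmetry between the two branches is the point of claim 5: for a match-action business the source MAC alone decides, while for a grab-action business both the source MAC and the grabbed keyword must agree, so a listed device is still forwarded when it grabs a value that is not on its keyword list.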
6. The method as described in claim 1, characterised in that the method by which the home gateway uses the characteristic value file it obtained to detect related businesses from the packets of the user's networking businesses is as follows:
first, create the Netlink communication interface and register the communication hook function;
then hang the packet analysis hook function on the NF_BR_PRE_ROUTING node of the Linux kernel Netfilter framework, so that every packet from a terminal under the home gateway is analyzed with priority at the first moment it is forwarded by the home gateway, wherein:
the communication hook function is used to receive the characteristic value setting message and the blacklist setting message from the user-space platform interactive module, and to generate the corresponding matching rule chained list and blacklist chained list;
the packet analysis hook function analyzes every layer-2 message entering the home gateway; if the message characteristic matches the characteristic value of a certain node in the matching rule chained list, the related networking business has been detected;
if a business from a certain source MAC matches a certain node rule in the blacklist chained list, the packet is dropped and not forwarded; in all other cases it is forwarded, and the user-space platform interactive module is notified of the detected business information.
7. The method as described in claim 1, characterised in that, after the home gateway starts, it decides whether to re-download the latest characteristic value file and blacklist file according to the update state of the characteristic value file and the blacklist file on the management platform.
8. A system for home gateway detection and shielding of a user's networking businesses, including a home gateway, characterised in that it also includes a management platform,
the home gateway being provided with a business detection module and a platform interactive module, and the management platform being provided with a gateway interactive module, a customer database and a user man-machine interface;
the business detection module obtains the characteristic value file and the blacklist file from the management platform and, according to the rules set for the different businesses in the characteristic value file, detects related businesses from the packets of the user's networking businesses, captures the related fields in the packets and passes them back to the platform interactive module; the platform interactive module writes the user networking business records returned by the business detection module into the business record file and transmits it to the gateway interactive module of the management platform, and the gateway interactive module in turn updates and preserves the related content in the customer database; the business detection module shields specific devices from accessing specific networking businesses according to the blacklist file;
the business record file records, for a certain device accessing the home gateway, the time of its last access to a related networking business within a certain time period, the access frequency, the duration, and the data captured for related businesses that contain grab rules; each record is identified by the triple of type, source MAC and grabbed data, wherein:
the type field is consistent with the type in the characteristic value file;
the source MAC field is the MAC of the device accessing the home gateway;
the last access field is the time of the most recent access to the networking business;
the hit count field is the number of times the networking business was detected by the home gateway's business detection module;
the duration field is the duration of the networking business;
the grabbed data field is the data obtained by the grab action; for the match action this field is empty.
CN201510633338.5A 2015-09-29 2015-09-29 A kind of home gateway detection and the system and method for shielding user's business of networking Active CN105187446B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510633338.5A CN105187446B (en) 2015-09-29 2015-09-29 A kind of home gateway detection and the system and method for shielding user's business of networking

Publications (2)

Publication Number Publication Date
CN105187446A CN105187446A (en) 2015-12-23
CN105187446B true CN105187446B (en) 2018-03-20

Family

ID=54909290

Country Status (1)

Country Link
CN (1) CN105187446B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106487797B (en) * 2016-10-25 2020-07-07 腾讯科技(深圳)有限公司 Network data processing method and system
CN109934754B (en) * 2019-03-18 2021-09-14 重庆替比网络科技有限公司 Information publishing system for industry supervision and service
CN110048891A (en) * 2019-04-22 2019-07-23 上海市共进通信技术有限公司 The intelligent flow control method of man-machine interaction mode is realized based on residential gateway APP management terminal
CN112866140B (en) * 2020-12-16 2023-06-06 中国联合网络通信集团有限公司 Service matching method, gateway management platform, gateway equipment and server

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008086224A2 (en) * 2007-01-04 2008-07-17 Quest Software, Inc. Systems and methods for detecting and blocking malicious content in instant messages
CN103124226A (en) * 2012-12-03 2013-05-29 深圳市共进电子股份有限公司 Household broadband net-system play monitoring system and method
CN103595692A (en) * 2012-08-13 2014-02-19 中兴通讯股份有限公司 A method and a system which both analyze user network behaviors through household gateways
CN103888305A (en) * 2012-12-19 2014-06-25 中国电信股份有限公司 Home gateway-based monitoring method and system
CN104349370A (en) * 2013-08-01 2015-02-11 中兴通讯股份有限公司 Access control method, apparatus and system


Also Published As

Publication number Publication date
CN105187446A (en) 2015-12-23


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant