CN105516165A - Method, device and system for identifying illegal proxy for charging fraud - Google Patents

Method, device and system for identifying illegal proxy for charging fraud Download PDF

Info

Publication number
CN105516165A
CN105516165A CN201510969780.5A CN201510969780A CN105516165A CN 105516165 A CN105516165 A CN 105516165A CN 201510969780 A CN201510969780 A CN 201510969780A CN 105516165 A CN105516165 A CN 105516165A
Authority
CN
China
Prior art keywords
address
server
core network
proxy server
equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510969780.5A
Other languages
Chinese (zh)
Other versions
CN105516165B (en
Inventor
王彩娟
朱璎
郑磊斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201510969780.5A priority Critical patent/CN105516165B/en
Publication of CN105516165A publication Critical patent/CN105516165A/en
Priority to PCT/CN2016/109060 priority patent/WO2017107780A1/en
Application granted granted Critical
Publication of CN105516165B publication Critical patent/CN105516165B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4552Lookup mechanisms between a plurality of directories; Synchronisation of directories, e.g. metadirectories
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies

Abstract

The invention discloses a method for identifying an illegal proxy for charging fraud. The method comprises the steps: a core network device obtains the URL of a target website and the IP address of a target server, which are carried in a service message; the core network device searches the IP address of a server corresponding to the target website from a preset white list including correspondence relationship of free websites and the IP addresses of legal servers; when the IP address of the server corresponding to the target website does not contain the IP address of the target server, the core network device identifies that the target server is a suspected illegal proxy server. According to the method for identifying the illegal proxy for charging fraud, which is provided by the embodiment of the invention, the illegal proxy for the charging fraud can be accurately identified, and the charging fraud is effectively prevented.

Description

A kind of method, equipment and system identifying the illegal agency that charging is swindled
Technical field
The present invention relates to technical field of network security, be specifically related to a kind of method, the equipment and system that identify the illegal agency that charging is swindled.
Background technology
Along with the large scale deployment in economic development and mobile communication market, traditional voice and novel " flow " business have extensively been employed and have promoted.But in some areas, mobile network's flow rate costly, under this background, network much utilize preferential charging policy leak to carry out the behavior of charging swindle with regard to existing.Such as: charging execution function entity (PolicyandChargingEnforcementFunction, PCEF) filter condition (0.facebook.com) of free packaged service is provided with on, user utilizes this freely condition of coming, when user wants business (www.test.com) of access pay, disguise oneself as the true access service message (www.test.com) that needs are paid coin free service message (0.facebook.com/www.test.com).At camouflage message by after Charging Detection, camouflage message is delivered on proxy server.Charging swindle ignored by proxy server, obtains the network address (UniformResourceLocator, URL) (www.test.com) of user's actual services, is forwarded to service server.Equally, user's downlink message also can be forwarded on PCEF after proxy server processes, is then forwarded on subscriber equipment, realizes obtaining preferential rate access actual services by cheating.
For this kind of camouflage message, always the network address of actual services ceaselessly changes hiding field, cause developer always to need ceaselessly to upgrade, as long as the Web address field of actual services is slightly changed in camouflage message, will can't detect.
For the above-mentioned HTTP (Hypertexttransferprotocol existed in network, HTTP) charging swindle scene, PCEF can obtain the internet protocol (InternetProtocol of the proxy server of swindle in advance, IP) address, but swindle industrial chain can change the IP address of the proxy server of swindle at any time, cause the identification of the proxy server to swindle inaccurate.
Summary of the invention
In order to solve problem very poor to the recognition effect of charging swindle in prior art, the embodiment of the present invention provides a kind of method identifying the illegal agency that charging is swindled, and can identify the illegal agency for charging swindle accurately, thus effective blocking-up charging swindle.The embodiment of the present invention additionally provides corresponding equipment and system.
First aspect present invention provides a kind of method identifying the illegal agency that charging is swindled, the method is applied to the equipment of the core network of communication system, in communication system, independently PCEF, the GGSN/PGW being embedded with PCEF, visualization device, DNSServer etc. belong to equipment of the core network, and described method comprises: equipment of the core network obtains the IP address of object network address URL and the destination server carried in service message; Described equipment of the core network searches the IP address of the server corresponding with described object network address from the white list set up in advance, comprises the corresponding relation of the IP address of free address and legal server in described white list; When not comprising the IP address of described destination server in the IP address of the server corresponding with described object network address, destination server described in described equipment of the core network identification is doubtful illegal proxy server.With in prior art to compared with the very poor problem of the recognition effect of swindling charging, the method for the illegal agency of the identification charging swindle that the embodiment of the present invention provides, can identify the illegal agency for charging swindle accurately, thus effectively blocks charging swindle.
Alternatively, after described in described equipment of the core network identification, destination server is doubtful illegal proxy server, described method also comprises:
The IP address of described destination server is added in gray list by described equipment of the core network, the corresponding relation between the IP address comprising described free address and described doubtful illegal proxy server in described gray list.
Alternatively, described method also comprises:
Described equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in described gray list, and described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Flow accounting described in preset time period is transferred in blacklist higher than the IP address of the doubtful illegal proxy server of the first preset threshold value by described equipment of the core network, the corresponding relation between the IP address comprising described free address and illegal proxy server in described blacklist.
Alternatively, described method also comprises:
Described equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in described gray list, and described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Flow accounting described in preset time period is transferred in described white list lower than the IP address of the doubtful illegal proxy server of the second preset threshold value by described equipment of the core network.
Alternatively, described method also comprises
Described equipment of the core network obtains the legal network address of domain name message;
When described legal network address is free address, described equipment of the core network obtains the IP address of the legal server corresponding with described legal network address from the dns response message that name server sends;
Described equipment of the core network is by corresponding the adding in described white list in IP address of the legal server of described legal network address and described correspondence.
Alternatively, after described in described equipment of the core network identification, destination server is doubtful illegal proxy server, described method also comprises:
Described equipment of the core network, according to the prevention and control strategy for illegal agency, processes described service message.
Second aspect present invention provides a kind of equipment of the core network, is applied to communication system, and in communication system, independently PCEF, the GGSN/PGW being embedded with PCEF, visualization device, DNSServer etc. belong to equipment of the core network, and equipment of the core network comprises:
Acquiring unit, for obtaining the IP address of object network address URL and the destination server carried in service message;
Searching unit, for searching the IP address of server corresponding to the described object network address that obtains with described acquiring unit from the white list set up in advance, in described white list, comprising the corresponding relation of the IP address of free address and legal server;
Recognition unit, for when with described search do not comprise the IP address of described destination server in the IP address of server corresponding to described object network address that unit finds time, identify that described destination server is doubtful illegal proxy server.
With in prior art to compared with the very poor problem of the recognition effect of swindling charging, the equipment of the core network that the embodiment of the present invention provides, can identify the illegal agency for charging swindle accurately, thus effectively blocks charging swindle.
Alternatively, described equipment of the core network also comprises:
First adding device, for after described in described recognition unit identification, destination server is doubtful illegal proxy server, the IP address of described destination server is added in gray list, the corresponding relation between the IP address comprising described free address and described doubtful illegal proxy server in described gray list.
Alternatively, described equipment of the core network also comprises:
First monitoring unit, for monitoring the flow accounting of the doubtful illegal proxy server in described gray list, described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
First buanch unit, for the flow accounting of the first monitoring unit monitoring described in preset time period is transferred in blacklist higher than the IP address of the doubtful illegal proxy server of the first preset threshold value, the corresponding relation between the IP address comprising described free address and illegal proxy server in described blacklist.
Alternatively, described equipment of the core network also comprises:
Second monitoring unit, for monitoring the flow accounting of the doubtful illegal proxy server in described gray list, described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Second buanch unit, for transferring to the flow accounting of the second monitoring unit monitoring described in preset time period in described white list lower than the IP address of the doubtful illegal proxy server of the second preset threshold value.
Alternatively, described equipment of the core network also comprises: the second adding device,
Described acquiring unit, also for obtaining the legal network address of domain name message, when described legal network address is free address, obtains the IP address of the legal server corresponding with described legal network address from the dns response message that name server sends;
Described second adding device, for obtaining corresponding the adding in described white list in IP address of the legal server of the described correspondence of described legal network address and the acquisition of described acquiring unit by described acquiring unit.
Alternatively, described equipment of the core network also comprises:
Processing unit, for identifying after described destination server is doubtful illegal proxy server at described recognition unit, according to the prevention and control strategy for illegal agency, processes described service message.
Third aspect present invention provides a kind of equipment of the core network, be applied to communication system, in communication system, independently PCEF, the GGSN/PGW being embedded with PCEF, visualization device, DNSServer etc. belong to equipment of the core network, equipment of the core network comprises: transceiver, processor and memory, stores the program that processor performs the illegal agency identifying charging swindle in described memory;
Processor is for performing following steps:
Obtain the IP address of object network address URL and the destination server carried in service message;
From the white list set up in advance, search the IP address of the server corresponding with described object network address, in described white list, comprise the corresponding relation of the IP address of free address and legal server;
When not comprising the IP address of described destination server in the IP address of the server corresponding with described object network address, identify that described destination server is doubtful illegal proxy server.
Alternatively, described processor also for the IP address of described destination server is added in gray list, the corresponding relation between the IP address comprising described free address and described doubtful illegal proxy server in described gray list.
Alternatively, described processor is also for monitoring the flow accounting of the doubtful illegal proxy server in described gray list, and described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server; Flow accounting described in preset time period is transferred in blacklist higher than the IP address of the doubtful illegal proxy server of the first preset threshold value, the corresponding relation between the IP address comprising described free address and illegal proxy server in described blacklist.
Alternatively, described processor is also for monitoring the flow accounting of the doubtful illegal proxy server in described gray list, and described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server; Flow accounting described in preset time period is transferred in described white list lower than the IP address of the doubtful illegal proxy server of the second preset threshold value.
Alternatively, described processor is also for obtaining the legal network address of domain name message; When described legal network address is free address, from the dns response message that name server sends, obtain the IP address of the legal server corresponding with described legal network address; By corresponding the adding in described white list in IP address of the legal server of described legal network address and described correspondence.
Alternatively, described processor also for according to the prevention and control strategy for illegal agency, processes described service message.
Fourth aspect present invention provides a kind of system identifying the illegal agency that charging is swindled, and comprising: charging execution function entity PCEF and name server,
Described PCEF is the equipment of the core network described in above-mentioned second aspect or the arbitrary optional implementation of second aspect.
Fifth aspect present invention provides a kind of system identifying the illegal agency that charging is swindled, and comprising: charging execution function entity PCEF, visualization device and name server,
The above-mentioned second aspect of described visualization device or the equipment of the core network described in the arbitrary optional implementation of second aspect.
With in prior art to compared with the very poor problem of the recognition effect of swindling charging, the system of the illegal agency of the identification charging swindle that the embodiment of the present invention provides, can identify the illegal agency for charging swindle accurately, thus effectively blocks charging swindle.
Accompanying drawing explanation
In order to be illustrated more clearly in the technical scheme in the embodiment of the present invention, below the accompanying drawing used required in describing embodiment is briefly described, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those skilled in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
Fig. 1 is an embodiment schematic diagram of communication system in the embodiment of the present invention;
Fig. 2 is an embodiment schematic diagram of the system identifying the illegal agency that charging is swindled in the embodiment of the present invention;
Fig. 3 is ash in the embodiment of the present invention, white, blacklist transfer of content schematic diagram;
Fig. 4 is an embodiment schematic diagram of the process setting up white list in the embodiment of the present invention;
Fig. 5 is another embodiment schematic diagram of the process setting up white list in the embodiment of the present invention;
Fig. 6 is an embodiment schematic diagram of the method identifying the illegal agency that charging is swindled in the embodiment of the present invention;
Fig. 7 is an embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Fig. 8 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Fig. 9 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Figure 10 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Figure 11 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Figure 12 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Figure 13 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention.
Embodiment
The embodiment of the present invention provides a kind of method identifying the illegal agency that charging is swindled, and can identify the illegal agency for charging swindle accurately, thus effective blocking-up charging swindle.The embodiment of the present invention additionally provides corresponding equipment and system.Below be described in detail respectively.
Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, those skilled in the art, not making the every other embodiment obtained under creative work prerequisite, belong to the scope of protection of the invention.
Fig. 1 is an embodiment schematic diagram of communication system in the embodiment of the present invention.
Consult Fig. 1, one embodiment of the communication system that the embodiment of the present invention provides comprises: subscriber equipment (UserEquipment, UE), resident's Access Network (ResidentialAccessNetwork, RAN), charging execution function entity (PolicyandChargingEnforcementFunction, PCEF), ticketing equipment (Billing), visualization device, name server (DomainNameSystemServer, and the service server that provides of service provider (ServiceProvider, SP) DNSServer).Wherein, upper can being provided with of UE helps user to obtain the client of free flow or preferential flow in the mode of swindle.The radio reception device such as base station or evolution base station can be comprised in RAN.PCEF can embed Gateway GPRS Support Node (GatewayGPRSSupportNode, GGSN) or packet switch gateway (PacketDataNetworkGateway, PGW) with built in version, also independently can arrange PCEF.Operator is by Billing dispense flow rate service identification, and the service log-on information of customer flow and charging identifier management, implements on-line/off-line billing function.Visualization device can show the data cases of network, for the timely awareness network data of operator.Domain name can be converted to the IP address that network can identify by DNSServer.Wherein, independently PCEF, the GGSN/PGW being embedded with PCEF, visualization device, DNSServer etc. belong to equipment of the core network.
The core network device of the illegal agency of identification charging that the embodiment of the present invention provides swindle mainly comprises independently PCEF, is embedded with the GGSN/PGW of PCEF, or has the visualization device of the illegal agent capability identifying charging swindle.
Fig. 2 is an embodiment schematic diagram of the system identifying the illegal agency that charging is swindled in the embodiment of the present invention.
Below in conjunction with Fig. 2, illustrate in the embodiment of the present invention and rely on independently PCEF (also can be certainly, the GGSN/PGW being embedded with PCEF) to identify the process of the illegal agency that charging is swindled:
The service message that the subscriber equipment that PCEF reception RAN transmits sends, the object network address URL carried in this service message and the IP address of destination server; Such as: object network address is www.google.com, the IP address of destination server is 74.125.71.120.
PCEF obtains URL from the network layer of service message, obtains the IP address of destination server from IP layer.
PCEF searches the IP address of the server corresponding with described object network address from the white list set up in advance, comprises the corresponding relation of the IP address of free address and legal server in described white list.
Because function main in the embodiment of the present invention is the proxy server preventing from having flow swindle function obtain free flow in the mode of swindle, preferential flow can certainly be comprised, so the network address in white list is all free address or preferential network address, when PCEF finds www.google.com from white list, then can determine the IP address of legal server corresponding with www.google.com network address in white list, detailed process can be consulted table 1 and be understood: as shown in table 1:
Table 1: white list
The IP address of the legal server corresponding to www.google.com can be determined from table 1.
When not comprising the IP address of described destination server in the IP address of the server corresponding with described object network address URL, PCEF identifies that described destination server is doubtful illegal proxy server.
The IP address 74.125.71.120 not comprising destination server in the IP address of the legal server corresponding to www.google.com can be determined from table 1.Certainly, be omit in the IP address in hypothesis table 1 corresponding to www.google.com in the IP address do not write out not comprise this object IP address herein, then can determine that IP address be the server of 74.125.71.120 is doubtful illegal proxy server.Consider to have and identify error, so do not draw black by the proxy server identified, but be defined as doubtful illegal proxy server, determine whether doubtful illegal proxy server is real illegal proxy server again by further monitoring and observation.
After identifying doubtful illegal proxy server, can prevention and control strategy be passed through, reduce operator's loss as blocked, returning the mode such as toll rate and bandwidth restriction.
PCEF identifies that described destination server is after doubtful illegal proxy server, the IP address of described destination server is added in gray list, the corresponding relation between the IP address comprising described free address and described doubtful illegal proxy server in described gray list.
PCEF can carry out continuous surveillance to the doubtful illegal proxy server in gray list, thus further qualitative doubtful illegal proxy server.
PCEF monitors the flow accounting of the doubtful illegal proxy server in described gray list, described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server, namely based on the doubtful free flow of illegal proxy server IP and the ratio of total flow;
Flow accounting described in preset time period is transferred in blacklist higher than the IP address of the doubtful illegal proxy server of the first preset threshold value by PCEF, the corresponding relation between the IP address comprising described free address and illegal proxy server in described blacklist.
Flow accounting described in preset time period is transferred in described white list lower than the IP address of the doubtful illegal proxy server of the second preset threshold value.
First preset threshold value and the second preset threshold value can be the values pre-set, and the first preset threshold value and the second preset threshold value can dynamic conditioning according to demand.
PCEF continues to monitor the flow under each IP address in gray list, record the flow accounting of free flow/total flow, if higher than pre-configured blacklist threshold value, as 90%, namely the first preset threshold value, then by then by flow accounting higher than 90% IP address transfer in blacklist list.If lower than pre-configured white list threshold value, as 50%, namely the second preset threshold value, then transfer to flow accounting in white list list lower than 50%IP address.
Such as: as shown in Figure 3, PCEF monitors flow accounting in gray list under certain IP address higher than the first preset threshold value, illustrate that doubtful illegal proxy server corresponding to this IP address is illegal proxy server, then this IP address is transferred in blacklist, charging antifraud system can be inputted for the IP address in blacklist to process, can also trace to its source for the server that these IP addresses are corresponding, investigate the legal liabilities of the personnel that these illegal proxy servers are set.PCEF to monitor in gray list certain IP address down-off accounting lower than the second preset threshold value, illustrates that doubtful illegal proxy server corresponding to this IP address is legal proxy server, is then transferred in white list this IP address.
Wherein, the first preset threshold value and the second preset threshold value can adjust according to demand, do not limit concrete numerical value.
Can there is the switch of an automatic blacklist in the embodiment of the present invention, blacklist can manual configuration, also needs to support automatically to be converted into blacklist from gray list.Blacklist needs aging, if the illegal proxy server marked in blacklist in predetermined amount of time does not have service message, from blacklist, then delete the IP address of this illegal proxy server, namely periodic refreshing blacklist, from blacklist, delete the IP address of having lost efficacy.
Embodiment described above can identify the illegal agency for charging swindle accurately, thus effective blocking-up charging swindle.
The use that described above is all to white list, gray list and blacklist, introduce the self adaptation process of establishing of white list, gray list and blacklist below:
The corresponding relation of the legal network address of registered in advance and the IP address of legal server can be stored in name server.Set up in the process of white list in self study, during initial condition, white list list is empty, comprises IP address two row of free address and legal server.
As shown in Figure 4, PCEF obtains legal network address (URL) from the domain name messages such as Get/POST/Connect, then according to already present free rate group (RatingGroup, RG) confirm whether this legal network address belongs to free address, in free RG, comprise registered all free addresses.When confirming that this legal network address is free address, then this legal network address is added in the free address row of white list.When URL is www.google.com, the white list obtained is as shown in table 2:
Table 2: white list
Freely (preferential) network address The IP address of legal server
www.google.com
Then, as shown in Figure 5, PCEF obtains the corresponding relation of the IP address of www.google.com and legal server from name server by dns response message, suppose the IP address of the legal server got be 74.125.71.104,173.194.64.199 ...Then again the IP address of correspondence is added in white list, obtain white list as shown in table 3.
Table 3: white list
Like this, the process of repetition corresponding to Fig. 4 and Fig. 5 and the adding procedure of table 2 and table 3, just can set up white list automatically.
If still the IP address of correspondence is not in IP white list in free url list for the URL of certain request, then this IP joins gray list.Content before this process has description, and also have description to white list or the process of transferring to blacklist in aforementioned process about the transfer of content in gray list, therefore it is no longer repeated herein.
After setting up black, white, gray list, can also notify that visualization device judges the black-white-gray list of swindle:
PCEF notifies Visualization Platform each stream whether black/white/gray list, increases a field in source data.
Visualization Platform is added up for gray list, finds out suspicious black agency based on flow accounting and user's accounting etc.
Professional service confirms black agency by packet capturing analysis etc., and blacklist input charging antifraud system is processed.
Reject legal server IP under special screne, IP when disposing WAPGW rejects, and normal WAPGW, has free flow, also has charge flow.Different from actual object IP by the IP address of DNS query, WAPGWIPserver enters gray list, then judges the flow accounting threshold value of WAPGWIP, concerning normal WAPGW, has charge flow, therefore can judge whether normal WAPGW.
When user adopts UC, Operamini browser access business, user uses UC to browse several situation:
1, do not open cloud to accelerate, browser directly accesses ISP;
2, open cloud to accelerate, partial service is conducted interviews by the proxy server of UC, and now, HOST and IP is different, enters gray list, is judged by IP global traffic accounting.
User deploys the cache class business such as CDN, high in the clouds acceleration, and when deployment CDN or cloud accelerate, from existing packet capturing, network address with CDN printed words, will remove the IP of IP i.e. the CDN website of DNS query.
It is free that such as PCEF configures * facebook*, when user accesses facebook, carries the network address (this network address can be identified as freely at PCEF) of similar * facebook.CDN.amazon.*, the IP address of object IP i.e. CDN.Now, CDNIP is added into white list.
To cache class website, an IP can be used by multiple content, if not free URL uses this IP, and can by normal billing at PCEF.
Collecting ServerIP white list by believable DNS message, identify Proxy agency, avoiding swindle industrial chain by forging DNSServer response message altered data.
In the embodiment of the present invention, after the free RG list of configuration, carry out accurate fixation and recognition swindle proxy server IP by adding up free flow and total flow accounting at Preset Time, before solving, operator can not the situation of obtaining information.Prevention and control action can be configured according to the swindle proxy server IP of PCEF self study at PCEF, as blocked, returning toll rate, bandwidth restriction etc., lower operator's loss.
Content described above is all using PCEF as executive agent, or to describe using the equipment of the core network being embedded with PCEF as executive agent, in fact, can also be the process of visualization device has coordinated the identification charging in the embodiment of the present invention to swindle illegal agency with PCEF:
Can be that visualization device sets up white list, gray list and blacklist, then after PCEF receives service message, the IP address of object network address and the destination server carried in service message is parsed from service message, then the IP address of object network address and destination server is sent to visualization device by PCEF, doubtful illegal proxy server is identified by visualization device, and the flow accounting of the doubtful illegal proxy server of further monitor ash list is carried out by visualization device, perform gray list to white list, transfer of content between gray list to blacklist, detailed process is substantially identical with the process performed by above-mentioned PCEF, no longer do too much introduction herein.
Visualization device according to free RG, can also add up the TOPNServerIP of free flow.The list of Visualization Platform support configuration free address, inter-trust domain list of file names, learn free IP white list by DNS.After the TOPServerIP removing IP white list of free flow, all the other are considered as gray list.Visualization Platform adds up free flow, total flow, the free flow accounting of each ServerIP simultaneously, support from gray list, to export the IP blacklist list of doubtful swindle according to self-defined free flow threshold, freely flow accounting threshold value, IP in certain gray list, may be normal Proxy, such as UC browser also may be the IP address of swindle Proxy.For swindle Proxy, its most flow is all free flow, tentatively can judge to swindle IP from free flow accounting, for swindle ProxyIP, can drill through the Top user of swindle further.This form can carry out immediate inquiring, timed task inquiry and send, and attendant can specify blacklist/gray list IP to carry out packet capturing analysis, to determine fraud and fraudulent mean based on this form further.
Visualization device can represent the effect of identification and control on PCEF to operator.
Prior art configures prevention and control action again by manual identified, manual configuration swindle proxy server IP.Compared with prior art, this embodiment introduces the mode of new identification charging swindle----automatically identify the proxy server IP swindled, the automatic closed loop of charging swindle prevention and control can be realized.
Visualization device can configure the IP address of credible dns server, can be that operator provides, and also can inquire about DNS configuration on gateway, and configuration free address url list, such as existing network facebook is free, then configure " * .facebook.* ".
Initially, IP white list is empty.
Following 3 conditions are met: be then saved in IP white list by the IP list in DNSTLV in source data;
In a, source data, ServerIP is credible dns server IP;
B, protocol type are DNS;
In c, DNSTLV, DNShost and free URL can mate;
Visualization Platform can direct configuration of IP white list in addition, to adapt to the scene of the free rule of gateway configuration L3/L4 layer.
In the embodiment of the present invention, collecting ServerIP white list by believable DNS message, identify Proxy agency, avoiding swindle industrial chain by forging DNSServer response message altered data.
After the free RG list of configuration, to add up free flow preset time and total flow accounting carries out accurate fixation and recognition swindle proxy server IP by shunting user and serverIP, before solving, operator can not the situation of obtaining information.
Visualization Platform can indicate the swindle proxy server IP list of PCEF self study, and configures prevention and control action.
The original demand that Visualization Platform gathers charge information on PCEF is not derive from charging antifraud, but the distribution situation of user's access service is provided to operator, charging antifraud depends on original reported data, by the process closed loop self study swindle proxy server of Visualization Platform, farthest make use of existing networking and operation level framework, be easy to dispose.
This embodiment introduces the mode of new identification charging swindle----automatically identify the proxy server IP swindled, the automatic closed loop of charging swindle prevention and control can be realized.And the system of illegal agency of identification charging swindle that the embodiment of the present invention provides also has the following advantages:
Be suitable for wide: no matter actual services image watermarking is where, and all can not affect judgement and the identification of swindle server ip, the scope of application is wider.
Automatic learning: after configuration coin free service RG list, do not need manual configuration by the IP address of the swindle proxy server mating free RG, obtained by equipment self study, adapt to the feature of swindle proxy server IP dynamic change, improve maintainability.
Consult Fig. 6, an embodiment of the method for the illegal agency of the identification charging swindle that the embodiment of the present invention provides comprises:
101, equipment of the core network obtains the IP address of object network address URL and the destination server carried in service message.
102, described equipment of the core network searches the IP address of the server corresponding with described object network address from the white list set up in advance, comprises the corresponding relation of the IP address of free address and legal server in described white list.
When 103, not comprising the IP address of described destination server in the IP address of the server corresponding with described object network address, destination server described in described equipment of the core network identification is doubtful illegal proxy server.
The embodiment of the present invention provides a kind of method identifying the illegal agency that charging is swindled, and can identify the illegal agency for charging swindle accurately, thus effective blocking-up charging swindle.
Alternatively, on the basis of embodiment corresponding to above-mentioned Fig. 6, in first embodiment of the method for the illegal agency of the identification charging swindle that the embodiment of the present invention provides, after described in described equipment of the core network identification, destination server is doubtful illegal proxy server, described method can also comprise:
The IP address of described destination server is added in gray list by described equipment of the core network, the corresponding relation between the IP address comprising described free address and described doubtful illegal proxy server in described gray list.
Alternatively, on the basis of first embodiment of the method for the illegal agency of above-mentioned identification charging swindle, in second embodiment of the method for the illegal agency of the identification charging swindle that the embodiment of the present invention provides,
Described equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in described gray list, and described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Flow accounting described in preset time period is transferred in blacklist higher than the IP address of the doubtful illegal proxy server of the first preset threshold value by described equipment of the core network, the corresponding relation between the IP address comprising described free address and illegal proxy server in described blacklist.
Alternatively, on the basis of first embodiment of the method for the illegal agency of above-mentioned identification charging swindle, in the 3rd embodiment of the method for the illegal agency of the identification charging swindle that the embodiment of the present invention provides,
Described equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in described gray list, and described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Flow accounting described in preset time period is transferred in described white list lower than the IP address of the doubtful illegal proxy server of the second preset threshold value by described equipment of the core network.
Alternatively, on the basis of any embodiment of the method for the illegal agency of above-mentioned identification charging swindle, in the 4th embodiment of the method for the illegal agency of the identification charging swindle that the embodiment of the present invention provides, described method also comprises
Described equipment of the core network obtains the legal network address of domain name message;
When described legal network address is free address, described equipment of the core network obtains the IP address of the legal server corresponding with described legal network address from the dns response message that name server sends;
Described equipment of the core network is by corresponding the adding in described white list in IP address of the legal server of described legal network address and described correspondence.
Alternatively, on the basis of any embodiment of the method for the illegal agency of above-mentioned identification charging swindle, in 5th embodiment of the method for the illegal agency of the identification charging swindle that the embodiment of the present invention provides, after described in described equipment of the core network identification, destination server is doubtful illegal proxy server, described method can also comprise:
Described equipment of the core network, according to the prevention and control strategy for illegal agency, processes described service message.
The embodiment that Fig. 6 is corresponding or the description that arbitrary embodiment can consult Fig. 1 to Fig. 5 part are understood, and it is no longer repeated herein.
Consult Fig. 7, an embodiment of the equipment of the core network 30 that the embodiment of the present invention provides comprises:
Acquiring unit 301, for obtaining the IP address of object network address and the destination server carried in service message;
Search unit 302, for the IP address of server corresponding to the described object network address of searching from the white list set up in advance with described acquiring unit 301 obtains, in described white list, comprise the corresponding relation of the IP address of free address and legal server;
Recognition unit 303, for when with described search do not comprise the IP address of described destination server in the IP address of server corresponding to described object network address that unit 302 finds time, identify that described destination server is doubtful illegal proxy server.
In the embodiment of the present invention, acquiring unit 301 obtains the IP address of object network address and the destination server carried in service message; Search the IP address that unit 302 searches the server corresponding with the described object network address that described acquiring unit 301 obtains from the white list set up in advance, in described white list, comprise the corresponding relation of the IP address of free address and legal server; Recognition unit 303 when with described search do not comprise the IP address of described destination server in the IP address of server corresponding to described object network address that unit 302 finds time, identify that described destination server is doubtful illegal proxy server.The equipment of the core network that the embodiment of the present invention provides can identify the illegal agency for charging swindle accurately, thus effective blocking-up charging swindle.
Alternatively, on the basis of embodiment corresponding to above-mentioned Fig. 7, consult Fig. 8, in first embodiment of the equipment of the core network 30 that the embodiment of the present invention provides, described equipment of the core network 30 also comprises:
First adding device 304, after identifying that described destination server is doubtful illegal proxy server at described recognition unit 303, the IP address of described destination server is added in gray list, the corresponding relation between the IP address comprising described free address and described doubtful illegal proxy server in described gray list.
Alternatively, on the basis of embodiment corresponding to above-mentioned Fig. 8, consult Fig. 9, in second embodiment of the equipment of the core network 30 that the embodiment of the present invention provides, described equipment of the core network 30 also comprises:
First monitoring unit 305, adds the flow accounting of the doubtful illegal proxy server in described gray list to for monitoring described first adding device 304, described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
First buanch unit 306, flow accounting for being monitored by the first monitoring unit 305 described in preset time period is transferred in blacklist higher than the IP address of the doubtful illegal proxy server of the first preset threshold value, the corresponding relation between the IP address comprising described free address and illegal proxy server in described blacklist.
Alternatively, on the basis of embodiment corresponding to above-mentioned Fig. 8, consult Figure 10, in the 3rd embodiment of the equipment of the core network 30 that the embodiment of the present invention provides, described equipment of the core network 30 also comprises:
Second monitoring unit 307, adds the flow accounting of the doubtful illegal proxy server in described gray list to for monitoring described first adding device 304, described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Second buanch unit 308, transfers in described white list lower than the IP address of the doubtful illegal proxy server of the second preset threshold value for the flow accounting monitored by the second monitoring unit 307 described in preset time period.
Alternatively, on the basis of embodiment corresponding to above-mentioned Fig. 7, consult Figure 11, in the 4th embodiment of the equipment of the core network 30 that the embodiment of the present invention provides, described equipment of the core network also comprises: the second adding device 309,
Described acquiring unit 301, also for obtaining the legal network address of domain name message, when described legal network address is free address, obtains the IP address of the legal server corresponding with described legal network address from the dns response message that name server sends;
Described second adding device 309, for obtaining corresponding the adding in described white list in IP address of the legal server of the described correspondence of described legal network address and the acquisition of described acquiring unit by described acquiring unit 301.
Alternatively, on the basis of embodiment corresponding to above-mentioned Fig. 7, consult Figure 12, in the 5th embodiment of the equipment of the core network 30 that the embodiment of the present invention provides, described equipment of the core network 30 also comprises:
Processing unit 311, for identifying after described destination server is doubtful illegal proxy server at described recognition unit 303, according to the prevention and control strategy for illegal agency, processes described service message.
Figure 13 is the structural representation of the equipment of the core network 30 that the embodiment of the present invention provides.Described equipment of the core network 30 comprises processor 310, memory 350 and I/O I/O equipment 330, and memory 350 can comprise read-only memory and random access memory, and provides operational order and data to processor 310.A part for memory 350 can also comprise nonvolatile RAM (NVRAM).
In some embodiments, memory 350 stores following element, executable module or data structure, or their subset, or their superset:
In embodiments of the present invention, by calling the operational order (this operational order can store in an operating system) that memory 350 stores,
Obtain the IP address of object network address and the destination server carried in service message;
From the white list set up in advance, search the IP address of the server corresponding with described object network address, in described white list, comprise the corresponding relation of the IP address of free address and legal server;
When not comprising the IP address of described destination server in the IP address of the server corresponding with described object network address, identify that described destination server is doubtful illegal proxy server.
The equipment of the core network that the embodiment of the present invention provides, can identify the illegal agency for charging swindle accurately, thus effective blocking-up charging swindle.
The operation of processor 310 control core net equipment 30, processor 310 can also be called CPU (CentralProcessingUnit, CPU).Memory 350 can comprise read-only memory and random access memory, and provides instruction and data to processor 310.A part for memory 350 can also comprise nonvolatile RAM (NVRAM).In concrete application, each assembly of equipment of the core network 30 is coupled by bus system 320, and wherein bus system 320 is except comprising data/address bus, can also comprise power bus, control bus and status signal bus in addition etc.But for the purpose of clearly demonstrating, in the drawings various bus is all designated as bus system 320.
The method that the invention described above embodiment discloses can be applied in processor 310, or is realized by processor 310.Processor 310 may be a kind of integrated circuit (IC) chip, has the disposal ability of signal.In implementation procedure, each step of said method can be completed by the instruction of the integrated logic circuit of the hardware in processor 310 or software form.Above-mentioned processor 310 can be general processor, digital signal processor (DSP), application-specific integrated circuit (ASIC) (ASIC), ready-made programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic, discrete hardware components.Can realize or perform disclosed each method, step and the logic diagram in the embodiment of the present invention.The processor etc. of general processor can be microprocessor or this processor also can be any routine.Step in conjunction with the method disclosed in the embodiment of the present invention directly can be presented as that hardware decoding processor is complete, or combines complete by the hardware in decoding processor and software module.Software module can be positioned at random asccess memory, flash memory, read-only memory, in the storage medium of this area maturations such as programmable read only memory or electrically erasable programmable memory, register.This storage medium is positioned at memory 350, and processor 310 reads the information in memory 350, completes the step of said method in conjunction with its hardware.
Alternatively, processor 310 also for the IP address of described destination server is added in gray list, the corresponding relation between the IP address comprising described free address and described doubtful illegal proxy server in described gray list.
Alternatively, processor 310 also for:
Monitor the flow accounting of the doubtful illegal proxy server in described gray list, described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Flow accounting described in preset time period is transferred in blacklist higher than the IP address of the doubtful illegal proxy server of the first preset threshold value, the corresponding relation between the IP address comprising described free address and illegal proxy server in described blacklist.
Alternatively, processor 310 also for:
Monitor the flow accounting of the doubtful illegal proxy server in described gray list, described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Flow accounting described in preset time period is transferred in described white list lower than the IP address of the doubtful illegal proxy server of the second preset threshold value.
Alternatively, processor 310 also for:
Obtain the legal network address of domain name message;
When described legal network address is free address, from the dns response message that name server sends, obtain the IP address of the legal server corresponding with described legal network address;
By corresponding the adding in described white list in IP address of the legal server of described legal network address and described correspondence.
Alternatively, processor 310 also for according to the prevention and control strategy for illegal agency, processes described service message.
The description that above equipment of the core network 30 can consult Fig. 1 to Fig. 6 part is understood, and this place does not do and too much repeats.
One of ordinary skill in the art will appreciate that all or part of step in the various methods of above-described embodiment is that the hardware that can carry out instruction relevant by program has come, this program can be stored in a computer-readable recording medium, and storage medium can comprise: ROM, RAM, disk or CD etc.
The method of the illegal agency of the identification charging swindle provided the embodiment of the present invention above, equipment and system are described in detail, apply specific case herein to set forth principle of the present invention and execution mode, the explanation of above embodiment just understands method of the present invention and core concept thereof for helping; Meanwhile, for one of ordinary skill in the art, according to thought of the present invention, all will change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention.

Claims (14)

1. identify the method for the illegal agency that charging is swindled, it is characterized in that, comprising:
Equipment of the core network obtains the IP address of object network address URL and the destination server carried in service message;
Described equipment of the core network searches the IP address of the server corresponding with described object network address from the white list set up in advance, comprises the corresponding relation of the IP address of free address and legal server in described white list;
When not comprising the IP address of described destination server in the IP address of the server corresponding with described object network address, destination server described in described equipment of the core network identification is doubtful illegal proxy server.
2. method according to claim 1, is characterized in that, after described in described equipment of the core network identification, destination server is doubtful illegal proxy server, described method also comprises:
The IP address of described destination server is added in gray list by described equipment of the core network, the corresponding relation between the IP address comprising described free address and described doubtful illegal proxy server in described gray list.
3. method according to claim 2, is characterized in that, described method also comprises:
Described equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in described gray list, and described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Flow accounting described in preset time period is transferred in blacklist higher than the IP address of the doubtful illegal proxy server of the first preset threshold value by described equipment of the core network, the corresponding relation between the IP address comprising described free address and illegal proxy server in described blacklist.
4. method according to claim 2, is characterized in that, described method also comprises:
Described equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in described gray list, and described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Flow accounting described in preset time period is transferred in described white list lower than the IP address of the doubtful illegal proxy server of the second preset threshold value by described equipment of the core network.
5., according to the arbitrary described method of claim 1-4, it is characterized in that, described method also comprises
Described equipment of the core network obtains the legal network address of domain name message;
When described legal network address is free address, described equipment of the core network obtains the IP address of the legal server corresponding with described legal network address from the dns response message that name server sends;
Described equipment of the core network is by corresponding the adding in described white list in IP address of the legal server of described legal network address and described correspondence.
6., according to the arbitrary described method of claim 1-4, it is characterized in that, after described in described equipment of the core network identification, destination server is doubtful illegal proxy server, described method also comprises:
Described equipment of the core network, according to the prevention and control strategy for illegal agency, processes described service message.
7. an equipment of the core network, is characterized in that, comprising:
Acquiring unit, for obtaining the IP address of object network address URL and the destination server carried in service message;
Searching unit, for searching the IP address of server corresponding to the described object network address that obtains with described acquiring unit from the white list set up in advance, in described white list, comprising the corresponding relation of the IP address of free address and legal server;
Recognition unit, for when with described search do not comprise the IP address of described destination server in the IP address of server corresponding to described object network address that unit finds time, identify that described destination server is doubtful illegal proxy server.
8. equipment of the core network according to claim 7, is characterized in that, described equipment of the core network also comprises:
First adding device, for after described in described recognition unit identification, destination server is doubtful illegal proxy server, the IP address of described destination server is added in gray list, the corresponding relation between the IP address comprising described free address and described doubtful illegal proxy server in described gray list.
9. equipment of the core network according to claim 8, is characterized in that, described equipment of the core network also comprises:
First monitoring unit, for monitoring the flow accounting of the doubtful illegal proxy server in described gray list, described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
First buanch unit, for the flow accounting of the first monitoring unit monitoring described in preset time period is transferred in blacklist higher than the IP address of the doubtful illegal proxy server of the first preset threshold value, the corresponding relation between the IP address comprising described free address and illegal proxy server in described blacklist.
10. equipment of the core network according to claim 8, is characterized in that, described equipment of the core network also comprises:
Second monitoring unit, for monitoring the flow accounting of the doubtful illegal proxy server in described gray list, described flow accounting is the ratio of free flow and total flow on described doubtful illegal proxy server;
Second buanch unit, for transferring to the flow accounting of the second monitoring unit monitoring described in preset time period in described white list lower than the IP address of the doubtful illegal proxy server of the second preset threshold value.
11. according to the arbitrary described equipment of the core network of claim 7-10, and it is characterized in that, described equipment of the core network also comprises: the second adding device,
Described acquiring unit, also for obtaining the legal network address of domain name message, when described legal network address is free address, obtains the IP address of the legal server corresponding with described legal network address from the dns response message that name server sends;
Described second adding device, for obtaining corresponding the adding in described white list in IP address of the legal server of the described correspondence of described legal network address and the acquisition of described acquiring unit by described acquiring unit.
12. according to the arbitrary described equipment of the core network of claim 7-10, and it is characterized in that, described equipment of the core network also comprises:
Processing unit, for identifying after described destination server is doubtful illegal proxy server at described recognition unit, according to the prevention and control strategy for illegal agency, processes described service message.
13. 1 kinds of systems identifying the illegal agency that charging is swindled, is characterized in that, comprising: charging execution function entity PCEF and name server,
Described PCEF is the arbitrary described equipment of the core network of the claims 7-12.
14. 1 kinds of systems identifying the illegal agency that charging is swindled, is characterized in that, comprising: charging execution function entity PCEF, visualization device and name server,
The arbitrary described equipment of the core network of described visualization device the claims 7-12.
CN201510969780.5A 2015-12-22 2015-12-22 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud Active CN105516165B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510969780.5A CN105516165B (en) 2015-12-22 2015-12-22 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud
PCT/CN2016/109060 WO2017107780A1 (en) 2015-12-22 2016-12-08 Method, device and system for recognizing illegitimate proxy for charging fraud

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510969780.5A CN105516165B (en) 2015-12-22 2015-12-22 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud

Publications (2)

Publication Number Publication Date
CN105516165A true CN105516165A (en) 2016-04-20
CN105516165B CN105516165B (en) 2019-05-28

Family

ID=55723801

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510969780.5A Active CN105516165B (en) 2015-12-22 2015-12-22 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud

Country Status (2)

Country Link
CN (1) CN105516165B (en)
WO (1) WO2017107780A1 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017107780A1 (en) * 2015-12-22 2017-06-29 华为技术有限公司 Method, device and system for recognizing illegitimate proxy for charging fraud
CN107896232A (en) * 2017-12-27 2018-04-10 北京奇艺世纪科技有限公司 A kind of IP address appraisal procedure and device
CN108337652A (en) * 2017-01-20 2018-07-27 中国移动通信集团河南有限公司 A kind of method and device of detection flows fraud
CN108347443A (en) * 2018-02-11 2018-07-31 中国联合网络通信集团有限公司 Malice exempts from the discovery method and system of traffic server
CN108809891A (en) * 2017-04-27 2018-11-13 贵州白山云科技有限公司 A kind of server intrusion detection method and device
CN108846096A (en) * 2018-06-15 2018-11-20 中国联合网络通信集团有限公司 Reminding method, terminal, gateway and the customer edge of webpage
CN108933867A (en) * 2017-05-27 2018-12-04 中国移动通信集团公司 A kind of method and device thereof of prevention and control information fraud, equipment, storage medium
CN109525682A (en) * 2017-09-19 2019-03-26 中国移动通信有限公司研究院 Method for processing business, device, network element entity and computer readable storage medium
CN109831461A (en) * 2019-03-29 2019-05-31 新华三信息安全技术有限公司 A kind of distributed denial of service ddos attack defence method and device
CN109996201A (en) * 2018-01-02 2019-07-09 中国移动通信有限公司研究院 A kind of Network Access Method and the network equipment
CN110198248A (en) * 2018-02-26 2019-09-03 北京京东尚科信息技术有限公司 The method and apparatus for detecting IP address
CN111294311A (en) * 2018-12-06 2020-06-16 中国移动通信集团河南有限公司 Flow charging method and system for preventing flow fraud
CN107809752B (en) * 2017-10-16 2020-08-21 南京网元通信技术有限公司 Mobile network flow fraud verification method based on software simulation
CN112256308A (en) * 2020-11-12 2021-01-22 腾讯科技(深圳)有限公司 Target application updating method and device

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111814643A (en) * 2020-06-30 2020-10-23 杭州科度科技有限公司 Black and gray URL (Uniform resource locator) identification method and device, electronic equipment and medium
CN115002203A (en) * 2021-03-02 2022-09-02 京东科技信息技术有限公司 Data packet capturing method, device, equipment and computer readable medium
CN114091014A (en) * 2021-10-29 2022-02-25 珠海大横琴科技发展有限公司 Data processing method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102130791A (en) * 2010-01-14 2011-07-20 深圳市深信服电子科技有限公司 Method, device and gateway server for detecting agent on gateway server
CN102891794A (en) * 2011-07-22 2013-01-23 华为技术有限公司 Data packet transmission control method and gateway device
CN103139205A (en) * 2013-01-30 2013-06-05 华为技术有限公司 Message processing method, device and network server
US20140185490A1 (en) * 2012-05-09 2014-07-03 Telefonaktiebolaget L M Ericsson (Publ) Handling communication sessions in a communications network
CN104486091A (en) * 2014-12-05 2015-04-01 中国联合网络通信集团有限公司 Charging method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101795272B (en) * 2010-01-22 2012-09-19 北京网御星云信息技术有限公司 Illegal website filtering method and device
CN103220296B (en) * 2013-04-26 2015-05-27 腾讯科技(深圳)有限公司 Method, equipment and system of data interaction
CN105516165B (en) * 2015-12-22 2019-05-28 华为技术有限公司 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102130791A (en) * 2010-01-14 2011-07-20 深圳市深信服电子科技有限公司 Method, device and gateway server for detecting agent on gateway server
CN102891794A (en) * 2011-07-22 2013-01-23 华为技术有限公司 Data packet transmission control method and gateway device
US20140185490A1 (en) * 2012-05-09 2014-07-03 Telefonaktiebolaget L M Ericsson (Publ) Handling communication sessions in a communications network
CN103139205A (en) * 2013-01-30 2013-06-05 华为技术有限公司 Message processing method, device and network server
CN104486091A (en) * 2014-12-05 2015-04-01 中国联合网络通信集团有限公司 Charging method and device

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017107780A1 (en) * 2015-12-22 2017-06-29 华为技术有限公司 Method, device and system for recognizing illegitimate proxy for charging fraud
CN108337652A (en) * 2017-01-20 2018-07-27 中国移动通信集团河南有限公司 A kind of method and device of detection flows fraud
CN108337652B (en) * 2017-01-20 2020-12-01 中国移动通信集团河南有限公司 Method and device for detecting flow fraud
CN108809891B (en) * 2017-04-27 2019-12-20 贵州白山云科技股份有限公司 Server intrusion detection method and device
CN108809891A (en) * 2017-04-27 2018-11-13 贵州白山云科技有限公司 A kind of server intrusion detection method and device
CN108933867A (en) * 2017-05-27 2018-12-04 中国移动通信集团公司 A kind of method and device thereof of prevention and control information fraud, equipment, storage medium
CN108933867B (en) * 2017-05-27 2021-04-13 中国移动通信集团公司 Method and device for preventing and controlling information fraud, equipment and storage medium
CN109525682B (en) * 2017-09-19 2021-08-06 中国移动通信有限公司研究院 Service processing method, device, network element entity and computer readable storage medium
CN109525682A (en) * 2017-09-19 2019-03-26 中国移动通信有限公司研究院 Method for processing business, device, network element entity and computer readable storage medium
CN107809752B (en) * 2017-10-16 2020-08-21 南京网元通信技术有限公司 Mobile network flow fraud verification method based on software simulation
CN107896232A (en) * 2017-12-27 2018-04-10 北京奇艺世纪科技有限公司 A kind of IP address appraisal procedure and device
CN109996201A (en) * 2018-01-02 2019-07-09 中国移动通信有限公司研究院 A kind of Network Access Method and the network equipment
CN109996201B (en) * 2018-01-02 2021-01-15 中国移动通信有限公司研究院 Network access method and network equipment
CN108347443B (en) * 2018-02-11 2021-02-02 中国联合网络通信集团有限公司 Method and system for discovering malicious traffic-free server
CN108347443A (en) * 2018-02-11 2018-07-31 中国联合网络通信集团有限公司 Malice exempts from the discovery method and system of traffic server
CN110198248A (en) * 2018-02-26 2019-09-03 北京京东尚科信息技术有限公司 The method and apparatus for detecting IP address
CN110198248B (en) * 2018-02-26 2022-04-26 北京京东尚科信息技术有限公司 Method and device for detecting IP address
CN108846096A (en) * 2018-06-15 2018-11-20 中国联合网络通信集团有限公司 Reminding method, terminal, gateway and the customer edge of webpage
CN111294311A (en) * 2018-12-06 2020-06-16 中国移动通信集团河南有限公司 Flow charging method and system for preventing flow fraud
CN111294311B (en) * 2018-12-06 2022-05-13 中国移动通信集团河南有限公司 Traffic charging method and system for preventing traffic fraud
CN109831461A (en) * 2019-03-29 2019-05-31 新华三信息安全技术有限公司 A kind of distributed denial of service ddos attack defence method and device
CN109831461B (en) * 2019-03-29 2021-10-26 新华三信息安全技术有限公司 Distributed denial of service (DDoS) attack defense method and device
CN112256308A (en) * 2020-11-12 2021-01-22 腾讯科技(深圳)有限公司 Target application updating method and device

Also Published As

Publication number Publication date
CN105516165B (en) 2019-05-28
WO2017107780A1 (en) 2017-06-29

Similar Documents

Publication Publication Date Title
CN105516165A (en) Method, device and system for identifying illegal proxy for charging fraud
KR101662605B1 (en) System and method for correlating network information with subscriber information in a mobile network environment
CN102884764B (en) Message receiving method, deep packet inspection device, and system
US20140317278A1 (en) Traffic Analysis for HTTP User Agent Based Device Category Mapping
US11316948B2 (en) Exit node benchmark feature
US20170134957A1 (en) System and method for correlating network information with subscriber information in a mobile network environment
US10075303B2 (en) Method and apparatus for performing charging control to a sponsored data application
US20120198061A1 (en) User Interest and Identity Control on Internet
CN104219230B (en) Identify method and the device of malicious websites
CN108156042A (en) It provides with caching related information to core network in access network
CN108206769A (en) Method, apparatus, equipment and the medium of screen quality alarm
CN108322354B (en) Method and device for identifying running-stealing flow account
CN106411819A (en) Method and apparatus for recognizing proxy Internet protocol address
Griffioen et al. Quantifying autonomous system ip churn using attack traffic of botnets
CN106067879B (en) The detection method and device of information
CN116057903A (en) Performance measurement by user communication device
CN102075588B (en) Method and system for realizing network address translation (NAT) transversing and equipment
CN103716804B (en) Wireless data communication network user network behavior analyzing method, device and system
CN103686658A (en) Method and system for realizing application content charging
US10817592B1 (en) Content tracking system that dynamically tracks and identifies pirated content exchanged over a network
CN109995889B (en) Method and device for updating mapping relation table, gateway equipment and storage medium
CN110198294A (en) Security attack detection method and device
CN107707469A (en) Method and apparatus for test access path
CN111294311B (en) Traffic charging method and system for preventing traffic fraud
CN115580563B (en) Mirror image data processing method and device of cloud network and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant