CN105636076B - Method, apparatus and device for auditing illicit built-in terminal behavior - Google Patents

Publication number
CN105636076B
Authority
CN
China
Legal status
Active
Application number
CN201410626260.XA
Other languages
Chinese (zh)
Other versions
CN105636076A (en)
Inventor
黄宇
曾键
张志伟
林静
曾智
胡铁
霍要峰
刘志诚
Current Assignee
China Mobile Group Sichuan Co Ltd
Aspire Digital Technologies Shenzhen Co Ltd
Original Assignee
China Mobile Group Sichuan Co Ltd
Aspire Digital Technologies Shenzhen Co Ltd
Application filed by China Mobile Group Sichuan Co Ltd, Aspire Digital Technologies Shenzhen Co Ltd
Priority to CN201410626260.XA
Publication of CN105636076A
Application granted
Publication of CN105636076B

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for auditing illicit built-in terminal behavior. The method comprises: obtaining the service-side logs and network-side logs generated while terminal users use and/or order a service; and analyzing, from the obtained service-side and network-side logs, whether all terminal users of each service concentrate their accesses on one or several abnormal websites on the corresponding service on-demand date; if so, the service is determined to be an abnormal service. The invention also discloses an apparatus and a device that implement the method.

Description

Method, apparatus and device for auditing illicit built-in terminal behavior
Technical field
The present invention relates to the field of mobile communication technology, and in particular to a method, apparatus and device for auditing illicit built-in terminal behavior.
Background
Illicit built-in terminal behavior refers to the following: a built-in solution provider pre-installs fee-siphoning software on the user's mobile phone; without the user's knowledge, the software orders and uses the services of an offending service provider (SP)/content provider (CP), and the provider ultimately profits through its share of the value-added service revenue.
Because illicit built-in terminal behavior charges fees without the user's knowledge, it produces a large number of "unwitting subscription" complaints. The service usage records it generates are hard to tell apart from those of normal users, which makes it difficult for service managers to collect evidence against offending services and penalize them. Collecting evidence on offending services has therefore become a technical problem in urgent need of a solution.
At present, the main analysis methods for illicit built-in terminal behavior are dial testing of shanzhai (knock-off) phones and 182 error analysis. Both methods have the following drawbacks:
For dial testing of shanzhai phones: built-in solution providers apply special control mechanisms to phones that carry a fee-siphoning back door, for example activating fee siphoning only 3 months after the phone leaves the factory, or suppressing fee siphoning for operators' test numbers, which greatly reduces the effectiveness of testing such phones. In addition, as smartphones become cheaper, the number of shanzhai phones has itself fallen sharply, and this dial-testing method cannot detect fee siphoning on smartphones, so its scope of application is limited.
For 182 error analysis: because it is currently the most widely used method of identifying illicit built-in terminal behavior, built-in solution providers have adopted evasion measures aimed specifically at it, so the method does not achieve the expected effect.
Summary of the invention
To solve the existing technical problems, embodiments of the present invention provide a method, apparatus and device for auditing illicit built-in terminal behavior.
An embodiment of the present invention provides a method for auditing illicit built-in terminal behavior, the method comprising:
obtaining the service-side logs and network-side logs generated while terminal users use and/or order a service, and analyzing, from the obtained service-side and network-side logs, whether all terminal users of each service concentrate their accesses on one or several abnormal websites on the corresponding service on-demand date; if so, determining that the service is an abnormal service.
Preferably, the method further comprises:
analyzing, from the obtained service-side logs, whether the secondary-confirmation replies of all terminal users of each service are concentrated on one or several contents; if so, determining that the service is an abnormal service.
Analyzing whether all terminal users of each service concentrate their accesses on one or several abnormal websites on the corresponding service on-demand date comprises:
analyzing the Internet access logs of all terminal users of each service, and determining from them the website most visited by the terminal users;
analyzing the Wireless Application Protocol (WAP) gateway logs of the same date as the Internet access logs and, from the WAP gateway logs, compiling statistics on the terminal types that accessed the most-visited website and on the number of that website's pages that were accessed; if the terminal types are fixed to one or several types, or the accessed pages are fixed to one or several pages, determining that the service is an abnormal service.
Preferably, the method further comprises:
extracting the update address from one terminal user's WAP gateway log and running a simulated dial test against it, and matching the text file downloaded from the update address during the dial test against the service on-demand instruction information queried from the Mobile Information Service Center (MISC).
The abnormal website is a website in whose access logs the terminal type is fixed to one or several types, or whose accessed pages are fixed to one or several pages.
An embodiment of the present invention also provides an apparatus for auditing illicit built-in terminal behavior, the apparatus comprising an acquisition module and an analysis and processing module, wherein:
the acquisition module is configured to obtain the service-side logs and network-side logs generated while terminal users use and/or order a service;
the analysis and processing module is configured to analyze, from the service-side and network-side logs obtained by the acquisition module, whether all terminal users of each service concentrate their accesses on one or several abnormal websites on the corresponding service on-demand date, and if so, to determine that the service is an abnormal service.
The analysis and processing module is further configured to analyze, from the service-side logs obtained by the acquisition module, whether the secondary-confirmation replies of all terminal users of each service are concentrated on one or several contents, and if so, to determine that the service is an abnormal service.
The analysis and processing module analyzing whether all terminal users of each service concentrate their accesses on one or several abnormal websites on the corresponding service on-demand date comprises:
analyzing the Internet access logs of all terminal users of each service, and determining from them the website most visited by the terminal users;
analyzing the Wireless Application Protocol (WAP) gateway logs of the same date as the Internet access logs and, from the WAP gateway logs, compiling statistics on the terminal types that accessed the most-visited website and on the number of that website's pages that were accessed; if the terminal types are fixed to one or several types, or the accessed pages are fixed to one or several pages, determining that the service is an abnormal service.
The analysis and processing module is further configured to extract the update address from one terminal user's WAP gateway log and run a simulated dial test against it, and to match the text file downloaded from the update address during the dial test against the service on-demand instruction information queried from the Mobile Information Service Center (MISC).
An embodiment of the present invention also provides a device for auditing illicit built-in terminal behavior, the device comprising the apparatus described above.
With the method, apparatus and device for auditing illicit built-in terminal behavior provided by the embodiments of the present invention, the service-side logs and network-side logs generated while terminal users use and/or order a service are obtained, and these logs are analyzed to determine whether all terminal users of each service concentrate their accesses on one or several abnormal websites on the corresponding service on-demand date; if so, the service is determined to be an abnormal service. By analyzing the network-side and service-side logs of end users who were subscribed without their knowledge, the embodiments of the present invention can locate the back-end address of the built-in solution provider. The problem of illicit built-in access and subscription can then be solved through a subsequent dial-testing process and/or network-side blocking process, thoroughly containing illicit built-in terminal behavior and thus achieving the expected effect. In addition, the embodiments of the present invention place no restriction on terminal type, so they are widely applicable and practical.
Brief description of the drawings
In the drawings (which are not necessarily drawn to scale), like reference numerals may describe similar components in different views. Like reference numerals with different letter suffixes may denote different instances of similar components. The drawings illustrate, by way of example and not limitation, the embodiments discussed herein.
Fig. 1 is a flow diagram of the method for auditing illicit built-in terminal behavior according to an embodiment of the present invention;
Fig. 2 is a partial view of the "abnormal service check" report in an application scenario of the invention;
Fig. 3 is a partial view of the terminal type concentration report in an application scenario of the invention;
Fig. 4 is a partial view of the page concentration report in an application scenario of the invention;
Fig. 5 shows part of the content of the text file downloaded during dial testing, displayed in a text editor, in an application scenario of the invention;
Fig. 6 is a flow diagram of the user uplink on-demand service flow based on group control according to an embodiment of the present invention;
Fig. 7 is a structural diagram of the apparatus for auditing illicit built-in terminal behavior according to an embodiment of the present invention.
Detailed description
In the embodiments of the present invention, the service-side logs and network-side logs generated while terminal users use and/or order a service are obtained, and these logs are analyzed to determine whether all terminal users of each service concentrate their accesses on one or several abnormal websites on the corresponding service on-demand date; if so, the service is determined to be an abnormal service.
In the embodiments of the present invention, an abnormal service is an abnormal SP/CP service, as opposed to a normal SP/CP service; the two are hereinafter referred to simply as abnormal service and normal service.
In the embodiments of the present invention, an abnormal website is defined by the following principle: whether, across all access logs of the website, the terminal types are highly concentrated or the accessed pages are highly concentrated, that is, whether the terminal type is fixed to one or several types or the accessed pages are fixed to one or several pages. If so, the website is an abnormal website.
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a flow diagram of the method for auditing illicit built-in terminal behavior according to an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step 101: obtain the service-side logs and network-side logs generated while terminal users use and/or order a service;
In the embodiments of the present invention, the service-side logs may include terminal Internet access logs, secondary-confirmation interaction logs, service authentication logs and the like; the network-side logs may include WAP gateway logs, WAPPULL logs and the like. The service-side logs can be obtained from the Mobile Information Service Center (MISC), and the network-side logs can be obtained from the WAP gateway.
Step 102: analyze, from the obtained service-side and network-side logs, whether all terminal users of each service concentrate their accesses on one or several abnormal websites on the corresponding service on-demand date; if so, execute step 103; otherwise, execute step 104;
Step 103: determine that the service is an abnormal service.
Step 104: determine that the service is a normal service.
In an embodiment of the invention, the method further comprises: analyzing, from the obtained service-side logs, whether the secondary-confirmation replies of all terminal users of each service are concentrated on one or several contents; if so, determining that the service is an abnormal service.
The analysis of terminal users' secondary-confirmation replies is described in detail below with reference to a concrete application scenario.
In the current Monternet on-demand service flow, many services enable the "reply with any content" secondary-confirmation function. For example, after the user's phone sends an uplink on-demand instruction, the Mobile Information Service Center (MISC) sends an SMS: "You are about to use service xx of company xx, information fee x yuan per message, customer service line xx; reply with any content to confirm, no reply means no order". Normal users' replies are fairly dispersed and may be Chinese characters, letters, punctuation marks, digits and many other kinds of content. The plug-in program supplied by a built-in solution provider, by contrast, usually hard-codes the reply, for example always replying "1" or "Y", or always replying with one or a few of the 26 letters "a-z". Therefore, by analyzing the MISC secondary-confirmation interaction logs and compiling a report on the concentration of user reply content for each service, it is possible to determine whether the service involves illicit built-in terminal behavior.
The two report examples below give the secondary-confirmation reply content concentration data of a normal service and of an abnormal service respectively. Table 1 is the secondary-confirmation reply content concentration report data of a normal service, as shown in the table:
Table 1
As Table 1 shows (see the single reply count), the secondary-confirmation reply content of this service's terminal users is fairly dispersed: it includes English letters, digits, punctuation marks, Chinese characters and other kinds of content, which matches normal user habits, so the service can be determined to be a normal service.
Table 2 is the secondary-confirmation reply content concentration report data of an abnormal service, as shown in the table:
Period       Reply content       Single reply count   Total reply count   Share
2013-06-10   any                 8425                 8710                96.73%
2013-06-10   2                   265                  8710                3.04%
2013-06-10   OK                  4                    8710                0.05%
2013-06-10   Arbitrary content   3                    8710                0.03%
2013-06-10   It is               2                    8710                0.02%
2013-06-10   0                   1                    8710                0.01%
2013-06-10   4                   1                    8710                0.01%
2013-06-10   6                   1                    8710                0.01%
2013-06-10   e                   1                    8710                0.01%
2013-06-10   s                   1                    8710                0.01%
2013-06-10   t                   1                    8710                0.01%
2013-06-10   m                   1                    8710                0.01%
2013-06-10   a                   1                    8710                0.01%
2013-06-10   7                   1                    8710                0.01%
2013-06-10   5                   1                    8710                0.01%
2013-06-10   1                   1                    8710                0.01%
Table 2
As Table 2 shows (see the single reply count), the secondary-confirmation reply content of this service's terminal users is very highly concentrated: 96.73% of the replies are the single content "any". This clearly does not match normal user habits and is evidently the result of a plug-in program setting the reply content uniformly. The service can therefore be determined to be an abnormal service, that is, the service involves illicit built-in terminal behavior.
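The reply-concentration report described above can be computed as follows. This is an added example, not code from the patent: the counts for "SVC-A" reproduce Table 2, while the service ids, the "SVC-B" data, the top-3 window and the 0.95 threshold are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Counts from Table 2 on this page (reply text -> single reply count).
TABLE_2 = {"any": 8425, "2": 265, "OK": 4, "Arbitrary content": 3, "It is": 2,
           "0": 1, "4": 1, "6": 1, "e": 1, "s": 1, "t": 1, "m": 1,
           "a": 1, "7": 1, "5": 1, "1": 1}
# Constructed counts for a normal-looking service (not from the page).
NORMAL = {"1": 310, "Y": 280, "ok": 190, "hao": 170, "shi": 150,
          "y": 140, ".": 90, "0": 80, "a": 60, "en": 30}


def expand(service_id, counts):
    """Turn a count table into (service_id, reply) log rows."""
    return [(service_id, reply) for reply, n in counts.items() for _ in range(n)]


# Constructed log rows as they might be parsed from the MISC
# secondary-confirmation interaction log; service ids are hypothetical.
ROWS = expand("SVC-A", TABLE_2) + expand("SVC-B", NORMAL)


def reply_concentration(replies, top_k=3):
    """Concentration metrics for one service's secondary-confirmation replies."""
    counts = Counter(replies)
    total = sum(counts.values())
    ranked = counts.most_common()
    top_reply, top_n = ranked[0]
    entropy = -sum((n / total) * math.log2(n / total) for n in counts.values())
    max_entropy = math.log2(len(counts)) if len(counts) > 1 else 1.0
    return {
        "total": total,
        "top_reply": top_reply,
        "top_share": top_n / total,
        # "one or several contents": share held by the k most common replies
        "top_k_share": sum(n for _, n in ranked[:top_k]) / total,
        "distinct": len(counts),
        "norm_entropy": entropy / max_entropy,  # 0 = one fixed reply, 1 = uniform
    }


def audit_services(rows, top_k=3, threshold=0.95, min_replies=100):
    """Return the ids of services whose replies are concentrated on a few contents.

    threshold and min_replies are assumed values; the page gives no cut-off.
    Services with too few replies are skipped rather than judged.
    """
    by_service = defaultdict(list)
    for service_id, reply in rows:
        by_service[service_id].append(reply)
    flagged = []
    for service_id, replies in by_service.items():
        if len(replies) < min_replies:
            continue
        if reply_concentration(replies, top_k)["top_k_share"] >= threshold:
            flagged.append(service_id)
    return sorted(flagged)


if __name__ == "__main__":
    for sid in ("SVC-A", "SVC-B"):
        m = reply_concentration([r for s, r in ROWS if s == sid])
        print(sid, m["top_reply"], f"{m['top_share']:.2%}", f"{m['norm_entropy']:.2f}")
    print("abnormal:", audit_services(ROWS))
```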
From the flow of existing illicit built-in terminal behavior it is known that the fee-siphoning software first accesses the solution provider's update address to obtain the fee-siphoning instruction (send an on-demand instruction to an SP port), and then triggers the on-demand order in the background on the user's behalf. Therefore, by analyzing whether all users of each service concentrate their accesses on certain abnormal websites on the corresponding service on-demand date, it is possible to determine whether the service involves illicit built-in terminal behavior and to identify the corresponding built-in solution provider's back-end address.
In this scheme, an abnormal website is identified by whether, across all access logs of the website, the terminal types or the accessed pages are highly concentrated; if so, the website is an abnormal website. As for terminal type (User-Agent): a normal website is visited by many different types of terminal using browsers, so the User-Agent values recorded at the WAP gateway are fairly dispersed; an abnormal website is accessed covertly in the background by the plug-in program on the user's behalf, and the User-Agent it sets is fixed to one or a few values. As for accessed pages: a normal website generally has many pages and usually also image files, JavaScript script files, CSS style files and the like; an abnormal website is responsible only for the background updates of the terminal fee-siphoning software, so it usually has only one page or a very small number of pages. Therefore, in this scheme, compiling the terminal type concentration report and the page concentration report of each website makes it possible to determine whether the website is a built-in solution provider's address.
In an embodiment of the invention, analyzing, from the obtained service-side and network-side logs, whether all terminal users of each service concentrate their accesses on one or several abnormal websites on the corresponding service on-demand date comprises:
analyzing the Internet access logs of all terminal users of each service, and determining from them the website most visited by the terminal users; analyzing the WAP gateway logs of the same date as the Internet access logs and, from the WAP gateway logs, compiling statistics on the terminal types that accessed the most-visited website and on the number of that website's pages that were accessed; if the terminal types are fixed to one or several types, or the accessed pages are fixed to one or several pages, determining that the service is an abnormal service.
The method of judging an abnormal service from an abnormal website is described in detail below with reference to a concrete application scenario.
Step 1: analyze the Internet access logs of all users of each service to obtain the "abnormal service check" report, and determine the website most visited by the terminal users;
Here, the format of the "abnormal service check" report is shown in Fig. 2. According to the report data, of the 1074 users in total of the service suspected of violation, 898 accessed the website "www.bldre.com", a share of 83.6%, the highest number of visits of any website.
Step 2: analyze the WAP gateway logs of the same date as the Internet access logs, and compile the terminal type concentration report and the page concentration report for accesses to that website;
The format of the terminal type concentration report is shown in Fig. 3. In all access logs of the website "www.bldre.com", the terminal type is fixed to "SQH_D480B_01/LB19504/WAP2.0Pr", which is an obvious anomaly.
The format of the page concentration report is shown in Fig. 4. In all access logs of the website "www.bldre.com", the accessed pages are fixed to 4 pages: queren.bin, lsmxconfig2.bin, ortherconfig.bin and Ortherqueren.bin, which is likewise an obvious anomaly.
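Steps 1 and 2 above can be sketched as follows. This is an added example, not code from the patent: the host, User-Agent, page names and the 1074/898 user counts come from the scenario on this page, while the log row layout, the "portal.example" comparison site and the thresholds (min_share, max_kinds, min_requests) are assumptions.

```python
from collections import defaultdict

# Values taken from this page's application scenario.
SUSPECT_HOST = "www.bldre.com"
FIXED_UA = "SQH_D480B_01/LB19504/WAP2.0Pr"
FIXED_PAGES = ["queren.bin", "lsmxconfig2.bin", "ortherconfig.bin", "Ortherqueren.bin"]


def build_sample():
    """Constructed logs: 1074 users of one service, 898 of whom hit SUSPECT_HOST.

    access rows are (user, host); wap rows are (host, page, user_agent).
    """
    users = [f"u{i:04d}" for i in range(1074)]
    access, wap = [], []
    for i, user in enumerate(users):
        if i < 898:
            access.append((user, SUSPECT_HOST))
            wap.append((SUSPECT_HOST, FIXED_PAGES[i % 4], FIXED_UA))
        if i % 3 == 0:  # a normal portal: many handsets, many pages
            ua = f"Handset-{i % 40}/Browser"
            access.append((user, "portal.example"))
            wap.append(("portal.example", f"/news/{i}.html", ua))
            wap.append(("portal.example", "/static/site.css", ua))
    return users, access, wap


def most_visited_site(access, service_users):
    """Step 1: the host visited by the most distinct users of the service."""
    visitors = defaultdict(set)
    for user, host in access:
        visitors[host].add(user)
    host = max(visitors, key=lambda h: len(visitors[h]))
    count = len(visitors[host])
    return host, count, count / len(service_users)


def site_concentration(wap, host):
    """Step 2: distinct terminal types and pages seen for one host."""
    user_agents, pages, requests = set(), set(), 0
    for row_host, page, user_agent in wap:
        if row_host == host:
            user_agents.add(user_agent)
            pages.add(page)
            requests += 1
    return {"requests": requests, "user_agents": len(user_agents), "pages": len(pages)}


def is_abnormal_site(conc, max_kinds=5, min_requests=100):
    """'Fixed to one or several' terminal types OR pages; cut-offs are assumed."""
    if conc["requests"] < min_requests:
        return False  # too little traffic to judge
    return conc["user_agents"] <= max_kinds or conc["pages"] <= max_kinds


def audit_service(service_users, access, wap, min_share=0.5):
    """Combine both steps into a verdict for one service (min_share is assumed)."""
    host, count, share = most_visited_site(access, service_users)
    conc = site_concentration(wap, host)
    return {"host": host, "visitors": count, "share": share, **conc,
            "abnormal": share >= min_share and is_abnormal_site(conc)}


if __name__ == "__main__":
    users, access, wap = build_sample()
    print(audit_service(users, access, wap))
    print(site_concentration(wap, "portal.example"))
```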
To further verify whether the abnormal website really is a solution provider's address, in an embodiment of the invention the method further comprises:
extracting the update address from one terminal user's WAP gateway log and running a simulated dial test against it (for solution-provider back-end addresses that use the HTTP GET protocol), and matching the text file downloaded from the update address during the dial test against the service on-demand instruction information queried from the MISC (for solution-provider back-end addresses that use the HTTP POST protocol). This confirms that the current service is an abnormal service and thereby further verifies that the website is indeed the back-end website of a built-in solution provider.
In practice, the following dial-testing procedure can be used:
Still taking the application scenario above as an example, to determine whether the website "www.bldre.com" is the back-end website of a built-in solution provider, the update address in one user's WAP gateway log can be extracted and dial-tested. The extracted address is: http://www.bldre.com/menu/lsmxconfig2.bin?soft_ver=07&free_type=0&client=LSMXXYLYY&clien_ver=20111216&version=1&SMSP=13800451500&IMSI=94600250743909729. The dial test downloads a text file named "lsmxconfig2.bin"; opening this file in a text editor shows the content in Fig. 5.
In Fig. 5, the part shown in reverse video is the update instruction obtained by the plug-in program: send 81342 to "JIOOIJLNOQO", where "JIOOIJLNOQO" is the SP port transformed by a simple encryption whose mapping is I-0, J-1, K-2, L-3, M-4, N-5, O-6, P-7, Q-8, R-9; the decrypted port number is "10660135686". Finally, querying the MISC service on-demand instruction information confirms "send instruction 81342 to 10660135686", and the service matched is exactly the offending service found in the abnormal service check above, which further verifies that the website is the back-end address of a built-in solution provider.
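The decoding and matching step described above can be reproduced as follows. This is an added example, not code from the patent: the letter-to-digit mapping, the instruction 81342 and the port values come from this page, while the one-line-per-instruction file layout, the MISC record fields and the service ids are constructed, because the content of Fig. 5 is not reproduced here.

```python
# Mapping stated on the page: I-0, J-1, K-2, L-3, M-4, N-5, O-6, P-7, Q-8, R-9.
LETTER_TO_DIGIT = {chr(ord("I") + d): str(d) for d in range(10)}


def decode_port(encoded):
    """Decode an obfuscated SP port; reject characters outside I..R."""
    bad = sorted(set(encoded) - set(LETTER_TO_DIGIT))
    if not encoded or bad:
        raise ValueError(f"not an I..R encoded port: {encoded!r} (bad chars {bad})")
    return "".join(LETTER_TO_DIGIT[c] for c in encoded)


def parse_update_file(text):
    """Parse lines of the ASSUMED form '<instruction>,<encoded port>'.

    Blank lines and lines that do not decode are skipped, so unrelated
    content in the downloaded file does not abort the analysis.
    """
    found = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not parts[0]:
            continue
        try:
            found.append((parts[0], decode_port(parts[1])))
        except ValueError:
            continue
    return found


def match_against_misc(instructions, misc_records):
    """Return ids of services whose on-demand instruction and SP port both match."""
    wanted = set(instructions)
    return sorted({r["service_id"] for r in misc_records
                   if (r["instruction"], r["sp_port"]) in wanted})


# Constructed stand-in for the downloaded update file.
SAMPLE_UPDATE_FILE = "ver=20111216\n81342,JIOOIJLNOQO\nnoise,HELLO\n"

# Constructed MISC on-demand instruction records; service ids are hypothetical.
SAMPLE_MISC = [
    {"service_id": "SVC-A", "instruction": "81342", "sp_port": "10660135686"},
    {"service_id": "SVC-B", "instruction": "81342", "sp_port": "10660000000"},
    {"service_id": "SVC-C", "instruction": "5", "sp_port": "10660135686"},
]

if __name__ == "__main__":
    parsed = parse_update_file(SAMPLE_UPDATE_FILE)
    print(parsed)
    print(match_against_misc(parsed, SAMPLE_MISC))
```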
As the prior art shows, terminal fee-siphoning software can answer the current "reply with any content" secondary confirmation on the user's behalf. This scheme therefore proposes a new secondary-confirmation mode (shown in Fig. 6), namely "random-question secondary confirmation configured per user group and per service group", so that the fee-siphoning software's secondary confirmation on the user's behalf is intercepted on the service side, thereby preventing illicit built-in terminal behavior.
Fig. 6 is a flow diagram of the user uplink on-demand service flow based on group control according to an embodiment of the present invention. As shown in Fig. 6, the flow comprises:
Step 601: the user sends an uplink instruction to the SMS gateway to order a service on demand;
Step 602: the SMS gateway sends the on-demand request to the service management platform;
Step 603: the service management platform performs authentication operations such as subscriber authentication and service authentication;
Step 604: the service management platform performs user group authentication to determine which group the user belongs to;
Step 605: user group secondary-confirmation policy authentication: determine the secondary-confirmation policy of the user group the user belongs to;
Step 606: the service management platform performs service group authentication to determine which group the service belongs to;
Step 607: service group secondary-confirmation policy authentication: determine the secondary-confirmation policy of the service group the service belongs to;
Step 608: the service management platform returns the on-demand request response to the SMS gateway, indicating that the user must perform secondary confirmation;
Step 609: the service management platform forwards the secondary-confirmation request, carrying the secondary-confirmation policy, to the SMS center;
Step 610: the SMS center composes the corresponding secondary-confirmation SMS according to the secondary-confirmation policy;
Step 611: the SMS gateway delivers the secondary-confirmation SMS to the user;
Step 612: the user replies to the secondary-confirmation SMS;
Step 613: the SMS center sends an on-demand confirmation request to the service management platform;
Step 614: the service management platform generates a temporary order relationship;
Step 615: the service management platform sends the on-demand confirmation response to the SMS gateway;
Step 616: the SMS gateway delivers the on-demand confirmation response to the user.
The auditing device can synchronize the "random questions configured per user group and per service group" to the secondary-confirmation policy library in advance, to enable the subsequent user group and service group authentication.
In the flow above, steps 604 to 607 are the steps newly added by the embodiment of the present invention: the service management platform interacts with the secondary-confirmation policy library to improve on the existing secondary-confirmation mode and intercept illicit built-in behavior at the service control level.
In addition, although the random-question secondary-confirmation mode above can stop the terminal fee-siphoning software of some built-in solution providers from ordering services on the user's behalf, it is at present limited to Monternet on-demand services for which secondary confirmation is enabled in the MISC; built-in solution providers can continue siphoning fees by switching, as the billing code, to services that have not enabled secondary confirmation or that do not go through the MISC. Therefore, to completely cut off the built-in solution provider's remote control of user terminals and contain illicit built-in terminal behavior at the root, the solution provider's back-end control address must be blocked on the network side. The specific blocking modes include one or more of the following:
WAP gateway blocking: intercept at the WAP gateway; this mode can only intercept updates over CMWAP;
GGSN domain name blocking: intercept the domain name at the GGSN's DNS server; this can intercept updates over both CMWAP and CMNET, but does not support interception by IP;
GGSN firewall blocking: intercept the domain name or IP at the GGSN's firewall; this can intercept updates over both CMWAP and CMNET.
As can be seen, the network control part of this scheme intercepts, on the network side, the terminal fee-siphoning software's attempts to obtain fee-siphoning codes from the built-in solution provider's back-end website, cutting off the solution provider's remote control of user terminals at the root and thoroughly containing illicit built-in behavior.
By analyzing the network-side and service-side logs of end users who were subscribed without their knowledge, the embodiments of the present invention can locate the back-end address of the built-in solution provider. The problem of illicit built-in access and subscription can then be solved through a subsequent dial-testing process and/or network-side blocking process, thoroughly containing illicit built-in terminal behavior and thus achieving the expected effect. In addition, the embodiments of the present invention place no restriction on terminal type, so they are widely applicable and practical.
Device is checked the embodiment of the invention also provides a kind of violation terminal built-in behavior, as shown in fig. 7, the device 70 It include: to obtain module 701 and analysis and processing module 702;Wherein,
The acquisition module 701, for obtaining terminal user's corresponding industry during business use and/or service order Business side log and network side log;
In embodiments of the present invention, the business side log can include: terminal internet log, secondary-confirmation interactive log and Service authentication log etc., the network side log can include: WAP gateway log and WAPPULL log etc..The business side day Will can be obtained from Mobile Information Service Center (MISC), and the network side log can be obtained from WAP gateway.
The analysis and processing module 702, the business side log and network for being obtained according to the acquisition module 701 All terminal users of each business of side log analysis within the corresponding business program request date with the presence or absence of central access one or The case where several exception websites, if it is present determining the business for abnormal traffic.
In this scheme, an abnormal website is identified by checking whether, across all access logs for the website, the terminal type or the accessed pages are highly concentrated; if so, the website is an abnormal website. Regarding terminal type (User-Agent): when a normal website is accessed, many different types of terminals access it through browsers, so the User-Agent values recorded at the WAP gateway are fairly dispersed. An abnormal website, by contrast, is accessed covertly from the background by a plug-in acting in place of the user, and the User-Agent the plug-in sets is fixed to one or a few values. Regarding accessed pages: a normal website generally has many pages, and usually also serves image files, JavaScript script files, CSS style files and the like. An abnormal website, because it is only responsible for background updates of the terminal fee-siphoning software, usually has only one page or a very small number of pages. Therefore, in this scheme, whether a website is the built-in planner's address can be determined by compiling a terminal-type concentration report and a page concentration report for each website.
In an embodiment of the present invention, the analysis and processing module 702 is further configured to analyze, according to the business-side logs obtained by the acquisition module, whether the secondary-confirmation replies of all terminal users of each service are concentrated on one or a few contents; if so, the service is determined to be an abnormal service.
In an embodiment of the present invention, the analysis and processing module 702 analyzing whether all terminal users of each service accessed one or a few abnormal websites in a concentrated manner on the corresponding service ordering date comprises:
analyzing the internet-access logs of all terminal users of each service, and determining from those logs the website accessed most often by the terminal users;
analyzing the WAP gateway logs of the same date as the internet-access logs, and compiling from the WAP gateway logs the terminal types that accessed the most-accessed website and the number of pages of that website that were accessed; if the terminal types are fixed to one or a few types, or the accessed pages are fixed to one or a few, the service is determined to be an abnormal service.
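The concentration check described above, sketched as an added example that is not code from the patent: it picks the site most visited by a service's users, then measures how concentrated the User-Agent values and accessed pages are in the gateway log for that site. The record fields, host names, User-Agent strings, `k` and `threshold` are all assumptions, since the patent gives no log format or numeric thresholds.

```python
from collections import Counter

def top_share(values, k):
    """Share of all hits covered by the k most frequent values (1.0 = fully concentrated)."""
    counts = Counter(values)
    return sum(n for _, n in counts.most_common(k)) / len(values)

def audit_service(internet_log, gateway_log, k=2, threshold=0.9):
    """Flag a service whose users' most-visited site shows concentrated UAs or pages.

    internet_log: hosts visited by this service's users on the ordering date.
    gateway_log:  WAP gateway records (host, path, ua) for the same date.
    k and threshold are assumed tuning values; the patent gives no numbers.
    """
    if not internet_log:
        return None                      # no orders that day, nothing to audit
    host, _ = Counter(internet_log).most_common(1)[0]
    hits = [r for r in gateway_log if r["host"] == host]
    if not hits:
        return None                      # site absent from the gateway log for that date
    ua_share = top_share([r["ua"] for r in hits], k)
    page_share = top_share([r["path"] for r in hits], k)
    # The patent treats either concentration as sufficient ("or").
    return {"host": host, "ua_share": ua_share, "page_share": page_share,
            "abnormal": ua_share >= threshold or page_share >= threshold}

def sample_logs():
    """Constructed logs for two hypothetical services (all names are made up)."""
    uas = ["Nokia5230/Browser", "UCWEB/8.0", "Opera Mini/7.0", "MAUI WAP Browser", "Android/4.0 Browser"]
    pages = ["/", "/news/1.html", "/img/logo.png", "/js/app.js", "/css/site.css", "/sports/2.html"]
    gateway = [{"host": "portal.example.com", "path": pages[i % 6], "ua": uas[i % 5]} for i in range(30)]
    gateway += [{"host": "upd.example.net", "path": "/cfg.txt", "ua": "Plugin/1.0"}] * 28
    gateway += [{"host": "upd.example.net", "path": "/cfg.txt", "ua": "Plugin/1.1"}] * 2
    internet = {"SVC-NORMAL": ["portal.example.com"] * 25 + ["upd.example.net"],
                "SVC-SUSPECT": ["upd.example.net"] * 25 + ["portal.example.com"] * 5}
    return internet, gateway

if __name__ == "__main__":
    internet, gateway = sample_logs()
    for service, visited in internet.items():
        print(service, audit_service(visited, gateway))
```

Because either condition alone marks the service abnormal, a legitimate single-page site would also be flagged, so a flagged site is a candidate for the follow-up testing step rather than a final verdict.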
In an embodiment of the present invention, the analysis and processing module 702 is further configured to extract the update address from the WAP gateway log of a terminal user and perform simulated testing on it, and to match the text file corresponding to the update address that is downloaded after the test against the service on-demand instruction information queried from the MISC.
An embodiment of the present invention also provides equipment for auditing illicit terminal built-in behavior, which includes the auditing device for illicit terminal built-in behavior described above.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage and optical storage) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, equipment (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture that includes an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
The foregoing is only a preferred embodiment of the present invention, is not intended to limit the scope of the present invention.

Claims (7)

1. A method for auditing illicit terminal built-in behavior, characterized in that the method comprises:
obtaining the business-side logs and network-side logs corresponding to terminal users during service use and/or service ordering;
analyzing, according to the obtained business-side logs and network-side logs, the internet-access logs of all terminal users of each service, and determining from the internet-access logs the website accessed most often by the terminal users; analyzing the Wireless Application Protocol (WAP) gateway logs of the same date as the internet-access logs, and compiling from the WAP gateway logs the terminal types that accessed the most-accessed website and the number of pages of that website that were accessed; if the terminal types are fixed to one or a few types, or the accessed pages are fixed to one or a few, determining that the service is an abnormal service.
2. The method according to claim 1, characterized in that the method further comprises:
analyzing, according to the obtained business-side logs, whether the secondary-confirmation replies of all terminal users of each service are concentrated on one or a few contents; if so, determining that the service is an abnormal service.
3. The method according to claim 1, characterized in that the method further comprises:
extracting the update address from the WAP gateway log of a terminal user and performing simulated testing on it, and matching the text file corresponding to the update address that is downloaded after the test against the service on-demand instruction information queried from the Mobile Information Service Center (MISC).
4. A device for auditing illicit terminal built-in behavior, characterized in that the device comprises an acquisition module and an analysis and processing module, wherein:
the acquisition module is configured to obtain the business-side logs and network-side logs corresponding to terminal users during service use and/or service ordering;
the analysis and processing module is configured to analyze, according to the business-side logs and network-side logs obtained by the acquisition module, the internet-access logs of all terminal users of each service, and to determine from the internet-access logs the website accessed most often by the terminal users; to analyze the Wireless Application Protocol (WAP) gateway logs of the same date as the internet-access logs, and to compile from the WAP gateway logs the terminal types that accessed the most-accessed website and the number of pages of that website that were accessed; and, if the terminal types are fixed to one or a few types, or the accessed pages are fixed to one or a few, to determine that the service is an abnormal service.
5. The device according to claim 4, characterized in that the analysis and processing module is further configured to analyze, according to the business-side logs obtained by the acquisition module, whether the secondary-confirmation replies of all terminal users of each service are concentrated on one or a few contents; if so, the service is determined to be an abnormal service.
6. The device according to claim 4, characterized in that the analysis and processing module is further configured to extract the update address from the WAP gateway log of a terminal user and perform simulated testing on it, and to match the text file corresponding to the update address that is downloaded after the test against the service on-demand instruction information queried from the Mobile Information Service Center (MISC).
7. Equipment for auditing illicit terminal built-in behavior, characterized in that the equipment comprises the device according to any one of claims 4 to 6.
CN201410626260.XA 2014-11-07 2014-11-07 A kind of auditing method, device and the equipment of the behavior of violation terminal built-in Active CN105636076B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410626260.XA CN105636076B (en) 2014-11-07 2014-11-07 A kind of auditing method, device and the equipment of the behavior of violation terminal built-in

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410626260.XA CN105636076B (en) 2014-11-07 2014-11-07 A kind of auditing method, device and the equipment of the behavior of violation terminal built-in

Publications (2)

Publication Number Publication Date
CN105636076A CN105636076A (en) 2016-06-01
CN105636076B true CN105636076B (en) 2019-06-07

Family

ID=56050454

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410626260.XA Active CN105636076B (en) 2014-11-07 2014-11-07 A kind of auditing method, device and the equipment of the behavior of violation terminal built-in

Country Status (1)

Country Link
CN (1) CN105636076B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102917335A (en) * 2011-08-01 2013-02-06 卓望数码技术(深圳)有限公司 System, device and method for treatment of violation terminal built-in behaviors
CN102917334A (en) * 2011-08-01 2013-02-06 卓望数码技术(深圳)有限公司 System, device and method for treatment of violation terminal built-in behaviors
CN102917352A (en) * 2011-08-01 2013-02-06 卓望数码技术(深圳)有限公司 System, device and method for treatment of violation terminal built-in behaviors
CN103220658A (en) * 2012-01-19 2013-07-24 中国移动通信集团广东有限公司 Fee deduction preventing method and method, device and system of fee deduction preventing detection
CN103581909A (en) * 2012-07-31 2014-02-12 华为技术有限公司 Suspected mobile phone malicious software positioning method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8707427B2 (en) * 2010-04-06 2014-04-22 Triumfant, Inc. Automated malware detection and remediation

Also Published As

Publication number Publication date
CN105636076A (en) 2016-06-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant