CN105827593A - Traffic-free fraud user recognition method and recognition system - Google Patents

Publication number
CN105827593A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610130425.3A
Other languages
Chinese (zh)
Other versions
CN105827593B (en)
Inventor
陶冶
王志军
张尼
李正
宫雪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a system for identifying traffic-free fraud users. The identification method comprises: preprocessing a user's telecommunication traffic data to obtain the user's billing-exempt traffic data; analyzing and calculating the billing-exempt traffic data to obtain the user's traffic-free fraud suspicion degree; judging, according to that suspicion degree, whether the user is a suspected traffic-free fraud user; and judging, according to the suspicion degree of the suspected traffic-free fraud user, whether the user is a traffic-free fraud user. The method can effectively and accurately screen out malicious billing-exempt traffic that presents itself as a normal network protocol, so that traffic-free fraud users can be effectively and accurately identified, thereby solving the problem that current traffic-billing loopholes are difficult to identify, intercept and trace.

Description

A method and a system for identifying traffic-free fraud users
Technical field
The present invention relates to the field of communication technology, and in particular to a method and a system for identifying traffic-free fraud users.
Background
Traffic-free fraud is a form of telecom fraud that exploits loopholes in an operator's traffic billing: by building a private malicious traffic-forwarding proxy platform, it bypasses the telecom operator's billing system in order to use data traffic free of charge.
The main principle of traffic-free fraud is that the private traffic-forwarding proxy platform converts ordinarily billed Internet traffic into special traffic that the telecom operator does not bill. This traffic mainly includes specific protocol traffic such as DNS, and access traffic to certain public-welfare and special-category websites. Because the operator's existing billing system cannot tell whether such special traffic is genuine, all of it is treated as billing-exempt, which makes traffic-free fraud difficult to identify.
Because traffic-free fraud is the malicious free use of traffic by exploiting normal network protocols or loopholes in the operator's billing rules, and presents itself as normal network protocols or network access requests, it is easy to carry out, hard to discover and hard to trace. The industry currently still lacks techniques for identifying, intercepting and tracing traffic-free fraud.
At present, telecom operators mainly identify user traffic by deploying policies on in-network equipment, for example distinguishing the type and size of user traffic, filtering abnormal traffic, and billing normal traffic. However, because traffic-free fraud always presents itself as non-billed traffic types, normal traffic types or access requests, it is difficult for operators to identify and handle it through policy-based judgment.
The main shortcomings of the policy-based traffic identification methods currently used in the industry are:
1. Single-factor judgment based on indicators such as traffic type or size cannot detect malicious traffic that presents itself as a normal network protocol. 2. The traffic fraud user cannot be traced, and the private malicious traffic-forwarding proxy platform cannot be tracked down and dealt with.
Summary of the invention
To address the above technical problems in the prior art, the present invention provides a method and a system for identifying traffic-free fraud users. The identification method can efficiently and accurately screen out malicious billing-exempt traffic that presents itself as a normal network protocol, and can therefore efficiently and accurately identify traffic-free fraud users, thereby solving the problem that current traffic-billing loopholes are difficult to identify, intercept and trace.
The present invention provides a method for identifying traffic-free fraud users, comprising:
preprocessing the user's telecommunication traffic data to obtain the user's billing-exempt traffic data;
analyzing and calculating the user's billing-exempt traffic data to obtain the user's traffic-free fraud suspicion degree;
analyzing and judging, according to the user's traffic-free fraud suspicion degree, whether the user is a suspected traffic-free fraud user;
analyzing and judging, according to the traffic-free fraud suspicion degree of the suspected traffic-free fraud user, whether the user is a traffic-free fraud user.
Preferably, preprocessing the user's telecommunication traffic data to obtain the user's billing-exempt traffic data comprises:
counting the total traffic used by the user within a first set time period;
counting the traffic of billing-exempt special traffic types used by the user within the first set time period, where the traffic of billing-exempt special traffic types is the traffic of atypical user Internet-access services and billing-exempt functional network access traffic;
counting the traffic to billing-exempt designated IP addresses and domain names used by the user within the first set time period.
Preferably, analyzing and calculating the user's billing-exempt traffic data to obtain the user's traffic-free fraud suspicion degree comprises:
first calculating the ratio of the user's traffic of billing-exempt special traffic types to the total traffic;
then calculating the ratio of the user's traffic to billing-exempt designated IP addresses and domain names to the total traffic;
selecting a second set time period within the first set time period, and calculating the ratio of the number of continuous-use records of the user's traffic of billing-exempt special traffic types and traffic to billing-exempt designated IP addresses and domain names within the second set time period to the user's total number of traffic records within the second set time period;
finally calculating the user's traffic-free fraud suspicion degree according to the formula A = (X + Y + Z)/3, where A is the user's traffic-free fraud suspicion degree; X is the ratio of the user's traffic of billing-exempt special traffic types to the total traffic; Y is the ratio of the user's traffic to billing-exempt designated IP addresses and domain names to the total traffic; and Z is the ratio of the number of continuous-use records of the user's traffic of billing-exempt special traffic types and traffic to billing-exempt designated IP addresses and domain names within the second set time period to the user's total number of traffic records within the second set time period.
Preferably, analyzing and judging, according to the user's traffic-free fraud suspicion degree, whether the user is a suspected traffic-free fraud user comprises:
calculating the average traffic-free fraud suspicion degree;
comparing the user's traffic-free fraud suspicion degree with the average traffic-free fraud suspicion degree; when the user's traffic-free fraud suspicion degree is greater than the average traffic-free fraud suspicion degree, the user is a suspected traffic-free fraud user.
Preferably, calculating the average traffic-free fraud suspicion degree comprises:
there being n users, calculating the traffic-free fraud suspicion degree of each user according to the formula Ai = (Xi + Yi + Zi)/3, where i = 1, 2, 3, ..., n and i is an integer; n > 1 and n is an integer; Ai is the traffic-free fraud suspicion degree of the i-th user; Xi is the ratio of the i-th user's traffic of billing-exempt special traffic types to the total traffic; Yi is the ratio of the i-th user's traffic to billing-exempt designated IP addresses and domain names to the total traffic; and Zi is the ratio of the number of continuous-use records of the i-th user's traffic of billing-exempt special traffic types and traffic to billing-exempt designated IP addresses and domain names within the second set time period to that user's total number of traffic records within the second set time period;
calculating the average traffic-free fraud suspicion degree according to the formula A' = (A1 + A2 + ... + An)/n, where A' is the average traffic-free fraud suspicion degree.
Preferably, analyzing and judging, according to the traffic-free fraud suspicion degree of the suspected traffic-free fraud user, whether the user is a traffic-free fraud user comprises:
collecting the package traffic ordered by the suspected traffic-free fraud user and the user's current balance, and calculating the sum of the suspected traffic-free fraud user's package traffic and the traffic that the current balance can buy;
comparing the sum of the traffic of billing-exempt special traffic types and the traffic to billing-exempt designated IP addresses and domain names used by the suspected traffic-free fraud user within the first set time period with the sum of that user's package traffic and the traffic that the current balance can buy; when the former sum is greater than the latter sum, the suspected traffic-free fraud user is determined to be a traffic-free fraud user.
The present invention also provides a system for identifying traffic-free fraud users, comprising: a preprocessing module, configured to preprocess the user's telecommunication traffic data to obtain the user's billing-exempt traffic data;
an analysis and calculation module, configured to analyze and calculate the user's billing-exempt traffic data to obtain the user's traffic-free fraud suspicion degree, and to analyze and judge, according to the user's traffic-free fraud suspicion degree, whether the user is a suspected traffic-free fraud user;
an analysis and judgment module, configured to analyze and judge, according to the traffic-free fraud suspicion degree of the suspected traffic-free fraud user, whether the user is a traffic-free fraud user.
Preferably, the preprocessing module comprises:
a first statistics unit, configured to count the total traffic used by the user within a first set time period;
a second statistics unit, configured to count the traffic of billing-exempt special traffic types used by the user within the first set time period, where the traffic of billing-exempt special traffic types is the traffic of atypical user Internet-access services and billing-exempt functional network access traffic;
a third statistics unit, configured to count the traffic to billing-exempt designated IP addresses and domain names used by the user within the first set time period.
Preferably, the analysis and calculation module comprises:
a first calculation unit, configured to calculate the ratio of the user's traffic of billing-exempt special traffic types to the total traffic; to calculate the ratio of the user's traffic to billing-exempt designated IP addresses and domain names to the total traffic; to calculate, for a second set time period selected within the first set time period, the ratio of the number of continuous-use records of the user's traffic of billing-exempt special traffic types and traffic to billing-exempt designated IP addresses and domain names to the user's total number of traffic records within the second set time period; and to calculate the user's traffic-free fraud suspicion degree according to the formula A = (X + Y + Z)/3, where A is the user's traffic-free fraud suspicion degree; X is the ratio of the user's traffic of billing-exempt special traffic types to the total traffic; Y is the ratio of the user's traffic to billing-exempt designated IP addresses and domain names to the total traffic; and Z is the ratio of the number of continuous-use records of the user's traffic of billing-exempt special traffic types and traffic to billing-exempt designated IP addresses and domain names within the second set time period to the user's total number of traffic records within the second set time period;
a second calculation unit, configured to calculate the average traffic-free fraud suspicion degree;
a comparison judgment unit, configured to compare the user's traffic-free fraud suspicion degree with the average traffic-free fraud suspicion degree, and to judge, according to the comparison result, whether the user is a suspected traffic-free fraud user.
Preferably, the analysis and judgment module comprises:
a collection unit, configured to collect the package traffic ordered by the suspected traffic-free fraud user and the user's current balance;
a third calculation unit, configured to calculate the sum of the suspected traffic-free fraud user's package traffic and the traffic that the current balance can buy;
a comparison determination unit, configured to compare the sum of the traffic of billing-exempt special traffic types and the traffic to billing-exempt designated IP addresses and domain names used by the suspected traffic-free fraud user within the first set time period with the sum of that user's package traffic and the traffic that the current balance can buy, and to determine, according to the comparison result, whether the suspected traffic-free fraud user is a traffic-free fraud user.
Beneficial effects of the present invention: the method for identifying traffic-free fraud users provided by the present invention analyzes and calculates the user's billing-exempt traffic data, and can thereby efficiently and accurately screen out malicious billing-exempt traffic that presents itself as a normal network protocol. Traffic-free fraud users can therefore be identified efficiently and accurately, which solves the problem that current traffic-billing loopholes are difficult to identify, intercept and trace.
The system for identifying traffic-free fraud users provided by the present invention uses the analysis and calculation module to analyze and calculate the user's billing-exempt traffic data, and can thereby efficiently and accurately screen out malicious billing-exempt traffic that presents itself as a normal network protocol. Traffic-free fraud users can therefore be identified efficiently and accurately, which solves the problem that current traffic-billing loopholes are difficult to identify, intercept and trace.
Brief description of the drawings
Fig. 1 is a flow chart of the method for identifying traffic-free fraud users in Embodiment 1 of the present invention;
Fig. 2 is a schematic block diagram of the system for identifying traffic-free fraud users in Embodiment 3 of the present invention;
Fig. 3 is a schematic block diagram of the system for identifying traffic-free fraud users in Embodiment 4 of the present invention.
Reference numerals:
1. preprocessing module; 11. first statistics unit; 12. second statistics unit; 13. third statistics unit; 2. analysis and calculation module; 21. first calculation unit; 22. second calculation unit; 23. comparison judgment unit; 3. analysis and judgment module; 31. collection unit; 32. third calculation unit; 33. comparison determination unit.
Detailed description of the embodiments
To help those skilled in the art better understand the technical solution of the present invention, the method and system for identifying traffic-free fraud users provided by the present invention are described in further detail below with reference to the drawings and specific embodiments.
Embodiment 1:
This embodiment provides a method for identifying traffic-free fraud users which, as shown in Fig. 1, comprises:
Step S1: preprocess the user's telecommunication traffic data to obtain the user's billing-exempt traffic data.
Step S2: analyze and calculate the user's billing-exempt traffic data to obtain the user's traffic-free fraud suspicion degree.
Step S3: according to the user's traffic-free fraud suspicion degree, analyze and judge whether the user is a suspected traffic-free fraud user.
Step S4: according to the traffic-free fraud suspicion degree of the suspected traffic-free fraud user, analyze and judge whether the user is a traffic-free fraud user.
By analyzing and calculating the user's billing-exempt traffic data, this identification method can efficiently and accurately detect malicious billing-exempt traffic that presents itself as a normal network protocol. Traffic-free fraud users can therefore be identified efficiently and accurately, which solves the problem that current traffic-billing loopholes are difficult to identify, intercept and trace.
Embodiment 2:
This embodiment provides a method for identifying traffic-free fraud users, comprising:
Step S1: preprocess the user's telecommunication traffic data to obtain the user's billing-exempt traffic data.
This step specifically comprises:
Step S11: count the total traffic used by the user within the first set time period.
In this step, the first set time period can be set arbitrarily; for example, it can be set to 30 days.
Step S12: count the traffic of billing-exempt special traffic types used by the user within the first set time period. The traffic of billing-exempt special traffic types is the traffic of atypical user Internet-access services and billing-exempt functional network access traffic.
In this step, traffic of atypical user Internet-access services means traffic outside the normal Internet-access service classes such as OTT (the various application services provided to users over the Internet) traffic and TCP/IP (network communication protocol) traffic; billing-exempt functional network access traffic is, for example, DNS (Domain Name System) access traffic and HSRP (Hot Standby Router Protocol) traffic.
Step S13: count the traffic to billing-exempt designated IP addresses and domain names used by the user within the first set time period.
In this step, traffic to billing-exempt designated IP addresses and domain names is traffic to specific access target IPs that can be exempted from billing, such as public-welfare sites.
In step S1, the telecom operator first collects the detailed traffic list of the traffic the user used within the first set time period. The user's detailed traffic list mainly includes indicators such as the IMSI (International Mobile Subscriber Identity), subscriber number, IMEI (International Mobile Equipment Identity), access target IP (Internet Protocol) address, traffic type and time. The detailed traffic list is then preprocessed according to these indicators. The preprocessing mainly consists of counting the total traffic the user used within the first set time period, counting the traffic of billing-exempt special traffic types the user used within the first set time period, and counting the traffic to billing-exempt designated IP addresses and domain names the user used within the first set time period. The billing-exempt traffic data mainly comprises the traffic of special traffic types and the traffic to designated IP addresses and domain names.
Step S2: analyze and calculate the user's billing-exempt traffic data to obtain the user's traffic-free fraud suspicion degree.
In this step, the traffic data of a selected single user within the first set time period is analyzed, specifically as follows:
Step S21: first calculate the ratio X of the user's traffic of billing-exempt special traffic types to the total traffic.
Step S22: then calculate the ratio Y of the user's traffic to billing-exempt designated IP addresses and domain names to the total traffic.
Step S23: select a second set time period within the first set time period, and calculate the ratio Z of the number of continuous-use records of the user's traffic of billing-exempt special traffic types and traffic to billing-exempt designated IP addresses and domain names within the second set time period to the user's total number of traffic records within the second set time period.
In this step, the second set time period is a span of time within the first set time period, and its duration is less than or equal to that of the first set time period. The second set time period can be set arbitrarily; for example, it can be set to one day or one hour.
The number of continuous-use records is the total number of records in which traffic of billing-exempt special traffic types and traffic to billing-exempt designated IP addresses and domain names is used without interruption within the second set time period. These can be continuous-use records of traffic of billing-exempt special traffic types, continuous-use records of traffic to billing-exempt designated IP addresses and domain names, or continuous-use records in which the two kinds of traffic are interleaved. For example, if within a certain hour of the 30 days there are 100 traffic records in total, of which 90 are continuous-use records of traffic of billing-exempt special traffic types and traffic to billing-exempt designated IP addresses and domain names, then the ratio Z is 90%.
Step S24: finally calculate the user's traffic-free fraud suspicion degree A, where A = (X + Y + Z)/3.
In step S2, the traffic-free fraud suspicion degree of every user of the telecom operator can be calculated separately using steps S21 to S24.
Step S3: according to the user's traffic-free fraud suspicion degree, analyze and judge whether the user is a suspected traffic-free fraud user.
This step specifically comprises:
Step S31: calculate the average traffic-free fraud suspicion degree.
In this step, assume the telecom operator has n users, and the traffic-free fraud suspicion degree of each user is Ai = (Xi + Yi + Zi)/3, where i = 1, 2, 3, ..., n and i is an integer; n > 1 and n is an integer. The average traffic-free fraud suspicion degree is then A' = (A1 + A2 + ... + An)/n.
Step S32: compare the user's traffic-free fraud suspicion degree with the average traffic-free fraud suspicion degree. When the user's traffic-free fraud suspicion degree is greater than the average traffic-free fraud suspicion degree, the user is a suspected traffic-free fraud user.
Through steps S2 and S3, it can be determined for each user of the telecom operator whether that user is a suspected traffic-free fraud user.
Step S4: according to the traffic-free fraud suspicion degree of the suspected traffic-free fraud user, analyze and judge whether the user is a traffic-free fraud user.
This step specifically comprises:
Step S41: collect the package traffic ordered by the suspected traffic-free fraud user and the user's current balance, and calculate the sum of the suspected traffic-free fraud user's package traffic and the traffic that the current balance can buy.
Step S42: compare the sum of the traffic of billing-exempt special traffic types and the traffic to billing-exempt designated IP addresses and domain names used by the suspected traffic-free fraud user within the first set time period with the sum of that user's package traffic and the traffic that the current balance can buy. When the former sum is greater than the latter sum, the suspected traffic-free fraud user is determined to be a traffic-free fraud user.
Through step S4, traffic-free fraud users can be determined from among the suspected traffic-free fraud users.
Beneficial effects of Embodiments 1 and 2: the method for identifying traffic-free fraud users provided in Embodiments 1 and 2 analyzes and calculates the user's billing-exempt traffic data, and can thereby efficiently and accurately screen out malicious billing-exempt traffic that presents itself as a normal network protocol. Traffic-free fraud users can therefore be identified efficiently and accurately, which solves the problem that current traffic-billing loopholes are difficult to identify, intercept and trace.
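The following Python sketch is an added illustration, not code from the patent; it runs steps S1 to S4 of Embodiment 2 over constructed per-user traffic records. The record layout, the flat tariff used to convert the current balance into traffic, and the reading of Z as the longest uninterrupted run of billing-exempt records in the second set time period are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

MB = 1024 * 1024
BILLED, EXEMPT_TYPE, EXEMPT_DEST = "billed", "exempt_type", "exempt_dest"


@dataclass(frozen=True)
class Record:
    """One line of a user's detailed traffic list (layout is an assumption)."""
    user: str
    ts: int        # seconds from the start of the first set time period
    category: str  # BILLED, EXEMPT_TYPE (e.g. DNS) or EXEMPT_DEST (designated IP/domain)
    nbytes: int


@dataclass(frozen=True)
class Account:
    package_bytes: int  # traffic included in the ordered package
    balance_cents: int  # current balance
    cents_per_mb: int   # assumed flat tariff for buying extra traffic


def longest_exempt_run(records):
    """Assumed reading of 'continuous-use records': longest unbroken run of
    billing-exempt records; the two exempt kinds may be interleaved."""
    best = run = 0
    for r in records:
        run = run + 1 if r.category != BILLED else 0
        best = max(best, run)
    return best


def score_user(records, window):
    """Steps S21 to S24: return (X, Y, Z, A) for one user's records."""
    total = sum(r.nbytes for r in records)
    if total == 0:
        return 0.0, 0.0, 0.0, 0.0
    x = sum(r.nbytes for r in records if r.category == EXEMPT_TYPE) / total
    y = sum(r.nbytes for r in records if r.category == EXEMPT_DEST) / total
    start, end = window
    in_window = sorted((r for r in records if start <= r.ts < end), key=lambda r: r.ts)
    z = longest_exempt_run(in_window) / len(in_window) if in_window else 0.0
    return x, y, z, (x + y + z) / 3


def identify(records, accounts, window):
    """Steps S1 to S4: return (scores, mean A', suspected users, fraud users)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r.user].append(r)
    if not by_user:
        return {}, 0.0, set(), set()
    scores = {u: score_user(rs, window) for u, rs in by_user.items()}
    mean_a = sum(s[3] for s in scores.values()) / len(scores)        # S31
    suspected = {u for u, s in scores.items() if s[3] > mean_a}      # S32
    confirmed = set()
    for u in suspected:
        acct = accounts[u]
        # S41: package traffic plus the traffic the current balance can buy
        purchasable = acct.package_bytes + acct.balance_cents * MB // acct.cents_per_mb
        exempt = sum(r.nbytes for r in by_user[u] if r.category != BILLED)
        if exempt > purchasable:                                      # S42
            confirmed.add(u)
    return scores, mean_a, suspected, confirmed


def make_records(user, pattern, mb_each):
    """Constructed sample data: one record per character, 60 s apart."""
    kinds = {"B": BILLED, "T": EXEMPT_TYPE, "D": EXEMPT_DEST}
    return [Record(user, i * 60, kinds[c], mb_each * MB) for i, c in enumerate(pattern)]


# Constructed sample input, not real operator data.
SAMPLE_RECORDS = (
    make_records("user-a", "BBBTBBBBDB", 10)     # mostly billed traffic
    + make_records("user-b", "TTDDBTTDDB", 10)   # exempt-heavy, but on a large package
    + make_records("user-c", "TTTTTDDDDB", 100)  # exempt-heavy, small package
)
SAMPLE_ACCOUNTS = {
    "user-a": Account(1024 * MB, 0, 10),
    "user-b": Account(1024 * MB, 0, 10),
    "user-c": Account(500 * MB, 1000, 10),
}
WINDOW = (0, 3600)  # second set time period: the first hour

if __name__ == "__main__":
    scores, mean_a, suspected, confirmed = identify(SAMPLE_RECORDS, SAMPLE_ACCOUNTS, WINDOW)
    for user, (x, y, z, a) in sorted(scores.items()):
        print(f"{user}: X={x:.2f} Y={y:.2f} Z={z:.2f} A={a:.2f}")
    print(f"A'={mean_a:.3f} suspected={sorted(suspected)} fraud={sorted(confirmed)}")
```

In the sample, user-b exceeds the average suspicion degree but stays within the purchasable traffic, so only step S4 separates it from user-c.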
Embodiment 3:
This embodiment provides a recognition system for traffic-free fraud users. As shown in Fig. 2, it includes: a preprocessing module 1, configured to preprocess the user's telecommunications traffic data to obtain the user's charge-exempt traffic data; an analysis and calculation module 2, configured to analyze and calculate the user's charge-exempt traffic data to obtain the user's traffic-free fraud suspicion degree, and to analyze and judge, according to that suspicion degree, whether the user is a suspected traffic-free fraud user; and an analysis and judgment module 3, configured to analyze and judge, according to the traffic-free fraud suspicion degree of the suspected traffic-free fraud user, whether the user is a traffic-free fraud user.
In the recognition system of this embodiment, the analysis and calculation module analyzes and calculates the user's charge-exempt traffic data, so that malicious charge-exempt traffic presenting itself as normal network protocol traffic can be judged efficiently and accurately. Traffic-free fraud users can therefore be identified efficiently and accurately, which solves the problem that current traffic-charging vulnerabilities are difficult to identify, intercept and trace.
Embodiment 4:
This embodiment provides a recognition system for traffic-free fraud users. As shown in Fig. 3, on the basis of Embodiment 3, the preprocessing module 1 in this embodiment includes: a first statistics unit 11, configured to count the total traffic used by the user within a first set time period; a second statistics unit 12, configured to count the traffic of charge-exempt special traffic types used by the user within the first set time period, where the traffic of charge-exempt special traffic types is traffic of atypical user mobile Internet access services and charge-exempt functional network access traffic; and a third statistics unit 13, configured to count the traffic of charge-exempt designated IP addresses and domain name addresses used by the user within the first set time period.
The analysis and calculation module 2 in this embodiment includes a first computing unit 21, a second computing unit 22 and a comparison and judgment unit 23. The first computing unit 21 is configured to calculate the ratio X of the user's charge-exempt special-type traffic to the total traffic; to calculate the ratio Y of the user's charge-exempt designated IP address and domain name address traffic to the total traffic; to calculate, for a second set time period chosen within the first set time period, the ratio Z of the number of continuous-use records of the user's charge-exempt special-type traffic and charge-exempt designated IP address and domain name address traffic to the total number of the user's traffic records within that second set time period; and to calculate the user's traffic-free fraud suspicion degree A, where A = (X + Y + Z)/3. The second computing unit 22 is configured to calculate the average traffic-free fraud suspicion degree. Assume the telecom operator has n users, and the traffic-free fraud suspicion degree of each user is Ai = (Xi + Yi + Zi)/3, where i = 1, 2, 3, ..., n, i is an integer, n > 1, and n is an integer; then the average traffic-free fraud suspicion degree is A' = (A1 + A2 + ... + An)/n. The comparison and judgment unit 23 is configured to compare the user's traffic-free fraud suspicion degree with the average traffic-free fraud suspicion degree and to judge, according to the comparison result, whether the user is a suspected traffic-free fraud user. When a user's traffic-free fraud suspicion degree is greater than the average traffic-free fraud suspicion degree, that user is a suspected traffic-free fraud user.
The analysis and judgment module 3 in this embodiment includes: a collecting unit 31, configured to collect the package traffic subscribed to by the suspected traffic-free fraud user and the user's current balance; a third computing unit 32, configured to calculate the sum of the suspected traffic-free fraud user's package traffic and the traffic that the current balance can buy; and a comparison and determination unit 33, configured to compare the sum of the charge-exempt special-type traffic and the charge-exempt designated IP address and domain name address traffic used by the suspected traffic-free fraud user within the first set time period with the sum of that user's package traffic and the traffic that the current balance can buy, and to determine, according to the comparison result, whether the suspected traffic-free fraud user is a traffic-free fraud user. When the sum of the charge-exempt special-type traffic and the charge-exempt designated IP address and domain name address traffic used by a suspected traffic-free fraud user within the first set time period is greater than the sum of that user's package traffic and the traffic that the current balance can buy, that suspected traffic-free fraud user is determined to be a traffic-free fraud user.
Beneficial effect of Embodiments 3-4: in the recognition system for traffic-free fraud users provided in Embodiments 3-4, the analysis and calculation module analyzes and calculates the user's charge-exempt traffic data, and can thereby efficiently and accurately screen out malicious charge-exempt traffic that presents itself as normal network protocol traffic. It can therefore identify traffic-free fraud users efficiently and accurately, which solves the problem that current traffic-charging vulnerabilities are difficult to identify, intercept and trace.
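The two-stage screening that Embodiment 4 assigns to the analysis and calculation module and the analysis and judgment module, as an added Python example (not code from the patent). The record layout, the MB unit, the per-MB price used to turn balance into purchasable traffic, and the reading of Z as the longest run of consecutive charge-exempt records are assumptions; all sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

EXEMPT_KINDS = {"exempt_type", "exempt_addr"}


@dataclass(frozen=True)
class Record:
    user: str
    kind: str               # "exempt_type", "exempt_addr" or "billed"
    mb: float               # traffic volume (MB is an assumed unit)
    in_second_period: bool  # record falls inside the second set time period


@dataclass(frozen=True)
class Account:
    plan_mb: float          # package traffic the user subscribed to
    balance: float          # current balance
    price_per_mb: float     # assumed tariff for converting balance to traffic


def longest_exempt_run(records):
    """Longest run of consecutive charge-exempt records (assumed reading of Z)."""
    best = run = 0
    for r in records:
        run = run + 1 if r.kind in EXEMPT_KINDS else 0
        best = max(best, run)
    return best


def suspicion(records):
    """A = (X + Y + Z) / 3 for one user's records in the first set time period."""
    total = sum(r.mb for r in records)
    if total == 0:          # no traffic at all: nothing to score
        return 0.0
    x = sum(r.mb for r in records if r.kind == "exempt_type") / total
    y = sum(r.mb for r in records if r.kind == "exempt_addr") / total
    window = [r for r in records if r.in_second_period]
    z = longest_exempt_run(window) / len(window) if window else 0.0
    return (x + y + z) / 3


def classify(records, accounts):
    """Return (scores, average, verdicts); a verdict is normal/suspected/fraud."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r.user].append(r)
    if not by_user:
        return {}, 0.0, {}
    scores = {u: suspicion(rs) for u, rs in by_user.items()}
    average = sum(scores.values()) / len(scores)           # A'
    verdicts = {}
    for user, a in scores.items():
        if a <= average:                                    # stage 1: A_i > A'
            verdicts[user] = "normal"
            continue
        acct = accounts[user]
        exempt_mb = sum(r.mb for r in by_user[user] if r.kind in EXEMPT_KINDS)
        affordable_mb = acct.plan_mb + acct.balance / acct.price_per_mb
        # stage 2: exempt usage exceeds what plan plus balance could pay for
        verdicts[user] = "fraud" if exempt_mb > affordable_mb else "suspected"
    return scores, average, verdicts


# Constructed sample data (not from the patent), in time order per user.
SAMPLE_RECORDS = [
    Record("alice", "billed", 400, False), Record("alice", "billed", 400, True),
    Record("alice", "exempt_type", 100, True), Record("alice", "billed", 100, True),
    Record("bob", "exempt_type", 600, True), Record("bob", "exempt_addr", 300, True),
    Record("bob", "billed", 100, True),
    Record("carol", "exempt_addr", 500, True), Record("carol", "exempt_type", 200, True),
    Record("carol", "billed", 300, True),
]
SAMPLE_ACCOUNTS = {
    "alice": Account(plan_mb=1000, balance=20.0, price_per_mb=0.1),
    "bob": Account(plan_mb=500, balance=10.0, price_per_mb=0.1),
    "carol": Account(plan_mb=2000, balance=0.0, price_per_mb=0.1),
}

if __name__ == "__main__":
    print(classify(SAMPLE_RECORDS, SAMPLE_ACCOUNTS))
```

Because stage 1 compares each score with the population mean, some users exceed it whenever the scores are not all equal; the plan-and-balance comparison in stage 2 is what separates heavy legitimate users (carol in the sample) from confirmed cases (bob).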
It should be understood that the above embodiments are merely exemplary implementations adopted to illustrate the principle of the present invention, and the invention is not limited to them. Those of ordinary skill in the art can make various modifications and improvements without departing from the spirit and essence of the invention, and these modifications and improvements are also regarded as falling within the protection scope of the invention.

Claims (10)

1. A recognition method for traffic-free fraud users, characterized by comprising:
preprocessing a user's telecommunications traffic data to obtain the user's charge-exempt traffic data;
analyzing and calculating the user's charge-exempt traffic data to obtain the user's traffic-free fraud suspicion degree;
analyzing and judging, according to the user's traffic-free fraud suspicion degree, whether the user is a suspected traffic-free fraud user;
analyzing and judging, according to the traffic-free fraud suspicion degree of the suspected traffic-free fraud user, whether the user is a traffic-free fraud user.
2. The recognition method according to claim 1, characterized in that preprocessing the user's telecommunications traffic data to obtain the user's charge-exempt traffic data comprises:
counting the total traffic used by the user within a first set time period;
counting the traffic of charge-exempt special traffic types used by the user within the first set time period, the traffic of charge-exempt special traffic types being traffic of atypical user mobile Internet access services and charge-exempt functional network access traffic;
counting the traffic of charge-exempt designated IP addresses and domain name addresses used by the user within the first set time period.
3. The recognition method according to claim 2, characterized in that analyzing and calculating the user's charge-exempt traffic data to obtain the user's traffic-free fraud suspicion degree comprises:
first calculating the ratio of the user's charge-exempt special-type traffic to the total traffic;
then calculating the ratio of the user's charge-exempt designated IP address and domain name address traffic to the total traffic;
choosing a second set time period within the first set time period, and calculating the ratio of the number of continuous-use records of the user's charge-exempt special-type traffic and charge-exempt designated IP address and domain name address traffic within the second set time period to the total number of the user's traffic records within that second set time period;
finally calculating the user's traffic-free fraud suspicion degree according to the formula A = (X + Y + Z)/3, where A is the user's traffic-free fraud suspicion degree; X is the ratio of the user's charge-exempt special-type traffic to the total traffic; Y is the ratio of the user's charge-exempt designated IP address and domain name address traffic to the total traffic; and Z is the ratio of the number of continuous-use records of the user's charge-exempt special-type traffic and charge-exempt designated IP address and domain name address traffic within the second set time period to the total number of the user's traffic records within that second set time period.
4. The recognition method according to claim 3, characterized in that analyzing and judging, according to the user's traffic-free fraud suspicion degree, whether the user is a suspected traffic-free fraud user comprises:
calculating an average traffic-free fraud suspicion degree;
comparing the user's traffic-free fraud suspicion degree with the average traffic-free fraud suspicion degree, and when the user's traffic-free fraud suspicion degree is greater than the average traffic-free fraud suspicion degree, the user is a suspected traffic-free fraud user.
5. The recognition method according to claim 4, characterized in that calculating the average traffic-free fraud suspicion degree comprises:
there being n users, calculating the traffic-free fraud suspicion degree of each user according to the formula Ai = (Xi + Yi + Zi)/3, where i = 1, 2, 3, ..., n, i is an integer, n > 1, and n is an integer; Ai is the traffic-free fraud suspicion degree of the i-th user; Xi is the ratio of the i-th user's charge-exempt special-type traffic to the total traffic; Yi is the ratio of the i-th user's charge-exempt designated IP address and domain name address traffic to the total traffic; and Zi is the ratio of the number of continuous-use records of the i-th user's charge-exempt special-type traffic and charge-exempt designated IP address and domain name address traffic within the second set time period to the total number of that user's traffic records within that second set time period;
calculating the average traffic-free fraud suspicion degree according to the formula A' = (A1 + A2 + ... + An)/n, where A' is the average traffic-free fraud suspicion degree.
6. The recognition method according to claim 4, characterized in that analyzing and judging, according to the traffic-free fraud suspicion degree of the suspected traffic-free fraud user, whether the user is a traffic-free fraud user comprises:
collecting the package traffic subscribed to by the suspected traffic-free fraud user and the user's current balance, and calculating the sum of the suspected traffic-free fraud user's package traffic and the traffic that the current balance can buy;
comparing the sum of the charge-exempt special-type traffic and the charge-exempt designated IP address and domain name address traffic used by the suspected traffic-free fraud user within the first set time period with the sum of that user's package traffic and the traffic that the current balance can buy, and when the former sum is greater than the latter, determining that the suspected traffic-free fraud user is a traffic-free fraud user.
7. A recognition system for traffic-free fraud users, characterized by comprising: a preprocessing module, configured to preprocess a user's telecommunications traffic data to obtain the user's charge-exempt traffic data;
an analysis and calculation module, configured to analyze and calculate the user's charge-exempt traffic data to obtain the user's traffic-free fraud suspicion degree, and to analyze and judge, according to the user's traffic-free fraud suspicion degree, whether the user is a suspected traffic-free fraud user;
an analysis and judgment module, configured to analyze and judge, according to the traffic-free fraud suspicion degree of the suspected traffic-free fraud user, whether the user is a traffic-free fraud user.
8. The recognition system according to claim 7, characterized in that the preprocessing module comprises:
a first statistics unit, configured to count the total traffic used by the user within a first set time period;
a second statistics unit, configured to count the traffic of charge-exempt special traffic types used by the user within the first set time period, where the traffic of charge-exempt special traffic types is traffic of atypical user mobile Internet access services and charge-exempt functional network access traffic;
a third statistics unit, configured to count the traffic of charge-exempt designated IP addresses and domain name addresses used by the user within the first set time period.
9. The recognition system according to claim 8, characterized in that the analysis and calculation module comprises:
a first computing unit, configured to calculate the ratio of the user's charge-exempt special-type traffic to the total traffic; to calculate the ratio of the user's charge-exempt designated IP address and domain name address traffic to the total traffic; to calculate, for a second set time period chosen within the first set time period, the ratio of the number of continuous-use records of the user's charge-exempt special-type traffic and charge-exempt designated IP address and domain name address traffic to the total number of the user's traffic records within that second set time period; and to calculate the user's traffic-free fraud suspicion degree according to the formula A = (X + Y + Z)/3, where A is the user's traffic-free fraud suspicion degree; X is the ratio of the user's charge-exempt special-type traffic to the total traffic; Y is the ratio of the user's charge-exempt designated IP address and domain name address traffic to the total traffic; and Z is the ratio of the number of continuous-use records of the user's charge-exempt special-type traffic and charge-exempt designated IP address and domain name address traffic within the second set time period to the total number of the user's traffic records within that second set time period;
a second computing unit, configured to calculate an average traffic-free fraud suspicion degree;
a comparison and judgment unit, configured to compare the user's traffic-free fraud suspicion degree with the average traffic-free fraud suspicion degree, and to judge, according to the comparison result, whether the user is a suspected traffic-free fraud user.
10. The recognition system according to claim 9, characterized in that the analysis and judgment module comprises:
a collecting unit, configured to collect the package traffic subscribed to by the suspected traffic-free fraud user and the user's current balance;
a third computing unit, configured to calculate the sum of the suspected traffic-free fraud user's package traffic and the traffic that the current balance can buy;
a comparison and determination unit, configured to compare the sum of the charge-exempt special-type traffic and the charge-exempt designated IP address and domain name address traffic used by the suspected traffic-free fraud user within the first set time period with the sum of that user's package traffic and the traffic that the current balance can buy, and to determine, according to the comparison result, whether the suspected traffic-free fraud user is a traffic-free fraud user.
CN201610130425.3A 2016-03-08 2016-03-08 Traffic-free fraud user recognition method and recognition system Active CN105827593B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610130425.3A CN105827593B (en) 2016-03-08 2016-03-08 Traffic-free fraud user recognition method and recognition system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610130425.3A CN105827593B (en) 2016-03-08 2016-03-08 Traffic-free fraud user recognition method and recognition system

Publications (2)

Publication Number Publication Date
CN105827593A true CN105827593A (en) 2016-08-03
CN105827593B CN105827593B (en) 2019-01-18

Family

ID=56987942

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610130425.3A Active CN105827593B (en) 2016-03-08 2016-03-08 Traffic-free fraud user recognition method and recognition system

Country Status (1)

Country Link
CN (1) CN105827593B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102567788A (en) * 2010-12-28 2012-07-11 中国移动通信集团重庆有限公司 Real-time identification system and real-time identification method for fraudulent practice in communication services
CN103841204A (en) * 2014-03-14 2014-06-04 北京奇虎科技有限公司 Traffic-free downloading method, device and system based on mobile terminal
CN104967688A (en) * 2015-06-30 2015-10-07 北京奇虎科技有限公司 Method for accessing to network by using flow-free platform, mobile terminal and system

Also Published As

Publication number Publication date
CN105827593B (en) 2019-01-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant