CN105827593B - A kind of recognition methods and identifying system for exempting from flow fraudulent user - Google Patents
A kind of recognition methods and identifying system for exempting from flow fraudulent user Download PDFInfo
- Publication number
- CN105827593B CN105827593B CN201610130425.3A CN201610130425A CN105827593B CN 105827593 B CN105827593 B CN 105827593B CN 201610130425 A CN201610130425 A CN 201610130425A CN 105827593 B CN105827593 B CN 105827593B
- Authority
- CN
- China
- Prior art keywords
- flow
- user
- charging
- exempt
- exempting
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 26
- 238000004364 calculation method Methods 0.000 claims abstract description 24
- 235000012054 meals Nutrition 0.000 claims description 22
- 241000209202 Bromus secalinus Species 0.000 claims description 19
- 238000007781 pre-processing Methods 0.000 claims description 9
- 238000004458 analytical method Methods 0.000 claims description 5
- 230000005611 electricity Effects 0.000 claims 1
- 230000004907 flux Effects 0.000 abstract description 8
- 238000012216 screening Methods 0.000 abstract description 6
- 238000004891 communication Methods 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a kind of recognition methods and identifying system for exempting from flow fraudulent user.The recognition methods includes: to pre-process to the telecommunications traffic data of user, and obtain user exempts from charging data on flows;Analytical calculation is carried out to the charging data on flows of exempting from of user, obtain user exempts from flow fraud Suspected Degree;Exempt from flow fraud Suspected Degree according to user, analyzes and determines whether user is doubtful to exempt from flow fraudulent user;Suspected Degree is cheated according to the doubtful flow of exempting from for exempting from flow fraudulent user, analyzes and determines whether user is to exempt from flow fraudulent user.The recognition methods can efficiently and accurately screening go out the form of expression be normal network protocol malice exempt from charging flow, exempt from flow fraudulent user so as to efficiently and accurately identify, so solves the problems, such as current flux charging loophole difficulty identify, intercept and trace to the source.
Description
Technical field
The present invention relates to fields of communication technology, and in particular, to a kind of recognition methods and identification for exempting from flow fraudulent user
System.
Background technique
Exempting from flow fraud is a kind of using operator's charge on traffic loophole, flat by building privately owned malicious traffic stream forwarding agency
Platform bypasses telecom operators' fee collecting system, reaches the free Telecoms Fraud behavior for using flow purpose.
The cardinal principle for exempting from flow fraud is agent platform to be forwarded by privately owned flow, by the online stream of common charging
Amount is converted to the special flow of telecom operators' not charging, these flows mainly include the particular protocols such as DNS flow and certain
Public good class, special defects website flowing of access.Since the existing fee collecting system of telecom operators can not differentiate that these are special
The true and false of flow is handled, it is difficult to which flow fraud is exempted from identification so doing free charging to such special flow.
Principle due to exempting from flow fraud is the malice carried out using proper network agreement or operator's charging regulation loophole
Traffic behavior is freely used, the form of expression is proper network agreement or network access request, therefore has and easily realize, difficult hair
The features such as existing, difficult retrospect, industry still lacks identification, intercepts, traces to the source and exempt from the correlation technique of flow fraud at present.
Telecom operators are such as right mainly by identifying to deployed with devices corresponding strategies in netting to customer flow at present
Customer flow type, size are differentiated, and filter improper flow, and normal stream amount carries out charging.But it is taken advantage of due to exempting from flow
Swindleness shows as not charging discharge pattern and normal discharge type or access request, telecom operators be difficult to judge by strategy into
Row identification and processing.
The major defect for the method for recognizing flux based on strategy that industry uses at present has:
One, is judged based on the single factor test of the indexs such as discharge pattern or size, and the form of expression can not be judged for proper network association
The malicious traffic stream of view;Two, can not trace to the source to flow fraudulent user, trace to privately owned malicious traffic stream forwarding agent platform
With processing.
Summary of the invention
The present invention is directed to the above-mentioned technical problems in the prior art, provides a kind of identification side for exempting from flow fraudulent user
Method and identifying system.The recognition methods can efficiently and accurately screening go out the form of expression be normal network protocol malice exempt to count
Take flow, exempts from flow fraudulent user so as to efficiently and accurately identify, and then the identification of solution current flux charging loophole difficulty,
The problem of intercepting and tracing to the source.
The present invention provides a kind of recognition methods for exempting from flow fraudulent user, comprising:
The telecommunications traffic data of user are pre-processed, obtain the user exempts from charging data on flows;
To the user exempt from charging data on flows carry out analytical calculation, obtain the user exempt from flow fraud it is doubtful
Degree;
Exempt from flow fraud Suspected Degree according to the user, analyzes and determines whether the user is that doubtful flow of exempting from cheats use
Family;
According to it is described it is doubtful exempt to exempt from described in flow fraudulent user flow fraud Suspected Degree, whether analyze and determine the user
To exempt from flow fraudulent user.
Preferably, the telecommunications traffic data to user pre-process, and obtain the user exempts from charging flow number
According to including:
Count the total flow that the user uses in the first set period of time;
Count the flow for exempting from the special discharge pattern of charging that the user uses in first set period of time;It is described
The flow for exempting from the special discharge pattern of charging is the flow of atypia user mobile Internet access business and the functional network for exempting from charging
Flowing of access;
IP address and domain name addresses are specified in the charging of exempting from for counting that the user uses in first set period of time
Flow.
Preferably, the charging data on flows of exempting to the user carries out analytical calculation, obtains the user and exempts to flow
Amount cheats Suspected Degree
The flow for exempting from the special discharge pattern of charging for calculating the user first accounts for the ratio of the total flow;
The ratio exempted from charging and the flow of IP address and domain name addresses is specified to account for the total flow of the user is calculated again
Example;
The second set period of time is chosen in first set period of time, calculates the user in the described second setting
Between the flow for exempting from the special discharge pattern of charging in section and the flow exempted from charging and specify IP address and domain name addresses
Continuous use record strip number accounts for the ratio of the total flow record strip number in its described second set period of time;
Suspected Degree is finally cheated according to the flow of exempting from that formula A=(X+Y+Z)/3 calculates the user, wherein A is the use
Exempt from flow fraud Suspected Degree in family;X is that the flow for exempting from the special discharge pattern of charging of the user accounts for the total flow
Ratio;Y is the ratio exempted from charging and the flow of IP address and domain name addresses is specified to account for the total flow of the user;Z is
The user in second set period of time described in exempt from the flow of the special discharge pattern of charging and described to exempt from charging specified
The continuous use record strip number of the flow of IP address and domain name addresses accounts for the record of the total flow in its described second set period of time
The ratio of item number.
Preferably, described that flow fraud Suspected Degree is exempted from according to the user, analyze and determine whether the user is doubtful
Exempting from flow fraudulent user includes:
Calculating exempts from flow and cheats average Suspected Degree;
The flow fraud Suspected Degree of exempting from of the user is compared with the average Suspected Degree of flow fraud of exempting from, when described
The flow fraud Suspected Degree of exempting from of user is greater than described when exempting from flow and cheating average Suspected Degree, then the user is that doubtful flow of exempting from is taken advantage of
Cheat user.
Preferably, the calculating exempt from flow and cheat average Suspected Degree include:
The user includes n, is cheated according to the flow of exempting from that formula Ai=(Xi+Yi+Zi)/3 calculates each user
Suspected Degree, wherein i=1,2,3 ..., n, i are integer;N > 1, and n is integer;Ai is that the flow of exempting from of i-th of user is taken advantage of
Cheat Suspected Degree;Xi is that the flow for exempting from the special discharge pattern of charging of i-th of user accounts for the ratio of the total flow;Yi
To exempt from the ratio that charging specifies the flow of IP address and domain name addresses to account for the total flow described in i-th of user;Zi is
I-th of user in second set period of time described in exempt from the flow of the special discharge pattern of charging and described exempt from charging
The continuous use record strip number of the flow of specified IP address and domain name addresses accounts for the total flow in its described second set period of time
The ratio of record strip number;
Exempt from flow according to formula A '=(A1+A2+ ...+An)/n calculating and cheat average Suspected Degree, wherein A ' is described
Exempt from flow and cheats average Suspected Degree.
Preferably, it is described according to it is described it is doubtful exempt to exempt from described in flow fraudulent user flow fraud Suspected Degree, analyze and determine
Whether the user is to exempt from flow fraudulent user to include:
Acquire it is described it is doubtful exempt from set meal flow and current balance ordered by flow fraudulent user, calculate and described doubtful exempt to flow
The summation for the flow that the set meal flow and current balance for measuring fraudulent user can be bought;
By it is described it is doubtful exempt from flow fraudulent user used in first set period of time described in exempt from charging special flow
The flow of amount type and the flow summation for exempting from the specified IP address of charging and domain name addresses and the doubtful flow of exempting from cheat use
The summation for the flow that the set meal flow and current balance at family can be bought is compared, when the doubtful flow fraudulent user of exempting from exists
The flow for exempting from the special discharge pattern of charging that is used in first set period of time and described exempt from charging and specify IP address
It can be bought with the flow summation of domain name addresses greater than the doubtful set meal flow for exempting from flow fraudulent user and current balance
When the summation of flow, determine that the doubtful flow fraudulent user of exempting from is to exempt from flow fraudulent user.
The present invention also provides a kind of identifying systems for exempting from flow fraudulent user, comprising: preprocessing module, for user's
Telecommunications traffic data are pre-processed, and obtain the user exempts from charging data on flows;
Analytical calculation module carries out analytical calculation for the charging data on flows of exempting to the user, obtains the user
Exempt from flow fraud Suspected Degree;And flow fraud Suspected Degree is exempted from according to the user, analyze and determine whether the user is doubtful
Seemingly exempt from flow fraudulent user;
Analyze and determine module, for according to it is described it is doubtful exempt to exempt from described in flow fraudulent user flow fraud Suspected Degree, point
Analysis judges whether the user is to exempt from flow fraudulent user.
Preferably, the preprocessing module includes:
First statistic unit, the total flow used in the first set period of time for counting the user;
Second statistic unit exempts from charging special flow for count that the user uses in first set period of time
Measure the flow of type;Wherein, the flow for exempting from the special discharge pattern of charging is the flow of atypia user mobile Internet access business
And exempt from the functional network flowing of access of charging;
Third statistic unit specifies IP for counting the charging of exempting from that the user uses in first set period of time
The flow of address and domain name addresses.
Preferably, the analytical calculation module includes:
First computing unit exempts from the flow of the special discharge pattern of charging and accounts for total stream for calculating described in the user
The ratio of amount;Calculate the ratio exempted from charging and the flow of IP address and domain name addresses is specified to account for the total flow of the user
Example;It calculates in the second set period of time chosen in first set period of time, it is special to exempt from charging described in the user
The continuous use record strip number of the flow of discharge pattern and the flow for exempting from the specified IP address of charging and domain name addresses accounts for its institute
State the ratio of the total flow record strip number in the second set period of time;And calculate the user's according to formula A=(X+Y+Z)/3
Exempt from flow fraud Suspected Degree, wherein A is that the flow of exempting from of the user cheats Suspected Degree;X is that the described of the user exempts from charging spy
The flow of different discharge pattern accounts for the ratio of the total flow;Y is that the described of the user exempts from charging with specifying IP address and domain name
The flow of location accounts for the ratio of the total flow;Z be the user in second set period of time described in exempt from charging special
The continuous use record strip number of the flow of discharge pattern and the flow for exempting from the specified IP address of charging and domain name addresses accounts for its institute
State the ratio of the total flow record strip number in the second set period of time;
Second computing unit exempts from the average Suspected Degree of flow fraud for calculating;
Comparison judgment unit, for by the user exempt from flow fraud Suspected Degree and it is described exempt from flow fraud be averaged it is doubtful
Degree is compared, and judges whether the user is doubtful to exempt from flow fraudulent user according to comparison result.
Preferably, the analytical judgment module includes:
Acquisition unit described doubtful exempts from set meal flow and current balance ordered by flow fraudulent user for acquiring;
Third computing unit can be purchased for calculating the doubtful set meal flow for exempting from flow fraudulent user and current balance
The summation for the flow bought;
Compare determination unit, for doubtful exempting from what flow fraudulent user used in first set period of time for described
The flow for exempting from the special discharge pattern of charging and it is described exempt from charging specify the flow summation of IP address and domain name addresses with it is described
The summation for the flow that the doubtful set meal flow for exempting from flow fraudulent user and current balance can be bought is compared, and according to comparing
As a result it determines and described doubtful exempts from whether flow fraudulent user is to exempt from flow fraudulent user.
Beneficial effects of the present invention: the recognition methods provided by the present invention for exempting from flow fraudulent user, by user's
Exempt from charging data on flows and carry out analytical calculation, efficiently and accurately screening can go out the malice that the form of expression is normal network protocol
Exempt from charging flow, exempt from flow fraudulent user so as to efficiently and accurately identify, and then solves current flux charging loophole difficulty and know
Not, the problem of intercepting and trace to the source.
The identifying system provided by the present invention for exempting from flow fraudulent user exempts from charging to user by analytical calculation module
Data on flows carry out analytical calculation, can efficiently and accurately screening go out the form of expression be normal network protocol malice exempt from charging
Flow exempts from flow fraudulent user so as to efficiently and accurately identify, and then solves the identification of current flux charging loophole difficulty, blocks
The problem of cutting and tracing to the source.
Detailed description of the invention
Fig. 1 is the flow chart for exempting from the recognition methods of flow fraudulent user in the embodiment of the present invention 1;
Fig. 2 is the functional block diagram for exempting from the identifying system of flow fraudulent user in the embodiment of the present invention 3;
Fig. 3 is the functional block diagram for exempting from the identifying system of flow fraudulent user in the embodiment of the present invention 4.
Description of symbols therein:
1. preprocessing module;11. the first statistic unit;12. the second statistic unit;13. third statistic unit;2. analysis meter
Calculate module;21. the first computing unit;22. the second computing unit;23. comparison judgment unit;3. analyzing and determining module;31. acquisition
Unit;32. third computing unit;33. comparing determination unit.
Specific embodiment
To make those skilled in the art more fully understand technical solution of the present invention, with reference to the accompanying drawing and it is embodied
Mode is described in further detail a kind of recognition methods for exempting from flow fraudulent user provided by the present invention and identifying system.
Embodiment 1:
The present embodiment provides a kind of recognition methods for exempting from flow fraudulent user, as shown in Figure 1, comprising:
Step S1: pre-processing the telecommunications traffic data of user, and obtain user exempts from charging data on flows.
Step S2: carrying out analytical calculation to the charging data on flows of exempting from of user, and obtain user exempts from flow fraud Suspected Degree.
Step S3: exempting from flow fraud Suspected Degree according to user, analyzes and determines whether user is that doubtful flow of exempting from cheats use
Family.
Step S4: Suspected Degree is cheated according to the doubtful flow of exempting from for exempting from flow fraudulent user, analyzes and determines whether user is to exempt from
Flow fraudulent user.
By above-mentioned recognition methods, analytical calculation is carried out by the charging data on flows of exempting to user, it can effectively, accurately
Ground judges that the form of expression exempts from charging flow for the malice of normal network protocol, so as to efficiently and accurately identify that exempting from flow takes advantage of
User is cheated, and then solves the problems, such as the identification of current flux charging loophole difficulty, intercept and trace to the source.
Embodiment 2:
The present embodiment provides a kind of recognition methods for exempting from flow fraudulent user, comprising:
Step S1: pre-processing the telecommunications traffic data of user, and obtain user exempts from charging data on flows.
The step specifically includes:
Step S11: the total flow that counting user uses in the first set period of time.
In the step, the first set period of time can arbitrarily be set, and such as the first set period of time can be set as to 30 days.
Step S12: what counting user used in the first set period of time exempts from the flow of the special discharge pattern of charging;Exempt to count
The flow for taking special discharge pattern is the flow of atypia user mobile Internet access business and the functional network access for exempting from charging
Flow.
In the step, the flow of atypia user's mobile Internet access business such as normal internet business OTT (by internet to
The various application services that family provides) class flow, TCP/IP (network communication protocol) flow etc., exempt from the functional network access of charging
Flow such as accesses DNS (domain name system) flow, HSRP (Hot Standy Router Protocol) flow.
Step S13: IP address and domain name addresses are specified in charging that counting user used in the first set period of time exempt from
Flow.
In the step, exempt from the special access that charging specifies IP address and the flow such as public good class of domain name addresses etc. that can exempt from charging
The flow of Target IP.
In step S1, it is single in detail that telecom operators acquire flow that user uses in the first set period of time first, user
Flow in detail it is single mainly include IMSI (international mobile subscriber identity), Subscriber Number, IMEI (mobile device world identification code),
The indexs such as access target IP (network protocol), discharge pattern, time, then according to the various indexs in the detailed list of flow to the flow
Singly pre-processed in detail, pretreatment mainly include the total flow that user is used in the first set period of time statistics, to
What family used in the first set period of time exempts from the statistics of the flow of the special discharge pattern of charging and to user in the first setting
The statistics exempted from charging and specify the flow of IP address and domain name addresses used in period.Wherein, it is main to exempt from charging data on flows
The flow of flow and specified IP address and domain name addresses including special discharge pattern.
Step S2: carrying out analytical calculation to the charging data on flows of exempting from of user, and obtain user exempts from flow fraud Suspected Degree.
In the step, selected data on flows of the sole user in the first set period of time is analyzed, and is specifically included:
Step S21: the flow for exempting from the special discharge pattern of charging of calculating user first accounts for the ratio X of total flow.
Step S22: the ratio Y for exempting from charging and the flow of IP address and domain name addresses being specified to account for total flow of user is calculated again.
Step S23: choosing the second set period of time in the first set period of time, calculates user in the second set period of time
The continuous use record of the interior flow for exempting from the special discharge pattern of charging and the flow for exempting from the specified IP address of charging and domain name addresses
Item number accounts for the ratio Z of the total flow record strip number in its second set period of time.
In the step, the second set period of time is a period of time in the first set period of time, the second setting time
The duration of section is less than or equal to the first set period of time, and the second set period of time can arbitrarily set under the foregoing conditions, such as can be with
Second set period of time is set as one day or a hour.
Continuous use record strip number refers to the flow for exempting from the special discharge pattern of charging and exempts from charging with specifying IP address and domain name
The record total number that the flow of location uses incessantly in the second set period of time, wherein can be and exempt from the special flow of charging
Record is used continuously in the flow of type, is also possible to exempt from the flow continuous use record of the specified IP address of charging and domain name addresses,
Can also be the flow for exempting from the special discharge pattern of charging and exempt from charging specifies the flow of IP address and domain name addresses mutually to adulterate
Continuous use record.In some hour such as in 30 days, a total of 100 discharge records, wherein exempt from the special class of traffic of charging
The flow of type and the continuous use for the flow for exempting from the specified IP address of charging and domain name addresses are recorded as 90, then ratio Z is 90%.
Step S24: finally calculate user exempts from flow fraud Suspected Degree A, wherein A=(X+Y+Z)/3.
In step S2, step can be all respectively adopted in the flow fraud Suspected Degree of exempting from of all users of telecom operators
S21-S24 is calculated.
Step S3: exempting from flow fraud Suspected Degree according to user, analyzes and determines whether user is that doubtful flow of exempting from cheats use
Family.
The step specifically includes:
Step S31: calculating exempts from flow and cheats average Suspected Degree.
In the step, it is assumed that the user of telecom operators includes n, and each user's exempts from flow fraud Suspected Degree Ai=
(Xi+Yi+Zi)/3, wherein i=1,2,3 ..., n, i are integer;N > 1, and n is integer;Then exempt from flow and cheats average Suspected Degree
A '=(A1+A2+ ...+An)/n.
Step S32: the flow fraud Suspected Degree of exempting from of user is compared with the average Suspected Degree of flow fraud is exempted from, works as user
Flow fraud Suspected Degree of exempting from be greater than when exempting from flow and cheating average Suspected Degree, then user is doubtful to exempt from flow fraudulent user.
By step S2 and step S3, can determine whether each user of telecom operators is that doubtful flow of exempting from cheats use
Family.
Step S4: Suspected Degree is cheated according to the doubtful flow of exempting from for exempting from flow fraudulent user, analyzes and determines whether user is to exempt from
Flow fraudulent user.
The step specifically includes:
Step S41: acquisition is doubtful to exempt from set meal flow and current balance ordered by flow fraudulent user, and calculating is doubtful to exempt to flow
The summation for the flow that the set meal flow and current balance for measuring fraudulent user can be bought.
Step S42: by it is doubtful exempt from that flow fraudulent user uses in the first set period of time exempt from the special class of traffic of charging
The flow of type and flow summation and the doubtful set meal flow for exempting from flow fraudulent user for exempting from charging specified IP address and domain name addresses
The summation for the flow that can be bought with current balance is compared, when doubtful flow fraudulent user of exempting from is in the first set period of time
The flow for exempting from the special discharge pattern of charging used specifies the flow summation of IP address and domain name addresses greater than doubtful with charging is exempted from
When the summation for the flow that the set meal flow and current balance for exempting from flow fraudulent user can be bought, determine that doubtful flow of exempting from cheats use
Family is to exempt from flow fraudulent user.
By step S4, can exempt from that flow fraudulent user will be exempted from flow fraudulent user to determine from doubtful.
1-2's the utility model has the advantages that is provided in embodiment 1-2 exempt from the recognition methods of flow fraudulent user to embodiment, by right
The charging data on flows of exempting from of user carries out analytical calculation, efficiently and accurately screening can go out the form of expression for normal network protocol
Malice exempt from charging flow, exempt from flow fraudulent user so as to efficiently and accurately identify, so solve current flux charging leakage
The problem of hole difficulty identifies, intercepts and trace to the source.
Embodiment 3:
The present embodiment provides a kind of identifying systems for exempting from flow fraudulent user, as shown in Fig. 2, including preprocessing module 1, use
It is pre-processed in the telecommunications traffic data to user, obtain user exempts from charging data on flows.Analytical calculation module 2, is used for
Analytical calculation is carried out to the charging data on flows of exempting from of user, obtain user exempts from flow fraud Suspected Degree;And exempted from according to user
Flow cheats Suspected Degree, analyzes and determines whether user is doubtful to exempt from flow fraudulent user.Module 3 is analyzed and determined, for according to doubtful
That seemingly exempts from flow fraudulent user exempts from flow fraud Suspected Degree, analyzes and determines whether user is to exempt from flow fraudulent user.
Identifying system in the present embodiment carries out analysis meter by exempt from charging data on flows of the analytical calculation module to user
It calculates, can judge that the form of expression exempts from charging flow for the malice of normal network protocol, efficiently and accurately so as to effective, quasi-
It really identifies and exempts from flow fraudulent user, and then solve the problems, such as the identification of current flux charging loophole difficulty, intercept and trace to the source.
Embodiment 4:
The present embodiment provides a kind of identifying systems for exempting from flow fraudulent user, as shown in figure 3, on the basis of embodiment 3,
Preprocessing module 1 in the present embodiment includes: the first statistic unit 11, is used in the first set period of time for counting user
Total flow.Second statistic unit 12 exempts from the special class of traffic of charging for what counting user used in the first set period of time
The flow of type;Wherein, the flow for exempting from the special discharge pattern of charging is the flow of atypia user mobile Internet access business and exempts to count
The functional network flowing of access taken.Third statistic unit 13 is exempted from for what counting user used in the first set period of time
The flow of IP address and domain name addresses is specified in charging.
Analytical calculation module 2 in the present embodiment includes: the first computing unit 21, for calculate user to exempt from charging special
The flow of discharge pattern accounts for the ratio X of total flow;The charging of exempting from for calculating user specifies the flow of IP address and domain name addresses to account for always
The ratio Y of flow;It calculates in the second set period of time chosen in the first set period of time, user's exempts from the special flow of charging
When the flow of type and the continuous use record strip number for the flow for exempting from the specified IP address of charging and domain name addresses account for its second setting
Between total flow record strip number in section ratio Z;And the flow of exempting from for calculating user cheats Suspected Degree A, wherein A=(X+Y+Z)/
3.Second computing unit 22 exempts from the average Suspected Degree of flow fraud for calculating.Assuming that the user of telecom operators includes n, respectively
A user's exempts from flow fraud Suspected Degree Ai=(Xi+Yi+Zi)/3, wherein i=1,2,3 ..., n, i are integer;N > 1, and n
For integer;Then exempt from flow and cheats average Suspected Degree A '=(A1+A2+ ...+An)/n.Comparison judgment unit 23, for by user's
Exempt from flow fraud Suspected Degree and be compared with the average Suspected Degree of flow fraud is exempted from, and judges whether user is doubtful according to comparison result
Seemingly exempt from flow fraudulent user.Wherein, when some user exempt from flow fraud Suspected Degree be greater than exempt from flow and cheat average Suspected Degree when,
Then the user exempts from flow fraudulent user to be doubtful.
Analytical judgment module 3 in the present embodiment includes: acquisition unit 31, doubtful exempts from flow fraudulent user institute for acquiring
The set meal flow and current balance of order.Third computing unit 32, for calculating the doubtful set meal flow for exempting from flow fraudulent user
The summation for the flow that can be bought with current balance.Compare determination unit 33, for by doubtful flow fraudulent user of exempting from first
The flow for exempting from the special discharge pattern of charging used in set period of time and the flow for exempting from charging specified IP address and domain name addresses
Summation is compared with the summation for the flow that the doubtful set meal flow for exempting from flow fraudulent user and current balance can be bought, and root
It is determined according to comparison result and doubtful exempts from whether flow fraudulent user is to exempt from flow fraudulent user.Wherein, exempt from flow when some is doubtful and take advantage of
The flow for exempting from the special discharge pattern of charging and exempt from the specified IP address of charging and domain that swindleness user uses in the first set period of time
The flow summation of name address is greater than the flow that the doubtful set meal flow for exempting from flow fraudulent user and the current balance can be bought
When summation, determine that the doubtful flow fraudulent user of exempting from is to exempt from flow fraudulent user.
3-4's the utility model has the advantages that is provided in embodiment 3-4 exempt from the identifying system of flow fraudulent user to embodiment, by point
Analysis computing module carries out analytical calculation to the charging data on flows of exempting from of user, and efficiently and accurately screening can go out the form of expression and is
The malice of proper network agreement exempts from charging flow, exempts from flow fraudulent user so as to efficiently and accurately identify, and then solves mesh
The problem of preceding charge on traffic loophole difficulty identifies, intercepts and trace to the source.
It is understood that the principle that embodiment of above is intended to be merely illustrative of the present and the exemplary implementation that uses
Mode, however the present invention is not limited thereto.For those skilled in the art, essence of the invention is not being departed from
In the case where mind and essence, various changes and modifications can be made therein, these variations and modifications are also considered as protection scope of the present invention.
Claims (7)
1. a kind of recognition methods for exempting from flow fraudulent user characterized by comprising
The telecommunications traffic data of user are pre-processed, obtain the user exempts from charging data on flows;
Analytical calculation is carried out to the charging data on flows of exempting from of the user, obtain the user exempts from flow fraud Suspected Degree;
Exempt from flow fraud Suspected Degree according to the user, analyzes and determines whether the user is doubtful to exempt from flow fraudulent user;
According to it is described it is doubtful exempt to exempt from described in flow fraudulent user flow fraud Suspected Degree, analyze and determine whether the user is to exempt from
Flow fraudulent user;
The telecommunications traffic data to user pre-process, and the charging data on flows of exempting from for obtaining the user includes:
Count the total flow that the user uses in the first set period of time;
Count the flow for exempting from the special discharge pattern of charging that the user uses in first set period of time;It is described to exempt to count
The flow for taking special discharge pattern is the flow of atypia user mobile Internet access business and the functional network access for exempting from charging
Flow;
Count the flow exempted from charging and specify IP address and domain name addresses that the user uses in first set period of time;
The charging data on flows of exempting to the user carries out analytical calculation, and obtain the user exempts from flow fraud Suspected Degree
Include:
The flow for exempting from the special discharge pattern of charging for calculating the user first accounts for the ratio of the total flow;
The ratio exempted from charging and the flow of IP address and domain name addresses is specified to account for the total flow of the user is calculated again;
The second set period of time is chosen in first set period of time, calculates the user in second set period of time
The interior flow for exempting from the special discharge pattern of charging and it is described exempt from charging specify IP address and domain name addresses flow it is continuous
Usage record item number accounts for the ratio of the total flow record strip number in its described second set period of time;
Suspected Degree is finally cheated according to the flow of exempting from that formula A=(X+Y+Z)/3 calculates the user, wherein A is the user's
Exempt from flow fraud Suspected Degree;X is that the flow for exempting from the special discharge pattern of charging of the user accounts for the ratio of the total flow;
Y is the ratio exempted from charging and the flow of IP address and domain name addresses is specified to account for the total flow of the user;Z is the use
Family in second set period of time described in exempt from the special discharge pattern of charging flow and it is described exempt from charging specify IP address
The total flow record strip number in its described second set period of time is accounted for the continuous use record strip number of the flow of domain name addresses
Ratio.
2. recognition methods according to claim 1, which is characterized in that it is described according to the user exempt from flow fraud it is doubtful
Degree, analyzes and determines whether the user is that doubtful flow fraudulent user of exempting from includes:
Calculating exempts from flow and cheats average Suspected Degree;
The flow fraud Suspected Degree of exempting from of the user is compared with the average Suspected Degree of flow fraud of exempting from, as the user
Flow fraud Suspected Degree of exempting from be greater than described when exempting from flow and cheating average Suspected Degree, then the user is doubtful to exempt from flow fraud and use
Family.
3. recognition methods according to claim 2, which is characterized in that the calculating exempts from flow and cheats average Suspected Degree packet
It includes:
The user includes n, according to formula Ai=(Xi+Yi+Zi)/3 calculate each user to exempt from flow fraud doubtful
Degree, wherein i=1,2,3 ..., n, i are integer;N > 1, and n is integer;Ai is that the flow fraud of exempting from of i-th of user is doubted
Like degree;Xi is that the flow for exempting from the special discharge pattern of charging of i-th of user accounts for the ratio of the total flow;Yi is
The ratio exempted from charging and the flow of IP address and domain name addresses is specified to account for the total flow of the i users;Zi is i-th
The user in second set period of time described in exempt from the flow of the special discharge pattern of charging and described to exempt from charging specified
The continuous use record strip number of the flow of IP address and domain name addresses accounts for the record of the total flow in its described second set period of time
The ratio of item number;
Exempt from flow according to formula A '=(A1+A2+ ...+An)/n calculating and cheat average Suspected Degree, wherein A ' exempts to flow to be described
Amount cheats average Suspected Degree.
4. recognition methods according to claim 2, which is characterized in that described according to the doubtful flow fraudulent user exempted from
It is described to exempt from flow fraud Suspected Degree, analyze and determine whether the user is to exempt from flow fraudulent user to include:
Acquire it is described it is doubtful exempt from set meal flow and current balance ordered by flow fraudulent user, calculate the doubtful flow of exempting from and take advantage of
The summation for the flow that the set meal flow and current balance for cheating user can be bought;
By it is described it is doubtful exempt from flow fraudulent user used in first set period of time described in exempt from the special class of traffic of charging
The flow of type and the flow summation and the doubtful flow fraudulent user of exempting from exempted from charging and specify IP address and domain name addresses
The summation for the flow that set meal flow and current balance can be bought is compared, when the doubtful flow fraudulent user of exempting from is described
The flow for exempting from the special discharge pattern of charging that is used in first set period of time and described exempt from charging and specify IP address and domain
The flow summation of name address is greater than the flow that the doubtful set meal flow for exempting from flow fraudulent user and current balance can be bought
Summation when, determine it is described it is doubtful exempt from flow fraudulent user be exempt from flow fraudulent user.
5. a kind of identifying system for exempting from flow fraudulent user characterized by comprising preprocessing module, for the electricity to user
Letter data on flows is pre-processed, and obtain the user exempts from charging data on flows;
Analytical calculation module carries out analytical calculation for the charging data on flows of exempting to the user, obtains exempting from for the user
Flow cheats Suspected Degree;And flow fraud Suspected Degree is exempted from according to the user, analyze and determine whether the user is doubtful exempt from
Flow fraudulent user;
Analyze and determine module, for according to it is described it is doubtful exempt to exempt from described in flow fraudulent user flow fraud Suspected Degree, analysis is sentenced
Whether the user of breaking is to exempt from flow fraudulent user;
The preprocessing module includes:
First statistic unit, the total flow used in the first set period of time for counting the user;
Second statistic unit exempts from the special class of traffic of charging for count that the user uses in first set period of time
The flow of type;Wherein, the flow for exempting from the special discharge pattern of charging be atypia user mobile Internet access business flow and
Exempt from the functional network flowing of access of charging;
Third statistic unit specifies IP address for counting the charging of exempting from that the user uses in first set period of time
With the flow of domain name addresses;
The analytical calculation module includes:
First computing unit exempts from the flow of the special discharge pattern of charging and accounts for the total flow for calculating described in the user
Ratio;Calculate the ratio exempted from charging and the flow of IP address and domain name addresses is specified to account for the total flow of the user;Meter
It calculates in the second set period of time chosen in first set period of time, the described of the user exempts from the special class of traffic of charging
The flow of type and it is described exempt from charging specify the continuous use record strip number of the flow of IP address and domain name addresses account for its described second
The ratio of total flow record strip number in set period of time;And flow is exempted from according to formula A=(X+Y+Z)/3 calculating user
Cheat Suspected Degree, wherein A is that the flow of exempting from of the user cheats Suspected Degree;X is that the described of the user exempts from the special flow of charging
The flow of type accounts for the ratio of the total flow;Y is the stream exempted from charging and specify IP address and domain name addresses of the user
Amount accounts for the ratio of the total flow;Z be the user in second set period of time described in exempt from the special class of traffic of charging
The flow of type and it is described exempt from charging specify the continuous use record strip number of the flow of IP address and domain name addresses account for its described second
The ratio of total flow record strip number in set period of time.
6. identifying system according to claim 5, which is characterized in that the analytical calculation module further include:
Second computing unit exempts from the average Suspected Degree of flow fraud for calculating;
Comparison judgment unit, for by the user exempt from flow fraud Suspected Degree and it is described exempt from flow cheat average Suspected Degree into
Row compares, and judges whether the user is doubtful to exempt from flow fraudulent user according to comparison result.
7. identifying system according to claim 6, which is characterized in that the analytical judgment module includes:
Acquisition unit described doubtful exempts from set meal flow and current balance ordered by flow fraudulent user for acquiring;
Third computing unit, for calculating the doubtful set meal flow for exempting from flow fraudulent user and current balance can buy
The summation of flow;
Compare determination unit, for doubtful exempting from described described in flow fraudulent user uses in first set period of time
Exempt from the special discharge pattern of charging flow and it is described exempt from charging specify the flow summation of IP address and domain name addresses with it is described doubtful
The summation for the flow that the set meal flow and current balance for exempting from flow fraudulent user can be bought is compared, and according to comparison result
It determines and described doubtful exempts from whether flow fraudulent user is to exempt from flow fraudulent user.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610130425.3A CN105827593B (en) | 2016-03-08 | 2016-03-08 | A kind of recognition methods and identifying system for exempting from flow fraudulent user |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610130425.3A CN105827593B (en) | 2016-03-08 | 2016-03-08 | A kind of recognition methods and identifying system for exempting from flow fraudulent user |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105827593A CN105827593A (en) | 2016-08-03 |
| CN105827593B true CN105827593B (en) | 2019-01-18 |
Family
ID=56987942
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610130425.3A Active CN105827593B (en) | 2016-03-08 | 2016-03-08 | A kind of recognition methods and identifying system for exempting from flow fraudulent user |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105827593B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113556748A (en) * | 2021-06-23 | 2021-10-26 | 中国联合网络通信集团有限公司 | Signaling tracing identification method, device and system |
Families Citing this family (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106412975B (en) * | 2016-09-30 | 2019-11-08 | 中国联合网络通信集团有限公司 | A kind of test method and device of content charging loophole |
| CN108322354B (en) * | 2017-01-18 | 2020-10-23 | 中国移动通信集团河南有限公司 | Method and device for identifying running-stealing flow account |
| CN108337652B (en) * | 2017-01-20 | 2020-12-01 | 中国移动通信集团河南有限公司 | Method and device for detecting flow fraud |
| CN108347443B (en) * | 2018-02-11 | 2021-02-02 | 中国联合网络通信集团有限公司 | Method and system for discovering malicious traffic-free server |
| CN108846096B (en) * | 2018-06-15 | 2021-04-13 | 中国联合网络通信集团有限公司 | Webpage prompting method, terminal, gateway equipment and user edge equipment |
| CN110891043B (en) * | 2018-09-11 | 2022-05-13 | 中国移动通信集团河北有限公司 | Method, apparatus, device and medium for identifying user |
| CN111314266B (en) * | 2018-12-11 | 2022-08-23 | 中国移动通信集团吉林有限公司 | Traffic fraud detection method and device, electronic equipment and storage medium |
| CN110113757A (en) * | 2019-05-07 | 2019-08-09 | 中国联合网络通信集团有限公司 | Fraudulent user recognition methods and system |
| CN110769395B (en) * | 2019-10-30 | 2022-07-22 | 北京达佳互联信息技术有限公司 | Traffic-free service synchronization method and device |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102567788A (en) * | 2010-12-28 | 2012-07-11 | 中国移动通信集团重庆有限公司 | Real-time identification system and real-time identification method for fraudulent practice in communication services |
| CN103841204A (en) * | 2014-03-14 | 2014-06-04 | 北京奇虎科技有限公司 | Traffic-free downloading method, device and system based on mobile terminal |
| CN104967688A (en) * | 2015-06-30 | 2015-10-07 | 北京奇虎科技有限公司 | Method for accessing to network by using flow-free platform, mobile terminal and system |
-
2016
- 2016-03-08 CN CN201610130425.3A patent/CN105827593B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102567788A (en) * | 2010-12-28 | 2012-07-11 | 中国移动通信集团重庆有限公司 | Real-time identification system and real-time identification method for fraudulent practice in communication services |
| CN103841204A (en) * | 2014-03-14 | 2014-06-04 | 北京奇虎科技有限公司 | Traffic-free downloading method, device and system based on mobile terminal |
| CN104967688A (en) * | 2015-06-30 | 2015-10-07 | 北京奇虎科技有限公司 | Method for accessing to network by using flow-free platform, mobile terminal and system |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113556748A (en) * | 2021-06-23 | 2021-10-26 | 中国联合网络通信集团有限公司 | Signaling tracing identification method, device and system |
| CN113556748B (en) * | 2021-06-23 | 2023-06-16 | 中国联合网络通信集团有限公司 | Signaling tracing identification method, device and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105827593A (en) | 2016-08-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105827593B (en) | A kind of recognition methods and identifying system for exempting from flow fraudulent user | |
| CN108009844B (en) | Method and device for determining advertisement cheating behaviors and cloud server | |
| CN107948172A (en) | A kind of car networking Network Intrusion detection method and system based on artificial intelligence behavioural analysis | |
| CN104753863B (en) | A kind of defence method of distributed denial of service attack, equipment and system | |
| CN107274212A (en) | Cheating recognition methods and device | |
| CN106445796B (en) | Automatic detection method and device for cheating channel | |
| CN105069354A (en) | Attack tree model based Android software hybrid detection method | |
| CN109640312A (en) | " black card " recognition methods, electronic equipment and computer program product | |
| CN109361673A (en) | Network anomaly detection method based on data on flows sample statistics and balance comentropy estimation | |
| CN110493235A (en) | A kind of mobile terminal from malicious software synchronization detection method based on network flow characteristic | |
| CN106656651A (en) | Data transparent transmission detecting method and device | |
| CN104640138A (en) | Method and device for locating problematic terminals | |
| Choi et al. | Automated classifier generation for application-level mobile traffic identification | |
| CN103001972A (en) | Identification method and identification device and firewall for DDOS (distributed denial of service) attack | |
| CN104933150B (en) | Method and system with number are determined based on handset identity number | |
| Wang et al. | A smart automated signature extraction scheme for mobile phone number in human-centered smart home systems | |
| CN109413079A (en) | Fast-Flux Botnet detection method and system under a kind of high speed network | |
| CN108566384A (en) | A kind of flow attacking means of defence, device, protection server and storage medium | |
| Feng et al. | Cj-sniffer: Measurement and content-agnostic detection of cryptojacking traffic | |
| CN108182282A (en) | Address authenticity verification methods, device and electronic equipment | |
| Kivi | Measuring mobile user behavior and service usage: methods, measurement points, and future outlook | |
| Tarmazakov et al. | Modern approaches to prevent fraud in mobile communications networks | |
| CN113553571B (en) | Method and device for measuring reliability of terminal equipment | |
| CN114168423A (en) | Abnormal number calling monitoring method, device, equipment and storage medium | |
| CN109600751B (en) | Pseudo base station detection method based on network side user data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |