CN106789413A - A kind of method and apparatus for detecting proxy surfing - Google Patents
A kind of method and apparatus for detecting proxy surfing Download PDFInfo
- Publication number
- CN106789413A CN106789413A CN201611133870.1A CN201611133870A CN106789413A CN 106789413 A CN106789413 A CN 106789413A CN 201611133870 A CN201611133870 A CN 201611133870A CN 106789413 A CN106789413 A CN 106789413A
- Authority
- CN
- China
- Prior art keywords
- user terminal
- terminal
- identification information
- agent
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/50—Testing arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The embodiment of the present invention provides a kind of method for detecting proxy surfing, including:Pre-build agent equipment mark table;Receive the Web page request message that first user terminal sends after same Web server sets up TCP connections;Terminal type information in the Web page request message feeds back the message for detecting user terminal identification information to the first user terminal;Receive the message of the identification information comprising the first user terminal that the first user terminal sends;When the source IP address of the message of the identification information comprising the first user terminal is identified in table in the agent equipment, identification information and the agent equipment mark table according to the first user terminal determine whether the first user terminal is the user terminal surfed the Net by agent equipment.Meanwhile, the present invention also provides a kind of device for detecting proxy surfing.Embodiment of the present invention rate of false alarm is low, and user's online experience effect is good.
Description
Technical field
The invention belongs to data communication technology field, more particularly to a kind of method and apparatus for detecting proxy surfing.
Background technology
Proxy surfing, refers to realize that many people share the technology that an IP address is surfed the Net using router or agent software, custom
Claim " one drags N ".Most commonly multiple terminals carry out proxy surfing by a router, or on a main frame, install
Proxy server or network address translation software.In this case, multiple users can just share same account and be surfed the Net,
So as to bypass the account charge mode of operator, impairment of benefit is caused to operator, the normal construction of network is most influenceed at last.
Additionally, when internet-relevant violence occurs, the unlawful practices such as illegal speech, the pornographic video of upload are delivered, network supervision department
Cannot be traced to the source by account or IP address, the difficulty that audit is called to account afterwards to individual, increasing.
Into 21st century, network size is presented explosive growth, while internet-relevant violence, network intrusions behavior are also all the more
Seriously, therefore, governability door increasingly pay attention to specification internet behavior and Real-name Registration, however, and to reach genuine cyber identification
The target of system, then must solve the problems, such as user online agency.Solution main at present has following several:
The 1st, client software is installed, client timing monitors user's online situation, and photos and sending messages are to gateway;Gateway is according to user
Proxy surfing authority judges whether active user allows to use agency;If it is allowed, keeping network connection;If it is not allowed, handle
Active user kicks offline, while sending off line notice to client;After client has notice, the network for disconnecting active user connects
Connect.
2nd, using flash cookie technologies, testing equipment periodically intercepts the web access requests of terminal upload, to terminal
End returns to monotonic increase or the Digital ID for successively decreasing;Identity property value in flashcookie of the terminal in browser rs cache
It is space-time, Digital ID is write into identity property value;Testing equipment obtains the identity property value that terminal is uploaded, and obtains under Target IP
Identity property value sequence;Monotonicity according to identity property value sequence judges that whether mould is acted on behalf of in the corresponding online of the Target IP
Formula.
3rd, accounting message feature, including message timestamp rule, TCP connection quantity limitation, DNS request quantity limitation,
The modes such as message ID winding times.
It is existing detection user whether the method for proxy surfing at least there are problems that it is following:
1st, need install client-side program, install client popularization difficulty it is very big, and to face different desktop systems,
The compatibility issue of mobile terminal and various antivirus softwares, maintenance cost is high;
2nd, using flash cookie technologies, then can face on same main frame, there is multiple browsers and browser
The problem of compatibility mode, can so cause a main frame to be identified as more than two main frames, and now on same main frame, peace
The situation for filling several browsers is too universal, so False Rate is high;3rd, other collection message data fingerprint characteristics, such as TCP connections
The technologies such as number, DNS request number, the ID winding times of IP messages, have that individual difference is big, and rate of false alarm is high, pipe
The reason defect such as maintenance difficulties are big.
4th, the requirement to network manager is higher, it is necessary to set judgment threshold in the method for accounting message feature, and the threshold
The selection of value is the network maintenance experience for needing to enrich very much;
Therefore, in the prior art, or the method for identification proxy surfing is inaccurate, otherwise it is exactly to need that client is installed
End, it is necessary to which a kind of method that can be improved accuracy, be easy to the detection proxy surfing that deployment is implemented is provided.
The content of the invention
In order to solve the above-mentioned technical problem, the embodiment of the invention discloses a kind of method for detecting proxy surfing, including:
Pre-build agent equipment mark table;
Receive the Web page request message that first user terminal sends after same Web server sets up TCP connections;
Terminal type information in the Web page request message is fed back for detecting to the first user terminal
The message of user terminal identification information, in order to the first user terminal according to be used for detect user terminal identification information
Receive message described in first user terminal identification information;
Receive the message of the identification information comprising the first user terminal that the first user terminal sends;
When the identification information comprising the first user terminal message source IP address in the agent equipment mark
When in knowledge table, identification information and the agent equipment mark table according to the first user terminal determine the first user end
Whether end is the user terminal surfed the Net by agent equipment.
Optionally,
The terminal type is desktop terminal, and the first user terminal identification information is the IP of the first user terminal
Address;
The identification information and the agent equipment mark table according to the first user terminal determines that described first uses
The step of whether family terminal is the user terminal surfed the Net by agent equipment specifically includes:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that described first uses
Family terminal is the user terminal surfed the Net by agent equipment.
Optionally,
The agent equipment mark table also includes corresponding with first agent's device identification in agent equipment mark table
The hash values of the version information of user terminal operations system;
The terminal type is mobile terminal, and the first user terminal identification information is the behaviour of the first user terminal
Make the hash values of the version information of system;
The source IP address of the message for working as the identification information comprising the first user terminal is in the agent equipment mark
When in knowledge table, identification information and the agent equipment mark table according to the first user terminal determine the first user end
The step of whether end is the user terminal surfed the Net by agent equipment specifically includes:
When the source IP address and first agent's equipment mark of the message of the identification information comprising the first user terminal
When knowing matching, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification
Correspondence, when the different hash values of the version information of the operating system of user terminal corresponding from first agent's device identification
When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
Optionally,
It is described according to the Web page request message to the first user terminal feedback detection messages before also include:
Close the TCP connections;
Methods described also includes:Feeding back the Web page to the user terminal according to the Web page request message please
The original access network address URL in message is sought, the mark of the first user terminal is being obtained in order to the first user terminal
Web page request message is sent according to the original access network address URL again after information.
Optionally, methods described also includes:
When the IP address of the first user terminal is not in agent equipment mark table, and, the first user
When the IP address of terminal is not in subscriber terminal equipment mark table, the IP address of the first user terminal is added to the use
Family Terminal Equipment Identifier table;
The use that the different IP addresses quantity in table determines to be surfed the Net by agent equipment is identified according to the subscriber terminal equipment
The quantity of family terminal.
The embodiment of the present invention further aspect is that also provide it is a kind of detect proxy surfing device, including:
Module is set up, for pre-building agent equipment mark table;
First receiver module, for receiving the Web that first user terminal sends after same Web server sets up TCP connections
Web-page requests message;
Sending module, for the terminal type information in the Web page request message to the first user end
End feedback is used to detect the message of user terminal identification information, is used to detect according in order to the first user terminal and uses
The identification information of first user terminal described in the Receive message of family terminal identification information;
Second receiver module, for receiving the mark comprising the first user terminal that the first user terminal sends
The message of information;
Determining module, the source IP address of the message of the identification information for including the first user terminal described in is in institute
When stating in agent equipment mark table, identification information and the agent equipment mark table according to the first user terminal determine institute
State whether first user terminal is the user terminal surfed the Net by agent equipment.
Optionally, the terminal type is desktop terminal, and the first user terminal identification information is the first user
The IP address of terminal;
The determining module specifically for:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that described first uses
Family terminal is the user terminal surfed the Net by agent equipment.
Optionally,
The agent equipment mark table also includes corresponding with first agent's device identification in agent equipment mark table
The hash values of the version information of user terminal operations system;
The terminal type is mobile terminal, and the first user terminal identification information is the behaviour of the first user terminal
Make the hash values of the version information of system;
The determining module specifically for:
When the source IP address and first agent's equipment mark of the message of the identification information comprising the first user terminal
When knowing matching, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification
Correspondence, when the different hash values of the version information of the operating system of user terminal corresponding from first agent's device identification
When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
Optionally, described device also includes:
Switch module, for closing the TCP connections;
The sending module is additionally operable to, and the Web nets are fed back to the user terminal according to the Web page request message
Original access network address URL in page request message, the first user terminal is being obtained in order to the first user terminal
Web page request message is sent according to the original access network address URL again after identification information.
Optionally, described device also includes:
Add module, for when the IP address of the first user terminal not the agent equipment mark table in when, and,
When the IP address of the first user terminal is not in subscriber terminal equipment mark table, by the IP address of the first user terminal
It is added to the subscriber terminal equipment mark table;
Statistical module, the different IP addresses quantity for being identified according to the subscriber terminal equipment in table is determined by agency
The quantity of the user terminal of equipment online.
The beneficial effect of the embodiment of the present invention is that rate of false alarm is low, and user's online experience effect is good, proxy surfing terminal
Detection rates are fast, and main calculating and logical process task has all been placed on each subscriber terminal equipment, egress gateways equipment
Treatment logic is simple, and equipment can still accomplish surface speed forwarding;It is easy to dispose and promotes, without using client software, user
Acceptance level is high;Low cost, the development cost without client software or hardware, it is easy to upgrade maintenance;It is general moderately high, discrimination
Height, is adapted to the browser of main flow and mobile intelligent terminal system on the market.
Brief description of the drawings
Technical scheme in order to illustrate more clearly the embodiments of the present invention, below will be in embodiment or description of the prior art
The required accompanying drawing for using is briefly described, it should be apparent that, drawings in the following description are only some realities of the invention
Example is applied, for those of ordinary skill in the art, on the premise of not paying creative work, can also be according to these accompanying drawings
Obtain other accompanying drawings.
Fig. 1 is the system structure diagram of the embodiment of the present invention;
Fig. 2 is the method flow diagram of the embodiment of the present invention;
Fig. 3 is the structure drawing of device of the embodiment of the present invention.
Specific embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is carried out clear, complete
Site preparation is described, it is clear that described embodiment is only a part of embodiment of the invention, rather than whole embodiments.It is based on
Embodiment in the present invention, it is every other that those of ordinary skill in the art are obtained under the premise of creative work is not made
Embodiment, belongs to the scope of protection of the invention.
The system construction drawing of the embodiment of the present invention is as shown in figure 1, proxy terminal (such as PC, mobile terminal) is set by agency
Standby (such as wireless router) accesses egress gateways (such as egress gateways router) and goes to access internet, rather than proxy terminal
(such as PC, mobile terminal) accesses egress gateways (such as egress gateways router) and goes to access because of spy not over agent equipment
Net.
The embodiment of the present invention provides a kind of method for detecting proxy surfing, as shown in Fig. 2 comprising the following steps:
S101, pre-builds agent equipment mark table;
S103, receives the Web page request message that first user terminal sends after same Web server sets up TCP connections;
S105, the terminal type information in the Web page request message feeds back to the first user terminal to be used
In the message of detection user terminal identification information, in order to the first user terminal according to for detecting user terminal mark
The identification information of first user terminal described in the Receive message of knowledge information;
S107, receives the message of the identification information comprising the first user terminal that the first user terminal sends;
S109, when the source IP address of the message of the identification information comprising the first user terminal sets in the agency
When in standby mark table, identification information and the agent equipment mark table according to the first user terminal determine that described first uses
Whether family terminal is the user terminal surfed the Net by agent equipment.
Optionally,
The terminal type is desktop terminal, and the first user terminal identification information is the IP of the first user terminal
Address;
The identification information and the agent equipment mark table according to the first user terminal determines that described first uses
The step of whether family terminal is the user terminal surfed the Net by agent equipment specifically includes:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that described first uses
Family terminal is the user terminal surfed the Net by agent equipment.
Optionally,
The agent equipment mark table also includes corresponding with first agent's device identification in agent equipment mark table
The hash values of the version information of user terminal operations system;
The terminal type is mobile terminal, and the first user terminal identification information is the behaviour of the first user terminal
Make the hash values of the version information of system;
The source IP address of the message for working as the identification information comprising the first user terminal is in the agent equipment mark
When in knowledge table, identification information and the agent equipment mark table according to the first user terminal determine the first user end
The step of whether end is the user terminal surfed the Net by agent equipment specifically includes:
When the source IP address and first agent's equipment mark of the message of the identification information comprising the first user terminal
When knowing matching, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification
Correspondence, when the different hash values of the version information of the operating system of user terminal corresponding from first agent's device identification
When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
Optionally,
It is described according to the Web page request message to the first user terminal feedback detection messages before also include step
Suddenly:Close the TCP connections;
Methods described also includes:Feeding back the Web page to the user terminal according to the Web page request message please
The original access network address URL in message is sought, the mark of the first user terminal is being obtained in order to the first user terminal
Web page request message is sent according to the original access network address URL again after information.
Optionally, methods described also includes:
When the IP address of the first user terminal is not in agent equipment mark table, and, the first user
When the IP address of terminal is not in subscriber terminal equipment mark table, the IP address of the first user terminal is added to the use
Family Terminal Equipment Identifier table;
The use that the different IP addresses quantity in table determines to be surfed the Net by agent equipment is identified according to the subscriber terminal equipment
The quantity of family terminal.
In one embodiment of this invention, it is described with reference to concrete application scene:
Egress gateways equipment, a user terminal is identified with IP address, because proxy surfing equipment or agency are soft
Part can all carry out NAT address conversions, so whether surfed the Net by using agency regardless of the user terminal, for egress gateways
For equipment, the IP packets for receiving, its source IP address is entirely the same, remembers that the source IP address is ipsrc.Identification generation
The specific method for managing online includes:
Step one, egress gateways equipment, safeguard the user table UserTable corresponding to an ipsrc, are at least wrapped in the table
Containing source IP address, the information such as the hash values of User Agent, note source IP address is ipsrc, and the hash values of note User Agent are
uahash.When egress gateways equipment receives the IP packets of certain user for the first time, initialization uahash is 0;
Wherein, the entitled user agent of User Agent Chinese, abbreviation UA, it is a special string head so that service
Device is capable of identify that the operating system that user terminal uses and version, cpu type, browser and version, browser rendering engine, clear
Look at device language, browser plug-in etc..Statistical analysis discovery, User are carried out by the Intelligent mobile equipment to main flow on the market
The operating system and version information included in Agent character strings can be used for the identification of mobile terminal.
Step 2, egress gateways equipment periodically intercept the web access requests of user terminal uploads, are returned to user terminal
The detection page, and close TCP connection of the user terminal with outer net Web server;
Step 3, the main contents of the detection page can include following several:
A), the original network address url of the web access requests of user terminal uploads, can mark and be;
B) the UserAgent information of browser, is obtained;
C), according to UserAgent information, the type of user terminal is judged, type can divide intelligent mobile terminal and desktop
Two kinds of system;
D), for desktop system, it is possible to use the relevant interface function of WebRTC, the network interface card IP ground of user terminal is obtained
Location, can mark and be;Wherein, the method for obtaining the network interface card IP address of user terminal includes but is not limited to the correlation of WebRTC
Interface function;
Wherein, WebRTC is the technology that a supported web page browser carries out real-time voice dialogue or video conversation, and it is
Write by pure JavaScript language and formed, be built in browser, user need not use any plug-in unit or software, and
With powerful NAT penetration capacitys, so using the technology, can easily obtain the NIC address information of user terminal.
E), for intelligent mobile terminal, such as Android android system mobile phone, BlackBerry, i Phone, Ipad,
Windows phone etc., if browser supports WebRTC technologies, using the relevant interface function of WebRTC, obtain intelligent sliding
The network interface card IP address of dynamic terminal, it is ipx to make, if not supporting, just uses regular expression, extracts operating system and version information,
And hash calculating is carried out, obtain a positive integer value uax;
F) Ajax (Asynchronous Javascript And XML asynchronous JavaScript and XML), can be used,
Http testing result messages are sent to egress gateways equipment, in the url parameters of the message, the network interface card IP ground of user terminal is carried
Location, or uax values;
G), after the transmission of above-mentioned http testing results message terminates, refresh page is the original url of user's request, i.e.,
original_href。
Step 4, egress gateways equipment receive user terminal and send back the http testing result messages for coming, from http inspections
Survey in result message, parse the source IP address ipsrc of outgoing packet, and from the url of the message, parse user terminal network interface card ground
Location ipx or uax value;
Step 5, egress gateways equipment carry out the judgement of proxy surfing, if ipx is not zero, ipx are carried out with ipsrc
Compare, when both are unequal, it is possible to determine that proxy surfing behavior occurs;If uax values are not zero, in acquisition user's table
Uahash values, when uahash is zero, the value for updating uahash is uax, when uahash is not zero, compares uahash and uax
It is whether equal, when both are unequal, can determine whether that proxy surfing behavior occurs;
After step 6, egress gateways equipment judge that agency occurs, can be according to the treatment strategy being pre-configured with, to keeper
Output alarm, or suspension behavior is taken user.
The beneficial effect of the embodiment of the present invention is that rate of false alarm is low, and user's online experience effect is good, proxy surfing terminal
Detection rates are fast, and main calculating and logical process task has all been placed on each subscriber terminal equipment, egress gateways equipment
Treatment logic is simple, and equipment can still accomplish surface speed forwarding;It is easy to dispose and promotes, without using client software, user
Acceptance level is high;Low cost, the development cost without client software or hardware, it is easy to upgrade maintenance;It is general moderately high, discrimination
Height, is adapted to the browser of main flow and mobile intelligent terminal system on the market.
Inventive embodiments further aspect is that also provide it is a kind of detect proxy surfing device, as shown in figure 3, including:
Module 201 is set up, for pre-building agent equipment mark table;
First receiver module 203, for receiving what first user terminal sent after same Web server sets up TCP connections
Web page request message;
Sending module 205, for the terminal type information in the Web page request message to the first user
Terminal feeds back the message for detecting user terminal identification information, in order to the first user terminal according to be used for detect
The identification information of first user terminal described in the Receive message of user terminal identification information;
Second receiver module 207, for receiving that the first user terminal sends comprising the first user terminal
The message of identification information;
Determining module 209, for the source IP address of the message when the identification information comprising the first user terminal
When in agent equipment mark table, identification information and the agent equipment mark table according to the first user terminal are true
Whether the fixed first user terminal is the user terminal surfed the Net by agent equipment.
Optionally, the terminal type is desktop terminal, and the first user terminal identification information is the first user
The IP address of terminal;
The determining module 209 specifically for:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that described first uses
Family terminal is the user terminal surfed the Net by agent equipment.
Optionally,
The agent equipment mark table also includes corresponding with first agent's device identification in agent equipment mark table
The hash values of the version information of user terminal operations system;
The terminal type is mobile terminal, and the first user terminal identification information is the behaviour of the first user terminal
Make the hash values of the version information of system;
The determining module 209 specifically for:
When the source IP address and first agent's equipment mark of the message of the identification information comprising the first user terminal
When knowing matching, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification
Correspondence, when the different hash values of the version information of the operating system of user terminal corresponding from first agent's device identification
When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
Optionally, described device also includes:
Switch module, for closing the TCP connections;
The sending module is additionally operable to, and the Web nets are fed back to the user terminal according to the Web page request message
Original access network address URL in page request message, the first user terminal is being obtained in order to the first user terminal
Web page request message is sent according to the original access network address URL again after identification information.
Optionally, described device also includes:
Add module 211, for when the IP address of the first user terminal not the agent equipment mark table in when,
And, when the IP address of the first user terminal is not in subscriber terminal equipment mark table, by the IP of the first user terminal
Address is added to the subscriber terminal equipment mark table;
Statistical module 213, determines to pass through for the different IP addresses quantity in the subscriber terminal equipment mark table
The quantity of the user terminal of agent equipment online.
The beneficial effect of the embodiment of the present invention is that rate of false alarm is low, and user's online experience effect is good, proxy surfing terminal
Detection rates are fast, and main calculating and logical process task has all been placed on each subscriber terminal equipment, egress gateways equipment
Treatment logic is simple, and equipment can still accomplish surface speed forwarding;It is easy to dispose and promotes, without using client software, user
Acceptance level is high;Low cost, the development cost without client software or hardware, it is easy to upgrade maintenance;It is general moderately high, discrimination
Height, is adapted to the browser of main flow and mobile intelligent terminal system on the market.
Finally it should be noted that:The above embodiments are merely illustrative of the technical solutions of the present invention, rather than its limitations;Although
The present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those within the art that:It still may be used
Modified with to the technical scheme described in foregoing embodiments, or equivalent is carried out to which part technical characteristic;
And these modification or replace, do not make appropriate technical solution essence depart from various embodiments of the present invention technical scheme spirit and
Scope.
Claims (10)
1. it is a kind of detect proxy surfing method, it is characterised in that including:
Pre-build agent equipment mark table;
Receive the Web page request message that first user terminal sends after same Web server sets up TCP connections;
Terminal type information in the Web page request message is fed back for detecting user to the first user terminal
The message of terminal identification information, is used to detect the report of user terminal identification information in order to the first user terminal according to
Text obtains the identification information of the first user terminal;
Receive the message of the identification information comprising the first user terminal that the first user terminal sends;
When the source IP address of the message of the identification information comprising the first user terminal identifies table in the agent equipment
When middle, identification information and the agent equipment mark table according to the first user terminal determine that the first user terminal is
No is the user terminal surfed the Net by agent equipment.
2. the method for claim 1, it is characterised in that
The terminal type is desktop terminal, and the first user terminal identification information is the IP ground of the first user terminal
Location;
The identification information and the agent equipment mark table according to the first user terminal determines the first user end
The step of whether end is the user terminal surfed the Net by agent equipment specifically includes:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that the first user end
End is the user terminal surfed the Net by agent equipment.
3. the method for claim 1, it is characterised in that
The agent equipment mark table also includes user corresponding with first agent's device identification in agent equipment mark table
The hash values of the version information of terminal operating system;
The terminal type is mobile terminal, and the first user terminal identification information is the operation system of the first user terminal
The hash values of the version information of system;
The source IP address of the message for working as the identification information comprising the first user terminal identifies table in the agent equipment
When middle, identification information and the agent equipment mark table according to the first user terminal determine that the first user terminal is
It is no be by agent equipment surf the Net user terminal the step of specifically include:
Source IP address and first agent's device identification when the message of the identification information comprising the first user terminal
Timing, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification pair
Should, when the version information of the operating system of user terminal corresponding from first agent's device identification different hash values it is individual
When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
4. the method for claim 1, it is characterised in that
It is described according to the Web page request message to the first user terminal feedback detection messages before also include:Close
The TCP connections;
Methods described also includes:The web page request report is fed back to the user terminal according to the Web page request message
Original access network address URL in text, the identification information of the first user terminal is being obtained in order to the first user terminal
Web page request message is sent according to the original access network address URL again afterwards.
5. method as claimed in claim 2, it is characterised in that also include:
When the IP address of the first user terminal is not in agent equipment mark table, and, the first user terminal
IP address not subscriber terminal equipment mark table in when, the IP address of the first user terminal is added to user's end
End equipment identifies table;
User's end that the different IP addresses quantity in table determines to be surfed the Net by agent equipment is identified according to the subscriber terminal equipment
The quantity at end.
6. it is a kind of detect proxy surfing device, it is characterised in that including:
Module is set up, for pre-building agent equipment mark table;
First receiver module, for receiving the Web page that first user terminal sends after same Web server sets up TCP connections
Request message;
Sending module, it is anti-to the first user terminal for the terminal type information in the Web page request message
Present the message for detecting user terminal identification information, in order to the first user terminal according to be used for detect user's end
Hold the identification information of first user terminal described in the Receive message of identification information;
Second receiver module, for receiving the identification information comprising the first user terminal that the first user terminal sends
Message;
Determining module, the source IP address of the message of the identification information for including the first user terminal described in is in the generation
When in reason device identification table, identification information and the agent equipment mark table according to the first user terminal determine described the
Whether one user terminal is the user terminal surfed the Net by agent equipment.
7. device as claimed in claim 6, it is characterised in that the terminal type is desktop terminal, the first user end
End identification information is the IP address of the first user terminal;
The determining module specifically for:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that the first user end
End is the user terminal surfed the Net by agent equipment.
8. device as claimed in claim 6, it is characterised in that
The agent equipment mark table also includes user corresponding with first agent's device identification in agent equipment mark table
The hash values of the version information of terminal operating system;
The terminal type is mobile terminal, and the first user terminal identification information is the operation system of the first user terminal
The hash values of the version information of system;
The determining module specifically for:
Source IP address and first agent's device identification when the message of the identification information comprising the first user terminal
Timing, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification pair
Should, when the version information of the operating system of user terminal corresponding from first agent's device identification different hash values it is individual
When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
9. device as claimed in claim 6, it is characterised in that described device also includes:
Switch module, for closing the TCP connections;
The sending module is additionally operable to, and feeding back the web page to the user terminal according to the Web page request message please
The original access network address URL in message is sought, the mark of the first user terminal is being obtained in order to the first user terminal
Web page request message is sent according to the original access network address URL again after information.
10. device as claimed in claim 7, it is characterised in that also include:
Add module, for when the IP address of the first user terminal not the agent equipment mark table in when, and, it is described
When the IP address of first user terminal is not in subscriber terminal equipment mark table, the IP address of the first user terminal is added
Table is identified to the subscriber terminal equipment;
Statistical module, the different IP addresses quantity for being identified according to the subscriber terminal equipment in table determines to pass through agent equipment
The quantity of the user terminal of online.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611133870.1A CN106789413B (en) | 2016-12-10 | 2016-12-10 | Method and device for detecting proxy internet surfing |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611133870.1A CN106789413B (en) | 2016-12-10 | 2016-12-10 | Method and device for detecting proxy internet surfing |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106789413A true CN106789413A (en) | 2017-05-31 |
CN106789413B CN106789413B (en) | 2019-12-06 |
Family
ID=58875911
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611133870.1A Active CN106789413B (en) | 2016-12-10 | 2016-12-10 | Method and device for detecting proxy internet surfing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106789413B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107769999A (en) * | 2017-12-07 | 2018-03-06 | 锐捷网络股份有限公司 | A kind of method and apparatus for identifying user agent's online |
CN108055072A (en) * | 2017-11-20 | 2018-05-18 | 大唐软件技术股份有限公司 | A kind of network failure investigates method and apparatus |
CN109889485A (en) * | 2018-12-28 | 2019-06-14 | 顺丰科技有限公司 | A kind of user's abnormal operation behavioral value method, system and storage medium |
CN114338139A (en) * | 2021-12-27 | 2022-04-12 | 北京安博通科技股份有限公司 | Method for internet behavior management supporting terminal type control |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1795447A (en) * | 2002-05-15 | 2006-06-28 | 英特尔公司 | Automatic proxy detection |
CN1878096A (en) * | 2006-07-04 | 2006-12-13 | 陈玲玲 | Method for detecting number of computer users in inner compute network |
CN101035031A (en) * | 2007-04-03 | 2007-09-12 | 华为技术有限公司 | Method and device for detecting the number of the shared access host |
CN101064642A (en) * | 2006-04-29 | 2007-10-31 | 华为技术有限公司 | Method for improving IP multimedia subsystem register flow |
CN101112046A (en) * | 2004-12-28 | 2008-01-23 | 株式会社Kt | System and method for detecting and interception of ip sharer |
CN101442450A (en) * | 2008-12-24 | 2009-05-27 | 成都市华为赛门铁克科技有限公司 | Method, system and apparatus for detecting sharing access terminal quantity |
CN101631052A (en) * | 2009-08-25 | 2010-01-20 | 杭州华三通信技术有限公司 | Method and device for detecting number of access terminals |
-
2016
- 2016-12-10 CN CN201611133870.1A patent/CN106789413B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1795447A (en) * | 2002-05-15 | 2006-06-28 | 英特尔公司 | Automatic proxy detection |
CN101112046A (en) * | 2004-12-28 | 2008-01-23 | 株式会社Kt | System and method for detecting and interception of ip sharer |
CN101064642A (en) * | 2006-04-29 | 2007-10-31 | 华为技术有限公司 | Method for improving IP multimedia subsystem register flow |
CN1878096A (en) * | 2006-07-04 | 2006-12-13 | 陈玲玲 | Method for detecting number of computer users in inner compute network |
CN101035031A (en) * | 2007-04-03 | 2007-09-12 | 华为技术有限公司 | Method and device for detecting the number of the shared access host |
CN101442450A (en) * | 2008-12-24 | 2009-05-27 | 成都市华为赛门铁克科技有限公司 | Method, system and apparatus for detecting sharing access terminal quantity |
CN101631052A (en) * | 2009-08-25 | 2010-01-20 | 杭州华三通信技术有限公司 | Method and device for detecting number of access terminals |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108055072A (en) * | 2017-11-20 | 2018-05-18 | 大唐软件技术股份有限公司 | A kind of network failure investigates method and apparatus |
CN107769999A (en) * | 2017-12-07 | 2018-03-06 | 锐捷网络股份有限公司 | A kind of method and apparatus for identifying user agent's online |
CN109889485A (en) * | 2018-12-28 | 2019-06-14 | 顺丰科技有限公司 | A kind of user's abnormal operation behavioral value method, system and storage medium |
CN114338139A (en) * | 2021-12-27 | 2022-04-12 | 北京安博通科技股份有限公司 | Method for internet behavior management supporting terminal type control |
CN114338139B (en) * | 2021-12-27 | 2023-03-24 | 北京安博通科技股份有限公司 | Method for internet behavior management supporting terminal type control |
Also Published As
Publication number | Publication date |
---|---|
CN106789413B (en) | 2019-12-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018121331A1 (en) | Attack request determination method, apparatus and server | |
US9185093B2 (en) | System and method for correlating network information with subscriber information in a mobile network environment | |
US9444835B2 (en) | Method for tracking machines on a network using multivariable fingerprinting of passively available information | |
US11399288B2 (en) | Method for HTTP-based access point fingerprint and classification using machine learning | |
US20230092522A1 (en) | Data packet processing method, apparatus, and electronic device, computer-readable storage medium, and computer program product | |
WO2017107780A1 (en) | Method, device and system for recognizing illegitimate proxy for charging fraud | |
US20170134957A1 (en) | System and method for correlating network information with subscriber information in a mobile network environment | |
CN103916490B (en) | DNS tamper-proof method and device | |
CN106789413A (en) | A kind of method and apparatus for detecting proxy surfing | |
CN105959313A (en) | Method and device for preventing HTTP proxy attack | |
CN108418847A (en) | A kind of network traffic cache system, method and device | |
CN105635073A (en) | Access control method and device and network access equipment | |
WO2016086755A1 (en) | Packet processing method and transparent proxy server | |
CN108234516B (en) | Method and device for detecting network flooding attack | |
Masoud et al. | On tackling social engineering web phishing attacks utilizing software defined networks (SDN) approach | |
CN104363265B (en) | Proxy surfing detection method and device | |
CN106411819A (en) | Method and apparatus for recognizing proxy Internet protocol address | |
EP4033717A1 (en) | Distinguishing network connection requests | |
US11394687B2 (en) | Fully qualified domain name (FQDN) determination | |
US20230254281A1 (en) | Local network device connection control | |
CN105991509A (en) | Session processing method and apparatus | |
Cohen | Source attribution for network address translated forensic captures | |
US11611556B2 (en) | Network connection request method and apparatus | |
US20180227434A1 (en) | Method and Network Entity for Control of Charging for Value Added Service (VAS) | |
KR102563247B1 (en) | Apparatus for Realtime Monitoring Performance Degradation of Network System |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |