CN106789413A - A kind of method and apparatus for detecting proxy surfing - Google Patents

A kind of method and apparatus for detecting proxy surfing Download PDF

Info

Publication number
CN106789413A
CN106789413A CN201611133870.1A CN201611133870A CN106789413A CN 106789413 A CN106789413 A CN 106789413A CN 201611133870 A CN201611133870 A CN 201611133870A CN 106789413 A CN106789413 A CN 106789413A
Authority
CN
China
Prior art keywords
user terminal
terminal
identification information
agent
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611133870.1A
Other languages
Chinese (zh)
Other versions
CN106789413B (en
Inventor
姚尚平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruijie Networks Co Ltd
Original Assignee
Ruijie Networks Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruijie Networks Co Ltd filed Critical Ruijie Networks Co Ltd
Priority to CN201611133870.1A priority Critical patent/CN106789413B/en
Publication of CN106789413A publication Critical patent/CN106789413A/en
Application granted granted Critical
Publication of CN106789413B publication Critical patent/CN106789413B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/50Testing arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The embodiment of the present invention provides a kind of method for detecting proxy surfing, including:Pre-build agent equipment mark table;Receive the Web page request message that first user terminal sends after same Web server sets up TCP connections;Terminal type information in the Web page request message feeds back the message for detecting user terminal identification information to the first user terminal;Receive the message of the identification information comprising the first user terminal that the first user terminal sends;When the source IP address of the message of the identification information comprising the first user terminal is identified in table in the agent equipment, identification information and the agent equipment mark table according to the first user terminal determine whether the first user terminal is the user terminal surfed the Net by agent equipment.Meanwhile, the present invention also provides a kind of device for detecting proxy surfing.Embodiment of the present invention rate of false alarm is low, and user's online experience effect is good.

Description

A kind of method and apparatus for detecting proxy surfing
Technical field
The invention belongs to data communication technology field, more particularly to a kind of method and apparatus for detecting proxy surfing.
Background technology
Proxy surfing, refers to realize that many people share the technology that an IP address is surfed the Net using router or agent software, custom Claim " one drags N ".Most commonly multiple terminals carry out proxy surfing by a router, or on a main frame, install Proxy server or network address translation software.In this case, multiple users can just share same account and be surfed the Net, So as to bypass the account charge mode of operator, impairment of benefit is caused to operator, the normal construction of network is most influenceed at last. Additionally, when internet-relevant violence occurs, the unlawful practices such as illegal speech, the pornographic video of upload are delivered, network supervision department Cannot be traced to the source by account or IP address, the difficulty that audit is called to account afterwards to individual, increasing.
Into 21st century, network size is presented explosive growth, while internet-relevant violence, network intrusions behavior are also all the more Seriously, therefore, governability door increasingly pay attention to specification internet behavior and Real-name Registration, however, and to reach genuine cyber identification The target of system, then must solve the problems, such as user online agency.Solution main at present has following several:
The 1st, client software is installed, client timing monitors user's online situation, and photos and sending messages are to gateway;Gateway is according to user Proxy surfing authority judges whether active user allows to use agency;If it is allowed, keeping network connection;If it is not allowed, handle Active user kicks offline, while sending off line notice to client;After client has notice, the network for disconnecting active user connects Connect.
2nd, using flash cookie technologies, testing equipment periodically intercepts the web access requests of terminal upload, to terminal End returns to monotonic increase or the Digital ID for successively decreasing;Identity property value in flashcookie of the terminal in browser rs cache It is space-time, Digital ID is write into identity property value;Testing equipment obtains the identity property value that terminal is uploaded, and obtains under Target IP Identity property value sequence;Monotonicity according to identity property value sequence judges that whether mould is acted on behalf of in the corresponding online of the Target IP Formula.
3rd, accounting message feature, including message timestamp rule, TCP connection quantity limitation, DNS request quantity limitation, The modes such as message ID winding times.
It is existing detection user whether the method for proxy surfing at least there are problems that it is following:
1st, need install client-side program, install client popularization difficulty it is very big, and to face different desktop systems, The compatibility issue of mobile terminal and various antivirus softwares, maintenance cost is high;
2nd, using flash cookie technologies, then can face on same main frame, there is multiple browsers and browser The problem of compatibility mode, can so cause a main frame to be identified as more than two main frames, and now on same main frame, peace The situation for filling several browsers is too universal, so False Rate is high;3rd, other collection message data fingerprint characteristics, such as TCP connections The technologies such as number, DNS request number, the ID winding times of IP messages, have that individual difference is big, and rate of false alarm is high, pipe The reason defect such as maintenance difficulties are big.
4th, the requirement to network manager is higher, it is necessary to set judgment threshold in the method for accounting message feature, and the threshold The selection of value is the network maintenance experience for needing to enrich very much;
Therefore, in the prior art, or the method for identification proxy surfing is inaccurate, otherwise it is exactly to need that client is installed End, it is necessary to which a kind of method that can be improved accuracy, be easy to the detection proxy surfing that deployment is implemented is provided.
The content of the invention
In order to solve the above-mentioned technical problem, the embodiment of the invention discloses a kind of method for detecting proxy surfing, including:
Pre-build agent equipment mark table;
Receive the Web page request message that first user terminal sends after same Web server sets up TCP connections;
Terminal type information in the Web page request message is fed back for detecting to the first user terminal The message of user terminal identification information, in order to the first user terminal according to be used for detect user terminal identification information Receive message described in first user terminal identification information;
Receive the message of the identification information comprising the first user terminal that the first user terminal sends;
When the identification information comprising the first user terminal message source IP address in the agent equipment mark When in knowledge table, identification information and the agent equipment mark table according to the first user terminal determine the first user end Whether end is the user terminal surfed the Net by agent equipment.
Optionally,
The terminal type is desktop terminal, and the first user terminal identification information is the IP of the first user terminal Address;
The identification information and the agent equipment mark table according to the first user terminal determines that described first uses The step of whether family terminal is the user terminal surfed the Net by agent equipment specifically includes:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that described first uses Family terminal is the user terminal surfed the Net by agent equipment.
Optionally,
The agent equipment mark table also includes corresponding with first agent's device identification in agent equipment mark table The hash values of the version information of user terminal operations system;
The terminal type is mobile terminal, and the first user terminal identification information is the behaviour of the first user terminal Make the hash values of the version information of system;
The source IP address of the message for working as the identification information comprising the first user terminal is in the agent equipment mark When in knowledge table, identification information and the agent equipment mark table according to the first user terminal determine the first user end The step of whether end is the user terminal surfed the Net by agent equipment specifically includes:
When the source IP address and first agent's equipment mark of the message of the identification information comprising the first user terminal When knowing matching, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification Correspondence, when the different hash values of the version information of the operating system of user terminal corresponding from first agent's device identification When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
Optionally,
It is described according to the Web page request message to the first user terminal feedback detection messages before also include: Close the TCP connections;
Methods described also includes:Feeding back the Web page to the user terminal according to the Web page request message please The original access network address URL in message is sought, the mark of the first user terminal is being obtained in order to the first user terminal Web page request message is sent according to the original access network address URL again after information.
Optionally, methods described also includes:
When the IP address of the first user terminal is not in agent equipment mark table, and, the first user When the IP address of terminal is not in subscriber terminal equipment mark table, the IP address of the first user terminal is added to the use Family Terminal Equipment Identifier table;
The use that the different IP addresses quantity in table determines to be surfed the Net by agent equipment is identified according to the subscriber terminal equipment The quantity of family terminal.
The embodiment of the present invention further aspect is that also provide it is a kind of detect proxy surfing device, including:
Module is set up, for pre-building agent equipment mark table;
First receiver module, for receiving the Web that first user terminal sends after same Web server sets up TCP connections Web-page requests message;
Sending module, for the terminal type information in the Web page request message to the first user end End feedback is used to detect the message of user terminal identification information, is used to detect according in order to the first user terminal and uses The identification information of first user terminal described in the Receive message of family terminal identification information;
Second receiver module, for receiving the mark comprising the first user terminal that the first user terminal sends The message of information;
Determining module, the source IP address of the message of the identification information for including the first user terminal described in is in institute When stating in agent equipment mark table, identification information and the agent equipment mark table according to the first user terminal determine institute State whether first user terminal is the user terminal surfed the Net by agent equipment.
Optionally, the terminal type is desktop terminal, and the first user terminal identification information is the first user The IP address of terminal;
The determining module specifically for:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that described first uses Family terminal is the user terminal surfed the Net by agent equipment.
Optionally,
The agent equipment mark table also includes corresponding with first agent's device identification in agent equipment mark table The hash values of the version information of user terminal operations system;
The terminal type is mobile terminal, and the first user terminal identification information is the behaviour of the first user terminal Make the hash values of the version information of system;
The determining module specifically for:
When the source IP address and first agent's equipment mark of the message of the identification information comprising the first user terminal When knowing matching, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification Correspondence, when the different hash values of the version information of the operating system of user terminal corresponding from first agent's device identification When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
Optionally, described device also includes:
Switch module, for closing the TCP connections;
The sending module is additionally operable to, and the Web nets are fed back to the user terminal according to the Web page request message Original access network address URL in page request message, the first user terminal is being obtained in order to the first user terminal Web page request message is sent according to the original access network address URL again after identification information.
Optionally, described device also includes:
Add module, for when the IP address of the first user terminal not the agent equipment mark table in when, and, When the IP address of the first user terminal is not in subscriber terminal equipment mark table, by the IP address of the first user terminal It is added to the subscriber terminal equipment mark table;
Statistical module, the different IP addresses quantity for being identified according to the subscriber terminal equipment in table is determined by agency The quantity of the user terminal of equipment online.
The beneficial effect of the embodiment of the present invention is that rate of false alarm is low, and user's online experience effect is good, proxy surfing terminal Detection rates are fast, and main calculating and logical process task has all been placed on each subscriber terminal equipment, egress gateways equipment Treatment logic is simple, and equipment can still accomplish surface speed forwarding;It is easy to dispose and promotes, without using client software, user Acceptance level is high;Low cost, the development cost without client software or hardware, it is easy to upgrade maintenance;It is general moderately high, discrimination Height, is adapted to the browser of main flow and mobile intelligent terminal system on the market.
Brief description of the drawings
Technical scheme in order to illustrate more clearly the embodiments of the present invention, below will be in embodiment or description of the prior art The required accompanying drawing for using is briefly described, it should be apparent that, drawings in the following description are only some realities of the invention Example is applied, for those of ordinary skill in the art, on the premise of not paying creative work, can also be according to these accompanying drawings Obtain other accompanying drawings.
Fig. 1 is the system structure diagram of the embodiment of the present invention;
Fig. 2 is the method flow diagram of the embodiment of the present invention;
Fig. 3 is the structure drawing of device of the embodiment of the present invention.
Specific embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is carried out clear, complete Site preparation is described, it is clear that described embodiment is only a part of embodiment of the invention, rather than whole embodiments.It is based on Embodiment in the present invention, it is every other that those of ordinary skill in the art are obtained under the premise of creative work is not made Embodiment, belongs to the scope of protection of the invention.
The system construction drawing of the embodiment of the present invention is as shown in figure 1, proxy terminal (such as PC, mobile terminal) is set by agency Standby (such as wireless router) accesses egress gateways (such as egress gateways router) and goes to access internet, rather than proxy terminal (such as PC, mobile terminal) accesses egress gateways (such as egress gateways router) and goes to access because of spy not over agent equipment Net.
The embodiment of the present invention provides a kind of method for detecting proxy surfing, as shown in Fig. 2 comprising the following steps:
S101, pre-builds agent equipment mark table;
S103, receives the Web page request message that first user terminal sends after same Web server sets up TCP connections;
S105, the terminal type information in the Web page request message feeds back to the first user terminal to be used In the message of detection user terminal identification information, in order to the first user terminal according to for detecting user terminal mark The identification information of first user terminal described in the Receive message of knowledge information;
S107, receives the message of the identification information comprising the first user terminal that the first user terminal sends;
S109, when the source IP address of the message of the identification information comprising the first user terminal sets in the agency When in standby mark table, identification information and the agent equipment mark table according to the first user terminal determine that described first uses Whether family terminal is the user terminal surfed the Net by agent equipment.
Optionally,
The terminal type is desktop terminal, and the first user terminal identification information is the IP of the first user terminal Address;
The identification information and the agent equipment mark table according to the first user terminal determines that described first uses The step of whether family terminal is the user terminal surfed the Net by agent equipment specifically includes:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that described first uses Family terminal is the user terminal surfed the Net by agent equipment.
Optionally,
The agent equipment mark table also includes corresponding with first agent's device identification in agent equipment mark table The hash values of the version information of user terminal operations system;
The terminal type is mobile terminal, and the first user terminal identification information is the behaviour of the first user terminal Make the hash values of the version information of system;
The source IP address of the message for working as the identification information comprising the first user terminal is in the agent equipment mark When in knowledge table, identification information and the agent equipment mark table according to the first user terminal determine the first user end The step of whether end is the user terminal surfed the Net by agent equipment specifically includes:
When the source IP address and first agent's equipment mark of the message of the identification information comprising the first user terminal When knowing matching, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification Correspondence, when the different hash values of the version information of the operating system of user terminal corresponding from first agent's device identification When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
Optionally,
It is described according to the Web page request message to the first user terminal feedback detection messages before also include step Suddenly:Close the TCP connections;
Methods described also includes:Feeding back the Web page to the user terminal according to the Web page request message please The original access network address URL in message is sought, the mark of the first user terminal is being obtained in order to the first user terminal Web page request message is sent according to the original access network address URL again after information.
Optionally, methods described also includes:
When the IP address of the first user terminal is not in agent equipment mark table, and, the first user When the IP address of terminal is not in subscriber terminal equipment mark table, the IP address of the first user terminal is added to the use Family Terminal Equipment Identifier table;
The use that the different IP addresses quantity in table determines to be surfed the Net by agent equipment is identified according to the subscriber terminal equipment The quantity of family terminal.
In one embodiment of this invention, it is described with reference to concrete application scene:
Egress gateways equipment, a user terminal is identified with IP address, because proxy surfing equipment or agency are soft Part can all carry out NAT address conversions, so whether surfed the Net by using agency regardless of the user terminal, for egress gateways For equipment, the IP packets for receiving, its source IP address is entirely the same, remembers that the source IP address is ipsrc.Identification generation The specific method for managing online includes:
Step one, egress gateways equipment, safeguard the user table UserTable corresponding to an ipsrc, are at least wrapped in the table Containing source IP address, the information such as the hash values of User Agent, note source IP address is ipsrc, and the hash values of note User Agent are uahash.When egress gateways equipment receives the IP packets of certain user for the first time, initialization uahash is 0;
Wherein, the entitled user agent of User Agent Chinese, abbreviation UA, it is a special string head so that service Device is capable of identify that the operating system that user terminal uses and version, cpu type, browser and version, browser rendering engine, clear Look at device language, browser plug-in etc..Statistical analysis discovery, User are carried out by the Intelligent mobile equipment to main flow on the market The operating system and version information included in Agent character strings can be used for the identification of mobile terminal.
Step 2, egress gateways equipment periodically intercept the web access requests of user terminal uploads, are returned to user terminal The detection page, and close TCP connection of the user terminal with outer net Web server;
Step 3, the main contents of the detection page can include following several:
A), the original network address url of the web access requests of user terminal uploads, can mark and be;
B) the UserAgent information of browser, is obtained;
C), according to UserAgent information, the type of user terminal is judged, type can divide intelligent mobile terminal and desktop Two kinds of system;
D), for desktop system, it is possible to use the relevant interface function of WebRTC, the network interface card IP ground of user terminal is obtained Location, can mark and be;Wherein, the method for obtaining the network interface card IP address of user terminal includes but is not limited to the correlation of WebRTC Interface function;
Wherein, WebRTC is the technology that a supported web page browser carries out real-time voice dialogue or video conversation, and it is Write by pure JavaScript language and formed, be built in browser, user need not use any plug-in unit or software, and With powerful NAT penetration capacitys, so using the technology, can easily obtain the NIC address information of user terminal.
E), for intelligent mobile terminal, such as Android android system mobile phone, BlackBerry, i Phone, Ipad, Windows phone etc., if browser supports WebRTC technologies, using the relevant interface function of WebRTC, obtain intelligent sliding The network interface card IP address of dynamic terminal, it is ipx to make, if not supporting, just uses regular expression, extracts operating system and version information, And hash calculating is carried out, obtain a positive integer value uax;
F) Ajax (Asynchronous Javascript And XML asynchronous JavaScript and XML), can be used, Http testing result messages are sent to egress gateways equipment, in the url parameters of the message, the network interface card IP ground of user terminal is carried Location, or uax values;
G), after the transmission of above-mentioned http testing results message terminates, refresh page is the original url of user's request, i.e., original_href。
Step 4, egress gateways equipment receive user terminal and send back the http testing result messages for coming, from http inspections Survey in result message, parse the source IP address ipsrc of outgoing packet, and from the url of the message, parse user terminal network interface card ground Location ipx or uax value;
Step 5, egress gateways equipment carry out the judgement of proxy surfing, if ipx is not zero, ipx are carried out with ipsrc Compare, when both are unequal, it is possible to determine that proxy surfing behavior occurs;If uax values are not zero, in acquisition user's table Uahash values, when uahash is zero, the value for updating uahash is uax, when uahash is not zero, compares uahash and uax It is whether equal, when both are unequal, can determine whether that proxy surfing behavior occurs;
After step 6, egress gateways equipment judge that agency occurs, can be according to the treatment strategy being pre-configured with, to keeper Output alarm, or suspension behavior is taken user.
The beneficial effect of the embodiment of the present invention is that rate of false alarm is low, and user's online experience effect is good, proxy surfing terminal Detection rates are fast, and main calculating and logical process task has all been placed on each subscriber terminal equipment, egress gateways equipment Treatment logic is simple, and equipment can still accomplish surface speed forwarding;It is easy to dispose and promotes, without using client software, user Acceptance level is high;Low cost, the development cost without client software or hardware, it is easy to upgrade maintenance;It is general moderately high, discrimination Height, is adapted to the browser of main flow and mobile intelligent terminal system on the market.
Inventive embodiments further aspect is that also provide it is a kind of detect proxy surfing device, as shown in figure 3, including:
Module 201 is set up, for pre-building agent equipment mark table;
First receiver module 203, for receiving what first user terminal sent after same Web server sets up TCP connections Web page request message;
Sending module 205, for the terminal type information in the Web page request message to the first user Terminal feeds back the message for detecting user terminal identification information, in order to the first user terminal according to be used for detect The identification information of first user terminal described in the Receive message of user terminal identification information;
Second receiver module 207, for receiving that the first user terminal sends comprising the first user terminal The message of identification information;
Determining module 209, for the source IP address of the message when the identification information comprising the first user terminal When in agent equipment mark table, identification information and the agent equipment mark table according to the first user terminal are true Whether the fixed first user terminal is the user terminal surfed the Net by agent equipment.
Optionally, the terminal type is desktop terminal, and the first user terminal identification information is the first user The IP address of terminal;
The determining module 209 specifically for:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that described first uses Family terminal is the user terminal surfed the Net by agent equipment.
Optionally,
The agent equipment mark table also includes corresponding with first agent's device identification in agent equipment mark table The hash values of the version information of user terminal operations system;
The terminal type is mobile terminal, and the first user terminal identification information is the behaviour of the first user terminal Make the hash values of the version information of system;
The determining module 209 specifically for:
When the source IP address and first agent's equipment mark of the message of the identification information comprising the first user terminal When knowing matching, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification Correspondence, when the different hash values of the version information of the operating system of user terminal corresponding from first agent's device identification When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
Optionally, described device also includes:
Switch module, for closing the TCP connections;
The sending module is additionally operable to, and the Web nets are fed back to the user terminal according to the Web page request message Original access network address URL in page request message, the first user terminal is being obtained in order to the first user terminal Web page request message is sent according to the original access network address URL again after identification information.
Optionally, described device also includes:
Add module 211, for when the IP address of the first user terminal not the agent equipment mark table in when, And, when the IP address of the first user terminal is not in subscriber terminal equipment mark table, by the IP of the first user terminal Address is added to the subscriber terminal equipment mark table;
Statistical module 213, determines to pass through for the different IP addresses quantity in the subscriber terminal equipment mark table The quantity of the user terminal of agent equipment online.
The beneficial effect of the embodiment of the present invention is that rate of false alarm is low, and user's online experience effect is good, proxy surfing terminal Detection rates are fast, and main calculating and logical process task has all been placed on each subscriber terminal equipment, egress gateways equipment Treatment logic is simple, and equipment can still accomplish surface speed forwarding;It is easy to dispose and promotes, without using client software, user Acceptance level is high;Low cost, the development cost without client software or hardware, it is easy to upgrade maintenance;It is general moderately high, discrimination Height, is adapted to the browser of main flow and mobile intelligent terminal system on the market.
Finally it should be noted that:The above embodiments are merely illustrative of the technical solutions of the present invention, rather than its limitations;Although The present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those within the art that:It still may be used Modified with to the technical scheme described in foregoing embodiments, or equivalent is carried out to which part technical characteristic; And these modification or replace, do not make appropriate technical solution essence depart from various embodiments of the present invention technical scheme spirit and Scope.

Claims (10)

1. it is a kind of detect proxy surfing method, it is characterised in that including:
Pre-build agent equipment mark table;
Receive the Web page request message that first user terminal sends after same Web server sets up TCP connections;
Terminal type information in the Web page request message is fed back for detecting user to the first user terminal The message of terminal identification information, is used to detect the report of user terminal identification information in order to the first user terminal according to Text obtains the identification information of the first user terminal;
Receive the message of the identification information comprising the first user terminal that the first user terminal sends;
When the source IP address of the message of the identification information comprising the first user terminal identifies table in the agent equipment When middle, identification information and the agent equipment mark table according to the first user terminal determine that the first user terminal is No is the user terminal surfed the Net by agent equipment.
2. the method for claim 1, it is characterised in that
The terminal type is desktop terminal, and the first user terminal identification information is the IP ground of the first user terminal Location;
The identification information and the agent equipment mark table according to the first user terminal determines the first user end The step of whether end is the user terminal surfed the Net by agent equipment specifically includes:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that the first user end End is the user terminal surfed the Net by agent equipment.
3. the method for claim 1, it is characterised in that
The agent equipment mark table also includes user corresponding with first agent's device identification in agent equipment mark table The hash values of the version information of terminal operating system;
The terminal type is mobile terminal, and the first user terminal identification information is the operation system of the first user terminal The hash values of the version information of system;
The source IP address of the message for working as the identification information comprising the first user terminal identifies table in the agent equipment When middle, identification information and the agent equipment mark table according to the first user terminal determine that the first user terminal is It is no be by agent equipment surf the Net user terminal the step of specifically include:
Source IP address and first agent's device identification when the message of the identification information comprising the first user terminal Timing, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification pair Should, when the version information of the operating system of user terminal corresponding from first agent's device identification different hash values it is individual When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
4. the method for claim 1, it is characterised in that
It is described according to the Web page request message to the first user terminal feedback detection messages before also include:Close The TCP connections;
Methods described also includes:The web page request report is fed back to the user terminal according to the Web page request message Original access network address URL in text, the identification information of the first user terminal is being obtained in order to the first user terminal Web page request message is sent according to the original access network address URL again afterwards.
5. method as claimed in claim 2, it is characterised in that also include:
When the IP address of the first user terminal is not in agent equipment mark table, and, the first user terminal IP address not subscriber terminal equipment mark table in when, the IP address of the first user terminal is added to user's end End equipment identifies table;
User's end that the different IP addresses quantity in table determines to be surfed the Net by agent equipment is identified according to the subscriber terminal equipment The quantity at end.
6. it is a kind of detect proxy surfing device, it is characterised in that including:
Module is set up, for pre-building agent equipment mark table;
First receiver module, for receiving the Web page that first user terminal sends after same Web server sets up TCP connections Request message;
Sending module, it is anti-to the first user terminal for the terminal type information in the Web page request message Present the message for detecting user terminal identification information, in order to the first user terminal according to be used for detect user's end Hold the identification information of first user terminal described in the Receive message of identification information;
Second receiver module, for receiving the identification information comprising the first user terminal that the first user terminal sends Message;
Determining module, the source IP address of the message of the identification information for including the first user terminal described in is in the generation When in reason device identification table, identification information and the agent equipment mark table according to the first user terminal determine described the Whether one user terminal is the user terminal surfed the Net by agent equipment.
7. device as claimed in claim 6, it is characterised in that the terminal type is desktop terminal, the first user end End identification information is the IP address of the first user terminal;
The determining module specifically for:
When the IP address of the first user terminal is not in agent equipment mark table, it is determined that the first user end End is the user terminal surfed the Net by agent equipment.
8. device as claimed in claim 6, it is characterised in that
The agent equipment mark table also includes user corresponding with first agent's device identification in agent equipment mark table The hash values of the version information of terminal operating system;
The terminal type is mobile terminal, and the first user terminal identification information is the operation system of the first user terminal The hash values of the version information of system;
The determining module specifically for:
Source IP address and first agent's device identification when the message of the identification information comprising the first user terminal Timing, by the hash values of the version information of the operating system of the first user terminal and first agent's device identification pair Should, when the version information of the operating system of user terminal corresponding from first agent's device identification different hash values it is individual When number is more than or equal to 2, it is determined that the first user terminal is the user terminal surfed the Net by first agent's equipment.
9. device as claimed in claim 6, it is characterised in that described device also includes:
Switch module, for closing the TCP connections;
The sending module is additionally operable to, and feeding back the web page to the user terminal according to the Web page request message please The original access network address URL in message is sought, the mark of the first user terminal is being obtained in order to the first user terminal Web page request message is sent according to the original access network address URL again after information.
10. device as claimed in claim 7, it is characterised in that also include:
Add module, for when the IP address of the first user terminal not the agent equipment mark table in when, and, it is described When the IP address of first user terminal is not in subscriber terminal equipment mark table, the IP address of the first user terminal is added Table is identified to the subscriber terminal equipment;
Statistical module, the different IP addresses quantity for being identified according to the subscriber terminal equipment in table determines to pass through agent equipment The quantity of the user terminal of online.
CN201611133870.1A 2016-12-10 2016-12-10 Method and device for detecting proxy internet surfing Active CN106789413B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611133870.1A CN106789413B (en) 2016-12-10 2016-12-10 Method and device for detecting proxy internet surfing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611133870.1A CN106789413B (en) 2016-12-10 2016-12-10 Method and device for detecting proxy internet surfing

Publications (2)

Publication Number Publication Date
CN106789413A true CN106789413A (en) 2017-05-31
CN106789413B CN106789413B (en) 2019-12-06

Family

ID=58875911

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611133870.1A Active CN106789413B (en) 2016-12-10 2016-12-10 Method and device for detecting proxy internet surfing

Country Status (1)

Country Link
CN (1) CN106789413B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107769999A (en) * 2017-12-07 2018-03-06 锐捷网络股份有限公司 A kind of method and apparatus for identifying user agent's online
CN108055072A (en) * 2017-11-20 2018-05-18 大唐软件技术股份有限公司 A kind of network failure investigates method and apparatus
CN109889485A (en) * 2018-12-28 2019-06-14 顺丰科技有限公司 A kind of user's abnormal operation behavioral value method, system and storage medium
CN114338139A (en) * 2021-12-27 2022-04-12 北京安博通科技股份有限公司 Method for internet behavior management supporting terminal type control

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1795447A (en) * 2002-05-15 2006-06-28 英特尔公司 Automatic proxy detection
CN1878096A (en) * 2006-07-04 2006-12-13 陈玲玲 Method for detecting number of computer users in inner compute network
CN101035031A (en) * 2007-04-03 2007-09-12 华为技术有限公司 Method and device for detecting the number of the shared access host
CN101064642A (en) * 2006-04-29 2007-10-31 华为技术有限公司 Method for improving IP multimedia subsystem register flow
CN101112046A (en) * 2004-12-28 2008-01-23 株式会社Kt System and method for detecting and interception of ip sharer
CN101442450A (en) * 2008-12-24 2009-05-27 成都市华为赛门铁克科技有限公司 Method, system and apparatus for detecting sharing access terminal quantity
CN101631052A (en) * 2009-08-25 2010-01-20 杭州华三通信技术有限公司 Method and device for detecting number of access terminals

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1795447A (en) * 2002-05-15 2006-06-28 英特尔公司 Automatic proxy detection
CN101112046A (en) * 2004-12-28 2008-01-23 株式会社Kt System and method for detecting and interception of ip sharer
CN101064642A (en) * 2006-04-29 2007-10-31 华为技术有限公司 Method for improving IP multimedia subsystem register flow
CN1878096A (en) * 2006-07-04 2006-12-13 陈玲玲 Method for detecting number of computer users in inner compute network
CN101035031A (en) * 2007-04-03 2007-09-12 华为技术有限公司 Method and device for detecting the number of the shared access host
CN101442450A (en) * 2008-12-24 2009-05-27 成都市华为赛门铁克科技有限公司 Method, system and apparatus for detecting sharing access terminal quantity
CN101631052A (en) * 2009-08-25 2010-01-20 杭州华三通信技术有限公司 Method and device for detecting number of access terminals

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108055072A (en) * 2017-11-20 2018-05-18 大唐软件技术股份有限公司 A kind of network failure investigates method and apparatus
CN107769999A (en) * 2017-12-07 2018-03-06 锐捷网络股份有限公司 A kind of method and apparatus for identifying user agent's online
CN109889485A (en) * 2018-12-28 2019-06-14 顺丰科技有限公司 A kind of user's abnormal operation behavioral value method, system and storage medium
CN114338139A (en) * 2021-12-27 2022-04-12 北京安博通科技股份有限公司 Method for internet behavior management supporting terminal type control
CN114338139B (en) * 2021-12-27 2023-03-24 北京安博通科技股份有限公司 Method for internet behavior management supporting terminal type control

Also Published As

Publication number Publication date
CN106789413B (en) 2019-12-06

Similar Documents

Publication Publication Date Title
WO2018121331A1 (en) Attack request determination method, apparatus and server
US9185093B2 (en) System and method for correlating network information with subscriber information in a mobile network environment
US9444835B2 (en) Method for tracking machines on a network using multivariable fingerprinting of passively available information
US11399288B2 (en) Method for HTTP-based access point fingerprint and classification using machine learning
US20230092522A1 (en) Data packet processing method, apparatus, and electronic device, computer-readable storage medium, and computer program product
WO2017107780A1 (en) Method, device and system for recognizing illegitimate proxy for charging fraud
US20170134957A1 (en) System and method for correlating network information with subscriber information in a mobile network environment
CN103916490B (en) DNS tamper-proof method and device
CN106789413A (en) A kind of method and apparatus for detecting proxy surfing
CN105959313A (en) Method and device for preventing HTTP proxy attack
CN108418847A (en) A kind of network traffic cache system, method and device
CN105635073A (en) Access control method and device and network access equipment
WO2016086755A1 (en) Packet processing method and transparent proxy server
CN108234516B (en) Method and device for detecting network flooding attack
Masoud et al. On tackling social engineering web phishing attacks utilizing software defined networks (SDN) approach
CN104363265B (en) Proxy surfing detection method and device
CN106411819A (en) Method and apparatus for recognizing proxy Internet protocol address
EP4033717A1 (en) Distinguishing network connection requests
US11394687B2 (en) Fully qualified domain name (FQDN) determination
US20230254281A1 (en) Local network device connection control
CN105991509A (en) Session processing method and apparatus
Cohen Source attribution for network address translated forensic captures
US11611556B2 (en) Network connection request method and apparatus
US20180227434A1 (en) Method and Network Entity for Control of Charging for Value Added Service (VAS)
KR102563247B1 (en) Apparatus for Realtime Monitoring Performance Degradation of Network System

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant