CN109120625B - Method for analyzing and identifying large-bandwidth private connection - Google Patents


Info

Publication number
CN109120625B
Authority
CN
China
Prior art keywords
users
dns
user
private
bandwidth
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810993572.2A
Other languages
Chinese (zh)
Other versions
CN109120625A (en)
Inventor
王立俊
杨世标
叶晓斌
李东升
龙柯
钟凯
关诚勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Runstone Technology Inc
Original Assignee
Beijing Runstone Technology Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Runstone Technology Inc
Priority to CN201810993572.2A
Publication of CN109120625A
Application granted
Publication of CN109120625B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a method for analyzing and identifying large-bandwidth private connections (the unauthorized resale or sharing of a broadband subscription), which comprises the following steps: step 1) establishing daily traffic statistical baselines for each access bandwidth type, and filtering out abnormal users according to the traffic threshold coefficient set for each access bandwidth; step 2) classifying and analyzing the identified abnormal-traffic users by combining four identification parameters (the same network access equipment, similar inner- and outer-layer VLAN ids, similar user-side access MAC addresses, and consistent online and offline times), grouping and classifying the users that match all or some of the identification parameters, and checking the grouped users at different priority levels according to their parameter matching degree, thereby identifying bound private-connection users. The invention can identify both single-user private connections and multi-user bound private connections.

Description

Method for analyzing and identifying large-bandwidth private connection
Technical Field
The invention relates to a method for analyzing and identifying large-bandwidth private connections based on Radius data (from the broadband user internet authentication system) and DNS data (user domain name request records).
Background
With operators' strategies to accelerate broadband networks, household broadband access bandwidth keeps increasing, and incidents of illegal operation exploiting household broadband bandwidth resources are endless; network security incidents then cannot be traced to a responsible user, and the operator loses customer resources. Bandwidth resale and "black operation" (selling one or more broadband subscriptions on to additional users) degrade the internet access quality of end users, and the public perception is that the operator's network is poor, which damages the operator's brand and reduces customer trust.
DPI (deep packet inspection) identifies the number of terminals behind a broadband user by monitoring the identification (id) field sequence at the IP protocol layer of the user's traffic; however, techniques and equipment that defeat this detection exist on the market, and the investment required by the scheme is too large, so its cost cannot be controlled as network capacity keeps expanding.
A DNS-based method deeply analyzes user behavior characteristics to identify the number of terminals behind a broadband user, but the monitoring is bypassed if the user does not use the operator's DNS (the use of public DNS can be addressed by management and control measures) or builds a DNS system of their own.
Disclosure of Invention
The invention provides a method for analyzing and identifying large-bandwidth private connections that identifies highly suspicious users by data analysis, starting from the actual implementation process and the final traffic characteristics of broadband private connections; the operator's internal departments then check and confirm the users, and the analysis strategy is continuously improved on the basis of the confirmed user behavior.
The technical scheme adopted by the invention to solve the technical problem is as follows:
a large-bandwidth private connection analysis and identification method comprises the following steps:
step 1) establishing daily traffic statistical baselines for each access bandwidth type, and filtering out abnormal users according to the traffic threshold coefficient set for each access bandwidth;
step 2) classifying and analyzing the identified abnormal-traffic users: the four identification parameters, namely the same network access equipment, similar inner- and outer-layer VLAN ids, similar user-side access MAC addresses, and consistent online and offline times, are combined, and users matching all or some of the identification parameters are grouped and classified;
the grouped users are then checked at different priority levels according to their parameter matching degree, thereby identifying bound private-connection users.
Preferably, the method further comprises step 3) analyzing the DNS request volume of the broadband user from DNS data and classifying private-connection users into those normally using the operator DNS, those using a public DNS, and those using a self-built DNS;
self-built DNS, public DNS and operator DNS are ranked from high to low, with a self-built DNS giving the highest private-connection coefficient, which assists in identifying bound private-connection users.
Preferably, the daily traffic statistical baseline is recalculated every month from the traffic of all users on the whole network in the previous month;
the traffic threshold coefficient of each access bandwidth is adjusted according to the number of users identified and confirmation by the service department.
The invention can identify both single-user private connections and multi-user bound private connections; it solves the increasingly serious private-connection problem of operators at lower cost and avoids the phenomenon that the more bandwidth is increased, the faster customers are lost. It avoids the situation in which the network service quality of end users cannot be guaranteed because they have purchased counterfeit bandwidth from a private-connection operator, which also dampens the operator's enthusiasm for broadband speed increases and harms its brand reputation; it avoids the security risks and poor experience caused to users by the behavior of a private-connection operator, such as monitoring and advertisement insertion in the network; and it avoids the situation in which security incidents initiated by a malicious user within a private-connection user group cannot be traced.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The present invention will be described in detail below with reference to the accompanying drawings, so that the above advantages of the present invention become more apparent, wherein:
FIG. 1 is a flow chart of a method for analyzing and identifying large bandwidth private connections according to the present invention.
Detailed Description
The following detailed description of the embodiments of the present invention will be provided with reference to the drawings and examples, so that how to apply the technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented. It should be noted that, as long as there is no conflict, the embodiments and the features of the embodiments of the present invention may be combined with each other, and the technical solutions formed are within the scope of the present invention.
Additionally, the steps illustrated in the flow charts of the figures may be performed in a computer system such as a set of computer-executable instructions and, although a logical order is illustrated in the flow charts, in some cases, the steps illustrated or described may be performed in an order different than here.
As shown in FIG. 1, a method for analyzing and identifying large-bandwidth private connections includes:
step 1) establishing daily traffic statistical baselines for each access bandwidth type, and filtering out abnormal users according to the traffic threshold coefficient set for each access bandwidth;
step 2) classifying and analyzing the identified abnormal-traffic users: the four identification parameters, namely the same network access equipment, similar inner- and outer-layer VLAN ids, similar user-side access MAC addresses, and consistent online and offline times, are combined, and users matching all or some of the identification parameters are grouped and classified;
the grouped users are then checked at different priority levels according to their parameter matching degree, thereby identifying bound private-connection users.
Preferably, the method further comprises step 3) analyzing the DNS request volume of the broadband user from DNS data and classifying private-connection users into those normally using the operator DNS, those using a public DNS, and those using a self-built DNS;
self-built DNS, public DNS and operator DNS are ranked from high to low, with a self-built DNS giving the highest private-connection coefficient, which assists in identifying bound private-connection users.
Preferably, the daily traffic statistical baseline is recalculated every month from the traffic of all users on the whole network in the previous month;
the traffic threshold coefficient of each access bandwidth is adjusted according to the number of users identified and confirmation by the service department.
The invention can identify both single-user private connections and multi-user bound private connections; it solves the increasingly serious private-connection problem of operators at lower cost and avoids the phenomenon that the more bandwidth is increased, the faster customers are lost. It avoids the situation in which the network service quality of end users cannot be guaranteed because they have purchased counterfeit bandwidth from a private-connection operator, which also dampens the operator's enthusiasm for broadband speed increases and harms its brand reputation; it avoids the security risks and poor experience caused to users by the behavior of a private-connection operator, such as monitoring and advertisement insertion in the network; and it avoids the situation in which security incidents initiated by a malicious user within a private-connection user group cannot be traced.
In one embodiment, the method consists essentially of:
step 1) identifying single abnormal-traffic users based on Radius data, comprising:
establishing daily traffic statistical baselines for several access bandwidth types (the baseline is calculated every month from the traffic of all users on the whole network in the previous month), setting a traffic threshold coefficient for each access bandwidth (adjusted according to the number of users identified and confirmation by the service department), and filtering out abnormal users;
see Table I below (the original presents the table as image BSA0000169754330000041):
Table I
step 2) identifying bound private-connection users based on Radius data, comprising:
classifying and analyzing the identified abnormal-traffic users: the four identification parameters, namely the same network access equipment, similar inner- and outer-layer VLAN ids, similar user-side access MAC addresses, and consistent online and offline times, are combined, and users matching all or some of the identification parameters are grouped and classified; according to the actual situation, the grouped users are checked at different priorities according to their parameter matching degree;
step 3) auxiliary identification from DNS data, comprising:
analyzing the DNS request volume of the broadband user from DNS data and classifying private-connection users into those normally using the operator DNS, those using a public DNS, and those using a self-built DNS;
self-built DNS, public DNS and operator DNS are sorted from high to low, with a self-built DNS giving the highest private-connection coefficient.
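The three steps of the embodiment above, as an added worked example that is not the patent's own code: a small Python pipeline over constructed Radius-style daily session records. The patent gives only the structure, so everything concrete here is an assumption: the previous-month baseline is taken as the mean daily traffic per bandwidth type, the threshold coefficients are invented, "similar" VLAN ids and online/offline times are defined by tolerances, "similar" MAC addresses means a shared OUI prefix, abnormal users are grouped with a union-find when a pair matches at least two of the four parameters, the check priority is read off the best matching degree in the group, and the self-built > public > operator DNS ranking from the page is given numeric weights that act as a tie-break.

```python
"""Toy pipeline for the three steps above (added example, not the patent's code).
All records, baselines, coefficients, tolerances and DNS weights are constructed
assumptions; the patent gives only the structure, not these values."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass
class Session:
    """One Radius accounting record per user and day (constructed)."""
    user: str
    bw_type: str      # access bandwidth product, e.g. "100M"
    device: str       # network access equipment id
    outer_vlan: int
    inner_vlan: int
    mac: str          # user-side access MAC address
    online: int       # online time, seconds since midnight
    offline: int      # offline time, seconds since midnight
    gigabytes: float  # daily traffic


# Previous-month daily traffic (GB) per bandwidth type (constructed). The page says the
# baseline is recalculated monthly; using the mean as the baseline is an assumption.
LAST_MONTH = {"100M": [3.0, 4.0, 5.0, 4.0], "200M": [6.0, 8.0, 10.0, 8.0]}
COEFF = {"100M": 5.0, "200M": 5.0}  # traffic threshold coefficient per bandwidth (assumed)
# Ranking self-built > public > operator is from the page; the weights are assumed.
DNS_WEIGHT = {"self-built": 1.0, "public": 0.6, "operator": 0.2}
PRIORITY = {4: "high", 3: "medium", 2: "low"}  # check priority by matching degree (assumed)

SESSIONS = [  # constructed sample day
    Session("u1", "100M", "BRAS-1", 100, 10, "00:11:22:aa:bb:01", 28800, 79200, 30.0),
    Session("u2", "100M", "BRAS-1", 100, 11, "00:11:22:aa:bb:02", 28850, 79150, 25.0),
    Session("u3", "200M", "BRAS-1", 100, 12, "00:11:22:cc:dd:03", 30000, 80000, 50.0),
    Session("u4", "100M", "BRAS-2", 200, 5, "aa:bb:cc:00:00:04", 3600, 7200, 22.0),
    Session("u5", "100M", "BRAS-1", 100, 10, "00:11:22:ee:ff:05", 28800, 79200, 2.0),
]
DNS_CLASS = {"u1": "self-built", "u2": "operator", "u3": "operator", "u4": "public"}


def baselines(history=LAST_MONTH):
    """Step 1a: one daily traffic baseline per access bandwidth type."""
    return {bw: mean(days) for bw, days in history.items()}


def step1_abnormal(sessions, base, coeff=COEFF):
    """Step 1b: a user is abnormal when daily traffic exceeds coefficient x baseline."""
    return [s for s in sessions if s.gigabytes > coeff[s.bw_type] * base[s.bw_type]]


def match_degree(a, b, vlan_tol=2, time_tol=300):
    """Step 2a: how many of the four identification parameters two users share.
    'Similar' VLAN, MAC and time are defined by the assumed tolerances below."""
    same_device = a.device == b.device
    similar_vlan = a.outer_vlan == b.outer_vlan and abs(a.inner_vlan - b.inner_vlan) <= vlan_tol
    similar_mac = a.mac[:8].lower() == b.mac[:8].lower()  # same OUI prefix
    same_times = abs(a.online - b.online) <= time_tol and abs(a.offline - b.offline) <= time_tol
    return sum((same_device, similar_vlan, similar_mac, same_times))


def step2_groups(abnormal, min_degree=2):
    """Step 2b: union users that match at least min_degree parameters; keep the best degree."""
    parent = {s.user: s.user for s in abnormal}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    pair_degree = {}
    for i, a in enumerate(abnormal):
        for b in abnormal[i + 1:]:
            d = match_degree(a, b)
            if d >= min_degree:
                parent[find(a.user)] = find(b.user)
                pair_degree[(a.user, b.user)] = d
    members_of = defaultdict(set)
    for s in abnormal:
        members_of[find(s.user)].add(s.user)
    groups = []
    for members in members_of.values():
        degree = max((d for (u, _v), d in pair_degree.items() if u in members), default=0)
        groups.append((frozenset(members), degree))
    return groups


def step3_rank(groups, dns_class):
    """Step 2c/3: priority from matching degree; the DNS class weight orders the queue."""
    ranked = []
    for members, degree in groups:
        dns = max(DNS_WEIGHT[dns_class.get(u, "operator")] for u in members)
        ranked.append({"members": sorted(members), "degree": degree,
                       "priority": PRIORITY.get(degree, "single-user"),
                       "score": degree + dns})
    return sorted(ranked, key=lambda g: g["score"], reverse=True)


def run(sessions=SESSIONS, dns_class=DNS_CLASS):
    """Whole pipeline: baseline -> abnormal users -> groups -> ranked check list."""
    return step3_rank(step2_groups(step1_abnormal(sessions, baselines())), dns_class)


if __name__ == "__main__":
    for group in run():
        print(group)
```

On the sample day, u1, u2 and u3 exceed their thresholds and share the same access device, adjacent inner VLAN ids under one outer VLAN and an OUI prefix, with u1 and u2 also going online and offline within a minute of each other, so they form one group with matching degree 4 that is queued first (u1 uses a self-built DNS). u4 is abnormal on its own and is reported as a single-user private connection; u5 stays under the threshold. The tolerances and weights are the knobs the page says the service department tunes from confirmed cases.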
The technical scheme of the invention has the following beneficial effects:
the increasingly serious private-connection problem of operators is solved at lower cost, and the phenomenon that the more bandwidth is increased, the faster customers are lost is avoided;
the situation in which the network service quality of end users cannot be guaranteed because they have purchased counterfeit bandwidth from a private-connection operator, which also dampens the operator's enthusiasm for broadband speed increases and harms its brand reputation, is avoided;
the security risks and poor experience caused to users by the behavior of a private-connection operator, such as monitoring and advertisement insertion in the network, are avoided;
the situation in which security incidents initiated by malicious users within a private-connection user group cannot be traced is avoided.
it should be noted that for simplicity of description, the above method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects.
Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (2)

1. A large-bandwidth private connection analysis and identification method, characterized by comprising the following steps:
step 1) establishing daily traffic statistical baselines for each access bandwidth type, and filtering out abnormal users according to the traffic threshold coefficient set for each access bandwidth;
step 2) classifying and analyzing the identified abnormal-traffic users;
which specifically comprises the following steps:
the four identification parameters, namely the same network access equipment, similar inner- and outer-layer VLAN ids, similar user-side access MAC addresses, and consistent online and offline times, are combined, and users matching all or some of the identification parameters are grouped and classified;
checking the grouped users at different priority levels according to their parameter matching degree, and identifying bound private-connection users; step 3) analyzing the DNS request volume of the broadband user from DNS data and classifying private-connection users into those normally using the operator DNS, those using a public DNS, and those using a self-built DNS;
self-built DNS, public DNS and operator DNS are ranked from high to low, with a self-built DNS giving the highest private-connection coefficient, which assists in identifying bound private-connection users.
2. The method according to claim 1, wherein the daily traffic statistical baseline is calculated every month from the previous month's user traffic on the whole network;
the traffic threshold coefficient of each access bandwidth is adjusted according to the number of users identified and confirmation by the service department.
CN201810993572.2A 2018-08-29 2018-08-29 Method for analyzing and identifying large-bandwidth private connection Active CN109120625B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810993572.2A CN109120625B (en) 2018-08-29 2018-08-29 Method for analyzing and identifying large-bandwidth private connection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810993572.2A CN109120625B (en) 2018-08-29 2018-08-29 Method for analyzing and identifying large-bandwidth private connection

Publications (2)

Publication Number Publication Date
CN109120625A CN109120625A (en) 2019-01-01
CN109120625B true CN109120625B (en) 2021-06-08

Family

ID=64861177

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810993572.2A Active CN109120625B (en) 2018-08-29 2018-08-29 Method for analyzing and identifying large-bandwidth private connection

Country Status (1)

Country Link
CN (1) CN109120625B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111106980B (en) * 2019-12-17 2021-08-03 武汉绿色网络信息服务有限责任公司 Bandwidth binding detection method and device
CN113381968B (en) * 2020-03-09 2022-10-18 中国移动通信集团设计院有限公司 Broadband private connection prevention judgment method and device, electronic equipment and storage medium
CN112291113A (en) * 2020-11-13 2021-01-29 中盈优创资讯科技有限公司 Port bandwidth auditing method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036733B (en) * 2011-10-09 2016-07-06 上海市南电信服务中心有限公司 Unconventional network accesses monitoring system and the monitoring method of behavior
EP3076710B1 (en) * 2013-12-27 2020-04-08 Huawei Technologies Co., Ltd. Offload method, user equipment, base station and access point
CN106656651A (en) * 2016-10-14 2017-05-10 恒安嘉新(北京)科技有限公司 Data transparent transmission detecting method and device
CN108322354B (en) * 2017-01-18 2020-10-23 中国移动通信集团河南有限公司 Method and device for identifying running-stealing flow account

Also Published As

Publication number Publication date
CN109120625A (en) 2019-01-01

Similar Documents

Publication Publication Date Title
CN109120625B (en) Method for analyzing and identifying large-bandwidth private connection
US8533819B2 (en) Method and apparatus for detecting compromised host computers
US8060927B2 (en) Security state aware firewall
CN108521408A (en) Resist method of network attack, device, computer equipment and storage medium
WO2021008560A1 (en) Mobile application security analysis method based on blockchain technology
CN105791213B (en) Policy optimization device and method
EP3542511B1 (en) Process for a communication network and electronic control unit
CN103746982B (en) A kind of http network condition code automatic generation method and its system
CN101809968A (en) Facilitating heterogeneous authentication for allowing network access
CN104640114B (en) A kind of verification method and device of access request
CN104239758A (en) Man-machine identification method and system
WO2023041039A1 (en) Secure access control method, system and apparatus based on dns resolution, and device
CN114553471A (en) Tenant safety management system
CN105306411A (en) Data packet processing method and device
US20170149821A1 (en) Method And System For Protection From DDoS Attack For CDN Server Group
CN112910854B (en) Method and device for safe operation and maintenance of Internet of things, terminal equipment and storage medium
CN113839945A (en) Credible access control system and method based on identity
CN104601578A (en) Recognition method and device for attack message and core device
CN113472545B (en) Equipment network access method, device, equipment, storage medium and communication system
Abedin et al. Analysis of firewall policy rules using traffic mining techniques
CN114389977A (en) PCDN (Primary Contourlet distribution network) violation service detection method and device, electronic equipment and storage medium
CN113141362A (en) Intelligent terminal and server safety interaction control method
CN114640536A (en) Data access monitoring method
CN113824738A (en) Method and system for node communication management in block chain
CN111901138A (en) Visual auditing method for illegal access of industrial network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant