CN109639628A - Private connection behavior detection method, network device, system and storage medium - Google Patents

Publication number: CN109639628A
Authority: CN (China)
Prior art keywords: source, address, data message, terminal device, information
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201811259689.4A
Other languages: Chinese (zh)
Inventor: 温鑫荣
Current Assignee: Ruijie Networks Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Ruijie Networks Co Ltd
Application filed by Ruijie Networks Co Ltd
Priority to CN201811259689.4A
Publication of CN109639628A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0245 Filtering by information in the payload
    • H04L63/0263 Rule management

Abstract

The embodiments of the present application provide a private connection behavior detection method, a network device, a system and a storage medium. In the embodiments of the present application, data messages with the same source IP address are first identified among the received data messages. The number of terminal devices sending data messages with that source IP address is then determined from the information associated with terminal device identity that those data messages carry. If the number of terminal devices sending data messages with the source IP address is greater than a designated terminal quantity, it is determined that private connection behavior exists for the source IP address. In this way, private connection behavior can be identified without installing and running a corresponding client program on the user's terminal device, which reduces the burden on the user's terminal device and helps improve the user's Internet experience.

Description

Private connection behavior detection method, network device, system and storage medium
Technical Field
This application relates to the technical field of network security, and in particular to a private connection behavior detection method, a network device, a system and a storage medium.
Background
Private network connection refers to the technique of using a wireless access point (Access Point, AP) so that multiple people share one IP address to access the Internet. Because a private-connection user has the same Internet Protocol (IP) address as the legitimate user, a conventional network management device or network access device raises no alarm in this case, and no IP address conflict warning occurs. An illegal user can thus use the identity of an authorized user to obtain access rights to the network, which not only causes great trouble for network management but also leads to abuse of internal network resources, bringing economic loss and danger to users.
Existing private connection behavior detection methods generally require a corresponding client program to be installed and run on the terminal devices in the network, which inevitably increases the operating burden of the terminal devices and degrades the user's Internet experience.
Summary of the Invention
Various aspects of the present application provide a private connection behavior detection method, a network device, a system and a storage medium, so that private connection behavior can be identified without installing and running a corresponding client program on the user's terminal device, thereby reducing the burden on the user's terminal device and improving the user's Internet experience.
An embodiment of the present application provides a private connection behavior detection method, comprising:
identifying, among the received data messages, data messages with the same source IP address;
determining, according to the information associated with terminal device identity carried in the data messages with the same source IP address, the number of terminal devices sending data messages with the source IP address;
if the number of terminal devices sending data messages with the source IP address is greater than a designated terminal quantity, determining that private connection behavior exists for the source IP address.
An embodiment of the present application also provides a network device, comprising: a memory, a processor and a communication component, wherein
the communication component is configured to receive data messages;
the memory is configured to store a computer program;
the processor is coupled to the memory and configured to execute the computer program in order to:
identify, among the data messages received by the communication component, data messages with the same source IP address;
determine, according to the information associated with terminal device identity carried in the data messages with the same source IP address, the number of terminal devices sending data messages with the source IP address;
if the number of terminal devices sending data messages with the source IP address is greater than a designated terminal quantity, determine that private connection behavior exists for the source IP address.
An embodiment of the present application also provides a private connection behavior detection system, comprising: a network management device and a terminal device managed by the network management device;
wherein the terminal device is configured to send data messages to the network management device;
the network management device is configured to: identify, among the received data messages, data messages with the same source IP address; determine, according to the information associated with terminal device identity carried in the data messages with the same source IP address, the number of terminal devices sending data messages with the source IP address; and, if the number of terminal devices sending data messages with the source IP address is greater than a designated terminal quantity, determine that private connection behavior exists for the source IP address.
An embodiment of the present application also provides a computer-readable storage medium storing a computer program, characterized in that the computer program, when executed, can implement the steps of the above method.
In the embodiments of the present application, data messages with the same source IP address are first identified among the received data messages. The number of terminal devices sending data messages with that source IP address is then determined from the information associated with terminal device identity carried in those data messages. If the number of terminal devices sending data messages with the source IP address is greater than the designated terminal quantity, it is determined that private connection behavior exists for the source IP address. In this way, private connection behavior can be identified without installing and running a corresponding client program on the user's terminal device, which reduces the burden on the user's terminal device and helps improve the user's Internet experience.
Brief Description of the Drawings
The drawings described here provide a further understanding of the present application and form a part of it. The illustrative embodiments of the present application and their descriptions serve to explain the application and do not unduly limit it. In the drawings:
Fig. 1 is a structural schematic diagram of a private connection behavior detection system provided by an embodiment of the present application;
Fig. 2 is a flow diagram of a private connection behavior detection method provided by an exemplary embodiment of the present application;
Fig. 3 is a structural schematic diagram of a network device provided by an exemplary embodiment of the present application.
Detailed Description
To make the purposes, technical solutions and advantages of the present application clearer, the technical solutions of the application are described clearly and completely below with reference to specific embodiments and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application, without creative effort, fall within the scope of protection of this application.
Existing private connection behavior detection methods require a corresponding client program to be installed and run on the terminal devices in the network, which increases the operating burden of the terminal devices. To address this technical problem, the embodiments of the present application provide a solution whose basic idea is: identify, among the received data messages, data messages with the same source IP address; determine, from the information associated with terminal device identity carried in those data messages, the number of terminal devices sending data messages with that source IP address; and, if the number of terminal devices sending data messages with the source IP address is greater than a designated terminal quantity, determine that private connection behavior exists for the source IP address. In this way, private connection behavior can be identified without installing and running a corresponding client program on the user's terminal device, which reduces the burden on the user's terminal device and helps improve the user's Internet experience.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the drawings.
Fig. 1 is a structural schematic diagram of a private connection behavior detection system provided by an embodiment of the present application. As shown in Fig. 1, the system 10 includes a network management device 10a and a terminal device 10b managed by the network management device 10a. The network management device 10a and terminal device 10b shown in Fig. 1 are illustrative only and do not limit the form of implementation or the number of either.
The network management device 10a and the terminal device 10b are connected by a wired or wireless connection. Optionally, the network management device 10a can communicate with the terminal device 10b over a mobile network; correspondingly, the network standard of the mobile network can be any one of 2G (GSM), 2.5G (GPRS), 3G (WCDMA, TD-SCDMA, CDMA2000, UMTS), 4G (LTE), 4G+ (LTE+), WiMax and the like. Optionally, the network management device 10a can also communicate with the terminal device 10b by means such as Bluetooth, WiFi or infrared.
In this embodiment, the network management device 10a is the hardware facility that performs network management on the terminal device 10b. For example, the network management device 10a can be a device with a routing function such as a hub, gateway, switch, router, optical modem or wireless access point (Wireless Access Point, AP), but is not limited to these. The network management device 10a can also be a server. There may be one server or several, and this embodiment does not limit the form of implementation of the server. For example, the server can be a server device such as a general-purpose server, cloud server, cloud host or virtual center. A server device mainly consists of a processor, hard disk, memory, system bus and so on, similar to a general computer architecture.
In this embodiment, the terminal device 10b is a device used by the user that provides the computing, Internet access, communication and other functions the user needs, for example a smartphone, tablet computer, PC or wearable device. The terminal device 10b generally includes at least one processing unit and at least one memory. The number of processing units and memories depends on the configuration and type of the terminal device. The memory may be volatile, such as RAM, or non-volatile, such as read-only memory (Read-Only Memory, ROM) or flash memory, or may include both types. The memory typically stores an operating system (Operating System, OS) and one or more application programs, and may also store program data. In addition to the processing unit and memory, the terminal device also includes basic components such as a network card chip, IO bus and audio/video components. Optionally, depending on the form of implementation of the terminal device 10b, the terminal device 10b may also include peripheral devices such as a keyboard, mouse, stylus or printer. These peripheral devices are well known in the art and are not described further here.
In this embodiment, real-name Internet access is implemented in the local area network with one IP per person, that is, one IP address is used by one terminal device. If a user privately connects an AP, however, one IP can be shared by multiple terminal devices. An IP address conflict may then occur, which both degrades the Internet experience of the legitimate user and harms the legitimate user's interests. In this embodiment, the behavior in which one IP address is shared by multiple terminal devices is defined as private connection behavior. In addition, in this embodiment, a terminal device managed by the network management device 10a that accesses the local area network in accordance with the relevant regulations, such as the local area network access rules, is defined as a legitimate user; a terminal device that accesses the network through a privately connected AP is defined as an illegal user.
In this embodiment, for a given IP address, the terminal device of either a legitimate user or an illegal user sends data messages related to its Internet activity to the network management device 10a when it goes online using terminal device 10b. These data messages contain source IP address information, and the data messages sent by terminal devices that share the same IP address have the same source IP address. Based on this, in this embodiment, the network management device 10a can identify, among the received data messages, data messages with the same source IP address.
Optionally, a private connection behavior detection period can be preset in the network management device 10a, and a timer or counter started to time that period. When the private connection behavior detection period is reached, data messages with the same source IP address are identified among the data messages received in the current period. This embodiment does not limit the private connection behavior detection period. Preferably, to ensure the accuracy of private connection behavior detection, the detection period should not be set too long; it can be, for example, half an hour, 5 minutes or 10 minutes.
Of course, to reduce the impact of frequent private connection behavior detection on the normal operation of the network management device 10a, the detection period can be set longer, for example one week or one month. In that case, to ensure the accuracy of detection, each time the detection period is reached, data messages with the same source IP address can be identified among the data messages received during a span of time before the current period was reached, for example the half hour, 5 minutes or 10 minutes before the current period was reached, but not limited to these.
Alternatively, the user can operate a relevant button on the network management device 10a or a control on the corresponding software interface. In response to the user's operation, the network management device 10a identifies data messages with the same source IP address among the data messages received during a span of time before the operation, for example the half hour, 5 minutes or 10 minutes before the user's operation was responded to, but not limited to these.
Further, because data messages often carry information associated with terminal device identity, in this embodiment the network management device 10a can determine, from the information associated with terminal device identity carried in data messages with the same source IP address, the number of terminal devices sending data messages with that source IP address; if the number of terminal devices sending data messages with the source IP address is greater than the designated terminal quantity, it determines that private connection behavior exists for the source IP address. The number of terminal devices determined to be sending data messages with the same source IP address can be an exact quantity, for example 1, 2 or 10. It can also be a numerical range, that is, what is determined is the range to which the number of terminal devices sending data messages with the same source IP address belongs; the range can be "greater than" some known value, for example greater than the designated terminal quantity.
It should be noted that in this embodiment, to protect the Internet access rights of legitimate users and improve their Internet experience, generally only one terminal device is allowed to use a given IP address, so the designated terminal quantity is generally set to 1. Of course, the designated terminal quantity can also be set flexibly according to the user's actual needs. A household, for example, may want the family members' multiple terminal devices (mobile phones, computers and so on) to share one IP address, and the designated terminal quantity can be set flexibly according to the number of terminal devices the family members use.
It should also be noted that this embodiment does not limit how the network management device 10a handles an IP address after detecting that private connection behavior exists for it; it may take no punitive measure at all. Of course, to facilitate later network management and protect the Internet access rights of legitimate users, the network management device 10a can take certain punitive measures when it detects that private connection behavior exists for an IP address. For example, it can block the connection of the terminal devices corresponding to the source IP address for which private connection behavior exists, or limit the network speed of those terminal devices, for example by limiting the Internet bandwidth of the terminal devices corresponding to the source IP address, but not limited to these. The duration of the penalty applied to a source IP address for which private connection behavior exists can be set flexibly according to actual needs, for example 2 hours, one day or two days.
In this embodiment, the network management device identifies data messages with the same source IP address among the data messages received from the terminal devices it manages; determines, from the information associated with terminal device identity carried in those data messages, the number of terminal devices sending data messages with that source IP address; and, if the number of terminal devices sending data messages with the source IP address is greater than the designated terminal quantity, determines that private connection behavior exists for the source IP address. In this way, private connection behavior can be identified without installing and running a corresponding client program on the user's terminal device, which reduces the burden on the user's terminal device and helps improve the user's Internet experience.
In an optional embodiment, the data messages sent by terminal device 10b contain several kinds of information associated with terminal device identity. From this information, the network management device 10a can determine the identities of the terminal devices 10b sending data messages with the same source IP address, and the number of terminal devices 10b sending those data messages. Depending on the Internet activity the user carries out with terminal device 10b, the information associated with the identity of terminal device 10b that is carried in the data messages sent to the network management device 10a differs. Therefore, when the network management device 10a determines the number of terminal devices 10b sending data messages with a source IP address from the identity-associated information carried in data messages with that source IP address, it can make the determination from different types of associated information. Optional implementations by which the network management device 10a determines the number of terminal devices 10b sending data messages with the same source IP address are illustrated below for different Internet activities, that is, different application scenarios.
Embodiment 1: In application scenario A, the user accesses web pages with terminal device 10b, for example to query information, log in to a mailbox, shop online or log in to a game. The data messages issued by the browser carry an HTTP header, and the HTTP header may contain user agent (User Agent, UA) information: a character string with which the browser identifies itself, generally including the browser brand, version, kernel, host operating system environment, terminal device model and similar information. The UA information is therefore associated with the identity of terminal device 10b, and the number of terminal devices sending data messages with the same source IP address can be determined from the UA information carried in data messages with the same source IP address.
Further, one or more virtual machines may be installed on terminal device 10b. When the user starts a virtual machine on terminal device 10b and it generates Internet activity, the virtual machine also sends corresponding data messages to the network management device 10a, and these data messages carry UA information associated with the identity of the virtual machine. Therefore, to improve the accuracy of private connection behavior detection, the UA information of virtual machines can be filtered from the received data messages. In this embodiment, the UA information of a virtual machine contains a special virtual machine feature field. Based on this, before determining the number of terminal devices sending data messages with the same source IP address from the UA information carried in data messages with that source IP address, the network management device 10a can first judge whether any of that UA information contains a virtual machine feature field; if UA information containing a virtual machine feature field exists, that UA information is filtered out.
Optionally, filtering rules for UA information containing a virtual machine feature field can be preset. For example, priorities among virtual machine feature fields can be preset, and UA information containing virtual machine feature fields filtered out in turn according to those priorities. The number of priorities can be set flexibly according to the types of virtual machine feature field; for example, if there are 4 types of virtual machine feature field, 4 priorities can be set.
As another example, the data messages received by a network management device 10a, especially a gateway, router, switch or AP, include both uplink data reported by the managed terminal device 10b and downlink data issued by servers. In the embodiments of the present application, for ease of description and distinction, a rule that filters uplink data messages is defined as a filter-out rule, and a rule that filters downlink data messages is defined as a filter-in rule. Optionally, since what is detected is the private connection behavior of terminal device 10b, processing is mainly performed on uplink data, so downlink data messages can also be filtered out. Based on this, the filtering rules of the network management device 10a can be such that, at the same priority, a filter-out rule takes precedence over a filter-in rule, and a message that matches no rule is processed by default according to the filter-in rule. That is, the priority of uplink data is higher than that of downlink data, and data messages that satisfy no filtering rule are filtered as downlink data.
Based on the above analysis, a filtering rule can optionally use the following format:
1,out,"Nexus One Build/FRF91"
Here, the number "1" represents the priority, "out" indicates that the filtering direction is filter-out, and the pattern string "Nexus One Build/FRF91" in double quotes represents the data stream to be filtered. In the embodiments of the present application, the data stream to be filtered is the virtual machine feature field. Correspondingly, the filtering direction can also be "in", that is, filter-in.
Optionally, to improve the scalability of the filtering rules and accommodate needs such as future system updates, the filtering rules can be stored and maintained in a feature database.
Further, if one source IP address is shared by multiple terminal devices, the UA information in the data messages issued by these terminal devices differs. Based on this, when the network management device 10a determines the number of terminal devices sending data messages with the same source IP address from the UA information carried in data messages with that source IP address, it can count the number of different UA information present in data messages with the same source IP address, and take that number as the number of terminal devices sending data messages with the same source IP address.
Optionally, if one source IP address is shared by multiple terminal devices and the operating systems used by these terminal devices differ, or the models of the terminal devices differ, then the UA information in the data messages they send to the network management device 10a also differs. Based on this, when determining the number of different UA information in data messages with the same source IP address, the network management device 10a can count, from the UA information in those data messages, the number of different operating systems present in data messages with the same source IP address, and take the number of different operating systems as the number of different UA information; and/or count, from the UA information in those data messages, the number of different machine models present in data messages with the same source IP address, and take the number of different machine models as the number of different UA information.
It should be noted that in the implementation that determines the number of UA information using both different operating systems and different machine models, the number of different UA information equals the larger of the number of different operating systems and the number of different machine models. For example, if there is only one type of operating system and there are 2 or more types of machine model, the number of different UA information is the number of types of machine model.
It should also be noted that in the embodiments of the present application, different operating systems means not only different types of operating system but also different version numbers of an operating system. Different machine models means not only different manufacturers but also different specific models. The operating system information in UA information generally comprises the OS name and version number, in formats such as the following:
Windows NT 5.1;
Mac OS X 10_11_6)
Android 5.1.1;
Mac OS X 10_12)
iPhone OS 10_0
iPhone OS 10_0_1
iPhone OS 10.0.1;
Windows NT 10.0;
Windows NT 5.1)
Optionally, to make the operating system information extensible so that newly appearing systems can be supported, the operating system information can be stored in a feature database, in the following format:
1,Windows,"Windows NT",PC
2,Mac,"Mac OS X",PC
3,iPhone,"iPhone OS",Mobile
Each rule mainly consists of an ID, a system name, a pattern string enclosed in double quotation marks and an optional terminal type, but is not limited to this. The numbers 1-3 are operating system IDs and can be set flexibly; for example, the Mac operating system could also be set to 1.
Further, a user may sometimes need to share an IP address temporarily. In such cases, when multiple terminal devices share the same IP address, some of them may appear only briefly. If network management device 10a detected private-connection behavior for the source IP address in this situation and took punitive measures against the corresponding terminal devices, the user's use of the network would be inconvenienced. Therefore, to improve the robustness and flexibility of private-connection detection, when counting the number of different operating systems present in data messages with the same source IP address, network management device 10a may, according to the UA information in those data messages, count the occurrences of each operating system separately. When the number of occurrences of an operating system is greater than or equal to a preset first threshold, that operating system is set as an effective operating system, and the number of effective operating systems is used as the number of different operating systems in the UA information of the data messages with the same source IP address. The first threshold can be set flexibly according to actual needs and is not limited in the embodiments of this application. Optionally, after the occurrences of an operating system have been counted, it can be stored in the feature database in the operating system format above (the operating system storage rule).
Correspondingly, when counting the number of different machine models present in data messages with the same source IP address, network management device 10a may also, according to the UA information in those data messages, count the occurrences of each machine model separately. When the number of occurrences of a machine model is greater than or equal to a preset second threshold, that model is treated as an effective machine model, and the number of effective machine models is used as the number of different machine models in the UA information of the data messages with the same source IP address. The second threshold can be set flexibly according to actual needs and is not limited in the embodiments of this application. Optionally, after the occurrences of a machine model have been counted, it can be stored in the feature database in the model storage format (the model storage rule). A model storage rule consists of a model ID, a model name and a feature code, and the model ID in turn consists of a brand ID and a sub-ID. The terms brand ID and sub-ID are custom expressions introduced for ease of maintenance: the brand ID encodes the brand of the terminal device, the sub-ID encodes its specific model, and the feature code is the code formed after the brand and specific model have been encoded. For example, if A is the brand of terminal device 1, its brand ID can be labeled 1; if A1 and A2 are the specific models of terminal device 1 and terminal device 2, both of brand A, their models can be labeled 1 and 2 respectively, and the feature codes are then 1-1 and 1-2 respectively.
It is worth noting that, in the embodiments of this application, the filtering rules, the operating system storage rules and the model storage rules above all require pattern matching. To improve matching efficiency, the pattern strings can be compiled into the same state machine; after a pattern is matched, the rules are told apart by the pattern ID that was associated with the pattern string when it was added. Optionally, the pattern ID is a parameter of type void*, which can store one long word of data; for compatibility, only a 32-bit value is stored here, in which the high 4 bits store the rule type and the remaining 28 bits are used within each rule.
Optionally, for the filtering rules above, the filtering direction and the priority need to be stored. Optionally, the filtering direction can occupy 1 bit, so at most 27 priorities can be supported.
Optionally, for the operating system storage rules above, the operating system ID, the pattern string length and the terminal type need to be recorded. The terminal type can occupy 2 bits and the pattern string length 8 bits, with the remaining bits allocated to the system ID.
Further, for the model storage rules, the brand ID and the sub-ID need to be recorded; considering the numbers currently on the market, 9 bits can be allocated to the brand ID and the remaining 19 bits to the sub-ID.
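The 32-bit ID layout described above (high 4 bits for the rule type, 28 bits used within each rule) can be made concrete as follows. This is an added example, not code from the patent: the numeric rule-type codes, the position of each field inside the 28-bit payload, and the one-bit-per-level reading of "at most 27 priorities" are assumptions.

```python
from enum import IntEnum

PAYLOAD_BITS = 28                      # bits left after the 4-bit rule type
PAYLOAD_MASK = (1 << PAYLOAD_BITS) - 1
PRIORITY_LEVELS = 27                   # 28 bits minus 1 direction bit


class RuleType(IntEnum):
    # Numeric codes are assumptions; the page only says the type takes 4 bits.
    FILTER = 1
    OS = 2
    MODEL = 3


def _fit(value, bits, name):
    """Return value if it fits in an unsigned field of the given width."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")
    return value


def _tag(rule_type, payload):
    return (int(rule_type) << PAYLOAD_BITS) | payload


def pack_filter(direction, priority):
    """Filtering rule: 1 direction bit, then one bit per priority level."""
    _fit(direction, 1, "direction")
    if not 0 <= priority < PRIORITY_LEVELS:
        raise ValueError(f"priority must be 0..{PRIORITY_LEVELS - 1}")
    return _tag(RuleType.FILTER, (direction << PRIORITY_LEVELS) | (1 << priority))


def pack_os(os_id, pattern_length, terminal_type):
    """OS rule: 2-bit terminal type, 8-bit pattern length, 18-bit system ID."""
    payload = ((_fit(terminal_type, 2, "terminal_type") << 26)
               | (_fit(pattern_length, 8, "pattern_length") << 18)
               | _fit(os_id, 18, "os_id"))
    return _tag(RuleType.OS, payload)


def pack_model(brand_id, sub_id):
    """Model rule: 9-bit brand ID, 19-bit sub-ID."""
    return _tag(RuleType.MODEL,
                (_fit(brand_id, 9, "brand_id") << 19) | _fit(sub_id, 19, "sub_id"))


def unpack(pattern_id):
    """Decode a pattern ID returned by the matcher back into its fields."""
    if not 0 <= pattern_id < (1 << 32):
        raise ValueError("pattern ID must fit in 32 bits")
    rule_type = RuleType(pattern_id >> PAYLOAD_BITS)  # ValueError if unknown
    payload = pattern_id & PAYLOAD_MASK
    if rule_type is RuleType.FILTER:
        level_bits = payload & ((1 << PRIORITY_LEVELS) - 1)
        return {"rule": rule_type,
                "direction": payload >> PRIORITY_LEVELS,
                "priority": level_bits.bit_length() - 1}
    if rule_type is RuleType.OS:
        return {"rule": rule_type,
                "terminal_type": payload >> 26,
                "pattern_length": (payload >> 18) & 0xFF,
                "os_id": payload & 0x3FFFF}
    return {"rule": rule_type,
            "brand_id": payload >> 19,
            "sub_id": payload & 0x7FFFF}
```

Because every value stays below 2**32, the same ID survives being carried in a void* on both 32-bit and 64-bit builds, which is the compatibility point the text makes.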
Embodiment 2: In application scenario B, when the user goes online with terminal device 10b, for example by opening a web page in a browser, browsing the information on the page, clicking a link to turn the page or dragging a progress bar, the server may allocate a TCP port number to the process requesting the connection in each of these processes. For the same terminal device 10b, the TCP port numbers assigned to the processes through which the user goes online differ, and they generally follow a certain pattern. For example, on Windows, iOS and Mac systems the source port number of the TCP connection of each newly created process increments globally one by one, i.e. the TCP port number of the current process is greater than that of the previous process. For different terminal devices, each device's series of online processes also generates a TCP port number sequence, but the sequences generated by different terminal devices follow different patterns. The variation pattern of the TCP source port number is therefore associated with terminal device identity. Based on this, when network management device 10a determines, according to the information associated with terminal device identity carried in data messages with the same source IP address, the number of terminal devices sending data messages with that source IP address, it may make the determination according to the TCP source port numbers carried in those data messages.
Further, network management device 10a may count the number of TCP source port number sequences that vary with different patterns in data messages with the same source IP address, and use that number as the number of terminal devices sending data messages with the same source IP address.
Optionally, in Embodiment 2, an aging period can also be set, and a timer or counter started to time it. After network management device 10a obtains a TCP port number within an aging period, it compares that port number with the TCP port numbers obtained earlier in the same aging period. If the port number fits the variation pattern of earlier TCP port numbers, it is added to that same sequence; if it does not fit the variation pattern of any earlier TCP port numbers, it is used as the start of a new sequence. When the aging period expires, any sequence that was not updated during that period is aged out and is no longer used as a basis for the determination. The aging period can be set flexibly according to actual needs and is not limited in the embodiments of this application.
Embodiment 3: In application scenario C, the user may use an APP on terminal device 10b, or find the corresponding login window through a browser, to log in to a website or platform for instant messaging, online shopping, online gaming, sending and receiving e-mail and so on. On a single terminal device, the number of users who use the same application for a given internet behavior is mostly limited; for example, when a certain instant messaging application is used for instant messaging, or online shopping is done on a certain shopping platform, the number of accounts logged in is mostly limited. Therefore, an upper limit m on the number of virtual identity accounts that one terminal device is allowed to log in to with the same application can be set in network management device 10a. Assuming the designated terminal quantity is n, the upper limit on the number of virtual identity accounts that n terminals log in to with that application from the same source IP address is m*n. Either m*n or some value greater than m*n can be set as the default account quantity, which can be used to determine whether the number of terminals sending data messages with the same source IP address is greater than the designated terminal quantity, where m and n are positive integers. Thus, when the number of virtual identity accounts using the application from one source IP address exceeds the default account quantity, it is determined that the number of terminals sending data messages with that source IP address is greater than the preset designated terminal quantity. Based on this, when network management device 10a determines, according to the information associated with terminal device identity carried in data messages with the same source IP address, the number of terminal devices sending data messages with that source IP address, it may count the number of different virtual identity accounts under the same application present in those data messages. If the number of different virtual identity accounts under the same application is greater than the default account quantity, it determines that the number of terminal devices sending data messages with the source IP address is greater than the designated terminal quantity, i.e. that private-connection behavior exists for the source IP address. The upper limit m on the number of virtual identity accounts that one terminal device is allowed to log in to with the same application can be set flexibly according to actual needs and is not limited in the embodiments of this application. It is worth noting that in Embodiment 3 the determined number of terminals sending data messages with the same source IP address is a numerical range, namely greater than the designated terminal quantity.
Further, to improve the accuracy of private-connection detection, the virtual identity accounts of applications that have a low false-detection rate or that users use frequently can be selected for detection, such as the virtual identity accounts of instant messaging applications or of online shopping platforms, but not limited to this.
Further, in Embodiment 3, an aging period can also be set, and a timer or counter started to time it. Within an aging period, after network management device 10a obtains a virtual identity account, it compares the account with the virtual identity accounts obtained earlier in the same aging period. If the account is the same as one obtained earlier in the period, it is not counted; if it differs from those obtained earlier in the period, the number of virtual identity accounts using the application is incremented by 1. When the aging period expires, the virtual identity accounts obtained during the period are aged out and are no longer used as a basis for the determination. The aging period can be set flexibly according to actual needs and is not limited in the embodiments of this application.
In addition to the private-connection behavior detection system provided by the embodiments above, the embodiments of this application also provide a private-connection behavior detection method, which is described below from the perspective of the network management device.
Fig. 2 is a schematic flowchart of a private-connection behavior detection method provided by an exemplary embodiment of this application. The method is applicable to a network management device. As shown in Fig. 2, the method includes:
201. From the received data messages, identify the data messages with the same source IP address.
202. According to the information associated with terminal device identity carried in the data messages with the same source IP address, determine the number of terminal devices sending data messages with that source IP address.
203. If the number of terminal devices sending data messages with the source IP address is greater than the designated terminal quantity, determine that private-connection behavior exists for the source IP address.
In this embodiment, for any given IP address, whether the terminal device belongs to a legitimate user or an illegitimate user, the device sends data messages related to the internet behavior to the network management device when it is used to go online. These data messages contain the source IP address, and data messages sent by terminal devices that share the same IP address have the same source IP address. Based on this, in step 201, the data messages with the same source IP address can be identified from the received data messages.
Optionally, a private-connection detection period can be preset, and a timer or counter started to time it. When the detection period arrives, the data messages with the same source IP address are identified from the data messages received in the current period. This embodiment does not limit the detection period. Preferably, to ensure the accuracy of private-connection detection, the detection period should not be set too long; it can be, for example, half an hour, 5 minutes or 10 minutes.
Of course, to reduce the impact of frequent private-connection detection on the normal operation of network management device 10a, the detection period can instead be set longer, for example one week or one month. In that case, to ensure detection accuracy, each time the detection period arrives, the data messages with the same source IP address can be identified from the data messages received during a span of time just before the current period arrives, for example the half hour, 5 minutes or 10 minutes before the current period arrives, but not limited to this.
Alternatively, the user can operate a button or control of the corresponding software interface on the network management device; in response to the user's operation, the network management device identifies the data messages with the same source IP address from the data messages received during a span of time before the operation, for example the half hour, 5 minutes or 10 minutes before responding to the user's operation, but not limited to this.
Further, because data messages often carry information associated with terminal device identity, in steps 202 and 203 the number of terminal devices sending data messages with the same source IP address can be determined according to the identity-associated information carried in those data messages; and if the number of terminal devices sending data messages with the source IP address is greater than the designated terminal quantity, it is determined that private-connection behavior exists for the source IP address. In step 202, the determined number of terminal devices sending data messages with the same source IP address can be an exact number, for example 1, 2 or 10, or a numerical range, i.e. the range to which the number of terminal devices belongs; that range can be "greater than some known value", for example greater than the designated terminal quantity.
It should be noted that, in this embodiment, to protect the internet access rights of legitimate users and improve their online experience, generally only one terminal device is allowed to use a given IP address, so the designated terminal quantity is generally set to 1. Of course, the designated terminal quantity can also be set flexibly according to the user's actual needs. For example, a family may want the terminal devices of its members (mobile phones, computers and so on) to share one IP address, and the designated terminal quantity can then be set according to the number of terminal devices the family members use.
It should also be noted that this embodiment does not limit how an IP address is handled after private-connection behavior has been detected for it; no punitive measure need be taken. Of course, to facilitate later network management and to protect the internet access rights of legitimate users, certain punitive measures can be taken when private-connection behavior is detected for an IP address. For example, the connection of the terminal devices corresponding to the source IP address can be blocked, or the network speed of those terminal devices can be limited, for example by limiting their bandwidth, but not limited to this. The duration of the penalty applied to a source IP address with private-connection behavior can be set flexibly according to actual needs, for example 2 hours, one day or two days.
In this embodiment, data messages with the same source IP address are first identified from the data messages received from the managed terminal devices; the number of terminal devices sending data messages with that source IP address is then determined according to the identity-associated information carried in those data messages; and if that number is greater than the designated terminal quantity, it is determined that private-connection behavior exists for the source IP address. In this way, private-connection behavior can be identified without installing and running a corresponding client program on the user's terminal device, which reduces the load on the terminal device and helps improve the user's online experience.
In an optional embodiment, the data messages sent by a terminal device carry several kinds of information associated with terminal device identity. From this information the network management device can determine the identity of the terminal devices sending data messages with the same source IP address, and the number of terminal devices sending those data messages. Depending on the internet behavior the user performs with the terminal device, the identity-associated information carried in the data messages sent to the network management device differs. Therefore, in step 202, the number of terminal devices sending data messages with the same source IP address can be determined from different types of associated information. Optional implementations of step 202 are described below for different internet behaviors, i.e. different application scenarios.
Embodiment 1: Based on application scenario A above, UA information is known to be associated with terminal device identity. One optional implementation of step 202 is therefore: determine the number of terminal devices sending data messages with the same source IP address according to the UA information carried in the data messages with that source IP address.
Further, one or more virtual machines may be installed on a terminal device. When the user starts a virtual machine on the terminal device and generates internet behavior, the virtual machine also sends data messages to the network management device, and these data messages carry UA information associated with the identity of the virtual machine. Therefore, to improve the accuracy of private-connection detection, the UA information of virtual machines in the received data messages can be filtered out. In this embodiment, the UA information of a virtual machine contains a special virtual machine feature field. Based on this, before the number of terminal devices sending data messages with the same source IP address is determined from the UA information carried in those data messages, it can first be judged whether that UA information includes any UA information containing a virtual machine feature field; if so, the UA information containing the virtual machine feature field is filtered out.
Optionally, filtering rules for UA information containing a virtual machine feature field can be preset. For example, priorities among the virtual machine feature fields can be preset, and the UA information containing virtual machine feature fields filtered out in turn according to those priorities. The number of priorities can be set flexibly according to the types of virtual machine feature field. For the description of the priorities among virtual machine feature fields and of the filtering rules, see the related content in the system embodiment above, which is not repeated here.
Further, if a source IP address is shared by multiple terminal devices, the UA information in the data messages those devices send differs. Based on this, one optional implementation of determining, according to the UA information carried in data messages with the same source IP address, the number of terminal devices sending data messages with that source IP address is: count the number of different UA information items present in the data messages with the same source IP address, and use that number as the number of terminal devices sending data messages with that source IP address.
Optionally, if a source IP address is shared by multiple terminal devices and those devices run different operating systems or are different machine models, the UA information in the data messages they send also differs. Based on this, an optional implementation of determining the number of different UA information items in data messages with the same source IP address is: according to the UA information in those data messages, count the number of different operating systems present in them and use that number as the number of different UA information items; and/or count the number of different machine models present in them and use that number as the number of different UA information items.
It should be noted that, when both different operating systems and different machine models are used to determine the number of UA information items, the number of different UA information items equals the larger of the two counts. For example, if there is only one type of operating system but two or more machine models, the number of different UA information items is the number of different machine models. For the definitions of different operating systems and different machine models, and for the description of the operating system storage rule and the model storage rule, see the related content in the system embodiment above, which is not repeated here.
Further, a user may sometimes need to share an IP address temporarily. In such cases, when multiple terminal devices share the same IP address, some of them may appear only briefly. If private-connection behavior were detected for the source IP address in this situation and punitive measures taken against the corresponding terminal devices, the user's use of the network would be inconvenienced. Therefore, to improve the robustness and flexibility of private-connection detection, when counting the number of different operating systems present in data messages with the same source IP address, the occurrences of each operating system can be counted separately according to the UA information in those data messages. When the number of occurrences of an operating system is greater than or equal to a preset first threshold, that operating system is set as an effective operating system, and the number of effective operating systems is used as the number of different operating systems in the UA information of the data messages with the same source IP address. The first threshold can be set flexibly according to actual needs and is not limited in the embodiments of this application. Optionally, after the occurrences of an operating system have been counted, it can be stored in the feature database in the operating system format above (the operating system storage rule).
Correspondingly, when counting the number of different machine models present in data messages with the same source IP address, the occurrences of each machine model can also be counted separately according to the UA information in those data messages. When the number of occurrences of a machine model is greater than or equal to a preset second threshold, that model is treated as an effective machine model, and the number of effective machine models is used as the number of different machine models in the UA information of the data messages with the same source IP address. The second threshold can be set flexibly according to actual needs and is not limited in the embodiments of this application. Optionally, after the occurrences of a machine model have been counted, it can be stored in the feature database in the model storage format (the model storage rule). For the description of the model storage rule, see the related content in the system embodiment above, which is not repeated here.
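The effective-operating-system count described here and in the system embodiment, run through steps 201 to 203, as an added example (not code from the patent). The feature-database rows are the three shown on the page; the UA strings, IP addresses, threshold values and the treatment of `_` and `.` as the same version separator are constructed or assumed, and machine models and virtual-machine filtering are left out.

```python
import csv
import re
from collections import Counter, defaultdict

# Feature-database rows in the format shown on the page:
# ID, system name, quoted pattern string, optional terminal type.
FEATURE_DB = '''1,Windows,"Windows NT",PC
2,Mac,"Mac OS X",PC
3,iPhone,"iPhone OS",Mobile
'''


def load_os_rules(text):
    """Parse feature-database rows into (os_id, name, terminal_type, regex)."""
    rules = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 3:
            continue
        terminal_type = row[3] if len(row) > 3 else None
        # The pattern string must be followed by a version number, so the
        # "like Mac OS X)" tail of an iPhone UA does not match the Mac rule.
        regex = re.compile(re.escape(row[2]) + r"\s+(\d+(?:[._]\d+)*)")
        rules.append((int(row[0]), row[1], terminal_type, regex))
    return rules


def classify_os(ua, rules):
    """Return (system name, version) for the first matching rule, else None."""
    for _os_id, name, _terminal_type, regex in rules:
        match = regex.search(ua)
        if match:
            # Assumption: "10_0_1" and "10.0.1" denote the same version.
            return name, match.group(1).replace("_", ".")
    return None


def detect_private_connection(messages, rules, first_threshold,
                              designated_terminals=1):
    """messages: iterable of (source IP, UA string) pairs from one period."""
    counts = defaultdict(Counter)
    for src_ip, ua in messages:                      # step 201: group by source IP
        os_key = classify_os(ua, rules)
        if os_key is not None:
            counts[src_ip][os_key] += 1
    report = {}
    for src_ip, per_os in counts.items():            # step 202: effective OS count
        effective = {key for key, n in per_os.items() if n >= first_threshold}
        report[src_ip] = {
            "effective_os": effective,
            # step 203: compare with the designated terminal quantity
            "private_connection": len(effective) > designated_terminals,
        }
    return report


# Constructed sample traffic (not from the page).
WIN10 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
WINXP = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50"
MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36"
SAMPLE = ([("10.0.0.5", WIN10)] * 3 + [("10.0.0.5", IPHONE)] * 3
          + [("10.0.0.5", MAC)]                      # one transient Mac request
          + [("10.0.0.9", WINXP)] * 4
          + [("10.0.0.9", IPHONE)])                  # one transient guest phone
RULES = load_os_rules(FEATURE_DB)
```

With a first threshold of 3, the single guest request on 10.0.0.9 is ignored; with a threshold of 1 the same address would be reported.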
Embodiment 2: Based on application scenario B above, the variation pattern of the TCP source port number is known to be associated with terminal device identity. Another optional implementation of step 202 is: determine the number of terminal devices sending data messages with the source IP address according to the TCP source port numbers carried in the data messages with the same source IP address.
Further, the number of TCP source port number sequences that vary with different patterns in data messages with the same source IP address can be counted, and that number used as the number of terminal devices sending data messages with the same source IP address.
For the description of setting an aging period in Embodiment 2, see the related content in the system embodiment above, which is not repeated here.
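One way to implement the TCP source-port sequence counting with aging that Embodiment 2 describes here and in the system embodiment, as an added example (not code from the patent). It assumes one record per new TCP connection with non-decreasing timestamps, takes "the port increases by a small step" as the variation pattern (the `max_gap` bound is an assumption), and uses constructed addresses and ports.

```python
from dataclasses import dataclass


@dataclass
class PortSequence:
    last_port: int      # most recent source port in this sequence
    last_seen: float    # timestamp of the most recent update
    length: int = 1     # number of ports placed in this sequence


class PortSequenceTracker:
    """Groups source ports seen from each source IP into increasing sequences."""

    def __init__(self, aging_period=300.0, max_gap=64):
        self.aging_period = aging_period  # seconds per aging period
        self.max_gap = max_gap            # assumption: largest step within one sequence
        self.sequences = {}               # src_ip -> list of PortSequence
        self.period = None                # index of the aging period in progress

    def _age(self, ts):
        period = int(ts // self.aging_period)
        if self.period is not None and period > self.period:
            # A period has ended: drop sequences that were not updated in it.
            cutoff = (period - 1) * self.aging_period
            for src_ip in list(self.sequences):
                kept = [s for s in self.sequences[src_ip] if s.last_seen >= cutoff]
                if kept:
                    self.sequences[src_ip] = kept
                else:
                    del self.sequences[src_ip]
        if self.period is None or period > self.period:
            self.period = period

    def observe(self, ts, src_ip, src_port):
        """Record the source port of a new connection seen at time ts."""
        self._age(ts)  # aging runs when traffic arrives, not on a separate timer
        seqs = self.sequences.setdefault(src_ip, [])
        best = None
        for seq in seqs:
            gap = src_port - seq.last_port
            # The port continues a sequence if it is a small forward step;
            # among candidates, prefer the closest one.
            if 0 <= gap <= self.max_gap and (best is None
                                             or seq.last_port > best.last_port):
                best = seq
        if best is None:
            seqs.append(PortSequence(src_port, ts))   # start of a new sequence
        else:
            best.last_port, best.last_seen = src_port, ts
            best.length += 1

    def device_count(self, src_ip):
        """Number of live sequences, used as the terminal device count."""
        return len(self.sequences.get(src_ip, []))

    def has_private_connection(self, src_ip, designated_terminals=1):
        return self.device_count(src_ip) > designated_terminals


def replay(records, **kwargs):
    """Feed (timestamp, source IP, source port) records to a new tracker."""
    tracker = PortSequenceTracker(**kwargs)
    for ts, src_ip, src_port in records:
        tracker.observe(ts, src_ip, src_port)
    return tracker


# Constructed records: two devices interleaved behind 192.0.2.10,
# a single device behind 192.0.2.20.
SAMPLE_RECORDS = [
    (0, "192.0.2.10", 49152), (1, "192.0.2.10", 51000),
    (2, "192.0.2.10", 49153), (3, "192.0.2.10", 51001),
    (4, "192.0.2.10", 49155), (5, "192.0.2.10", 51002),
    (6, "192.0.2.20", 50000), (7, "192.0.2.20", 50001),
    (8, "192.0.2.20", 50003),
]
```

A host whose TCP stack randomizes its source ports produces many one-element sequences under this rule, so the count is only meaningful for devices that follow the incrementing pattern the text describes.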
Embodiment 3: Based on application scenario C above, an upper limit m on the number of virtual identity accounts that one terminal device is allowed to log in to with the same application can be set. Assuming the designated terminal quantity is n, the upper limit on the number of virtual identity accounts that n terminals log in to with that application from the same source IP address is m*n. Either m*n or some value greater than m*n can be set as the default account quantity, which can be used to determine whether the number of terminals sending data messages with the same source IP address is greater than the designated terminal quantity, where m and n are positive integers. Thus, when the number of virtual identity accounts using the application from one source IP address exceeds the default account quantity, it is determined that the number of terminals sending data messages with that source IP address is greater than the preset designated terminal quantity. Based on this, another optional implementation of step 202 is: count the number of different virtual identity accounts under the same application present in data messages with the same source IP address; if the number of different virtual identity accounts under the same application is greater than the default account quantity, determine that the number of terminal devices sending data messages with the source IP address is greater than the designated terminal quantity, i.e. that private-connection behavior exists for the source IP address. The upper limit m on the number of virtual identity accounts that one terminal device is allowed to log in to with the same application can be set flexibly according to actual needs and is not limited in the embodiments of this application. It is worth noting that in Embodiment 3 the determined number of terminals sending data messages with the same source IP address is a numerical range, namely greater than the designated terminal quantity.
Further, to improve the accuracy of private-connection detection, the virtual identity accounts of applications that have a low false-detection rate or that users use frequently can be selected for detection, such as the virtual identity accounts of instant messaging applications or of online shopping platforms, but not limited to this.
For the specific description of setting an aging period in Embodiment 3, see the related content in the system embodiment above, which is not repeated here.
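The m*n account check of Embodiment 3, with the per-period aging described in the system embodiment, as an added example (not code from the patent). It assumes the virtual identity account and application name have already been extracted from each data message; the `margin` parameter, application names, accounts and addresses are constructed for illustration.

```python
from collections import defaultdict


class AccountCounter:
    """Counts distinct virtual identity accounts per (source IP, application)."""

    def __init__(self, m, n, aging_period, margin=0):
        if m < 1 or n < 1 or margin < 0:
            raise ValueError("m and n must be positive integers, margin >= 0")
        # The page allows m*n or some value greater than m*n; margin adds the excess.
        self.default_account_quantity = m * n + margin
        self.aging_period = aging_period      # seconds per aging period
        self.period = None                    # index of the aging period in progress
        self.accounts = defaultdict(set)      # (src_ip, app) -> accounts this period

    def observe(self, ts, src_ip, app, account):
        """Record one login sighting; return True if src_ip is now over the limit."""
        period = int(ts // self.aging_period)
        if period != self.period:
            # The aging period expired: accounts obtained in it are aged out.
            self.accounts.clear()
            self.period = period
        seen = self.accounts[(src_ip, app)]
        seen.add(account)   # an account already seen this period is not counted again
        return len(seen) > self.default_account_quantity

    def flagged(self):
        """Source IPs whose account count for some application exceeds the limit."""
        return sorted({src_ip for (src_ip, _app), seen in self.accounts.items()
                       if len(seen) > self.default_account_quantity})


# Constructed events: (timestamp, source IP, application, account).
SAMPLE_EVENTS = [
    (10, "10.0.0.5", "im", "alice"),
    (20, "10.0.0.5", "im", "bob"),
    (30, "10.0.0.5", "im", "alice"),    # repeat, not counted again
    (40, "10.0.0.5", "im", "carol"),    # third distinct account for "im"
    (50, "10.0.0.9", "im", "dave"),
    (60, "10.0.0.9", "im", "erin"),
    (70, "10.0.0.9", "shop", "dave"),
    (80, "10.0.0.9", "shop", "frank"),  # two per application, within m*n
]


def replay_events(events, m=2, n=1, aging_period=3600):
    """Run the events through a new counter and return (counter, per-event results)."""
    counter = AccountCounter(m, n, aging_period)
    results = [counter.observe(*event) for event in events]
    return counter, results
```

Counting per application matters: 10.0.0.9 shows four logins in total but never more than m*n under one application, so it is not reported.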
It should be noted that the executing subject of each step of above-described embodiment institute providing method may each be same equipment, Alternatively, this method is also by distinct device as executing subject.For example, step 201 and 202 executing subject can be equipment A;Again For example, the executing subject of step 201 can be equipment A, the executing subject of step 202 can be equipment B;Etc..
In addition, containing in some processes of the description in above-described embodiment and attached drawing according to particular order appearance Multiple operations, but it should be clearly understood that these operations can not execute or parallel according to its sequence what appears in this article It executes, serial number of operation such as 201,202 etc. is only used for distinguishing each different operation, and serial number itself does not represent any Execute sequence.In addition, these processes may include more or fewer operations, and these operations can execute in order or It is parallel to execute.
Fig. 3 is a schematic structural diagram of a network device provided by an embodiment of this application. As shown in Fig. 3, the network management device includes: a memory 30a, a processor 30b and a communication component 30c.
The memory 30a is used to store a computer program and can be configured to store various other data to support operations on the network management device. The processor 30b can execute the computer program stored in the memory 30a to implement the corresponding control logic. The memory 30a can be implemented by any type of volatile or non-volatile storage device or a combination of them, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The communication component 30c is configured to facilitate wired or wireless communication between the network management device and other devices. The network management device can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination of them. In one exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component can be implemented based on near-field communication (NFC) technology, radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
The communication component 30c is used to receive data packets.
The memory 30a is used to store a computer program.
The processor 30b is coupled to the memory 30a and executes the computer program so as to: identify, among the data packets received by the communication component 30c, the data packets having the same source IP address; determine, according to the information associated with terminal device identity carried in the data packets having the same source IP address, the number of terminal devices sending data packets with that source IP address; and, if the number of terminal devices sending data packets with the source IP address is greater than the specified terminal quantity, determine that private connection behavior exists for the source IP address.
In an optional embodiment, when determining the number of terminal devices sending data packets with the same source IP address, the processor 30b is specifically configured to: determine that number according to the UA information carried in the data packets having the same source IP address, where the UA information is associated with terminal device identity; and/or determine that number according to the TCP source port numbers carried in the data packets having the same source IP address, where the pattern in which the TCP source port number changes is associated with terminal device identity; and/or determine that number according to the virtual identity accounts carried in the data packets having the same source IP address.
Optionally, before determining the number of terminal devices sending data packets with the same source IP address according to the UA information carried in those data packets, the processor 30b is further configured to: judge whether the UA information carried in the data packets having the same source IP address includes UA information containing a virtual machine feature field; and, if so, filter out the UA information containing the virtual machine feature field.
Further, the processor 30b filtering out the UA information containing a virtual machine feature field includes: filtering out the UA information containing virtual machine feature fields one after another, according to a preset priority among the virtual machine feature fields.
In an optional embodiment, when determining the number of terminal devices sending data packets with the same source IP address according to the UA information carried in those data packets, the processor 30b is specifically configured to: count the number of different pieces of UA information present in the data packets having the same source IP address, and take that number as the number of terminal devices sending data packets with the same source IP address.
Further, when counting the number of different pieces of UA information present in the data packets having the same source IP address, the processor 30b is specifically configured to: count, according to the UA information in those data packets, the number of different operating systems present in them, and take the number of different operating systems as the number of different pieces of UA information; and/or count, according to the UA information in those data packets, the number of different device models present in them, and take the number of different device models as the number of different pieces of UA information.
Further, when counting the number of different operating systems present in the data packets having the same source IP address, the processor 30b is specifically configured to: count separately, according to the UA information in those data packets, how many times each operating system appears; treat an operating system as an effective operating system when its number of occurrences is greater than or equal to a preset first threshold; and take the number of effective operating systems as the number of different operating systems in the UA information of the data packets having the same source IP address.
Correspondingly, when counting the number of different device models present in the data packets having the same source IP address, the processor 30b is specifically configured to: count separately, according to the UA information in those data packets, how many times each device model appears; treat a device model as an effective device model when its number of occurrences is greater than or equal to a preset second threshold; and take the number of effective device models as the number of different device models in the UA information of the data packets having the same source IP address.
In another optional embodiment, when determining the number of terminal devices sending data packets with the same source IP address according to the TCP source port numbers carried in those data packets, the processor 30b is specifically configured to: count the number of TCP source port sequences, each changing according to a different pattern, that are present in the data packets having the same source IP address; and take the number of TCP source port sequences changing according to different patterns as the number of terminal devices sending data packets with the same source IP address.
In a further optional embodiment, when determining the number of terminal devices sending data packets with the same source IP address according to the virtual identity accounts carried in those data packets, the processor 30b is specifically configured to: count the number of different virtual identity accounts under the same application present in the data packets having the same source IP address; and, if the number of different virtual identity accounts under the same application is greater than the preset account quantity, determine that the number of terminal devices sending data packets with the same source IP address is greater than the specified terminal quantity.
In yet another optional embodiment, after determining that private connection behavior exists for a source IP address, the processor 30b is further configured to: block the connection of the terminal device corresponding to the source IP address for which private connection behavior exists; or limit the network speed of the terminal device corresponding to the source IP address for which private connection behavior exists.
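The UA-based counting with the first and second thresholds, the virtual machine UA filtering, and the m*n account rule of Embodiment 3 can be combined as in the following sketch. It is an added example, not code from the patent, and it does not cover the TCP source port rule. The virtual machine feature strings, the UA parsing patterns, the choice of the larger of the OS and model counts as the device estimate, and the sample records are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Hypothetical virtual-machine feature fields, listed in filtering priority order.
VM_FEATURE_FIELDS = ("VMware", "VirtualBox")

# Simplified OS fingerprints (assumption). Order matters: Android UAs also say
# "Linux", and iOS UAs also say "like Mac OS X".
OS_PATTERNS = [
    ("Android", re.compile(r"Android")),
    ("iOS", re.compile(r"iPhone OS|CPU OS")),
    ("Windows", re.compile(r"Windows NT")),
    ("macOS", re.compile(r"Mac OS X")),
    ("Linux", re.compile(r"Linux")),
]
ANDROID_MODEL = re.compile(r"Android [\d.]+; ([^;)]+?)(?: Build/|[;)])")


def parse_ua(ua):
    """Return (operating system, device model); either may be None."""
    os_name = next((label for label, rx in OS_PATTERNS if rx.search(ua)), None)
    match = ANDROID_MODEL.search(ua)
    if match:
        return os_name, match.group(1).strip()
    return os_name, ("iPhone" if "iPhone" in ua else None)


def is_vm_ua(ua):
    """True if the UA contains any virtual-machine feature field."""
    return any(field in ua for field in VM_FEATURE_FIELDS)


def effective_count(seen, threshold):
    """Count values that occur at least `threshold` times (None is ignored)."""
    return sum(1 for value, hits in seen.items()
               if value is not None and hits >= threshold)


def detect(records, n, m, os_threshold=2, model_threshold=2):
    """Flag source IPs whose estimated device count exceeds n.

    n: specified terminal quantity; m: accounts allowed per device per app.
    The preset account quantity is taken as m * n.
    """
    by_ip = defaultdict(list)
    for record in records:
        by_ip[record["src_ip"]].append(record)

    findings = {}
    for ip, recs in by_ip.items():
        os_seen, model_seen = Counter(), Counter()
        accounts = defaultdict(set)
        for r in recs:
            ua = r.get("ua")
            if ua and not is_vm_ua(ua):  # drop virtual-machine UAs first
                os_name, model = parse_ua(ua)
                os_seen[os_name] += 1
                model_seen[model] += 1
            if r.get("app") and r.get("account"):
                accounts[r["app"]].add(r["account"])
        # Assumption: use the larger of the two "effective" counts.
        devices = max(effective_count(os_seen, os_threshold),
                      effective_count(model_seen, model_threshold))
        over = sorted(app for app, ids in accounts.items() if len(ids) > m * n)
        findings[ip] = {
            "ua_devices": devices,
            "apps_over_limit": over,
            "private_connection": devices > n or bool(over),
        }
    return findings


# Constructed sample data (documentation addresses, made-up accounts).
WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
GALAXY = "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F Build/R16NW) AppleWebKit/537.36"
PIXEL = "Mozilla/5.0 (Linux; Android 9; Pixel 2 Build/PQ1A) AppleWebKit/537.36"
IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15"
VM_UA = "Mozilla/5.0 (X11; Linux x86_64) VirtualBox/6.0"


def rec(ip, ua=None, app=None, account=None):
    return {"src_ip": ip, "ua": ua, "app": app, "account": account}


SAMPLE = (
    # Three operating systems, each seen twice: three devices behind one IP.
    [rec("192.0.2.10", ua) for ua in (WIN, GALAXY, IPHONE) for _ in range(2)]
    # One real PC, one stray Android UA below threshold, and a VM to ignore.
    + [rec("192.0.2.20", WIN)] * 3 + [rec("192.0.2.20", PIXEL)]
    + [rec("192.0.2.20", VM_UA)] * 2
    # A single UA, but five accounts of one application (limit m*n = 4).
    + [rec("192.0.2.30", WIN, "im", f"user{i}") for i in range(5)]
)

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE, n=2, m=2).items():
        print(ip, finding)
```

The thresholds suppress one-off UA strings, and the account rule catches sharing that the UA rule misses when every device behind the address reports the same UA.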
In some optional embodiments, as shown in Fig. 3, the network device may also include optional components such as a power supply component 30d. Fig. 3 shows only some components schematically; this does not mean that the network device must include all the components shown in Fig. 3, nor that the network device can include only the components shown in Fig. 3.
The power supply component 30d is configured to provide power to the various components of the network device. The power supply component 30d may include a power management system, one or more power sources, and other components associated with generating, managing and distributing power for the device in which the power supply component is located.
It should be noted that, in this embodiment, the network device is a hardware facility used for network management. It may be a network device that connects wired or wireless network terminal devices together and then connects them to an Ethernet network in a wired or wireless manner. For example, it may be a device with routing functions such as a hub, gateway, switch, router, optical modem or AP, or it may be a server, but is not limited to these.
In this embodiment, the network device identifies, among the data packets received from the terminal devices it manages, the data packets having the same source IP address; determines, according to the information associated with terminal device identity carried in those data packets, the number of terminal devices sending data packets with that source IP address; and, if the number of terminal devices sending data packets with the source IP address is greater than the specified terminal quantity, determines that private connection behavior exists for the source IP address. In this way, private connection behavior can be identified without installing and running a corresponding client program on the user's terminal device, which reduces the burden on the user's terminal device and helps improve the user's online experience.
An embodiment of this application also provides a computer-readable storage medium storing a computer program which, when executed, can implement the steps of the above method.
It should be noted that descriptions such as "first" and "second" herein are used to distinguish different messages, devices, modules and the like; they do not represent an order, nor do they require that the "first" and the "second" be of different types.
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), an input/output interface, a network interface and memory.
The memory may include non-permanent memory in computer-readable media, in the form of random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" or any other variant of them are intended to cover non-exclusive inclusion, so that a process, method, commodity or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, commodity or device. Without further limitation, an element qualified by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, commodity or device that includes the element.
The above is only an embodiment of this application and is not intended to limit this application. For those skilled in the art, various modifications and changes to this application are possible. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of this application shall fall within the scope of the claims of this application.

Claims (11)

1. A private connection behavior detection method, characterized by comprising:
identifying, among received data packets, the data packets having the same source IP address;
determining, according to information associated with terminal device identity carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address;
if the number of terminal devices sending data packets with the source IP address is greater than a specified terminal quantity, determining that private connection behavior exists for the source IP address.
2. The method according to claim 1, characterized in that said determining, according to information associated with terminal device identity carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address comprises:
determining, according to UA information carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address, the UA information being associated with terminal device identity;
and/or
determining, according to TCP source port numbers carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address, the pattern in which the TCP source port number changes being associated with terminal device identity;
and/or
determining, according to virtual identity accounts carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address.
3. The method according to claim 2, characterized in that said determining, according to UA information carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address comprises:
counting the number of different pieces of UA information present in the data packets having the same source IP address, and taking the number of different pieces of UA information as the number of terminal devices sending data packets with the source IP address;
wherein said determining, according to TCP source port numbers carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address comprises:
counting the number of TCP source port sequences, each changing according to a different pattern, that are present in the data packets having the same source IP address; and taking the number of TCP source port sequences changing according to different patterns as the number of terminal devices sending data packets with the source IP address;
wherein said determining, according to virtual identity accounts carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address comprises:
counting the number of different virtual identity accounts under the same application present in the data packets having the same source IP address, and, if the number of different virtual identity accounts under the same application is greater than a preset account quantity, determining that the number of terminal devices sending data packets with the source IP address is greater than the specified terminal quantity.
4. The method according to claim 2, characterized in that, before determining, according to the UA information carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address, the method further comprises:
judging whether the UA information carried in the data packets having the same source IP address includes UA information containing a virtual machine feature field;
if so, filtering out the UA information containing the virtual machine feature field.
5. The method according to claim 4, characterized in that said filtering out the UA information containing the virtual machine feature field comprises:
filtering out the UA information containing the virtual machine feature fields one after another, according to a preset priority among the virtual machine feature fields.
6. The method according to claim 3, characterized in that said counting the number of different pieces of UA information in the data packets having the same source IP address comprises:
counting, according to the UA information in the data packets having the same source IP address, the number of different operating systems present in those data packets; and taking the number of different operating systems as the number of different pieces of UA information in the data packets having the same source IP address; and/or
counting, according to the UA information in the data packets having the same source IP address, the number of different device models present in those data packets; and taking the number of different device models as the number of different pieces of UA information in the data packets having the same source IP address.
7. The method according to claim 6, characterized in that said counting, according to the UA information in the data packets having the same source IP address, the number of different operating systems present in those data packets comprises:
counting separately, according to the UA information in the data packets having the same source IP address, the number of occurrences of each operating system present in those data packets;
when the number of occurrences of an operating system is greater than or equal to a preset first threshold, treating the operating system as an effective operating system; and taking the number of effective operating systems as the number of different operating systems in the UA information of the data packets having the same source IP address;
wherein said counting, according to the UA information in the data packets having the same source IP address, the number of different device models present in those data packets comprises:
counting separately, according to the UA information in the data packets having the same source IP address, the number of occurrences of each device model present in those data packets;
when the number of occurrences of a device model is greater than or equal to a preset second threshold, treating the device model as an effective device model; and taking the number of effective device models as the number of different device models in the UA information of the data packets having the same source IP address.
8. The method according to any one of claims 1-7, characterized by further comprising:
blocking the connection of the terminal device corresponding to the source IP address for which private connection behavior exists; or
limiting the network speed of the terminal device corresponding to the source IP address for which private connection behavior exists.
9. A network device, characterized by comprising: a memory, a processor and a communication component, wherein
the communication component is used to receive data packets;
the memory is used to store a computer program;
the processor is coupled to the memory and executes the computer program so as to:
identify, among the data packets received by the communication component, the data packets having the same source IP address;
determine, according to information associated with terminal device identity carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address;
if the number of terminal devices sending data packets with the source IP address is greater than a specified terminal quantity, determine that private connection behavior exists for the source IP address.
10. A private connection behavior detection system, characterized by comprising: a network management device and terminal devices managed by the network management device;
wherein the terminal devices are used to send data packets to the network management device;
the network management device is used to: identify, among the received data packets, the data packets having the same source IP address; determine, according to information associated with terminal device identity carried in the data packets having the same source IP address, the number of terminal devices sending data packets with the source IP address; and, if the number of terminal devices sending data packets with the source IP address is greater than a specified terminal quantity, determine that private connection behavior exists for the source IP address.
11. A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed, the steps of the method of any one of claims 1-8 can be implemented.
CN201811259689.4A 2018-10-26 2018-10-26 Private connects behavioral value method, the network equipment, system and storage medium Pending CN109639628A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811259689.4A CN109639628A (en) 2018-10-26 2018-10-26 Private connects behavioral value method, the network equipment, system and storage medium


Publications (1)

Publication Number Publication Date
CN109639628A true CN109639628A (en) 2019-04-16


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190416
