CN109951811B - Service number short message monitoring method, device and system - Google Patents
Service number short message monitoring method, device and system Download PDFInfo
- Publication number
- CN109951811B CN109951811B CN201711386484.8A CN201711386484A CN109951811B CN 109951811 B CN109951811 B CN 109951811B CN 201711386484 A CN201711386484 A CN 201711386484A CN 109951811 B CN109951811 B CN 109951811B
- Authority
- CN
- China
- Prior art keywords
- short message
- monitoring
- service number
- strategy
- network side
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method, a device and a system for monitoring a service number short message, which relate to the field of communication, wherein the method comprises the following steps: comparing the short message of the network side service number with the stored short message sample of the service number in a similar way; if the similar comparison result is matched, the short message is released or intercepted according to the audit result corresponding to the short message sample; and if the similar comparison result is not matched, performing strategy monitoring on the short message, and when the strategy monitoring result is that the short message is suspected, performing manual audit on the short message to obtain an audit result of the short message, and storing the short message and the audit result as a sample. The embodiment of the invention makes it possible to monitor the large-flow sending behavior.
Description
Technical Field
The invention relates to the field of communication, in particular to a method, a device and a system for monitoring a service number short message.
Background
The junk short messages sent by the current terminal numbers are basically effectively managed. However, a new spam sending behavior is out of water, i.e. sending advertisements through the port of the short message service provider.
The short message service provider usually controls the sending of the keywords according to the service range of the service number, so as to achieve the purpose of controlling the sending behavior of the short message service provider. However, with the increase of the port transmission volume of the service provider, a single monitoring server often cannot perform effective monitoring because of too large number traffic of the service provider, and particularly, such a monitoring method is performed on service numbers from other operators at the short message gateway side.
Disclosure of Invention
The embodiment of the invention provides a method, a device and a system for monitoring a service number short message, which at least solve the monitoring problem of a large-flow short message service provider and limit the type of a short message service sent by the service number short message service provider.
The service number short message monitoring method provided by the embodiment of the invention comprises the following steps:
comparing the short message of the network side service number with the stored short message sample of the service number in a similar way;
if the similar comparison result is matched, the short message is released or intercepted according to the audit result corresponding to the short message sample;
and if the similar comparison result is not matched, performing strategy monitoring on the short message, and when the strategy monitoring result is that the short message is suspected, performing manual audit on the short message to obtain an audit result of the short message, and storing the short message and the audit result as a sample.
Preferably, before comparing the short message of the network-side service number with the stored short message sample of the service number, the method further includes:
and receiving the short message of the network side service number input according to the preset load control strategy.
Preferably, the comparing the short message of the network side service number with the stored short message sample of the service number similarly includes:
and if the similarity between the short message of the network side service number and the stored short message sample of the service number exceeds a preset similarity threshold, determining that the similarity comparison result is matching.
Preferably, the performing policy monitoring on the short message includes:
if the short message of the network side service number meets the monitoring condition in a preset strategy, counting the short messages of the network side service number meeting the monitoring condition in the current statistical period to obtain a strategy hit count value;
when the strategy hit count value reaches the preset number in the preset strategy and/or the current statistical period is finished, sending the strategy hit count value as a current report value to a monitoring counting server, and acquiring the accumulated value of the short messages of the network side service number meeting the monitoring condition in a strategy statistical time period from the monitoring counting server;
and determining whether the short message of the network side service number is a suspected short message or not according to the current reported value, the accumulated value and the violation threshold value.
Preferably, after the manual audit of the short message, the method further comprises:
and releasing or intercepting the short message according to an audit result obtained by manually auditing the short message.
The service number short message monitoring device provided by the embodiment of the invention comprises: a processor, and a memory coupled to the processor; the memory is stored with a service number short message monitoring program which can run on the processor, and the service number short message monitoring program realizes the steps of the service number short message monitoring method when being executed by the processor.
The service number short message monitoring system provided by the embodiment of the invention comprises:
the monitoring analysis servers are used for carrying out similar comparison on the short message of the network side service number and the stored short message sample of the service number, if the similar comparison result is matched, the short message is released or intercepted according to the audit result corresponding to the short message sample, and if the similar comparison result is not matched, the strategy monitoring is carried out on the short message;
and the short message manual audit server is used for carrying out manual audit on the short message to obtain an audit result of the short message when the result of the strategy monitoring is that the short message is suspected, and storing the short message and the audit result as a sample.
Preferably, before comparing the short message of the network side service number with the stored short message sample of the service number, each monitoring and analyzing server receives the short message of the network side service number input according to a preset load control policy.
Preferably, the method further comprises the following steps:
the monitoring counting server is used for counting the accumulated value of all the short messages of the network side service number meeting the monitoring condition in the preset strategy within the strategy counting time period;
if the short message of the network side service number meets the monitoring condition in the preset strategy, the monitoring analysis server counts the short messages of the network side service number meeting the monitoring condition in the current statistical period to obtain a strategy hit count value, when the strategy hit count value reaches the preset number in the preset strategy and/or the current statistical period is finished, the strategy hit count value is used as a current report value to be sent to the monitoring counting server, the accumulated value is obtained from the monitoring counting server, and whether the short message of the network side service number is a suspected short message or not is determined according to the current report value, the accumulated value and an violation threshold value.
Preferably, after the manual audit is performed on the short message, the monitoring analysis server is further configured to pass or intercept the short message according to an audit result obtained by performing the manual audit on the short message.
The technical scheme provided by the embodiment of the invention has the following beneficial effects:
1. the embodiment of the invention limits the service range of the short message of the service provider by realizing the automatic audit function of the short message sample, and improves the treatment effect of the short message sending behavior of the short message service provider;
2. the embodiment of the invention improves the random short message flow processing capacity from a short message gateway or a center through a load sharing mode;
3. the embodiment of the invention reduces the system transaction amount of subsequent monitoring and counting by reporting the strategy hit accumulated value in a fixed time and quantity manner, thereby enabling the monitoring of the large-flow sending behavior to be possible.
Drawings
FIG. 1 is a flow chart of monitoring a service number by a short message according to an embodiment of the present invention;
fig. 2 is a block diagram of a service number short message monitoring system provided in an embodiment of the present invention;
FIG. 3 is a schematic diagram of component deployment and processing according to an exemplary embodiment of the present invention;
FIG. 4 is a schematic diagram of a process for policy analysis processing for providing suspected samples to a short message manual review module according to an exemplary embodiment of the present invention;
FIG. 5 is a schematic diagram of a policy violation threshold violation analysis in accordance with an exemplary embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings, and it should be understood that the preferred embodiments described below are only for the purpose of illustrating and explaining the present invention, and are not to be construed as limiting the present invention.
Fig. 1 is a flowchart of a service number short message monitoring method provided in an embodiment of the present invention, and as shown in fig. 1, the steps include:
step S10: and comparing the short message of the network side service number with the stored short message sample of the service number.
Before step S10, the method further includes: in the monitoring network, a plurality of monitoring analysis nodes (or monitoring analysis modules) may be employed, and the monitoring analysis nodes are distributed on at least two monitoring analysis servers, that is, at least one monitoring analysis node may be disposed on each monitoring analysis server. Therefore, according to a preset load control strategy, the short message of the network side service number can be input to each monitoring analysis node for similar comparison and strategy monitoring. In this embodiment, the multiple monitoring and analyzing nodes are utilized to perform load sharing, so as to improve the traffic handling capability of short messages from the network side short message sending device (for example, the short message sending device may be a short message gateway, a short message center, or the like).
For example, according to a called number carried by a short message of the network side service number, the short message of the network side service number received by the network side short message sending equipment is input to each monitoring analysis node.
The monitoring system of the embodiment of the invention adopts a plurality of monitoring analysis nodes. The problem is mainly reflected in that the general monitoring design is routed to the monitoring analysis node according to the calling party, so that the performance of the monitoring analysis node is insufficient. In this embodiment, the monitoring analysis node is routed according to the called number, and generally, the scale of the number of the service provider is much smaller than that of the called number, so that the called routing mode can enable the monitoring analysis node to obtain relatively uniform short message traffic.
Step S10 includes: and if the similarity between the network side service number short message and the short message sample exceeds a preset similarity threshold, the monitoring analysis node determines that the similarity comparison result is matching. For example, when the similarity exceeds 70%, the short message of the network side service number is determined to be matched with the short message sample.
Step S20: and if the similarity comparison result is matching, releasing or intercepting the short message according to the audit result corresponding to the short message sample.
Step S20 includes: and the monitoring analysis node searches an audit result corresponding to the short message sample from the sample container and informs the network side short message sending equipment to intercept or send the short message according to the audit result.
The embodiment limits the service range of the short message of the service provider by realizing the automatic audit of the short message sample, and improves the treatment effect of the short message sending behavior of the short message service provider.
Step S30: and if the similar comparison result is not matched, performing strategy monitoring on the short message, and when the strategy monitoring result is that the short message is suspected, performing manual audit on the short message to obtain an audit result of the short message, and storing the short message and the audit result as a sample.
The step of determining whether the short message of the network side service number is a suspected short message in step S30 specifically includes: if the short message of the network side service number meets the monitoring condition in a preset strategy (such as a content keyword matching strategy and/or a unit time sending flow strategy), counting the short messages of the network side service number meeting the monitoring condition in the current statistical period to obtain a strategy hit count value; when the strategy hit count value reaches the preset number in the preset strategy and/or the current statistical period is finished, sending the strategy hit count value as a current report value to a monitoring counting server, and acquiring the accumulated value of the short messages of the network side service number meeting the monitoring condition in a strategy statistical time period from the monitoring counting server; and then determining whether the short message of the network side service number is a suspected short message or not according to the current reported value, the accumulated value and a violation threshold value. The algorithm for determining whether the short message of the network side service number is a suspected short message according to the current reported value, the accumulated value and the violation threshold value may adopt a rough threshold violation algorithm, that is, if the violation threshold value is greater than the current reported value and less than the accumulated value, the short message of the network side service number is determined to be a suspected short message. For example, when monitoring short messages sent by a certain service number by using monitoring analysis nodes a, B, and C respectively arranged on monitoring servers a, B, and C, it is assumed that the monitoring analysis server a sends a report value hitting a preset policy D2 times within a statistical period, and at this time, the cumulative value of the monitoring counting server is 2 times (i.e., a: 2); the monitoring and analyzing server C then sends a report of hit to the predetermined policy D4 times, at which time the cumulative value of the monitoring and counting servers is 6 times (i.e. A + C: 2+ 4). If the violation threshold value of the policy D is 5, the monitoring analysis server C queries 6 times (> threshold 5, and the reported value of C is 4 times < threshold 5), and may determine that the short message of the service number is suspected to be violated.
Step S30, when the result of the policy monitoring is that the short message is a suspected short message, performing manual audit on the short message to obtain an audit result of the short message, and storing the short message and the audit result as a sample, specifically includes: and if the suspected short message is the suspected short message, manually auditing the suspected short message by using a short message manual audit server, specifically, sending the suspected short message to the short message manual audit server, auditing the suspected short message by using the short message manual audit server (provided with one or more short message manual audit nodes or modules), determining whether the suspected short message is the illegal short message, and giving a corresponding audit result. Further, after the suspected short message is manually audited, the auditing result of the suspected short message may be illegal or normal, when the short message is taken as a sample, if the suspected short message is illegal, the corresponding auditing result is intercepted, and if the suspected short message is normal, the corresponding auditing result is released. And finally, storing the short message and the audit result as a sample.
The embodiment reports the strategy hit accumulated value (namely the current reported value) quantitatively at regular time, reduces the system transaction amount of subsequent monitoring and counting, and provides support for monitoring large-flow sending behaviors. That is to say, in general, the monitoring is performed for the sender, and the monitoring analysis node of this embodiment adopts a called routing manner, and additionally sets a monitoring counting node (or a monitoring counting module, which is set on a monitoring counting server) to perform threshold statistics on the hit information of the sender. However, routing to the monitoring and counting node according to the sender also leads to insufficient performance of the monitoring and counting node, so in the embodiment, in the monitoring and analyzing node, a timing aggregation mode is adopted, that is, the hit information of the sender is aggregated within a period of time (or a current statistical period), the monitoring and counting node is submitted in a unified manner, and the number of processing requests received by the monitoring and counting node is reduced; meanwhile, in order to reduce the delay problem caused by timing convergence of most of the sending parties, a short message quantity threshold (or a preset quantity requirement) is specially set in the timing convergence, and when the threshold is reached, whether the timing time is met or not is not considered, and the hit information is immediately submitted to the monitoring counting node.
The sample comparison of the embodiment adopts a similar comparison mode, and can support million-level samples. The samples come from the manual short message auditing nodes, the short messages sent to the manual short message auditing nodes are provided by a general content keyword monitoring analysis process or a sending flow analysis process arranged in the monitoring analysis node, and only one similar short message of the same sender is submitted to the manual short message auditing nodes so as to reduce the auditing workload. The monitoring counting node is mainly used for serving a keyword analysis process in the monitoring analysis node and providing a threshold counting function.
It will be understood by those skilled in the art that all or part of the steps in the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, and the program may be stored in a computer readable storage medium. Furthermore, an embodiment of the present invention may further provide a storage medium, on which a service number short message monitoring program is stored, where the service number short message monitoring program, when executed by a processor, implements the steps of the service number short message monitoring method. The storage medium may include ROM/RAM, magnetic disk, optical disk, and U disk.
The embodiment of the invention also provides a service number short message monitoring device, which comprises: a processor, and a memory coupled to the processor; the memory is stored with a service number short message monitoring program which can run on the processor, and the service number short message monitoring program realizes the steps of the service number short message monitoring method when being executed by the processor.
The embodiment of the invention can effectively solve the monitoring problem of the large-flow short message service provider, limit the service range of the service provider and improve the monitoring effect.
Fig. 2 is a block diagram of a service number short message monitoring system provided in the embodiment of the present invention, as shown in fig. 2, including: multiple monitoring analysis servers, multiple monitoring counting servers and short message manual auditing server.
Each monitoring and analyzing server at least comprises a monitoring and analyzing node (or a monitoring and analyzing module) which is used for carrying out similarity comparison on the short message of the network side service number and the stored short message sample of the service number, if the similarity comparison result is matched, the short message is released or intercepted according to the auditing result corresponding to the short message sample, and if the similarity comparison result is not matched, the short message is strategy monitored. Furthermore, in the embodiment of the present invention, a plurality of monitoring and analyzing nodes exist in a distributed manner on different servers in a monitoring network, and perform monitoring and analysis on the input short messages of the same network side service number.
The short message manual audit server at least comprises a short message manual audit node (or a short message manual audit module) which is used for carrying out manual audit on the short message to obtain an audit result of the short message when the result of strategy monitoring is that the short message is suspected, and storing the short message and the audit result as a sample.
Each monitoring counting server at least comprises a monitoring counting node (or a monitoring counting module) for counting the accumulated value of all short messages of the network side service number meeting the monitoring condition in the preset strategy within the strategy counting time period. Furthermore, in the embodiment of the present invention, a plurality of monitoring and analyzing nodes exist in a distributed manner on different servers in a monitoring network, and each monitoring and analyzing node counts the accumulated value of short messages sent by the same network side service number.
Wherein the monitoring analysis nodes are larger than the number of the monitoring counting nodes.
For a certain monitoring and analyzing node, receiving a short message of the network side service number input according to a preset load control strategy, then performing similarity comparison on the received short message of the network side service number and a stored short message sample of the service number, if the similarity of the short message of the network side service number and the stored short message sample of the service number exceeds a preset similarity threshold, determining that the similarity comparison result is matched, at the moment, the monitoring and analyzing node searches an auditing result corresponding to the short message sample from a sample container, and informs the network side short message sending equipment to intercept or send the short message according to the auditing result, if the similarity of the short message of the network side service number and the stored short message sample exceeds the preset similarity threshold, the monitoring and analyzing node further determines whether the short message of the network side service number meets a monitoring condition in a preset strategy (such as a content keyword matching strategy and/or a unit time sending flow strategy, etc.), if the number of the short messages meets the monitoring condition in the current statistical period, counting the short messages of the service number meeting the monitoring condition in the current statistical period to obtain a strategy hit count value, when the strategy hit count value reaches a preset number in the preset strategy and/or the current statistical period is finished, sending the number serving as a current reported value to a monitoring counting node by a monitoring analysis node, obtaining the accumulated value from the monitoring counting node, determining whether the short messages of the service number at the network side are suspected short messages according to the current reported value, the accumulated value and a violation threshold value, and if the short messages are suspected short messages, sending the short messages to a short message manual node to determine whether the violation short messages are violation short messages. The manual short message audit node can take the suspected short message as a new short message sample, or modify the short message sample by using the manual short message audit node to obtain a new short message sample, and then store the new short message sample and a corresponding audit result, so that the monitoring analysis node performs sample comparison processing on a later received short message of the network side service number by using the new short message sample.
It should be noted that short messages of the same service number need to be basically and uniformly input to a plurality of monitoring and analyzing nodes for monitoring and analyzing, when any monitoring and analyzing node determines that the received short message hits a preset policy, a count value is periodically and quantitatively submitted to a monitoring and counting node for accumulating the sending amount of the short message of the service number, and the accumulated value is inquired from the monitoring and counting node, so that the number of transactions which the monitoring and counting node needs to process is greatly reduced. The preset policy may be a content keyword matching policy, a traffic sending policy, or other policies. Taking a keyword matching policy (including a monitoring condition (i.e., a keyword) and a preset number threshold) as an example, the short message hit preset policy means that the content of the short message matches the keyword in the preset policy, and the monitoring analysis node counts the number of short message transmissions of the calling number to a preset number. Taking a sending flow policy (including a monitoring condition (e.g., a service number attribute condition) and a preset number threshold) as an example, the short message hit preset policy means that the service number attribute of the short message matches with an attribute in the preset policy, and a count value of the sending number of the short message reaches the preset number.
Fig. 3 is a schematic diagram of component deployment and processing according to an exemplary embodiment of the present invention, and as shown in fig. 3, includes a monitoring analysis module 202, a monitoring counting module 203, and a manual short message audit module 204.
The monitoring analysis module 202 is responsible for performing policy hit analysis on the short message, such as a common keyword policy and a flow policy; meanwhile, an automatic short message audit function is provided. The module will report the summarized strategy hit count to the monitoring counting module for counting at regular time and quantity. Specifically, the monitoring analysis module 202 includes 2 components for policy analysis and sample auto-audit. The strategy analysis component mainly realizes the hit analysis of the keyword strategy and the flow strategy and reports the analysis result to the monitoring counting module 203 in a fixed time and quantity mode. In the embodiment of the invention, each number is timed for 1 second, 3 short messages are quantified, and the analysis results are summarized and reported. And the sample automatic auditing component adopts a minhash algorithm to compare the input short message with the existing short message sample, and if 70% of the input short message is similar to the existing short message sample, the input short message sample is regarded as a hit sample.
The monitoring counting module 202 is only responsible for counting the policy traffic reported by the monitoring analysis module and returning the current hit count of the policy. Specifically, the monitor count module 203 is responsible for accumulating the received policy count and returning the current accumulation result. In the embodiment of the invention, a high-frequency and sliding window accumulation method is realized, and multithreading is utilized, so that the system processing capacity is fully exerted, and the processing performance is improved.
And the manual short message auditing module 203 is responsible for auditing the illegal short messages reported by the monitoring and analyzing module and providing samples for the automatic short message auditing module. Specifically, the manual short message audit module 204 includes a page audit component and an automatic sample audit component. The page auditing component mainly comprises a WEB page and provides a friendly auditing interface for workers. The automatic sample audit component uses a component similar to the monitoring analysis module 202, and is mainly used for reducing the amount of manual audit messages.
The method for monitoring the service number short message comprises the following steps:
step A: the random short message of the service provider number from the short message gateway side or the short message center 201 is uniformly input to the monitoring analysis module 202.
And B: the monitoring and analysis module 202 first enters a short message into the sample automatic audit component to determine if a sample is hit. And if the result is hit, releasing or intercepting is executed according to the audit opinions of the sample, and the monitoring process is finished. If not, executing the key word strategy and the flow strategy set by the system, and counting the hit in the current statistical period. In the counting period, if the message quantity sent by a certain number reaches the set threshold value, the strategy hit counting information is sent to the monitoring counting module according to the user number module value, and the hit accumulated value of all strategies of the current number in the module is cleared. After the statistical period is over, the rest strategy hit statistical information is sent to the monitoring counting module 203 according to the above principle, and then the hit accumulated values of all strategies of the current number in the module are cleared.
And C: after receiving the policy counting request from the monitoring and analyzing module 202, the monitoring and counting module 203 counts according to a reporting policy counting rule, such as high frequency or accumulation using a sliding window, and then returns the count in the current policy counting time period to the requesting monitoring and analyzing module 202.
Step D: after receiving the policy current count of the number, the monitoring analysis module 202 determines whether violation occurs according to the count value, the threshold, and the current report amount. If the threshold is reached, the message will violate the threshold and be sent to the manual short message audit module 204. At this time, for the audit mode, a first issue and then review or a first issue and then issue strategy can be adopted. If the short message is sent first and then examined, the monitoring analysis module 202 directly passes the short message accumulated in the current statistical period, and the monitoring process is ended. If the short message is checked and then sent, the monitoring analysis module 202 is required to cache the current short message, and the monitoring process can be ended only after the audit result of the short message manual audit module 204 is received.
Step E: after receiving the audit request from the monitoring and analyzing module 202, the manual short message audit module 204 first compares the audit request with the self-audited short message sample, and if an audit result exists, directly returns the audit result. If not, submitting to a WEB page for display, and after manual auditing, returning an auditing result to the monitoring analysis module 202. Also, manual short message audit module 204 may modify the previous audit results.
Step F: after receiving the audit result, the monitoring and analyzing module 202 stores the audit sample and the audit result in a sample container in the module for subsequent use. At this time, if the mode is the forward-to-backward mode, the short message similar to the sample needs to be disposed according to the audit result.
Taking the mode of examination before issue as an example, the specific process is shown in fig. 3, and includes:
step 101: the random short message from the short message gateway/center 201 is sent to the monitoring analysis module 202 through a polling mode, so as to ensure that each monitoring analysis module 202 in the system obtains uniform and consistent message traffic.
In step 101, the monitoring and analyzing module 202 of the embodiment of the present invention realizes load sharing, and can increase the system processing capacity by increasing the number of nodes, thereby providing effective analysis performance for the large-flow sending behavior of the service provider.
Step 102: the monitoring and analyzing module 202 sends the policy hit information summarized periodically or quantitatively within 1 second of the statistical time period to the policy counting module 203.
Step 103: after receiving the policy count request from the monitoring analysis module 202, the policy count module 203 performs accumulation according to the count mode specified in the policy, and returns the current accumulated value to the requesting monitoring analysis module 202.
Step 104: after receiving the policy current accumulated value and determining that the user behavior violates the rule, the monitoring analysis module 202 sends the violating user and subsequent messages to the short message manual audit module 204.
Step 105: the short message manual audit module 204 sends the audit result to the monitoring analysis module 202, and then the monitoring analysis module 202 caches the result in the automatic sample audit component.
In steps 104 and 105, a sample cache with a total amount of millions is constructed through a minhash text similarity algorithm, and the sending content of the service provider number is effectively limited.
Step 106: the monitoring analysis module 202 returns an interception or release instruction to the short message gateway/center 201 according to the audit result. The audit result can be a sample automatic audit component from the module or from the short message manual audit module 204.
Fig. 4 is a schematic diagram of a policy analysis processing procedure for providing suspected samples for a manual short message audit module according to an exemplary embodiment of the present invention, and as shown in fig. 4, the exemplary policy monitoring processing procedure for the monitoring analysis module 202 according to this embodiment includes:
step 401: the monitoring analysis module 202 performs policy analysis on the input short message and records the hit policy information.
Step 402: the monitoring and analyzing module 202 collects and counts the hit policy information and the policy information stored before the sending user, and registers the current number of short messages of the sending user.
Step 403: the monitoring analysis module 202 compares the number of short messages currently registered by the sending user with the aggregation threshold, and if the number of short messages reaches the aggregation threshold, the monitoring analysis module 203 directly queries the current count value of the hit policy, and the step 405 is executed; if not, the sending user is placed in the message waiting area, and step 404 is entered, in this embodiment, the sending user will wait for about 1 second in the waiting area, then perform the query of the counting node 203, and enter step 405.
In step 403, the message traffic is collected in a fixed time and quantity manner, so that the message volume sent from the monitoring analysis module 202 to the monitoring counting module 203 is effectively reduced, and meanwhile, the optimized monitoring counting module 203 effectively improves the message counting processing capacity, so that the large traffic monitoring of the service provider is implemented.
In step 403 of this embodiment, the timing and the quantifying will result in the delay of sending all the short messages being increased by about 1 second at most, but in general, the delay is acceptable for the short message system.
Step 406: the monitoring analysis module 202 performs threshold analysis after querying that the sending user hits the current policy count value.
As shown in fig. 4, in step 403, the monitoring analysis module 202 in this embodiment sets the aggregation threshold to be 3, and then, adds a reasonably set policy, so as to reduce the service number traffic sent to the monitoring counting module to one third of the original traffic; and the 1 second timing is set for subsequent processing, so that the monitoring problem of the small-flow sending behavior is effectively solved. In this way, the present embodiment performs traffic attenuation on the traffic sending behavior of the service number, but does not affect the monitoring effect at the same time.
Fig. 5 is a schematic diagram of policy violation threshold violation analysis according to an exemplary embodiment of the present invention, and as shown in fig. 5, the exemplary embodiment is a process of policy threshold violation analysis: according to the sent count value N (or the current reported value), the inquired back message count value M (or the accumulated value) and the policy violation threshold T, the sending behavior of the aggregation can be determined to be all misses, all hits or partial hits and partial misses. For example, the statistical value of the short message hit strategy D sent by a certain service number in the statistical period is sequentially 2 times, 3 times and 4 times at monitoring analysis nodes a, B and C; and sending the data to a monitoring counting node according to a certain sequence, wherein the inquired accumulated values in the strategy statistical period are 2 times (A: 2), 6 times (A + C: 2+4) and 9 times (A + B + C: 2+3+4) in sequence. If the hit threshold of the policy D is 5, only the node B and the node C query the accumulated value greater than the threshold 5. Node C queries 6 times (> threshold 5, and C sends statistics value 4 times < threshold 5), and can send statistics value 2 and C sends statistics value 4 by a, and determines that the violation position is in the 3 rd short message.
In summary, the embodiments of the present invention have the following technical effects:
1. the embodiment of the invention can limit the service range of the short message of the service provider and improve the treatment effect of the short message sending behavior of the short message service provider by realizing the automatic audit function of the short message sample in the monitoring analysis module;
2. the embodiment of the invention improves the capacity of processing the random short message flow from a short message gateway or a center by realizing a load sharing mode on a monitoring analysis module networking;
3. the embodiment of the invention reduces the system transaction amount received by the subsequent monitoring counting module by implementing the strategy hit accumulated value reported in a fixed time and a fixed quantity in the monitoring analysis module, thereby enabling the monitoring of the large-flow sending behavior to be possible.
Although the present invention has been described in detail hereinabove, the present invention is not limited thereto, and various modifications can be made by those skilled in the art in light of the principle of the present invention. Thus, modifications made in accordance with the principles of the present invention should be understood to fall within the scope of the present invention.
Claims (10)
1. A service number short message monitoring method is applied to a plurality of monitoring analysis nodes distributed on at least two monitoring analysis servers, and comprises the following steps:
each monitoring analysis node carries out similar comparison on the short message of the network side service number and the stored short message sample of the service number;
if the similar comparison result is matched, the short message is released or intercepted according to the audit result corresponding to the short message sample;
and if the similar comparison result is not matched, determining whether the short message of the network side service number is a suspected short message according to a strategy hit count value of the short message of the network side service number meeting the monitoring condition in the current statistical period, an accumulated value in a strategy statistical time period and a violation threshold value, and manually auditing the short message by using a short message manual auditing server when the short message is determined to be the suspected short message to obtain an auditing result of the short message, and storing the short message and the auditing result as a sample.
2. The method of claim 1, further comprising, before comparing the short message of the network-side service number with the stored short message sample of the service number, the following steps:
and receiving the short message of the network side service number input according to the preset load control strategy.
3. The method of claim 2, wherein the comparing the short message of the network-side service number with the stored short message sample of the service number comprises:
and if the similarity between the short message of the network side service number and the stored short message sample of the service number exceeds a preset similarity threshold, determining that the similarity comparison result is matching.
4. The method of claim 2, wherein the determining whether the short message of the network-side service number is a suspected short message according to the policy hit count value of the short message of the network-side service number meeting the monitoring condition in the current statistical period, the accumulated value of the short message of the network-side service number in the policy statistical period, and a violation threshold value comprises:
if the short message of the network side service number meets the monitoring condition in a preset strategy, counting the short messages of the network side service number meeting the monitoring condition in the current statistical period to obtain a strategy hit count value;
when the strategy hit count value reaches the preset number in the preset strategy and/or the current statistical period is finished, sending the strategy hit count value as a current report value to a monitoring counting server, and acquiring the accumulated value of the short messages of the network side service number meeting the monitoring condition in a strategy statistical time period from the monitoring counting server;
and determining whether the short message of the network side service number is a suspected short message or not according to the current reported value, the accumulated value and the violation threshold value.
5. The method according to any of claims 1-4, further comprising, after the manual audit of the short message:
and releasing or intercepting the short message according to an audit result obtained by manually auditing the short message.
6. A service number short message monitoring device is characterized by comprising: a processor, and a memory coupled to the processor; the memory stores a service number short message monitoring program which can run on the processor, and the service number short message monitoring program realizes the steps of the service number short message monitoring method according to any one of claims 1 to 5 when being executed by the processor.
7. The utility model provides a service number SMS monitored control system, its characterized in that, the system includes a plurality of control analysis server and the artifical audit server of SMS that are equipped with a control analysis node at least, wherein:
each monitoring analysis node is used for carrying out similarity comparison on the short message of the network side service number and the stored short message sample of the service number, if the similarity comparison result is matched, the short message is released or intercepted according to the audit result corresponding to the short message sample, and if the similarity comparison result is not matched, whether the short message of the network side service number is a suspected short message or not is determined according to the strategy hit count value of the short message of the network side service number meeting the monitoring condition in the current statistical period, the accumulated value in the strategy statistical time period and the violation threshold value;
and the short message manual audit server is used for carrying out manual audit on the short message to obtain an audit result of the short message when the short message is determined to be suspected, and storing the short message and the audit result as a sample.
8. The system according to claim 7, wherein each of the monitoring and analyzing nodes receives the short message of the network side service number input according to a preset load control policy before comparing the short message of the network side service number with the stored short message sample of the service number.
9. The system of claim 8, further comprising:
the monitoring counting server is used for counting the accumulated value of all the short messages of the network side service number meeting the monitoring condition in the preset strategy within the strategy counting time period;
if the short message of the network side service number meets the monitoring condition in the preset strategy, the monitoring analysis node counts the short messages of the network side service number meeting the monitoring condition in the current statistical period to obtain a strategy hit count value, when the strategy hit count value reaches the preset number in the preset strategy and/or the current statistical period is finished, the strategy hit count value is used as a current report value to be sent to the monitoring counting server, the accumulated value is obtained from the monitoring counting server, and whether the short message of the network side service number is a suspected short message or not is determined according to the current report value, the accumulated value and a violation threshold value.
10. The system according to claim 9, wherein after the manual audit of the short message, the monitoring analysis node is further configured to pass or intercept the short message according to an audit result obtained by the manual audit of the short message.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711386484.8A CN109951811B (en) | 2017-12-20 | 2017-12-20 | Service number short message monitoring method, device and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711386484.8A CN109951811B (en) | 2017-12-20 | 2017-12-20 | Service number short message monitoring method, device and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109951811A CN109951811A (en) | 2019-06-28 |
| CN109951811B true CN109951811B (en) | 2021-04-20 |
Family
ID=67005265
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201711386484.8A Active CN109951811B (en) | 2017-12-20 | 2017-12-20 | Service number short message monitoring method, device and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109951811B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111726764B (en) * | 2020-06-28 | 2021-11-19 | 北京百度网讯科技有限公司 | Information transmission amount monitoring method, device, equipment and storage medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101052177A (en) * | 2006-11-15 | 2007-10-10 | 深圳凯虹移动通信有限公司 | Mobile terminal for filtering main call interference and its method |
| CN101848441A (en) * | 2010-05-18 | 2010-09-29 | 中兴通讯股份有限公司 | Suspicious short message deferrable transmitting method, device thereof and system thereof |
| CN101938565A (en) * | 2010-09-10 | 2011-01-05 | 中兴通讯股份有限公司 | Short message processing method and mobile terminal |
| CN102821370A (en) * | 2011-06-08 | 2012-12-12 | 中兴通讯股份有限公司 | Method and system for reporting suspicious numbers based on intelligent network |
| US9143907B1 (en) * | 2013-10-21 | 2015-09-22 | West Corporation | Providing data messaging support by intercepting and redirecting received short message service (SMS) messages |
| CN105323733A (en) * | 2014-06-27 | 2016-02-10 | 中兴通讯股份有限公司 | Short message filtering method and device |
-
2017
- 2017-12-20 CN CN201711386484.8A patent/CN109951811B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101052177A (en) * | 2006-11-15 | 2007-10-10 | 深圳凯虹移动通信有限公司 | Mobile terminal for filtering main call interference and its method |
| CN101848441A (en) * | 2010-05-18 | 2010-09-29 | 中兴通讯股份有限公司 | Suspicious short message deferrable transmitting method, device thereof and system thereof |
| CN101938565A (en) * | 2010-09-10 | 2011-01-05 | 中兴通讯股份有限公司 | Short message processing method and mobile terminal |
| CN102821370A (en) * | 2011-06-08 | 2012-12-12 | 中兴通讯股份有限公司 | Method and system for reporting suspicious numbers based on intelligent network |
| US9143907B1 (en) * | 2013-10-21 | 2015-09-22 | West Corporation | Providing data messaging support by intercepting and redirecting received short message service (SMS) messages |
| CN105323733A (en) * | 2014-06-27 | 2016-02-10 | 中兴通讯股份有限公司 | Short message filtering method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109951811A (en) | 2019-06-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Babcock et al. | Distributed top-k monitoring | |
| EP2563062B1 (en) | Long connection management apparatus and link resource management method for long connection communication | |
| WO2018121331A1 (en) | Attack request determination method, apparatus and server | |
| US8566527B2 (en) | System and method for usage analyzer of subscriber access to communications network | |
| US7669241B2 (en) | Streaming algorithms for robust, real-time detection of DDoS attacks | |
| US20030229760A1 (en) | Storage-assisted quality of service (QoS) | |
| CN106202581B (en) | A kind of data search method and device | |
| CN107301215B (en) | Search result caching method and device and search method and device | |
| US9137325B2 (en) | Efficiently isolating malicious data requests | |
| CN105681397A (en) | Network traffic data storage method and system, query method and device | |
| CN106095575B (en) | A kind of devices, systems, and methods of log audit | |
| CN112016030B (en) | Message pushing method, device, server and computer storage medium | |
| CN107454120A (en) | The method of network attack defending system and defending against network attacks | |
| CN111740868A (en) | Alarm data processing method and device and storage medium | |
| CN110222034A (en) | A kind of database maintenance method and device | |
| CN109951811B (en) | Service number short message monitoring method, device and system | |
| CN114640504A (en) | CC attack protection method, device, equipment and storage medium | |
| CN116760649B (en) | Data security protection and early warning method based on big data | |
| CN109818933A (en) | Catching method, device, system, equipment and the medium of attack | |
| CN103916463B (en) | Network access statistical analysis method and system | |
| CN114143263B (en) | Method, equipment and medium for limiting current of user request | |
| CN111131285B (en) | Active protection method for random domain name attack | |
| US11681680B2 (en) | Method, device and computer program product for managing index tables | |
| CN114185681A (en) | Automatic current-limiting processing method and device | |
| CN112148508A (en) | Information processing method and related device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |