CN110913396A - False flow identification method and device, server and readable storage medium - Google Patents


Publication number
CN110913396A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911256520.8A
Other languages
Chinese (zh)
Other versions
CN110913396B (en)
Inventor
段继玲
高畅
高雅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Miaozhen Systems Information Technology Co Ltd
Original Assignee
Miaozhen Systems Information Technology Co Ltd
Application filed by Miaozhen Systems Information Technology Co Ltd
Priority to CN201911256520.8A
Publication of CN110913396A
Application granted
Publication of CN110913396B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiments of the application provide a false traffic identification method, a false traffic identification device, a server and a readable storage medium, and relate to the technical field of data processing. In the method, traffic data acquired during network communication of each application software on each mobile terminal is marked with a first identifier by means of a pre-established white list and with a second identifier by means of a pre-established blacklist, and whether each piece of traffic data is false traffic is judged according to whether it carries the first identifier and the second identifier, so that the accuracy of false traffic identification is improved.

Description

False flow identification method and device, server and readable storage medium
Technical Field
The application relates to the technical field of data processing, in particular to a false traffic identification method, a false traffic identification device, a server and a readable storage medium.
Background
False traffic, also called abnormal traffic, refers to fake figures created by an operator or a traffic counterfeiter for illegal benefit through cheating means such as automation or organized human labor. For example, a celebrity posts a microblog and the repost count reaches 2 billion within a single day, or the play count of certain dramas reaches 10 billion in a short time. Rampant false traffic is harmful to the industry and even to society.
Existing techniques for identifying false traffic on mobile terminals cannot completely distinguish false traffic, and more false traffic can be detected through time checks and other means. How to improve the accuracy of false traffic identification is an urgent problem to be solved.
Disclosure of Invention
In view of the above, the present application aims to provide a false traffic identification method, device, server and readable storage medium.
In order to achieve the above purpose, the embodiments of the present application employ the following technical solutions:
In a first aspect, an embodiment provides a false traffic identification method applied to a server in communication with at least one mobile terminal, where each mobile terminal is configured with at least one piece of application software. The method includes:
for each mobile terminal, acquiring traffic data generated during network communication of each application software of the mobile terminal, wherein each piece of traffic data comprises an identifier of the application software, a device number of the mobile terminal and a terminal type corresponding to the device number;
for each piece of traffic data, searching whether a pre-established white list stores the device number of the mobile terminal included in the traffic data; if so, judging whether the terminal type corresponding to the device number in the traffic data is consistent with the standard terminal type stored in the white list for that device number; and if they are not consistent, marking the traffic data with a first identifier;
for each piece of traffic data, searching whether a pre-established blacklist stores the identifier of the application software included in the traffic data, and if so, marking the traffic data with a second identifier;
and judging whether each piece of traffic data is false traffic according to whether it carries the first identifier and the second identifier.
In an alternative embodiment, the white list is established by:
for each mobile terminal, repeatedly acquiring first traffic data generated during network communication of each application software of the mobile terminal within a first preset time period;
determining the standard terminal type corresponding to the device number from the terminal type corresponding to the device number included in each piece of first traffic data, according to the identifier of the application software included in each piece of first traffic data;
and establishing the white list based on the device number of the mobile terminal included in each piece of first traffic data and the standard terminal type corresponding to the device number.
In an optional embodiment, the step of determining the standard terminal type corresponding to the device number from the terminal type corresponding to the device number included in each piece of first traffic data, according to the identifier of the application software included in each piece of first traffic data, includes:
acquiring the terminal types respectively corresponding to different application software according to the terminal type corresponding to the device number included in each piece of first traffic data and the identifier of the application software included in each piece of first traffic data, and counting the number of each different terminal type;
and taking the terminal type with the largest number as the standard terminal type corresponding to the device number included in each piece of first traffic data.
In an optional implementation, the step of taking the terminal type with the largest number as the standard terminal type corresponding to the device number included in each piece of first traffic data includes:
comparing the numbers of the different terminal types and judging whether a terminal type with the largest number exists; if so, taking it as the standard terminal type corresponding to the device number included in each piece of first traffic data;
if no terminal type with the largest number exists, acquiring second traffic data generated during network communication of each application software of the mobile terminal within a second preset time period, wherein the second preset time period is longer than the first preset time period;
acquiring the terminal types corresponding to different application software according to the terminal type corresponding to the device number included in each piece of second traffic data and the identifier of the application software included in each piece of second traffic data, counting the number of each different terminal type, and comparing these numbers;
and repeating until a terminal type with the largest number is determined, then taking it as the standard terminal type corresponding to the device number in each piece of first traffic data.
In an optional embodiment, after the step of taking the terminal type with the largest number as the standard terminal type corresponding to the device number included in each piece of first traffic data, the method further includes:
acquiring the number of standard terminal types corresponding to the device number, and the number of terminal types corresponding to the standard terminal type, included in each piece of first traffic data determined the previous time, and taking this number as a first number;
acquiring the number of standard terminal types corresponding to the device number, and the number of terminal types corresponding to the standard terminal type, included in each piece of first traffic data currently determined, and taking this number as a second number;
comparing the first number with the second number, and if the second number is greater than the first number, taking the currently determined standard terminal type corresponding to the device number included in each piece of first traffic data as the new standard terminal type;
and if the second number is not greater than the first number, keeping unchanged the standard terminal type determined the previous time for the device number included in each piece of first traffic data.
In an optional implementation, the step of establishing the white list based on the device number of the mobile terminal included in each piece of first traffic data and the standard terminal type corresponding to the device number includes:
acquiring the number of the standard terminal type included in each piece of first traffic data, wherein the number of the standard terminal type is the same as the number of the terminal type with the largest number;
and judging whether this number is greater than a first preset number, and if so, establishing the white list based on the device number of the mobile terminal included in each piece of first traffic data and the standard terminal type corresponding to the device number.
In an alternative embodiment, the blacklist is established by:
for each mobile terminal, repeatedly acquiring first traffic data generated during network communication of each application software of the mobile terminal within a first preset time period;
judging whether each piece of first traffic data includes a safety mark; if not, acquiring the terminal types respectively corresponding to different application software according to the identifier of the application software included in each piece of first traffic data, and counting the number of different terminal types;
and judging whether the number of different terminal types is greater than a second preset number, and if so, establishing the blacklist based on the identifiers of the application software corresponding to the terminal types whose number is greater than the second preset number.
In a second aspect, an embodiment provides a false traffic identification apparatus applied to a server in communication with at least one mobile terminal, each of the mobile terminals being configured with at least one application software, the apparatus including:
an obtaining module, configured to obtain, for each mobile terminal, traffic data of each application software of the mobile terminal during network communication, where each traffic data includes an identifier of the application software, a device number of the mobile terminal, and a terminal type corresponding to the device number;
a first searching module, configured to search, for each piece of traffic data, whether a pre-established white list stores the device number of the mobile terminal included in the traffic data; if so, to judge whether the terminal type corresponding to the device number in the traffic data is consistent with the standard terminal type stored in the white list for that device number; and if they are not consistent, to make a first identifier for the traffic data;
a second searching module, configured to search, for each piece of traffic data, whether a pre-established blacklist stores the identifier of the application software included in the traffic data, and if so, to make a second identifier for the traffic data;
and a judging module, configured to judge whether each piece of traffic data is false traffic according to whether it carries the first identifier and the second identifier.
In a third aspect, an embodiment provides a server, where the server includes a processor, a memory, and a bus, where the memory stores machine-readable instructions executable by the processor, and when the server runs, the processor and the memory communicate with each other through the bus, and the processor executes the machine-readable instructions to perform the steps of the false traffic identification method in any one of the foregoing embodiments.
In a fourth aspect, embodiments provide a readable storage medium, in which a computer program is stored, and the computer program, when executed, implements the false traffic identification method according to any one of the foregoing embodiments.
The embodiments of the application provide a false traffic identification method, a false traffic identification device, a server and a readable storage medium. In the method, traffic data acquired during network communication of each application software on each mobile terminal is marked with a first identifier by means of a pre-established white list and with a second identifier by means of a pre-established blacklist, and whether each piece of traffic data is false traffic is judged according to whether it carries the first identifier and the second identifier. Thus, the accuracy of identifying false traffic is improved.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a scene schematic diagram provided in an embodiment of the present application.
Fig. 2 is a block diagram of a server according to an embodiment of the present disclosure.
Fig. 3 is a flowchart of a false traffic identification method according to an embodiment of the present application.
Fig. 4 is a flowchart of a method for establishing a white list according to an embodiment of the present application.
Fig. 5 is a flowchart of a method for establishing a blacklist according to an embodiment of the present application.
Fig. 6 is a functional block diagram of a false traffic identification device according to an embodiment of the present disclosure.
Reference numerals: 100 - server; 110 - false traffic identification device; 111 - obtaining module; 112 - first searching module; 113 - second searching module; 114 - judging module; 120 - memory; 130 - processor; 140 - communication unit; 200 - mobile terminal; 400 - network.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
As introduced in the background art, advertisers attach great importance to transparency, unified standards and agency transparency in the media supply chain, and the "black hole operation" behind false traffic not only seriously wastes advertisers' budgets but also affects the measurement and evaluation of whether advertisements delivered through the media are effective. Existing techniques for identifying false traffic on mobile terminals cannot completely distinguish false traffic, and more false traffic can be detected through time checks and other means. How to improve the accuracy of false traffic identification is an urgent problem to be solved.
In view of the above, embodiments of the present application provide a method for identifying false traffic to solve the above problem.
Referring to fig. 1, fig. 1 is an interaction diagram illustrating a server 100 and at least one mobile terminal 200 according to an embodiment of the present disclosure. The server 100 may communicate with each of the mobile terminals 200 through the network 400 to implement data communication or interaction between the server 100 and each of the mobile terminals 200.
Referring to fig. 2, fig. 2 is a block diagram of a server 100 according to an embodiment of the present disclosure. The server 100 comprises a false traffic identification device 110, a memory 120, a processor 130, and a communication unit 140.
The memory 120, the processor 130 and the communication unit 140 are electrically connected to each other, directly or indirectly, to realize data transmission or interaction. For example, these components may be electrically connected to each other via one or more communication buses or signal lines. The false traffic identification device 110 includes at least one software function module, which can be stored in the memory 120 in the form of software or firmware or built into the Operating System (OS) of the server 100. The processor 130 is used to execute the executable modules stored in the memory 120, such as the software function modules and computer programs included in the false traffic identification device 110. The memory 120 is used for storing programs or data. The memory may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 130 may be an integrated circuit chip having signal processing capabilities. The processor 130 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The processor may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor.
The communication unit 140 is used for establishing a communication connection between the server 100 and other communication terminals through the network, and for sending and receiving data through the network.
In this embodiment, the server 100 may be, but is not limited to, a web server, an FTP (File Transfer Protocol) server, and the like.
The mobile terminal 200 may be, but is not limited to, a smart phone, a Personal Computer (PC), a tablet PC, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), and the like.
It should be understood that the configuration shown in fig. 2 is merely a schematic diagram of the configuration of the server 100, and that the server 100 may include more or less components than those shown in fig. 2, or have a different configuration than that shown in fig. 2. The components shown in fig. 2 may be implemented in hardware, software, or a combination thereof.
Building on the interaction between the server 100 and at least one mobile terminal 200, refer also to fig. 3, which is a flowchart of a false traffic identification method provided in an embodiment of the present application. The method is applied to the server 100 in communication with at least one mobile terminal 200, and each mobile terminal 200 is configured with at least one application software. The flowchart shown in fig. 3 is explained in detail below.
Step S1, for each mobile terminal 200, obtaining traffic data during network communication of each application software of the mobile terminal 200, where each traffic data includes an identifier of the application software, a device number of the mobile terminal 200, and a terminal type corresponding to the device number.
Step S2, for each piece of traffic data, searching whether the white list established in advance stores the device number of the mobile terminal 200 included in the traffic data, if yes, determining whether the terminal type corresponding to the device number in the traffic data is consistent with the standard terminal type corresponding to the device number stored in the white list, and if not, making a first identifier for the traffic data.
Step S3, for each piece of traffic data, searching whether an identifier of application software included in the traffic data is stored in a pre-established blacklist, and if so, making a second identifier for the traffic data.
Step S4, determining whether each piece of traffic data is false traffic according to whether it carries the first identifier and the second identifier.
Each mobile terminal 200 may include at least one application software, such as a video-type application software, a news-type application software, a social application software, or a game application software, among others.
When a mobile terminal 200 uses application software to communicate over the network, it sends traffic data to the server 100. The traffic data sent by each application software carries an identifier of the application software, the device number of the mobile terminal 200, and a terminal type corresponding to the device number.
It should be noted that the device number of the mobile terminal 200 is the same in the traffic data sent by all the application software on that mobile terminal 200. However, because different application software usually labels the terminal type of the same mobile terminal 200 using different model code tables, the terminal type corresponding to the device number is often represented by different model codes in the traffic data sent by different application software on the same mobile terminal 200.
For example, in one possible case, the mobile terminal 200 is a smartphone of H brand P model, and the mobile terminal 200 includes application software A, application software B, application software C, and application software D. The device number (IMEI) of the mobile terminal 200 is 12345678.
Traffic data A sent by application software A to the server 100 includes the identifier of application software A: A; the device number: 12345678; and the model code of the terminal type corresponding to the device number: VOG-AL00.
Traffic data B sent by application software B to the server 100 includes the identifier of application software B: B; the device number, which is also 12345678; and the model code of the terminal type corresponding to the device number: VOG-AL10.
Traffic data C sent by application software C to the server 100 includes the identifier of application software C: C; the device number: 12345678; and the model code of the terminal type corresponding to the device number: P30 Pro.
Traffic data D sent by application software D to the server 100 includes the identifier of application software D: D; the device number: 12345678; and the model code of the terminal type corresponding to the device number: VAG-AL00.
Meanwhile, in order to avoid the occurrence of different model names for the same terminal type, in the embodiment of the application, different model names for the same terminal type are standardized in advance. For example, in a smartphone, M-family M3S, M-family M blue 3S, and M blue 3S are all referred to as M-family M blue 3S. Meanwhile, in the embodiment of the application, different model codes of the same terminal type are standardized in advance. For example, the terminal types corresponding to the model codes of the VOG-AL00, VOG-AL10, and P30 Pro are all H-brand P-model mobile terminals 200. Thus, false traffic can be more conveniently and rapidly identified.
Each mobile device has only one standard terminal model, which does not change with the application software. When application software forges false traffic, the terminal models forged by different application software for the same mobile device cannot be completely consistent. Whether traffic data is false traffic can therefore be judged from the terminal models corresponding to the device number in the traffic data generated by different application software.
In this embodiment, the server 100 is further configured with a pre-established white list and a pre-established blacklist. The white list stores the device number of at least one mobile terminal 200 and the standard terminal type corresponding to each device number. The blacklist stores the identifier of at least one application software; an identifier stored in the blacklist indicates that the corresponding application software may be application software that sends false traffic.
The above steps are described in detail below, taking traffic data C sent by application software C as an example.
After receiving traffic data C, the server 100 searches whether the pre-established white list stores the device number 12345678 included in traffic data C. If it does, the server checks whether the standard terminal type stored in the white list for device number 12345678 is consistent with the terminal type corresponding to device number 12345678 in traffic data C. If they are not consistent, traffic data C may be false traffic, and a first identifier is made for traffic data C.
Meanwhile, after receiving traffic data C, the server 100 also searches whether the identifier "C" of the application software included in traffic data C is stored in the pre-established blacklist, and if so, makes a second identifier for traffic data C.
Finally, if traffic data C carries both the first identifier and the second identifier, it is determined to be false traffic. If traffic data C carries neither identifier, or carries only the first identifier or only the second identifier, it is determined not to be false traffic.
Therefore, by comparing each piece of traffic data with both the white list and the blacklist, whether the traffic data is false traffic is judged comprehensively from multiple aspects, which effectively improves the accuracy of identifying false traffic.
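Steps S2 to S4 applied to the example values above, as an added Python sketch that is not part of the patent text. The code table, the contents of the white list and blacklist, the label string `H-brand P-model`, the model code `XYZ-0000` and all function names are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass

# Constructed code table (assumption): the three model codes the page says
# denote the same H-brand P-model terminal, mapped to one standard label.
MODEL_CODE_TABLE = {
    "VOG-AL00": "H-brand P-model",
    "VOG-AL10": "H-brand P-model",
    "P30 Pro": "H-brand P-model",
}

# Constructed lists (assumption): one whitelisted device, one blacklisted app.
WHITE_LIST = {"12345678": "H-brand P-model"}   # device number -> standard terminal type
BLACKLIST = {"D"}                              # identifiers of suspect application software


@dataclass(frozen=True)
class TrafficData:
    app_id: str          # identifier of the application software
    device_number: str   # device number of the mobile terminal
    terminal_type: str   # model code as reported by the application


def standardize(model_code):
    """Map a reported model code to its standardized terminal type.

    Codes missing from the table are returned as-is, so an unknown code can
    never silently match a white list entry.
    """
    code = model_code.strip()
    return MODEL_CODE_TABLE.get(code, code)


def classify(record, white_list=WHITE_LIST, blacklist=BLACKLIST):
    """Return (first_identifier, second_identifier, is_false_traffic)."""
    standard = white_list.get(record.device_number)
    # S2: the first identifier needs a whitelisted device whose reported
    # type disagrees with the stored standard type. Unknown devices get none.
    first = standard is not None and standardize(record.terminal_type) != standard
    # S3: the second identifier depends only on the application identifier.
    second = record.app_id in blacklist
    # S4: false traffic only when both identifiers are present.
    return first, second, first and second


# Constructed sample records covering each combination of identifiers.
SAMPLES = [
    TrafficData("A", "12345678", "VOG-AL00"),   # consistent type, clean app
    TrafficData("C", "12345678", "XYZ-0000"),   # inconsistent type, clean app
    TrafficData("D", "87654321", "VOG-AL00"),   # blacklisted app, unknown device
    TrafficData("D", "12345678", "XYZ-0000"),   # inconsistent type and blacklisted app
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, classify(rec))
```

Because a device absent from the white list can never receive the first identifier, traffic from a blacklisted application on an unseen device number is not classified as false by this rule alone.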
As an embodiment, referring to fig. 4, the white list may be created by the following steps:
Step S10, for each mobile terminal 200, repeatedly obtaining first traffic data during network communication of each application software of the mobile terminal 200 within a first preset time period.
Step S20, based on the terminal type corresponding to the device number included in each piece of the first traffic data, determining a standard terminal type corresponding to the device number according to the identifier of the application software included in each piece of the first traffic data.
Step S30, a white list is established based on the device number of the mobile terminal 200 included in each piece of the first traffic data and the standard terminal type corresponding to the device number.
The time length of the first preset time period may be one day, one week, one month, one year or any other time period. In the embodiment of the present application, for each mobile terminal 200, the first traffic data during network communication of each application software included in the mobile terminal 200 in the last week is acquired at intervals of one week. The first traffic data includes an identifier of the application software, a device number of the mobile terminal 200, and a terminal type corresponding to the device number. It should be noted that if the first preset time period is too short or too long, a white list built from the first traffic data identifies false traffic less accurately. Therefore, in order to improve the accuracy of identifying false traffic, the time length of the first preset time period should be determined according to the actual situation.
Step S20 includes the following steps to determine the standard terminal type corresponding to the device number.
Firstly, based on the terminal type corresponding to the device number included in each piece of first traffic data, the terminal types corresponding to different application software are obtained according to the identifier of the application software included in each piece of first traffic data, and the number of each different terminal type is counted.
Then, the terminal type with the largest number is taken as the standard terminal type corresponding to the device number included in each piece of first traffic data.
As a possible scenario, the numbers of the different terminal types may be compared to determine whether a terminal type with the largest number exists, and if it exists, the terminal type with the largest number is used as the standard terminal type corresponding to the device number included in each piece of first traffic data.
Again, a specific description is given taking as an example a mobile terminal 200 that is an H brand P model smartphone and that includes application software A, application software B, application software C, and application software D. The device number (IMEI) of the mobile terminal 200 is 12345678. (For the specific data content included in the traffic data sent by different application software, see the related description above, which is not repeated here.)
The model code of the terminal type included in the first traffic data A sent by the application software A to the server 100 is: VOG-AL 00. It therefore refers to the terminal type H brand P model.
The model code of the terminal type included in the first traffic data B sent by the application software B to the server 100 is: VOG-AL 10. It therefore refers to the terminal type H brand P model.
The model code of the terminal type included in the first traffic data C sent by the application software C to the server 100 is: p30 Pro. It therefore also refers to the terminal type H brand P model.
The model code of the terminal type included in the first traffic data D sent by the application software D to the server 100 is: VAG-AL 00. It therefore refers to the terminal type M brand M model.
Analyzing the above data shows that the number of terminal types of H brand P model is 3 and the number of terminal types of M brand M model is 1. A terminal type with the largest number therefore exists, namely H brand P model, so the standard terminal type corresponding to the device number included in each piece of first traffic data is H brand P model.
As another possible scenario, when there is no terminal type with the largest number, second traffic data during network communication of each application software of the mobile terminal 200 within a second preset time period is obtained, where a time length of the second preset time period is greater than a time length of the first preset time period.
Then, based on the terminal type corresponding to the device number included in each piece of second traffic data, according to the identifier of the application software included in each piece of second traffic data, the terminal types corresponding to different application software are obtained, the number of different terminal types is counted, and the number of different terminal types is compared.
This is repeated until a terminal type with the largest number is determined, and that terminal type is taken as the standard terminal type corresponding to the device number in each piece of first traffic data.
It should be noted that, when the time length of the first preset time period is one week, the time length of the second preset time period may be two weeks, three weeks or one month, as long as the time length is greater than the time length of the first preset time period.
For example, the model code of the terminal type included in the first traffic data A sent by the application software A to the server 100 is: VOG-AL 00. The terminal type referred to is H brand P model.
The model code of the terminal type included in the first traffic data B sent by the application software B to the server 100 is: VOG-AL 10. The terminal type referred to is H brand P model.
The model code of the terminal type included in the first traffic data C sent by the application software C to the server 100 is: VAG-AL 00. The terminal type referred to is M brand M model.
The model code of the terminal type included in the first traffic data D sent by the application software D to the server 100 is: VAG-AL 00. The terminal type referred to is M brand M model.
From the above data, it can be seen that the number of terminal types of M brand M model is 2 and the number of terminal types of H brand P model is also 2, so there is no terminal type with the largest number. Therefore, second traffic data during network communication of each application software of the mobile terminal 200 in a second preset time period is obtained, and the above step of comparing the numbers of the terminal types is repeated until a terminal type with the largest number is determined, which is then used as the standard terminal type corresponding to the device number in each piece of first traffic data. In this way, when the numbers of the terminal types are the same, the standard terminal type corresponding to the device number in each piece of first traffic data can still be determined quickly and accurately.
Further, in this embodiment of the application, the step of establishing a white list based on the device number of the mobile terminal 200 included in each piece of the first traffic data and the standard terminal type corresponding to the device number in step S30 includes:
First, the number of standard terminal types included in each piece of first traffic data is obtained, wherein the number of standard terminal types is consistent with the number of the terminal type with the largest number.
Then, it is judged whether this number is greater than a first preset number, and if so, the white list is established based on the device number of the mobile terminal 200 included in each piece of first traffic data and the standard terminal type corresponding to the device number.
The first preset number may be 1, 2, 3, and so on. It will be appreciated that the greater the first preset number, the more accurately the generated white list identifies false traffic.
Further, in order to further improve the accuracy of identifying the false traffic, in this embodiment of the application, after the step of using the terminal type with the largest number as the standard terminal type corresponding to the device number included in each piece of the first traffic data is performed, the false traffic identification method may further include:
First, the standard terminal type determined the previous time for the device number included in each piece of first traffic data, and the number of terminal types corresponding to that standard terminal type, are obtained, and this number is taken as a first number.
Then, the standard terminal type currently determined for the device number included in each piece of first traffic data, and the number of terminal types corresponding to that standard terminal type, are obtained, and this number is taken as a second number.
Then, the first number is compared with the second number, and if the second number is greater than the first number, the standard terminal type currently determined for the device number included in each piece of first traffic data is taken as the new standard terminal type.
Finally, if the second number is not greater than the first number, the standard terminal type determined the previous time for the device number included in each piece of first traffic data is kept unchanged.
Since different users use different applications at different frequencies, the terminal types simulated by the applications that produce false traffic may change over time. Therefore, in the embodiment of the application, traffic data in different time periods is acquired continuously, and the content of the traffic data acquired this time is compared with the content of the traffic data acquired last time, which effectively improves the accuracy of identifying false traffic.
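The white list procedure above (steps S10 to S30, the tie case, the first preset number and the first number / second number comparison) can be sketched as follows. This is an added example, not code from the patent: the model-code lookup table, the record layout, the function names and the fifth application E in the longer period are assumptions made for illustration.

```python
from collections import Counter

# Hypothetical lookup from reported model code to terminal type. The codes and
# types are the ones in the worked example above; how the server resolves a
# model code is not stated on the page.
MODEL_TO_TYPE = {
    "VOG-AL 00": "H brand P model",
    "VOG-AL 10": "H brand P model",
    "p30 Pro": "H brand P model",
    "VAG-AL 00": "M brand M model",
}

DEVICE = "12345678"


def record(app, model_code, device=DEVICE):
    """One piece of first traffic data (constructed layout)."""
    return {"app": app, "device": device, "model_code": model_code}


# Constructed first-period samples matching the two scenarios in the text.
CLEAR_WEEK = [record("A", "VOG-AL 00"), record("B", "VOG-AL 10"),
              record("C", "p30 Pro"), record("D", "VAG-AL 00")]
TIED_WEEK = [record("A", "VOG-AL 00"), record("B", "VOG-AL 10"),
             record("C", "VAG-AL 00"), record("D", "VAG-AL 00")]
# Constructed second, longer period: a fifth application E breaks the tie.
LONGER_PERIOD = TIED_WEEK + [record("E", "VOG-AL 00")]


def count_types(records, device):
    """Count terminal types for one device, one vote per (application, type)."""
    pairs = set()
    for r in records:
        terminal_type = MODEL_TO_TYPE.get(r["model_code"])
        if r["device"] == device and terminal_type is not None:
            pairs.add((r["app"], terminal_type))  # repeats from one app count once
    return Counter(t for _, t in pairs)


def unique_majority(counts):
    """Return (terminal type, count) if one type strictly leads, else None."""
    ranked = counts.most_common(2)
    if not ranked or (len(ranked) == 2 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0]


def determine_standard(device, periods):
    """Try the first period, then each longer one, until a type strictly leads."""
    for records in periods:
        winner = unique_majority(count_types(records, device))
        if winner is not None:
            return winner
    return None  # still tied: no standard type for this device yet


def update_white_list(white_list, device, winner, first_preset_number=1):
    """white_list maps device number -> (standard terminal type, count)."""
    if winner is None or winner[1] <= first_preset_number:
        return white_list  # count must exceed the first preset number
    previous = white_list.get(device)
    if previous is None or winner[1] > previous[1]:  # second number > first number
        white_list[device] = winner
    return white_list


if __name__ == "__main__":
    print(update_white_list({}, DEVICE, determine_standard(DEVICE, [CLEAR_WEEK])))
    print(determine_standard(DEVICE, [TIED_WEEK]))
    print(determine_standard(DEVICE, [TIED_WEEK, LONGER_PERIOD]))
```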
As an embodiment, referring to fig. 5, the blacklist can be established by the following steps:
Step S100, repeatedly obtaining, for each mobile terminal 200, first traffic data during network communication of each application software of the mobile terminal 200 within a first preset time period.
Step S200, determining whether each piece of the first traffic data includes a safety mark, and if not, obtaining the terminal types respectively corresponding to different application software according to the identifier of the application software included in each piece of the first traffic data, and counting the number of the different terminal types.
Step S300, judging whether the number of the different terminal types is larger than a second preset number, if so, establishing the blacklist based on the identifiers of the application software corresponding to the terminal types of which the number is larger than the second preset number.
The safety mark is used for indicating whether the application software sending the first traffic data is safe application software. In the embodiment of the application, a corresponding plug-in can be placed in application software that has been confirmed in advance to be safe and not to generate false traffic, so that the first traffic data sent by that application software includes the safety mark. In this manner, false traffic can be preliminarily identified.
Application software that produces false traffic forges different terminal types for the same mobile terminal 200 in order to reach a certain volume of false views. Therefore, if the received first traffic data does not include the safety mark, the embodiment of the present application further examines the first traffic data that does not include the safety mark in order to identify whether it is false traffic.
For example, it is determined whether the number of different terminal types in the first traffic data sent by the same mobile terminal 200 exceeds a second preset number. When the number of different terminal types exceeds the second preset number, the blacklist is established based on the identifiers of the application software corresponding to the terminal types whose number is greater than the second preset number. The second preset number may be 1, 2, 3, and so on. It is understood that the larger the second preset number, the higher the accuracy of identifying false traffic using the blacklist.
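The blacklist steps S100 to S300 and the two-identifier decision described earlier can be sketched together as follows. This is an added example, not code from the patent: it assumes one reading of step S300, in which the distinct terminal types are counted per application for one device number, and the record layout, function names, the "X brand Y model" type and the sample records are constructed for illustration.

```python
DEVICE = "12345678"

# Constructed white list entry: device number -> standard terminal type.
WHITE_LIST = {DEVICE: "H brand P model"}


def flow(app, terminal_type, safety_mark=False, device=DEVICE):
    """One piece of traffic data with the terminal type already resolved."""
    return {"app": app, "device": device,
            "terminal_type": terminal_type, "safety_mark": safety_mark}


# Constructed first traffic data for one preset time period.
FIRST_TRAFFIC = [
    flow("A", "H brand P model", safety_mark=True),  # vetted app, skipped
    flow("B", "H brand P model"),
    flow("C", "H brand P model"),
    flow("C", "M brand M model"),
    flow("C", "X brand Y model"),                     # constructed third type
    flow("D", "M brand M model"),
]


def build_blacklist(records, second_preset_number=2):
    """Blacklist apps without a safety mark that report too many terminal types.

    Assumed reading of step S300: distinct terminal types are counted per
    (device number, application), and the application is blacklisted when
    that count is greater than the second preset number.
    """
    types_seen = {}
    for r in records:
        if r["safety_mark"]:
            continue  # step S200: only unmarked traffic is examined further
        key = (r["device"], r["app"])
        types_seen.setdefault(key, set()).add(r["terminal_type"])
    return {app for (_, app), types in types_seen.items()
            if len(types) > second_preset_number}


def classify(r, white_list, blacklist):
    """Apply both checks; false traffic requires both identifiers."""
    standard = white_list.get(r["device"])
    # First identifier: device is white-listed and the reported type differs.
    first = standard is not None and r["terminal_type"] != standard
    # Second identifier: the sending application is on the blacklist.
    second = r["app"] in blacklist
    return {"first_identifier": first,
            "second_identifier": second,
            "false_traffic": first and second}


if __name__ == "__main__":
    blacklist = build_blacklist(FIRST_TRAFFIC)
    print("blacklist:", blacklist)
    for sample in (flow("C", "M brand M model"),    # both identifiers
                   flow("D", "M brand M model"),    # first identifier only
                   flow("C", "H brand P model")):   # second identifier only
        print(sample["app"], sample["terminal_type"],
              classify(sample, WHITE_LIST, blacklist))
```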
Referring to fig. 6, the present embodiment further provides a false traffic identification apparatus 110, which is applied to a server 100 in communication with at least one mobile terminal 200, where each mobile terminal 200 is configured with at least one application software, and the apparatus includes:
an obtaining module 111, configured to obtain, for each mobile terminal 200, traffic data during network communication of each application software of the mobile terminal 200, where each traffic data includes an identifier of the application software, a device number of the mobile terminal 200, and a terminal type corresponding to the device number.
The first searching module 112 is configured to search, for each piece of traffic data, whether a device number of the mobile terminal 200 included in the traffic data is stored in a pre-established white list, if yes, determine whether a terminal type corresponding to the device number in the traffic data is consistent with a standard terminal type corresponding to the device number stored in the white list, and if not, mark the traffic data with a first identifier.
The second searching module 113 is configured to search, for each piece of traffic data, whether an identifier of application software included in the traffic data is stored in a pre-established blacklist, and if the identifier is stored, mark the traffic data with a second identifier.
A determining module 114, configured to determine whether each of the traffic data is a false traffic according to whether each of the traffic data has the first identifier and the second identifier.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the above-described false traffic identification device 110 may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
The embodiment of the application also provides a readable storage medium, wherein a computer program is stored in the readable storage medium, and when the computer program is executed, the method for identifying the false traffic is realized.
In summary, the embodiment of the present application provides a false traffic identification method, an apparatus, a server, and a readable storage medium. The false traffic identification method uses a pre-established white list to mark, with a first identifier, the traffic data obtained during network communication of each application software in each mobile terminal, uses a pre-established blacklist to mark that traffic data with a second identifier, and determines whether each piece of traffic data is false traffic according to whether it has the first identifier and the second identifier. Thus, the accuracy of identifying false traffic is improved.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A false traffic identification method applied to a server in communication with at least one mobile terminal, each of the mobile terminals being configured with at least one application software, the method comprising:
acquiring, for each mobile terminal, traffic data during network communication of each application software of the mobile terminal, wherein each piece of traffic data comprises an identifier of the application software, a device number of the mobile terminal and a terminal type corresponding to the device number;
searching, for each piece of traffic data, whether a pre-established white list stores the device number of the mobile terminal included in the traffic data, if so, judging whether the terminal type corresponding to the device number in the traffic data is consistent with the standard terminal type corresponding to the device number stored in the white list, and if not, marking the traffic data with a first identifier;
searching, for each piece of traffic data, whether an identifier of application software included in the traffic data is stored in a pre-established blacklist, and if so, marking the traffic data with a second identifier;
and judging whether each piece of traffic data is false traffic according to whether each piece of traffic data has the first identifier and the second identifier.
2. The false traffic identification method according to claim 1, wherein the white list is established by:
repeatedly acquiring, for each mobile terminal, first traffic data during network communication of each application software of the mobile terminal within a first preset time period;
determining, based on the terminal type corresponding to the device number included in each piece of first traffic data, a standard terminal type corresponding to the device number according to the identifier of the application software included in each piece of first traffic data;
and establishing a white list based on the device number of the mobile terminal included in each piece of first traffic data and the standard terminal type corresponding to the device number.
3. The false traffic identification method according to claim 2, wherein the step of determining, based on the terminal type corresponding to the device number included in each of the first traffic data, a standard terminal type corresponding to the device number according to the identifier of the application software included in each of the first traffic data comprises:
acquiring terminal types respectively corresponding to different application software according to the terminal types corresponding to the device numbers included in the first traffic data and the identifiers of the application software included in the first traffic data, and counting the number of the different terminal types;
and taking the terminal type with the largest number as the standard terminal type corresponding to the device number included in each piece of first traffic data.
4. The false traffic identification method according to claim 3, wherein the step of using the terminal type with the largest number as the standard terminal type corresponding to the device number included in each of the first traffic data comprises:
comparing the numbers of the different terminal types, judging whether a terminal type with the largest number exists, and if so, taking the terminal type with the largest number as the standard terminal type corresponding to the device number included in each piece of first traffic data;
if no terminal type with the largest number exists, acquiring second traffic data during network communication of each application software of the mobile terminal within a second preset time period, wherein the time length of the second preset time period is longer than that of the first preset time period;
acquiring terminal types corresponding to different application software according to the terminal types corresponding to the device numbers included in the second traffic data and the identifiers of the application software included in the second traffic data, counting the number of the different terminal types, and comparing the numbers of the different terminal types;
and, once the terminal type with the largest number is determined, taking the terminal type with the largest number as the standard terminal type corresponding to the device number in each piece of first traffic data.
5. The false traffic identification method according to claim 3, wherein after the step of using the terminal type with the largest number as the standard terminal type corresponding to the device number included in each of the first traffic data is performed, the method further comprises:
acquiring the standard terminal type determined the previous time for the device number included in each piece of first traffic data, and the number of terminal types corresponding to that standard terminal type, and taking the number as a first number;
acquiring the standard terminal type currently determined for the device number included in each piece of first traffic data, and the number of terminal types corresponding to that standard terminal type, and taking the number as a second number;
comparing the first number with the second number, and if the second number is greater than the first number, taking the standard terminal type currently determined for the device number included in each piece of first traffic data as a new standard terminal type;
and if the second number is not greater than the first number, keeping unchanged the standard terminal type determined the previous time for the device number included in each piece of first traffic data.
6. The false traffic identification method according to claim 3, wherein the step of establishing a white list based on the device number of the mobile terminal included in each of the first traffic data and the standard terminal type corresponding to the device number comprises:
acquiring the number of standard terminal types included in each piece of first traffic data, wherein the number of the standard terminal types is consistent with the number of the terminal type with the largest number;
and judging whether the number is greater than a first preset number, and if so, establishing a white list based on the device number of the mobile terminal included in each piece of first traffic data and the standard terminal type corresponding to the device number.
7. The false traffic identification method according to claim 1, wherein the blacklist is established by:
repeatedly acquiring, for each mobile terminal, first traffic data during network communication of each application software of the mobile terminal within a first preset time period;
judging whether each piece of first traffic data comprises a safety mark, and if not, acquiring terminal types respectively corresponding to different application software according to the identifiers of the application software included in each piece of first traffic data, and counting the number of different terminal types;
and judging whether the number of the different terminal types is larger than a second preset number, and if so, establishing the blacklist based on the identifiers of the application software corresponding to the terminal types whose number is larger than the second preset number.
8. A false traffic identification device for use in a server in communication with at least one mobile terminal, each of said mobile terminals being configured with at least one application, said device comprising:
an obtaining module, configured to obtain, for each mobile terminal, traffic data of each application software of the mobile terminal during network communication, where each piece of traffic data includes an identifier of the application software, a device number of the mobile terminal, and a terminal type corresponding to the device number;
a first searching module, configured to search, for each piece of traffic data, whether a pre-established white list stores the device number of the mobile terminal included in the traffic data, if so, judge whether the terminal type corresponding to the device number in the traffic data is consistent with the standard terminal type corresponding to the device number stored in the white list, and if not, mark the traffic data with a first identifier;
a second searching module, configured to search, for each piece of traffic data, whether the identifier of the application software included in the traffic data is stored in a pre-established blacklist, and if so, mark the traffic data with a second identifier;
and a judging module, configured to judge whether each piece of traffic data is false traffic according to whether each piece of traffic data has the first identifier and the second identifier.
9. A server, characterized in that the server comprises a processor, a memory and a bus, the memory stores machine-readable instructions executable by the processor, when the server runs, the processor and the memory communicate with each other through the bus, and the processor executes the machine-readable instructions to execute the steps of the false traffic identification method according to any one of claims 1 to 7.
10. A readable storage medium, wherein a computer program is stored in the readable storage medium, which computer program, when executed, implements the false traffic identification method of any one of claims 1-7.
CN201911256520.8A 2019-12-10 2019-12-10 False flow identification method and device, server and readable storage medium Active CN110913396B (en)

Publications (2)

Publication Number Publication Date
CN110913396A true CN110913396A (en) 2020-03-24
CN110913396B CN110913396B (en) 2022-05-17

Family

ID=69824111

Country Status (1)

Country Link
CN (1) CN110913396B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant