CN114205820A - Method, device and computer equipment for detecting suspicious user carrying pseudo base station - Google Patents
Method, device and computer equipment for detecting suspicious user carrying pseudo base station Download PDFInfo
- Publication number
- CN114205820A CN114205820A CN202010896623.7A CN202010896623A CN114205820A CN 114205820 A CN114205820 A CN 114205820A CN 202010896623 A CN202010896623 A CN 202010896623A CN 114205820 A CN114205820 A CN 114205820A
- Authority
- CN
- China
- Prior art keywords
- target
- users
- cell
- user
- target user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
- H04W4/025—Services making use of location information using location based information parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
- H04W4/029—Location-based management or tracking services
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Alarm Systems (AREA)
Abstract
The embodiment of the invention relates to the technical field of communication, and discloses a method for detecting suspicious users carrying a pseudo base station, which comprises the following steps: acquiring signaling data; counting users to be screened, which have abnormal position updating times smaller than a preset threshold value in the same resident cell within a preset time period, as target users according to the abnormal position updating information; sequencing the target users according to the abnormal position updating times, and acquiring a first preset number of target users before sequencing to form a target user list; acquiring a track of a target user in a preset time period; screening out resident cells of which the resident time length of the target user is greater than the preset time length as target cells; acquiring the number of users with failed position updating in a target cell, and taking the target cell with the number of the users with failed position updating larger than a second preset number as a suspected cell; and determining the target user residing in the suspected cell in the target user list as a suspicious user according to the track. Through the mode, the embodiment of the invention realizes the accurate detection of the mobile base station.
Description
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a method, a device and computer equipment for detecting suspicious users carrying pseudo base stations.
Background
The pseudo base station is illegal radio communication equipment utilizing the defect of the GSM one-way authentication, can temporarily cut off the contact between a mobile phone and an operator base station, and can send junk information to the mobile phone instead, and further can steal the telephone number information of a user. In the prior art, the detection of the pseudo base station depends on a terminal or a newly added detection module, a new function for preventing the pseudo base station from being accessed is required to be added at the terminal side, and the pseudo base station can still be accessed because a large number of issued terminals have no new function for preventing the pseudo base station from being accessed and cannot identify the pseudo base station; when the detection module is used for detecting the pseudo base station, when the area where the pseudo base station is located is confirmed and a tool for detecting the pseudo base station is used, tracking and positioning are difficult to achieve due to the mobility of the pseudo base station, so that the purpose is poor, the accuracy is low when the pseudo base station is detected, and the detection module cannot be applied to comprehensive detection of the pseudo base station in actual operation and maintenance.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide a method for detecting a suspicious user carrying a pseudo base station, which is used to solve the problem in the prior art that the pseudo base station detection accuracy is low.
According to an aspect of the embodiments of the present invention, a method for detecting a suspicious user carrying a pseudo base station is provided, where the method includes:
acquiring signaling data, wherein the signaling data comprises abnormal position updating information of a user to be screened;
counting users to be screened, with the abnormal position updating times smaller than a preset threshold value in the same resident cell within a preset time period, as target users according to the abnormal position updating information;
sequencing the target users according to the abnormal position updating times, acquiring a first preset number of target users before sequencing, and forming a target user list;
according to the updating information of the abnormal position of the target user, acquiring the track of the target user in the target user list in the preset time period, wherein the track comprises resident cell information of the target user in the preset time period;
based on the track, screening out resident cells of which the resident time of the target user is longer than preset time from the resident cells as target cells;
acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating larger than a second preset number as a suspected cell;
and determining the target user residing in the suspected cell in the target user list as a suspicious user according to the track.
In an optional manner, acquiring signaling data includes: acquiring signaling data from an A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
In an optional manner, counting, according to the abnormal location update information, users to be screened whose number of times of abnormal location update occurring in the same residential cell within a preset time period is less than a preset threshold, as target users, includes:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from the updating information of the A port signaling;
counting the updating times of the abnormal positions of the users to be screened in the same resident cell;
and determining the users to be screened, of which the updating times of the abnormal positions are greater than a preset threshold value, as target users.
In an optional manner, determining, according to the trajectory, a target user who resides in the suspected cell in the target user list as a suspicious user includes:
determining a target user in a suspicious user list and with a track covering a suspected cell;
and determining the target user in the suspicious user list and with the track covering the suspected cell as the suspicious user.
In an optional mode, after determining the target users in the target user list and the trajectory covers the suspected cell, the method further includes the following steps:
determining whether the target user carries an engineering machine;
and when the target user is in a target user list, the track covers a suspected cell and carries an engineering machine, determining the target user as a suspicious user.
According to another aspect of the embodiments of the present invention, there is provided a suspicious user detection apparatus carrying a pseudo base station, including:
the data acquisition module is used for acquiring signaling data, wherein the signaling data comprises abnormal position updating information of at least one user to be screened;
the first screening module is used for counting users to be screened, of which the abnormal position updating times are smaller than a preset threshold value in the same resident cell within a preset time period, according to the abnormal position updating information, and taking the users as target users;
the second screening module is used for sorting the target users according to the abnormal position updating times, acquiring a first preset number of target users before sorting and forming a target user list;
a track determining module, configured to obtain a track of the target user in the target user list within the preset time period according to the update information of the abnormal position of the target user, where the track includes information of a residential area of the target user within the preset time period;
a target cell determination module, configured to screen, based on the trajectory, a resident cell in the resident cells, where a resident time of the target user is longer than a preset time, as a target cell;
a suspected cell determining module, configured to obtain the number of users who have failed to update the location in the target cell, and use the target cell with the number of users who have failed to update the location being greater than a second preset number as a suspected cell;
and the suspicious user determining module is used for determining the target user residing in the suspected cell in the target user list as a suspicious user according to the track.
In an optional manner, acquiring signaling data includes: acquiring signaling data from an A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
In an optional manner, the first screening module, according to the abnormal location update information, counts users to be screened whose number of times of abnormal location update occurring in the same residential cell within a preset time period is less than a preset threshold, as target users, including:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from the updating information of the A port signaling;
counting the updating times of the abnormal positions of the users to be screened in the same resident cell;
and determining the users to be screened, of which the updating times of the abnormal positions are greater than a preset threshold value, as target users.
According to another aspect of the embodiments of the present invention, a suspicious user detection device carrying a pseudo base station is provided, which includes a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation of the method for detecting the suspicious user carrying the pseudo base station
According to another aspect of the embodiments of the present invention, a computer-readable storage medium is provided, where at least one executable instruction is stored in the storage medium, and when the executable instruction is executed on a suspected user detection device/apparatus carrying a pseudo base station, the suspected user detection device/apparatus carrying the pseudo base station performs the operations of the above-mentioned suspected user detection method carrying the pseudo base station.
According to the embodiment of the invention, the suspicious user list is output according to the abnormal position updating times, the suspicious user track is determined according to the user position updating records, and the suspicious user carrying the pseudo base station is determined according to the suspicious user track, the residence time of the suspicious user in the residence cell and the number of the updating failure users in the residence cell.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention, and the embodiments of the present invention can be implemented according to the content of the description in order to make the technical means of the embodiments of the present invention more clearly understood, and the detailed description of the present invention is provided below in order to make the foregoing and other objects, features, and advantages of the embodiments of the present invention more clearly understandable.
Drawings
The drawings are only for purposes of illustrating embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 shows a schematic flowchart of a method for detecting a suspicious user carrying a pseudo base station according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a suspected user detecting apparatus carrying a pseudo base station according to an embodiment of the present invention;
fig. 3 shows a schematic structural diagram of a suspicious user detection device carrying a pseudo base station according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein.
The names appearing in the embodiments of the present invention are explained as follows:
signaling of an A port: the GSM network a interface is the interface between BSC (base station controller) and MSC (mobile services switching center), which is the interface between the radio and core networks. The position information, the service type information and the like of the user can be obtained through the A interface signaling detection.
A position area: the maximum can be equivalent to one MSC area, and the minimum can be equivalent to the coverage area of one cell, which is the area when paging is initiated for the user, and is generally the sum of the coverage areas of several adjacent base stations.
MSC area: within this area, there is a common coding method and routing plan, there is a mobile switching center control area called the MSC service area, and an MSC area contains one or more location areas.
A cell: also called cells, the ideal shape is a regular hexagon, with one cell containing one base station.
CI: cell Identity (Cell Identity).
MSISDN (Mobile Subscriber International ISDN/PSTN number) (ISDN is Integrated Service Digital Network)): the calling user is a number which is required to be dialed for calling a mobile user in the GSM PLMN and has the function of being the fixed network PSTN number; is a number that uniquely identifies a mobile subscriber in a public telephone network switching network numbering plan.
LAC (location area code) is an area set for paging in a mobile communication system.
Fig. 1 shows a flowchart of an embodiment of the method for detecting a suspicious user carrying a pseudo base station according to the present invention, which is executed by a computer device. The computer device can be an electronic device such as a user terminal, a computer, a cloud platform and the like. As shown in fig. 1, the method comprises the steps of:
step 110: and acquiring signaling data, wherein the signaling data comprises abnormal position updating information of the user to be screened.
The method comprises the steps of obtaining signaling data from an A-port signaling (signal a), wherein the A-port signaling record comprises at least one user updating message to be screened, and the updating message comprises a user identifier, a resident cell, a location area, abnormal location updating message and updating time of the user to be screened. Wherein the abnormal location update information includes an abnormal location area at a preset time period. And determining the abnormal updating times according to the times of the abnormal position areas in the signaling data in the preset time period. In the embodiment of the present invention, the update information recorded in the port a signaling record further includes normal location update, periodic location update, IMSI attach update, call start time, call end time, and the like.
In the embodiment of the invention, the A-port signaling record can be acquired through a bridging technology.
The user identifier is a user MSISDN, i.e. a user identification number. The following information can be obtained according to the fields in the signaling data of the port a, wherein the explanation of each information is shown in the following table:
by reading the corresponding fields from the port A signaling record, the corresponding information can be obtained. Specifically, by reading the MSISDN field, the user identifier of the user to be screened, that is, the only number that can identify the user to be screened, can be obtained; by reading the cell field, the resident cell where the user to be screened resides in the preset time can be obtained; by reading the location area, the area where the user to be screened initiates paging can be obtained; by reading the abnormal position area, the users to be screened in the abnormal position area can be obtained.
Step 120: and counting users to be screened, which have abnormal position updating times smaller than a preset threshold value in the same resident cell within a preset time period, as target users according to the abnormal position updating information.
For the mobile pseudo base station, the suspect cannot have multiple abnormal position updates in the same cell in a moving state, so that the times of the abnormal position updates in the same resident cell for the users to be screened with the abnormal position updates are less. Therefore, the users to be screened, of which the number of times of updating the abnormal positions of the same resident cell in the preset time period is smaller than the preset threshold value, are counted as target users. The preset threshold is not specifically limited in the embodiments of the present invention, and may be set by a person skilled in the art according to a specific scenario. For example, it may be 1 to 5. And when the preset threshold value is 5, representing that the user to be screened is determined as a target user when the number of times of abnormal position updating of the user to be screened in the same resident cell is less than 5.
The preset time period may be a period for acquiring the signaling data, for example, a target user in a day may be determined, and thus, the period for acquiring the signaling data is a day. And acquiring signaling data in one day, and analyzing users to be screened, which have abnormal position updating times less than a preset threshold value in the same resident cell in one day, as target users.
The MSISDN, IMSI, cell number, location area number, total number of location updates, number of abnormal location updates occurring in the same cell, mobile phone model and home location of each user to be screened can be determined according to fields in the signaling data, and specific statistical information is shown in the following table:
the number of times of updating the abnormal position can be counted according to the field in the signaling data, and the number of times of updating the abnormal position appearing in each resident cell is counted by taking the cell as a dimension and is used as the number of times of updating the abnormal position of the same cell.
Specifically, counting users to be screened whose abnormal location update times are less than a preset threshold in the same resident cell within a preset time period according to the abnormal location update information, as target users, includes: acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from the updating information of the A port signaling;
counting the updating times of the abnormal positions of the users to be screened in the same resident cell;
determining users to be screened with abnormal position updating times larger than a preset threshold value as target users
Step 130: and sequencing the target users according to the abnormal position updating times, acquiring a first preset number of target users before sequencing, and forming a target user list.
In the embodiment of the invention, the abnormal position of the target user in the target user list in the preset time period is updated according to the field information in the signaling data.
And sequencing the target users from at least more according to the updating times of the abnormal positions, and forming a target user list by sequencing the target users with a first preset number in front. The embodiment of the present invention does not specifically limit the specific numerical value of the first preset number, and may be set by a person skilled in the art according to a specific scenario. For example, the first predetermined number may be 100. That is, the target user list is a TOP100 list, and the target users on the target user list are the target users ranked 100 times before the abnormal location update times.
Step 140: and acquiring a track of the target user in the target user list within the preset time period according to the updating information of the abnormal position of the target user, wherein the track comprises resident cell information of the target user within the preset time period.
The signaling data in the preset time interval comprises the updating information of the target user on the target user list in the preset time interval, including updating time, user identification, resident cell, location area and abnormal location updating information.
And determining the track information of each target user on the target user list according to the updating time in the preset time period in the signaling data and the resident cell.
In the embodiment of the invention, the target user list and the track information corresponding to the target user are also output and displayed. The user can inquire the relevant information of the target user through a plurality of groups of inquiry conditions, such as time and location updated LAC.
Step 150: and screening out resident cells with the resident time length of the target user larger than the preset time length from the resident cells as target cells based on the tracks.
And counting the updating time in the track information to obtain the residence time of each target user in each resident cell, so as to count the residence time of each resident cell, and screening the resident cells with the residence time of the target user being greater than the preset residence time from the resident cells to serve as the target cells. That is, in the signaling of the port a, the difference between the time recorded for the first time and the time recorded for the last time in the data records of each target user continuously appearing in a certain resident cell is counted to obtain the resident time length of each target user in each resident cell.
The residence time duration is not specifically limited in the embodiment of the present invention, and a person skilled in the art may set the residence time duration according to a specific scenario, for example, in an embodiment of the present invention, the residence time duration may be one hour.
Step 160: and acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating larger than a second preset number as a suspected cell.
And when the number of the users with the failed position updating of the target cell is larger than a second preset number, determining the corresponding target cell as a suspected cell.
The location updating failure includes location updating failure caused by location updating refusal, location updating failure caused by authentication failure, location updating failure caused by other reasons, and the like, and the data can be obtained through an A-port signaling data record.
In this embodiment of the present invention, the second preset number is 100, that is, when the number of users in a certain target cell that fail to update the location is greater than 100, the target cell is determined to be a suspected cell. The suspected cell is a cell in which a mobile pseudo base station exists with a high probability.
Step 170: and determining the target user residing in the suspected cell in the target user list as a suspicious user according to the track.
Wherein, specifically include:
determining a target user in a target user list and with a track covering a suspected cell;
and determining the target users in the target user list and with the tracks covering the suspected cells as suspicious users.
In the embodiment of the present invention, after determining a target user in a target user list and a trajectory of which covers a suspected cell, the method further includes the following steps:
determining whether the target user carries an engineering machine;
and when the target user is in a target user list, the track covers a suspected cell and carries an engineering machine, determining the target user as a suspicious user.
In the embodiment of the invention, whether the user carries the engineering machine or not is determined according to the IMEI field in the signaling data of the A port. This is due to the engineering machine having a specific IMEI.
In the embodiment of the invention, because the probability that the target user carrying the engineering machine carries the pseudo base station is higher, whether the target user is a suspicious user or not is further judged by combining whether the target user carries the engineering machine or not. The engineering machine can be a Nokia engineering machine or other types of engineering machines, and whether the user carries the engineering machine or not can be determined through the IMEI of the engineering machine.
In the embodiment of the invention, the query panel is also established according to the signaling data acquired in real time, the query panel can be clicked to query the position update record of the suspicious user by inputting time and suspicious user information (such as IMSI, IMEI or MSISDN) in the query panel, and the A interface position of the number of the suspicious person is presented in the query result.
And the query panel also comprises track information of the suspicious users. And presenting the activity track of the suspicious user in the map of the query panel according to the signaling data acquired in real time.
According to the embodiment of the invention, the suspicious user list is output according to the abnormal position updating times, the suspicious user track is determined according to the user position updating records, and the suspicious user carrying the pseudo base station is determined according to the suspicious user track, the residence time of the suspicious user in the residence cell and the number of the updating failure users in the residence cell.
Fig. 2 is a schematic structural diagram of an embodiment of a suspected user detecting device carrying a pseudo base station according to the present invention. As shown in fig. 2, the apparatus 200 includes: a data acquisition module 210, a first screening module 220, a second screening module 230, a trajectory determination module 240, a target cell determination module 250, a suspected cell determination module 260, and a suspected user determination module 270.
A data obtaining module 210, configured to obtain signaling data, where the signaling data includes abnormal location update information of a user to be screened;
the first screening module 220 is configured to count, according to the abnormal location update information, users to be screened whose number of times of abnormal location update occurring in the same residential cell within a preset time period is less than a preset threshold, as target users;
the second screening module 230 is configured to sort the target users according to the abnormal location update times, obtain a first preset number of target users before the sorting, and form a target user list;
a track determining module 240, configured to obtain a track of the target user in the target user list in the preset time period according to the update information of the abnormal position of the target user, where the track includes information of a residential area of the target user in the preset time period;
a target cell determining module 250, configured to screen, based on the trajectory, a resident cell in which a resident time of the target user is greater than a preset time from the resident cells, and use the resident cell as a target cell;
a suspected cell determining module 260, configured to obtain the number of users who fail to update the location in the target cell, and use the target cell whose number of users who fail to update the location is greater than a second preset number as a suspected cell;
and a suspicious user determining module 270, configured to determine, according to the trajectory, a target user who resides in the suspected cell in the target user list as a suspicious user.
In an optional manner, acquiring signaling data includes: acquiring signaling data from an A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
In an optional manner, counting, according to the abnormal location update information, users to be screened whose number of times of abnormal location update occurring in the same residential cell within a preset time period is less than a preset threshold, as target users, includes:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from the updating information of the A port signaling;
counting the updating times of the abnormal positions of the users to be screened in the same resident cell;
and determining the users to be screened, of which the updating times of the abnormal positions are greater than a preset threshold value, as target users.
In an optional manner, determining, according to the trajectory, a target user who resides in the suspected cell in the target user list as a suspicious user includes:
determining a target user in a suspicious user list and with a track covering a suspected cell;
and determining the target user in the suspicious user list and with the track covering the suspected cell as the suspicious user.
In an optional mode, after determining the target users in the target user list and the trajectory covers the suspected cell, the method further includes the following steps:
determining whether the target user carries an engineering machine;
and when the target user is in a target user list, the track covers a suspected cell and carries an engineering machine, determining the target user as a suspicious user.
According to the embodiment of the invention, the suspicious user list is output according to the abnormal position updating times, the suspicious user track is determined according to the user position updating records, and the suspicious user carrying the pseudo base station is determined according to the suspicious user track, the residence time of the suspicious user in the residence cell and the number of the updating failure users in the residence cell.
Fig. 3 is a schematic structural diagram illustrating an embodiment of the suspicious user detection device with a pseudo base station according to the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the suspicious user detection device with a pseudo base station.
As shown in fig. 3, the suspicious user detecting device carrying the pseudo base station may include: a processor (processor)302, a communication Interface 304, a memory 306, and a communication bus 308.
Wherein: the processor 302, communication interface 304, and memory 306 communicate with each other via a communication bus 308. A communication interface 304 for communicating with network elements of other devices, such as clients or other servers. The processor 302 is configured to execute the program 310, and may specifically perform relevant steps in the above embodiment of the method for detecting a suspicious user carrying a pseudo base station.
In particular, program 310 may include program code comprising computer-executable instructions.
The processor 302 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits configured to implement an embodiment of the present invention. The suspicious user detection device carrying the pseudo base station comprises one or more processors, which can be processors of the same type, such as one or more CPUs; or may be different types of processors such as one or more CPUs and one or more ASICs.
And a memory 306 for storing a program 310. Memory 306 may comprise high-speed RAM memory and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
Specifically, the program 310 may be invoked by the processor 302 to enable the suspicious user equipment carrying the pseudo base station to perform the following operations:
acquiring signaling data, wherein the signaling data comprises abnormal position updating information of a user to be screened;
counting users to be screened, with the abnormal position updating times smaller than a preset threshold value in the same resident cell within a preset time period, as target users according to the abnormal position updating information;
sequencing the target users according to the abnormal position updating times, acquiring a first preset number of target users before sequencing, and forming a target user list;
according to the updating information of the abnormal position of the target user, acquiring the track of the target user in the target user list in the preset time period, wherein the track comprises resident cell information of the target user in the preset time period;
based on the track, screening out resident cells of which the resident time of the target user is longer than preset time from the resident cells as target cells;
acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating larger than a second preset number as a suspected cell;
and determining the target user residing in the suspected cell in the target user list as a suspicious user according to the track.
In an optional manner, acquiring signaling data includes: acquiring signaling data from an A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
In an optional manner, counting, according to the abnormal location update information, users to be screened whose number of times of abnormal location update occurring in the same residential cell within a preset time period is less than a preset threshold, as target users, includes:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from the updating information of the A port signaling;
counting the updating times of the abnormal positions of the users to be screened in the same resident cell;
and determining the users to be screened, of which the updating times of the abnormal positions are greater than a preset threshold value, as target users.
In an optional manner, determining, according to the trajectory, a target user who resides in the suspected cell in the target user list as a suspicious user includes:
determining a target user in a suspicious user list and with a track covering a suspected cell;
and determining the target user in the suspicious user list and with the track covering the suspected cell as the suspicious user.
In an optional mode, after determining the target users in the target user list and the trajectory covers the suspected cell, the method further includes the following steps:
determining whether the target user carries an engineering machine;
and when the target user is in a target user list, the track covers a suspected cell and carries an engineering machine, determining the target user as a suspicious user.
According to the embodiment of the invention, the suspicious user list is output according to the abnormal position updating times, the suspicious user track is determined according to the user position updating records, and the suspicious user carrying the pseudo base station is determined according to the suspicious user track, the residence time of the suspicious user in the residence cell and the number of the updating failure users in the residence cell.
The embodiment of the present invention provides a computer-readable storage medium, where the storage medium stores at least one executable instruction, and when the executable instruction runs on a suspected user detection device/apparatus carrying a pseudo base station, the suspected user detection device/apparatus carrying the pseudo base station is enabled to execute the suspected user detection method carrying the pseudo base station in any method embodiment described above.
The executable instructions may be specifically configured to cause a suspected user detection device/apparatus carrying a pseudo base station to perform the following operations:
acquiring signaling data, wherein the signaling data comprises abnormal position updating information of a user to be screened;
counting users to be screened, with the abnormal position updating times smaller than a preset threshold value in the same resident cell within a preset time period, as target users according to the abnormal position updating information;
sequencing the target users according to the abnormal position updating times, acquiring a first preset number of target users before sequencing, and forming a target user list;
according to the updating information of the abnormal position of the target user, acquiring the track of the target user in the target user list in the preset time period, wherein the track comprises resident cell information of the target user in the preset time period;
based on the track, screening out resident cells of which the resident time of the target user is longer than preset time from the resident cells as target cells;
acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating larger than a second preset number as a suspected cell;
and determining the target user residing in the suspected cell in the target user list as a suspicious user according to the track.
In an optional manner, acquiring signaling data includes: acquiring signaling data from an A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
In an optional manner, counting, according to the abnormal location update information, users to be screened whose number of times of abnormal location update occurring in the same residential cell within a preset time period is less than a preset threshold, as target users, includes:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from the updating information of the A port signaling;
counting the updating times of the abnormal positions of the users to be screened in the same resident cell;
and determining the users to be screened, of which the updating times of the abnormal positions are greater than a preset threshold value, as target users.
In an optional manner, determining, according to the trajectory, a target user who resides in the suspected cell in the target user list as a suspicious user includes:
determining a target user in a suspicious user list and with a track covering a suspected cell;
and determining the target user in the suspicious user list and with the track covering the suspected cell as the suspicious user.
In an optional mode, after determining the target users in the target user list and the trajectory covers the suspected cell, the method further includes the following steps:
determining whether the target user carries an engineering machine;
and when the target user is in a target user list, the track covers a suspected cell and carries an engineering machine, determining the target user as a suspicious user.
According to the embodiment of the invention, the suspicious user list is output according to the abnormal position updating times, the suspicious user track is determined according to the user position updating records, and the suspicious user carrying the pseudo base station is determined according to the suspicious user track, the residence time of the suspicious user in the residence cell and the number of the updating failure users in the residence cell.
The embodiment of the invention provides a suspicious user detection device with a pseudo base station, which is used for executing the suspicious user detection method with the pseudo base station.
The embodiment of the invention provides a computer program, which can be called by a processor to enable suspicious user detection equipment carrying a pseudo base station to execute the suspicious user detection method carrying the pseudo base station in any method embodiment.
An embodiment of the present invention provides a computer program product, where the computer program product includes a computer program stored on a computer-readable storage medium, and the computer program includes program instructions, when the program instructions are run on a computer, cause the computer to execute the method for detecting a suspicious user carrying a pseudo base station in any of the above-mentioned method embodiments.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.
Claims (10)
1. A method for detecting suspicious users carrying pseudo base stations is characterized in that the method comprises the following steps:
acquiring signaling data, wherein the signaling data comprises abnormal position updating information of a user to be screened;
counting users to be screened, with the abnormal position updating times smaller than a preset threshold value in the same resident cell within a preset time period, as target users according to the abnormal position updating information;
sequencing the target users according to the abnormal position updating times, acquiring a first preset number of target users before sequencing, and forming a target user list;
according to the updating information of the abnormal position of the target user, acquiring the track of the target user in the target user list in the preset time period, wherein the track comprises resident cell information of the target user in the preset time period;
based on the track, screening out resident cells of which the resident time of the target user is longer than preset time from the resident cells as target cells;
acquiring the number of users with failed position updating in the target cell, and taking the target cell with the number of users with failed position updating larger than a second preset number as a suspected cell;
and determining the target user residing in the suspected cell in the target user list as a suspicious user according to the track.
2. The method of claim 1, wherein obtaining signaling data comprises: acquiring signaling data from an A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
3. The method according to claim 2, wherein counting users to be screened whose number of times of abnormal location update occurring in the same residential cell within a preset time period is less than a preset threshold according to the abnormal location update information, as target users, comprises:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from the updating information of the A port signaling;
counting the updating times of the abnormal positions of the users to be screened in the same resident cell;
and determining the users to be screened, of which the updating times of the abnormal positions are greater than a preset threshold value, as target users.
4. The method according to any one of claims 1 to 3, wherein determining the target users who reside in the suspected cell in the target user list as suspicious users according to the trajectory comprises:
determining a target user in a suspicious user list and with a track covering a suspected cell;
and determining the target user in the suspicious user list and with the track covering the suspected cell as the suspicious user.
5. The method of claim 4, wherein after determining the target users in the list of target users whose trajectories cover suspected cells, further comprising the steps of:
determining whether the target user carries an engineering machine;
and when the target user is in a target user list, the track covers a suspected cell and carries an engineering machine, determining the target user as a suspicious user.
6. An apparatus for detecting suspicious users carrying pseudo base stations, the apparatus comprising:
the data acquisition module is used for acquiring signaling data, wherein the signaling data comprises abnormal position updating information of at least one user to be screened;
the first screening module is used for counting users to be screened, of which the abnormal position updating times are smaller than a preset threshold value in the same resident cell within a preset time period, according to the abnormal position updating information, and taking the users as target users;
the second screening module is used for sorting the target users according to the abnormal position updating times, acquiring a first preset number of target users before sorting and forming a target user list;
a track determining module, configured to obtain a track of the target user in the target user list within the preset time period according to the update information of the abnormal position of the target user, where the track includes information of a residential area of the target user within the preset time period;
a target cell determination module, configured to screen, based on the trajectory, a resident cell in the resident cells, where a resident time of the target user is longer than a preset time, as a target cell;
a suspected cell determining module, configured to obtain the number of users who have failed to update the location in the target cell, and use the target cell with the number of users who have failed to update the location being greater than a second preset number as a suspected cell;
and the suspicious user determining module is used for determining the target user residing in the suspected cell in the target user list as a suspicious user according to the track.
7. The apparatus of claim 6, wherein obtaining signaling data comprises: acquiring signaling data from an A-port signaling, wherein the A-port signaling comprises updating information, and the updating information comprises a user identifier, a resident cell, a location area, abnormal location updating information and updating time.
8. The apparatus according to claim 7, wherein the first filtering module counts users to be filtered whose number of times of abnormal location update occurring in the same residential cell within a preset time period is less than a preset threshold according to the abnormal location update information, and as target users, includes:
acquiring abnormal position updating information corresponding to a user to be screened and a corresponding resident cell from the updating information of the A port signaling;
counting the updating times of the abnormal positions of the users to be screened in the same resident cell;
and determining the users to be screened, of which the updating times of the abnormal positions are greater than a preset threshold value, as target users.
9. A suspected user detecting device carrying a pseudo base station, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, which causes the processor to execute the operation of the method for detecting the suspicious user carrying the pseudo base station according to any one of claims 1-5.
10. A computer-readable storage medium, wherein the storage medium has stored therein at least one executable instruction, which when executed on a suspected user detecting device/apparatus carrying a pseudo base station, causes the suspected user detecting device/apparatus carrying the pseudo base station to perform the operations of the suspected user detecting method carrying the pseudo base station according to any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010896623.7A CN114205820B (en) | 2020-08-31 | 2020-08-31 | Suspicious user detection method, suspicious user detection device and suspicious user detection computer equipment carrying pseudo base station |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010896623.7A CN114205820B (en) | 2020-08-31 | 2020-08-31 | Suspicious user detection method, suspicious user detection device and suspicious user detection computer equipment carrying pseudo base station |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114205820A true CN114205820A (en) | 2022-03-18 |
| CN114205820B CN114205820B (en) | 2023-08-15 |
Family
ID=80644293
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010896623.7A Active CN114205820B (en) | 2020-08-31 | 2020-08-31 | Suspicious user detection method, suspicious user detection device and suspicious user detection computer equipment carrying pseudo base station |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114205820B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117119434A (en) * | 2023-10-24 | 2023-11-24 | 北京大也智慧数据科技服务有限公司 | Personnel identification method, device, equipment and storage medium |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104661204A (en) * | 2015-01-05 | 2015-05-27 | 中国联合网络通信集团有限公司 | Positioning method and device for pseudo base station |
| CN105050092A (en) * | 2015-08-21 | 2015-11-11 | 广西英伦信息技术股份有限公司 | Method for locating false base station |
| CN105873068A (en) * | 2016-06-17 | 2016-08-17 | 珠海市魅族科技有限公司 | Pseudo base station identification method and device |
| US20160309332A1 (en) * | 2014-12-19 | 2016-10-20 | Telefonaktiebolaget Lm Ericsson (Publ) | Network node and method for detecting false base stations |
| US20160381545A1 (en) * | 2015-06-26 | 2016-12-29 | Futurewei Technologies, Inc. | System and Method for Faked Base Station Detection |
| CN108243421A (en) * | 2016-12-26 | 2018-07-03 | 中国移动通信集团山东有限公司 | Pseudo-base station recognition methods and system |
| CN108271157A (en) * | 2016-12-30 | 2018-07-10 | 中移(杭州)信息技术有限公司 | A kind of pseudo-base station recognition methods and device |
| CN108513301A (en) * | 2017-02-23 | 2018-09-07 | 中国移动通信有限公司研究院 | A kind of disabled user's recognition methods and device |
| US20200162925A1 (en) * | 2017-05-31 | 2020-05-21 | Apple Inc. | Fake base station detection |
-
2020
- 2020-08-31 CN CN202010896623.7A patent/CN114205820B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160309332A1 (en) * | 2014-12-19 | 2016-10-20 | Telefonaktiebolaget Lm Ericsson (Publ) | Network node and method for detecting false base stations |
| CN104661204A (en) * | 2015-01-05 | 2015-05-27 | 中国联合网络通信集团有限公司 | Positioning method and device for pseudo base station |
| US20160381545A1 (en) * | 2015-06-26 | 2016-12-29 | Futurewei Technologies, Inc. | System and Method for Faked Base Station Detection |
| CN105050092A (en) * | 2015-08-21 | 2015-11-11 | 广西英伦信息技术股份有限公司 | Method for locating false base station |
| CN105873068A (en) * | 2016-06-17 | 2016-08-17 | 珠海市魅族科技有限公司 | Pseudo base station identification method and device |
| CN108243421A (en) * | 2016-12-26 | 2018-07-03 | 中国移动通信集团山东有限公司 | Pseudo-base station recognition methods and system |
| CN108271157A (en) * | 2016-12-30 | 2018-07-10 | 中移(杭州)信息技术有限公司 | A kind of pseudo-base station recognition methods and device |
| CN108513301A (en) * | 2017-02-23 | 2018-09-07 | 中国移动通信有限公司研究院 | A kind of disabled user's recognition methods and device |
| US20200162925A1 (en) * | 2017-05-31 | 2020-05-21 | Apple Inc. | Fake base station detection |
Non-Patent Citations (5)
| Title |
|---|
| HAOCHENG ZHANG ET AL.: "PBSVis: A Visual System for Studying Behavior Patterns of Pseudo Base Stations", 《INTERNATIONAL CONFERENCE OF PIONEERING COMPUTER SCIENCE, ENGINEERS AND EDUCATORS》 * |
| YONGXING LI ET AL.: "Detecting and Tracking Pseudo Base Stations in GSM Signal Hijacking and Frauds: a Visualized Approach", 《INFORMATION SECURITY AND COMPUTER FRAUD》, vol. 5, no. 1 * |
| 付旭轮: "伪基站原理及其侦测定位方法", 科技风, no. 28 * |
| 姚景朋等: "伪基站检测识别系统的设计与实现", 电子设计工程, no. 08 * |
| 闫慧等: "基于大数据的伪基站准实时监控方法的研究", 电信工程技术与标准化, no. 12 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117119434A (en) * | 2023-10-24 | 2023-11-24 | 北京大也智慧数据科技服务有限公司 | Personnel identification method, device, equipment and storage medium |
| CN117119434B (en) * | 2023-10-24 | 2024-04-02 | 北京大也智慧数据科技服务有限公司 | Personnel identification method, device, equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114205820B (en) | 2023-08-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107948943B (en) | Method for identifying different network cards in double-card terminal and server | |
| CN105873068B (en) | Method and device for identifying pseudo base station | |
| EP2403288B1 (en) | System and method for determining commonly used communication terminals and for identifying noisy entities in large-scale link analysis | |
| CN106028279B (en) | Network registration method and device | |
| CN108513301B (en) | Illegal user identification method and device | |
| CN110063071B (en) | Cell selection method and terminal | |
| CN108271157B (en) | Pseudo base station identification method and device | |
| CN108391223B (en) | Method and device for determining lost user | |
| CN112866192B (en) | Method and device for identifying abnormal aggregation behaviors | |
| KR20200088437A (en) | Pseudo base station positioning method, terminal and computer readable storage medium | |
| CN112954626A (en) | Mobile phone signaling data analysis method and device, electronic equipment and storage medium | |
| US20100130191A1 (en) | Method for controlling information trace and core network element | |
| CN114205820B (en) | Suspicious user detection method, suspicious user detection device and suspicious user detection computer equipment carrying pseudo base station | |
| CN104883705A (en) | Problem positioning method for data service complaints and device thereof | |
| CN113301555A (en) | Resident cell determining method, resident cell determining device, resident cell determining equipment, resident cell determining medium and resident cell determining product | |
| EP2273805A1 (en) | A user region locating method and equipment | |
| CN1559043A (en) | Method and equipment for controlling information provided to a user in a network | |
| CN115988549A (en) | Terminal independent networking resident quality determination method, equipment and storage medium | |
| CN106790765A (en) | The recognition methods of insincere MAC Address and device, mobile terminal locating method | |
| CN113163361A (en) | Vehicle information processing method and device and server | |
| CN102547565A (en) | System for position management of mobile user and mobile network on basis of position analysis | |
| CN113810992B (en) | Data processing method and device | |
| CN113891236B (en) | Method, device and computer readable storage medium for checking position information of base station | |
| CN115242620B (en) | Voice service paging failure positioning method and device | |
| CN109842897B (en) | Method and device for verifying signaling data of terminal and readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |