CN114389977B - PCDN (physical downlink packet access) illegal service detection method and device, electronic equipment and storage medium - Google Patents

PCDN (physical downlink packet access) illegal service detection method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN114389977B
CN114389977B CN202111637659.4A CN202111637659A CN114389977B CN 114389977 B CN114389977 B CN 114389977B CN 202111637659 A CN202111637659 A CN 202111637659A CN 114389977 B CN114389977 B CN 114389977B
Authority
CN
China
Prior art keywords
account
target
broadband
address
internet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111637659.4A
Other languages
Chinese (zh)
Other versions
CN114389977A (en
Inventor
叶钧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Corp Ltd filed Critical China Telecom Corp Ltd
Priority to CN202111637659.4A priority Critical patent/CN114389977B/en
Publication of CN114389977A publication Critical patent/CN114389977A/en
Application granted granted Critical
Publication of CN114389977B publication Critical patent/CN114389977B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/50Testing arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/16Threshold monitoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/104Peer-to-peer [P2P] networks

Abstract

The invention relates to a PCDN (physical downlink control channel) violation service detection method, a device, electronic equipment and a storage medium, which relate to the technical field of network technology and security, and the invention provides broadband internet data generated by surfing the internet of a user at a preset time point from target network equipment aiming at each target network equipment in an operator network; determining at least one internet surfing behavior characteristic according to the acquired broadband internet surfing data; if the number of the target internet surfing behavior features exceeds the preset number, determining a target broadband account number using a broadband in the target internet surfing behavior features; if the account type of the target broadband account is a family account, determining that PCDN (physical downlink packet access) violation service exists in the target broadband account; if the account type of the target broadband account is an enterprise account, detecting whether PCDN violation service exists in the target broadband account according to the service type of the target broadband account. The invention can improve the accuracy of detection through behavior analysis and type verification.

Description

PCDN (physical downlink packet access) illegal service detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network technologies and security technologies, and in particular, to a method, an apparatus, an electronic device, and a storage medium for detecting a PCDN violation service.
Background
The PCDN is a P2P content delivery network (English name: P2P CDN), and is a low-cost high-quality content delivery network service constructed by mining and utilizing mass fragmented idle resources of a telecom edge network based on P2P technology. After the customer accesses the service through the integrated PCDN SDK (hereinafter referred to as SDK), the customer can obtain the delivery quality equivalent to (or slightly higher than) the CDN, and meanwhile, the delivery cost is obviously reduced. The method is suitable for service scenes such as video on demand, live broadcast, large file downloading and the like.
The PCDN illegal service is the condition that enterprises and individual clients rent a large amount of broadband (including home broadband products, business broadband products and business private line products) of telecom operators, the purpose of the products is changed without permission, the uplink bandwidth used by themselves is aggregated into a large bandwidth to conduct traffic management, and the large bandwidth is sold in a PCDN service form at low price. PCDN violation traffic is often accompanied by rule-breaking behavior while also presenting serious security risks.
The PCDN illegal service detection method is still a traditional data analysis method in the current industry, such as a big data analysis method based on service installation address data or AAA internet bill. According to the method for analyzing the business installation address data, the data source is the registration information when the broadband account is opened, the authenticity and timeliness are poor, and the accuracy of the detection result is extremely low. The AAA internet bill analysis method is online data in a long period of time, so that the problems of overlarge data volume and large detection difficulty are faced, and the whole network cannot be efficiently and comprehensively checked.
Disclosure of Invention
The invention provides a PCDN (physical downlink control channel) violation service detection method, a device, electronic equipment and a storage medium, which directly acquire online data at a preset time point through network equipment to analyze online behavior and verify types, so that the detection accuracy is improved.
In a first aspect, a method for detecting PCDN violation service provided by an embodiment of the present invention includes:
for each target network device in an operator network, acquiring broadband internet surfing data generated by user internet surfing at a preset time point from the target network device; the target network equipment is network equipment for distributing IP addresses to broadband Internet users;
determining at least one internet surfing behavior characteristic according to the acquired broadband internet surfing data;
if the number of the target internet surfing behavior features exceeds the preset number, determining a target broadband account using a broadband in the target internet surfing behavior features; the target internet surfing behavior characteristic is an internet surfing behavior characteristic which does not meet the household broadband limiting condition;
for each target broadband account, if the account type of the target broadband account is a family account, determining that PCDN (physical downlink packet access) violation service exists in the target broadband account;
If the account type of the target broadband account is an enterprise account, detecting whether PCDN illegal services exist in the target broadband account according to the service type and the account use information of the target broadband account.
According to the method, broadband internet surfing data at a preset time point can be obtained through target network equipment, internet surfing behavior characteristics are analyzed, internet surfing behavior characteristics which do not meet the household broadband limiting conditions are found, when the number of the internet surfing behavior characteristics exceeds the preset number, broadband accounts with the internet surfing behavior characteristics are considered to be illegal risks, if the account type is determined to be a household account, the account type is determined to be illegal, if the account type is determined to be a government enterprise account, whether the rule is illegal or not is determined according to the service type and the account usage information, so that the method reduces the data quantity through analysis of the internet surfing behavior at the preset time point, improves the detection speed, and meanwhile, can improve the detection accuracy through behavior analysis and type verification.
In one possible implementation, the internet surfing behavior feature includes some or all of the following:
the same logical internet address uses the number of different broadband account numbers;
The number of times of dialing the same broadband account number;
the number of times of dialing the same broadband account number under the same MAC address;
the type of the IP address used in the broadband account dialing connection process;
upstream total flow rate for the same logical internet address.
According to the method, the internet surfing behavior characteristics can be determined through the aspects of the logical internet surfing address, the dialing times of the broadband account, the address type and the flow rate, the illegal behaviors are analyzed, and the detection accuracy is improved.
In one possible implementation, the logical internet address is determined by:
and taking the Loopback address of the target network equipment, the port of the target network equipment and the address formed by the Internet VLAN in the broadband Internet surfing data as a logic Internet surfing address.
The method can make the address formed by the Loopback address of the target network equipment, the port of the target network equipment and the Internet VLAN be the unique address as the logic Internet address, thereby making the logic Internet address unique and improving the detection convenience.
In one possible implementation manner, if the internet behavior feature is the number of different bandwidths used by the same logical internet address, the corresponding home use bandwidth constraint condition is that the number of different bandwidths used by the same logical internet address exceeds a preset number;
If the internet surfing behavior is characterized by the same number of times of dialing of the broadband account, the corresponding family use broadband limiting condition is that the same number of times of dialing of the broadband account exceeds a first preset number of times;
if the internet behavior characteristic is the number of times of dialing the same broadband account number under the same MAC address, the corresponding household use broadband limiting condition is that the number of times of dialing the same broadband account number under the same MAC address exceeds a second preset number of times;
if the internet behavior characteristic is the IP address type used in the broadband account dial-up connection process, the corresponding limitation condition of the home use broadband is that the IP address type used in the broadband account dial-up connection process is the IPv4 public network type;
if the internet surfing behavior is characterized by the uplink total flow rate of the same logical internet surfing address, the corresponding household use broadband limiting condition is that the uplink total flow rate of the same logical internet surfing address is larger than the downlink total flow rate.
According to the method, each Internet surfing behavior feature is judged through the home use broadband limiting condition corresponding to each Internet surfing behavior feature, so that the judgment is targeted, and the judgment accuracy is improved.
In one possible implementation manner, according to the service type and the account usage information of the target broadband account, detecting whether the target broadband account has the PCDN violation service includes:
If the company service type of the target broadband account is not the preset type and the internet geographic address in the account use information of the target broadband account is consistent with the installed address, determining that the PCDN violation service does not exist in the target broadband account; the preset type is a company service type without using requirements; the use requirement comprises a part or all of the same-address multi-dialing, the public network single stack and the public network double stack;
if the service type of the target broadband account is a preset type, the target broadband account has authentication information required by the account of the preset type, and the internet geographic address and the installed address in the account use information of the target broadband account are consistent, determining that PCDN (physical digital code division multiple access) illegal services do not exist in the target broadband account;
if the service type of the target broadband account is a preset type, and the target broadband account does not have authentication information required by the account of the preset type or the internet geographic address and the installed address in the account use information of the target broadband account are inconsistent, determining that PCDN (physical digital code division multiple access) violation service exists in the target broadband account.
According to the method, whether the violations exist is determined through the judgment of the service type and the judgment of whether the Internet surfing geographic address is consistent with the installed address, and whether the violations exist is judged through the triple judgment of the service type, the authentication information and the account number use information, so that the judgment accuracy is improved.
In a second aspect, a PCDN violation service detection device provided by an embodiment of the present invention includes:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring broadband internet surfing data generated by user internet surfing at a preset time point from target network equipment aiming at each target network equipment in an operator network; the target network equipment is network equipment for distributing IP addresses to broadband Internet users;
the determining module is used for determining at least one internet surfing behavior characteristic according to the acquired broadband internet surfing data; if the number of the target internet surfing behavior features exceeds the preset number, determining target broadband accounts used in the target internet surfing behavior features; the target internet surfing behavior characteristic is an internet surfing behavior characteristic which does not meet the household broadband limiting condition;
the violation judging module is used for determining that PCDN violation business exists in each target broadband account if the account type of the target broadband account is a family account; if the account type of the target broadband account is an enterprise account, detecting whether PCDN illegal services exist in the target broadband account according to the service type and the account use information of the target broadband account.
In one possible implementation, the internet surfing behavior feature includes some or all of the following:
the same logical internet address uses the number of different broadband account numbers;
the number of times of dialing the same broadband account number;
the number of times of dialing the same broadband account number under the same MAC address;
the type of the IP address used in the broadband account dialing connection process;
upstream total flow rate for the same logical internet address.
In one possible implementation manner, the violation judging module is specifically configured to:
if the company service type of the target broadband account is not the preset type and the internet geographic address in the account use information of the target broadband account is consistent with the installed address, determining that the PCDN violation service does not exist in the target broadband account; the preset type is a company service type without using requirements; the use requirement comprises a part or all of the same-address multi-dialing, the public network single stack and the public network double stack;
if the service type of the target broadband account is a preset type, the target broadband account has authentication information required by the account of the preset type, and the internet geographic address and the installed address in the account use information of the target broadband account are consistent, determining that PCDN (physical digital code division multiple access) illegal services do not exist in the target broadband account;
If the service type of the target broadband account is a preset type, and the target broadband account does not have authentication information required by the account of the preset type or the internet geographic address and the installed address in the account use information of the target broadband account are inconsistent, determining that PCDN (physical digital code division multiple access) violation service exists in the target broadband account.
In a third aspect, the present application further provides an electronic device, including: a processor and a memory;
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the PCDN violation traffic detection method according to any of the first aspects.
In a fourth aspect, the present application further provides a storage medium, which when executed by a processor of an electronic device, causes the electronic device to perform the PCDN violation traffic detection method according to any of the first aspects.
In addition, the technical effects caused by implementing any implementation manner of the first aspect when the second aspect to the fourth aspect are executed by the processing unit may refer to the technical effects caused by different implementation manners of the first aspect, which are not described herein again.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention and do not constitute a undue limitation on the invention.
Fig. 1 is a flowchart of a PCDN violation service detection method provided in an embodiment of the present invention;
fig. 2 is a structural diagram of a connection relationship between an electronic device and a plurality of target network devices according to an embodiment of the present invention;
FIG. 3 is a flowchart for obtaining broadband Internet surfing data according to an embodiment of the present invention;
fig. 4 is a block diagram of a PCDN violation service detecting device provided in an embodiment of the present invention;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to enable a person skilled in the art to better understand the technical solutions of the present invention, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings.
At present, enterprises and individual clients rent a large amount of broadband for telecom operators, the purpose of products is changed without permission, and the self-used uplink bandwidth is aggregated to form a large bandwidth for traffic management, so that the security is lower.
In order to avoid the above, embodiments of the present invention propose a solution, which is described in detail below with reference to the accompanying drawings.
Referring to fig. 1, an embodiment of the present invention proposes a PCDN violation service detection method, which is applied to an electronic device, and includes:
s100: for each target network device in an operator network, acquiring broadband internet surfing data generated by user internet surfing at a preset time point from the target network device; the target network equipment is used for distributing IP addresses to broadband Internet users;
wherein the target network device is a BAS/MSE network device; the preset time point may be any time point, for example, the preset time point is a time point after the electronic device is connected, and the broadband internet data is real-time broadband service online information on the BAS/MSE network device.
Broadband internet data such as broadband account numbers, IP addresses, MAC addresses, internet VLANs, BAS/MSE Loopback addresses, BAS ports, etc.
S101: determining at least one internet surfing behavior characteristic according to the acquired broadband internet surfing data;
the internet surfing behavior characteristics comprise the following parts or all of the following parts:
the same logical internet address uses the number of different broadband account numbers;
The number of times of dialing the same broadband account number;
the number of times of dialing the same broadband account number under the same MAC address;
the type of the IP address used in the broadband account dialing connection process;
upstream total flow rate for the same logical internet address.
The same logical internet address uses the number of different broadband accounts to indicate that the user uses the same internet path to internet through different broadband accounts, so that a plurality of broadband are installed at the same logical internet address. The ordinary family is 2-8 families, so the family account does not need to install a plurality of broadband. Therefore, the number of different broadband accounts used by the same logical internet address is counted, and whether the broadband account is a family account can be verified.
The same number of times of dialing the broadband account number indicates the number of times that the user uses the same broadband account number to surf the internet, and the number of times of surfing the internet at the same time of a common family is not too large, so that the same number of times of dialing the broadband account number is counted, and whether the broadband account number is the family account number can be verified.
The number of times of dialing the same broadband account number under the same MAC address, wherein the MAC address represents the address of a terminal, the address is set by the terminal in a factory, the number of times that a user uses the same terminal to surf the internet is represented, and the common call does not have too many times at the same time point, so that the number of times of dialing the same broadband account number under the same MAC address is counted, and whether the broadband account number is a family account number can be verified.
In general, the type of the address used for home configuration is not an IPV4 public network address, so that the type of the IP address used in the broadband account dial-up connection process can be verified whether the broadband account is a home account.
In general, the internet flow rate of the home cannot be larger than the downlink flow rate, and the uplink total flow rate of the same logical internet address can verify whether the broadband account is a home account.
Wherein the logical internet address is determined by:
and taking the Loopback address of the target network equipment, the port of the target network equipment and the address formed by the Internet VLAN in the broadband Internet surfing data as a logic Internet surfing address.
The target network device is BAS/MSE network device;
because the Loopback address of the BAS/MSE network equipment, the port of the target network equipment and the address formed by the Internet VLAN are unique, the unique address is used as the logical Internet address for distinguishing, and the number of different broadband accounts used by the same logical Internet address is studied.
S102: if the number of the target internet surfing behavior features exceeds the preset number, determining a target broadband account number using a broadband in the target internet surfing behavior features; the target internet surfing behavior characteristic is an internet surfing behavior characteristic which does not meet the household broadband limiting condition;
If the internet surfing behavior is characterized by the number of different bandwidths used by the same logical internet surfing address, the corresponding limitation condition of the home use bandwidth is that the number of different bandwidths used by the same logical internet surfing address exceeds the preset number;
if the internet behavior characteristic is the same number of times of dialing the broadband account, the corresponding family uses the broadband limiting condition to be that the same number of times of dialing the broadband account exceeds a first preset number of times;
if the internet behavior is characterized by the number of times of dialing the same broadband account number under the same MAC address, the corresponding household use broadband limiting condition is that the number of times of dialing the same broadband account number under the same MAC address exceeds a second preset number of times; for example, the second preset number of times is 1 time;
if the internet behavior characteristic is the IP address type used in the broadband account dial-up connection process, the corresponding limitation condition of the home use broadband is that the IP address type used in the broadband account dial-up connection process is the IPv4 public network type;
if the internet behavior is characterized by the uplink total flow rate of the same logical internet address, the corresponding household use broadband limiting condition is that the uplink total flow rate of the same logical internet address is larger than the downlink total flow rate.
Further, the number obtained by weighted summation of the numbers may be compared with a preset number. For example, each target internet surfing behavior feature is weighted to obtain a number.
The formula is as follows:
Q=∑K i ×T i
wherein K is i Weight of internet surfing behavior characteristic of ith target, T i The internet surfing behavior characteristic of the ith target. The weight of each target internet behavior feature is preset, for example, the number of different broadband accounts used by the same logical internet address exceeds the preset number, then K i ×T i Is 0.5 times 1; the number of dialing times of the same broadband account number exceeds the first preset number, then K i ×T i Is 0.3 times 1; phase under the same MAC addressThe number of dialing times of the same broadband account number exceeds a second preset number of times, then K i ×T i Is 0.3 times 1; the IP address type used in the broadband account dial-up connection process is IPv4 public network type, then K i ×T i Is 0.7 times 1; the uplink total flow rate of the same logical Internet address is larger than the downlink total flow rate, then K i ×T i Is 0.5 times 1; then the number is 2.3 compared to the preset number.
The first preset number of times may be the number of times of use of a general household, for example, 4 times, or the maximum value of the limit of the BAS/MSE to a single user. Of course, if the usage number of the ordinary family corresponds to a weight of 0.3, the maximum value of the bas/MSE to the single user restriction corresponds to a weight of 0.8.
The foregoing is merely exemplary, and the present invention is not limited thereto.
S103: for each target broadband account, if the account type of the target broadband account is a family account, determining that PCDN (physical downlink packet access) violation service exists in the target broadband account;
s104: if the account type of the target broadband account is an enterprise account, detecting whether PCDN violation business exists in the target broadband account according to the business type and the account use information of the target broadband account.
In detail, if the company service type of the target broadband account is not a preset type and the internet geographic address and the installed address in the account usage information of the target broadband account are consistent, determining that the PCDN violation service does not exist in the target broadband account; the preset type is a company service type without using requirements; the use requirement comprises a part or all of the same-address multi-dialing, the public network single stack and the public network double stack;
if the service type of the target broadband account is a preset type, the target broadband account has authentication information required by the account of the preset type, and the internet geographic address and the installed address in the account use information of the target broadband account are consistent, determining that PCDN (physical digital code division multiple access) illegal services do not exist in the target broadband account;
if the service type of the target broadband account is a preset type, and the target broadband account does not have authentication information required by the account of the preset type or the internet geographic address and the installed address in the account use information of the target broadband account are inconsistent, determining that PCDN (physical digital code division multiple access) violation service exists in the target broadband account.
The internet geographic address may determine an internet physical address by calling data of the CRM system according to a logical internet address of the target broadband account, that is, determining the internet physical address by using information such as a Loopback address of the target network device, a port of the target network device, an installation position of the device on the internet VLAN, an area using the device, and the like, for example, a number of a certain cell a building 102.
The installed address is recorded in the data of the CRM system by calling the data of the CRM system, so that the corresponding installed address can be directly found according to the target broadband account number.
Wherein, the preset type is science and technology type, and the non-preset type can be a hospital, a hotel and the like. The authentication information required by the account of the preset type can be a qualification certificate and an information security commitment.
In detail, the information such as user identity, business use, operation qualification and the like of the target broadband account can be queried through CRM system (customer relationship management) data.
The method comprises the steps that through a CRM system (customer relationship management), if the account type of a target broadband account is found to be a family account, determining that PCDN violation service exists in the target broadband account;
if the account type of the target broadband account is determined to be an enterprise account, judging whether the service type is scientific and technological, judging whether the internet geographic address in the account use information of the target broadband account is consistent with the installed address, and if the internet geographic address in the account use information of the target broadband account is not scientific and technological, judging that the internet geographic address in the account use information of the target broadband account is consistent with the installed address, and no PCDN illegal service exists; if the network address is scientific and technological, checking whether the network address is qualified, if the network address is qualified, the network address is consistent with the installed address, and if the network address is inconsistent with the installed address, the network address is inconsistent with the installed address.
As an example, referring to fig. 2, the electronic device 200 is connected to the target network devices 1 to n, respectively, and the electronic device 200 collects broadband internet data on the target network devices 1 to n in the IP metropolitan area network at any time node; for example, n pieces of broadband internet data are collected in total, and each piece of broadband internet data obtains information mn, so as to obtain an information sequence m= { M1, M2 … mn }.
Determining internet surfing behavior characteristics of broadband internet surfing data in each target network device, analyzing whether the internet surfing behavior characteristics meet corresponding household broadband use limiting conditions, and determining target broadband accounts using broadband in a plurality of target internet surfing behavior characteristics if the number of the target internet surfing behavior characteristics exceeds a preset number; and determining whether the PCDN violation service exists in the target broadband account by analyzing the account type, the service type and the account use information.
The process of obtaining broadband internet data from a target network device is shown in conjunction with fig. 3:
s300: using Socket application programming interface to realize TCP/IP data transmission between electronic equipment and target network equipment, simulating Telnet remote control connection;
s301: after telnet connection is established, the target network equipment sends user name input prompt information to the electronic equipment; the electronic equipment sends a user name field;
S302: the target network device sends a password input prompt message to the electronic device; the electronic equipment sends the password;
s303: the target network equipment verifies the user name and password information input before, and the electronic equipment is allowed to enter the target network equipment to acquire the operation authority after the verification is passed;
s304: the verification process of the password is returned when the verification fails; wherein the target network device supports verification of multiple groups of password; if all the password checks fail, the connection is interrupted and failure information is returned;
s305: the electronic equipment sends a query instruction to the network equipment and starts a timer;
s306: continuously monitoring socket connection and acquiring a data stream;
s307: detecting the data flow at regular time, and detecting whether an execution finishing signal is received; if yes, ending, otherwise, executing S308;
s308: whether the time-out is timed out is checked, if yes, the process is ended, otherwise S306 is executed.
The broadband internet access data are acquired information logs, and when the internet access behavior characteristics are determined, broadband internet access data such as broadband account numbers, IP addresses, MAC addresses, internet VLAN, BAS/MSE Loopback addresses, BAS ports and the like are read from character strings of the information logs;
counting the number of different broadband accounts used by the same logical internet address; the number of times of dialing the same broadband account number; the number of times of dialing the same broadband account number under the same MAC address; the type of the IP address used in the broadband account dialing connection process; upstream total flow rate for the same logical internet address.
Wherein the logical internet address is obtained according to BAS/MSE Loopback address+BAS port+internet VLAN.
Further, the information sequence m is grouped according to BAS/MSE Loopback addresses, namely, different target network devices are grouped; broadband internet data corresponding to each BAS/MSE can be regarded as an independent access area, and cross-regional comparison is not needed; independent feature analysis operations are performed on the packets M1, M2, … mn, and subsequent steps will be described with broadband internet data of a single target network device M.
The length of the information sequence M to be processed is N, and the cyclic operation is carried out on all elements M [ i ] in the M; loop operation is performed from sequence number i=0 to N-1;
(1) When i < N, defining a feature counter M [ i ]. Count=0, defining a valid flag M [ i ]. Tag=f;
(2) When i=0, M [ i ] feature counter=1, M [ i ] is marked with a valid flag;
(3) i=i+1, jump procedure (1);
(4) When i </SUB > N, starting sequence internal feature comparison, and executing cyclic operation on the element M [ j ] before M [ i ]; loop operation is performed from sequence number j=0 to i-1;
(5) When j < = i, judging the consistency of M [ i ] and M [ j ] characteristics, if yes, carrying out a flow (6); otherwise, performing a process (7);
(6) M [ j ] feature counter +1, jump procedure (3);
(7) j=j+1, jump procedure (5);
(8) When j > =i, M [ j ] circulates the task to finish execution; judging whether the M [ i ] is marked with a valid mark, if so, counting the M [ i ] characteristic counter +1, and jumping to the process (3); if not, directly skipping the process (3);
(9) When i > =n, M [ i ] circulates the task and finishes executing, output all information data that is effectively marked as T.
Performing online behavior feature analysis on m, and counting the number of different broadband accounts used by the same logical online address; the number of times of dialing the same broadband account number; the number of times of dialing the same broadband account number under the same MAC address; the type of the IP address used in the broadband account dialing connection process; upstream total flow rate for the same logical internet address. Screening out a surfing information sequence f with an effective mark set as T from m;
the analysis of the internet surfing behavior is characterized in that:
whether the number of different broadband used by the same logical internet address exceeds the preset number is judged, and the preset number is 10. More specifically, more than 10 broadband devices are installed on the same logical internet address, and most of the broadband devices are clients with real same-address multi-broadband requirements, such as party armies, campuses, hospitals and the like; the logical internet address is obtained by BAS/MSE Loopback address, BAS port and internet VLAN;
Whether the number of times of dialing the same broadband account exceeds a first preset number of times, wherein the first preset number of times is 4 times; the first preset number of times may also be a maximum value of the BAS/MSE restrictions on the individual users;
whether the number of times of dialing the same broadband account number exceeds a second preset number of times under the same MAC address, namely, the same broadband account number is dialed for multiple times, and the same MAC address is reused by multiple times of dialing;
whether the IP address type used in the broadband account dial-up connection process is an IPv4 public network type or not;
whether the uplink total flow rate of the same logical internet address is larger than the downlink total flow rate;
screening an information sequence M' which accords with the suspicious illegal PCDN internet surfing characteristics; if the number of the target internet surfing behavior features exceeds the preset number, determining a target broadband account using a broadband in the plurality of target internet surfing behavior features, wherein the target broadband account is a suspected illegal account, and the mark is set to be 1;
introducing CRM system (customer relationship management) data, and inquiring information such as user identity, business use, operation qualification, account use information and the like corresponding to a target broadband account with a set 1;
checking account types: if the account type is a family account, namely the user corresponding to the account type is personal, namely PCDN violation service exists, and a suspected violation flag is reserved for the target broadband account;
And (3) checking the service type: if the account type is enterprise account, that is, the user corresponding to the account type is company, if the user is company, some of the companies use part or all of the co-located multi-dialing, public network single stack and public network dual stack. For such companies, and the internet geographic address and the installed address in the account usage information of the target broadband account are consistent, no PCDN violation service is considered to exist. For example, the name of the analysis company, including hospitals, hotels, i.e., non-technical types.
And (3) qualification checking: if the name of the company is analyzed, the name comprises science and technology, the service type is science and technology, whether the service type has a relevant qualification certificate or not is checked, whether an information security commitment is signed or not is checked, the service type is provided, and the internet geographic address and the installed address in the account use information of the target broadband account are consistent, and the suspected illegal flag is set to be 0; otherwise, the suspected illegal marks are reserved;
and deleting the entry with the suspected violation mark of 0, and forming an analysis result according to the user corresponding to the target broadband account with the suspected violation mark.
The embodiment of the invention also provides a device for detecting PCDN illegal services, which is shown in combination with fig. 4 and comprises the following steps:
An obtaining module 400, configured to obtain, for each target network device in an operator network, broadband internet data generated by user surfing the internet at a preset time point from the target network device; the target network equipment is network equipment for distributing IP addresses to broadband Internet users;
a determining module 401, configured to determine at least one internet surfing behavior feature according to the acquired broadband internet surfing data; if the number of the target internet surfing behavior features exceeds the preset number, determining target broadband accounts used in the target internet surfing behavior features; the target internet surfing behavior characteristic is an internet surfing behavior characteristic which does not meet the household broadband limiting condition;
the violation judging module 402 is configured to determine, for each target broadband account, that a PCDN violation service exists in the target broadband account if the account type of the target broadband account is a home account; if the account type of the target broadband account is an enterprise account, detecting whether PCDN illegal services exist in the target broadband account according to the service type and the account use information of the target broadband account.
Optionally, the internet surfing behavior feature includes some or all of the following:
The same logical internet address uses the number of different broadband account numbers;
the number of times of dialing the same broadband account number;
the number of times of dialing the same broadband account number under the same MAC address;
the type of the IP address used in the broadband account dialing connection process;
upstream total flow rate for the same logical internet address.
Optionally, the determining module 401 is specifically configured to:
and taking the Loopback address of the target network equipment, the port of the target network equipment and the address formed by the Internet VLAN in the broadband Internet surfing data as a logic Internet surfing address.
Optionally, if the internet behavior feature is the number of different bandwidths used by the same logical internet address, the corresponding home use bandwidth constraint condition is that the number of different bandwidths used by the same logical internet address exceeds a preset number;
if the internet surfing behavior is characterized by the same number of times of dialing of the broadband account, the corresponding family use broadband limiting condition is that the same number of times of dialing of the broadband account exceeds a first preset number of times;
if the internet behavior characteristic is the number of times of dialing the same broadband account number under the same MAC address, the corresponding household use broadband limiting condition is that the number of times of dialing the same broadband account number under the same MAC address exceeds a second preset number of times;
If the internet behavior characteristic is the IP address type used in the broadband account dial-up connection process, the corresponding limitation condition of the home use broadband is that the IP address type used in the broadband account dial-up connection process is the IPv4 public network type;
if the internet surfing behavior is characterized by the uplink total flow rate of the same logical internet surfing address, the corresponding household use broadband limiting condition is that the uplink total flow rate of the same logical internet surfing address is larger than the downlink total flow rate.
Optionally, the violation determination module 402 is specifically configured to:
if the company service type of the target broadband account is not the preset type and the internet geographic address in the account use information of the target broadband account is consistent with the installed address, determining that the PCDN violation service does not exist in the target broadband account; the preset type is a company service type without using requirements; the use requirement comprises a part or all of the same-address multi-dialing, the public network single stack and the public network double stack;
if the service type of the target broadband account is a preset type, the target broadband account has authentication information required by the account of the preset type, and the internet geographic address and the installed address in the account use information of the target broadband account are consistent, determining that PCDN (physical digital code division multiple access) illegal services do not exist in the target broadband account;
If the service type of the target broadband account is a preset type, and the target broadband account does not have authentication information required by the account of the preset type or the internet geographic address and the installed address in the account use information of the target broadband account are inconsistent, determining that PCDN (physical digital code division multiple access) violation service exists in the target broadband account.
In an exemplary embodiment, a storage medium is also provided, e.g., a memory, comprising instructions executable by a processor of an electronic device to perform the above-described PCDN violation traffic detection method. Alternatively, the storage medium may be a non-transitory computer readable storage medium, which may be, for example, ROM, random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, and the like.
The embodiment of the invention provides electronic equipment, which comprises:
comprising the following steps: a processor and a memory;
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the PCDN violation traffic detection method according to any of the preceding claims.
Based on the above description, the electronic device structure of fig. 5 is proposed by way of example.
The electronic device may include a processor 510 and a memory 520 storing computer program instructions.
In particular, the processor 510 may include a Central Processing Unit (CPU), or an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or may be configured as one or more integrated circuits that implement embodiments of the present invention.
Memory 520 may include mass storage for data or instructions. By way of example, and not limitation, memory 520 may comprise a Hard Disk Drive (HDD), floppy Disk Drive, flash memory, optical Disk, magneto-optical Disk, magnetic tape, or universal serial bus (Universal Serial Bus, USB) Drive, or a combination of two or more of the foregoing. Memory 520 may include removable or non-removable (or fixed) media, where appropriate. Memory 520 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 520 is a non-volatile solid state memory. In particular embodiments, memory 520 includes Read Only Memory (ROM). The ROM may be mask programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically Erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or flash memory, or a combination of two or more of these, where appropriate.
Processor 510 reads and executes computer program instructions stored in memory 520 to implement any of the PCDN violation service detection methods of the embodiments described above.
In one example, the electronic device may also include a communication interface 530 and a bus 540. As shown in fig. 5, the processor 510, the memory 520, and the communication interface 530 are connected to each other by a bus 540 and perform communication with each other.
The communication interface 530 is mainly used to implement communication between each module, device, unit and/or apparatus in the embodiment of the present invention.
Bus 540 includes hardware, software, or both that couple components of the electronic device to one another. By way of example, and not limitation, the buses may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an infiniband interconnect, a Low Pin Count (LPC) bus, a memory bus, a micro channel architecture (MCa) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a video electronics standards association local (VLB) bus, or other suitable bus, or a combination of two or more of the above. Bus 540 may include one or more buses, where appropriate. Although embodiments of the invention have been described and illustrated with respect to a particular bus, the invention contemplates any suitable bus or interconnect.
The electronic device can execute the PCDN violation service detection method based on the received task, thereby realizing the PCDN violation service detection method and the device described in connection with figures 1-4.
In addition, in combination with the electronic device in the foregoing embodiment, the embodiment of the present invention may provide a storage medium, where the instructions in the storage medium are executed by a processor of the electronic device, so that the electronic device can perform the PCDN violation service detection method according to any of the foregoing embodiments.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. The method for detecting the PCDN violation service is characterized by comprising the following steps:
for each target network device in an operator network, acquiring broadband internet surfing data generated by user internet surfing at a preset time point from the target network device; the target network equipment is network equipment for distributing IP addresses to broadband Internet users;
determining at least one internet surfing behavior characteristic according to the acquired broadband internet surfing data;
if the number of the target internet surfing behavior features exceeds the preset number, determining a target broadband account using a broadband in the target internet surfing behavior features; the target internet surfing behavior characteristic is an internet surfing behavior characteristic which does not meet the household broadband limiting condition;
for each target broadband account, if the account type of the target broadband account is a family account, determining that PCDN (physical downlink packet access) violation service exists in the target broadband account;
If the account type of the target broadband account is an enterprise account, detecting whether PCDN illegal services exist in the target broadband account according to the service type and the account use information of the target broadband account.
2. The PCDN violation service detection method according to claim 1, wherein the internet surfing behavior feature includes some or all of:
the same logical internet address uses the number of different broadband account numbers;
the number of times of dialing the same broadband account number;
the number of times of dialing the same broadband account number under the same MAC address;
the type of the IP address used in the broadband account dialing connection process;
upstream total flow rate for the same logical internet address.
3. The PCDN violation service detection method according to claim 2, wherein the logical internet address is determined by:
and taking the Loopback address of the target network equipment, the port of the target network equipment and the address formed by the Internet VLAN in the broadband Internet surfing data as a logic Internet surfing address.
4. The PCDN violation service detection method according to claim 2, wherein:
if the internet surfing behavior is characterized by the number of different bandwidths used by the same logical internet surfing address, the corresponding limitation condition of the home use bandwidth is that the number of different bandwidths used by the same logical internet surfing address exceeds the preset number;
If the internet surfing behavior is characterized by the same number of times of dialing of the broadband account, the corresponding family use broadband limiting condition is that the same number of times of dialing of the broadband account exceeds a first preset number of times;
if the internet behavior characteristic is the number of times of dialing the same broadband account number under the same MAC address, the corresponding household use broadband limiting condition is that the number of times of dialing the same broadband account number under the same MAC address exceeds a second preset number of times;
if the internet behavior characteristic is the IP address type used in the broadband account dial-up connection process, the corresponding limitation condition of the home use broadband is that the IP address type used in the broadband account dial-up connection process is the IPv4 public network type;
if the internet surfing behavior is characterized by the uplink total flow rate of the same logical internet surfing address, the corresponding household use broadband limiting condition is that the uplink total flow rate of the same logical internet surfing address is larger than the downlink total flow rate.
5. The PCDN violation service detection method according to any of claims 1-4, wherein detecting whether a target broadband account has a PCDN violation service according to the service type and account usage information of the target broadband account includes:
if the company service type of the target broadband account is not the preset type and the internet geographic address in the account use information of the target broadband account is consistent with the installed address, determining that the PCDN violation service does not exist in the target broadband account; the preset type is a company service type without using requirements; the use requirement comprises a part or all of the same-address multi-dialing, the public network single stack and the public network double stack;
If the service type of the target broadband account is a preset type, the target broadband account has authentication information required by the account of the preset type, and the internet geographic address and the installed address in the account use information of the target broadband account are consistent, determining that PCDN (physical digital code division multiple access) illegal services do not exist in the target broadband account;
if the service type of the target broadband account is a preset type, and the target broadband account does not have authentication information required by the account of the preset type or the internet geographic address and the installed address in the account use information of the target broadband account are inconsistent, determining that PCDN (physical digital code division multiple access) violation service exists in the target broadband account.
6. A PCDN violation service detection device, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring broadband internet surfing data generated by user internet surfing at a preset time point from target network equipment aiming at each target network equipment in an operator network; the target network equipment is network equipment for distributing IP addresses to broadband Internet users;
the determining module is used for determining at least one internet surfing behavior characteristic according to the acquired broadband internet surfing data; if the number of the target internet surfing behavior features exceeds the preset number, determining target broadband accounts used in the target internet surfing behavior features; the target internet surfing behavior characteristic is an internet surfing behavior characteristic which does not meet the household broadband limiting condition;
The violation judging module is used for determining that PCDN violation business exists in each target broadband account if the account type of the target broadband account is a family account; if the account type of the target broadband account is an enterprise account, detecting whether PCDN illegal services exist in the target broadband account according to the service type and the account use information of the target broadband account.
7. The PCDN violation service detection device according to claim 6, wherein the internet surfing behavior feature includes some or all of:
the same logical internet address uses the number of different broadband account numbers;
the number of times of dialing the same broadband account number;
the number of times of dialing the same broadband account number under the same MAC address;
the type of the IP address used in the broadband account dialing connection process;
upstream total flow rate for the same logical internet address.
8. The PCDN violation service detecting device according to claim 6 or 7, wherein the violation judging module is specifically configured to:
if the company service type of the target broadband account is not the preset type and the internet geographic address in the account use information of the target broadband account is consistent with the installed address, determining that the PCDN violation service does not exist in the target broadband account; the preset type is a company service type without using requirements; the use requirement comprises a part or all of the same-address multi-dialing, the public network single stack and the public network double stack;
If the service type of the target broadband account is a preset type, the target broadband account has authentication information required by the account of the preset type, and the internet geographic address and the installed address in the account use information of the target broadband account are consistent, determining that PCDN (physical digital code division multiple access) illegal services do not exist in the target broadband account;
if the service type of the target broadband account is a preset type, and the target broadband account does not have authentication information required by the account of the preset type or the internet geographic address and the installed address in the account use information of the target broadband account are inconsistent, determining that PCDN (physical digital code division multiple access) violation service exists in the target broadband account.
9. An electronic device, comprising: a processor and a memory;
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the PCDN violation traffic detection method of any of claims 1-5.
10. A storage medium, comprising: the instructions in the storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the PCDN violation traffic detection method of any of claims 1-5.
CN202111637659.4A 2021-12-29 2021-12-29 PCDN (physical downlink packet access) illegal service detection method and device, electronic equipment and storage medium Active CN114389977B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111637659.4A CN114389977B (en) 2021-12-29 2021-12-29 PCDN (physical downlink packet access) illegal service detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111637659.4A CN114389977B (en) 2021-12-29 2021-12-29 PCDN (physical downlink packet access) illegal service detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114389977A CN114389977A (en) 2022-04-22
CN114389977B true CN114389977B (en) 2024-03-19

Family

ID=81200673

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111637659.4A Active CN114389977B (en) 2021-12-29 2021-12-29 PCDN (physical downlink packet access) illegal service detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114389977B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116962255B (en) * 2023-09-20 2023-11-21 武汉博易讯信息科技有限公司 Detection method, system, equipment and readable medium for finding PCDN user

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130053166A (en) * 2011-11-15 2013-05-23 주식회사 크레블 Isp managed p2p cdn service system and providing method thereof
CN111600750A (en) * 2020-05-11 2020-08-28 北京庭宇科技有限公司 Speed limit detection method and system for PCDN network node flow
CN111988745A (en) * 2020-09-02 2020-11-24 腾讯科技(深圳)有限公司 Target user determination method, device, equipment and medium based on WiFi connection data
CN113179328A (en) * 2021-05-19 2021-07-27 上海七牛信息技术有限公司 Resource distribution method and system for PCDN (Primary Contourlet distribution) network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130053166A (en) * 2011-11-15 2013-05-23 주식회사 크레블 Isp managed p2p cdn service system and providing method thereof
CN111600750A (en) * 2020-05-11 2020-08-28 北京庭宇科技有限公司 Speed limit detection method and system for PCDN network node flow
CN111988745A (en) * 2020-09-02 2020-11-24 腾讯科技(深圳)有限公司 Target user determination method, device, equipment and medium based on WiFi connection data
CN113179328A (en) * 2021-05-19 2021-07-27 上海七牛信息技术有限公司 Resource distribution method and system for PCDN (Primary Contourlet distribution) network

Also Published As

Publication number Publication date
CN114389977A (en) 2022-04-22

Similar Documents

Publication Publication Date Title
KR101218253B1 (en) Fraud security detection system and method
CN107707435B (en) Message processing method and device
US8832816B2 (en) Authentication tokens for use in voice over internet protocol methods
CN108011873B (en) Illegal connection judgment method based on set coverage
CN114389977B (en) PCDN (physical downlink packet access) illegal service detection method and device, electronic equipment and storage medium
CN115567229A (en) Cloud-based internet access control method, device, medium, equipment and system
CN108322354B (en) Method and device for identifying running-stealing flow account
CN106453305A (en) Member live broadcast link stealing prevention method and device, and network server
RU2307392C1 (en) Method (variants) for protecting computer networks
CN109361618B (en) Data flow marking method and device, computer equipment and storage medium
RU2739206C1 (en) Method of protecting computer networks with identification of multiple simultaneous attacks
CN109302381B (en) Radius attribute extension method, device, electronic equipment and computer readable medium
CN109995733B (en) Capability service opening method, device, system, equipment and medium
CN109995731B (en) Method and device for improving cache spitting flow, computing equipment and storage medium
CN111585972A (en) Security protection method and device for gatekeeper and network system
CN104954485A (en) Data communication method applied to mobile terminal, proxy server and communication system
Jansky et al. Hunting sip authentication attacks efficiently
CN112738089B (en) Method and device for automatically backtracking source ip under complex network environment
KR101145771B1 (en) Internet protocol based filtering device and method, and legitimate user identifying device and method
CN114760267B (en) Domain name blocking method, device, equipment, medium and program product
CN111866772B (en) Method and device for preventing fraudulent calling, computer equipment and computer storage medium
US20240121255A1 (en) System and Method for Detecting Fraudulent Network Traffic
CN113507450B (en) Method and device for filtering internal and external network data based on parameter feature vector
CN111601072B (en) SCADA-based data processing method and device
CN109525454B (en) Data processing method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant