JP2010056693A - Method of deciding spam origination terminal, decision device, and decision program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a decision method, decision device and decision program, capable of deciding a terminal originating spam data as a spam origination terminal, even if the origination interval of spam data is lengthened. <P>SOLUTION: In the method of deciding a spam origination terminal, transmission and reception record information of data packet which is transmitted and received between terminals is stored, and the degree of relationship among a plurality of destination terminals which are the destinations of data packet originated from the same terminal is evaluated. Based on the degree of relationship, a score indicating the reliability of a fact that a source terminal which is the source of data packet is a spam origination terminal is calculated, and the spam data is originated for other terminal by deciding that a source terminal having a resulting score higher than a predetermined threshold is a spam origination terminal. A decision device and a decision program are also provided. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a determination method, a determination apparatus, and a determination program for determining a spam transmission terminal that transmits spam data to other terminals from among a plurality of terminals connected to a network.

  In recent years, malicious businesses that use IP (Internet Protocol) telephones to send unnecessary voice messages to IP telephone subscribers are increasing. Among these providers, VoIP (Voice over Internet Protocol) is used for advertising calls, etc., and IP telephone subscribers (hereinafter referred to as “normal users”) that make advertising calls (hereinafter referred to as “VoIP spammers”). "). Hereinafter, unnecessary voice message data transmitted by the VoIP spammer is referred to as VoIP spam.

  In this VoIP spammer, if the IP phone is based on the same VoIP base, the call charge is free, so the terminal that sends VoIP spam is connected to a communication network such as the Internet, and the terminal of an unspecified number of ordinary users from that terminal On the other hand, VoIP spam is sent free of charge a huge number of times. In order to protect a normal user from the damage of such VoIP spam, it is necessary to determine a VoIP spammer's terminal on the communication network and prevent the VoIP spam transmitted from the terminal from being transmitted to the normal user's terminal.

  Non-Patent Document 1 discloses a technique for determining a VoIP spammer terminal on a communication network. In the technology described in Non-Patent Document 1, a SIP (Session Initiation Protocol) signaling acquisition device is introduced into an ISP (Internet Services Provider), and as shown in FIG. 17, a fixed time for each SIP URI (Uniform Resource Identifier). The call rate of each terminal is calculated by measuring the number of INVITEs in the network, and when the call rate exceeds the threshold, it is determined that the terminal to which the SIP URI is assigned is the terminal that is sending VoIP spam The method to take is taken.

  This technology assumes that a VoIP spammer will continuously send VoIP spam to a number of SIP URIs on the machine. For this reason, the SIP URI assigned to the VoIP spammer's terminal is determined using the feature that the number of INVITEs transmitted by the VoIP spammer's terminal is larger than that of the normal user's terminal.

  In the example illustrated in FIG. 17, the call rate of the terminal with the SIP URI “050XXXX1111” is very high compared to the terminals with other SIP URIs, and the call rate exceeds a predetermined threshold, so the SIP URI is “050XXXX1111”. The user of the terminal is determined to be a VoIP spammer.

R. Schelegel, S. Niccolni, S. Tartarelli, M. Brunner, “SPam over Internet Telehoney (SPIT) Prevention Framework”, Proceedings of IEEE GLOBECOM 2006, San Francisco, USA, November 2006

  However, in the technology described in Non-Patent Document 1, there is a possibility that the SIP URI of the VoIP spammer terminal cannot be determined when the time interval for transmitting VoIP spam from the VoIP spammer terminal is long.

  For example, in order to make it difficult for the VoIP spammer to determine the SIP URI of his / her terminal by the technology of Non-Patent Document 1, the VoIP spammer makes a setting to increase the time interval for sending VoIP spam from his / her terminal, If VoIP spam transmission is distributed by round robin from multiple terminals using SIP URI, and the time interval for VoIP spam transmission from one terminal is extended, botnet is used. If a large number of devices are infected with malware that sends VoIP spam, and the VoIP spam sending interval is set to be long, and VoIP spam is sent, the call of the device that is sending VoIP spam Since the rate does not exceed the threshold, the terminal cannot be determined as a VoIP spammer terminal.

  The present invention relates to a determination method and a determination apparatus capable of determining a terminal that transmits various types of spam data including VoIP spam as a spam transmission terminal even when the transmission interval of spam data is extended. It is an object to provide a determination program.

  Accordingly, in the present invention according to claim 1, there is provided a determination method for determining a spam transmission terminal that transmits spam data to other terminals from a plurality of terminals connected to a network. Transmission / reception information acquisition step for acquiring transmission / reception information regarding transmission / reception of data packets from the received data packet, transmission / reception history information storage step for storing transmission / reception information acquired by the transmission / reception information acquisition step as transmission / reception history information for each data packet, and transmission / reception Based on the transmission / reception history information stored in the history information storage step, evaluate the degree of relationship between each of the plurality of destination terminals that are the destinations of data packets sent from the same terminal, and based on the degree of relationship, Calculates a score indicating the confidence that the source terminal that is the source of the data packet is a spam sender A score calculating step, and a determination method is score calculated by the score calculating step and a determining spammer terminal determining step high transmission terminal than a predetermined threshold spam originating terminal.

  Further, in the present invention according to claim 2, in the determination method according to claim 1, the score calculation step includes a relationship between the destination terminals when data packets are transmitted and received between the destination terminals. The process includes a step of calculating a higher score as the score of the source terminal as the number of destination terminal pairs evaluated as having a higher degree and evaluated as having a higher degree of relationship.

  Further, in the present invention according to claim 3, in the determination method according to claim 1 or claim 2, the score calculation step increases as the number of destination terminals that transmitted data packets to the source terminal decreases. The method includes a step of calculating a high score as the score of the terminal.

  Further, in the present invention according to claim 4, in the determination method according to claim 3, in the score calculation step, the communication time of the data packet between the destination terminal and the source terminal is shorter and / or The method includes a step of calculating a higher score as the score of the caller terminal as the number of communication times is smaller.

  Moreover, in this invention which concerns on Claim 5, in the determination method of any one of Claims 1-4, a score calculation process WHEREIN: Each transmission destination terminal is a data packet between several transmission destination terminals. If transmission / reception is performed, calculate the strength value of the degree of relationship between each destination terminal according to the communication time between each destination terminal and / or the number of communications, and the highest strength values for each destination terminal The step of calculating a higher score as the score of the transmission source terminal is included as the sum total value of is lower.

  According to a sixth aspect of the present invention, there is provided a determination apparatus for determining a spam transmission terminal that transmits spam data to other terminals from among a plurality of terminals connected to a network, wherein transmission / reception is performed between the terminals. Transmission / reception information acquisition unit for acquiring transmission / reception information related to transmission / reception of data packets from transmitted data packets, transmission / reception history information storage unit for storing transmission / reception information acquired by the transmission / reception information acquisition unit as transmission / reception history information of each data packet, and transmission / reception Based on the transmission / reception history information stored in the history information storage unit, the degree of relationship between each of a plurality of destination terminals that are the destinations of data packets transmitted from the same terminal is evaluated, and based on the degree of relationship, A score calculation unit that calculates a score indicating the reliability that the source terminal that is the source of the data packet is a spam source terminal And a determination device that score calculated by the score calculation unit and a and determining spammer terminal determining unit spammer terminal high transmission terminal than a predetermined threshold value.

  According to a seventh aspect of the present invention, there is provided a determination program for determining a spam transmission terminal that transmits spam data to other terminals from among a plurality of terminals connected to a network, wherein transmission / reception is performed between the terminals. Transmission / reception information acquisition procedure for acquiring transmission / reception information related to transmission / reception of data packets from transmitted data packets, transmission / reception history information storage procedure for storing transmission / reception information acquired by transmission / reception information acquisition procedure as transmission / reception history information of each data packet, and transmission / reception Based on the transmission / reception history information stored by the history information storage procedure, the degree of relationship between each of a plurality of destination terminals that are the destinations of data packets transmitted from the same terminal is evaluated, and based on the degree of relationship, A score indicating the reliability that the source terminal that is the source of the data packet is a spam source terminal is calculated. And score calculation procedure for, the calculated score is higher origination terminal than a predetermined threshold value and determining program for executing the determining spammer terminal determining procedure spam originating terminal to a computer by the score calculation procedure.

  In this invention which concerns on Claim 1, it is the determination method which determines the spam transmission terminal which transmits spam data to other terminals from the some terminal connected to the network, Comprising: It transmits / receives between each terminal Transmission / reception information acquisition step for acquiring transmission / reception information related to transmission / reception of data packets from the data packet, transmission / reception history information storage step for storing transmission / reception information acquired by the transmission / reception information acquisition step as transmission / reception history information of each data packet, and transmission / reception history information Based on the transmission / reception history information stored in the storing step, the degree of relationship between a plurality of destination terminals that are destinations of data packets transmitted from the same terminal is evaluated, and the data packet is determined based on the degree of relationship. Score that calculates a score indicating the reliability of the sender terminal that is the sender of the spam Since the determination method has a calculation step and a spam transmission terminal determination step of determining a transmission source terminal whose score calculated by the score calculation step is higher than a predetermined threshold as a spam transmission terminal, a terminal that transmits spam data is spam Even if the data transmission interval is increased, the spam transmission terminal randomly selects the spam data transmission destination terminal, and the spam data transmission destination terminal is selected in consideration of the degree of relation of the spam data. Therefore, it is possible to determine a terminal that is highly likely to be a spam transmission terminal from the degree of relationship between data packet transmission destination terminals.

  Further, in the present invention according to claim 2, in the determination method according to claim 1, the score calculation step includes a relationship between the destination terminals when data packets are transmitted and received between the destination terminals. It is characterized by including a step of calculating a higher score as a score of a source terminal as the number of destination terminal pairs evaluated as having a high degree and evaluated as having a high degree of relationship. Even if the data transmission interval is lengthened, the spam transmission terminal transmits spam data to a randomly selected terminal, so if the degree of relationship between the data packet destination terminals is low, the data packet It can be determined that there is a high possibility that the source terminal is a spam transmission terminal.

  Further, in the present invention according to claim 3, in the determination method according to claim 1 or claim 2, the score calculation step increases as the number of destination terminals that transmitted data packets to the source terminal decreases. Since the process includes a step of calculating a high score as the terminal score, even if the spam transmission terminal increases the transmission interval of spam data, the transmission destination terminal transmits a data packet to the transmission source terminal. Therefore, if the data packet is not transmitted from the transmission destination terminal of the data packet to the transmission source terminal, it can be determined that the transmission source terminal is likely to be a spam transmission terminal. Therefore, even if the degree of relationship between the spam data transmission destination terminals is accidentally high, it is difficult to make an erroneous determination unless the spam data transmission source terminal is a spam transmission terminal.

  Further, in the present invention according to claim 4, in the determination method according to claim 3, in the score calculation step, the communication time of the data packet between the destination terminal and the source terminal is shorter and / or Since the number of times of communication includes a step of calculating a high score as a score of the source terminal, even if the spam source terminal increases the spam data transmission interval, the source terminal From the communication time and the number of data packets between the destination terminal and the destination terminal, it is possible to determine the high degree of relationship between the source terminal and the destination terminal, and the source having a low degree of relationship with the destination terminal. It can be determined that the terminal is likely to be a spam transmission terminal.

  Moreover, in this invention which concerns on Claim 5, in the determination method of any one of Claims 1-4, a score calculation process WHEREIN: Each transmission destination terminal is a data packet between several transmission destination terminals. If transmission / reception is performed, calculate the strength value of the degree of relationship between each destination terminal according to the communication time between each destination terminal and / or the number of communications, and the highest strength values for each destination terminal If the source terminal that is not a spam sender terminal is sending data packets to a large number of destination terminals, the process includes a step of calculating a higher score as the score of the sender terminal as the total value of Even if there is a terminal that does not transmit and receive data packets between the destination terminals, if the strength value of the degree of relationship between other destination terminals is high, the source terminal Spam sending terminal Difficult to erroneous determination that there is.

  According to a sixth aspect of the present invention, there is provided a determination apparatus for determining a spam transmission terminal that transmits spam data to other terminals from among a plurality of terminals connected to a network, wherein transmission / reception is performed between the terminals. Transmission / reception information acquisition unit for acquiring transmission / reception information related to transmission / reception of data packets from transmitted data packets, transmission / reception history information storage unit for storing transmission / reception information acquired by the transmission / reception information acquisition unit as transmission / reception history information of each data packet, and transmission / reception Based on the transmission / reception history information stored in the history information storage unit, the degree of relationship between each of a plurality of destination terminals that are the destinations of data packets transmitted from the same terminal is evaluated, and based on the degree of relationship, A score calculation unit that calculates a score indicating the reliability that the source terminal that is the source of the data packet is a spam source terminal Since the determination device includes a spam transmission terminal determination unit that determines a transmission source terminal whose score calculated by the score calculation unit is higher than a predetermined threshold as a spam transmission terminal, the terminal that transmits the spam data transmits the spam data. Even when the interval is increased, the terminal can be determined as a spam transmission terminal.

  According to a seventh aspect of the present invention, there is provided a determination program for determining a spam transmission terminal that transmits spam data to other terminals from among a plurality of terminals connected to a network, wherein transmission / reception is performed between the terminals. Transmission / reception information acquisition procedure for acquiring transmission / reception information related to transmission / reception of data packets from transmitted data packets, transmission / reception history information storage procedure for storing transmission / reception information acquired by transmission / reception information acquisition procedure as transmission / reception history information of each data packet, and transmission / reception Based on the transmission / reception history information stored by the history information storage procedure, the degree of relationship between each of a plurality of destination terminals that are the destinations of data packets transmitted from the same terminal is evaluated, and based on the degree of relationship, A score indicating the reliability that the source terminal that is the source of the data packet is a spam source terminal is calculated. The spam calculation data is sent to the computer, and the spam transmission terminal determination procedure for determining the transmission source terminal whose score calculated by the score calculation procedure is higher than a predetermined threshold is the spam transmission terminal. Even if a terminal that makes a spam data transmission interval longer, the terminal can be determined as a spam transmission terminal.

(First embodiment)
Hereinafter, a first embodiment of a determination method, a determination apparatus, and a determination program for a terminal that transmits spam data according to the present invention will be specifically described with reference to the drawings. In the following description, unnecessary voice data (hereinafter, referred to as “unnecessary voice data”) is transmitted from a plurality of terminals connected to the Internet to other unspecified users using VoIP (Voice over Internet Protocol). ("VoIP spam")) Judgment method for determining the SIP URI (Session Initiation Protocol Uniform Resource Identifier) of the terminal that sends the message, a judgment device that implements the judgment method, and a judgment to be executed by the computer to realize the judgment method A case where the present invention is applied to a program will be described as an example, but the present invention is not limited to this, and a determination method for determining a terminal that transmits arbitrary spam data other than VoIP spam The present invention can be applied to a determination device and a determination program.

  Hereinafter, a terminal that transmits VoIP spam is referred to as a VoIP spammer, and a terminal other than the VoIP spammer is referred to as a normal user. In addition, when not distinguishing a VoIP spammer and a normal user, these are named generically and are only called a terminal.

  As shown in FIG. 1, the determination apparatus 1 according to the present embodiment is connected between an Internet 2 to which a normal user 3 and a VoIP spammer 5 are connected, and a SIP server 4. The data packet transmitted / received between the terminals is monitored, and the SIP URI of the VoIP spammer 5 that sends VoIP spam to the normal user 3 is determined.

  As described above, the determination apparatus 1 according to the present embodiment can be connected in-line between the SIP server 4 and the SIP client such as the normal user 3 or the VoIP spammer 5, so that it is additional to the existing system. Can be inserted. The determination device 1 is provided with a processing function for discarding a data packet transmitted from a specific SIP URI so that the data packet transmitted from the SIP URI of the determined VoIP spammer 5 is discarded. It is possible to prevent the user 3 from receiving normal VoIP spam.

  The normal user 3 and the VoIP spammer 5 connected to the Internet 2 are both devices having an IP telephone function, and the SIP server 4 is based on various data included in a data packet transmitted from a certain terminal. It is an apparatus that executes various processes related to the connection between the terminal of the data packet and the terminal of the destination. Hereinafter, a terminal that transmits a data packet is referred to as a source terminal, and a terminal that is a destination is referred to as a destination terminal.

  The determination apparatus 1 of the present embodiment calculates a score (index) indicating the reliability that the terminal is the VoIP spammer 5 for each SIP URI of each terminal based on the call history between the users, and the result A terminal having a score that is higher than a predetermined threshold is determined to be a VoIP spammer 5. A specific method for calculating the score will be described in detail later.

  The determination device 1 includes a table for determining whether each terminal is a VoIP spammer 5, as shown in the lower right part of FIG. In this embodiment, as shown in this table, if the terminal score is in the range of 0 to 29, the terminal is the normal user 3, and if the terminal score is in the range of 30 to 79, the terminal is If the score of a terminal that is suspected of being a VoIP spammer 5 or a terminal is in the range of 80 to 100, the terminal is determined to be a VoIP spammer 5.

  Then, as shown in the upper right part of FIG. 2, the determination device 1 is suspicious of the SIP URI of each terminal, the score of the terminal, and whether the terminal is a normal user 3 or a VoIP spammer 5. An alert indicating whether it is a terminal or a VoIP spammer 5 is displayed on a predetermined display device.

  In particular, the determination device 1 evaluates the degree of relationship between each destination terminal of data packets transmitted from the same terminal based on the call history of each terminal, and takes a higher value as the degree of relationship is stronger. The VoIP spammer 5 calculates VoIP spam by calculating the cluster coefficient, calculating the score of the source terminal using this cluster count, and determining whether the source terminal is the VoIP spammer 5 using this score. Even when the time interval for transmitting is increased, it is possible to accurately determine that the terminal is the VoIP spammer 5.

  In other words, since the VoIP spammer 5 sends VoIP spam to a randomly selected SIP URI terminal, there is an acquaintance relationship between users of a plurality of destination terminals selected as VoIP spam destinations. There is a high possibility that there is no human relationship. On the other hand, if the user 3 is a normal user, when a data packet is transmitted, a user terminal having a human relationship such as an acquaintance is selected as a transmission destination terminal. There is a high possibility. Therefore, if there is a human relationship between the users of the destination terminals, the possibility that data packets have been transmitted / received in the past between the users increases.

  Using this feature, in the determination device 1 of the present embodiment, the degree of relationship between the destination terminals of the data packets transmitted from the same terminal is determined from the history information regarding the transmission / reception of the data packets that is the call history of each terminal. A cluster count is obtained, and the cluster count is used to calculate a score indicating the reliability that the source terminal of the data packet is the VoIP spammer 5. If the resulting score is higher than a predetermined threshold, the transmission is performed. The former terminal is determined to be a VoIP spammer 5.

  As described above, since the VoIP spammer 5 randomly selects a VoIP spam destination terminal, the VoIP spammer 5 cannot transmit VoIP spam in consideration of human relations between users of the VoIP spam destination terminals. This determination device 1 determines whether or not the source terminal of the data packet is the VoIP spammer 5 in consideration of the degree of relationship between the VoIP spam transmission destination terminals, which is difficult for the VoIP spammer 5 to intervene. Therefore, it is possible to accurately determine whether or not the data packet source terminal is the VoIP spammer 5.

  Here, the cluster coefficient used when the determination apparatus 1 calculates the score of each terminal will be described with reference to FIG. In FIG. 3, “●” represents a data packet transmission source terminal, “◯” represents a data packet transmission destination terminal, and “−” represents a link between the transmission source terminal and the transmission destination terminal. Here, the link indicates that a data packet has been transmitted from the source terminal to the destination terminal in the past.

  As shown in FIG. 3, when a link exists between the destination terminals, it is considered that there is a human relationship such as an acquaintance relationship between the users of the destination terminals, and the source terminal is the normal user 3 Can be determined. On the other hand, if there is a link between the source terminal and the destination terminal, but there is no link between the destination terminals, it is considered that there is no human relationship between the users of the destination terminal. VoIP spammer 5 can be determined. In this case, the cluster coefficient of the normal user 3 is higher than that of the VoIP spammer 5.

  A cluster coefficient is calculated | required by the triangle comprised by a transmission origin terminal and two transmission destination terminals with which the link was comprised between the transmission origin terminals. Whether or not a triangle is composed of a user x whose cluster coefficient is to be obtained and arbitrary destination terminals y and z is determined by assuming that Lxy is a link between the users x and y.

  It can be expressed using Equation 1 below. Here, Δ is considered to be the relationship between the user x of the transmission source terminal to be score-calculated and the users y and z of two terminals among the transmission destination terminals from which the transmission source terminal has transmitted data packets in the past. In this case, it is expressed whether or not there is a human relationship such as a common acquaintance relationship between these users x, y, and z.

  In the present embodiment, it is assumed that an acquaintance is that a call has been made between two parties. Lxy in the above equation 1 represents whether or not a call has been made in the past between the users x and y. When a call is made between the users x and y, Lxy = 1, and when a call is not made, Lxy = 0. Lyz and Lzx have the same meaning.

  A value obtained by multiplying these Lxy, Lyz, and Lzx is Δ. That is, this Δ is a call history in the past between the user x and the user y, and there is a call history in the past between the user y and the user z, and the user z and the user x If there is a call history in the past, Δ = 1. Here, since the users y and z are destination terminals selected from the past call history of the user x, the values of Lxy and Lzx are always 1. In Δ, it is important whether or not there is a call history in the past between the user y and the user z that are the destination terminals.

  In other words, the fact that there has been a call history in the past between the user y and the user z means that there is a predetermined human relationship such as a common acquaintance relationship between the users x, y, and z. . As the number of combinations of users y and x with Δ = 1 for the user x increases, it means that the user x has transmitted data packets according to human relations in the past. It can be determined that the terminal is unlikely to be a VoIP spammer 5.

  The cluster coefficient in the present embodiment represents the number of combinations of users y and z where Δ = 1. Here, a specific calculation method for calculating the cluster coefficient Cx will be described.

When obtaining the cluster coefficient Cx, first, NΔ, which is the total sum of _Δ , is obtained. This N _Δ is the sum of the triangles that the terminal of the user x (source terminal) that is the target of calculation of the cluster coefficient Cx and the link destination terminal (the destination terminal that has a link with the source terminal) constitutes To express. This N _Δ is

  It can be expressed using Equation 2 below. Then, when the number of all the destination terminals from which the user x terminal has transmitted data packets in the past is k, the cluster coefficient Cx of the user x terminal is:

  It can be expressed by the following mathematical formula 3. This cluster coefficient is calculated based on the number of triangles, assuming that a link triangle is formed by the user x's terminal and all the destination terminals from which the user x's terminal has transmitted data packets in the past. This shows how many triangles actually existed.

  Therefore, when there is no human relationship between the users of all the destination terminals, the cluster coefficient Cx = 0, and when there is a sufficient human relationship between the users of the destination terminals, the cluster coefficient is “1”. Close to. This cluster coefficient Cx is determined by the past communication history of the source terminal as described above, and should be changed intentionally from the VoIP spammer 5 that randomly selects the SIP URI of the destination terminal. I can't. In the determination apparatus 1 of the present embodiment, the score of the source terminal is calculated using this cluster coefficient Cx.

  In the present embodiment, when the score is Sc, the score Sc is calculated by the formula Sc = 100-100 × Cx. Note that the method of calculating the score Sc is not limited to this, and any method can be used as long as the reliability of the source terminal being the VoIP spammer 5 can be obtained using the cluster coefficient Cx. It may be determined by any other method. For example, by using a Bayesian network, the probability of being a VoIP spammer 5 may be calculated from the value of the cluster coefficient Cx, and the probability multiplied by 100 may be used as the score Sc.

  Then, the determination device 1 compares the score Sc of the transmission source terminal calculated as described above with a predetermined threshold value, and determines the transmission source terminal having a score Sc higher than this threshold value as the VoIP spammer 5. As this threshold value, samples of a plurality of VoIP spammers 5 are prepared, and the average value of the scores Sc of the samples is used.

  This threshold value determination method is not limited to the above method, and may be determined by any other determination method as long as the VoIP spammer 5 can be accurately determined from the score Sc. For example, a sample of the normal user 3 may be prepared, the standard deviation of the score Sc of the sample may be obtained, and the threshold value may be obtained from this standard deviation. Further, as a threshold value, a predetermined value such as “80” based on an empirical rule may be fixed as the threshold value.

  In this embodiment, using the score Sc and the threshold value calculated in this way, a service intended for VoIP spam countermeasures is provided to the normal user 3. Here, an example of a service that can be provided by the present embodiment will be described with reference to FIG.

Service (1)
According to the present embodiment, as shown in FIG. 4, it is possible to provide a nuisance call distribution service using score information. This service (1) is provided with an answering machine (answering machine) 6 that distributes only VoIP spam to normal users 3 in advance, and causes the answering machine to receive data packets determined by the judging device 1 as VoIP spam. . As a result, even if VoIP spam is sent, the ring tone of the normal user 3 does not sound, so that the normal user 3 can be protected from the damage of the VoIP spam.

Service (2)
Moreover, according to this embodiment, as shown in FIG. 4, a score providing service can be provided. In this service (2), a score range for allowing the normal user 3 to determine the VoIP spammer 5 is set in advance. The determination device 1 inserts the score Sc of the source terminal of the data packet into the signaling information of the data packet transmitted to the normal user 3. Then, the normal user 3 rejects the incoming call when it is determined as VoIP spam from the score Sc of the source terminal inserted in the received signaling information and the preset score range.

  Here, it is set so that an incoming call is permitted if the score Sc inserted in the signaling information is in the range of 0 to 29, and the incoming call is rejected if the score Sc is in the range of 30 to 100. Yes. The range of the score Sc set for the normal user 3 is configured so that each user can arbitrarily change the setting.

  Next, a specific configuration of the determination apparatus 1 in the present embodiment will be described with reference to FIG. FIG. 5 is a functional block diagram illustrating the configuration of the determination apparatus 1. As illustrated in FIG. 5, the determination apparatus 1 includes a packet processing unit 100, a control unit 110, and a storage unit 120.

  The packet processing unit 100 monitors the contents of data packets transmitted from the source terminal to the destination terminal. A packet monitoring unit 101 and a packet information acquisition unit 102 that extracts and acquires specific information necessary for calculating the score Sc from the data packet based on the monitoring result of the packet monitoring unit 101 are provided. The packet monitoring unit 101 and the packet acquisition unit 102 perform a predetermined operation when the control unit 110 executes a predetermined determination program.

  The packet monitoring unit 101 monitors whether or not a SIP packet for extracting user statistical information necessary for obtaining the score Sc is received. The SIP packet is INVITE, BYE, CANCEL, 200OK.

  When the packet monitoring unit 101 detects that a SIP packet has arrived, the packet information acquisition unit 102 acquires the SIP packet and transmits it to the user statistical information extraction unit 111 described later.

  The control unit 110 is configured by a computer having a CPU (Central Processing Unit), a ROM (Read Only Memory), and a RAM (Random Access Memory). The CPU reads a determination program stored in the ROM, By using and executing the RAM as a work area, a user statistical information extraction unit 111 that extracts and acquires user statistical information regarding transmission / reception of data packets from the SIP packet received from the packet information acquisition unit 102, and calculates a score Sc The score calculation unit 112 functions as a VoIP spammer determination unit 113 that determines whether or not the source terminal is the VoIP spammer 5 based on the score Sc of the source terminal corresponding to each SIP URI.

  The user statistical information extraction unit 111 extracts user statistical information with reference to information on the SIP header and IP header of the SIP packet received from the packet information acquisition unit 102. Then, when extracting the user statistical information, the user statistical information extracting unit 111 extracts the From URI, To URI, Method, Call_ID, Status Code, Reason Phrase, Cseq, and packet acquisition time (time) of the SIP header of the SIP packet. Then, each item (source, destination, Call_ID, call start time (time), call end time (time)) in the call table described later is extracted. Note that the user statistical information extraction unit 111 does not extract user statistical information for other SIP packets.

  In the present embodiment, the time (time) when 200 OK is returned from the caller's INVITE is set as the call start time (time). At this time, the user statistical information extraction unit 111 writes the caller, callee, Call_ID, and call start time (time) in the call table. Further, when BYE is sent, the user statistical information extraction unit 111 searches the call table for data corresponding to the Call_ID, the transmission source, and the transmission destination (the transmission source and the transmission destination are opposite to the data in the call table). The time (time) when the BYE arrives is written as the call end time (time).

  In addition, when CANCEL is sent, the user statistical information extraction unit 111 sets the time (time) when the CANCEL arrives in the call table data corresponding to the destination, the source, and Call_ID to the call start time ( Time) and call end time (time).

  Then, the user statistical information extraction unit 111 creates an inter-user call table, which will be described in detail later, based on this call table. The inter-user call table is unique for a source and destination pair. The user statistical information extraction unit 111 searches the inter-user call table for the same pair as the caller and callee in the call table, and updates the record. When there is no same pair, the user statistical information extraction unit 111 newly creates the pair in the inter-user call table.

  In addition, the user statistical information extraction unit 111 obtains the call start time (time), the communication side end time (time) of the call table, the call time between the caller and the callee, and the call time in the call table between users. In addition to the number of calls, the total call time is updated. Note that, for the inter-user call table for calculating the score Sc, the equivalent of the call table may be temporarily stored in the terminal memory and directly written into the inter-user call table.

The score calculation unit 112 calculates Δ using the above equation 1 for each SIP URI of each source terminal, calculates N _Δ that is the sum of Δ using the above equation 2, and then calculates the above equation 3 Is used to calculate the score Sc and the resulting score Sc is stored in the user score information storage unit 122 described later.

  As described above, Δ calculated by the score calculation unit 112 represents the degree of human relation between the score calculation target terminal and two transmission destination terminals. Here, a specific example of a method for calculating Δ will be described.

  The score calculation unit 112 calculates two values by selecting two destination terminals from all the destination terminals related to the terminal whose score is to be calculated. At this time, the score calculation unit 112 calculates the combination of all the two destination terminals.

  For example, when a certain source terminal x is a score calculation target and a, b, c, and d are destination terminals of the terminal x, all of these combinations are (x, a, b), (x, a, c), (x, a, d), (x, b, a), (x, b, c), (x, b, d), (x, c, a), (x, c, b) , (X, c, d), (x, d, a), (x, d, b), (x, d, c). Then, the score calculation unit 112 calculates Δ for all these combinations. For combinations that are the same if the order is changed, such as (x, a, b) and (x, b, a), Δ of (x, b, a) is ( The result of Δ of x, a, b) may be used. Lxy is 1 if there is a record of source x, destination y, or source y, destination x in the inter-user call table, and 0 otherwise.

  The VoIP spammer determination unit 113 compares the preset threshold value with the score Sc calculated by the score calculation unit 112, and determines the SIP URI of the terminal corresponding to the score Sc equal to or higher than the threshold value as the VoIP spammer 5. Then, the VoIP spammer determination unit 113 writes and stores the SIP URI of the terminal determined to be the VoIP spammer 5 in the VoIP spammer storage unit 124 described later.

  The storage unit 120 includes a user statistical information storage unit 121, a user score information storage unit 122, a score threshold storage unit 123, and a VoIP spammer storage unit 124. The storage unit 120 is configured by a large-capacity nonvolatile memory.

  The user statistical information storage unit 121 stores a call table shown in FIG. 6A and an inter-user call table shown in FIG. As shown in FIG. 6A, the call table includes the SIP URI of each source terminal as the source, the SIP URI of the destination terminal as the destination from which the data packet was transmitted from the source terminal, Call_ID in the current call, the call start time in the current call, and the call end time in the current call are stored.

  In addition, in the inter-user call table, the SIP URI of the transmission source terminal and the SIP URI of the transmission destination terminal of the data packet transmitted from the SIP URI are stored as a pair (pair). The total call time and the total number of calls made for calls made with the destination terminal are stored.

  In the user score information storage unit 122, the score Sc of each transmission source terminal calculated by the score calculation unit 112 is stored corresponding to the SIP URI of each transmission source terminal. The score threshold storage unit 123 stores the above-described threshold to be compared with the score Sc.

  The VoIP spammer storage unit 124 stores the SIP URI of the caller terminal determined as the VoIP spammer 5 by the VoIP spammer determination unit 113.

  Next, information processing when the CPU of the control unit 110 executes the determination program according to the present embodiment will be described. First, a user statistical information extraction flow (1) executed by the control unit 110 when extracting user statistical information will be described.

  When the user information is extracted by the determination apparatus 1, the control unit 110 executes a process for causing the packet processing unit 100 to acquire a packet as shown in FIG. 7 (step S100). Is determined whether or not INVITE, BYE, CANCEL, and 200OK (step S101).

  If the acquired packet is determined to be INVITE, BYE, CANCEL, or 200 OK (step S101: Yes), the control unit 110 determines from the SIP header and the packet acquisition time (time) to the user statistical information extraction unit 111. When the process for extracting the user statistical information is executed and it is determined that the acquired packet is not INVITE, BYE, CANCEL, or 200OK (step S101: No), the process ends.

  Then, the control unit 110 stores the user statistical information extracted in step S102 in the user statistical information storage unit 121 of the storage unit 120. At this time, the source (SIP URI of the source terminal), destination (SIP URI of the destination terminal), Call_ID, call start time (time), and call end time (time) in the user statistical information are written in the call table. Processing is executed (step S103).

  Thereafter, the control unit 110 executes a process of overwriting the source, destination, total call time, and total number of calls in the inter-user call table to the user statistical information storage unit 121 using the call table. Is terminated.

  Here, the case where both the call table and the inter-user call table are stored in the storage unit 120 has been described, but the call table and the inter-user call table are separate databases from the storage unit 120 of the determination apparatus 1. If it is configured so that it can be stored in, the call table creation and the inter-user call table can be created by separate processing flows.

  In this case, the control unit 110 executes the process shown in the user statistical information extraction flow (2) shown in FIG. When the process shown in the user statistics information extraction flow (2) is started, the control unit 110 executes the processes of steps S200 to S203 to create a call table. Further, the control unit 110 executes the process of step S204 shown in FIG. 8 to create an inter-user call table. The processing executed in steps S200 to S203 is the same as the processing executed in steps S100 to S103 shown in FIG. 7, and the processing executed in step S204 is the step shown in FIG. Since the process is the same as the process executed in S104, the description thereof is omitted here.

  Next, processing executed by the control unit 110 when the determination device 1 calculates the score Sc offline and determines the VoIP spammer 5 from the resulting score Sc will be described with reference to FIG. The timing for starting the calculation of the offline score Sc can be calculated at a timing set at an arbitrary timing such as every day or every two days.

  When calculating the score Sc offline, as shown in FIG. 9, the control unit 110 firstly calculates k of the score calculation target from the inter-user call table (the destination terminal that the source terminal of the score calculation target has called in the past). Number) is calculated (step S300). At this time, the SIP URI of the terminal for which the score is to be calculated can be set under any condition, such as all SIP URIs, or the SIP URI of the terminal that has made 10 or more calls since the previous score Sc calculation. ing.

  Thereafter, the control unit 110 executes processing for calculating Δ from the inter-user call table (step S301). The process for calculating Δ will be specifically described later with reference to FIG.

  Next, the control unit 110 executes a process of calculating the cluster coefficient Cx from k calculated in step S300 and Δ calculated in step S301 (step S303). In this process, the calculation is performed using the above-described Expression 3.

  Next, the control unit 110 executes a process for calculating the score Sc from the cluster coefficient Cx calculated in step S303 (step S304). Here, as described above, the calculation is performed using the equation Sc = 100-100 × Cx.

  Next, the control unit 110 compares the score Sc calculated in step S303 with the threshold value stored in the score threshold value storage unit 123, and determines that the SIP URI of the user whose score Sc is equal to or greater than the threshold value is the VoIP spammer 5. (Step S304). After that, the processing for writing the SIP URI determined as the VoIP spammer 5 in Step S304 to the VoIP spammer storage unit 124 is executed (Step S305), and the processing is terminated.

  Next, a specific example of calculating Δ by performing Δ calculation executed in step S301 of the flowchart shown in FIG. 9 will be described. Here, an example of calculating Δ when the determination apparatus 1 stores a call table between users as shown in the right table of FIG. 10 will be described.

  When obtaining Δ, first, a past call destination of the score calculation target terminal x is checked with reference to the inter-user call table. Here, if the SIP URI of terminal x is 050-XXXX-5697, the SIP URI of the destination terminal is 050-XXXX-1111, 050-XXXX-2222, 050-XXXX-3333, 050-XXXX-4444, It becomes 050-XXXX-5555.

  Next, unselected y is selected from the destinations. At this time, y is selected from the above four destinations. Here, it is assumed that a terminal whose SIP URI is 050-XXXX-1111 is selected as y of the destination terminal.

  Next, unselected z is selected as z from the destinations. At this time, z selects a terminal having a SIP URI different from y. Here, it is assumed that a terminal having a SIP URI of 050-XXXX-2222 is selected as z of another destination terminal. In this case, since it can be seen from the inter-user call table that a call has been made between y and z in the past, Δ ≠ 0 in the combination of x, y, and z.

  Next, x and y remain the same as the previous time, and an unselected z is selected as z. Here, assume that a terminal having a SIP URI of 050-XXXX-3333 is selected as z. In this case, since it can be seen from the inter-user call table that no call has been made between y and z, Δ = 0. Thereafter, selection of z is repeated.

  When there is no unselected z, the unselected y is selected next, and the unselected z is similarly selected while y is fixed, and the calculation of Δ is repeated. Δ is obtained for all combinations of the five destination terminals of the SIP URI 050-XXXX-5697.

  Here, the Δ calculation processing executed by the control unit 110 when Δ is obtained for all combinations as described above will be specifically described with reference to the left flowchart of FIG. When Δ is calculated by the determination apparatus 1, as shown in FIG. 10, the control unit 110 first executes a process of checking a past destination of the user x to be calculated for Δ from the inter-user call table. (Step S400).

  Subsequently, the control unit 110 determines whether or not there is an unselected destination y (step S401). When it is determined that there is an unselected destination y (step S401: Yes), the destination Is selected (step S402), and if it is determined that there is no unselected destination y (step S401: No), the process is terminated.

  When one destination y is selected in step S402, control unit 110 determines whether or not there is an unselected destination z from the inter-user call table (step S403). When it is determined that there is a destination (step S403: Yes), a process of selecting one destination z from unselected destinations z is executed (step S404), and when it is determined that there is no unselected destination ( Step S403: No), the process proceeds to step S401.

  When one destination z is selected in step S404, a process for calculating Δ of x, y, z is executed (step S405). At this time, Δ is calculated using Equation 1 described above, and then the process proceeds to step S403.

  Further, the determination apparatus 1 of the present embodiment is configured so that the processing related to the calculation of the score Sc by the offline processing and the determination of the VoIP spammer 5 described with reference to the flowchart of FIG. 9 can be executed as real-time processing when online. is doing.

  This real-time process is a process for calculating the score Sc while acquiring user statistical information. In the present embodiment, when an INVITE is acquired, when the terminal has transmitted a specified number of times (for example, 10 times) from the time when the score Sc was previously calculated for the source terminal of the INVITE, Calculate the score Sc. The score Sc may be calculated every time the determination device 1 acquires INVITE.

  Next, real-time processing relating to calculation of the score Sc and determination of the VoIP spammer 5 will be described with reference to FIG. In this real-time processing, as shown in FIG. 11, in the real-time processing, first, packet processing for causing the packet processing unit 100 to acquire a packet is executed (step S500), and then user statistical information is obtained from the packet acquired in step S500. Is extracted (step S501).

  Thereafter, the control unit 110 determines whether or not the packet extracted in step S501 is an INVITE (step S502). If it is determined that the packet is not an INVITE (step S502: No), the process is terminated and the INVITE. If it is determined (step S502: Yes), processing for extracting the SIP URI of the terminal that sent the INVITE is executed (step S503).

  Thereafter, the control unit 110 determines whether or not the terminal has made the specified number of times of transmission since the previous calculation of the score Sc for the terminal of the SIP URI extracted in step S503 (step S504). If it is determined that the call has not been made (step S504: No), the process is terminated, and if it is determined that the specified number of calls has been made (step S504: Yes), the process of calculating the score Sc of the SIP URI that sent the INVITE Is executed (step S505). Note that the predetermined number of times in step S504 can be set to an arbitrary number.

  Then, in the control unit 110, a process of writing the score Sc calculated in step S505 to the user score information storage unit 122 is executed (step S506), and then whether or not the score Sc is equal to or greater than a threshold value. Judgment is made (step S507).

  Here, when the control unit 110 determines that the score Sc is less than the threshold value (step S507: No), the process ends. On the other hand, when it is determined that the score Sc is equal to or greater than the threshold (step S507: Yes), the control unit 110 determines that the SIP URI corresponding to the score Sc is the SIP URI of the user who performs the VoIP spammer 5 (step S507). S508), a process for writing the SIP URI to the VoIP spammer storage unit 124 is executed (step S509), and then the process ends.

  As described above, in the determination apparatus 1 according to the first embodiment, spam transmission that transmits spam data (for example, VoIP spam) from a plurality of terminals connected to a communication network such as the Internet 2 to other terminals. When determining a terminal (VoIP spammer 5), transmission / reception information (for example, INVITE) related to transmission / reception of the data packet is acquired from a data packet transmitted / received between the terminals, and the acquired transmission / reception information is transmitted to each data packet. Is stored in the user statistical information storage unit 121 as transmission / reception history information (for example, user statistical information).

  Then, the determination device 1 evaluates the degree of relationship between a plurality of destination terminals that are destinations of data packets transmitted from the same terminal based on the stored transmission / reception history information, and the degree of the relationship Based on the above, a score Sc indicating the reliability that the transmission source terminal of the data packet is the spam transmission terminal is calculated.

  Thereafter, the determination device 1 compares the calculated score Sc of the transmission source terminal with a predetermined threshold value set in advance, and sets the transmission source terminal whose score Sc is higher than or equal to the predetermined threshold value as a spam transmission terminal. Is determined.

  Thus, in the determination apparatus 1 of the present embodiment, focusing on the fact that there is a low possibility that there is a human relationship between the users of the destination terminals that the VoIP spammer 5 randomly selects as the destination terminals of the VoIP spam. If the relationship between the destination terminals of the data packet is low among the source terminals that have transmitted the data packet to the source terminal, it is determined that the source terminal is likely to be the VoIP spammer 5. Even if the spammer 5 sets a long VoIP spam transmission interval, the VoIP spammer 5 can be accurately identified.

  Further, in the determination device 1, when the score Sc of each terminal is calculated, if the data packet is transmitted / received between the destination terminals, it is evaluated that the relation degree between the destination terminals is high. As the number of destination terminal pairs evaluated as having a high degree of relationship is smaller, a higher score Sc is calculated as the score Sc of the source terminal. That is, the determination apparatus 1 indirectly evaluates the human relationship between users of the destination terminals based on the communication history performed between the destination terminals.

  The VoIP spammer 5 cannot transmit VoIP spam in consideration of the human relationship regarding the user of the VoIP spam destination terminal. In the determination apparatus 1 of the present embodiment, the human relationship between the users of the destination terminals that the VoIP spammer 5 cannot intervene in this way is evaluated, and the data packet is transmitted to the terminal of the user who has evaluated that there is no human relationship Since the VoIP spammer 5 changes the transmission source terminal that continues to be a VoIP spammer 5, even if the VoIP spammer 5 changes the transmission timing of VoIP spam, the VoIP spammer 5 can be accurately determined.

(Second Embodiment)
Next, a second embodiment of the present invention will be described. In the second embodiment, the cluster coefficient between the VoIP spammer 5 and the normal user 3 is expanded to produce a larger difference between the two cluster coefficients, thereby increasing the difference in the score. A determination method and a determination method of the VoIP spammer 5 that prevents a specific omission of the VoIP spammer 5 will be described. In the following description, the same reference numerals are given to the same components as those in the first embodiment.

  Even if VoIP spammer 5 sends VoIP spam to an unspecified number of randomly selected destination terminals, depending on the destination (SIP URI), by chance, VoIP spammer 5 and two destination terminals It is expected that link triangles will be constructed.

  In this case, if there are a large number of triangles formed by accidentally configured links, the terminal may be erroneously determined as the normal user 3 even though VoIP spam is actually transmitted. Therefore, in this second embodiment, even if the VoIP spammer 5 forms a triangle with two destination terminals and a link, a difference in strength is provided in the triangle by the link so that the triangle does not have a large cluster coefficient.

  The strength provided in the triangle is used to represent the strength of the human relationship between users of the case terminals constituting the triangle. This is because the VoIP spammer 5 has a low possibility of receiving data packets from the destination terminal, and the VoIP spam is unnecessary voice data, so that the call time is short. This is because it is considered that there is a difference in the human relationship between the VoIP spammer 5 and the normal user 3 between the destination terminals constituting the triangle.

  FIG. 12 shows triangles with different intensities and cluster coefficients related to the source terminal of the score calculation target in the triangles.

  In FIG. 12, the source terminal of the score calculation target is indicated by “●”, the destination terminal from which the source terminal has transmitted a data packet in the past is indicated by “O”, and the cluster coefficient of the first embodiment is indicated by Cx, The expanded cluster coefficient in the second embodiment is indicated by Cx ′. Each of the cluster coefficients Cx and Cx ′ indicates that the closer the numerical value is to 1, the higher the possibility that the transmission source terminal is the normal user 3.

  As shown in the column of VoIP spammer in FIG. 12, when the source terminal is VoIP spammer 5, and there is a link between the two destination terminals by chance, that is, the user of the terminal that has received VoIP spam. If they happen to be acquaintances, the method of the first embodiment misidentifies the VoIP spammer 5 as the normal user 3 because the source terminal and the two destination terminals form a triangle. There is a risk.

  Therefore, in the second embodiment, when a link triangle is formed by three terminals, if the source terminal for score calculation has received a data packet from the destination terminal, the strength of the triangle If it is high and no data packet has been received, it is evaluated that the intensity of the triangle is low.

  In the example shown in FIG. 12, when the score calculation target terminal is a triangle of the normal user 3, the source terminal also receives from the destination terminal, so the strength of the triangle is high and the cluster coefficient Cx ′ is the maximum. The value is as high as 1.

  On the other hand, when the score calculation target terminal is a triangle of VoIP spammer 5, since the source terminal has never received from the destination terminal, the strength of the triangle is low and the cluster coefficient Cx ′ is also a low value of 0.1 Have taken.

  The directionality of the link is determined by the source terminal and the destination terminal. In the first embodiment, the link between the users x and y is Lxy. In the second embodiment, the link from the user x to the user y is Lxy, and the link from the user y to the user x is Lyx. I try to divide it.

  Specifically, in the first embodiment, the presence / absence of the link is indicated by whether Lxy is “1” or “0”, and in the second embodiment, the weight of the link from user x to user y is set to Wxy. And represented by 0 to 1. The link weight is determined by the total call time between the terminals.

  In this embodiment, Wxy = 0.1 when the total call time is 0 to 60 seconds, Wxy = 0.2 when the total call time is 60 to 120 seconds,..., Wxy = 1.0 when the total call time is 600 seconds or more. Determine Wxy by dividing time. The link weight Wxy may be determined by the total number of calls between the terminals. Also, when a weight is desired to be generated in a call in the direction received by the transmission source terminal for which the score is to be calculated, a coefficient α (1, 2,. In this case, select a value of 2 or greater.

  That is, in order to place importance on the link by reception, a coefficient of α (α ≧ 1) is given to Wyx and Wzx, and the normal user 3 and the VoIP spammer 5 cause a difference in the strength of the triangle by the link. Δ ′ after introducing link directionality and weight is

  It calculates with the following numerical formula 4.

  In addition, the cluster coefficient Cx ′ expanded using this Δ ′ is

  It calculates with the following numerical formula 5. Then, using the cluster coefficient Cx ′ thus calculated, the score Sc of each terminal is calculated by the same formula as in the first embodiment, and the terminal whose score Sc exceeds the predetermined threshold is determined as the VoIP spammer 5 To do.

  As described above, in the determination method of the VoIP spammer 5 in the second embodiment, when the score Sc is calculated, the smaller the number of destination terminals that have transmitted data packets to the source terminal, the higher the score of the source terminal. A high score is calculated. That is, the VoIP spammer 5 is determined based on the human relationship between the users of the transmission source terminal and the transmission destination terminal.

  As a result, there is a possibility that a human relationship exists between the users of the VoIP spammer 5 and the destination terminal even if there is a human relationship between the users of the destination terminal that received the VoIP spam from the VoIP spammer 5. If it is determined that the terminal is low, it is possible to accurately determine that the source terminal is the VoIP spammer 5.

  Moreover, in the determination method of the VoIP spammer 5 in the second embodiment, as the communication time of the data packet between the destination terminal and the source terminal is shorter and / or the number of times of communication is smaller, It is determined that the link with the destination terminal is weak, and a high score is calculated as the score of the source terminal.

  As a result, even if there is a link between the destination terminals that received VoIP spam from the VoIP spammer 5, if the link is weak, if the link is weak, the source terminal is accurately determined to be the VoIP spammer 5. can do.

(Third embodiment)
Next, a third embodiment of the present invention will be described. Here, the same components as those in the first embodiment will be described with the same reference numerals. In the equation (Equation 3) for obtaining the cluster coefficient Cx in the first embodiment described above, the cluster coefficient tends to be smaller as the transmission is made to many destination terminals even for the normal user 3 due to the characteristics of the equation.

  For this reason, when using the above Equation 3, in order for the cluster coefficient to take the maximum value of 1.0, a link must exist between all the destination terminals. Even if there is a human relationship such as a friendship relationship between the users of the destination terminals, it is assumed that there is no link between the destination terminals.

Therefore, in the third embodiment, it calculates the N _delta used when calculating the score Sc, further extends the Cx, the score Sc using the Cx'' and its expanded N _delta'', VoIP spammers 5 Determine. The cluster coefficient Cx of the first embodiment counts the number of triangles that the score calculation target terminal configures with the link destination terminal. For normalization, there is a link when there are links between all link destination terminals. The number of triangles by was used.

  On the other hand, in the third embodiment, the cluster coefficient Cx ″ is focused on how many destination terminals constitute a link triangle among the destination terminals that are the link destinations of the score calculation target terminals. The numerator of the equation for obtaining is the sum of the strengths of the triangles having the highest strength among the triangles formed by the destination terminals of the link destinations. The strength of the triangle with the highest strength of the destination terminal that does not form a triangle by the link is “0”. In order to normalize, the number of linked terminals is used.

  As a result, for example, as shown in the right part of FIG. 13, the score calculation target terminal (“●” shown in FIG. 13) is linked to the link destination terminal (“◯” shown in FIG. 13). Even if the number of triangles formed by is less than the score calculation target terminal shown in the left part of FIG. "" Becomes 1.0.

  If the score Sc calculation target terminal is composed of multiple triangles by links with one destination terminal and other multiple destination terminals, select the triangle with the highest strength among them. The score Sc calculation target terminal is assumed to be a triangle formed by the link configured with the above-mentioned one destination terminal. Cx ″ of the third embodiment is

  It calculates with the following numerical formula 6. Then, using the cluster coefficient Cx ″ calculated in this way, the score Sc of each terminal is calculated by the same formula as in the first embodiment, and a terminal whose score Sc exceeds a predetermined threshold is defined as a VoIP spammer 5. judge.

  When the cluster coefficient Cx described in the first embodiment is used, even if the user 3 is normal, the cluster coefficient Cx decreases as the number of outgoing call destination terminals increases. 5 may be erroneously determined.

  In the case of the first embodiment, the cluster coefficient Cx is smaller if the call is not made between all the destination terminals for the score calculation target terminal, and the cluster coefficient Cx is the square of the number of destination terminals. It is because it becomes small in inverse proportion to.

  Even if the score calculation target terminal is the normal user 3, if the number of destination terminals is very large, there is a low possibility that a call is being made between all the destination terminals. However, although there is no call between all the destination terminals, there is a high possibility that a call is made with one or two destination terminals.

  Therefore, in the third embodiment, in consideration of this point, a normal user with a large number of destination terminals is obtained by determining how many terminals among the destination terminals form a triangle by a link with a score calculation target terminal. 3 to prevent the cluster coefficient Cx ″ of 3 from becoming small, and the occurrence of erroneous determination that determines that the normal user 3 is the VoIP spammer 5 is suppressed.

  Here, an example of a calculation procedure of the cluster coefficient Cx ″ in the third embodiment will be described with reference to FIG. In FIG. 14, reference numeral 1 is assigned to a terminal that obtains a cluster coefficient, and reference signs 2, 3, 4, 5, and 6 are assigned to a plurality of terminals that obtain a cluster coefficient at a destination of the terminal. The user who obtains the coefficient Cx ″, “◯” indicates the transmission destination of the user who obtains the cluster coefficient Cx ″. In FIG. 14, if the user of the terminal of code 1 is x and the user of the terminal of code 2 is y, the candidate of user z is another user (terminals of code 3 to 6).

  When calculating the cluster coefficient Cx ″, when this z is sequentially replaced with terminals 3 to 6, the triangle having the highest strength is selected from the triangles of each combination. At this time, the user x, y terminal is fixed, and the combination when the user z terminal is exchanged is represented by the code attached to each terminal (1,2,3), (1,2,4), (1,2,5), (1,2,6).

  It is the meaning in Σ in Equation 6 to select the triangle with the highest link strength among the triangles. The intensity is obtained by an expression in max in Expression 6. For example, when the call time between 1-2, 1-4, and 2-4 is much longer than the call time between other users, the combination (1,2,4) is selected. . As a result, the triangle having the highest link strength for the terminal of code 2 is obtained, and is obtained as the sum of the equations.

  Next, when user y is a terminal of code 3, instead of z being a terminal of codes 2, 4, 5, 6, a triangle having the highest link strength is selected in the same manner. Similarly, in the case where y is a terminal of 4, 5, and 6, a triangle having the highest link strength is selected for each y.

  In the case of a terminal in which a triangle by a link is not configured, such as a terminal of reference numeral 5, that is, a terminal of reference numeral 5 is not making a call with another destination terminal, the link strengths Wyz and Wzy in all z Is “0”, the strength of the triangle having the highest link strength is “0”.

  If a triangle having the maximum link strength is selected for each of the terminals with codes 2, 3, 4, 5 and 6, an expanded cluster coefficient Cx ″ can be obtained. Then, using the cluster coefficient Cx ″ thus calculated, the score Sc of each terminal is calculated by the same formula as in the first embodiment, and the terminal whose score Sc exceeds a predetermined threshold is determined as the VoIP spammer 5.

  As described above, in the determination method of the VoIP spammer 5 in the third embodiment, when calculating the score Sc, when each destination terminal transmits and receives data packets to and from a plurality of destination terminals, Calculate the strength value of the degree of relationship between each destination terminal according to the communication time between each destination terminal and / or the number of communications, and the lower the sum value of the highest strength values for each destination terminal is, The high score is calculated as the score of the caller terminal.

  As a result, when the normal user 3 who is the target of score calculation has made a call with a large number of destination terminals in the past, even if a call has not been made in the past between several destination terminals, When a call is made between the destination terminals and the strength of the link between the destination terminals is high, the cluster coefficient Cx ″ is not reduced and the score Sc is lowered. It becomes difficult to mistakenly be identified as VoIP spammer 5.

  In the first to third embodiments described above, as shown in FIG. 1, the determination device 1 is connected between the Internet 2 to which the normal user 3 and the VoIP spammer 5 are connected and the SIP server 4. The case where the data packet transmitted / received between the terminals is monitored and the SIP URI of the VoIP spammer 5 that sends the VoIP spam to the normal user 3 is determined as an example has been described as an example. It is not limited to.

  For example, as shown in FIG. 15, the determination device 1 of the present embodiment includes a terminal adapter such as TAP 7 between the SIP server 4 and a SIP client such as a normal user 3 or a VoIP spammer 5 on the Internet 2. , Out-line connection is also possible. Thus, even when the determination apparatus 1 is connected out-line, the determination apparatus 1 can be additionally connected to an existing system.

  Further, in order to realize the determination method of the VoIP spammer 5 according to the present embodiment, the determination device 1 is not necessarily provided. For example, as shown in FIG. It can also be realized by incorporating a SIP URI determination program (software) 8 of the VoIP spammer 5 that causes the computer to implement the determination method of the VoIP spammer 5 according to the embodiment.

  In such a configuration, the SIP URI determination program 8 of the VoIP spammer 5 is operated as a separate process from the SIP server software. Then, the SIP server 4 executes the SIP URI determination program 8 of the VoIP spammer 5 and acquires a data packet from the network interface 9.

  As described above, when the SIP URI of the VoIP spammer 5 that operates in a process different from the SIP server software is provided in the SIP server 4, when the SIP URI of the VoIP spammer 5 is specified, the SIP server Since the process of discarding data packets from the user can be notified immediately in the target process being executed by the software, the VoIP spam transmitted from the VoIP spammer 5 can be prevented from being normally received by the user 3. .

It is explanatory drawing which shows the connection form of the determination apparatus which concerns on 1st Embodiment. It is explanatory drawing which shows the determination method which concerns on 1st Embodiment. It is explanatory drawing of the cluster coefficient which concerns on 1st Embodiment. It is explanatory drawing which shows an example of the usage method of the score which concerns on 1st Embodiment. It is a functional block diagram which shows the structure of the determination apparatus which concerns on 1st Embodiment. It is explanatory drawing of a call table and an inter-user call table. It is a flowchart which shows the process performed by the control part of the determination apparatus which concerns on 1st Embodiment. It is a flowchart which shows the process performed by the control part of the determination apparatus which concerns on 1st Embodiment. It is a flowchart which shows the process performed by the control part of the determination apparatus which concerns on 1st Embodiment. It is a flowchart which shows the process performed by the control part of the determination apparatus which concerns on 1st Embodiment. It is a flowchart which shows the process performed by the control part of the determination apparatus which concerns on 1st Embodiment. It is explanatory drawing of the cluster coefficient which concerns on 2nd Embodiment. It is explanatory drawing of the cluster coefficient which concerns on 3rd Embodiment. It is explanatory drawing of the cluster coefficient which concerns on 3rd Embodiment. It is explanatory drawing which shows the modification of the connection form of a determination apparatus. It is explanatory drawing which shows the implementation aspect of a determination program. It is explanatory drawing of the conventional determination method.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Determination apparatus 2 Internet 3 Normal user 4 SIP server 5 VoIP spammer 100 Packet processing part 101 Packet monitoring part 102 Packet information acquisition part 110 Control part 111 User statistical information extraction part 112 Score calculation part 113 VoIP spammer determination part 120 Storage part 121 User Statistical information storage unit 122 User score information storage unit 123 Score threshold storage unit 124 VoIP spammer storage unit

Claims (7)

A determination method for determining a spam sending terminal that sends spam data to other terminals from a plurality of terminals connected to a network,
A transmission / reception information acquisition step of acquiring transmission / reception information related to transmission / reception of the data packet from data packets transmitted / received between the terminals,
Transmission / reception history information storage step for storing the transmission / reception information acquired by the transmission / reception information acquisition step as transmission / reception history information of each data packet;
Based on the transmission / reception history information stored in the transmission / reception history information storage step, the degree of relationship between a plurality of destination terminals that are destinations of data packets transmitted from the same terminal is evaluated, and the relationship Based on the degree, a score calculation step of calculating a score indicating the reliability that the source terminal that is the source of the data packet is the spam source terminal;
A spam transmission terminal determination step for determining the transmission source terminal as the spam transmission terminal whose score calculated by the score calculation step is higher than a predetermined threshold;
The determination method characterized by having.   The score calculation step evaluates that the degree of relationship between the destination terminals is high when the data packet is transmitted and received between the destination terminals, and evaluates that the degree of relationship is high The determination method according to claim 1, further comprising a step of calculating the higher score as the score of the transmission source terminal as the number of terminal pairs is smaller.   The score calculation step includes a step of calculating a higher score as the score of the source terminal as the number of the destination terminals that transmitted data packets to the source terminal is smaller. The determination method according to claim 2.   The score calculation step calculates a higher score as the score of the source terminal as the communication time of the data packet between the destination terminal and the source terminal is shorter and / or the number of times of communication is smaller The determination method according to claim 3, further comprising a step of:   The score calculation step depends on the communication time and / or the number of communication between each of the destination terminals when each of the destination terminals transmits / receives a data packet to / from a plurality of the destination terminals. Calculating the strength value of the degree of relationship between each of the destination terminals, and calculating the higher score as the score of the source terminal as the sum of the highest strength values for each of the destination terminals is lower The determination method according to any one of claims 1 to 4, further comprising: A determination device for determining a spam transmission terminal that transmits spam data to other terminals from a plurality of terminals connected to a network,
A transmission / reception information acquisition unit that acquires transmission / reception information related to transmission / reception of the data packet from data packets transmitted / received between the terminals;
A transmission / reception history information storage unit for storing transmission / reception information acquired by the transmission / reception information acquisition unit as transmission / reception history information of each data packet;
Based on the transmission / reception history information stored in the transmission / reception history information storage unit, the degree of relationship between a plurality of destination terminals that are transmission destinations of data packets transmitted from the same terminal is evaluated, and the relationship Based on the degree, a score calculation unit that calculates a score indicating the reliability that the transmission source terminal that is the transmission source of the data packet is the spam transmission terminal;
A spam transmission terminal determination unit that determines the source terminal whose score calculated by the score calculation unit is higher than a predetermined threshold as the spam transmission terminal;
The determination apparatus characterized by having. A determination program for determining a spam transmission terminal that transmits spam data to other terminals from a plurality of terminals connected to a network,
Transmission / reception information acquisition procedure for acquiring transmission / reception information related to transmission / reception of the data packet from data packets transmitted / received between the terminals,
Transmission / reception history information storage procedure for storing transmission / reception information acquired by the transmission / reception information acquisition procedure as transmission / reception history information of each data packet;
Based on the transmission / reception history information stored by the transmission / reception history information storage procedure, the degree of relationship between a plurality of destination terminals that are destinations of data packets transmitted from the same terminal is evaluated, and the relationship Based on the degree, a score calculation procedure for calculating a score indicating the reliability that the transmission source terminal of the data packet is the spam transmission terminal;
A spam transmission terminal determination procedure for determining that the source terminal whose score calculated by the score calculation procedure is higher than a predetermined threshold is the spam transmission terminal;
The determination program characterized by causing a computer to execute.

Images