WO2015102356A1 - Method for selectively allowing or blocking internet access request traffic sharing authorized ip on basis of present time, and system for detecting current state of and blocking authorized ip sharing so as to perform method thereof - Google Patents

Abstract

The present invention relates to: an apparatus for detecting, from Internet service subscribers, a multi-access subscriber that uses an IP router and exceeds a number of lines allowed for a user in a current state, and allowing, with respect to an IP sharing state of a relevant IP sharing user, a terminal for which Internet access should be allowed to use the web on the basis of the current state, and blocking a terminal for which Internet access should be blocked, from using the web on the basis of the current state, when multiple users access an Internet service network provided by an ISP while sharing a single authorized IP by using an IP router such as NAT or an Internet router through IP address translation; and a blocking method using the apparatus.

Description

How to selectively allow or block the traffic of Internet access request sharing the public IP based on the current time, and the current status detection and blocking system of the public IP sharing to implement the method

The present invention is to provide a plurality of users to access the Internet service network provided by the ISP using an IP sharer through IP address translation, such as NAT or Internet sharer, while sharing one public IP in the current state among Internet service subscribers. Using the IP sharer, it detects subscribers accessing more than the line allowed for the user, and allows the web use of the terminal that should be allowed to access the Internet based on the current state for the IP sharing status of the IP sharing user. The present invention relates to a device for blocking the use of the web of the terminal should be blocked on the basis of the state and a blocking method using the device.

Recently, the Internet is frequently used while sharing a single public IP assigned to Internet service subscribers using an IP sharer while simultaneously using the network as client terminals such as multiple user PCs. In order to establish a firewall between the internal network and the external Internet network, NAT (Network Address Translation) is configured in a router and a lot of places use private IP internally.

On the other hand, while infrastructure such as equipment, network maintenance cost, and network speed are limited in the infrastructure established by existing Internet Service Providers (ISP), as the frequency of use of NAT or IP router increases, As the number of users connected to one line provided increased indiscriminate traffic, users who normally use only one client terminal (PC) for one-line Internet public IP or want to use the Internet There is a situation in which users who apply for the Internet public IP line as many as the number of client terminals and use it normally are relatively suffering the damage.

However, in order to accurately identify subscribers using the number of client terminals (user terminal, user PC) exceeding the public IP line according to the Internet service subscription line, the IP address of the actual user terminal (user PC) must be tracked. However, since the user's real IP (private IP) address inside the NAT or IP router is translated into a public IP address when traversing the NAT or IP router, the user's real IP address is not only externally known, It is also difficult to pinpoint how many private IPs are commonly used for IPs.

To solve this problem, it analyzes the TCP / IP packet and redirects all sessions from the requested page to the domain with the primary domain from the requested page, and uses a specific public IP (Internet IP) in the private network. Figure out the user's private IP, make a DB to know exactly how many users are using the internet at the same time, and use the IP pooled information and job (JOB) to make a private TCP connection to the Internet at the same time. As in Korean Patent Registration No. 10-0723657 (published May 23, 2007), which discloses a technique for selectively allowing / blocking on the basis of IP / IP, in order to obtain a private IP of a user's computer, a private IP of a user in an internal network is obtained. Install a separate applet (application program) that tells you the address, and use it on your computer to access the Internet through a web browser. Need to run applets (application programs) installed, but itgie the user to identify and remove or disable the operation of the installation and operations of these applets do not provide a fundamental solution to the problem.

On the other hand, the Republic of Korea Patent Publication No. 10-2009-0041752 (2009) as another conventional technology proposed as an alternative to solve the problem with the technology of installing a separate applet to obtain a private IP in the user terminal as described above 4. 29. According to the technique disclosed by the Public Disclosure, a client using a precision detection algorithm using a cookie generated in a plurality of terminals on a client side in a private network sharing and using multiple terminals to be detected Private network user of a specific public IP by using DB (Cookie) pool DB information and job scheduler (JOB) scheduler that operates at a certain time interval while using technology to find out the exact number of multiple terminals on the side Internet connection is exceeded in the private network based on TCP / IP Dandan technology has been presented.

However, in the router detection / blocking method or the router detection / blocking system according to the related art, a detection process for detecting a user using an excessive number of terminals (computers) using an IP router and detecting and blocking web traffic from such a user are provided. Since the process is unified, all subscribers' traffic, which has nothing to do with the use of shared equipment such as IP routers, is introduced into the router detection system, which not only puts a heavy load on the router detection system but also handles the traffic of all subscribers. The speed is affected by the processing performance of the router detection system, which slows down the Internet, and if an error or failure occurs in the router detection system, all the traffic of all subscribers becomes unprocessed and the Internet itself may be impossible. Problem The.

In addition, the above conventional technology uses a cookie stored in a specific area of the user's computer to detect and block an excessive user of the router, which is a standard HTTP protocol for providing persistence to the client side. It is provided to be manipulated by a web browser for extensions, but it is stored in a well-known location on your computer's hard disk and most computer users are familiar with how to delete cookies. If it accumulates, the Internet speed may be slowed down, and a web browser may provide a function of deleting and cleaning them after a certain period of time, for example, when using one computer for one public IP (IP router). If you do not use the Internet) If the web browser is generated again by deleting the cookies in the middle and generating the web traffic, the blocking system according to the prior art uses the traffic generated by other computers with the same public IP (that is, traffic using an IP router, etc.). There is a problem that can be blocked by judging wrong, this problem causes a great damage to the reliability of the service provided by the Internet service provider.

In addition, in the prior art, when the Internet access to the terminal exceeds the line allowed by the user using the IP sharer among the Internet service subscribers, at the same time the number of terminals using the Internet access within the line range allowed by the subscriber Is a collection of records including a delimiter for distinguishing terminals connected to the same IP in order to allow a terminal connected to the Internet to be subsequently accessed when the terminal connected to the Internet is in a suspended state in the current state. It operates a JOB scheduler that refreshes (updates) the existing time in the cookie pool DB (or UID POOL DB) as a delimiter list at regular intervals. For example, a job (JOB) scheduler that runs every 30 minutes is a cookie (Cookie). Report the registered internet access time among the registered records of the full DB By deleting information for a time there was no change in the connection time (e.g., for 20 minutes) record has been adopted a structure (see Fig. 5b) so that the information is updated.

However, in such a situation, for example, six workers each use four computers assigned to them to access the Internet to handle their work, but allow two people to work on the Internet for 12 hours and two shifts. If you have only two lines, the internet connection of two new shift workers will be disabled during the time when the previous two shift workers' Internet access history records are not deleted by the 30-minute job (JOB) scheduler. The maximum allowed time is 50 minutes, which is the sum of the job scheduler run time interval (eg, 30 minutes) and the record deletion reference time interval (eg, 20 minutes) when the job (JOB) scheduler is running. There is a problem that can cause a great inconvenience to the user.

On the other hand, if the task scheduler operation time interval and the record deletion reference time interval are minimized when the job scheduler is run to alleviate this problem, the problem of an increase in the load of the DB server operation due to the operation of the job scheduler is caused. In addition to this, there is a problem that the inconvenience of losing access to the Internet through his terminal may occur after a short time or other work from the user's point of view.

The present invention is a means for solving the problems of the prior art, the Internet connection request traffic of the terminal making a connection request by detecting the number of the plurality of user terminals on the private network using the same public IP and compared with the assigned allowable number (for example, In the method for selectively allowing or blocking HTTP request traffic using a method such as GET, POST, etc. as a request traffic generated from a subscriber in the TCP / IP-based HTTP protocol,

(I) In the case where the client terminal requests a connection to a web site on the Internet by running a web browser, a mirroring apparatus provided to a backbone network of an Internet service provider (ISP) is a client terminal. Mirroring the web site access request traffic generated from the web site access request traffic and sending the mirrored web site access request traffic to a push server to determine whether there is a suspicion of IP router overuse;

(II) whether the push server is a public IP selected as suspected of excessive use of the router by public IP and cookie information included in the previous access traffic processed by the push server. Public IP verification step for suspicious use of subscriber traffic to confirm;

(III) If the public IP is selected as a suspect of excessive use of the router, the push server checks whether the mirrored web site access request traffic is the traffic to be blocked or not in order to reduce the load of the detection / blocking web server. After coarse, if the traffic to be blocked is determined, the second false response traffic (hereinafter referred to as 'second false response traffic' to be distinguished from 'first false response traffic') is transmitted to the client terminal. Detecting / blocking retransmission traffic from the client terminal, which detects / blocks retransmission traffic that redirects to the detection / blocking web server by parameterizing the address of the web site to which the subscriber originally accessed through the 100% frame generated by the false client traffic. After sending to the web server, the detection / blocking web server receives Flash shared object stored as a configuration variable name such as the public IP of the subscriber extracted from the detection / blocking retransmission traffic and the UID transmitted from the subscriber client terminal through the 0% detection frame generated separately from the 100% frame ( 'Flash Shared Object': It is stored as binary data in an unknown location on the user's hard disk, so it is not easy for the user to delete, and has a feature that does not set the expiration date or expiration date of data that persists differently from cookies. By performing a router overuse detection algorithm that checks whether the router is in overuse state by using the unique variable value of), traffic of the subscriber that is not in the router overuse state allows access to the web site requested by the subscriber client terminal. Detect subscriber traffic in router overuse The router includes a router overuse detection / blocking decision step of determining whether to allow / block the access of the web site of the subscriber client terminal in the router overuse state according to additional screening conditions. It provides a method for selectively allowing / blocking the Internet access request traffic sharing a public IP characterized in that.

In addition, the present invention is a more specific method including the processing steps in the case of not being a public IP selected as a router overuse suspect in the router overuse suspect public IP verification step of subscriber traffic,

(I) When a client terminal requests a connection to a web site on the Internet by running a web browser, a mirroring device provided to a backbone network of an Internet service provider (ISP) is provided from the client terminal. Mirroring the generated web site access request traffic and transmitting the mirrored web site access request traffic to a push server to check whether there is a suspicion of IP router overuse;

(II) whether the push server is a public IP selected as suspected of excessive use of the router by public IP and cookie information included in the previous access traffic processed by the push server. Public IP verification step for suspicious use of subscriber traffic to confirm;

(III-A) If it is not a public IP selected as a router overuse suspect, whether the push server is selected as a router overuse suspect using public IP and cookie information included in the mirrored website access request traffic. After verifying that the router is overused, it registers the relevant IP and defines a unique variable that sets the cookie validity time, such as the sign variable, on the client terminal and sets the current time as the value. A router overuse suspect selection / registration step of transmitting a first false response traffic to a client terminal, the first false response traffic comprising a command to store a message and a redirection command to induce a subscriber to reconnect to a web site to which the subscriber originally connected;

(III-B) If the public IP selected as suspicious to use the router excessively, the push server checks whether the mirrored web site access request traffic is the traffic to be blocked or not to reduce the load of the detection / blocking web server. After the step is performed, the second false response traffic is transmitted to the client terminal when the traffic is determined to be blocked, and the subscriber is transmitted through the 100% frame generated at the subscriber client terminal by the second false response traffic. The detection / blocking web server receives the transmitted / rejected retransmission traffic from the client terminal from the client terminal to the detection / blocking web server by redirecting to the detection / blocking web server. Subscriber's empty extracted from the detection / blocking retransmission traffic To check whether the router is in overuse state by using the unique variable value of the flash shared object received from the subscriber client terminal through the IP and the 0% detection frame generated separately from the 100% frame. By performing a router overuse detection algorithm, subscriber traffic that is not router overuse allows access to a web site requested by a subscriber client terminal and detects router overuse detection that detects subscriber traffic in a router overuse state. And proceeding with the router overuse detection / blocking decision step of determining whether to allow / block the access of the web site of the subscriber client terminal in the router overuse state according to the additional screening condition, and

The mirrored website access request traffic, which has undergone the router overuse suspect selection / registration step, is discarded from the push server regardless of whether the router overuse suspect is selected, thereby allowing internet access by the original website access request traffic. As possible,

When the router overuse state is detected in the router overuse state detection / block determination step of the router overuse state detection, the detection / blocking web server is attached by the subscriber client terminal to the detection / blocking retransmission traffic as a parameter. By redirecting to the original intended website, the router overuse state detection step of the router overuse state detection / blocking decision step In the process of determining whether to allow or block access to the web site of the subscriber client terminal when the web site access is allowed according to the additional screening condition, the detection / blocking web server is set as a parameter to the detection / blocking retransmission traffic by the subscriber client terminal.A method for selectively allowing / blocking Internet access request traffic sharing a public IP, characterized by allowing access to a website by redirecting to an attached originally intended website.

Here, the subscriber traffic detection step of the router overuse state constituting the router overuse state detection / blocking step performed by the detection / blocking web server is more specifically.

Requesting, by the detection / blocking web server, a unique variable value stored in a flash shared object ('Flash Shared Object') of a subscriber client terminal (subscriber PC) with a configuration variable name such as a UID through a 0% detection frame;

In the step of requesting the unique variable value, the subscriber client terminal receiving the unique variable value of the UID from the client terminal and currently connected to the DB server among the UID list within 24 hours (first set time) of the corresponding subscriber IP (ID) ( If a value equal to the UID value of the subscriber PC) exists and is determined to be a unique variable value of the valid UID, allowing the client terminal of the subscriber to access the website requesting the connection while updating the access time of the UID to the DB server. Proceed; And

In the requesting of the unique variable value, the UID list does not receive the unique variable value of the UID from the client terminal or the unique variable value of the UID is received within 24 hours (the first setting time) of the corresponding IP (ID). If there is no value equal to the UID value of the currently connected subscriber client terminal (subscriber PC), it is determined to be a unique variable value of the invalid UID.

The number of valid UID lists within 24 hours (first set time) of the subscriber's IP (ID) existing in the current DB server and the number of router PCs allowed for the subscriber's IP (ID) are inquired.

(a) If the number of valid UID lists is less than the allowed number of PCs, it is determined that the router is not currently in overuse state, and a unique variable value of a new UID is generated for the currently connected subscriber client terminal (subscriber PC). Allow the subscriber's client terminal to access the website requesting the connection, storing it in the client terminal and registering it with the DB server with the access time; and

(b) If the number of valid UID lists is greater than or equal to the number of PCs allowed, it is determined that the router is currently in overuse state, and the currently connected subscriber client terminal (subscriber PC) may be allowed to access the Internet according to additional screening conditions. It is preferably configured to proceed to the step of blocking / allowing the access request traffic to determine whether or not to block.

Furthermore, as described above, the step of determining whether to block or allow access request traffic, which determines whether to allow or block Internet access according to additional screening processing conditions,

(b1) From the list of valid UIDs within the first setting time T-1 (for example, 24 hours) of the corresponding subscriber IP (ID) existing in the DB server, the registered access time is based on the current time. -2; if there is a UID that has passed more than 30 minutes, delete the list of UIDs with the oldest connection time from the DB server, and unique variables of the new UID for the currently connected subscriber client terminal (subscriber PC). Generate the value and store it in the subscriber client terminal and register the DB server with the access time, and allow the subscriber's client terminal to access the website requesting the connection; and

(b2) Among the valid UID lists within the first setting time T-1 (for example, 24 hours) of the corresponding subscriber IP (ID) existing in the DB server 240, the registered access time is set to the second based on the current time. If there is no UID exceeding the time T-2 (e.g., 30 minutes), it is further configured to proceed to block the access to the website that requested the access for the currently connected subscriber client terminal (subscriber PC). Would be preferred.

According to the present invention, the method of the present invention detects the number of a plurality of user client terminals on a private network using the same public IP and compares the Internet access request traffic of a client terminal making an access request with an assigned allowed number to the IP sharing state. Device system for selectively allowing or blocking accordingly,

Backbone of an Internet Service Provider (ISP) for mirroring website access request traffic generated from a client terminal when a client terminal of an Internet service subscriber requests a connection to a website on the Internet by running a web browser. A mirroring device located in a network;

If the subscriber public IP of the mirrored website access request traffic is a public IP selected as suspected of excessive use of the router by the public IP and cookie information included in the previous access traffic processed by the push server, If the public IP is selected as a suspect, the method checks whether the mirrored website access request traffic is the traffic to be blocked or not to reduce the load of the detection / blocking web server. Through the 100% frame generated in the subscriber client terminal, the detection / blocking retransmission traffic that redirects the detection / blocking web server to the detection / blocking web server by parameterizing the address of the web site to which the subscriber originally attempted to access is transmitted from the client terminal to the detection / blocking web server. False response traffic to the client terminal Push server sending false response traffic); and

Name of a configuration variable such as a public IP of a subscriber extracted from the detection / blocking retransmission traffic transmitted from the subscriber client terminal, and a UID transmitted from the subscriber client terminal through a 0% detection frame generated separately from the 100% frame Router over-use state by executing the router over-use detection algorithm by storing the unique variable value of 'Flash Shared Object' stored in the DB server and retrieving the list stored during the first set time from the connection time. Subscriber traffic is redirected by the subscriber client terminal to the originally intended website attached as a parameter to the detection / blocking retransmission traffic, and the router overuse condition detection for detecting the subscriber traffic of the router overuse status is performed. Excessive router on It provides a public IP sharing state detection and blocking system comprising a detection / blocking web server that determines whether to allow / block access to the website of the subscriber client terminal in the use state according to additional screening conditions.

On the other hand, the device system according to the present invention is a public IP sharing state detection and blocking system for providing a processing function when the public IP is selected as suspected excessive use of the router,

Backbone of an Internet Service Provider (ISP) for mirroring website access request traffic generated from a client terminal when a client terminal of an Internet service subscriber requests a connection to a website on the Internet by running a web browser. A mirroring device located in a network;

If the subscriber public IP of the mirrored website access request traffic is a public IP selected as a suspected router overuse by the public IP and cookie information included in the previously processed access traffic, If it is not a public IP, it sends public IP and HOST information included in the mirrored web site access request traffic to the analysis server to check whether the router is overused. (C) defining a unique variable that sets the valid time, and storing a cookie with the current time as a value on the client terminal, and a redirect command for inducing the subscriber to reconnect to the website to which he or she originally connected. Send the first false response traffic to the client terminal, and If the public IP is selected as suspected of excessive use of the client, the client detects the detection / blocking retransmission traffic that redirects to the detection / blocking web server by parameterizing the address of the web site to which the subscriber originally connected through the 100% frame generated at the subscriber client terminal. A push server for transmitting the second false response traffic to the client terminal so as to be transmitted from the terminal to the detection / blocking web server;

The subscriber's public IP and access host information received from the push server are stored in the DB server along with access time data, and the number of access requests for each subscriber is determined by identifying the number of access requests to a specific host with the same public IP during the set time. An analysis server for determining whether to select a router overuse suspect by determining whether the number of IP sharing allowable PCs managed by policy is exceeded, and transmitting the determination result along with the corresponding public IP to the push server;

Name of a configuration variable such as a public IP of a subscriber extracted from the detection / blocking retransmission traffic transmitted from the subscriber client terminal, and a UID transmitted from the subscriber client terminal through a 0% detection frame generated separately from the 100% frame Router over-use state by executing the router over-use detection algorithm by storing the unique variable value of 'Flash Shared Object' stored in the DB server and retrieving the list stored during the first set time from the connection time. Subscriber traffic is redirected by the subscriber client terminal to the originally intended website attached as a parameter to the detection / blocking retransmission traffic, and the router overuse condition detection for detecting the subscriber traffic of the router overuse status is performed. On router and Whether the subscriber client terminal in use, web site access allow / block, including the detection / prevention Web server that is determined by the further screening processing conditions provides a public IP sharing state detection and prevention system, characterized in that formed.

According to the present invention, after detecting suspicious use of the router in advance, only the subscriber using the public IP detects the actual use of the router and blocks the web traffic. It is almost unaffected by the detection system, and there is almost no decrease in internet speed in detecting suspicious use of the router. If an error or failure occurs in the detection system, it does not affect the subscriber's internet. do.

In addition, the steps of detecting and blocking the exact state of overuse of the router are not a cookie that can be easily deleted by the user, but a 'Flash Shared Object' (binary form) in an unknown location on the user's hard disk. Is not easy to be deleted by the user and has a feature that does not set the expiration date or expiration date of data that is different from cookies. to provide.

In addition, by dynamically classifying and processing the terminals that should be allowed to access and the terminals that should be blocked in the actual blocking phase, it provides high efficiency to the whole system. By minimizing, the fundamental service efficiency of the Internet access service can be greatly improved.

1 is an overall configuration diagram of a detection / blocking system according to the present invention,

2A and 2B are operational state diagrams illustrating a process of selecting a router overuse suspect through a push server and an analysis server in a detection / blocking system according to the present invention;

3 is an operational state diagram illustrating a process of detecting and blocking a router excessive use state through a push server and a detection / blocking web server in the detection / blocking system according to the present invention.

4a to 4d are flow charts of the method invention according to the invention,

5A and 5B are time charts illustrating processes in which a router excessive use state detection and blocking step according to the present invention shown in FIG. 5C is performed as a comparative example.

6A to 7C are diagrams showing embodiments of web traffic transmitted during a router overuse suspect selection step according to the present invention;

8 and 9A to 10B are diagrams showing embodiments of web traffic transmitted during a router overuse detection / blocking determination step according to the present invention.

Hereinafter, with reference to the accompanying drawings, to detect the number of a plurality of user terminals on the private network using the same public IP and to selectively allow or block the Internet access request traffic of the terminal making a connection request compared to the assigned allowable number It will be described with respect to a preferred embodiment of the present invention provided.

With reference to the drawings shown in FIGS. 4A-10B in addition to the basic structural and operational state diagrams shown in FIGS. 1 to 3, the preferred embodiment of the public IP sharing state detection and blocking system according to the present invention is first described. Let's take a look.

As shown in FIG. 1, a preferred embodiment of the public IP sharing state detection and blocking system 200 according to the present invention includes a mirroring device 210, a push server 220, an analysis server 230, and a DB server ( 240, and a detection / blocking web server 260, which will be described in more detail.

The mirroring device 210, when the client terminal (PC-1, PC-2, PC-3, PC-4) of the Internet service subscriber requests a web site on the Internet 300 by running a web browser It is a device located in the backbone network of the Internet service provider (ISP) for mirroring the web site access request traffic generated from the client terminal

The push server 220 checks whether the subscriber public IP of the mirrored website access request traffic is a public IP selected as an overuse of the router, and if the public server is not a public IP selected as the overuse of the router, the overuse of the router is suspected. In order to confirm whether or not to be selected as a ruler, the public IP and host information included in the mirrored web site access request traffic are transmitted to the analysis server 230, and a cookie valid time is set as a sign variable. Define a unique variable that is set to save the cookie with the current time as a value in the client terminal (PC-1, PC-2, PC-3, PC-4) and the subscriber was originally Forwarding a first false response traffic (see FIG. 6B) to the client terminal (PC-1, PC-2, PC-3, PC-4) that includes a redirect command to reconnect to the web site, and if If the public IP is selected as suspected of excessive use of the router, the step of determining whether the traffic is the target for determining whether or not to block the load of the detection / blocking web server is performed ('S250' of FIGS. 4A and 4C), and determining whether to block the router. If the target traffic corresponds to the detection / blocking retransmission traffic redirected to the detection / blocking web server 260 by parameterizing the address of the web site to which the subscriber originally accessed through the 100% frame generated at the subscriber client terminal (FIG. 10A and FIG. 10B) is a device for transmitting second false response traffic (see FIGS. 9A and 9B) to the client terminal so that the client terminal is transmitted from the client terminal to the detection / blocking web server 260.

The analysis server 230 stores the subscriber's public IP and access host information transmitted from the push server 220 together with the access time data in the DB server 240 and uses the same public IP for the set time. By determining the number of access requests for a specific host and determining whether the number of access requests has exceeded the allowance of IP sharing allowed PCs that are managed policy by subscriber, it is decided whether to select a router overuse suspect, and the result of the decision Is a device for transmitting to the push server 220 with the corresponding public IP,

The detection / blocking web server 260 is generated separately from the subscriber's public IP extracted from the detection / blocking retransmission traffic transmitted from the subscriber client terminal (see FIGS. 10A and 10B) and the 100% frame. The unique variable value of the flash shared object ('Flash Shared Object') stored in the configuration variable name such as the UID received from the subscriber client terminal through the 0% detection frame is stored in the DB server 240 and the first time from the access time. By performing a router overuse detection algorithm by searching the list stored during the set time, subscriber traffic that is not in the router overuse state is redirected by the subscriber client terminal to the original target website attached as a parameter to the detection / blocking retransmission traffic. Redirects and shares to detect subscriber traffic in router overuse conditions The device determines whether to allow / block access to a website of a subscriber client terminal in a router overuse state after performing the overuse state detection according to additional screening conditions.

In addition, the system according to the present invention further includes a policy management web server 250 for storing the IP sharing allowable PC number list managed by each subscriber in the DB server 240 and changing these information. More preferable.

According to a preferred embodiment of the specific method as shown in FIG. 4A, which is shown in flow chart form, the operating state of the device system shown in FIGS. 2A, 2B and 3 in connection with the method invention according to the invention The present invention provides a method of selectively allowing or blocking Internet access request traffic of a terminal making an access request by detecting a plurality of user terminals on a private network using the same public IP and comparing the allocated allowable numbers.

(I) a mirroring device 210 provided to a backbone network of an Internet service provider (ISP) when a client terminal requests a connection to a web site on the Internet by driving a web browser; Mirroring the web site access request traffic generated from the client terminal and transmitting the mirrored web site access request traffic to the push server 220 to check whether the IP router is overused ('S100). ')Wow;

(II) The push server 220 selects a subscriber public IP of the mirrored web site access request traffic as suspected of excessive router use by public IP and cookie information included in previous access traffic processed by the push server. Public IP verification step (S200) suspected of excessive use of subscriber traffic to determine whether the public IP;

(III-A) If it is not a public IP selected as suspected of excessive use of the router, the push server 220 uses the public IP and cookie using the public IP and cookie information included in the mirrored website access request traffic. After verifying whether the suspect is selected as a suspect of overuse of the router, register the relevant IP, and define a unique variable that sets the cookie validity time such as the sign variable on the client terminal. Router overuse selection / registration step of transmitting the first false response traffic to the client terminal including a command to store the set cookie and a redirection command to induce the subscriber to reconnect to the website to which the user originally connected. 'S210');

(III-B) If the public IP selected as a suspicious use of the router, the push server 220 is a target to determine whether the mirrored website access request traffic is blocked in order to reduce the load of the detection / blocking web server. After checking whether the traffic is traffic ('S250'), if the traffic to be blocked or not is determined, the second false response traffic is transmitted to the client terminal ('S300'). The detection / blocking retransmission traffic that redirects the detection / blocking web server 260 to the detection / blocking web server 260 by parameterizing the address of the web site to which the subscriber originally attempted to connect through the 100% frame generated at the web site 260 is detected / blocked. After the transmission, the detection / blocking web server 260 is extracted from the received detection / blocking retransmission traffic. Whether the router is in overuse state by using a unique variable value of the flash shared object received from the subscriber client terminal through the subscriber's public IP and a 0% detection frame generated separately from the 100% frame. Router overuse detection ('S410') is performed to detect the subscriber traffic in the router overuse state by performing the router overuse detection algorithm. A router overuse detection / blocking decision step (S400) for determining whether to allow / block web site access ('S420a'), and

The mirrored website access request traffic that has passed through the router overuse suspect selection / registration step (S210) is discarded by the push server 220 regardless of whether the router overuse suspect is selected (S220). ) Allowing Internet access by the original website access request traffic ('S230'),

In the router excessive use state detection / block determination step (S400), the router excessive use state detection ('S410') is not determined as the router overuse state or the subscriber client terminal in the router overuse state is allowed to access the website. In the process of determining whether or not to block ('S420a'), when access to the web site is allowed according to an additional screening condition, the detection / blocking web server 260 may use the subscriber client terminal as a parameter to the detection / blocking retransmission traffic. It provides a method for selectively allowing / blocking Internet access request traffic sharing a public IP, which is characterized by allowing access to a website by redirecting to an attached originally intended website ('S420b1').

Here, the router overuse suspect selection / registration step (S210) is a mirrored 'website access request traffic' of the subscriber client terminal ( If the mirrored subscriber traffic is not 'website access request traffic', the push server simply needs to discard the mirrored subscriber traffic. Unique features such as 'UI (Uniform Resource Identifier)', 'Referer' (remaining trace of each web site through hyperlink when surfing the internet with web browser), and 'Cookie' Examine the status of one variable (e.g. sign variable), and the 'Host' is used to determine the pre-established primary monitored host (e.g., the top 10 web sites, such as major portal sites). (The next setting condition ⓐ), and only if all the following setting conditions (the following setting conditions ⓑ, ⓒ, ⓓ) for the unique variables of the remaining 'URI', 'Referer' and 'Cookie' are satisfied The router over-use suspect detection step using IP, and cookie information is set to continue, otherwise the mirrored web site access request traffic is set to be discarded.

-Setting condition ⓐ: Is 'Host' the main monitored host? In other words, this condition is satisfied when it is the main monitored host, and the reason for this setting is that the push server is too large for only the pre-configured web sites, for example, the top 10 web site access ranks. The purpose is to significantly reduce the traffic processing load associated with suspicious use detection. Thus, if the 'HOST' is not the primary monitored host, the push server discards the subscriber's mirrored traffic, so that the response traffic of the HOST is originated by the subscriber's website access request traffic. Will be sent / output normally. Here, it is preferable that the host monitored by the push server 220 is set to mean a host including all subdomains. For example, the host monitored by the push server 220 is 'naver.com'. In this case, it refers to * .naver.com that includes all subdomains such as 'www.naver.com', 'search.naver.com', and 'abcnaver.com'. Therefore, when setting the cookie (Cookie) to the subscriber or transmits the access host information to the analysis server 230, it is set or transmitted based on the host criteria monitored by the push server 220, for example, the access host of the subscriber 'www .naver.com 'and the host monitored by the push server 220 is' naver.com', the cookie is set to the 'naver.com' domain ('domain =.' of the first false response traffic of FIG. 6B). naver.com .; '), and the analysis server 230 also transmits host information to' naver.com ', and if the cookie is set to the' naver.com 'domain,' * .naver.com ' At the time of connection, cookie set unconditionally is attached to request traffic.

-Setting condition ⓑ: Is the ending part of 'URI' corresponds to '/' or '/?'? In other words, the push server needs to satisfy this condition to detect suspicious use of the router. However, an error may occur when the ending part of the 'URI' redirects traffic that is not '/' or '/?'. Because.

-Setting condition ⓒ: Is there no 'Referer'? In other words, the push server confirms that the traffic is not redirected from this condition, which is a condition to prevent an infinite loop.

-Setting condition ⓓ: Is there no value of 'sign' in 'Cookie'? If the 'cookie' has a unique variable value of 'sign', it may be set at a predetermined time (e.g., 1 hour; storing the 'sign' variable value using the same client terminal as the previously connected client terminal). Survival time) Since the traffic is secondary to the web site through the web browser, it is not the traffic to be monitored / detected by the router, so the push server is sufficient to discard the mirrored subscriber traffic.

In addition, the router overuse state detection / blocking determination step 'S400' constituting the router overuse state detection ('S410') is shown in FIG. The detection / blocking web server 260 requests a unique variable value stored as a configuration variable name, for example, a UID variable name, in a 'Flash Shared Object' of the subscriber client terminal (subscriber PC) through a 0% detection frame (S411). "),

In step 'S411', the UID value of the subscriber client terminal (subscriber PC) that receives the unique variable value of the UID from the client terminal and is currently connected to the DB server 240 within the UID list within 24 hours of the subscriber IP (ID). If the same value as is present and determined as a unique variable value of the valid UID, allowing the client terminal of the subscriber to access the website requesting the connection while updating the access time of the UID to the DB server 240 ('S412). ') Proceed; And

In step 'S411', the subscriber station does not receive the unique variable value of the UID from the client terminal or the unique variable value of the UID is received, but the subscriber client terminal (subscriber) currently connected in the UID list within 24 hours of the corresponding IP (ID). If a value equal to the UID value of PC) does not exist and is determined to be a unique variable value of an invalid UID,

By querying the number of valid UID list within 24 hours of the corresponding subscriber IP (ID) existing in the DB server 240 and the number of allowed router PCs of the corresponding subscriber IP (ID) ('S413'),

(a) If the number of valid UID lists is less than the allowed number of PCs, it is determined that the router is not currently in overuse state, and a unique variable value of a new UID is generated for the currently connected subscriber client terminal (subscriber PC). The client terminal stores the client terminal and registers the DB server 240 together with the access time while allowing the subscriber's client terminal to access the website that requested the connection ('S414a'), and

(b) If the number of valid UID lists is greater than or equal to the number of PCs allowed, it is determined that the router is currently in overuse state ('S414b'), and the subscriber client terminal (subscriber PC) currently connected is subject to additional screening conditions. Proceed to the step of blocking / allowing access request traffic (see 'S420a' and FIG. 4D of FIG. 4A), which determines whether to allow or block Internet access according to the following process.

(b1) Among the valid UID lists within the first setting time T-1 (for example, 24 hours) of the corresponding subscriber IP (ID) existing in the DB server 240, the registered access time is set as the second based on the current time. If there is a UID that has elapsed longer than the time (T-2; for example, 30 minutes), the DBD 240 deletes the list of the UIDs with the oldest connection time, and then accesses the currently connected subscriber client terminal (subscriber PC). Generate a unique variable value of the new UID and store it in the subscriber client terminal and register it with the access time at the DB server 240 while allowing the subscriber's client terminal to access the website requesting access ('S420b1').

(b2) If there is no UID in the list of valid UIDs within 24 hours of the subscriber's IP (ID) existing in the DB server 240 that has exceeded 30 minutes from the current time, The connected subscriber client terminal (subscriber PC) is blocked to access the website requesting the connection (S420b2).

Therefore, for example, the first setting time T-1 of 24 hours, which is the duration of the UID list, is set to confirm the number of terminals connecting through the router (i.e., in case of reconnection within 24 hours). Only the access time is updated without generating the UID), and the access priority is continuously maintained during the first setting time (T-1), which is the UID duration, for a terminal that has no Internet website access for more than 20 hours, and is further connected. There is an unreasonable situation in which the connection of the terminal is continuously discontinued. A solution to this problem is required. As a solution, the website access is flexibly allowed within the current state without exceeding the number of lines allowed. Based on the access time of the currently connected additional terminal is set separately from the first setting time (T-1) of the duration of the UID list so that Access priority by deleting the UID of the existing terminal that has passed the second set time (T-2) after connecting to the Internet, creating a new UID for the newly connected terminal, and registering it with the DB server to allow access to the website. Allow dynamic allocation.

Here, the step (S420b2) of the detection / blocking web server 260 blocking the access to the website requested by the client terminal of the subscriber may be performed as shown in FIGS. 4A and 4D. The blocking step may not provide any response to the subscriber according to the policy, and may alternatively proceed to redirecting to the blocking message page or the warning message page as shown in FIG. 4D.

Hereinafter, according to the method invention according to the present invention and the apparatus system for performing the method described above, the processing of the case of accessing the Internet web site through the IP router 100 as a plurality of client terminals (subscriber PCs) in detail. The process will be described in more detail with reference to the accompanying drawings to supplement the understanding of the structure of the present invention, and further describe specific embodiments of the present invention, as well as to describe the operation state, its effects, and effects in more detail. .

2A and 2B, a plurality of client terminals (subscriber PCs) (PC-1, PC-2, PC-3, PC-4) are used by using an IP router 100 such as NAT equipment. In the case where private networks are configured to each attempt to access the Internet, for example, the first PC PC-1 runs a web browser to request subscriber access traffic (see 'Subscriber request traffic' in FIG. 6A). ), This web site access request traffic (hereinafter, simply referred to as 'subscriber request traffic') is the back of the Internet Service Provider (ISP) as indicated by the arrow '①' of FIG. 2A. In the backbone network, the mirrored device 210 is mirrored, and the mirrored web site access request traffic is transmitted to the push server 220 to check whether the IP router is overused. See 'S100' step of 4a).

Then, the push server 220 authenticates the subscriber (the subscriber ID of FIG. 2A is 'USER-1') of the web site connection request traffic mirrored in the public IP verification step (S200) of the subscriber traffic shown in FIG. 4A. If the IP ('IP-Addr1' of FIG. 2A) is a public IP selected as a router overuse suspect, and is not a public IP selected as a router overuse suspect, it is included in the mirrored website access request traffic. Using the public IP and cookie information, the router overuse suspect selection / registration step ('S210') is performed to verify and register whether the router is overused.

Here, looking at the progress of the router overuse suspect selection / registration step (S210) in more detail, the push server 220 first checks whether the mirrored traffic is 'website access request traffic' ( In step S211 of FIG. 4B), if the mirrored subscriber traffic is not 'website access request traffic', the push server simply allows the web site access by the original traffic by discarding the mirrored subscriber traffic. Will be enough.

Furthermore, in the case of 'website access request traffic', checking whether the 'Host' of the setting condition ⓐ is the main monitored host ('S212'), and the ending part of the 'URI' of the setting condition ⓑ '/' 'Or' /? 'And checking whether there is no' Referer 'in the setting condition ⓒ (' S213 '), and' Cookie 'included in the website access request traffic under the setting condition ⓓ' The sign 'step' checks whether there is no variable value (S214).

In the case of the subscriber request traffic shown in Fig. 6A, it is 'website access request traffic' and the above-described setting condition ⓐ ('Host' is the main monitored host), ⓑ (the ending part of 'URI' is '/' or '/?'), Ⓒ (there is no 'Referer'), ⓓ (there is no sign variable in 'Cookie'; it means the PC that requested the connection for the first time in a certain time) 220 transmits subscriber IP and access host information to the analysis server 230 (step S215a of FIG. 4B), and the analysis server 230 corresponds to a router overuse suspect based thereon. Is detected (step S216a of FIG. 4B).

At this time, the analysis server 230 stores the subscriber IP and access host information received from the push server 220 in the DB server 240 and records the storage time together, and the same within a predetermined time (for example, 1 hour). If the number of access requests is made to the same host as the public IP many times, and the number of accesses does not exceed the limit of the number of IP sharing allowable PCs that are managed policy by subscriber by the policy management web server 250, it is not selected as suspected of excessive use of the router. (See FIG. 2A).

On the other hand, the push server 220 is a subscriber client terminal (subscriber PC; PC-1) at the same time or time difference (regardless of order) and the subscriber IP and the access HOST information transmission (refer to arrow ③ in Fig. 2a) to the analysis server 230; In this case, the first false response traffic is transmitted (see arrow 2 of FIG. 2A), which causes the following operation to be performed at the subscriber PC, which is illustrated in FIG. 6B.

(i) sign is defined to store a cookie (Cookie) with the current time as the value on the subscriber's PC (PC-1), (ii) the valid time of the sign variable is set to 1 hour (3,600 seconds), ( iii) a redirection command that prompts the subscriber to reconnect to the web site to which they originally connected.

Accordingly, the reconnection traffic generated from subscriber PC (PC-1) is illustrated in FIG. 6C of the accompanying drawings. On the other hand, since such a reconnection traffic has a 'Referer' and a cookie having a variable value of sign (sign = 1265344202: see FIG. 6C), the mirroring device 210 is mirrored again to the push server 220. Although transmitted, the push server 220 is discarded.

On the other hand, when the web browser of the first PC (PC-1) is restarted within 1 hour to generate subscriber request traffic (additional access traffic), additional access traffic by the same IP / same user PC (PC-1) As shown in FIG. 7A, since there is no 'Referer' in such additional access traffic, there is a cookie having a variable value of sign (sign = 1265344202: see FIG. 7A) in the mirroring apparatus 210. Even if it is mirrored and transmitted to the push server 220, it is discarded in the push server 220.

Next, the web browser of the second PC (PC-2) is started to process the subscriber request traffic in the same way (without the process description), and the third PC (PC-3) runs the web browser to access the Internet website. In the case of generating subscriber request traffic (in this case, 'subscriber request traffic' in FIG. 7B), such subscriber request traffic is also indicated by an Internet service provider (ISP) as indicated by arrow '①' in FIG. 2B. In the backbone network of the provider, the mirrored device 210 is mirrored, and the mirrored web site access request traffic is transmitted to the push server 220 to check whether there is a suspicion of excessive use of the IP router ( See step S100 of FIG. 4A).

Then, the push server 220 authenticates the subscriber (the subscriber ID of FIG. 2B is 'USER-1') of the web site access request traffic mirrored in the public IP verification step (S200) of the subscriber traffic shown in FIG. 4A. If the IP ('IP-Addr1' in FIG. 2B) is a public IP selected as a router overuse suspect, and is not a public IP selected as a router overuse suspect, the IP address included in the mirrored website access request traffic is included. Using the public IP and cookie information, the router overuse suspect selection / registration step ('S210') is performed to verify and register whether the router is overused.

Here, during the process of selecting / registering the suspicious use of the router, the analysis server 230 detects whether the suspicion of excessive use of the router corresponds to the suspicious use of the router (step S216a of FIG. 4B). The process up to now is the same as the case of the first PC (PC-1) described above.

However, in this case, unlike in FIG. 2A, as shown in FIG. 2B, the same web site of the subscriber (the subscriber ID of FIG. 2B is 'USER-1') using the public IP of 'IP-Addr1' is shown. Since the number of access has reached the state exceeding the allowance of the number of IP sharing allowed PCs that are managed policy by subscriber by the policy management web server 250. The analysis server 230 selects a router overuse suspect and stores its public IP (IP-Addr1) in the form of a router overuse suspect IP list, and transmits it to the push server 220 at a predetermined time interval. See arrow '④' in 2b).

Meanwhile, even in this case, the push server 220 transmits the subscriber IP and the access HOST information to the analysis server 230 (see arrow '③' in FIG. 2B) to select the overuse of the router. Is transmitted to the subscriber client terminal (subscriber PC; PC-3) as described above (see arrow '②' in FIG. 2B), and the first false response traffic is also shown in FIG. 6B. Same as the one shown in (except for the cookie value itself).

Accordingly, the reconnection traffic generated from the subscriber PC (PC-3) by the first false response traffic (see arrow '②' in FIG. 2B) is also the same as that illustrated in FIG. 6C (the cookie value itself of the cookie is In this reconnection traffic, there is a 'Referer', and since the sign value of the cookie having a variable value of sign is present (see FIG. 6C), the mirroring device 210 is mirrored again to push server 220. Even if it is transmitted to the push server 220 is discarded (refer to 'S213', 'S214'-> 'NO'-> 'S220' of Figure 4b), the normal access to the web site that the subscriber requested access is allowed. In short, the presence or absence of a unique sign variable value in a cookie affects the selection / registration process of suspicious use of routers, but does not affect (blocks) whether or not the web traffic is blocked. On PC In the case of such arbitrary cookies (if the wrong decision as the router heavy users, according to the prior art), even if that occurs will help to avoid blocking Web traffic to maintain the reliability of the internet service provider.

On the other hand, after the web browser of the first PC (PC-1) is started and the cookie sign variable is set, the first PC (PC- Subscriber request traffic generated by running the web browser of 1) becomes traffic as shown in Fig. 7C.

Furthermore, as a result of this process, a third party (PC-3) requests web site access request traffic again as shown in FIG. 3 while the subscriber over-use suspect selection / registered subscriber uses the Internet through a plurality of client terminals. (See arrow '⑤' in FIG. 3), this Internet web site access request traffic (see FIG. 8) is also located in the backbone network of the Internet Service Provider (ISP). The web site access request traffic, which is mirrored using the mirroring device 210 and is mirrored, is transmitted to the push server 220 (see arrow '6' in FIG. 3 and 'S100' in FIG. 4A), and the push server. Step 220 is a public IP verification step of the subscriber traffic to check whether the subscriber public IP of the mirrored website access request traffic is a public IP selected as suspected excessive use of the router (Fig. 3) Table '⑦', see 'S200' of FIG. 4A), in this case, as described above, since it is a public IP (IP-Addr1) that is already selected as an overuse of the router, the push server 220 As shown in FIGS. 4A and 4C, the step (S250 of FIGS. 4A and 4C) is performed first to determine whether the traffic is a target to be blocked or not, and if the traffic is to be blocked or not, the process of FIG. The second false response traffic (see FIGS. 9A and 9B) is transmitted to the client terminal, eg, the subscriber PC (PC-3) (see arrow '8' in FIG. 3 and 'S300' in FIG. 4A).

Here, the step (S250) of confirming whether the traffic is the target to be determined as shown in FIG. 4A is more specifically illustrated in FIG. 4C so as to reduce the load of the detection / blocking web server 260. As described above, the push server 220 checks whether the mirrored traffic is 'website access request traffic' (step S251 of FIG. 4C), and the access host HOST of the mirrored traffic is enlarged and monitored. Target site '(' S252 '), and the ending portion of the URI of the mirrored traffic corresponds to' / 'or' /? '(The ending portion of the URI is not' / 'or' /? ') If the traffic is redirected, an error may occur when the detection / blocking web server 260 redirects back to the site to which the user originally attempted to connect, and there is no Referer (push server if redirecting traffic with Referer). Infinite by Loops) and checks ('S253'), and if one or more of the conditions are not met in the checking steps (S251 ',' S252 ', and' S253 ') ( As shown in FIG. 4C, the mirrored traffic is discarded (S220) and normal access to the web site requested by the subscriber is allowed (S230).

Further, in the step (S250) of determining whether the traffic is the target to be blocked or not, if the condition of the traffic to be blocked or not is satisfied (the determination result of FIG. 4C is all 'Yes') (request to access the website) At about 10% of the traffic), the aforementioned push server 220 transmits the second false response traffic (see FIGS. 9A and 9B) to the subscriber PC (PC-3) ('S300'). .

Here, 'expanded monitored site' is a redirection error (e.g., HTTP protocol is a general-purpose protocol, and is used in other applications such as Nate-on, for example, among web sites in the top 1,000 web site access rankings). If the push server redirects traffic, it is desirable to select the one that does not occur.

9A and 9B show two embodiments of the second false response traffic (selected according to the requirements of the ISP), and according to the first embodiment shown in FIG. 'Search', which contains branch frames, that is, 100% frames (URL of the web site to which the subscriber originally attempted to connect) and 0% detection frames (URL of the detection / blocking web server; commands to get the UID from the client terminal and compare it with the DB server. .jsp '; generating false response traffic consisting of parameters of the web site to which the subscriber originally attempted to access, and according to the second embodiment shown in FIG. 9B, the push server 220 is 100% Generate a second false response traffic consisting only of the frame (the URL of the detection / blocking web server; specifying 'check.jsp'; parameterizing the URL address of the website to which the subscriber originally attempted to access), as shown in FIG.As described above, the detection / blocking web server 260 is divided into iframes in the check.jsp, and a separate 0% detection frame (URL of the detection / blocking web server; commands for obtaining a UID from a client terminal and comparing the result with a DB server Specify the listed search.jsp; parameterize the address of the web site to which the subscriber originally attempted to access. Connect to the detection / blocking web server 260 that detects and blocks the shared state by attaching the address of the web site to which the subscriber originally attempted to access to the 0% detection frame of the first embodiment and the 100% frame of the second embodiment as a parameter. To generate traffic (e.g., 'detection / blocking retransmission traffic' of FIGS. 10A and 10B), and the reason for dividing the frame is without changing the address bar of the web browser (so that the subscriber is not aware). This is for accessing to the detection / blocking web server 260 which detects and blocks the sharing state, thereby allowing the subscriber to access the detection / blocking web server 260 which detects and blocks the sharing state without changing the web browser screen ( 'Detection / blocking retransmission traffic' of FIG. 10A or FIG. 10B) (see arrow '⑨' of FIG. 3).

Of course, such a subscriber's detection / blocking retransmission traffic will also be transmitted through the backbone network of the ISP and then mirrored by the mirroring device 210 to be transmitted to the push server 220. However, such mirroring traffic is illustrated in FIGS. 10A and 10B. As shown in the 'Referer' is attached is naturally discarded by the push server 220.

Comparing the features of the above-described two types of second false response traffic embodiments, the first embodiment is characterized in that a warning / blocking page can be operated only in the form of a popup / general page, and the second embodiment In the example, the warning / blocking page can be operated in the form of an HTML layer that can always be displayed even if the pop-up is blocked in addition to the pop-up / normal page type.

As described above, the step (S300) of transmitting the second false response traffic is performed so that the detection / blocking retransmission traffic shown in FIG. 10A (or FIG. 10B) is detected / blocked the web server 260 (FIGS. 10A and 10B). Is transmitted as a URL of 'ipsd.com'), the detection / blocking web server 260 then transmits the subscriber's public IP extracted from the detection / blocking retransmission traffic, and the 100% frame. The controller stores the unique variable value of the 'Flash Shared Object' received from the subscriber client terminal through the separately generated 0% detection frame in the DB server 240 and searches the list stored during the first setting time from the access time to overuse the router. By performing a state detection algorithm, subscriber traffic that is not in a router overuse state is sent by the subscriber client terminal as a parameter attached to the detection / blocking retransmission traffic. Redirects to the desired website ('S412', 'S414a' Note: by greatly minimizing the workload in the unblocked and allowed access to the Internet, the service efficiency of the Internet access service can be greatly improved), Detects the subscriber traffic in the overuse state (refer to the state determined as the current router overuse state of the 'S414b'). Is determined according to the additional sorting treatment conditions (S420a).

In addition, the router overuse state detecting step (S410) of detecting the subscriber traffic in the router overuse state may be performed with reference to FIG. 3 in which the progress state is shown and FIG. 4D in which the progress process is shown in a flowchart form. Specifically, the detection / blocking web server 260 stores the unique variable value stored as the UID in the 'Flash Shared Object' of the subscriber PC ('PC-3' of FIG. 3) through the 0% detection frame described above. Requesting (arrow '⑩' of FIG. 3, reference numeral 'S411' of FIG. 4D),

In step 'S411', the UID value of the subscriber client terminal (subscriber PC) that receives the unique variable value of the UID from the client terminal and is currently connected to the DB server 240 within the UID list within 24 hours of the subscriber IP (ID). If the same value as is present and determined as a unique variable value of the valid UID, allowing the client terminal of the subscriber to access the website requesting the connection while updating the access time of the UID to the DB server 240 ('S412). ') Proceed; And

In step 'S411', the subscriber station does not receive the unique variable value of the UID from the client terminal or the unique variable value of the UID is received, but the subscriber client terminal (subscriber) currently connected in the UID list within 24 hours of the corresponding IP (ID). If a value equal to the UID value of PC) does not exist and is determined to be a unique variable value of an invalid UID,

By querying the number of valid UID list within 24 hours of the corresponding subscriber IP (ID) existing in the DB server 240 and the number of allowed router PCs of the corresponding subscriber IP (ID) ('S413'),

(a) If the number of valid UID lists is less than the allowed number of PCs, it is determined that the router is not currently in overuse state, and a unique variable value of a new UID is generated for the currently connected subscriber client terminal (subscriber PC). Stored in the client terminal and registered to the DB server 240 with the access time, and redirected to the URL (http://www.naver.com) the user wants to go to the client as shown by the arrow '⑫' of FIG. The terminal permits access to the website requesting access ('S414a'). At this time, the push server 220 redirects the generated parent frame to remove the divided frame (top refresh).

(b) If the number of valid UID lists is greater than or equal to the number of PCs allowed, it is determined that the router is currently in overuse state ('S414b'), and the subscriber client terminal (subscriber PC) currently connected is subject to additional screening conditions. Proceed to the step of blocking / allowing access request traffic (see 'S420a' and FIG. 4D of FIG. 4A), which determines whether to allow or block Internet access according to the following process.

(b1) If the access time registered among the valid UID lists within the first setting time T-1 (for example, 24 hours) of the corresponding subscriber IP (ID) existing in the DB server 240 is based on the current time, the second time. If there is a UID that has elapsed longer than the set time (T-2; for example, 30 minutes) (see comparison of FIGS. 5A, 5B, and 5C), the DB server 240 displays a list of the UIDs with the oldest connection time. Delete and generate a unique variable value of a new UID for the currently connected subscriber client terminal (subscriber PC) and store it in the subscriber client terminal (subscriber PC; 'PC-3' in FIG. 3) (arrow '⑩' in FIG. 3) 4d, the user's client terminal requests to connect to the web site while registering with the connection time at the same time as 'S414a' of FIG. 4D and 'UID-Field-Update' of FIG. 5c). Is allowed ('S420b1') (in the case of FIG. 5C).

Alternatively, regardless of the presence or absence of the UID (UID-2 in FIG. 5C) that has elapsed beyond the second set time T-2 (e.g., 30 minutes) for the first set time (24 hours) in which it remains valid The state of continuously blocking access to the website of the additionally connecting terminal (UID-3 in FIG. 5C) is shown in FIG. 5A as a comparative example, and as a primary solution to the problem according to the present invention. As proposed by 2009-0041752, as shown in FIG. 5B, the entire DB is updated by using the JOB scheduler at a predetermined time interval (30 minutes in the drawing) instead of individual user centers (JOB ①, JOB ②, JOB). ③) There is another comparative example of deleting a list without a connection record for 20 minutes from the time of updating, but comparing FIG. 5B illustrating such a comparative example with FIG. 5C showing a processing result according to the processing method according to the present invention. In addition, the method of FIG. 5C can be confirmed to be effective. In addition, according to the method of FIG. 5C, the DB update is performed only when necessary, and the task of repeatedly updating the entire DB using the JOB scheduler can be repeatedly performed. It also reduces the burden on the DB server.

(b2) On the other hand, the access time registered among the valid UID lists within the first setting time T-1 (for example, 24 hours) of the corresponding subscriber IP (ID) existing in the DB server 240 is based on the current time. If there is no UID exceeding the second set time T-2 (e.g., 30 minutes), access to the website requesting access to the subscriber client terminal (subscriber PC; PC-3) that is additionally connected at present is requested. It proceeds to block ('S420b2').

Here, the number of valid UID lists within 24 hours (first setting time; T-1) of the corresponding subscriber IP (ID) existing in the DB server 240 and the number of router PCs allowed for the corresponding subscriber IP (ID) Looking at the step ('S413') in more detail, as shown in the arrow '⑪' of Figure 3 using a subscriber IP allows the shared PC of the subscriber IP (or subscriber ID) of the subscriber IP (or subscriber ID) in the DB server 240 After querying the number (see the lower table in FIG. 3), the subscriber's IP (ID) and the UID list within 24 hours (see the upper table in FIG. 3; discard the UID list after 24 hours) in the DB server 240 The number of UID stores that have been validly counted ('2' in the upper table of FIG. 3) is currently counted ('T5' in the upper table of FIG. 3). In the case of '2'), the router is in overuse state (thus, as shown in FIG. Is determined to be an overuse state, and as described above, subsequent processing is performed according to additional screening conditions as shown in step S420a and subsequent steps (S420b1 or S420b2) in FIG. 4D. .

On the other hand, if the subscriber is to block access to the website requesting access ('S420b2'), the blocking may not respond to the subscriber according to the policy, or may be redirected to the warning message page or block message page. have.

In the warning message page or blocking message page, in addition to displaying a warning or blocking state, a UID is newly generated due to the format of a subscriber client terminal (user PC) or the deletion of a 'Flash Shared Object', and the like, and the blocking state is reached. In consideration of this, a separate 'connection allow request button' is provided on the blocking screen to release the blocking state of the current client terminal, and instead, the DB server 240 first accesses within 24 hours among the existing allowed client terminals. In this case, an additional step of initializing (deleting) the UID of the client terminal (which was initially accessed within 24 hours since the access information is continuously updated) may be adopted, or such a request may be made through a telephone or the like. When received by the ISP, the ISP administrator may access the DB server 240 through the policy management web server 250. It may be possible to adopt a method of releasing the blocking state by initializing (deleting) the existing client information (UID) stored in the.

On the other hand, unlike in the preferred embodiment of the present invention illustrated in the above drawings in another embodiment of the present invention, the push server (without configuring the analysis server 230 separately from the push server 220) It may be understood from the above description that the function may be integrated into the 220, and the operation thereof is substantially the same, so a detailed description thereof will be omitted to avoid duplication.

Although the code used in the web traffic illustrated in FIGS. 6A to 10B is written based on jsp / java in order to explain the present invention through specific embodiments, they are only examples and can be replaced by other means. It will be understood by anyone of the present invention, and various embodiments described in the specification of the present application described above are presented for purposes of illustration only to help understanding of the present invention, and the scope of the present invention is not limited thereto, and the present invention belongs to the field. Those skilled in the art will appreciate that various modifications and implementations can be made within the scope of the technical idea as set forth in the appended claims.

Claims (18)

1. In the method for detecting the number of the plurality of user terminals on the private network using the same public IP and selectively allow or block the Internet access request traffic of the terminal making the connection request compared to the assigned allowable number,

   (I) a mirroring device 210 provided to a backbone network of an Internet service provider (ISP) when a client terminal requests a connection to a web site on the Internet by driving a web browser; Mirroring the web site access request traffic generated from the client terminal and transmitting the mirrored web site access request traffic to the push server 220 to check whether the IP router is overused ('S100'). )Wow;

   (II) The push server 220 selects a subscriber public IP of the mirrored web site access request traffic as suspected of excessive router use by public IP and cookie information included in previous access traffic processed by the push server. Public IP verification step (S200) suspected of excessive use of subscriber traffic to determine whether the public IP;

   (III) If the public IP selected as a suspicious use of the router, in order to reduce the load of the detection / blocking web server, the push server 220 checks whether the mirrored website access request traffic is the traffic to be determined whether to block or not. Performing a step 'S250', and if the blocking target traffic corresponds to the blocking target traffic, transmitting the second false response traffic to the client terminal ('S300'), and the second false response traffic is generated in the subscriber client terminal. The detection / blocking retransmission traffic that redirects the detection / blocking web server 260 to the detection / blocking web server 260 by parameterizing the address of the web site to which the subscriber originally attempted to connect through the 100% frame is transmitted from the client terminal to the detection / blocking web server 260. After that, the detection / blocking web server 260 is configured to extract subscribers extracted from the received detection / blocking retransmission traffic. Checking whether the router is in overuse state by using a unique variable value of the flash shared object received from the subscriber client terminal through the public IP and the 0% detection frame generated separately from the 100% frame. By performing the router overuse detection algorithm, the traffic of the subscriber that is not in the router overuse state allows access to the website requested by the subscriber client terminal, and the router overuse detection detects the subscriber traffic in the router overuse state. Step ('S410') to determine whether or not the subscriber client terminal in the router overuse state to allow or block access to the Web site according to additional screening conditions ('S420a') router overuse detection / blocking determination step ('S400) '), And

   The router overuse state detection / blocking step (S400) is configured, and the router overuse state detection step (S410) of detecting subscriber traffic in a router overuse state may include:

   The detection / blocking web server 260 requests a unique variable value stored as a configuration variable name, such as a UID, from a flash shared object of the subscriber client terminal (subscriber PC) through a 0% detection frame. Step S411,

   In step 'S411', the subscriber terminal receives a unique variable value of the UID from the client terminal and is currently connected to the DB server 240 among the UID list within the first set time T-1 of the subscriber IP (ID). If a value equal to the UID value of the subscriber PC exists and is determined to be a unique variable value of the valid UID, the DB server 240 updates the access time of the UID, and accesses the website requested by the client terminal of the subscriber. Proceeding to allow (S412); And

   In step 'S411', a unique variable value of the UID is not received from the client terminal or a unique variable value of the UID is received, but is currently present in the UID list within the first setting time (T-1) of the corresponding IP (ID). If a value equal to the UID value of the connected subscriber client terminal (subscriber PC) does not exist and is determined to be a unique variable value of an invalid UID,

   The number of valid UID lists within the first setting time (T-1) of the corresponding subscriber IP (ID) existing in the DB server 240 and the number of allowed router PCs of the corresponding subscriber IP (ID) are inquired ('S413). '),

   (a) If the number of valid UID lists is less than the allowed number of PCs, it is determined that the router is not currently in overuse state, and a unique variable value of a new UID is generated for the currently connected subscriber client terminal (subscriber PC). The client terminal stores the client terminal and registers the DB server 240 together with the access time while allowing the subscriber's client terminal to access the website that requested the connection ('S414a'), and

   (b) If the number of valid UID lists is greater than or equal to the number of PCs allowed, it is determined that the router is currently in overuse state ('S414b'), and the subscriber client terminal (subscriber PC) currently connected is subject to additional screening conditions. A method of selectively allowing blocking of Internet access request traffic sharing a public IP, characterized by proceeding to a step of blocking / allowing access request traffic (S420a) determining whether to allow or block Internet access.
2. In the method for detecting the number of the plurality of user terminals on the private network using the same public IP and selectively allow or block the Internet access request traffic of the terminal making the connection request compared to the assigned allowable number,

   (I) a mirroring device 210 provided to a backbone network of an Internet service provider (ISP) when a client terminal requests a connection to a web site on the Internet by driving a web browser; Mirroring the web site access request traffic generated from the client terminal and transmitting the mirrored web site access request traffic to the push server 220 to check whether the IP router is overused ('S100). ')Wow;

   (II) The push server 220 selects a subscriber public IP of the mirrored web site access request traffic as suspected of excessive router use by public IP and cookie information included in previous access traffic processed by the push server. Public IP verification step (S200) suspected of excessive use of subscriber traffic to determine whether the public IP;

   (III-A) If it is not a public IP selected as suspected of excessive use of the router, the push server 220 uses the public IP and cookie using the public IP and cookie information included in the mirrored website access request traffic. After verifying whether the suspect is selected as a suspect of overuse of the router, register the relevant IP, and define a unique variable that sets the cookie validity time such as the sign variable on the client terminal. Router overuse selection / registration step of transmitting the first false response traffic to the client terminal including a command to store the set cookie and a redirection command to induce the subscriber to reconnect to the website to which the user originally connected. 'S210');

   (III-B) If the public IP selected as a suspicious use of the router, the push server 220 is a target to determine whether the mirrored website access request traffic is blocked in order to reduce the load of the detection / blocking web server. After checking whether the traffic is traffic ('S250'), if the traffic to be blocked or not is determined, the second false response traffic is transmitted to the client terminal ('S300'). The detection / blocking retransmission traffic that redirects the detection / blocking web server 260 to the detection / blocking web server 260 by parameterizing the address of the web site to which the subscriber originally attempted to connect through the 100% frame generated at the web site 260 is detected / blocked. After the transmission, the detection / blocking web server 260 is extracted from the received detection / blocking retransmission traffic. Router excessive use state by using unique variable value of Flash Shared Object received from subscriber client terminal through 0% detection frame generated separately from the subscriber's public IP and the 100% frame After performing the router overuse detection algorithm for checking whether the router overuse condition is detected, the subscriber overuse state detection ('S410') for detecting the subscriber traffic in the overuse state of the router is performed. Router over-use detection / block determination step ('S400') to determine whether to allow / block web site access ('S420a'), and

   The mirrored website access request traffic that has passed through the router overuse suspect selection / registration step (S210) is discarded by the push server 220 regardless of whether the router overuse suspect is selected (S220). ) Permitting Internet access by the original website access request traffic ('S230'), and

   The router overuse state detection / blocking step (S400) is configured, and the router overuse state detection step (S410) of detecting subscriber traffic in a router overuse state may include:

   The detection / blocking web server 260 requests a unique variable value stored as a configuration variable name, such as a UID, from a flash shared object of the subscriber client terminal (subscriber PC) through a 0% detection frame. Step S411,

   In step 'S411', the subscriber terminal receives a unique variable value of the UID from the client terminal and is currently connected to the DB server 240 among the UID list within the first set time T-1 of the subscriber IP (ID). If a value equal to the UID value of the subscriber PC exists and is determined to be a unique variable value of the valid UID, the DB server 240 updates the access time of the UID, and accesses the website requested by the client terminal of the subscriber. Proceeding to allow (S412); And

   In step 'S411', a unique variable value of the UID is not received from the client terminal or a unique variable value of the UID is received, but is currently present in the UID list within the first setting time (T-1) of the corresponding IP (ID). If a value equal to the UID value of the connected subscriber client terminal (subscriber PC) does not exist and is determined to be a unique variable value of an invalid UID,

   The number of valid UID lists within the first setting time (T-1) of the corresponding subscriber IP (ID) existing in the DB server 240 and the number of allowed router PCs of the corresponding subscriber IP (ID) are inquired ('S413). '),

   (a) If the number of valid UID lists is less than the allowed number of PCs, it is determined that the router is not currently in overuse state, and a unique variable value of a new UID is generated for the currently connected subscriber client terminal (subscriber PC). The client terminal stores the client terminal and registers the DB server 240 together with the access time while allowing the subscriber's client terminal to access the website that requested the connection ('S414a'), and

   (b) If the number of valid UID lists is greater than or equal to the number of PCs allowed, it is determined that the router is currently in overuse state ('S414b'), and the subscriber client terminal (subscriber PC) currently connected is subject to additional screening conditions. A method of selectively allowing blocking of Internet access request traffic sharing a public IP, characterized by proceeding to a step of blocking / allowing access request traffic (S420a) determining whether to allow or block Internet access.
3. The method according to claim 1 or 2,

   Determining whether to block or allow the access request traffic to determine whether to allow or block Internet access according to the additional screening conditions,

   (b1) Among the valid UID lists within the first setting time (T-1) of the corresponding subscriber IP (ID) existing in the DB server 240, the registered access time is based on the current time. If there is a UID that has elapsed beyond 2), the DBD server 240 deletes the UID list having the oldest access time, and assigns a unique variable value of the new UID to the currently connected subscriber client terminal (subscriber PC). The public IP is generated and stored in the subscriber client terminal and registered in the DB server 240 together with the access time while allowing the subscriber's client terminal to access the website requesting the connection ('S420b1'). Selective Blocking of Shared Internet Access Request Traffic.
4. The method of claim 3,

   Determining whether to block or allow the access request traffic to determine whether to allow or block Internet access according to the additional screening conditions,

   (b2) Among the list of valid UIDs within the first setting time T-1 of the corresponding subscriber IP (ID) existing in the DB server 240, the registered access time is based on the current time. If there is no UID exceeding 2), the public IP address of the subscriber client terminal (subscriber PC) currently connected is blocked ('S420b2'). Selective Blocking of Shared Internet Access Request Traffic.
5. The method of claim 2, wherein the selecting / registering suspicion of excessive use of the router (S210) is performed.

   Checking, by the push server 220, whether the mirrored traffic is 'website access request traffic' (S211);

   Checking, by the push server 220, whether the mirrored traffic is a 'host' of a set condition ⓐ as a main monitored host ('S212');

   Checking, by the push server 220, whether the mirrored traffic corresponds to an '/' or '/?' Ending of the 'URI' of the setting condition ⓑ and whether there is no 'Referer' of the setting condition ⓒ ( 'S213'), and

   The push server 220 includes the step of checking whether the mirrored traffic has a variable value of 'sign' in 'Cookie' of the setting condition ⓓ ('S214'). A method of selectively blocking allowed Internet access request traffic.
6. [6] The method of claim 5, wherein the main monitored host is a web site within the top ten web site access rankings.
7. The method of claim 3, wherein the determining whether the mirrored traffic is traffic to be blocked or not (S250) is performed.

   The push server 220 checks whether the mirrored traffic is 'website access request traffic' (S251),

   The push server 220 checks whether the access host (HOST) of the mirrored traffic is an 'extended monitoring target site' ('S252'),

   The push server 220 goes through a process of checking whether an ending part of the URI of the mirrored traffic corresponds to '/' or '/?' And whether there is no Referer ('S253').

   If the push server 220 does not satisfy one or more of each of the conditions in the checking steps S251, S252, and S253, the mirrored traffic is discarded (S220) and the subscriber is terminated. Allows normal access to the requested web site ('S230'), and

   The push server 220 transmits the second false response traffic to the client terminal when the push server 220 satisfies each condition in the checking steps S251, S252, and S253. Selective allow blocking method of the Internet access request traffic sharing the public IP, characterized in that the step is made to proceed.
8. The method of claim 7, wherein the step (S420b2) of blocking access to the website requesting access to the currently connected subscriber client terminal (subscriber PC) provides no response to the subscriber according to the policy. Selective allow blocking of Internet access request traffic sharing a public IP.
9. 8. The method of claim 7, wherein the step of blocking access (S420b2) of the currently connected subscriber client terminal (subscriber PC) to the website requesting access further comprises the step of redirecting to a block message page or a warning message page. A method of selectively allowing blocking of Internet access request traffic sharing a public IP, characterized in that for making.
10. The method of claim 3, wherein the second false response traffic transmitted from the push server 220 to the subscriber client terminal detects the frame of the subscriber client terminal at 100% frame (the URL of the web site to which the subscriber originally attempted to connect) and 0%. 2 of the frame (URL of detection / blocking web server; specify 'search.jsp' which contains commands to get UID from client terminal and compare and check with DB server; parameterize the address of web site to which subscriber originally connected) And selectively blocking the Internet access request traffic sharing the public IP, characterized by dividing into four frames.
11. The method of claim 3, wherein the second false response traffic transmitted from the push server 220 to the subscriber client terminal is 100% frame (URL of the detection / blocking web server; 'check.jsp') of the subscriber client terminal. Designate; consist only of parameters of the URL of the web site to which the subscriber originally attempted to access), and

    The detection / blocking web server 260 divides a frame into a separate 0% detection frame (a URL of a detection / blocking web server; 'search.jsp' including commands for taking a UID from a client terminal and comparing and checking it with a DB server). Specifying a parameter of the address of the web site to which the subscriber originally attempted to access).
12. Detects the number of multiple user client terminals on the private network using the same public IP and compares them with the allowed number of allowances, and selectively allows or blocks the Internet access request traffic of the client terminal making the connection request according to the IP sharing status. As,

    Backbone of an Internet Service Provider (ISP) for mirroring website access request traffic generated from a client terminal when a client terminal of an Internet service subscriber requests a connection to a website on the Internet by running a web browser. A mirroring device 210 located in a network (Back Bone Network);

    If the subscriber public IP of the mirrored website access request traffic is a public IP selected as suspected of excessive use of the router by the public IP and cookie information included in the previous access traffic processed by the push server, If the public IP is selected as a suspect, the method checks whether the mirrored website access request traffic is the traffic to be blocked or not to reduce the load of the detection / blocking web server. Detection / blocking retransmission traffic from the client terminal for detection / blocking retransmission traffic redirected to the detection / blocking web server 260 by parameterizing the address of the web site to which the subscriber originally attempted to connect through the 100% frame generated at the subscriber client terminal. False response to client terminal to be sent to And the push server 220 to send the traffic,

    Name of a configuration variable such as a public IP of a subscriber extracted from the detection / blocking retransmission traffic transmitted from the subscriber client terminal, and a UID transmitted from the subscriber client terminal through a 0% detection frame generated separately from the 100% frame Algorithm for overuse state by storing unique variable value of 'Flash Shared Object' stored in DB in the DB server 240 and searching the list stored during the first set time (T-1) from the access time By performing the above, the subscriber traffic that is not in the router overuse state is redirected by the subscriber client terminal to the originally intended website attached as a parameter to the detection / blocking retransmission traffic, and the router that detects the subscriber traffic in the router overuse state. Detect excessive use status Is whether the subscriber client terminal in use, web site access allow / block is made, including the detection / prevention web server 260 for further screening based on the processing conditions, and

    The detection / blocking web server 260 performs a router overuse state detection,

    The detection / blocking web server 260 requests a unique variable value stored as a configuration variable name such as a UID from a flash shared object of the subscriber client terminal (subscriber PC) through a 0% detection frame. ,

    Receives the unique variable value of the UID from the client terminal, and of the subscriber client terminal (subscriber PC) currently connected to the DB server 240 among the UID list within the first set time (T-1) of the subscriber IP (ID). If the same value as the UID value exists and is determined to be a unique variable value of the valid UID, allowing the client terminal of the subscriber to access the website requesting the connection while updating the access time of the UID to the DB server 240; And

    The subscriber terminal does not receive the unique variable value of the UID from the client terminal, or receives the unique variable value of the UID, but is currently connected from the list of UIDs within the first setting time (T-1) of the corresponding IP (ID). If a value equal to the UID value of the subscriber PC) does not exist and is determined to be a unique variable value of the invalid UID, the first set time T-1 of the corresponding subscriber IP ID currently existing in the DB server 240. Inquiry of the number of valid UID list within and the number of allowed router PCs of the corresponding subscriber IP (ID) ('S413'),

    (a) If the number of valid UID lists is less than the allowed number of PCs, it is determined that the router is not currently in overuse state, and a unique variable value of a new UID is generated for the currently connected subscriber client terminal (subscriber PC). The client terminal stores the client terminal and registers the DB server 240 together with the access time while allowing the subscriber's client terminal to access the website that requested the connection ('S414a'), and

    (b) If the number of valid UID lists is greater than or equal to the number of PCs allowed, it is determined that the router is currently in overuse state ('S414b'), and the subscriber client terminal (subscriber PC) currently connected is subject to additional screening conditions. Public IP sharing status detection and blocking system, characterized in that it is configured to determine whether to allow or block Internet access (S420a).
13. Detects the number of multiple user client terminals on the private network using the same public IP and compares them with the allowed number of allowances, and selectively allows or blocks the Internet access request traffic of the client terminal making the connection request according to the IP sharing status. As,

    Backbone of an Internet Service Provider (ISP) for mirroring website access request traffic generated from a client terminal when a client terminal of an Internet service subscriber requests a connection to a website on the Internet by running a web browser. A mirroring device 210 located in a network (Back Bone Network);

    If the subscriber public IP of the mirrored website access request traffic is a public IP selected as suspected of excessive use of the router by the public IP and cookie information included in the previous access traffic processed by the push server, If it is not a public IP selected as suspicious, the public IP and HOST information included in the mirrored web site access request traffic are transmitted to the analysis server to check whether the router is overused. Similarly, this command defines a unique variable that sets the cookie validity time to save the cookie with the current time as a value on the client terminal, and redirects to encourage the subscriber to reconnect to the website to which they originally connected. Send the first false response traffic including the command to the client terminal And, if the public IP selected as suspected of excessive use of the router, the step of checking whether the mirrored website access request traffic is the traffic to be blocked or not, in order to reduce the load of the detection / blocking web server, If the traffic to be determined is determined, detection / blocking retransmission traffic that redirects to the detection / blocking web server by parameterizing the address of the web site to which the subscriber originally attempted to access through the 100% frame generated at the subscriber client terminal is detected from the client terminal. Push server 220 for transmitting the second false response traffic to the client terminal to be transmitted to the / blocking web server 260,

    The subscriber's public IP and HOST information received from the push server are stored in the DB server 240 together with the access time data, and the number of access requests for a specific host with the same public IP during the setting time is determined. By determining whether the number of access requests exceeds the allowance of the number of IP sharing allowed PCs that are managed policy by subscriber, it is determined whether to select a router overuse suspect, and the result of the determination together with the corresponding public IP is applied to the push server 220. Analysis server 230 for transmitting to),

    Name of a configuration variable such as a public IP of a subscriber extracted from the detection / blocking retransmission traffic transmitted from the subscriber client terminal, and a UID transmitted from the subscriber client terminal through a 0% detection frame generated separately from the 100% frame Algorithm for overuse state by storing unique variable value of 'Flash Shared Object' stored in DB in the DB server 240 and searching the list stored during the first set time (T-1) from the access time By performing the above, the subscriber traffic that is not in the router overuse state is redirected by the subscriber client terminal to the originally intended website attached as a parameter to the detection / blocking retransmission traffic, and the router that detects the subscriber traffic in the router overuse state. Detect excessive use status Is whether the subscriber client terminal in use, web site access allow / block is made, including the detection / prevention web server 260 for further screening based on the processing conditions, and

    The detection / blocking web server 260 performs a router overuse state detection,

    The detection / blocking web server 260 requests a unique variable value stored as a configuration variable name such as a UID from a flash shared object of the subscriber client terminal (subscriber PC) through a 0% detection frame. ,

    Receives the unique variable value of the UID from the client terminal, and of the subscriber client terminal (subscriber PC) currently connected to the DB server 240 among the UID list within the first set time (T-1) of the subscriber IP (ID). If the same value as the UID value exists and is determined to be a unique variable value of the valid UID, allowing the client terminal of the subscriber to access the website requesting the connection while updating the access time of the UID to the DB server 240; And

    The subscriber terminal does not receive the unique variable value of the UID from the client terminal, or receives the unique variable value of the UID, but is currently connected from the list of UIDs within the first setting time (T-1) of the corresponding IP (ID). If a value equal to the UID value of the subscriber PC) does not exist and is determined to be a unique variable value of the invalid UID, the first set time T-1 of the corresponding subscriber IP ID currently existing in the DB server 240. Inquiry of the number of valid UID list within and the number of allowed router PCs of the corresponding subscriber IP (ID) ('S413'),

    (a) If the number of valid UID lists is less than the allowed number of PCs, it is determined that the router is not currently in overuse state, and a unique variable value of a new UID is generated for the currently connected subscriber client terminal (subscriber PC). The client terminal stores the client terminal and registers the DB server 240 together with the access time while allowing the subscriber's client terminal to access the website that requested the connection ('S414a'), and

    (b) If the number of valid UID lists is greater than or equal to the number of PCs allowed, it is determined that the router is currently in overuse state ('S414b'), and the subscriber client terminal (subscriber PC) currently connected is subject to additional screening conditions. Public IP sharing status detection and blocking system, characterized in that it is configured to determine whether to allow or block Internet access (S420a).
14. The method according to claim 12 or 13,

    Determining whether to block / allow access request traffic, which determines whether to allow or block Internet access according to the additional screening condition,

    (b1) Among the valid UID lists within the first setting time (T-1) of the corresponding subscriber IP (ID) existing in the DB server 240, the registered access time is based on the current time. If there is a UID that has elapsed beyond 2), the DBD server 240 deletes the UID list having the oldest access time, and assigns a unique variable value of the new UID to the currently connected subscriber client terminal (subscriber PC). Public IP sharing, which is generated and stored in the subscriber client terminal and registered in the DB server 240 with the access time while allowing the subscriber's client terminal to access the website requesting access ('S420b1'). Condition detection and blocking system.
15. The method of claim 14,

    Determining whether to block / allow access request traffic, which determines whether to allow or block Internet access according to the additional screening condition,

    (b2) Among the list of valid UIDs within the first setting time T-1 of the corresponding subscriber IP (ID) existing in the DB server 240, the registered access time is based on the current time. If there is no UID exceeding 2), the public IP which is proceeded to block access ("S420b2") to the website requesting access to the currently connected subscriber client terminal (subscriber PC). Shared state detection and blocking system.
16. The method of claim 14,

    Policy management web server 250 that can be stored in the DB server 240 to the IP sharing allowable number of PCs that are managed policy by subscriber in the DB server 240 and additionally detect and block the public IP sharing status, characterized in that system.
17. The method of claim 14,

    The push server 220 indicates that the second false response traffic transmitted by the push server 220 to the subscriber client terminal is equal to 0% of the frame of the subscriber client terminal (the URL of the web site to which the subscriber originally attempted to connect) and 0. % Detection frame (URL of detection / blocking web server; designate 'search.jsp' which contains commands to get UID from client terminal and compare and check with DB server; parameterize the address of web site to which subscriber originally connected) Public IP sharing state detection and blocking system, characterized in that formed to divide into two frames.
18. The method of claim 14,

    The push server 220 transmits the second false response traffic transmitted from the push server 220 to the subscriber client terminal 100% of the frame of the subscriber client terminal (the URL address of the web site that the subscriber wants to access as a parameter. Formed only), and

    The detection / blocking web server 260 divides a frame into a separate 0% detection frame (a URL of a detection / blocking web server; 'search.jsp' including commands for taking a UID from a client terminal and comparing and checking it with a DB server). Public IP sharing status detection and blocking system, characterized in that it is configured to create a parameter;

Images