WO2016082626A1 - Internet user detection method and device - Google Patents

Internet user detection method and device

Info

Publication number
WO2016082626A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
clock offset
value
message
average value
Prior art date
Application number
PCT/CN2015/091583
Other languages
French (fr)
Chinese (zh)
Inventor
孙春艳
宋科
张廷友
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2016082626A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an Internet user detection method and device. The method comprises: acquiring a first clock offset average value of a first packet and a second clock offset average value of a second packet, the first packet and the second packet being adjacent packets; determining the difference between the first clock offset average value and the second clock offset average value; and comparing the absolute value of the difference with a predetermined threshold, and determining, according to the comparison result, whether to increase the Internet user count. The present invention resolves the problem in the related art that schemes for detecting the number of Internet users have limitations; the number of hosts illegally attached to a broadband user's connection can be accurately detected, which meets operators' requirements.

Description

Internet user detection method and device
Technical field
The present invention relates to the field of communications, and in particular to a method and device for detecting Internet users.
Background
Network Address Translation (NAT) hides internally managed IP addresses from the outside by translating private network addresses, such as those of an enterprise intranet, into public addresses, such as those of the Internet. Using unregistered IP addresses internally and translating them into a small number of externally registered IP addresses reduces the cost of IP address registration and conserves the increasingly scarce IPv4 address space. It also hides the internal network structure, which reduces the risk of attacks on the internal network.
FIG. 1 is a schematic diagram of the working principle of NAT according to the related art. The working principle is described below with reference to FIG. 1 and includes the following steps:
Step S11: The client's gateway is set to the security application gateway host, so when the client connects to the Internet, the packet is sent to the NAT host. At this point the source IP in the packet header is 192.168.1.100;
Step S12: The NAT host masquerades the source IP of the client's outbound packet, 192.168.1.100, as the public IP of the ppp0 interface (assuming a dial-up connection). Because the source is now a public IP, the packet can reach the Internet. The NAT host also records that this connection's packet came from the client at 192.168.1.100;
Step S13: Packets returned from the Internet are received by the NAT host, which looks up the routing information it recorded and changes the destination IP from the public IP of ppp0 back to the original 192.168.1.100;
Step S14: Finally, the NAT host forwards the packet to the client that originally sent it.
NAT devices and software benefit users but are highly unfavorable to operators' work such as network content auditing. An operator's end user can use NAT software or a NAT device to share the Internet connection provided by the operator with multiple hosts/terminals on the user's internal network, so that those hosts/terminals use the connection at the same time. The requirement to detect the number of users sharing a connection behind NAT usually comes from fixed-line home broadband access operators. Such detection helps operators analyze user behavior and understand the number of potential users.
At present, user behavior detection is mainly performed on the gateway, at the position shown in FIG. 1. The related art offers several detection methods. One is TTL detection: the TTL value is decremented by 1 each time a packet passes through a router that processes it. Based on this property, the method checks whether the TTL of the user's upstream packets is 32, 64 or 128; if it is not, the user is using NAT. However, some vendors may produce special routers that do not decrement the TTL, in which case this method fails.
Another method is TCP sliding-window detection, which reads the Window Size field of TCP and determines the number of users from the number of distinct sliding-window values. Its limitation is that it works across different systems, such as Android and iOS, but different terminals running the same system may have the same Window Size, so the number of terminals running the same system cannot be detected. A further method, application feature detection, detects items such as the number of QQ accounts, the operating system and the browser version, which may infringe user privacy.
No effective solution has yet been proposed for the limitations of the related-art schemes for detecting the number of Internet users.
Summary of the invention
The main purpose of the embodiments of the present invention is to provide a method and device for detecting Internet users, so as to at least solve the problem that the related-art schemes for detecting the number of Internet users have limitations.
According to one aspect of the embodiments of the present invention, a method for detecting Internet users is provided, including: acquiring a first clock offset average value of a first packet and a second clock offset average value of a second packet, where the first packet and the second packet are adjacent packets; determining the difference between the first clock offset average value and the second clock offset average value; and comparing the absolute value of the difference with a predetermined threshold, and determining according to the comparison result whether to increase the Internet user count.
Optionally, the first packet and the second packet are both upstream Transmission Control Protocol (TCP) packets.
Optionally, the first clock offset average value of the first packet or the second clock offset average value of the second packet is obtained as follows: $p_N = (t_N - t_1)/(r_N - r_1)$; $m_N = (p_2 + p_3 + \dots + p_N)/(N-1)$; where $p_N$ is the clock offset value of packet N, $m_N$ is the clock offset average value of packet N, $t_N$ is the timestamp of packet N, $r_N$ is the system time of packet N, and N is a natural number.
Optionally, N is not less than 100.
Optionally, determining according to the comparison result whether multiple users are sharing the connection includes: when the absolute value is greater than the predetermined threshold, incrementing the number of Internet users by 1; when the absolute value is not greater than the predetermined threshold, determining that the number of Internet users has not increased.
According to another aspect of the embodiments of the present invention, a device for detecting Internet users is provided, including: an acquiring module, configured to acquire a first clock offset average value of a first packet and a second clock offset average value of a second packet, where the first packet and the second packet are adjacent packets; a determining module, configured to determine the difference between the first clock offset average value and the second clock offset average value; and a comparing module, configured to compare the absolute value of the difference with a predetermined threshold and to determine according to the comparison result whether to increase the Internet user count.
Optionally, the first packet and the second packet are both upstream Transmission Control Protocol (TCP) packets.
Optionally, the first clock offset average value of the first packet or the second clock offset average value of the second packet is obtained as follows: $p_N = (t_N - t_1)/(r_N - r_1)$; $m_N = (p_2 + p_3 + \dots + p_N)/(N-1)$; where $p_N$ is the clock offset value of packet N, $m_N$ is the clock offset average value of packet N, $t_N$ is the timestamp of packet N, $r_N$ is the system time of packet N, and N is a natural number.
Optionally, N is not less than 100.
Optionally, the comparing module is further configured to increment the number of Internet users by 1 when the absolute value is greater than the predetermined threshold, and to determine that the number of Internet users has not increased when the absolute value is not greater than the predetermined threshold.
In the embodiments of the present invention, the difference between the clock offset average values of two adjacent packets, the first packet and the second packet, is obtained and compared with a predetermined threshold to determine whether the number of Internet users has increased. This solves the problem that the related-art schemes for detecting the number of Internet users have limitations, so that the number of hosts illegally attached to a broadband user's connection can be accurately detected, which meets operators' requirements.
Brief description of the drawings
The drawings described here provide a further understanding of the present invention and form part of this application. The illustrative embodiments of the present invention and their description are used to explain the present invention and do not unduly limit it. In the drawings:
FIG. 1 is a schematic diagram of the working principle of NAT according to the related art;
FIG. 2 is a flowchart of a method for detecting Internet users according to an embodiment of the present invention;
FIG. 3 is a structural block diagram of a device for detecting Internet users according to an embodiment of the present invention;
FIG. 4 is a deployment diagram of a DPI device in a network according to an optional implementation of the present invention;
FIG. 5 is a flowchart of a clock offset detection method according to an optional embodiment of the present invention.
Detailed description
The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments. Note that, where no conflict arises, the embodiments in this application and the features in the embodiments may be combined with each other.
This embodiment provides a method for detecting Internet users. FIG. 2 is a flowchart of the method according to an embodiment of the present invention. As shown in FIG. 2, the flow includes the following steps:
Step S202: Acquire a first clock offset average value of a first packet and a second clock offset average value of a second packet;
where the first packet and the second packet are adjacent packets;
Step S204: Determine the difference between the first clock offset average value and the second clock offset average value;
Step S206: Compare the absolute value of the difference with a predetermined threshold, and determine according to the comparison result whether to increase the Internet user count.
In this embodiment, the difference between the clock offset average values of two adjacent packets, the first packet and the second packet, is obtained and compared with a predetermined threshold to determine whether the number of Internet users has increased. This solves the problem that the related-art schemes for detecting the number of Internet users have limitations, so that the number of hosts illegally attached to a broadband user's connection can be accurately detected, which meets operators' requirements.
In an optional implementation of this embodiment, the first packet and the second packet are both upstream Transmission Control Protocol (TCP) packets.
There are several ways to acquire the first clock offset average value of the first packet or the second clock offset average value of the second packet. In an optional implementation of this embodiment, the clock offset average value can be acquired as follows:
$p_N = (t_N - t_1)/(r_N - r_1)$;
$m_N = (p_2 + p_3 + \dots + p_N)/(N-1)$;
where $p_N$ is the clock offset value of packet N, $m_N$ is the clock offset average value of packet N, $t_N$ is the timestamp of packet N, $r_N$ is the system time of packet N, and N is a natural number. Note that packet N may be either the first packet or the second packet referred to in this embodiment.
Because the number of samples is small at the start and the mean therefore has a large error, N in this embodiment is preferably not less than 100. Note that this value of N is only an example for this embodiment and can be adjusted according to the operator's requirements.
In another optional implementation of this embodiment, determining according to the comparison result whether multiple users are sharing the connection can be implemented as follows: when the absolute value is greater than the predetermined threshold, the number of Internet users is incremented by 1; when the absolute value is not greater than the predetermined threshold, the number of Internet users has not increased.
This embodiment also provides a device for detecting Internet users. The device implements the embodiments and preferred implementations above; what has already been described is not repeated. As used below, the term "module" or "unit" may be a combination of software and/or hardware that implements a predetermined function. Although the device described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 3 is a structural block diagram of a device for detecting Internet users according to an embodiment of the present invention. As shown in FIG. 3, the device includes: an acquiring module 32, configured to acquire a first clock offset average value of a first packet and a second clock offset average value of a second packet, where the first packet and the second packet are adjacent packets; a determining module 34, coupled to the acquiring module 32 and configured to determine the difference between the first clock offset average value and the second clock offset average value; and a comparing module 36, coupled to the determining module 34 and configured to compare the absolute value of the difference with a predetermined threshold and to determine according to the comparison result whether to increase the Internet user count.
In an optional implementation of this embodiment, the first packet and the second packet are both upstream Transmission Control Protocol (TCP) packets.
Optionally, this embodiment can acquire the first clock offset average value of the first packet or the second clock offset average value of the second packet as follows:
$p_N = (t_N - t_1)/(r_N - r_1)$;
$m_N = (p_2 + p_3 + \dots + p_N)/(N-1)$;
where $p_N$ is the clock offset value of packet N, $m_N$ is the clock offset average value of packet N, $t_N$ is the timestamp of packet N, $r_N$ is the system time of packet N, and N is a natural number.
Because the number of samples is small at the start and the mean therefore has a large error, N in this embodiment is preferably not less than 100. Note that this value of N is only an example for this embodiment and does not limit the present invention; it can be adjusted according to the operator's requirements.
The comparing module 36 in this embodiment can further be configured to increment the number of Internet users by 1 when the absolute value is greater than the predetermined threshold, and to determine that the number of Internet users has not increased when the absolute value is not greater than the predetermined threshold.
To better explain the present invention, examples are given below with reference to the drawings and to specific optional embodiments of the present invention.
This optional embodiment provides a method for detecting multiple users sharing an Internet connection behind NAT. The method can detect the number of users sharing the connection and so meets operators' requirements.
Embodiment 1
In the related art, different operating systems, or different machines running the same operating system, may each have a slightly different clock offset. The sender's time offset can therefore be determined by examining the timestamps in upstream packets.
Timestamps can be carried in IP options, ICMP and TCP options. Embodiment 1 uses the TCP option timestamp as an example. Windows systems do not fill in the TCP option timestamp by default, but Linux/Unix systems (e.g., Android, iPhoneOS) carry it, and many websites also run Linux, so a certain proportion of network traffic contains the TCP.OPTION.TSVAL timestamp.
Table 1 shows the definition of the TCP.OPTION.Tsval field according to an optional embodiment of the present invention:
TCP Timestamps Option (TSopt):
Kind: 8
Length: 10 bytes
| Kind=8 | 10 | TS Value (TSval) | TS Echo Reply (TSecr) |
Table 1
The TCP.OPTION.TSval value is defined in RFC1323, "TCP Extensions for High Performance". Because different operating systems fill in TCP.OPTION.TSVAL at widely differing frequencies, only each TCP flow's own relative time offset ratio can be used.
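A parser for the option laid out in Table 1, as an added Python example that is not code from the patent: it locates the option list in a raw TCP header, walks it, and returns TSval and TSecr while rejecting malformed lengths. The function names and the sample SYN header bytes are constructed for illustration.

```python
import struct
from typing import Optional, Tuple

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8
TIMESTAMP_LEN = 10  # Kind (1) + Length (1) + TSval (4) + TSecr (4), as in Table 1

# Constructed sample: a 40-byte TCP SYN header carrying MSS, SACK-permitted,
# Timestamps (TSval=1234567, TSecr=0), NOP and window-scale options.
SAMPLE_SYN = bytes.fromhex(
    "c35001bb" "00000001" "00000000" "a002faf0" "00000000"
    "020405b4" "0402" "080a0012d68700000000" "01" "030307"
)


def tcp_options(tcp_header: bytes) -> bytes:
    """Return the option bytes that follow the fixed 20-byte TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp_header[12] >> 4) * 4  # Data Offset counts 32-bit words
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad TCP data offset")
    return tcp_header[20:header_len]


def parse_timestamp_option(options: bytes) -> Optional[Tuple[int, int]]:
    """Walk the option list; return (TSval, TSecr), or None if Kind 8 is absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:      # end of option list
            break
        if kind == TCPOPT_NOP:      # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without a length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option length out of range")
        if kind == TCPOPT_TIMESTAMP:
            if length != TIMESTAMP_LEN:
                raise ValueError("Timestamps option must be 10 bytes long")
            return struct.unpack_from("!II", options, i + 2)
        i += length
    return None


if __name__ == "__main__":
    print(parse_timestamp_option(tcp_options(SAMPLE_SYN)))
```

Packets for which the parser returns None, such as those from a default Windows stack as the text notes, contribute no sample to the clock offset calculation.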
In Embodiment 1, the time offset ratio is obtained as follows: sample the timestamp and system time of the first N packets of each flow, where the timestamps are denoted $t_1, t_2, \dots, t_N$, the system times $r_1, r_2, \dots, r_N$, the clock offset values $p_1, p_2, \dots, p_N$, and the clock offset average values $m_1, m_2, \dots, m_N$. The first packet serves as the baseline for the calculation.
Packet 1 clock offset value: used as the baseline for the calculation; not taken.
Packet 2 clock offset value: $p_2 = (t_2 - t_1)/(r_2 - r_1)$
Average: $m_2 = p_2$
Packet 3 clock offset value: $p_3 = (t_3 - t_1)/(r_3 - r_1)$
Average: $m_3 = (p_2 + p_3)/2$
Packet N clock offset value: $p_N = (t_N - t_1)/(r_N - r_1)$
Average: $m_N = (p_2 + p_3 + \dots + p_N)/(N-1)$
Observe the trajectory of the clock offset averages ($m_1, m_2, \dots, m_N$). Because the number of samples is small at the start and the mean therefore has a large error, it is recommended to start observing from $m_{100}$ (that is, the first 100 samples are used only for calculation, not as a basis for judgment). Continuously observe each clock offset average; if the current value, compared with the previous one, satisfies the following condition, the number of users is considered to have increased by 1. The condition is:
Figure PCTCN2015091583-appb-000001
l = 100, 101, ..., N
where
Figure PCTCN2015091583-appb-000002
is the allowable fluctuation range. If the error is within this range, the fluctuation is considered stable and the number of users does not increase. If it exceeds this range, the number of users is considered to have increased by 1.
Embodiment 1 can accurately detect the number of hosts illegally attached to a broadband user's connection, which meets operators' requirements.
This optional implementation can be applied on a Deep Packet Inspection (DPI) device. DPI is a protocol identification technology that has emerged in recent years. In addition to analyzing packet headers, DPI analyzes the application layer; it is an application-layer-based traffic detection and control technology. FIG. 4 is a deployment diagram of a DPI device in a network according to an optional implementation of the present invention. As shown in FIG. 4, when IP packets or TCP or UDP data streams pass through a network device based on DPI technology, the DPI engine reads deep into the IP packet payload to analyze the application-layer information of the OSI 7-layer model and so identifies the application-layer protocol of the IP packet. A DPI device can split off traffic in the network for analysis.
Embodiment 2
FIG. 5 is a flowchart of a clock offset detection method according to an optional embodiment of the present invention. As shown in FIG. 5, the method includes:
Step S502: Record the system time of the packet;
For a continuing flow, record the system time at which each upstream packet arrives, denoted $r_N$. Step 102: parse the TCP.OPTION.Tsval field of the packet to obtain the timestamp, denoted $t_N$;
Step S504: Parse the packet and obtain the timestamp;
Step S506: Calculate the clock offset value;
The clock offset value of each packet is calculated according to the formula $p_N = (t_N - t_1)/(r_N - r_1)$. The timestamp and system time of the first packet serve as the baseline for the calculation.
Step S508: Calculate the trajectory of the clock offset average;
The clock offset average value of each packet is calculated according to the formula $m_N = (p_2 + p_3 + \dots + p_N)/(N-1)$.
Step S510: Observe the trajectory of the clock offset average;
Step S512: Return the detected number of users to the upper layer;
Continuously observe each clock offset average value according to the formula
Figure PCTCN2015091583-appb-000003
If the current value, compared with the previous one, satisfies the formula's condition, the number of users is considered to have increased by 1.
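The calculation of Embodiment 1 and steps S502 to S510, as an added Python example that is not code from the patent. Because the formula image is not reproduced on the page, the condition is taken from steps S204 and S206 as |m_l - m_(l-1)| > threshold; the threshold of 0.05, the 0.1 s packet spacing and both hosts' TSval rates and start values are constructed assumptions.

```python
from typing import List, Optional, Sequence, Tuple

Sample = Tuple[float, int]  # (r_N: capture time in seconds, t_N: TSval of packet N)


def clock_offsets(samples: Sequence[Sample]) -> List[float]:
    """p_N = (t_N - t_1) / (r_N - r_1) for N = 2..len(samples); packet 1 is the baseline."""
    r1, t1 = samples[0]
    offsets = []
    for r, t in samples[1:]:
        if r <= r1:
            raise ValueError("capture times must increase after packet 1")
        offsets.append((t - t1) / (r - r1))
    return offsets


def running_means(offsets: Sequence[float]) -> List[float]:
    """m_N = (p_2 + ... + p_N) / (N - 1); element i of the result is m_(i+2)."""
    means, total = [], 0.0
    for count, p in enumerate(offsets, start=1):
        total += p
        means.append(total / count)
    return means


def flagged_packets(samples: Sequence[Sample], threshold: float,
                    first: int = 100) -> List[int]:
    """Packet numbers n >= first where |m_n - m_(n-1)| > threshold.

    The page adds one to the user count each time this condition holds;
    the check itself is an assumption based on steps S204 and S206.
    """
    means = running_means(clock_offsets(samples))
    flagged = []
    for n in range(max(first, 3), len(samples) + 1):
        if abs(means[n - 2] - means[n - 3]) > threshold:
            flagged.append(n)
    return flagged


def constructed_trace(n_packets: int,
                      second_host_from: Optional[int] = None) -> List[Sample]:
    """Constructed data, one packet every 0.1 s behind one public address.

    Host A's TSval ticks at 1000.05 Hz starting from 5000; host B's at 250 Hz
    starting from 9_000_000. From packet `second_host_from` on, every second
    packet comes from host B; all other packets come from host A.
    """
    trace = []
    for n in range(1, n_packets + 1):
        r = 0.1 * (n - 1)
        from_b = (second_host_from is not None and n >= second_host_from
                  and (n - second_host_from) % 2 == 0)
        if from_b:
            trace.append((r, 9_000_000 + int(250 * r)))
        else:
            trace.append((r, 5_000 + int(1000.05 * r)))
    return trace


if __name__ == "__main__":
    print(flagged_packets(constructed_trace(200), threshold=0.05))
    print(flagged_packets(constructed_trace(200, second_host_from=150), threshold=0.05)[:3])
```

On the constructed two-host trace the condition holds at packet 150 and keeps holding for the packets after it, because the cumulative mean continues to move by more than the threshold. The function therefore returns packet numbers and leaves the mapping from firings to a user count to the caller.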
The above are only optional embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and changes. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Industrial applicability
According to the embodiments of the present invention, the difference between the clock offset averages of two adjacent packets, a first packet and a second packet, is obtained, and that difference is compared with a predetermined threshold to determine whether the number of Internet users has increased. This solves the problem that the schemes for detecting the number of Internet users in the related art have limitations, so that the number of hosts illegally connected to a broadband user can be detected accurately, which meets the needs of operators.
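The calculation in steps S502 to S512 together with the comparison stated in claims 1 and 5, as an added Python example (it is not code from the patent). The threshold value, the starting count of one user and the constructed packet stream are assumptions; packets are given as (system time in seconds, TSval) pairs.

```python
from typing import List, Sequence, Tuple

MIN_PACKETS = 100  # claim 4: N is not less than 100

def clock_offset_averages(packets: Sequence[Tuple[float, int]]) -> List[float]:
    """Return [m_2, m_3, ...] for packets given as (r_N, t_N) pairs, where
    r_N is the capture system time in seconds and t_N the TCP TSval."""
    if len(packets) < 2:
        return []
    r1, t1 = packets[0]  # the first packet is the reference for every p_N
    total, averages = 0.0, []
    for n, (r, t) in enumerate(packets[1:], start=2):
        if r <= r1:
            raise ValueError(f"packet {n}: system time must be later than r_1")
        total += (t - t1) / (r - r1)       # p_N = (t_N - t_1) / (r_N - r_1)
        averages.append(total / (n - 1))   # m_N = (p_2 + ... + p_N) / (N - 1)
    return averages

def count_users(packets: Sequence[Tuple[float, int]],
                threshold: float) -> Tuple[int, List[int]]:
    """Apply the comparison of claims 1 and 5 to adjacent packets.
    Returns (user count, packet numbers N at which the count was raised)."""
    averages = clock_offset_averages(packets)
    users, raised_at = 1, []  # assumption: an observed stream has one user
    for i in range(1, len(averages)):
        n = i + 2  # averages[i] holds m_N with N = i + 2
        if n >= MIN_PACKETS and abs(averages[i] - averages[i - 1]) > threshold:
            users += 1
            raised_at.append(n)
    return users, raised_at

def constructed_stream(count: int = 200, second_host_at: int = -1):
    """Constructed sample: one packet every 100 ms from a 1000 Hz TSval
    clock; packet index second_host_at carries another host's timestamp."""
    stream = []
    for i in range(count):
        r = 1000.0 + 0.1 * i + (0.0005 if i % 3 == 0 else 0.0)  # capture jitter
        t = 50_000 + 100 * i + (5_000_000 if i == second_host_at else 0)
        stream.append((r, t))
    return stream

if __name__ == "__main__":
    THRESHOLD = 100.0  # assumed value; the page only says "predetermined"
    print(count_users(constructed_stream(), THRESHOLD))
    print(count_users(constructed_stream(second_host_at=120), THRESHOLD))
```

In this sketch every packet stamped by a different clock shifts the running average, so a stream that keeps interleaving two hosts raises the count more than once; the constructed data contains a single such packet.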

Claims (10)

  1. A method for detecting an Internet user, comprising:
    obtaining a first clock offset average of a first packet and a second clock offset average of a second packet, wherein the first packet and the second packet are adjacent packets;
    determining the difference between the first clock offset average and the second clock offset average;
    comparing the absolute value of the difference with a predetermined threshold, and determining according to the comparison result whether an Internet user is added.
  2. The method according to claim 1, wherein the first packet and the second packet are both uplink Transmission Control Protocol (TCP) packets.
  3. The method according to claim 2, wherein the first clock offset average of the first packet or the second clock offset average of the second packet is obtained as follows:
    $p_N = (t_N - t_1)/(r_N - r_1)$;
    $m_N = (p_2 + p_3 + \dots + p_N)/(N-1)$;
    where $p_N$ is the clock offset value of packet N, $m_N$ is the clock offset average of packet N; $t_N$ is the timestamp of packet N, $r_N$ is the system time of packet N; $p_N$ is the clock offset value of packet N; $m_N$ is the average of the clock offsets, and N is a natural number.
  4. The method according to claim 3, wherein N is not less than 100.
  5. The method according to claim 4, wherein determining according to the comparison result whether multiple users share Internet access comprises:
    when the absolute value is greater than the predetermined threshold, increasing the number of Internet users by 1; when the absolute value is not greater than the predetermined threshold, determining that the number of Internet users has not increased.
  6. A device for detecting an Internet user, comprising:
    an obtaining module, configured to obtain a first clock offset average of a first packet and a second clock offset average of a second packet, wherein the first packet and the second packet are adjacent packets;
    a determining module, configured to determine the difference between the first clock offset average and the second clock offset average;
    a comparison module, configured to compare the absolute value of the difference with a predetermined threshold, and to determine according to the comparison result whether an Internet user is added.
  7. The device according to claim 6, wherein the first packet and the second packet are both uplink Transmission Control Protocol (TCP) packets.
  8. The device according to claim 7, wherein the first clock offset average of the first packet or the second clock offset average of the second packet is obtained as follows:
    $p_N = (t_N - t_1)/(r_N - r_1)$;
    $m_N = (p_2 + p_3 + \dots + p_N)/(N-1)$;
    where $p_N$ is the clock offset value of packet N, $m_N$ is the clock offset average of packet N; $t_N$ is the timestamp of packet N, $r_N$ is the system time of packet N; $p_N$ is the clock offset value of packet N; $m_N$ is the average of the clock offsets, and N is a natural number.
  9. The device according to claim 8, wherein N is not less than 100.
  10. The device according to claim 9, wherein
    the comparison module is further configured so that, when the absolute value is greater than the predetermined threshold, the number of Internet users is increased by 1; and when the absolute value is not greater than the predetermined threshold, the number of Internet users has not increased.
PCT/CN2015/091583 2014-11-25 2015-10-09 Internet user detection method and device WO2016082626A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410686090.4A CN105703962A (en) 2014-11-25 2014-11-25 Internet access user detection method and device
CN201410686090.4 2014-11-25

Publications (1)

Publication Number Publication Date
WO2016082626A1 true WO2016082626A1 (en) 2016-06-02

Family

ID=56073562

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/091583 WO2016082626A1 (en) 2014-11-25 2015-10-09 Internet user detection method and device

Country Status (2)

Country Link
CN (1) CN105703962A (en)
WO (1) WO2016082626A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107018043A (en) * 2017-04-24 2017-08-04 北京安博通科技股份有限公司 A kind of detection method and device of shared verification

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1878096A (en) * 2006-07-04 2006-12-13 陈玲玲 Method for detecting number of computer users in inner compute network
CN101895552A (en) * 2010-07-22 2010-11-24 北京天融信科技有限公司 Security gateway and method thereof for detecting proxy surfing
CN101980477A (en) * 2010-10-09 2011-02-23 北京星网锐捷网络技术有限公司 Method and device for detecting number of shadow users, and network equipment
CN102377620A (en) * 2011-12-09 2012-03-14 浙江大学 Method for detecting broadband private connection based on open system interconnection (OSI) transmission layer timestamp

Also Published As

Publication number Publication date
CN105703962A (en) 2016-06-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15863928

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15863928

Country of ref document: EP

Kind code of ref document: A1