WO2017079980A1 - Charging fraud detection method and apparatus - Google Patents


Info

Publication number
WO2017079980A1
Authority
WO
WIPO (PCT)
Prior art keywords
charging
server
fraud
handshake
domain name
Application number
PCT/CN2015/094592
Other languages
French (fr)
Chinese (zh)
Inventor
郭�东
王淑君
赵文军
Original Assignee
Huawei Technologies Co., Ltd. (华为技术有限公司)

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40  Network security protocols

Definitions

  • the embodiments of the present invention relate to the field of communications technologies, and in particular, to a method and an apparatus for detecting charging fraud.
  • for encrypted services, the charging method usually adopted is: before encrypted transmission begins, that is, while the handshake between the user equipment (UE) and the server is being established, the domain name of the server that the UE wants to access is obtained from the packets exchanged between the UE and the server, and the pre-configured charging policy matching that domain name is looked up.
  • if the matching charging policy is a normal charging policy, the encrypted traffic transmitted after the handshake is charged normally; if the matching charging policy is a preferential charging policy, the encrypted traffic transmitted after the handshake is charged preferentially.
  • encrypted services generally use the Transport Layer Security (TLS) protocol handshake to authenticate the client and the server and to exchange keys for the encrypted transmission that follows.
  • TLS Transport Layer Security
  • in the end-to-end TLS negotiation, if the client and the server maliciously fake the process of accessing a preferential website, the gateway is led to charge the subsequent encrypted traffic preferentially. This is charging fraud, and it causes serious economic losses to the operator.
  • because the service is transmitted encrypted and decryption is restricted, the existing Deep Packet Inspection (DPI) technology cannot identify the behavioural characteristics of the service in order to detect the charging fraud. A method to solve this problem is therefore needed.
  • DPI Deep Packet Inspection
  • the embodiments of the present invention provide a method and a device for detecting charging fraud, which can identify the charging fraud existing in the encrypted transmission service.
  • a method for detecting charging fraud includes:
  • when the charging policy corresponding to the domain name that the UE requests to access is a preferential charging policy, the charging fraud detecting device records the handshake information transmitted while the first Transport Layer Security (TLS) handshake is being established between the UE and the server;
  • the charging fraud detecting device establishes a second TLS handshake with the server by using the recorded handshake information;
  • the charging fraud detecting device determines whether the second TLS handshake is established successfully;
  • if the second TLS handshake is established successfully, the charging fraud detecting device determines that there is no charging fraud; if the second TLS handshake fails to be established, the charging fraud detecting device determines that there is charging fraud.
  • the method further includes:
  • when it is determined that there is no charging fraud, the charging fraud detecting device stores the correspondence between the domain name that the UE requests to access and the Internet Protocol (IP) address in a trusted access set;
  • when it is determined that there is charging fraud, the charging fraud detecting device stores the correspondence between the domain name that the UE requests to access and the IP address in an untrusted access set.
  • before recording the handshake information transmitted while the first TLS handshake is being established between the UE and the server, the method further includes:
  • the charging fraud detecting device determines whether the correspondence between the domain name that the UE requests to access and the IP address belongs to the trusted access set and/or the untrusted access set;
  • if the correspondence belongs neither to the trusted access set nor to the untrusted access set, the charging fraud detecting device performs the step of recording the handshake information transmitted while the first TLS handshake is being established between the UE and the server.
  • before establishing the second TLS handshake with the server by using the recorded handshake information, the method further includes:
  • the charging fraud detecting device determines whether the certificate returned by the server is valid;
  • if it is valid, the charging fraud detecting device performs the step of establishing the second TLS handshake with the server by using the recorded handshake information; if it is invalid, the charging fraud detecting device determines that there is charging fraud.
  • the certificate returned by the server being valid means: the certificate returned by the server belongs to a trusted certificate set, and the domain name in the certificate returned by the server is the same as the domain name that the UE requests to access.
  • the apparatus for detecting a charge fraud includes:
  • a recording unit configured to record handshake information transmitted during the first transport layer secure TLS handshake process between the UE and the server, when the charging policy corresponding to the domain name requested by the user equipment UE is a preferential charging policy;
  • a handshake checking unit configured to establish a second TLS handshake with the server by using the handshake information recorded by the recording unit
  • a first determining unit configured to determine whether the second TLS handshake is successfully established
  • a determining unit configured to determine that there is no charging fraud when the second TLS handshake is successfully established, and determine that there is charging fraud when the second TLS handshake establishment fails.
  • the apparatus further includes:
  • a set maintenance unit, configured to store the correspondence between the domain name that the UE requests to access and the Internet Protocol (IP) address in the trusted access set when the determining unit determines that there is no charging fraud, and to store the correspondence between the domain name that the UE requests to access and the IP address in the untrusted access set when the determining unit determines that there is charging fraud.
  • the apparatus further includes:
  • a second determining unit, configured to determine whether the correspondence between the domain name that the UE requests to access and the IP address belongs to the trusted access set and/or the untrusted access set; if the correspondence belongs neither to the trusted access set nor to the untrusted access set, the recording unit records the handshake information transmitted while the first TLS handshake is being established between the UE and the server.
  • the apparatus further includes:
  • a third determining unit, configured to determine whether the certificate returned by the server is valid; if it is valid, the handshake checking unit establishes the second TLS handshake with the server by using the recorded handshake information, and if it is invalid, the determining unit determines that there is charging fraud.
  • the certificate returned by the server being valid means: the certificate returned by the server belongs to a trusted certificate set, and the domain name in the certificate returned by the server is the same as the domain name that the UE requests to access.
  • the detecting device for the charging fraud is a unified packet gateway UGW.
  • an apparatus for detecting charging fraud includes a processor and a memory connected by a communication bus, where the memory stores instructions that, when executed by the processor, perform the method of the first aspect or of any implementation of the first aspect.
  • in the embodiments, the handshake information transmitted while the first TLS handshake is being established between the UE and the server is recorded, and the recorded handshake information is then used to check the TLS handshake:
  • the detecting device initiates a second TLS handshake to the server by using the recorded handshake information, and if the second TLS handshake fails to be established, it determines that there is charging fraud. Charging fraud present in encrypted services can thus be identified.
  • FIG. 1 is a schematic flowchart of a method for detecting charging fraud according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of another method for detecting a charging fraud according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of signaling interaction of a method for detecting charging fraud according to an embodiment of the present invention
  • FIG. 4 is a schematic structural diagram of a device for detecting a charge fraud according to an embodiment of the present invention.
  • FIG. 5 is another schematic structural diagram of a device for detecting charging fraud according to an embodiment of the present invention.
  • Embodiments provide a method and apparatus for detecting billing fraud that can identify billing fraud.
  • FIG. 1 is a schematic flowchart of a method for detecting a charging fraud according to an embodiment of the present invention.
  • the method in this embodiment includes:
  • when the charging policy corresponding to the domain name that the UE requests to access is a preferential charging policy,
  • record the handshake information transmitted while the first TLS handshake is being established between the UE and the server.
  • the charging fraud detecting device may obtain the domain name of the server that the UE requests to access during the Transmission Control Protocol (TCP) handshake or the Transport Layer Security (TLS) handshake between the UE and the server.
  • for example, the destination IP address carried in the TCP connection request sent by the UE can be looked up against the domain name system (DNS) records to recover the domain name corresponding to that IP address. If that lookup is unsuccessful, the server name indication (SNI) parameter carried in the ClientHello message sent by the UE may be identified; the SNI value is the domain name that the UE requests to access. If the SNI parameter cannot be obtained, the domain name in the certificate message returned by the server may be identified, which is the domain name that the UE requests to access.
  • the specific acquisition method is not limited here.
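The SNI step of the acquisition described above, as an added Python example that is not part of the patent text: it walks the TLS record header, the handshake header and the ClientHello body of a recorded message and returns the host_name from the server_name extension. The ClientHello bytes are produced by the included builder rather than captured from a real UE; the zeroed random field and single cipher suite are constructed so the example is reproducible. A ClientHello with no extensions block (legal in TLS 1.2) yields None, which is the case in which the text falls back to the domain name in the server's certificate message.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension (RFC 6066)


def extract_sni(record):
    """Return the host_name from the server_name extension of a TLS ClientHello record,
    or None if the record is not a ClientHello, is truncated, or carries no SNI."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        body = record[5:5 + rec_len]
        if len(body) != rec_len or body[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            return None
        pos = 2 + 32                                   # legacy_version + random
        pos += 1 + hello[pos]                          # legacy_session_id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2 + cs_len                              # cipher_suites
        pos += 1 + hello[pos]                          # legacy_compression_methods
        if pos + 2 > len(hello):
            return None                                # no extensions block at all
        (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:                          # walk extension list: type, length, data
            ext_type, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if ext_type == EXT_SERVER_NAME:
                return _parse_server_name_list(data)
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                    # truncated or malformed: treat as no SNI


def _parse_server_name_list(data):
    """ServerNameList: u16 length, then entries of name_type(1) + u16 length + name."""
    (list_len,) = struct.unpack("!H", data[:2])
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0 and len(name) == name_len:   # name_type 0 = host_name
            return name.decode("ascii")
    return None


def build_client_hello(server_name=None):
    """Constructed minimal ClientHello record for testing (zeroed random, one cipher
    suite, null compression); a real UE's ClientHello carries many more fields."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    hello = (b"\x03\x03" + bytes(32)                   # version, random (zeroed: constructed)
             + b"\x00"                                 # empty session id
             + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00")                            # one compression method: null
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(extract_sni(build_client_hello("free.example.net")))   # free.example.net
    print(extract_sni(build_client_hello()))                     # None: no SNI, fall back to certificate
```

The SNI is client-supplied and unauthenticated: a colluding UE can put any name in it, which is why the description does not stop at this step but goes on to check the server's certificate and to replay the handshake.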
  • the server in the embodiment of the present invention may be a Service Provider (SP) server.
  • SP Service Provider
  • the so-called preferential charging policy may be, for example, free-of-charge, sponsored (paid for by a third party), or reduced-rate charging.
  • the recorded handshake information mainly includes the ClientHello message sent by the UE to the server, and may further include other messages sent by the UE to the server and messages returned by the server to the UE, which are not specifically limited herein.
  • the detecting device attempts to establish a second TLS handshake with the server by using the recorded handshake information.
  • "first" and "second" only distinguish TLS handshakes established between different parties: the first TLS handshake is established between the UE and the server, and the second TLS handshake is established between the detecting device and the server.
  • the specific process of establishing the two TLS handshakes can be considered the same.
  • step 103: determine whether the second TLS handshake is established successfully. If not, perform step 104 and determine that there is charging fraud; otherwise perform step 105 and determine that there is no charging fraud.
  • the detecting device checks the TLS handshake process with the recorded handshake information, and can thereby identify, in an encrypted service, fraud by the UE, fraud by the server, and cooperative fraud by the UE and the server.
  • FIG. 2 is a schematic flowchart of another method for detecting a charging fraud according to an embodiment of the present invention.
  • the method in this embodiment includes:
  • step 201: when the charging policy corresponding to the domain name that the UE requests to access is a preferential charging policy, determine whether the correspondence between the domain name that the UE requests to access and the Internet Protocol (IP) address belongs to the trusted access set; if yes, perform step 209; if not, perform step 202;
  • IP Internet Protocol
  • the charging fraud detecting device may pre-configure, or identify during operation, servers that do not commit charging fraud, treat such servers as trusted servers, and save the correspondence between the domain name and the IP address of each trusted server to form the trusted access set.
  • servers identified as committing charging fraud are treated as untrusted servers, and the correspondence between the domain name and the IP address of each untrusted server is saved to form the untrusted access set.
  • if the correspondence between the domain name that the UE requests to access and the IP address belongs to the trusted access set, it is considered that there is no charging fraud, and the subsequently transmitted traffic is charged preferentially. If the correspondence does not belong to the trusted access set, detection continues.
  • step 202 determining whether the correspondence between the domain name and the IP address that the UE requests to access belongs to the non-trusted access set, if yes, step 210 is performed, if not, step 203 is performed;
  • if the correspondence between the domain name that the UE requests to access and the IP address belongs to the untrusted access set, the charging fraud detecting device considers that there is charging fraud, and the subsequently transmitted traffic is charged normally; if the correspondence belongs neither to the trusted access set nor to the untrusted access set, the charging fraud detecting device continues detection.
  • steps 201 and 202 can be performed in either order; through steps 201 and 202, a domain name and IP address pair that has already been classified is decided quickly without repeating the handshake check.
  • the trusted certificate set may be pre-stored in the detecting device and contains the certificates of trusted servers; a trusted server's certificate may be provided by the cooperating OTT provider, or may be extracted from the handshake messages observed when the website is visited. If the certificate returned by the server belongs to the trusted certificate set, and the domain name in the certificate returned by the server is consistent with the domain name that the UE requests to access, the certificate returned by the server is considered valid.
  • whether the certificate returned by the server is valid may also be determined in other ways, for example by checking whether the certificate was issued by a trusted certificate issuer, or by having a trusted third-party system authenticate the certificate returned by the server; this is not specifically limited here.
  • the detecting device may attempt to establish the second TLS handshake with the server by using the recorded handshake information at a suitable time (for example, when the service transmission starts, during the transmission, or while the service is idle).
  • step 206 determining whether the second TLS handshake is successfully established, if successful, executing step 207, otherwise performing step 208;
  • the above detection process may be initiated periodically or irregularly during the subsequent service transmission.
  • charging fraud can thus be identified quickly.
  • the detecting device checks the TLS handshake process with the recorded handshake information, and can thereby identify, in an encrypted service, fraud by the UE, fraud by the server, and cooperative fraud by the UE and the server.
  • FIG. 3 is a schematic diagram of a signaling interaction of a method for detecting a charging fraud according to an embodiment of the present invention.
  • the method in this embodiment may be mainly divided into three phases.
  • the first phase is a TCP handshake phase between the UE and the server.
  • the second phase is the TLS handshake phase between the UE and the server, and the third phase is the handshake verification phase.
  • in the TCP handshake phase, the detecting device obtains the IP address of the server that the UE requests to access from the TCP SYN sent by the UE to the server, and queries the DNS records to obtain the domain name corresponding to that IP address; if the pre-configured charging policy corresponding to that domain name is a preferential charging policy, charging fraud detection needs to be performed.
  • the domain name that the UE requests to access may also be obtained in the TLS handshake phase.
  • FIG. 3 only takes the case of obtaining the domain name that the UE requests to access in the TCP handshake phase as an example.
  • in the TLS handshake phase, the detecting device extracts the SNI parameter carried in the ClientHello message sent by the UE to the server to obtain the domain name that the UE requests to access, and determines whether the correspondence between that domain name and the IP address belongs to the trusted access set and/or the untrusted access set. If the correspondence belongs neither to the trusted access set nor to the untrusted access set,
  • the TLS handshake information is recorded. After the server returns its certificate, it is determined whether that certificate is valid. If the certificate returned by the server is valid, the handshake verification phase is entered.
  • in the handshake verification phase, the detecting device may use the recorded handshake information to initiate a TLS handshake (that is, the second TLS handshake) to the server. If the second TLS handshake fails, it determines that there is charging fraud, subsequent traffic is charged normally, and the correspondence between the domain name that the UE requests to access and the IP address is stored in the untrusted access set; if the second TLS handshake succeeds, it determines that there is no charging fraud, subsequent traffic is charged preferentially, and the correspondence between the domain name that the UE requests to access and the IP address is stored in the trusted access set.
  • the charging fraud detecting apparatus can be implemented on a unified packet gateway (UGW) or on other network devices having the UGW function.
  • UGW unified packet gateway
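The decision flow of FIG. 2 and FIG. 3 put together, as an added Python example that is not the patent's own implementation: trusted and untrusted access sets keyed by (domain name, IP address), the certificate check (leaf certificate fingerprint in a trusted certificate set, and a subjectAltName dNSName matching the requested domain), and the second TLS handshake performed by the detecting device as an ordinary verifying TLS client toward the server IP with the recorded server name. `second_handshake` uses Python's `ssl` module, which builds its own ClientHello; what it reuses from the recorded first handshake is the server name and the server's IP, not the raw bytes. The fingerprints, addresses, names and the `constructed-der-bytes` placeholder are constructed, and the stub handshake callables in the usage section stand in for a live server so the logic runs offline.

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass, field


def cert_matches_domain(san_dns_names, domain):
    """True if `domain` is covered by one of the certificate's dNSName entries.
    A wildcard such as *.example.net matches exactly one leftmost label (RFC 6125)."""
    domain = domain.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == domain:
            return True
        if name.startswith("*.") and domain.count(".") == name.count("."):
            if domain.split(".", 1)[1] == name[2:]:
                return True
    return False


def second_handshake(ip, server_name, trusted_certs, port=443, timeout=3.0):
    """The detecting device acting as an honest TLS client toward the IP the UE
    connected to, with the server name recorded from the UE's ClientHello.
    Succeeds only if the chain verifies, the name matches, the server proves
    possession of its key, and the leaf is in the trusted certificate set."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and hostname checking on
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                leaf = tls.getpeercert(binary_form=True)
                return hashlib.sha256(leaf).hexdigest() in trusted_certs
    except (ssl.SSLError, OSError):
        return False


@dataclass
class ChargingFraudDetector:
    trusted_certs: set                                  # SHA-256 hex fingerprints of trusted leaf certs
    trusted_access: set = field(default_factory=set)    # (domain, ip) pairs judged clean
    untrusted_access: set = field(default_factory=set)  # (domain, ip) pairs judged fraudulent

    def decide(self, domain, ip, cert_der, cert_dns_names, handshake=None):
        """Return (fraud, reason) for a connection whose domain has a preferential policy.
        `cert_der` and `cert_dns_names` come from the Certificate message recorded
        in the first (UE to server) handshake; `handshake(ip, sni)` is the second handshake."""
        key = (domain, ip)
        if key in self.trusted_access:                  # step 201 -> 209: already known clean
            return False, "trusted access set"
        if key in self.untrusted_access:                # step 202 -> 210: already known fraudulent
            return True, "untrusted access set"
        fingerprint = hashlib.sha256(cert_der).hexdigest()
        if fingerprint not in self.trusted_certs:       # certificate validity: trusted set
            return self._record(key, True, "certificate not in trusted set")
        if not cert_matches_domain(cert_dns_names, domain):   # certificate validity: name
            return self._record(key, True, "certificate name does not match requested domain")
        if handshake is None:
            handshake = lambda ip_, sni: second_handshake(ip_, sni, self.trusted_certs)
        if handshake(ip, domain):                       # second TLS handshake established
            return self._record(key, False, "second handshake succeeded")
        return self._record(key, True, "second handshake failed")

    def _record(self, key, fraud, reason):
        """Set maintenance: remember the verdict for this domain/IP pair."""
        (self.untrusted_access if fraud else self.trusted_access).add(key)
        return fraud, reason


# Constructed scenario (no network): one trusted certificate and a few UE connections.
TRUSTED_CERT_DER = b"constructed-der-bytes-of-the-trusted-leaf"   # stands in for a real DER certificate
TRUSTED_FP = hashlib.sha256(TRUSTED_CERT_DER).hexdigest()

if __name__ == "__main__":
    det = ChargingFraudDetector(trusted_certs={TRUSTED_FP})
    # Genuine server: trusted cert, matching name, honest-client handshake completes.
    print(det.decide("free.example.net", "198.51.100.10", TRUSTED_CERT_DER,
                     ["*.example.net"], handshake=lambda ip, sni: True))
    # Colluding server that replays the genuine certificate without its private key:
    # the UE ignores the failed handshake, the detecting device does not.
    print(det.decide("free.example.net", "203.0.113.7", TRUSTED_CERT_DER,
                     ["*.example.net"], handshake=lambda ip, sni: False))
    # A second connection to the genuine pair is decided from the trusted access set.
    print(det.decide("free.example.net", "198.51.100.10", b"", [], handshake=lambda ip, sni: False))
```

The replay does its job only because the detecting device verifies the chain and completes the key exchange itself: a server that presents a certificate for a preferential domain without holding its private key fails a handshake with an honest client even though a colluding UE would accept it. Two operational points follow from the description: entries in either set should be aged out or refreshed in line with the periodic re-detection the text mentions, and the sets must be keyed by the IP address as well as the name, since one preferential name can legitimately resolve to many addresses while a fraudulent server can present the same name from a different one.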
  • the apparatus for detecting billing fraud in the embodiment of the present invention includes:
  • the recording unit 401 is configured to record handshake information transmitted during the first transport layer security TLS handshake process between the UE and the server, when the charging policy corresponding to the domain name requested by the user equipment UE is a preferential charging policy;
  • the handshake checking unit 402 is configured to establish a second TLS handshake with the server by using the handshake information recorded by the recording unit 401.
  • the first determining unit 403 is configured to determine whether the second TLS handshake is successfully established.
  • the determining unit 404 is configured to determine that there is no charging fraud when the second TLS handshake is successfully established, and determine that there is a charging fraud when the second TLS handshake establishment fails.
  • the apparatus of this embodiment further includes:
  • the set maintenance unit 405 is configured to store the correspondence between the domain name that the UE requests to access and the Internet Protocol (IP) address in the trusted access set when the determining unit 404 determines that there is no charging fraud, and to store the correspondence between the domain name that the UE requests to access and the IP address in the untrusted access set when the determining unit 404 determines that there is charging fraud.
  • the apparatus of this embodiment further includes:
  • the second determining unit 406 is configured to determine whether the correspondence between the domain name that the UE requests to access and the IP address belongs to the trusted access set and/or the untrusted access set; if the correspondence belongs neither to the trusted access set nor to the untrusted access set, the recording unit 401 records the handshake information transmitted while the first TLS handshake is being established between the UE and the server.
  • the apparatus of this embodiment further includes:
  • the third determining unit 407 is configured to determine whether the certificate returned by the server is valid; if it is valid, the handshake checking unit 402 establishes the second TLS handshake with the server by using the recorded handshake information, and if it is invalid, the determining unit 404 determines that there is charging fraud.
  • the valid certificate returned by the server includes: the certificate returned by the server belongs to a trusted certificate set, and the domain name in the certificate returned by the server is consistent with the domain name requested by the UE.
  • the device described in the embodiment of the present invention may perform the method described in the embodiment shown in FIG. 2, and the technical implementation process and technical effects may be referred to the detailed description of the embodiment shown in FIG. 2, and details are not described herein again.
  • FIG. 5 is a schematic diagram of another structure of a charging fraud detecting apparatus according to an embodiment of the present invention.
  • the charging fraud detecting apparatus of this embodiment includes a processor 501 and a memory 502, and the processor 501 and the memory 502 are connected by using a communication bus.
  • the memory 502 stores instructions for implementing the method for detecting charging fraud shown in FIG. 2, and the processor 501 retrieves the instructions from the memory 502 and can perform the method for detecting charging fraud described in the embodiment shown in FIG. 2.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be other division manners; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or of another form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention which is essential or contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • a number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Disclosed are a charging fraud detection method and apparatus, the method comprising: when a charging strategy corresponding to a domain name to which a UE requests access is a preferential charging strategy, a charging fraud detection apparatus recording handshake information transmitted in the process of establishing a first TLS handshake between the UE and a server; the charging fraud detection apparatus establishing a second TLS handshake with the server by using the recorded handshake information; the charging fraud detection apparatus determining whether the second TLS handshake is successfully established; and if the second TLS handshake is successfully established, determining that there is no charging fraud, and if the second TLS handshake fails to be established, determining that there is charging fraud.

Description

一种计费欺诈的检测方法及装置Method and device for detecting billing fraud 技术领域Technical field
本发明实施例涉及通信技术领域,尤其涉及一种计费欺诈的检测方法及装置。The embodiments of the present invention relate to the field of communications technologies, and in particular, to a method and an apparatus for detecting charging fraud.
背景技术Background technique
运营商为了吸引用户,提升用户满意度,会制定各种免费费率,统付等优惠计费策略。针对采用密文传输的加密业务,通常采用的计费方式是:在业务加密传输之前,即在用户设备(User Equipment,UE)与服务器之间建立握手的过程中,根据UE与服务器之间传递的报文获取UE要访问的服务器的域名,然后获取预先配置的与该域名匹配的计费策略,如果匹配的计费策略为正常计费策略,则对握手之后加密传输的业务正常计费,如果匹配的计费策略为优惠计费策略,则对握手之后加密传输的业务优惠计费。In order to attract users and improve user satisfaction, operators will formulate various free rates, unified payment and other preferential charging strategies. For the cryptographic service using ciphertext transmission, the charging method is usually adopted: before the service encryption transmission, that is, during the establishment of the handshake between the user equipment (User Equipment, UE) and the server, according to the transmission between the UE and the server. The packet obtains the domain name of the server to be accessed by the UE, and then obtains a pre-configured charging policy that matches the domain name. If the matching charging policy is a normal charging policy, the encrypted transmission service is normally charged after the handshake. If the matching charging policy is a preferential charging policy, the service preferentially charged for the encrypted transmission after the handshake is charged.
目前加密业务一般通过传输层安全(Transport Layer Security,TLS)协议握手,完成客户端与服务器的身份验证,并交换密钥进行加密传输,在TLS端到端的协商过程中,如果客户端与服务器恶意地伪造访问优惠网站的过程,则会使网关认为对后续加密传输的业务优惠计费,造成了计费欺诈,计费欺诈将会给运营商带来严重的经济损失。针对上述计费欺诈,由于业务采用的是加密传输方式,解密受限,因此无法采用现有的深度业务感知(Deep Packet Inspection,DPI)技术识别业务的行为特征以识别计费欺诈,因此,有必要提出一种方法解决上述问题。Currently, the cryptographic service generally performs the handshake of the Transport Layer Security (TLS) protocol to complete the authentication of the client and the server, and exchanges the key for encrypted transmission. In the TLS end-to-end negotiation process, if the client and the server are malicious. The process of falsifying the access to the preferential website will cause the gateway to consider the preferential charging of the subsequent encrypted transmission, resulting in billing fraud, which will bring serious economic losses to the operator. For the above-mentioned charging fraud, since the service adopts the encrypted transmission mode and the decryption is limited, the existing Deep Packet Inspection (DPI) technology cannot be used to identify the behavior characteristics of the service to identify the charging fraud. Therefore, there is It is necessary to propose a method to solve the above problem.
发明内容Summary of the invention
有鉴于此,本发明实施例提供了一种计费欺诈的检测方法及装置,能够识别加密传输的业务中存在的计费欺诈。In view of this, the embodiments of the present invention provide a method and a device for detecting charging fraud, which can identify the charging fraud existing in the encrypted transmission service.
第一方面,本发明实施例提供的计费欺诈的检测方法,包括:In a first aspect, a method for detecting a charging fraud provided by an embodiment of the present invention includes:
当用户设备UE请求访问的域名对应的计费策略为优惠计费策略时,计费欺诈的检测装置记录所述UE与服务器之间建立第一传输层安全TLS握手过程 中传输的握手信息;When the charging policy corresponding to the domain name requested by the user equipment UE is a preferential charging policy, the charging fraud detecting device records the first transport layer security TLS handshake process between the UE and the server. Handshake information transmitted in the middle;
计费欺诈的检测装置利用记录的所述握手信息与所述服务器建立第二TLS握手;The charging fraud detecting device establishes a second TLS handshake with the server by using the recorded handshake information;
计费欺诈的检测装置判断所述第二TLS握手是否建立成功;The detecting device of the charging fraud determines whether the second TLS handshake is successfully established;
若所述第二TLS握手建立成功,则计费欺诈的检测装置确定不存在计费欺诈,若所述第二TLS握手建立失败,则计费欺诈的检测装置确定存在计费欺诈。If the second TLS handshake is successfully established, the charging fraud detecting means determines that there is no charging fraud. If the second TLS handshake establishment fails, the charging fraud detecting means determines that there is charging fraud.
结合第一方面,在第一方面的第一种实施方式中,所述方法还包括:In conjunction with the first aspect, in a first implementation manner of the first aspect, the method further includes:
当确定不存在计费欺诈时,计费欺诈的检测装置将所述UE请求访问的域名与互联网协议IP地址的对应关系存入可信访问集合;When it is determined that there is no billing fraud, the charging fraud detecting device stores the correspondence between the domain name requested by the UE and the Internet Protocol IP address in the trusted access set;
当确定存在计费欺诈时,计费欺诈的检测装置将所述UE请求访问的域名与IP地址的对应关系存入非可信访问集合。When it is determined that there is a charging fraud, the charging fraud detecting means stores the correspondence between the domain name and the IP address that the UE requests to access in the untrusted access set.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, before recording the handshake information transmitted while the first TLS handshake is established between the UE and the server, the method further includes:
the charging fraud detection apparatus determines whether the correspondence between the domain name the UE requests to access and the IP address belongs to the trusted access set and/or the untrusted access set;
if the correspondence between the domain name the UE requests to access and the IP address belongs to neither the trusted access set nor the untrusted access set, the charging fraud detection apparatus performs the step of recording the handshake information transmitted while the first TLS handshake is established between the UE and the server.
With reference to the second implementation of the first aspect, in a third implementation of the first aspect, before establishing the second TLS handshake with the server using the recorded handshake information, the method further includes:
the charging fraud detection apparatus determines whether the certificate returned by the server is valid;
if it is valid, the charging fraud detection apparatus performs the step of establishing the second TLS handshake with the server using the recorded handshake information; if it is invalid, the charging fraud detection apparatus determines that charging fraud exists.
With reference to the third implementation of the first aspect, in a fourth implementation of the first aspect, the certificate returned by the server being valid includes: the certificate returned by the server belongs to a trusted certificate set, and the domain name in the certificate returned by the server is consistent with the domain name the UE requests to access.
In a second aspect, an embodiment of the present invention provides a charging fraud detection apparatus, including:
a recording unit, configured to record, when the charging policy corresponding to the domain name the user equipment (UE) requests to access is a preferential charging policy, the handshake information transmitted while a first Transport Layer Security (TLS) handshake is established between the UE and a server;
a handshake verification unit, configured to establish a second TLS handshake with the server using the handshake information recorded by the recording unit;
a first judging unit, configured to determine whether the second TLS handshake is established successfully;
a determining unit, configured to determine that no charging fraud exists when the second TLS handshake is established successfully, and to determine that charging fraud exists when the second TLS handshake fails.
With reference to the second aspect, in a first implementation of the second aspect, the apparatus further includes:
a set maintenance unit, configured to store the correspondence between the domain name the UE requests to access and the Internet Protocol (IP) address in a trusted access set when the determining unit determines that no charging fraud exists, and to store the correspondence between the domain name the UE requests to access and the IP address in an untrusted access set when the determining unit determines that charging fraud exists.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the apparatus further includes:
a second judging unit, configured to determine whether the correspondence between the domain name the UE requests to access and the IP address belongs to the trusted access set and/or the untrusted access set; if the correspondence belongs to neither the trusted access set nor the untrusted access set, the recording unit records the handshake information transmitted while the first TLS handshake is established between the UE and the server.
With reference to the second implementation of the second aspect, in a third implementation of the second aspect, the apparatus further includes:
a third judging unit, configured to determine whether the certificate returned by the server is valid; if it is valid, the handshake verification unit establishes the second TLS handshake with the server using the recorded handshake information, and if it is invalid, the determining unit determines that charging fraud exists.
With reference to the third implementation of the second aspect, in a fourth implementation of the second aspect, the certificate returned by the server being valid includes: the certificate returned by the server belongs to a trusted certificate set, and the domain name in the certificate returned by the server is consistent with the domain name the UE requests to access.
With reference to the second aspect or any of the first to fourth implementations of the second aspect, in a fifth implementation of the second aspect, the charging fraud detection apparatus is a unified packet gateway (UGW).
In a third aspect, an embodiment of the present invention provides a charging fraud detection apparatus including a processor and a memory, where the processor and the memory are connected by a communication bus, the memory stores instructions implementing the charging fraud detection method of the first aspect or any implementation of the first aspect, and the processor, by retrieving the instructions from the memory, can perform the charging fraud detection method of the first aspect or any implementation of the first aspect.
It can be seen from the above technical solutions that the embodiments of the present invention have the following advantages:
In the embodiments of the present invention, once the charging policy corresponding to the domain name the UE requests to access is found to be a preferential charging policy, the handshake information transmitted while the first TLS handshake is established between the UE and the server is recorded. After the first TLS handshake between the UE and the server is established, the recorded handshake information is used to verify the TLS handshake process: the detection apparatus initiates a second TLS handshake to the server using the recorded handshake information, and if the second TLS handshake fails, it determines that charging fraud exists. Charging fraud in services transmitted over encryption can thus be identified.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a charging fraud detection method according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of another charging fraud detection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of signaling interaction in a charging fraud detection method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a charging fraud detection apparatus according to an embodiment of the present invention;
FIG. 5 is another schematic structural diagram of a charging fraud detection apparatus according to an embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
As described in the background, when a preferential charging policy coexists with a service transmitted over encryption, charging fraud is easy to commit, and the prior art offers no effective solution against it. The embodiments of the present invention therefore provide a charging fraud detection method and apparatus capable of identifying charging fraud.
Refer to FIG. 1, which is a schematic flowchart of a charging fraud detection method according to an embodiment of the present invention. The method of this embodiment includes:
101. When the charging policy corresponding to the domain name the UE requests to access is a preferential charging policy, record the handshake information transmitted while a first TLS handshake is established between the UE and the server.
In a specific implementation, the charging fraud detection apparatus may obtain the domain name of the server the UE requests to access during the Transmission Control Protocol (TCP) handshake or the Transport Layer Security (TLS) handshake between the UE and the server. For example, a reverse lookup of the Domain Name System (DNS) may be performed on the destination IP address carried in the TCP connection setup request sent by the UE; the domain name obtained for that destination IP address is the domain name the UE requests to access. If the lookup fails, the server name indication (SNI) parameter carried in the ClientHello message sent by the UE may be identified; the value of the SNI parameter is the domain name the UE requests to access. If the SNI parameter cannot be obtained, the domain name in the certificate message returned by the server may be identified; that domain name is the domain name the UE requests to access. The specific acquisition method is not limited here. The server in the embodiments of the present invention may be a service provider (SP) server.
A preferential charging policy may be a charging policy such as free of charge, sponsored (paid centrally rather than by the user), or reduced charge.
The recorded handshake information mainly includes the ClientHello message sent by the UE to the server; it may also include other messages sent by the UE to the server and messages returned by the server to the UE, which are not specifically limited here.
102. Establish a second TLS handshake with the server using the recorded handshake information.
That is, after the first TLS handshake between the UE and the server is established, the detection apparatus uses the recorded handshake information to attempt to establish a second TLS handshake with the server.
The terms first and second above only distinguish TLS handshakes established between different parties: the first TLS handshake is established between the UE and the server, and the second TLS handshake is established between the detection apparatus and the server. The specific procedure for establishing the two TLS handshakes may be considered the same.
103. Determine whether the second TLS handshake is established successfully. If it is not, perform step 104 and determine that charging fraud exists; otherwise, perform step 105 and determine that no charging fraud exists.
In this embodiment, after the first TLS handshake between the UE and the server is established, the detection apparatus verifies the TLS handshake process using the recorded handshake information, and can thereby identify, in services transmitted over encryption, fraud by the UE, fraud by the server, and collusive fraud between the UE and the server.
FIG. 2 is a schematic flowchart of another charging fraud detection method according to an embodiment of the present invention. The method of this embodiment includes:
201. When the charging policy corresponding to the domain name the UE requests to access is a preferential charging policy, determine whether the correspondence between the domain name the UE requests to access and the Internet Protocol (IP) address belongs to the trusted access set. If it does, perform step 209; if not, perform step 202.
In a specific implementation, the charging fraud detection apparatus may pre-configure or identify servers that do not commit charging fraud, treat them as trusted servers, and store the correspondences between the domain names and IP addresses of the trusted servers to form a trusted access set. In addition, servers identified as having committed charging fraud are treated as untrusted servers, and the correspondences between the domain names and IP addresses of the untrusted servers are stored to form an untrusted access set.
If the correspondence between the domain name the UE requests to access and the IP address belongs to the trusted access set, it is considered that no charging fraud exists and the subsequently transmitted service is charged preferentially; if it does not belong to the trusted access set, detection continues.
202. Determine whether the correspondence between the domain name the UE requests to access and the IP address belongs to the untrusted access set. If it does, perform step 210; if not, perform step 203.
If the correspondence between the domain name the UE requests to access and the IP address belongs to the untrusted access set, the charging fraud detection apparatus considers that charging fraud exists and the subsequently transmitted service is charged normally; if the correspondence belongs to neither the trusted access set nor the untrusted access set, the charging fraud detection apparatus continues detection.
It should be noted that the order of step 201 and step 202 may be swapped; steps 201 and 202 allow charging fraud to be detected quickly.
203. Record the handshake information transmitted while the first TLS handshake is established between the UE and the server.
204. Determine whether the certificate returned by the server is valid. If it is invalid, perform step 210; if it is valid, perform step 205.
In a specific implementation, a trusted certificate set may be pre-stored in the detection apparatus. The trusted certificate set contains the certificates of trusted servers, which may be provided by cooperating OTT vendors or extracted from handshake messages by visiting the websites. If the certificate returned by the server belongs to the trusted certificate set and the domain name in the certificate returned by the server is consistent with the domain name the UE requests to access, the certificate returned by the server is considered valid. Of course, other methods may be used to check whether the certificate returned by the server is valid, for example checking whether the certificate returned by the server was issued by a trusted certificate issuer, or having a third-party trusted system authenticate the certificate returned by the server; this is not specifically limited here.
205. Establish a TLS handshake with the server according to the recorded handshake information.
That is, after the first TLS handshake between the UE and the server is established, the detection apparatus may, at a suitable time (for example when service transmission starts, during transmission, or when the service is idle), use the recorded handshake information to attempt to establish a second TLS handshake with the server.
206. Determine whether the second TLS handshake is established successfully. If it is, perform step 207; otherwise, perform step 208.
207. Determine that charging fraud exists, charge normally, and store the correspondence between the domain name the UE requests to access and the IP address in the untrusted access set.
208. Determine that no charging fraud exists, charge preferentially, and store the correspondence between the domain name the UE requests to access and the IP address in the trusted access set.
209. Determine that no charging fraud exists and charge preferentially.
210. Determine that charging fraud exists and charge normally.
The above detection process may be initiated periodically or at irregular intervals during subsequent service transmission.
In this embodiment, maintaining the trusted access set and the untrusted access set allows charging fraud to be identified quickly. After the first TLS handshake between the UE and the server is established, the detection apparatus verifies the TLS handshake process using the recorded handshake information, and can thereby identify, in services transmitted over encryption, fraud by the UE, fraud by the server, and collusive fraud between the UE and the server.
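The decision flow of steps 201 to 210, as an added Python example that is not part of the patent. The verdict mapping follows the claims and the summary (a successful second handshake means no fraud, a failed one means fraud). `HandshakeProbe`, `SimulatedNetwork`, `sni_hello` and the certificate records are assumptions: the probe stands in for the second TLS handshake, and in the simulation a server completes the replayed ClientHello only when its SNI names a domain that server actually serves.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Set, Tuple


class Verdict(Enum):
    NO_FRAUD = "preferential charging"   # steps 208 / 209
    FRAUD = "normal charging"            # steps 207 / 210


@dataclass(frozen=True)
class ServerCertificate:
    """Constructed stand-in for the certificate the server returns in its Certificate message."""
    cert_id: str      # identity of the certificate (placeholder values below, not real fingerprints)
    domain: str       # name the certificate was issued for


# Hypothetical probe type: (server IP, recorded ClientHello) -> did the server complete the handshake?
HandshakeProbe = Callable[[str, bytes], bool]


@dataclass
class FraudDetector:
    trusted_certs: Set[str]                 # pre-stored trusted certificate set (step 204)
    probe: HandshakeProbe                   # performs the second TLS handshake (step 205)
    trusted_access: Set[Tuple[str, str]] = field(default_factory=set)    # (domain, ip) pairs
    untrusted_access: Set[Tuple[str, str]] = field(default_factory=set)  # (domain, ip) pairs

    def check(self, domain: str, ip: str, client_hello: bytes,
              cert: ServerCertificate) -> Verdict:
        """Run the FIG. 2 flow for one preferentially charged connection."""
        key = (domain, ip)
        if key in self.trusted_access:        # step 201 -> 209
            return Verdict.NO_FRAUD
        if key in self.untrusted_access:      # step 202 -> 210
            return Verdict.FRAUD
        # step 203: client_hello is the recorded first-handshake information
        # step 204: certificate must be in the trusted set AND name the requested domain
        if cert.cert_id not in self.trusted_certs or cert.domain != domain:
            return Verdict.FRAUD              # -> step 210; the pair is not cached
        # steps 205/206: replay the recorded hello as the second handshake
        if self.probe(ip, client_hello):
            self.trusted_access.add(key)      # step 208
            return Verdict.NO_FRAUD
        self.untrusted_access.add(key)        # step 207
        return Verdict.FRAUD


def sni_hello(domain: str) -> bytes:
    """Constructed encoding of a recorded ClientHello reduced to its SNI value."""
    return b"ClientHello sni=" + domain.encode("ascii")


class SimulatedNetwork:
    """Constructed model of the SP servers behind the gateway (an assumption, not real TLS).

    Each IP hosts one domain and completes the replayed handshake only if the
    ClientHello's SNI names that domain. A server that accepted the UE's hello
    but refuses the gateway's replay is exactly the signal the method looks for.
    """

    def __init__(self, hosted: Dict[str, str]) -> None:
        self.hosted = hosted                  # ip -> domain actually served there
        self.probe_calls = 0                  # lets a caller confirm the sets short-circuit

    def handshake(self, ip: str, client_hello: bytes) -> bool:
        self.probe_calls += 1
        served = self.hosted.get(ip)
        return served is not None and client_hello == sni_hello(served)


def run_scenarios() -> Tuple[Dict[str, Verdict], int]:
    """Three constructed flows: honest server, certificate/domain mismatch, replay refused."""
    net = SimulatedNetwork({"203.0.113.10": "free.example.net",
                            "203.0.113.20": "other.example.net"})
    det = FraudDetector(trusted_certs={"cert-free-example"}, probe=net.handshake)
    cert_ok = ServerCertificate("cert-free-example", "free.example.net")
    cert_other = ServerCertificate("cert-free-example", "other.example.net")
    hello = sni_hello("free.example.net")     # what the UE sent for the zero-rated domain
    results = {
        # the server at .10 really serves the preferentially charged domain
        "honest": det.check("free.example.net", "203.0.113.10", hello, cert_ok),
        # certificate does not name the requested domain: step 204 fails, no probe sent
        "cert_mismatch": det.check("free.example.net", "203.0.113.20", hello, cert_other),
        # trusted certificate presented, but the server at .20 will not complete the replay
        "replay_refused": det.check("free.example.net", "203.0.113.20", hello, cert_ok),
    }
    # a second look at the honest pair is answered from the trusted set (steps 201/209)
    results["honest_cached"] = det.check("free.example.net", "203.0.113.10", hello, cert_ok)
    return results, net.probe_calls
```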
Refer to FIG. 3, which is a schematic diagram of signaling interaction in a charging fraud detection method according to an embodiment of the present invention. The method of this embodiment can be divided into three phases: the first phase is the TCP handshake between the UE and the server, the second phase is the TLS handshake between the UE and the server, and the third phase is handshake verification. They are described in detail below:
In the TCP handshake phase, the detection apparatus obtains the IP address of the server the UE requests to access from the TCP SYN request the UE sends to the server, and queries the DNS records to obtain the domain name corresponding to that IP address. If the pre-configured charging policy corresponding to that domain name is a preferential charging policy, charging fraud detection is required. In addition, the domain name the UE requests to access may also be obtained in the TLS handshake phase; FIG. 3 uses acquisition of the domain name in the TCP handshake phase only as an example.
In the TLS handshake phase (that is, the first TLS handshake), when charging fraud detection is required, the detection apparatus extracts the SNI parameter carried in the ClientHello message the UE sends to the server to obtain the domain name the UE requests to access, and determines whether the correspondence between the domain name the UE requests to access and the IP address belongs to the trusted access set and/or the untrusted access set. If the correspondence belongs to neither the trusted access set nor the untrusted access set, the TLS handshake information is recorded. After the server returns its certificate, the apparatus determines whether the certificate returned by the server is valid; if it is valid, the handshake verification phase is entered.
In the handshake verification phase, the detection apparatus may use the recorded handshake information to initiate a TLS handshake (that is, the second TLS handshake) to the server. If the second TLS handshake fails, it determines that charging fraud exists, charges normally thereafter, and stores the correspondence between the domain name the UE requests to access and the IP address in the untrusted access set. If the second TLS handshake succeeds, it determines that no charging fraud exists, charges preferentially thereafter, and stores the correspondence between the domain name the UE requests to access and the IP address in the trusted access set.
The charging fraud detection apparatus provided by an embodiment of the present invention is described below. The charging fraud detection apparatus may be implemented on a unified packet gateway (UGW) or on other network devices having the UGW function. Referring to FIG. 4, the charging fraud detection apparatus of this embodiment includes:
a recording unit 401, configured to record, when the charging policy corresponding to the domain name the user equipment (UE) requests to access is a preferential charging policy, the handshake information transmitted while a first Transport Layer Security (TLS) handshake is established between the UE and a server;
a handshake verification unit 402, configured to establish a second TLS handshake with the server using the handshake information recorded by the recording unit 401;
a first judging unit 403, configured to determine whether the second TLS handshake is established successfully;
a determining unit 404, configured to determine that no charging fraud exists when the second TLS handshake is established successfully, and to determine that charging fraud exists when the second TLS handshake fails.
Further, the apparatus of this embodiment also includes:
a set maintenance unit 405, configured to store the correspondence between the domain name the UE requests to access and the Internet Protocol (IP) address in a trusted access set when the determining unit 404 determines that no charging fraud exists, and to store the correspondence between the domain name the UE requests to access and the IP address in an untrusted access set when the determining unit 404 determines that charging fraud exists.
Further, the apparatus of this embodiment also includes:
a second judging unit 406, configured to determine whether the correspondence between the domain name the UE requests to access and the IP address belongs to the trusted access set and/or the untrusted access set; if the correspondence belongs to neither the trusted access set nor the untrusted access set, the recording unit 401 records the handshake information transmitted while the first TLS handshake is established between the UE and the server.
Further, the apparatus of this embodiment also includes:
a third judging unit 407, configured to determine whether the certificate returned by the server is valid; if it is valid, the handshake verification unit 402 establishes the second TLS handshake with the server using the recorded handshake information, and if it is invalid, the determining unit 404 determines that charging fraud exists.
Further, the certificate returned by the server being valid includes: the certificate returned by the server belongs to a trusted certificate set, and the domain name in the certificate returned by the server is consistent with the domain name the UE requests to access.
The apparatus described in this embodiment of the present invention can perform the method described in the embodiment shown in FIG. 2; for its technical implementation and technical effects, refer to the detailed description of the embodiment shown in FIG. 2, which is not repeated here.
FIG. 5 is another schematic structural diagram of a charging fraud detection apparatus according to an embodiment of the present invention. The charging fraud detection apparatus of this embodiment includes a processor 501 and a memory 502 connected by a communication bus. The memory 502 stores instructions implementing the charging fraud detection method shown in FIG. 2, and the processor 501, by retrieving the instructions from the memory 502, can perform the charging fraud detection method described in the embodiment shown in FIG. 2.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may be referred to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and another division may be used in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
When the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the present invention essentially, or the part contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The foregoing embodiments are merely intended to describe the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that modifications may still be made to the technical solutions described in the foregoing embodiments, or equivalent replacements may be made to some of their technical features, without the essence of the corresponding technical solutions departing from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (12)

  1. A method for detecting charging fraud, characterized in that it comprises:
    when the charging policy corresponding to the domain name that a user equipment (UE) requests to access is a preferential charging policy, a charging fraud detection apparatus records the handshake information transmitted while a first Transport Layer Security (TLS) handshake is established between the UE and a server;
    the charging fraud detection apparatus establishes a second TLS handshake with the server using the recorded handshake information;
    the charging fraud detection apparatus determines whether the second TLS handshake is established successfully;
    if the second TLS handshake is established successfully, the charging fraud detection apparatus determines that no charging fraud exists; if establishment of the second TLS handshake fails, the charging fraud detection apparatus determines that charging fraud exists.
  2. The method according to claim 1, characterized in that the method further comprises:
    when it is determined that no charging fraud exists, the charging fraud detection apparatus stores the correspondence between the domain name the UE requests to access and the Internet Protocol (IP) address in a trusted access set;
    when it is determined that charging fraud exists, the charging fraud detection apparatus stores the correspondence between the domain name the UE requests to access and the IP address in an untrusted access set.
  3. The method according to claim 2, characterized in that, before recording the handshake information transmitted while the first TLS handshake is established between the UE and the server, the method further comprises:
    the charging fraud detection apparatus determines whether the correspondence between the domain name the UE requests to access and the IP address belongs to the trusted access set and/or the untrusted access set;
    if the correspondence between the domain name the UE requests to access and the IP address belongs neither to the trusted access set nor to the untrusted access set, the charging fraud detection apparatus performs the step of recording the handshake information transmitted while the first TLS handshake is established between the UE and the server.
  4. The method according to claim 3, characterized in that, before establishing the second TLS handshake with the server using the recorded handshake information, the method further comprises:
    the charging fraud detection apparatus determines whether the certificate returned by the server is valid;
    if it is valid, the charging fraud detection apparatus performs the step of establishing the second TLS handshake with the server using the recorded handshake information; if it is invalid, the charging fraud detection apparatus determines that charging fraud exists.
  5. The method according to claim 4, characterized in that the certificate returned by the server being valid comprises: the certificate returned by the server belongs to a trusted certificate set, and the domain name in the certificate returned by the server is consistent with the domain name the UE requests to access.
  6. A charging fraud detection apparatus, characterized in that it comprises:
    a recording unit, configured to record, when the charging policy corresponding to the domain name that a user equipment (UE) requests to access is a preferential charging policy, the handshake information transmitted while a first Transport Layer Security (TLS) handshake is established between the UE and a server;
    a handshake verification unit, configured to establish a second TLS handshake with the server using the handshake information recorded by the recording unit;
    a first judging unit, configured to determine whether the second TLS handshake is established successfully;
    a determining unit, configured to determine that no charging fraud exists when the second TLS handshake is established successfully, and to determine that charging fraud exists when establishment of the second TLS handshake fails.
  7. The apparatus according to claim 6, characterized in that the apparatus further comprises:
    a set maintenance unit, configured to store the correspondence between the domain name the UE requests to access and the Internet Protocol (IP) address in a trusted access set when the determining unit determines that no charging fraud exists, and to store the correspondence between the domain name the UE requests to access and the IP address in an untrusted access set when the determining unit determines that charging fraud exists.
  8. The apparatus according to claim 7, characterized in that the apparatus further comprises:
    a second judging unit, configured to determine whether the correspondence between the domain name the UE requests to access and the IP address belongs to the trusted access set and/or the untrusted access set; if the correspondence between the domain name the UE requests to access and the IP address belongs neither to the trusted access set nor to the untrusted access set, the recording unit records the handshake information transmitted while the first TLS handshake is established between the UE and the server.
  9. The apparatus according to claim 8, characterized in that the apparatus further comprises:
    a third judging unit, configured to determine whether the certificate returned by the server is valid; if it is valid, the handshake verification unit establishes the second TLS handshake with the server using the recorded handshake information; if it is invalid, the determining unit determines that charging fraud exists.
  10. The apparatus according to claim 9, characterized in that the certificate returned by the server being valid comprises: the certificate returned by the server belongs to a trusted certificate set, and the domain name in the certificate returned by the server is consistent with the domain name the UE requests to access.
  11. The apparatus according to any one of claims 6 to 10, characterized in that the charging fraud detection apparatus is a unified packet gateway (UGW).
  12. A charging fraud detection apparatus, characterized in that it comprises a processor and a memory, the processor and the memory being connected through a communication bus, the memory storing instructions that implement the charging fraud detection method according to any one of claims 1 to 5, and the processor fetching the instructions from the memory being able to execute the charging fraud detection method according to any one of claims 1 to 5.
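As an added example (not code from the patent), the following Python model walks through the detection procedure of claims 1 to 5: the SNI and server IP recorded from the UE's first handshake, the certificate check of claims 4 and 5, the replayed second handshake of claim 1, and the trusted/untrusted access sets of claims 2 and 3. The second handshake and the certificates are simulated with constructed values so it runs offline; SimulatedNetwork, the IP addresses, names and issuer strings are all assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Certificate:
    names: tuple        # subject CN / SAN names the server presented
    issuer: str         # issuing CA

@dataclass(frozen=True)
class HandshakeInfo:
    domain: str         # SNI recorded from the UE's ClientHello in the first handshake
    ip: str             # server IP the UE connected to

def name_matches(pattern, domain):
    """Exact match, or a leading '*.' that covers exactly one label (RFC 6125 style)."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return domain.endswith("." + base) and domain.count(".") == base.count(".") + 1
    return pattern.lower() == domain.lower()

class SimulatedNetwork:
    """Constructed stand-in for the real servers: which names each IP actually serves."""
    def __init__(self, hosted):
        self.hosted, self.calls = hosted, 0
    def replay(self, ip, sni):  # the detector's second TLS handshake, simulated
        self.calls += 1
        return sni in self.hosted.get(ip, set())

class ChargingFraudDetector:
    def __init__(self, preferential_domains, trusted_issuers, replay):
        self.preferential = set(preferential_domains)
        self.trusted_issuers = set(trusted_issuers)
        self.replay = replay               # callable(ip, sni) -> bool
        self.trusted_access = set()        # (domain, ip) pairs verified legitimate (claim 2)
        self.untrusted_access = set()      # (domain, ip) pairs found fraudulent (claim 2)
    def certificate_valid(self, cert, domain):
        """Claim 5: trusted issuer and a presented name matching the requested domain."""
        return cert.issuer in self.trusted_issuers and any(
            name_matches(n, domain) for n in cert.names)

    def check(self, hs, cert):
        """Returns 'normal' (no check needed), 'ok' (no fraud) or 'fraud'."""
        if hs.domain not in self.preferential:   # only preferential domains are verified
            return "normal"
        key = (hs.domain, hs.ip)
        if key in self.trusted_access or key in self.untrusted_access:  # claim 3: cached verdict
            return "ok" if key in self.trusted_access else "fraud"
        # claim 4: invalid certificate is fraud without replaying; claim 1: replay otherwise
        ok = self.certificate_valid(cert, hs.domain) and self.replay(hs.ip, hs.domain)
        (self.trusted_access if ok else self.untrusted_access).add(key)
        return "ok" if ok else "fraud"
```

A real deployment would replace SimulatedNetwork.replay with an actual TLS ClientHello sent to the recorded IP, and the cached sets are what keep that replay from being repeated for every flow.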

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/094592 WO2017079980A1 (en) 2015-11-13 2015-11-13 Charging fraud detection method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/094592 WO2017079980A1 (en) 2015-11-13 2015-11-13 Charging fraud detection method and apparatus

Publications (1)

Publication Number Publication Date
WO2017079980A1 true WO2017079980A1 (en) 2017-05-18

Family

ID=58694656

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/094592 WO2017079980A1 (en) 2015-11-13 2015-11-13 Charging fraud detection method and apparatus

Country Status (1)

Country Link
WO (1) WO2017079980A1 (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7228291B2 (en) * 2000-03-07 2007-06-05 International Business Machines Corporation Automated trust negotiation
US20040210756A1 (en) * 2003-04-15 2004-10-21 Microsoft Corporation Pass-thru for client authentication
CN101449257A (en) * 2006-05-26 2009-06-03 Microsoft Corporation Policy driven, credential delegation for single sign on and secure access to network resources
CN102948131A (en) * 2010-04-21 2013-02-27 Citrix Systems, Inc. Systems and methods for split proxying of SSL via WAN appliances

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109383310A (en) * 2017-08-11 2019-02-26 Robert Bosch GmbH Method and apparatus for charging an electric vehicle
WO2019096308A1 (en) * 2017-11-17 2019-05-23 Huawei Technologies Co., Ltd. Method and device for identifying encrypted data stream
US11706254B2 (en) 2017-11-17 2023-07-18 Huawei Technologies Co., Ltd. Method and apparatus for identifying encrypted data stream

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 15908110; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 15908110; Country of ref document: EP; Kind code of ref document: A1