CN105516165B - A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud - Google Patents

A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud Download PDF

Info

Publication number
CN105516165B
CN105516165B CN201510969780.5A CN201510969780A CN105516165B CN 105516165 B CN105516165 B CN 105516165B CN 201510969780 A CN201510969780 A CN 201510969780A CN 105516165 B CN105516165 B CN 105516165B
Authority
CN
China
Prior art keywords
address
server
equipment
core network
proxy server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510969780.5A
Other languages
Chinese (zh)
Other versions
CN105516165A (en
Inventor
王彩娟
朱璎
郑磊斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201510969780.5A priority Critical patent/CN105516165B/en
Publication of CN105516165A publication Critical patent/CN105516165A/en
Priority to PCT/CN2016/109060 priority patent/WO2017107780A1/en
Application granted granted Critical
Publication of CN105516165B publication Critical patent/CN105516165B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4552Lookup mechanisms between a plurality of directories; Synchronisation of directories, e.g. metadirectories
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a kind of methods of identification charging fraud illegally acted on behalf of, comprising: equipment of the core network obtains the IP address of the purpose network address URL and destination server that carry in service message;The equipment of the core network searches the IP address of server corresponding with the purpose network address from the white list pre-established, the corresponding relationship of the IP address comprising free address and legal server in the white list;When not including the IP address of the destination server in the IP address of server corresponding with the purpose network address, the equipment of the core network identifies that the destination server is doubtful illegal proxy server.The method of identification charging fraud provided in an embodiment of the present invention illegally acted on behalf of, can accurately identify the illegal agency for charging fraud, to be effectively blocked charging fraud.

Description

A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud
Technical field
The present invention relates to technical field of network security, and in particular to it is a kind of identification charging fraud the method illegally acted on behalf of, Equipment and system.
Background technique
With the large scale deployment of economic development and mobile communication market, traditional voice and novel " flow " business are wide It is general to be applied and promoted.But in some areas, mobile network's flow rate are more expensive, in this background, on network just In the presence of the behavior for much carrying out charging fraud using preferential charging policy loophole.Such as: charging execution function entity (Policy And Charging Enforcement Function, PCEF) on be provided with free packaged service filter condition (0.facebook.com), user want access to the business of payment using the condition that freely comes, in user (www.test.com) when, the true access service message (www.test.com) paid will be needed to disguise oneself as coin free service message (0.facebook.com/www.test.com).After camouflage message is by Charging Detection, camouflage message is sent to agency service On device.Proxy server ignore charging fraud, obtain user's actual services network address (Uniform Resource Locator, URL) (www.test.com), is forwarded to service server.Equally, user's downlink message can also turn after proxy server is handled It is dealt on PCEF, is then forwarded on user equipment, preferential rate access actual services are obtained in realization by cheating.
For this kind of camouflage message, the network address of actual services always ceaselessly replaces hiding field, leads to developer It always needs ceaselessly to upgrade, as long as the Web address field of actual services is slightly changed in camouflage message, will can't detect.
For above-mentioned hypertext transfer protocol present in network (Hypertext transfer protocol, HTTP) Charging cheat scene, PCEF can obtain in advance the proxy server of fraud internet protocol (Internet Protocol, IP) address, but the IP address that industrial chain can replace the proxy server of fraud at any time is cheated, lead to the agency service to fraud The identification inaccuracy of device.
Summary of the invention
Very poor to the recognition effect of charging fraud in the prior art in order to solve the problems, such as, the embodiment of the present invention provides one kind The method illegally acted on behalf of for identifying charging fraud can accurately identify the illegal agency for charging fraud, thus effectively Block charging fraud.The embodiment of the invention also provides corresponding equipment and systems.
First aspect present invention provides a kind of method of identification charging fraud illegally acted on behalf of, and this method is applied to communication system The equipment of the core network of system, independent PCEF, the GGSN/PGW for being embedded with PCEF, visualization device, DNS in communication system Server etc. belongs to equipment of the core network, which comprises equipment of the core network obtains the purpose network address carried in service message The IP address of URL and destination server;The equipment of the core network is searched and the purpose network address from the white list pre-established The IP address of corresponding server, the corresponding relationship of the IP address comprising free address and legal server in the white list; When not including the IP address of the destination server in the IP address of server corresponding with the purpose network address, the core Net equipment identifies that the destination server is doubtful illegal proxy server.With the identification cheated charging is imitated in the prior art The very poor problem of fruit is compared, and the method for identification charging fraud provided in an embodiment of the present invention illegally acted on behalf of can accurately be known Not Yong Yu charging fraud illegal agency, thus be effectively blocked charging fraud.
Optionally, it is described after the equipment of the core network identifies that the destination server is doubtful illegal proxy server Method further include:
The IP address of the destination server is added in gray list by the equipment of the core network, includes in the gray list Corresponding relationship between the free address and the IP address of the doubtful illegal proxy server.
Optionally, the method also includes:
The equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in the gray list, the flow Accounting is the ratio of free flow and total flow on the doubtful illegal proxy server;
Flow accounting described in preset time period is higher than the doubtful illegal generation of the first preset threshold value by the equipment of the core network The IP address of reason server is transferred in blacklist, and the free address and illegal proxy server are included in the blacklist Corresponding relationship between IP address.
Optionally, the method also includes:
The equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in the gray list, the flow Accounting is the ratio of free flow and total flow on the doubtful illegal proxy server;
Flow accounting described in preset time period is lower than the doubtful illegal generation of the second preset threshold value by the equipment of the core network The IP address of reason server is transferred in the white list.
Optionally, the method also includes
The equipment of the core network obtains the legal network address of domain name message;
When the legal network address is free address, dns response report that the equipment of the core network is sent from name server The IP address of legal server corresponding with the legal network address is obtained in text;
The equipment of the core network is by the corresponding addition of IP address of the legal network address and the corresponding legal server Into the white list.
Optionally, it is described after the equipment of the core network identifies that the destination server is doubtful illegal proxy server Method further include:
The equipment of the core network handles the service message according to for the prevention and control strategy illegally acted on behalf of.
Second aspect of the present invention provides a kind of equipment of the core network, is applied to communication system, independent PCEF in communication system, GGSN/PGW, visualization device, the DNS Server etc. for being embedded with PCEF belong to equipment of the core network, and equipment of the core network includes:
Acquiring unit, for obtaining the IP address of the purpose network address URL and destination server that carry in service message;
Searching unit, for searching the purpose network address obtained with the acquiring unit from the white list pre-established The IP address of corresponding server, the corresponding relationship of the IP address comprising free address and legal server in the white list;
Recognition unit, for the IP address when server corresponding with the purpose network address that the searching unit is found In do not include the destination server IP address when, identify the destination server be doubtful illegal proxy server.
Compared with problem very poor to the recognition effect cheated charging in the prior art, core provided in an embodiment of the present invention Heart net equipment can accurately identify the illegal agency for charging fraud, to be effectively blocked charging fraud.
Optionally, the equipment of the core network further include:
First adding unit, for identifying that the destination server is doubtful illegal proxy server in the recognition unit Later, the IP address of the destination server is added in gray list, includes the free address and institute in the gray list State the corresponding relationship between the IP address of doubtful illegal proxy server.
Optionally, the equipment of the core network further include:
First monitoring unit, it is described for monitoring the flow accounting of the doubtful illegal proxy server in the gray list Flow accounting is the ratio of free flow and total flow on the doubtful illegal proxy server;
First buanch unit, the flow accounting for monitoring the first monitoring unit described in preset time period are higher than first The IP address of the doubtful illegal proxy server of preset threshold value is transferred in blacklist, includes the freenet in the blacklist Corresponding relationship between location and the IP address of illegal proxy server.
Optionally, the equipment of the core network further include:
Second monitoring unit, it is described for monitoring the flow accounting of the doubtful illegal proxy server in the gray list Flow accounting is the ratio of free flow and total flow on the doubtful illegal proxy server;
Second buanch unit, the flow accounting for monitoring the second monitoring unit described in preset time period are lower than second The IP address of the doubtful illegal proxy server of preset threshold value is transferred in the white list.
Optionally, the equipment of the core network further include: the second adding unit,
The acquiring unit is also used to obtain the legal network address of domain name message, when the legal network address is free address, The IP address of legal server corresponding with the legal network address is obtained from the dns response message that name server is sent;
Second adding unit, for the acquiring unit to be obtained the legal network address and acquiring unit acquisition The IP address of the corresponding legal server corresponding be added in the white list.
Optionally, the equipment of the core network further include:
Processing unit, for the recognition unit identify the destination server be doubtful illegal proxy server it Afterwards, according to for the prevention and control strategy illegally acted on behalf of, the service message is handled.
Third aspect present invention provides a kind of equipment of the core network, is applied to communication system, independent PCEF in communication system, GGSN/PGW, visualization device, the DNS Server etc. for being embedded with PCEF belong to equipment of the core network, and equipment of the core network includes: Transceiver, processor and memory are stored with the journey illegally acted on behalf of that processor executes identification charging fraud in the memory Sequence;
Processor is for executing following steps:
Obtain the IP address of the purpose network address URL and destination server that carry in service message;
The IP address of server corresponding with the purpose network address, the white list are searched from the white list pre-established In the IP address comprising free address and legal server corresponding relationship;
When not including the IP address of the destination server in the IP address of server corresponding with the purpose network address, Identify that the destination server is doubtful illegal proxy server.
Optionally, the processor is also used to for the IP address of the destination server being added in gray list, the ash Include the corresponding relationship between the free address and the IP address of the doubtful illegal proxy server in list.
Optionally, the flow that the processor is also used to monitor the doubtful illegal proxy server in the gray list accounts for Than the flow accounting is the ratio of free flow and total flow on the doubtful illegal proxy server;By preset time period The IP address that the interior flow accounting is higher than the doubtful illegal proxy server of the first preset threshold value is transferred in blacklist, described Include the corresponding relationship between the free address and the IP address of illegal proxy server in blacklist.
Optionally, the flow that the processor is also used to monitor the doubtful illegal proxy server in the gray list accounts for Than the flow accounting is the ratio of free flow and total flow on the doubtful illegal proxy server;By preset time period The interior flow accounting is transferred in the white list lower than the IP address of the doubtful illegal proxy server of the second preset threshold value.
Optionally, the processor is also used to obtain the legal network address of domain name message;When the legal network address is freenet When location, the IP of legal server corresponding with the legal network address is obtained from the dns response message that name server is sent Location;It is added to the IP address of the legal network address and the corresponding legal server is corresponding in the white list.
Optionally, the processor is also used to handle the service message according to for the prevention and control strategy illegally acted on behalf of.
Fourth aspect present invention provides the system of a kind of identification charging fraud illegally acted on behalf of, comprising: charge execution function Entity PCEF and name server,
The PCEF is equipment of the core network described in above-mentioned second aspect or any optional implementation of second aspect.
Fifth aspect present invention provides the system of a kind of identification charging fraud illegally acted on behalf of, comprising: charge execution function Entity PCEF, visualization device and name server,
Equipment of the core network described in the above-mentioned second aspect of the visualization device or any optional implementation of second aspect.
Compared with problem very poor to the recognition effect cheated charging in the prior art, knowledge provided in an embodiment of the present invention The system of other charging fraud illegally acted on behalf of, can accurately identify the illegal agency for charging fraud, to effectively hinder Disconnected charging fraud.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, make required in being described below to embodiment Attached drawing is briefly described, it should be apparent that, drawings in the following description are only some embodiments of the invention, for For those skilled in the art, without creative efforts, it can also be obtained according to these attached drawings other attached Figure.
Fig. 1 is an embodiment schematic diagram of communication system in the embodiment of the present invention;
Fig. 2 is the embodiment schematic diagram that the system of charging fraud illegally acted on behalf of is identified in the embodiment of the present invention;
Fig. 3 is grey, white, blacklist content transfer schematic diagram in the embodiment of the present invention;
Fig. 4 is the embodiment schematic diagram that the process of white list is established in the embodiment of the present invention;
Fig. 5 is another embodiment schematic diagram that the process of white list is established in the embodiment of the present invention;
Fig. 6 is the embodiment schematic diagram that the method for charging fraud illegally acted on behalf of is identified in the embodiment of the present invention;
Fig. 7 is an embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Fig. 8 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Fig. 9 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Figure 10 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Figure 11 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Figure 12 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention;
Figure 13 is another embodiment schematic diagram of equipment of the core network in the embodiment of the present invention.
Specific embodiment
The embodiment of the present invention provides a kind of method of identification charging fraud illegally acted on behalf of, and can accurately identify based on Take the illegal agency of fraud, to be effectively blocked charging fraud.The embodiment of the invention also provides corresponding equipment and systems. It is described in detail separately below.
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete Site preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on Embodiment in the present invention, those skilled in the art's every other implementation obtained without creative efforts Example, shall fall within the protection scope of the present invention.
Fig. 1 is an embodiment schematic diagram of communication system in the embodiment of the present invention.
Refering to fig. 1, an embodiment of communication system provided in an embodiment of the present invention includes: user equipment (User Equipment, UE), resident access net (Residential Access Network, RAN), charging execution function entity (Policy and Charging Enforcement Function, PCEF), ticketing equipment (Billing), visualization Equipment, name server (Domain Name System Server, DNS Server) and service provider (Service Provider, SP) provided by service server.Wherein, UE it is upper helpful user can be installed and obtained in a fraudulent manner exempt from Take the client of flow or preferential flow.It may include the radio reception devices such as base station or evolution base station in RAN.PCEF can With built in version insertion Gateway GPRS Support Node (Gateway GPRS Support Node, GGSN) or packet switch Gateway (Packet Data Network Gateway, PGW), can also be independently arranged PCEF.Operator passes through Billing points Service log-on information and charging identifier management with flow service identification and customer flow implement on-line/off-line charging function Energy.Visualization device can show the data cases of network, for the timely awareness network data of operator.DNS Server can be incited somebody to action Domain name is converted into the IP address that network can identify.Wherein, independent PCEF, the GGSN/PGW for being embedded with PCEF, visualization are set Standby, DNS Server etc. belongs to equipment of the core network.
The core network device of identification charging fraud illegally acted on behalf of mainly includes independence provided by the embodiment of the present invention PCEF, be embedded with the GGSN/PGW of PCEF, or the visualization device of the illegal agent capability with identification charging fraud.
Fig. 2 is an embodiment schematic diagram of the system of identification charging fraud illegally acted on behalf of in the embodiment of the present invention.
Below with reference to Fig. 2, illustrate in the embodiment of the present invention by independent PCEF (it is of course also possible to be to be embedded with PCEF GGSN/PGW) identification charging fraud the process illegally acted on behalf of:
PCEF receives the service message that the user equipment that RAN is transmitted issues, the purpose net carried in the service message The IP address of location URL and destination server;Such as: purpose network address is www.***.com, and the IP address of destination server is 74.125.71.120。
PCEF obtains URL from the network layer of service message, and the IP address of destination server is obtained from IP layers.
PCEF searches the IP address of server corresponding with the purpose network address from the white list pre-established, described white The corresponding relationship of IP address comprising free address and legal server in list.
Because main function is to prevent the proxy server with flow fraud function to cheat in the embodiment of the present invention Mode obtain free flow, naturally it is also possible to including preferential flow, thus the network address in white list be all free address or Preferential network address, when PCEF finds www.***.com from white list, then can determine in white list with The IP address of the corresponding legal server of www.***.com network address, detailed process can be understood refering to table 1: such as table 1 It is shown:
Table 1: white list
The IP address of legal server corresponding to www.***.com can be determined from table 1.
When the IP address for not including the destination server in the IP address of server corresponding with the purpose network address URL When, PCEF identifies that the destination server is doubtful illegal proxy server.
Do not include purpose from the IP address that can determine legal server corresponding to www.***.com in table 1 to take The IP address 74.125.71.120 of business device.Certainly, it assumes that herein in table 1 in IP address corresponding to www.***.com Omitting in the IP address being not written out does not include the purpose IP address, then can determine that IP address is the service of 74.125.71.120 Device is doubtful illegal proxy server.In view of might have identification fault, so the proxy server drawing that not will identify that is black, And be defined as doubtful illegal proxy server, by further monitoring and observation determine again doubtful illegal proxy server whether be Real illegal proxy server.
, can be by prevention and control strategy after identifying doubtful illegal proxy server, such as obstruction returns toll rate and bandwidth The modes such as limitation are lost to reduce operator.
After PCEF identifies that the destination server is doubtful illegal proxy server, by the IP address of the destination server Be added in gray list, the IP address in the gray list comprising the free address and the doubtful illegal proxy server it Between corresponding relationship.
PCEF can carry out the doubtful illegal proxy server in gray list to continue monitoring, thus further qualitative doubtful non- Method proxy server.
PCEF monitors the flow accounting of the doubtful illegal proxy server in the gray list, and the flow accounting is described The ratio of free flow and total flow on doubtful illegal proxy server, that is, exempted from based on doubtful illegal proxy server IP Take the ratio of flow and total flow;
Flow accounting described in preset time period is higher than the doubtful illegal proxy server of the first preset threshold value by PCEF IP address is transferred in blacklist, comprising between the free address and the IP address of illegal proxy server in the blacklist Corresponding relationship.
Flow accounting described in preset time period is lower than to the IP of the doubtful illegal proxy server of the second preset threshold value Location is transferred in the white list.
First preset threshold value and the second preset threshold value can be pre-set values, the first preset threshold value and second preset Threshold value can be adjusted dynamically according to demand.
PCEF continues to monitor the flow under each IP address in gray list, records the flow accounting of free flow/total flow, If being higher than preconfigured blacklist threshold value, such as 90%, that is, the first preset threshold value, then flow accounting then will be higher than 90% IP address be transferred in blacklist list.If being lower than preconfigured white list threshold value, such as 50%, that is, the second preset threshold Flow accounting is then transferred in white list by value lower than the address 50%IP.
Such as: as shown in figure 3, PCEF monitors the flow accounting in gray list under some IP address higher than the first preset threshold Value illustrates that the corresponding doubtful illegal proxy server of the IP address is illegal proxy server, is then transferred to the IP address black In list, charging antifraud system can be inputted for the IP address in blacklist and is handled, it can also for these IP The corresponding server in location is traced to its source, and the legal liabilities that the personnel of these illegal proxy servers are arranged are investigated.PCEF prison It controls some IP address down-off accounting in gray list and is lower than the second preset threshold value, illustrate the IP address corresponding doubtful illegal generation Reason server is legal proxy server, then the IP address is transferred in white list.
Wherein, the first preset threshold value and the second preset threshold value can be adjusted according to demand, not limited specific value It is fixed.
May exist the switch of an automatic blacklist in the embodiment of the present invention, blacklist can also need to prop up with manual configuration It holds from gray list and is automatically converted to blacklist.Blacklist needs aging, if what is marked in blacklist in predetermined amount of time is non- Method proxy server does not have service message, then the IP address of the illegal proxy server, that is, timing are deleted from blacklist Refresh blacklist, no longer valid IP address is deleted from blacklist.
Embodiments described above can accurately identify the illegal agency for charging fraud, to effectively hinder Disconnected charging fraud.
Described above is all the use to white list, gray list and blacklist, be described below white list, gray list and The adaptive establishment process of blacklist:
The corresponding relationship of the IP address of pre-registered legal network address and legal server can be stored in name server. During white list is established in self study, white list is sky, including free address and legal server when original state IP address two arrange.
As shown in figure 4, PCEF obtains legal network address (URL) from the domain names message such as Get/POST/Connect, then Confirm whether the legal network address belongs to free address, free RG according to already present free rate group (Rating Group, RG) In include registered all free addresses.When confirming the legal network address is free address, then the legal network address is added to In the free address column of white list.When URL is www.***.com, obtained white list is as shown in table 2:
Table 2: white list
Freely (preferential) network address The IP address of legal server
www.***.com
Then, as shown in figure 5, PCEF obtains www.***.com from name server by dns response message and closes The corresponding relationship of the IP address of method server, it is assumed that the IP address of the legal server got be 74.125.71.104, 173.194.64.199,…….Then corresponding IP address is added in white list again, obtains white list as shown in table 3.
Table 3: white list
In this way, repeating process and the adding procedure of table 2 and table 3 corresponding to Fig. 4 and Fig. 5, so that it may establish automatically white List.
If the URL of certain request is in free url list but corresponding IP address is not in IP white list, the IP It is added to gray list.Content before this process has been described, about the content in gray list be transferred to white list or The process for being transferred to blacklist also has been described in aforementioned process, therefore it is no longer repeated here.
After establishing black, white, gray list, the black and white gray list of visualization device judgement fraud can also be notified:
PCEF notify each stream of Visualization Platform whether black/white/gray list, increase a field in source data.
Visualization Platform is counted for gray list, finds out suspicious black agency based on flow accounting and user's accounting etc..
Professional service is handled blacklist input charging antifraud system by the black agency of the confirmation such as packet capturing analysis.
Legal server IP is rejected under special screne, IP when disposing WAPGW is rejected, and normal WAPGW has free flow, Also there is charge flow.Different from actual purpose IP by the IP address of DNS query, WAPGW IP server enters gray list, so Judge that the flow accounting threshold value of WAPGW IP has charge flow, therefore can decide whether just for normal WAPGW afterwards Normal WAPGW.
When user is using UC, Operamini browser access business, user has several situations using UC browsing:
1, it is not turned on cloud acceleration, browser directly accesses ISP;
2, cloud to be opened to accelerate, partial service is accessed by the proxy server of UC, at this point, HOST is different from IP, into Enter gray list, is determined by IP global traffic accounting.
The cache class business such as user deploys CDN, cloud accelerates are come when deployment CDN or cloud acceleration from existing packet capturing It sees, network address will have CDN printed words, remove the IP of the website IP i.e. CDN of DNS query.
For example PCEF configuration * facebook* is free, when user accesses facebook, carries similar * The network address (this network address can be identified as freely in PCEF) of facebook.CDN.amazon.*, the IP of destination IP i.e. CDN Address.At this point, CDN IP is added into white list.
To cache class website, an IP can be used by multiple contents, if not free URL uses this IP, in PCEF meeting quilt Normal billing.
Server IP white list is collected by believable DNS message, identification Proxy agency avoids fraud industrial chain from passing through Forge DNS Server response message altered data.
In the embodiment of the present invention, after configuring free RG list, by counting free flow and total flow in preset time The case where accounting carries out being accurately positioned identification fraud proxy server IP, and operator cannot obtain information before solving.It can be with According to the fraud proxy server IP of PCEF self study in PCEF configuration prevention and control movement, such as obstruction returns toll rate, band tolerance System etc. lowers operator's loss.
Content described above is all using PCEF as executing subject, or to be embedded with the equipment of the core network of PCEF It is described as executing subject, in fact, can also be visualization device and PCEF cooperation to complete in the embodiment of the present invention Identification charging fraud the process illegally acted on behalf of:
It can be visualization device and establish white list, gray list and blacklist, after then PCEF receives service message, from The IP address of the purpose network address and destination server that carry in service message is parsed in service message, then PCEF is by purpose net The IP address of location and destination server is sent to visualization device, and doubtful illegal proxy server is identified by visualization device, And the flow accounting of the doubtful illegal proxy server of gray list is further monitored by visualization device, gray list is executed to white name Process performed by list, gray list to the content transfer between blacklist, detailed process and above-mentioned PCEF is essentially identical, herein not Excessive introduction is done again.
Visualization device according to free RG, can also count the TOP N Server IP of free flow.Visualization Platform branch Configuration free address list, inter-trust domain list of file names are held, free IP white list is learnt by DNS.The TOP Server of free flow After IP removes IP white list, remaining is considered as gray list.Visualization Platform counts the free flow, total of each Server IP simultaneously Flow, free flow accounting are supported to be exported from gray list according to customized free flow threshold, free flow accounting threshold value and be doubted IP like the IP blacklist list of fraud, in certain gray list, it may be possible to normal Proxy, such as UC browser, it is also possible to take advantage of Cheat the IP address of Proxy.For cheating Proxy, most flows are all free flows, can be at the beginning of the free flow accounting Step judgement fraud IP can further drill through the Top user of fraud for cheating Proxy IP.The report can carry out immediately Inquiry, timed task inquiry and transmission, attendant can further specify that blacklist/gray list IP is grabbed based on the report Packet analysis, to determine fraud and fraudulent mean.
The effect for identifying and controlling on PCEF can be showed in visualization device to operator.
The prior art is to cheat proxy server IP by manual identified, manual configuration to be reconfigured prevention and control movement.With it is existing Technology is compared, and this embodiment introduces the modes that new identification charging is cheated --- the proxy server IP of-automatic identification fraud, The automatic closed loop of charging fraud prevention and control can be achieved.
The IP address that credible dns server can be configured in visualization device can be operator's offer, can also be in net Shut inquiry DNS configuration, configure free address url list, such as now net facebook be it is free, then configure " * .facebook.*”。
Initially, IP white list is sky.
Meet following 3 conditions in source data: then the IP list in DNS TLV being saved in IP white list;
A, Server IP is credible dns server IP in source data;
B, protocol type is DNS;
C, DNS host and free URL can be matched in DNS TLV;
In addition Visualization Platform can direct configuration of IP white list, configure L3/L4 layer free regular field to adapt to gateway Scape.
In the embodiment of the present invention, Server IP white list is collected by believable DNS message, identification Proxy agency keeps away Exempt to cheat industrial chain by forging DNS Server response message altered data.
After configuring free RG list, free flow and total stream are counted by shunting user and server IP given time The case where amount accounting carries out being accurately positioned identification fraud proxy server IP, and operator cannot obtain information before solving.
Visualization Platform can indicate the fraud proxy server IP list of PCEF self study, and configure prevention and control movement.
The original demand that Visualization Platform acquires charge information on PCEF is not to derive from charging antifraud, but give Operator provides user's distribution situation for accessing business, and charging antifraud depends on original reported data, passes through Visualization Platform Processing closed loop self study cheat proxy server, existing networking and operation level framework are utilized to the greatest extent, is easy to portion Administration.
This embodiment introduces mode --- the proxy server IP of-automatic identification fraud of new identification charging fraud, can Realize the automatic closed loop of charging fraud prevention and control.And it is provided in an embodiment of the present invention identification charging fraud illegally act on behalf of be System also has the advantage that
Be applicable in wide: regardless of actual services image watermarking where, all will not influence fraud server ip judgement and Identification, the scope of application are wider.
Automatic study: after configuring coin free service RG list, the IP of the fraud proxy server by matching free RG The characteristics of location does not need manual configuration, is obtained by equipment self study, adapts to fraud proxy server IP dynamic change, improving can Maintainability.
Refering to Fig. 6, an embodiment of the method for identification charging fraud provided in an embodiment of the present invention illegally acted on behalf of includes:
101, equipment of the core network obtains the IP address of the purpose network address URL and destination server that carry in service message.
102, the equipment of the core network searches server corresponding with the purpose network address from the white list pre-established IP address, the corresponding relationship of the IP address comprising free address and legal server in the white list.
103, as the IP for not including the destination server in the IP address of server corresponding with the purpose network address When location, the equipment of the core network identifies that the destination server is doubtful illegal proxy server.
The embodiment of the present invention provides a kind of method of identification charging fraud illegally acted on behalf of, and can accurately identify based on Take the illegal agency of fraud, to be effectively blocked charging fraud.
Optionally, on the basis of above-mentioned Fig. 6 corresponding embodiment, identification charging fraud provided in an embodiment of the present invention In first alternative embodiment of the method illegally acted on behalf of, the equipment of the core network identifies that the destination server is doubtful illegal After proxy server, the method can also include:
The IP address of the destination server is added in gray list by the equipment of the core network, includes in the gray list Corresponding relationship between the free address and the IP address of the doubtful illegal proxy server.
Optionally, on the basis of first alternative embodiment of the method for above-mentioned identification charging fraud illegally acted on behalf of, In second alternative embodiment of the method for identification charging fraud provided in an embodiment of the present invention illegally acted on behalf of,
The equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in the gray list, the flow Accounting is the ratio of free flow and total flow on the doubtful illegal proxy server;
Flow accounting described in preset time period is higher than the doubtful illegal generation of the first preset threshold value by the equipment of the core network The IP address of reason server is transferred in blacklist, and the free address and illegal proxy server are included in the blacklist Corresponding relationship between IP address.
Optionally, on the basis of first alternative embodiment of the method for above-mentioned identification charging fraud illegally acted on behalf of, In the third alternative embodiment for the method for identification charging fraud provided in an embodiment of the present invention illegally acted on behalf of,
The equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in the gray list, the flow Accounting is the ratio of free flow and total flow on the doubtful illegal proxy server;
Flow accounting described in preset time period is lower than the doubtful illegal generation of the second preset threshold value by the equipment of the core network The IP address of reason server is transferred in the white list.
Optionally, on the basis of any embodiment for the method for above-mentioned identification charging fraud illegally acted on behalf of, the present invention In 4th alternative embodiment of the method for the identification charging fraud that embodiment provides illegally acted on behalf of, the method also includes
The equipment of the core network obtains the legal network address of domain name message;
When the legal network address is free address, dns response report that the equipment of the core network is sent from name server The IP address of legal server corresponding with the legal network address is obtained in text;
The equipment of the core network is by the corresponding addition of IP address of the legal network address and the corresponding legal server Into the white list.
Optionally, on the basis of any embodiment for the method for above-mentioned identification charging fraud illegally acted on behalf of, the present invention In 5th alternative embodiment of the method for the identification charging fraud that embodiment provides illegally acted on behalf of, the equipment of the core network is known The not described destination server is after doubtful illegal proxy server, the method can also include:
The equipment of the core network handles the service message according to for the prevention and control strategy illegally acted on behalf of.
The corresponding embodiment of Fig. 6 or any alternative embodiment can the description refering to fig. 1 to the part Fig. 5 understood, this It is no longer repeated at place.
Refering to Fig. 7, an embodiment of equipment of the core network 30 provided in an embodiment of the present invention includes:
Acquiring unit 301, for obtaining the IP address of the purpose network address and destination server that carry in service message;
Searching unit 302, for searching the mesh obtained with the acquiring unit 301 from the white list pre-established The corresponding server of network address IP address, it is corresponding with the IP address of legal server comprising free address in the white list Relationship;
Recognition unit 303, for when server corresponding with the purpose network address that the searching unit 302 is found When not including the IP address of the destination server in IP address, identify that the destination server is doubtful illegal agency service Device.
In the embodiment of the present invention, acquiring unit 301 obtains the purpose network address and destination server carried in service message IP address;Searching unit 302 searches the purpose network address obtained with the acquiring unit 301 from the white list pre-established The IP address of corresponding server, the corresponding relationship of the IP address comprising free address and legal server in the white list; Recognition unit 303 is not wrapped when in the IP address of server corresponding with the purpose network address that the searching unit 302 is found When IP address containing the destination server, identify that the destination server is doubtful illegal proxy server.The present invention is implemented The equipment of the core network that example provides can be identified accurately for the illegal agency of charging fraud, be taken advantage of to be effectively blocked charging Swindleness.
Optionally, on the basis of above-mentioned Fig. 7 corresponding embodiment, refering to Fig. 8, core net provided in an embodiment of the present invention In first alternative embodiment of equipment 30, the equipment of the core network 30 further include:
First adding unit 304, for identifying that the destination server is doubtful illegal agency in the recognition unit 303 After server, the IP address of the destination server is added in gray list, includes the freenet in the gray list Corresponding relationship between location and the IP address of the doubtful illegal proxy server.
Optionally, on the basis of above-mentioned Fig. 8 corresponding embodiment, refering to Fig. 9, core net provided in an embodiment of the present invention In second alternative embodiment of equipment 30, the equipment of the core network 30 further include:
First monitoring unit 305, for monitor first adding unit 304 be added to it is doubtful non-in the gray list The flow accounting of method proxy server, the flow accounting are free flow and total flow on the doubtful illegal proxy server Ratio;
First buanch unit 306, the flow accounting for monitoring the first monitoring unit 305 described in preset time period are high It is transferred in blacklist in the IP address of the doubtful illegal proxy server of the first preset threshold value, comprising described in the blacklist Corresponding relationship between free address and the IP address of illegal proxy server.
Optionally, on the basis of above-mentioned Fig. 8 corresponding embodiment, refering to fig. 10, core provided in an embodiment of the present invention In the third alternative embodiment of net equipment 30, the equipment of the core network 30 further include:
Second monitoring unit 307, for monitor first adding unit 304 be added to it is doubtful non-in the gray list The flow accounting of method proxy server, the flow accounting are free flow and total flow on the doubtful illegal proxy server Ratio;
Second buanch unit 308, the flow accounting for monitoring the second monitoring unit 307 described in preset time period are low It is transferred in the white list in the IP address of the doubtful illegal proxy server of the second preset threshold value.
Optionally, on the basis of above-mentioned Fig. 7 corresponding embodiment, refering to fig. 11, core provided in an embodiment of the present invention In 4th alternative embodiment of net equipment 30, the equipment of the core network further include: the second adding unit 309,
The acquiring unit 301 is also used to obtain the legal network address of domain name message, when the legal network address is free address When, the IP of legal server corresponding with the legal network address is obtained from the dns response message that name server is sent Location;
Second adding unit 309, for the acquiring unit 301 to be obtained the legal network address and acquisition list The IP address for the corresponding legal server that member obtains is corresponding to be added in the white list.
Optionally, on the basis of above-mentioned Fig. 7 corresponding embodiment, refering to fig. 12, core provided in an embodiment of the present invention In 5th alternative embodiment of net equipment 30, the equipment of the core network 30 further include:
Processing unit 311, for identifying that the destination server is doubtful illegal agency's clothes in the recognition unit 303 It is engaged in after device, according to for the prevention and control strategy illegally acted on behalf of, handles the service message.
Figure 13 is the structural schematic diagram of equipment of the core network 30 provided in an embodiment of the present invention.The equipment of the core network 30 includes Processor 310, memory 350 and input/output I/O equipment 330, memory 350 may include read-only memory and deposit at random Access to memory, and operational order and data are provided to processor 310.The a part of of memory 350 can also include non-volatile Random access memory (NVRAM).
In some embodiments, memory 350 stores following element, executable modules or data structures, or Their subset of person or their superset:
In embodiments of the present invention, by calling the operational order of the storage of memory 350, (operational order is storable in behaviour Make in system),
Obtain the IP address of the purpose network address and destination server that carry in service message;
The IP address of server corresponding with the purpose network address, the white list are searched from the white list pre-established In the IP address comprising free address and legal server corresponding relationship;
When not including the IP address of the destination server in the IP address of server corresponding with the purpose network address, Identify that the destination server is doubtful illegal proxy server.
Equipment of the core network provided in an embodiment of the present invention can accurately identify the illegal agency for charging fraud, from And it is effectively blocked charging fraud.
The operation of 310 control core net equipment 30 of processor, processor 310 can also be known as CPU (Central Processing Unit, central processing unit).Memory 350 may include read-only memory and random access memory, and Instruction and data is provided to processor 310.The a part of of memory 350 can also include nonvolatile RAM (NVRAM).The various components of equipment of the core network 30 are coupled by bus system 320 in specific application, wherein bus System 320 can also include power bus, control bus and status signal bus in addition etc. in addition to including data/address bus.But it is For the sake of clear explanation, in figure various buses are all designated as bus system 320.
The method that the embodiments of the present invention disclose can be applied in processor 310, or be realized by processor 310. Processor 310 may be a kind of IC chip, the processing capacity with signal.During realization, the above method it is each Step can be completed by the integrated logic circuit of the hardware in processor 310 or the instruction of software form.Above-mentioned processing Device 310 can be general processor, digital signal processor (DSP), specific integrated circuit (ASIC), ready-made programmable gate array (FPGA) either other programmable logic device, discrete gate or transistor logic, discrete hardware components.May be implemented or Person executes disclosed each method, step and the logic diagram in the embodiment of the present invention.General processor can be microprocessor or Person's processor is also possible to any conventional processor etc..The step of method in conjunction with disclosed in the embodiment of the present invention, can be straight Connect and be presented as that hardware decoding processor executes completion, or in decoding processor hardware and software module combination executed At.Software module can be located at random access memory, and flash memory, read-only memory, programmable read only memory or electrically-erasable can In the storage medium of this fields such as programmable memory, register maturation.The storage medium is located at memory 350, and processor 310 is read Information in access to memory 350, in conjunction with the step of its hardware completion above method.
Optionally, processor 310 is also used to for the IP address of the destination server being added in gray list, the ash name Include the corresponding relationship between the free address and the IP address of the doubtful illegal proxy server in list.
Optionally, processor 310 is also used to:
The flow accounting of the doubtful illegal proxy server in the gray list is monitored, the flow accounting is described doubtful The ratio of free flow and total flow on illegal proxy server;
Flow accounting described in preset time period is higher than to the IP of the doubtful illegal proxy server of the first preset threshold value Location is transferred in blacklist, and pair between the free address and the IP address of illegal proxy server is included in the blacklist It should be related to.
Optionally, processor 310 is also used to:
The flow accounting of the doubtful illegal proxy server in the gray list is monitored, the flow accounting is described doubtful The ratio of free flow and total flow on illegal proxy server;
Flow accounting described in preset time period is lower than to the IP of the doubtful illegal proxy server of the second preset threshold value Location is transferred in the white list.
Optionally, processor 310 is also used to:
Obtain the legal network address of domain name message;
When the legal network address be free address when, from name server send dns response message in obtain with it is described The IP address of the corresponding legal server of legal network address;
It is added to the IP address of the legal network address and the corresponding legal server is corresponding in the white list.
Optionally, processor 310 is also used to handle the service message according to for the prevention and control strategy illegally acted on behalf of.
Above equipment of the core network 30 can the description refering to fig. 1 to the part Fig. 6 understood that this place does not do excessive superfluous It states.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of above-described embodiment is can It is completed with instructing relevant hardware by program, which can be stored in a computer readable storage medium, storage Medium may include: ROM, RAM, disk or CD etc..
Be provided for the embodiments of the invention above identification charging fraud the method illegally acted on behalf of, equipment and system into It has gone and has been discussed in detail, used herein a specific example illustrates the principle and implementation of the invention, the above implementation The explanation of example is merely used to help understand method and its core concept of the invention;Meanwhile for the general technology people of this field Member, according to the thought of the present invention, there will be changes in the specific implementation manner and application range, in conclusion this explanation Book content should not be construed as limiting the invention.

Claims (10)

1. a kind of method of identification charging fraud illegally acted on behalf of characterized by comprising
Equipment of the core network obtains the IP address of the purpose network address URL and destination server that carry in service message;
The equipment of the core network searches the IP address of server corresponding with the purpose network address from the white list pre-established, The corresponding relationship of IP address comprising free address and legal server in the white list;
It is described when not including the IP address of the destination server in the IP address of server corresponding with the purpose network address Equipment of the core network identifies that the destination server is doubtful illegal proxy server;
The IP address of the destination server is added in gray list by the equipment of the core network, comprising described in the gray list Corresponding relationship between free address and the IP address of the doubtful illegal proxy server;
The equipment of the core network handles the service message according to for the prevention and control strategy illegally acted on behalf of.
2. the method according to claim 1, wherein the method also includes:
The equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in the gray list, the flow accounting For the ratio of flow and total flow free on the doubtful illegal proxy server;
The equipment of the core network takes the doubtful illegal agency that flow accounting described in preset time period is higher than the first preset threshold value The IP address of business device is transferred in blacklist, the IP comprising the free address and illegal proxy server in the blacklist Corresponding relationship between location.
3. the method according to claim 1, wherein the method also includes:
The equipment of the core network monitors the flow accounting of the doubtful illegal proxy server in the gray list, the flow accounting For the ratio of flow and total flow free on the doubtful illegal proxy server;
Doubtful illegal agency of the equipment of the core network by flow accounting described in preset time period lower than the second preset threshold value takes The IP address of business device is transferred in the white list.
4. method according to claim 1 to 3, which is characterized in that the method also includes
The equipment of the core network obtains the legal network address of domain name message;
When the legal network address is free address, the equipment of the core network is from the dns response message that name server is sent Obtain the IP address of legal server corresponding with the legal network address;
The equipment of the core network is added to institute for the IP address of the legal network address and the corresponding legal server is corresponding It states in white list.
5. a kind of equipment of the core network characterized by comprising
Acquiring unit, for obtaining the IP address of the purpose network address URL and destination server that carry in service message;
Searching unit, it is corresponding with the purpose network address that the acquiring unit obtains for being searched from the white list pre-established Server IP address, the corresponding relationship of the IP address comprising free address and legal server in the white list;
Recognition unit, for when server corresponding with the purpose network address that the searching unit is found IP address in not When IP address comprising the destination server, identify that the destination server is doubtful illegal proxy server;
First adding unit, for the recognition unit identify the destination server be doubtful illegal proxy server it Afterwards, the IP address of the destination server is added in gray list, in the gray list comprising the free address with it is described Corresponding relationship between the IP address of doubtful illegal proxy server;
Processing unit, for the recognition unit identify the destination server be doubtful illegal proxy server after, According to for the prevention and control strategy illegally acted on behalf of, the service message is handled, it is described for the prevention and control strategy illegally acted on behalf of, comprising: Obstruction returns toll rate and bandwidth limitation.
6. equipment of the core network according to claim 5, which is characterized in that the equipment of the core network further include:
First monitoring unit, for monitoring the flow accounting of the doubtful illegal proxy server in the gray list, the flow Accounting is the ratio of free flow and total flow on the doubtful illegal proxy server;
First buanch unit, it is preset that the flow accounting for monitoring the first monitoring unit described in preset time period is higher than first The IP address of the doubtful illegal proxy server of threshold value is transferred in blacklist, in the blacklist comprising the free address with Corresponding relationship between the IP address of illegal proxy server.
7. equipment of the core network according to claim 5, which is characterized in that the equipment of the core network further include:
Second monitoring unit, for monitoring the flow accounting of the doubtful illegal proxy server in the gray list, the flow Accounting is the ratio of free flow and total flow on the doubtful illegal proxy server;
Second buanch unit, the flow accounting for monitoring the second monitoring unit described in preset time period are preset lower than second The IP address of the doubtful illegal proxy server of threshold value is transferred in the white list.
8. according to any equipment of the core network of claim 5-7, which is characterized in that the equipment of the core network further include: the Two adding units,
The acquiring unit is also used to obtain the legal network address of domain name message, when the legal network address is free address, from domain The IP address of legal server corresponding with the legal network address is obtained in the dns response message that name server is sent;
Second adding unit, for the acquiring unit to be obtained the institute that the legal network address and the acquiring unit obtain The IP address for stating corresponding legal server corresponding is added in the white list.
9. it is a kind of identification charging fraud the system illegally acted on behalf of characterized by comprising charging execution function entity PCEF and Name server,
The PCEF is any equipment of the core network of the claims 5-8.
10. a kind of system of identification charging fraud illegally acted on behalf of characterized by comprising charging execution function entity PCEF, Visualization device and name server,
Any equipment of the core network of the visualization device the claims 5-8.
CN201510969780.5A 2015-12-22 2015-12-22 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud Active CN105516165B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510969780.5A CN105516165B (en) 2015-12-22 2015-12-22 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud
PCT/CN2016/109060 WO2017107780A1 (en) 2015-12-22 2016-12-08 Method, device and system for recognizing illegitimate proxy for charging fraud

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510969780.5A CN105516165B (en) 2015-12-22 2015-12-22 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud

Publications (2)

Publication Number Publication Date
CN105516165A CN105516165A (en) 2016-04-20
CN105516165B true CN105516165B (en) 2019-05-28

Family

ID=55723801

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510969780.5A Active CN105516165B (en) 2015-12-22 2015-12-22 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud

Country Status (2)

Country Link
CN (1) CN105516165B (en)
WO (1) WO2017107780A1 (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105516165B (en) * 2015-12-22 2019-05-28 华为技术有限公司 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud
CN108337652B (en) * 2017-01-20 2020-12-01 ***通信集团河南有限公司 Method and device for detecting flow fraud
CN108809891B (en) * 2017-04-27 2019-12-20 贵州白山云科技股份有限公司 Server intrusion detection method and device
CN108933867B (en) * 2017-05-27 2021-04-13 ***通信集团公司 Method and device for preventing and controlling information fraud, equipment and storage medium
CN109525682B (en) * 2017-09-19 2021-08-06 ***通信有限公司研究院 Service processing method, device, network element entity and computer readable storage medium
CN107809752B (en) * 2017-10-16 2020-08-21 南京网元通信技术有限公司 Mobile network flow fraud verification method based on software simulation
CN107896232B (en) * 2017-12-27 2020-04-03 北京奇艺世纪科技有限公司 IP address evaluation method and device
CN109996201B (en) * 2018-01-02 2021-01-15 ***通信有限公司研究院 Network access method and network equipment
CN108347443B (en) * 2018-02-11 2021-02-02 中国联合网络通信集团有限公司 Method and system for discovering malicious traffic-free server
CN110198248B (en) * 2018-02-26 2022-04-26 北京京东尚科信息技术有限公司 Method and device for detecting IP address
CN108846096B (en) * 2018-06-15 2021-04-13 中国联合网络通信集团有限公司 Webpage prompting method, terminal, gateway equipment and user edge equipment
CN111294311B (en) * 2018-12-06 2022-05-13 ***通信集团河南有限公司 Traffic charging method and system for preventing traffic fraud
CN109831461B (en) * 2019-03-29 2021-10-26 新华三信息安全技术有限公司 Distributed denial of service (DDoS) attack defense method and device
CN111814643A (en) * 2020-06-30 2020-10-23 杭州科度科技有限公司 Black and gray URL (Uniform resource locator) identification method and device, electronic equipment and medium
CN112256308A (en) * 2020-11-12 2021-01-22 腾讯科技(深圳)有限公司 Target application updating method and device
CN115002203A (en) * 2021-03-02 2022-09-02 京东科技信息技术有限公司 Data packet capturing method, device, equipment and computer readable medium
CN114091014A (en) * 2021-10-29 2022-02-25 珠海大横琴科技发展有限公司 Data processing method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102130791A (en) * 2010-01-14 2011-07-20 深圳市深信服电子科技有限公司 Method, device and gateway server for detecting agent on gateway server
CN102891794A (en) * 2011-07-22 2013-01-23 华为技术有限公司 Data packet transmission control method and gateway device
CN103139205A (en) * 2013-01-30 2013-06-05 华为技术有限公司 Message processing method, device and network server
CN104486091A (en) * 2014-12-05 2015-04-01 中国联合网络通信集团有限公司 Charging method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101795272B (en) * 2010-01-22 2012-09-19 北京网御星云信息技术有限公司 Illegal website filtering method and device
IN2014DN08971A (en) * 2012-05-09 2015-05-22 Ericsson Telefon Ab L M
CN103220296B (en) * 2013-04-26 2015-05-27 腾讯科技(深圳)有限公司 Method, equipment and system of data interaction
CN105516165B (en) * 2015-12-22 2019-05-28 华为技术有限公司 A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102130791A (en) * 2010-01-14 2011-07-20 深圳市深信服电子科技有限公司 Method, device and gateway server for detecting agent on gateway server
CN102891794A (en) * 2011-07-22 2013-01-23 华为技术有限公司 Data packet transmission control method and gateway device
CN103139205A (en) * 2013-01-30 2013-06-05 华为技术有限公司 Message processing method, device and network server
CN104486091A (en) * 2014-12-05 2015-04-01 中国联合网络通信集团有限公司 Charging method and device

Also Published As

Publication number Publication date
CN105516165A (en) 2016-04-20
WO2017107780A1 (en) 2017-06-29

Similar Documents

Publication Publication Date Title
CN105516165B (en) A kind of method illegally acted on behalf of, equipment and the system of identification charging fraud
KR101047997B1 (en) A detecting system and a management method for terminals sharing by analyzing network packets and a method of service
CN103179132B (en) A kind of method and device detecting and defend CC attack
CN109951500A (en) Network attack detecting method and device
CN104994133B (en) A kind of mobile Web web page access user experience perception evaluating method based on network KPI
CN100362805C (en) Multifunctional management system for detecting erotic images and unhealthy information in network
CN109756501A (en) A kind of high concealment network agent method and system based on http protocol
CN108337652B (en) Method and device for detecting flow fraud
CN108156038B (en) Request distribution method, device, access gateway and storage medium
US9042863B2 (en) Service classification of web traffic
CN107888605A (en) A kind of Internet of Things cloud platform traffic security analysis method and system
US10447530B2 (en) Device metering
CN102710770A (en) Identification method for network access equipment and implementation system for identification method
CN103257989A (en) Webpage download time analysis
CN106412975B (en) A kind of test method and device of content charging loophole
CN106656666A (en) Method and device for acquiring first screen time of web page
CN107579874A (en) The method and device that a kind of detection flows collecting device data acquisition is failed to report
CN108206769A (en) Method, apparatus, equipment and the medium of screen quality alarm
CN106131078A (en) A kind of method and device processing service request
CN110099129A (en) A kind of data transmission method and equipment
CN102271331B (en) Method and system for detecting reliability of service provider (SP) site
CN102984003A (en) Network access detection system and network access detection method
CN107968765A (en) A kind of network inbreak detection method and server
CN104158789A (en) Method and device for detecting security of payment type website
CN106411819A (en) Method and apparatus for recognizing proxy Internet protocol address

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant