CN110460593B - Network address identification method, device and medium for mobile traffic gateway - Google Patents
Network address identification method, device and medium for mobile traffic gateway Download PDFInfo
- Publication number
- CN110460593B CN110460593B CN201910691428.8A CN201910691428A CN110460593B CN 110460593 B CN110460593 B CN 110460593B CN 201910691428 A CN201910691428 A CN 201910691428A CN 110460593 B CN110460593 B CN 110460593B
- Authority
- CN
- China
- Prior art keywords
- network address
- distribution
- preset
- operating system
- internet protocol
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2408—Traffic characterised by specific attributes, e.g. priority or QoS for supporting different services, e.g. a differentiated services [DiffServ] type of service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/29—Flow control; Congestion control using a combination of thresholds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application relates to the technical field of network security and machine learning, and discloses a network address identification method, a device and a medium for a mobile traffic gateway, wherein the method comprises the following steps: obtaining address characteristic distribution of a target network address in a specified time period; and when the address characteristic distribution of the target network address meets the network address characteristic distribution condition of a legal gateway, determining the target network address as the network address of the legal gateway, wherein the network address characteristic distribution condition is obtained according to the network address characteristic distribution of a plurality of legal gateways. By adopting the technical scheme, the accuracy rate of identifying the network address of the legal gateway can be improved.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, and a medium for identifying a network address of a mobile traffic gateway.
Background
With the rapid development of mobile communication and internet technologies, more demands of people for life, entertainment and office are met through mobile terminals such as mobile phones and tablets, and meanwhile, the demands of the mobile terminals on mobile traffic are increased. If the network Address (IP Address) of the mobile traffic gateway can be correctly identified, it is helpful to save bandwidth resources and to pass through adverse behaviors such as non-malicious aggregation behavior, phishing identification, and the like.
However, when the IP address of the mobile traffic gateway is identified, the IP address of the mobile traffic gateway is usually obtained by a communication operator, or the network address information of the mobile traffic gateway is purchased at some network address commercial websites, but the network address of the mobile traffic gateway obtained by the method for obtaining the network address information of the mobile traffic gateway is not comprehensive and cannot be updated in time, so that the network address of the mobile traffic gateway cannot be distinguished from the common network address, and a high cost is required for purchasing the network address information of the mobile traffic gateway.
In summary, there are many limitations in identifying the network address of the gateway by purchasing the network address information of the mobile traffic gateway in the prior art, and the accuracy is low.
Disclosure of Invention
In view of the above, embodiments of the present application are intended to provide a method, an apparatus, and a medium for identifying a network address of a mobile traffic gateway, so as to improve accuracy of identifying a legitimate gateway network address.
In a first aspect, an embodiment of the present application provides a method for identifying a network address of a mobile traffic gateway, where the method includes:
obtaining address characteristic distribution of a target network address in a specified time period;
and when the address characteristic distribution of the target network address meets the network address characteristic distribution condition of a legal gateway, determining the target network address as the network address of the legal gateway, wherein the network address characteristic distribution condition is obtained according to the network address characteristic distribution of a plurality of legal gateways.
In a second aspect, an embodiment of the present application provides an apparatus for identifying a network address of a mobile traffic gateway, where the apparatus includes:
the address characteristic distribution acquisition unit is used for acquiring the address characteristic distribution of the target network address in a specified time period;
and the legal gateway network address identification unit is used for determining the target network address as a legal gateway network address when the address characteristic distribution of the target network address meets the network address characteristic distribution condition of a legal gateway, wherein the network address characteristic distribution condition is obtained according to the network address characteristic distribution of a plurality of legal gateways.
In a possible implementation, the legitimate gateway network address identifying unit is further configured to:
inputting the address characteristic distribution into a trained gateway network address recognition model, and determining whether the target network address is a legal gateway network address according to an output result of the trained gateway network address recognition model, wherein:
the trained gateway network address recognition model is obtained by address feature distribution training of a plurality of legal gateway network addresses.
In a possible implementation manner, the address feature distribution includes at least one of the following or any combination of the following: and the type distribution of a terminal operating system corresponding to preset internet protocol data forwarded by the target network address in the appointed time period, the service type characteristic distribution corresponding to the preset internet protocol data and the flow distribution of the target network address.
In a possible implementation, the legitimate gateway network address identifying unit is further configured to:
after address feature distribution of a target network address in a specified time period is obtained, determining that total flow of preset internet protocol data is larger than a first preset flow value according to the flow distribution, and determining that preset bad network operation behaviors exist under the target network address when the total number of service types is smaller than a first preset service type threshold value according to the service type feature distribution.
In a possible implementation manner, the address feature distribution obtaining unit is configured to:
determining a terminal operating system type characteristic corresponding to each piece of preset internet protocol data forwarded by the target network address within the specified time period according to at least one operating system key field in the preset internet protocol data under the target network address;
determining a terminal operating system type corresponding to each terminal operating system type characteristic according to the terminal operating system type characteristic and a preset mapping relation between the terminal operating system type characteristic and the terminal operating system;
and determining the type distribution of the terminal operating systems according to the number of the types of the terminal operating systems corresponding to each type of terminal operating systems.
In a possible implementation manner, the address feature distribution obtaining unit is configured to:
determining the service type of each piece of preset Internet protocol data according to at least one service characteristic key field in the preset Internet protocol data;
and determining the service type characteristic distribution according to the quantity of the preset Internet protocol data corresponding to each type of service.
In a possible implementation manner, the address feature distribution obtaining unit is configured to:
and determining the flow distribution of the target network address according to the flow of preset internet protocol data corresponding to the target network address at a plurality of designated moments in the designated time period.
In a possible implementation manner, for the terminal operating system type distribution corresponding to the preset internet protocol data forwarded by the target network address within the specified time period, the network address feature distribution condition is: the ratio of the number of the appointed terminal operating systems to the total number of the terminal operating systems is larger than a first preset ratio;
aiming at the service type characteristic distribution corresponding to the preset internet protocol data, the network address characteristic distribution condition is as follows: the similarity between the quantity of the preset Internet protocol data corresponding to the specified service type and the quantity of the preset Internet protocol data corresponding to the specified service type in the preset conventional service type feature distribution is greater than a first preset similarity threshold;
aiming at the service type characteristic distribution corresponding to the preset internet protocol data, the network address characteristic distribution condition is as follows: the total number of the service types is larger than a second preset service type threshold value;
aiming at the flow distribution of the target network address, the network address characteristic distribution condition is as follows: the similarity of the flow distribution and the preset conventional flow distribution is greater than a second preset similarity threshold.
Aiming at the flow distribution of the target network address, the network address characteristic distribution condition is as follows: the total flow of the preset internet protocol data is greater than the second preset flow value.
In a third aspect, an embodiment of the present application provides a computer storage medium, where computer-executable instructions are stored in the computer storage medium, and the computer-executable instructions are used in the method according to the first aspect.
The scheme provided by the application has at least the following beneficial effects:
according to the scheme provided by the application, whether the target network address is the legal gateway network address or not is judged according to the address characteristic distribution of the target network address and the network address characteristic distribution condition of the legal gateway, so that the accuracy rate of identifying the legal gateway network address can be improved.
Drawings
Fig. 1 is a schematic view illustrating a process of issuing an identification picture of an authentication code to which the present application is applied;
fig. 2 is a schematic diagram illustrating network address identification of a mobile traffic gateway according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram illustrating distribution of types of a terminal operating system according to an embodiment of the present application;
fig. 4 is a schematic diagram of a method for obtaining type distribution of the terminal operating system according to an embodiment of the present application;
fig. 5 is a schematic diagram of a method for creating a mapping relationship between preset terminal operating system type characteristics and a terminal operating system according to an embodiment of the present application;
fig. 6 is a schematic diagram illustrating a method for obtaining service category feature distribution corresponding to preset internet protocol data according to an embodiment of the present application;
fig. 7 is a schematic diagram of a service category feature distribution provided in an embodiment of the present application;
fig. 8 is a schematic diagram of a method for obtaining traffic distribution of the target network address according to an embodiment of the present application;
FIG. 9 is a schematic illustration of a flow distribution provided by an embodiment of the present application;
fig. 10 is a schematic diagram illustrating a method for training a gateway network address recognition model according to an embodiment of the present application;
FIG. 11 is a flowchart illustrating an application of the solution provided by the embodiment of the present application to a scenario of transmitting data using TCP/IP;
fig. 12 is a schematic diagram of a network address identification apparatus of a mobile traffic gateway according to an embodiment of the present application;
fig. 13 is a schematic diagram of an identification apparatus provided in an embodiment of the present application as a hardware entity.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to facilitate those skilled in the art to better understand the technical solutions of the present application, the following terms related to the present application are described:
1. a mobile traffic gateway: the mobile traffic refers to traffic generated by mobile communication technologies such as General Packet Radio Service (GPRS), Enhanced Data Rate for GSM Evolution (EDGE), Time Division-Synchronous Code Division Multiple Access (Time Division-Synchronous Code Division Multiple Access, TD-SCDMA), High Speed Downlink Packet Access (HSDPA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), or other modes using related Data value-added services, and does not include traffic generated by other modes such as Wireless Local Area Network (WLAN), CSD, or other modes using content-charged Data services (songs, downloads, multimedia messages, and the like), and also does not include content-charged multimedia message (mms) Data, or multimedia message (mms) reduction traffic, or multimedia message (mms) Data Data traffic generated by group customers and industry applications such as M2M. The mobile traffic gateway refers to a gateway that provides a mobile traffic service for a user by each operator, and a legal gateway in the embodiment of the present application is another name of the mobile traffic gateway.
2. Address feature distribution: the access record of a certain network address under a preset internet protocol within a period of time is characterized according to various known distributions on the certain network address, such as the type distribution of a terminal operating system corresponding to preset internet protocol data forwarded by the target network address within a specified period of time, the service type characteristic distribution corresponding to the preset internet protocol data, the flow distribution of the target network address and the like, of the network address.
The following explains the design concept of the present application:
with the development of mobile communication and internet technologies, the demand of terminals on mobile traffic is increasing, and if the network address of a legal gateway providing traffic service can be correctly identified, it is very helpful to save network broadband resources, to allow normal aggregation behaviors, and to identify bad behaviors such as phishing.
By taking the issued verification code applied to the technical scheme of the application as an example, the importance of identifying the network address of the legal gateway providing the traffic service in the aspect of saving network bandwidth resources is explained as follows:
the verification code is a very popular prevention mode for malicious attack, the current mainstream verification code scheme is mainly issued through pictures, if the pictures issued during verification code identification are known to come from the network address of a legal mobile traffic gateway providing traffic service, the gateway is controlled to issue low-quality pictures under the condition that the use of a user is not influenced, the network bandwidth resources of the issued pictures can be saved, and the method is very beneficial to operators and users, and specifically comprises the following steps as shown in fig. 1:
step S101, drawing picture data during identifying the verification code;
step S102, judging whether the network address for sending the picture data is the mobile traffic gateway network address, if so, entering step S103, otherwise, entering step S104.
Step S103, issuing a low-resolution picture;
and step S103, issuing pictures with normal resolution.
As can be seen from the above example of issuing an image for identifying a verification code, the importance of identifying a network address of a legitimate gateway providing a traffic service is identified, and therefore, embodiments of the present application provide a method, an apparatus, and a medium for identifying a network address of a mobile traffic gateway, in the method of the present application, a network address is used as a target network address, internet protocol data of the target network address in a specified time period is first collected and analyzed, address feature distributions of the target network address in the specified time period are obtained according to the analysis result, and a network address feature distribution condition of the legitimate gateway is obtained according to the network address feature distributions of a plurality of legitimate gateways providing a traffic service (i.e., the mobile traffic gateways), and aiming at a certain target network address, when the address characteristic distribution of the target network address in a specified time period meets the network address characteristic distribution condition of a legal gateway, determining that the target network address is the network address of the legal gateway.
In the scheme of the application, the address characteristic distribution of the target network address can be used as an input value, a trained gateway network address recognition model is input, and whether the target network address is a legal gateway network address or not is determined according to an output result of the gateway network address recognition model.
It should be noted that the solution of the present application can be applied, but is not limited to, in a scenario where data is transmitted using any specified internet protocol, such as in a scenario where the solution of the present application is applied to transmission using the transmission control protocol TCP/internet protocol IP; when the scheme of the present application is applied to a scenario of transmitting data using TCP/IP, where the internet protocol data is TCP data, and the target network address is a target IP address, in this embodiment, the internet protocol used for transmitting data is not limited too much, and the following describes the scheme of the present application only by using an internet protocol that is preset for transmitting data.
The implementation of the technical solution of the present application is described in detail below with reference to the accompanying drawings:
as shown in fig. 2, the present application provides a method for identifying a network address of a legal mobile traffic gateway, which specifically includes the following steps:
step S201, obtaining address characteristic distribution of a target network address in a specified time period;
the specified time period is not limited too much, and those skilled in the art can set it to be 8:00-10:00, 17:00-20:00, 10:00-22:00 of a certain specified date, etc. according to actual requirements.
In an embodiment of the present application, the address characteristic distribution of the target network address in a specified time may include, but is not limited to, one or any combination of the following:
1) within the appointed time period, distributing the types of the terminal operating systems corresponding to the preset Internet protocol data forwarded by the target network address;
it should be understood that each piece of predetermined internet protocol data should be originated from a terminal, and each terminal has its corresponding terminal operating system;
in this embodiment, the terminal operating systems of the terminals corresponding to all the preset internet protocol data are classified according to categories, and the terminal operating system type distribution is the distribution of the number of the terminal operating system types corresponding to each category of terminal operating systems, which may be specifically referred to in fig. 3.
2) Presetting service type characteristic distribution corresponding to Internet protocol data;
it should be understood that each piece of preset internet protocol data accesses one service, in this embodiment, different services may be classified, and the service type feature is a distribution of a service type corresponding to the preset internet protocol data forwarded by the target network address within the specified time.
3) The traffic distribution of the target network address;
it should be understood that each piece of preset internet protocol data is a flow, and flows corresponding to the target network address at a plurality of specified times within the specified time period are flow distribution of the target network address.
The plurality of designated times are not limited too much, and can be set by a person skilled in the art according to actual requirements.
Step S202, judging whether the address characteristic distribution of the target network address meets the network address characteristic distribution condition of a legal gateway or not, if so, entering step S203, otherwise, entering step S104;
in this embodiment, the network address feature distribution condition of the valid gateway may be obtained according to one or more of a terminal operating system type distribution corresponding to preset internet protocol data forwarded by the target network address in the specified time period, a service type feature distribution corresponding to the preset internet protocol data, and a traffic distribution of the target network address in network address feature distributions of a plurality of valid gateways.
Step S203, determining that the target network address is a legal gateway network address;
step S204, the target network address is determined not to be a legal gateway network address.
The terminal in step S201 may include, but is not limited to: smart phones, tablet computers, personal notebook computers, desktop computers, robots, and the like.
The terminal operating system of the terminal may include, but is not limited to: android System, IOS System (internet Operating System-Cisco), Microsoft Windows System, Unix Operating System, Linux Operating System, Mac Operating System.
The Android system Android is a Linux-based operating system with free and open source codes. The method is mainly used for mobile equipment such as smart phones and tablet computers;
the iOS system is a mobile operating system developed by apple inc and applied to mobile end devices such as tablet computers;
the UNIX operating system is a powerful multi-user, multi-task and time-sharing operating system supporting various processor architectures;
the Linux Operating System is a set of Unix-like Operating systems which can be used freely and spread freely, is an Operating System which is based on Portable Operating System interfaces (Portable Operating System interfaces of Unix, POSIX) and multiple users, multiple tasks, multithreading and multiple Central Processing Units (CPUs) of Unix, and can run main Unix tool software, application programs and network protocols;
the Microsoft Windows is an operating system using a Graphical User Interface (GUI);
the Mac OS is the first Graphical User Interface (GUI) operating system that has been successful in the commercial field.
As shown in fig. 4, the scheme of this embodiment provides a method for obtaining the type distribution of the terminal operating system:
step S401, determining the type characteristics of the terminal operating system corresponding to each piece of preset Internet protocol data forwarded by the target network address in the specified time period;
analyzing the key fields of the operating system in the preset Internet protocol data under the target network address, and when only one key field of the operating system exists, taking the key field of the operating system obtained by analyzing each preset Internet protocol data as the type characteristic of the corresponding terminal operating system; when the number of the operating system key fields is at least two, taking the result of the processing of the at least two operating system key fields according to a preset field processing mode as the type characteristic of the terminal operating system;
the preset field processing mode is not limited too much, and may be but not limited to a field splicing mode, that is, but not limited to a result of splicing at least two key fields of the operating system according to a specified field splicing sequence is determined as a terminal operating system type characteristic corresponding to the preset internet protocol data.
The splicing sequence of the designated fields is not limited too much, and a person skilled in the art can set the splicing sequence of the designated fields according to actual requirements so as to achieve the purpose of distinguishing the terminal operating system type characteristics of different terminal operating systems with higher accuracy.
Step S402, determining a terminal operating system type corresponding to each terminal operating system type feature;
in this embodiment, a mapping relationship between a type characteristic of a terminal operating system and the terminal operating system may be preset and created according to historical preset internet protocol data acquired by a service provider and a service type corresponding to a service accessed by each piece of historical preset internet protocol data, but is not limited thereto;
in this embodiment, the terminal os type corresponding to each terminal os type feature may be determined according to a preset mapping relationship between the terminal os type feature and the terminal os.
Step S403, determining the type distribution of the terminal operating system;
the terminal operating system type distribution corresponding to the target network address can be determined according to the number of the terminal operating system types corresponding to each type of terminal operating system, and the terminal operating system type distribution can be referred to fig. 3;
fig. 3 is a histogram showing a distribution of types of terminal operating systems, where "first class terminal operating system, second class terminal operating system, third class terminal operating system, fourth class terminal operating system, fifth class terminal operating system, and sixth class terminal operating system" in a horizontal row all represent types of terminal operating systems, and numbers "20, 40, 60, 80, 100, 120, and 140" in a vertical row represent the number of types of terminal operating systems corresponding to the terminal operating systems, as shown in fig. 3, a first rectangle on the left in fig. 3 represents that the number of types of terminal operating systems of the first class terminal operating system is 120, and the number of each class of terminal operating systems can be clearly and clearly known from the distribution of types of terminal operating systems.
In this embodiment, a mapping relationship between preset terminal operating system type characteristics and a terminal operating system may be created according to a large amount of preset internet protocol data acquired by a service provider history, as shown in fig. 5, which gives a specific example:
step S501, acquiring a large amount of preset Internet protocol data, and determining the type characteristics of a terminal operating system corresponding to each preset Internet protocol data;
here, the method for determining the type of the terminal operating system corresponding to each piece of preset internet protocol data is consistent with the method in step S401, and the description is not repeated here.
Step S502, according to the terminal operating system identification in the service access data of each piece of Internet protocol data, determining a terminal operating system corresponding to each piece of preset Internet protocol data;
it should be understood that, the service access data of each piece of internet protocol data may include, but is not limited to, a login time when the terminal corresponding to the internet protocol data or the user corresponding to the internet protocol data accesses the network through the terminal, a network address of the access network, and a terminal operating system identifier including the terminal corresponding to the internet protocol data, so that the terminal operating system corresponding to each piece of preset internet protocol data may be determined according to the service access data of each piece of internet protocol data.
Step S503, constructing the terminal operating system type characteristic of each piece of preset Internet protocol data and the corresponding terminal operating system into the mapping relation between the preset terminal operating system type characteristic and the terminal operating system.
The preset mapping relationship between the terminal operating system type characteristic and the terminal operating system may be, but is not limited to be, stored in a binary table or binary form, which is not limited in the present application, and the preset mapping relationship between the terminal operating system type characteristic and the terminal operating system may be, but is not limited to be, stored in a specified database, so as to compare and search, and speed up the identification of the legal gateway network address.
As shown in fig. 6, a manner for obtaining the service category feature distribution corresponding to the preset internet protocol data is provided as follows:
step S601, analyzing the service characteristic key field in the preset Internet protocol data, and determining the service type of each preset Internet protocol data according to the analysis result;
the service feature keywords may be one or more.
Step S602, determining service type feature distribution according to the number of the preset internet protocol data corresponding to each type of service.
In this embodiment, a histogram representing service category feature distribution as shown in fig. 7 is provided, where the horizontal columns "first type service, second type service, third type service, fourth type service, fifth type service, and sixth type service" all represent service categories, the vertical columns of numbers "20, 40, 60, 80, 100, 120, and 140" represent the number of preset internet protocol data corresponding to different types of services, and the first left rectangle in fig. 7 represents that the number of preset internet protocol data corresponding to the first type service is 60, so that the number of each type of service can be clearly and clearly known from the service category feature distribution.
As shown in fig. 8, one way to obtain the traffic distribution of the target network address is provided as follows:
step S801, acquiring flow of preset Internet protocol data corresponding to a plurality of designated moments in a designated time period;
the preset internet protocol data is a flow, and the flow of the preset internet protocol data at any given moment is the quantity of the preset internet protocol data corresponding to the given moment.
Step S802, determining the flow distribution of the target network address according to the flow of the preset Internet protocol data corresponding to the plurality of designated moments respectively.
This embodiment provides a histogram showing the traffic distribution as shown in fig. 9, wherein the horizontal row "0 point in a certain month of a year, 1 point in a certain month of a year, 2 points in a certain month of a year, 3 points in a certain month of a year, 4 points in a certain month of a year, 5 points in a certain month of a year, 6 points in a certain month of a year, 7 points in a certain month of a year, 8 points in a certain month of a year, 9 points in a certain month of a year, 10 points in a certain month of a year, 11 points in a certain month of a year, 12 points in a certain month of a year, 13 points in a certain month of a year, 14 points in a certain month of a year, 15 points in a certain month of a year, 16 points in a certain month of a year, 17 points in a certain month of a year, 18 points in a certain month of a year, 19 points in a certain month of a year, 20 points in a certain month of a year, 21 points in a certain month of a year, 22 points in a certain month of a year, 23 points in a year" each of a designated time ", the vertical row indicates the left side of the corresponding predetermined number of the internet protocol data of the block 6, and the left side of the block of the data of the certain month is shown as a graph 5, the flow at each given moment is clearly and clearly known from the flow distribution.
In order to ensure the accuracy of identifying a legitimate gateway network address, the network address feature distribution conditions in this application may include, but are not limited to:
the network address characteristic distribution condition 1) the ratio of the number of the specified terminal operating systems to the total number of the terminal operating systems is larger than a first preset ratio;
the first preset ratio is not limited too much, and a person skilled in the art can set the ratio according to actual requirements;
the terminal operating system of the specified class is not limited too much, and may be set according to the type of the legal gateway that needs to be identified, for example, in this embodiment, the identified legal gateway network address of the legal gateway that provides the mobile traffic, and at this time, the terminal operating system of the specified class is a mobile terminal operating system, such as an android system, an IOS system, and the like.
The network address feature distribution condition 2) the similarity between the number of the preset internet protocol data corresponding to the specified service type and the number of the preset internet protocol data corresponding to the specified service type in the preset conventional service type feature distribution is greater than a first preset similarity threshold;
the preset conventional service category feature distribution refers to service category feature distribution under the condition that no network abnormal behaviors (such as phishing, malicious aggregation behaviors and the like) exist.
The specified service category and the first preset similarity threshold are not limited too much, and those skilled in the art can set the threshold according to actual requirements.
Network address feature distribution condition 3) the total number of the service types is greater than a second preset service type threshold value;
it should be understood that, when the predetermined internet protocol data forwarded by a certain network address corresponds to a plurality of service types, the possibility that the predetermined internet protocol data is a legal gateway network address is relatively high.
The second preset traffic category threshold is not limited too much, and those skilled in the art can set the threshold according to actual needs.
Network address feature distribution condition 4) the similarity between the traffic distribution and the preset conventional traffic distribution is greater than a second preset similarity threshold;
the preset conventional traffic distribution refers to the traffic distribution condition which is in accordance with the network utilization time law of the user under the condition that no network abnormal behaviors (such as phishing, malicious aggregation behaviors and the like) exist.
The second preset similarity threshold is not limited too much, and those skilled in the art can set the second preset similarity threshold according to actual requirements.
The network address characteristic distribution condition 5) presets that the total flow of the internet protocol data is greater than a second preset flow value.
It should be understood that when the total amount of the preset internet protocol data (total amount) corresponding to a certain network address is large, the probability that the certain network address is a legal gateway network address is relatively high.
The second preset flow value is not limited too much, and can be set by a person skilled in the art according to actual requirements.
The network address feature distribution condition 1) is set for terminal operating system type distribution corresponding to preset internet protocol data forwarded by the target network address within the specified time period, the network address feature distribution conditions 2) and 3) are set for service type feature distribution corresponding to the preset internet protocol data, and the network address feature distribution conditions 4) and 5) are flow distribution for the target network address.
As an alternative embodiment, those skilled in the art may flexibly adopt a plurality of the network address feature distribution conditions 1) -5) to cooperate with each other to identify a legal gateway network address more accurately, and may, but is not limited to, determine a target network address satisfying the network address feature distribution conditions 1) -5) as a legal gateway network address.
As a possible implementation situation, in the solution of the present application, when the network address feature distribution conditions 3) and 5) are utilized to identify a legal gateway network address, it may occur that the total traffic of the preset internet protocol data is greater than a first preset traffic value, and the total number of the traffic types is smaller than a first preset traffic type threshold, at this time, because the total traffic of the target network address in a specified time period is too much, but the total number of the traffic types is too little, the situation is abnormal, and at this time, it is determined that a preset bad network operation behavior exists under the target network address;
the first preset traffic value and the first preset traffic type threshold are not limited too much, and those skilled in the art can set the values according to actual requirements.
The predetermined bad network operation behavior may include abnormal aggregation behavior, phishing behavior, etc.
In the solution of the present application, after step S201, it may also be determined whether the target network address is a legal gateway network address without using the network address feature distribution condition, and after obtaining the address feature distribution of the target network address, the target network address may be input into a gateway network address recognition model trained through machine learning, and it is determined whether the target network address is a legal gateway network address according to an output result of the gateway network address recognition model.
Machine Learning (ML) is a multi-domain cross discipline, and relates to a plurality of disciplines such as probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory and the like. The research on how a computer simulates or realizes the learning behavior of human beings so as to acquire new knowledge or skills and reorganize the existing knowledge structure to continuously improve the performance of the computer. The common methods of machine learning are mainly classified into supervised learning and unsupervised learning, wherein the supervised learning includes various classification models, and a model with the best classification effect can be obtained through training an existing training sample set containing input data and corresponding output data.
In order to implement this scheme, as shown in fig. 10, this embodiment further provides a method for training a gateway network address recognition model:
step S1001, obtaining a training sample set, wherein the training sample set comprises address feature distribution of a large number of network addresses and a result of whether each network address is a legal gateway network address;
the network addresses include a legal gateway network address and a non-legal gateway network address, and the address feature distribution of a plurality of network addresses and whether each network address is a result of a legal gateway network address can be obtained through the scheme described above in this embodiment, but not limited to;
the valid gateway network address flag bit may be, but is not limited to, a result indicating whether each network address is a valid gateway network address or not, for example, when the value of the valid gateway network address flag bit is 1, it indicates that the network address is a valid gateway network address, and when the value of the valid gateway network address flag bit is 0, it indicates that the network address is not a valid gateway network address.
Step S1002, a gateway network address training model is established based on a supervised training model, wherein the gateway network address training model at least comprises one or more input characteristics and an output label;
the one or more input characteristics may be, but are not limited to, one or more of address distribution characteristics of network addresses, and the one or more characteristics may include the terminal operating system distribution, traffic class characteristic distribution, and traffic distribution;
the output tag may be the value of the legal gateway network address flag bit of the identified network address.
Step S1003, training a current gateway network address training model by using a training sample set, adjusting model parameters of the current gateway network address training model according to a result output by an output layer until the model training is smaller than a set prediction error condition, and determining the current gateway network address training model as a recognition model for recognizing a legal gateway network address;
when the gateway network address training model is trained each time, all or a certain number of address feature distributions in the training sample set can be input into the gateway network address training model one by one, the values of the legal gateway network address zone bits output by the gateway network address training model are respectively compared with the values of the legal gateway network address zone bits corresponding to the training sample set, the ratio of the number of the two legal gateway network address zone bits with consistent values to the total number of the trained network addresses is determined as a prediction accuracy, and when the prediction accuracy is greater than a preset prediction accuracy threshold, the model training is determined to be smaller than a set prediction error condition.
When the gateway network address training model is trained each time and the prediction accuracy is not greater than the preset prediction accuracy threshold value, the gateway network address training model can be retrained by selecting data in the unused training sample set, model parameters of the gateway network address training model can be adjusted according to a preset model parameter adjusting function, and after the model parameters are adjusted, the gateway network address training model is retrained by reusing the data in the training sample set.
It should be noted that, those skilled in the art may also adjust the model parameters of the gateway network address training model according to other model training methods, or train the gateway network address training model according to other model training methods, which is not limited in this application.
In order to facilitate understanding of the scheme of the present application, as shown in fig. 11, a specific example of applying the scheme of the present application to a scenario of transmitting data using TCP/IP is described as follows:
step 1101, collecting and analyzing TCP data forwarded by a target IP address, determining the terminal operating system type characteristics of each TCP data according to SNY packet data in the TCP data, and further determining the terminal operating system type distribution corresponding to the TCP data forwarded by the target IP address in a specified time period;
specifically, the following operating system key fields in the SNY packet may be parsed:
a key field 1) of a terminal operating system, namely a fragment identifier DF, wherein the DF is used for indicating whether the TCP data is fragmented or discarded and reported to a source host by an ICMP error message when the packet length exceeds an MTU;
a terminal operating system key field 2) ttl, wherein ttl represents the maximum number of routers allowed to pass through by the IP packet;
a key field 3) of a terminal operating system, namely IP option len, which is used for expressing the IP option length of a target IP address;
terminal operating system key field 4) sliding Window size, wherein the field Window size does not belong to the operating system level characteristic, but the characteristic of the multiple relation between the sliding Window and mss belongs to the operating system level characteristic;
a key field of a terminal operating system 5) timer, wherein the value of the timer is set to 0 by some terminal operating systems, so that the values of the timers corresponding to different terminal operating systems are possibly different;
terminal operating system key field 6) TCP option, mss may have been tampered with by the intermediate router because the timestamp changes with time, TCP option is to remove the specific values of timestamp, mss.
Splicing a plurality of terminal operating system key fields of SNY packet data in any TCP data according to the sequence of the terminal operating system key field 1), the terminal operating system key field 2), the terminal operating system key field 3), the terminal operating system key field 4), the terminal operating system key field 5) and the terminal operating system key field 6) to obtain a result as a terminal operating system type characteristic corresponding to the TCP data;
and determining the terminal operating system corresponding to each TCP data according to the terminal operating system type characteristic corresponding to each TCP data and the preset mapping relation between the terminal operating system type characteristic and the terminal operating system, and further determining the terminal operating system type distribution corresponding to the target IP address according to the terminal operating system corresponding to each TCP data.
Step S1102, determining the service type of each TCP data according to the data packet data in the TCP data, and further determining the service type characteristic distribution corresponding to the TCP data;
step S1103, determining traffic distribution of the target IP address according to traffic of TCP data corresponding to a plurality of designated times;
step S1104, according to the type distribution, the service type characteristic distribution and the flow distribution of the terminal operating system, the address characteristic distribution of the target IP address is determined;
step S1105, judging whether the address feature distribution of the target IP address meets the network address feature distribution condition of the legal gateway, if yes, entering step S1206, otherwise, entering step S1207;
step S1106, determining that the target IP address is a legal gateway network address;
step S1107, it is determined that the target IP address is not a legitimate gateway network address.
By the scheme provided by the application, the network address of the gateway providing the mobile flow can be simply and conveniently identified quickly and accurately according to the network address characteristic distribution condition of the legal gateway, the preset bad network operation behavior can be effectively identified, the phishing behavior can be identified, and the malicious aggregation behavior can be avoided;
the scheme provided by the application can save high cost for purchasing a legal gateway network address from an operator or a gateway network address information provider, is low in cost, can save network bandwidth resources after identifying the legal gateway network address, and has great value for users needing to use flow and operators providing flow service.
Based on the same concept, as shown in fig. 12, this embodiment further provides a network address identification apparatus for a mobile traffic gateway, including:
an address feature distribution obtaining unit 1201, configured to obtain address feature distribution of a target network address in a specified time period;
a legal gateway network address identifying unit 1202, configured to determine the target network address as a legal gateway network address when the address feature distribution of the target network address meets a network address feature distribution condition of a legal gateway, where the network address feature distribution condition is obtained according to network address feature distributions of multiple legal gateways.
In a possible implementation manner, the above legal gateway network address identifying unit is further configured to:
inputting the address feature distribution into a trained gateway network address recognition model, and determining whether the target network address is a legal gateway network address according to an output result of the trained gateway network address recognition model, wherein:
the trained gateway network address recognition model is obtained by training the address characteristic distribution of a plurality of legal gateway network addresses.
In a possible implementation manner, the address feature distribution at least includes one or any combination of the following: and the type distribution of a terminal operating system corresponding to preset internet protocol data forwarded by the target network address in the specified time period, the service type characteristic distribution corresponding to the preset internet protocol data and the flow distribution of the target network address.
In a possible implementation manner, the above legal gateway network address identifying unit is further configured to:
after the address feature distribution of the target network address in a specified time period is obtained, determining that the total flow of preset internet protocol data is larger than a first preset flow value according to the flow distribution, and determining that preset bad network operation behaviors exist under the target network address when the total number of service types is smaller than a first preset service type threshold value according to the service type feature distribution.
In a possible implementation manner, the address feature distribution obtaining unit is configured to:
determining a terminal operating system type characteristic corresponding to each piece of preset internet protocol data forwarded by the target network address within the specified time period according to at least one operating system key field in the preset internet protocol data under the target network address;
determining a terminal operating system type corresponding to each terminal operating system type characteristic according to the terminal operating system type characteristic and a preset mapping relation between the terminal operating system type characteristic and the terminal operating system;
and determining the type distribution of the terminal operating systems according to the number of the types of the terminal operating systems corresponding to each type of terminal operating systems.
In a possible implementation manner, the address feature distribution obtaining unit is configured to:
determining the service type of each preset internet protocol data according to at least one service characteristic key field in the preset internet protocol data;
and determining the service type characteristic distribution according to the quantity of the preset Internet protocol data corresponding to each type of service.
In a possible implementation manner, the address feature distribution obtaining unit is configured to:
and determining the flow distribution of the target network address according to the flow of preset internet protocol data corresponding to the target network address at a plurality of specified moments in the specified time period.
In a possible implementation manner, for the terminal operating system type distribution corresponding to the preset internet protocol data forwarded by the target network address within the specified time period, the network address feature distribution condition is: the ratio of the number of the appointed terminal operating systems to the total number of the terminal operating systems is larger than a first preset ratio;
aiming at the service type characteristic distribution corresponding to the preset internet protocol data, the network address characteristic distribution condition is as follows: the similarity between the quantity of the preset Internet protocol data corresponding to the specified service type and the quantity of the preset Internet protocol data corresponding to the specified service type in the preset conventional service type characteristic distribution is greater than a first preset similarity threshold;
aiming at the service type characteristic distribution corresponding to the preset internet protocol data, the network address characteristic distribution condition is as follows: the total number of the service types is larger than a second preset service type threshold value;
for the traffic distribution of the target network address, the network address feature distribution condition is as follows: the similarity of the flow distribution and the preset conventional flow distribution is greater than a second preset similarity threshold.
For the traffic distribution of the target network address, the network address feature distribution condition is as follows: the total flow of the preset internet protocol data is greater than the second preset flow value.
As an example of the hardware entities, as shown in fig. 13, the gateway includes a processor 1301, a storage medium 1302, and at least one external communication interface 1303; the processor 1301, the storage medium 1302, and the external communication interface 1303 are connected via a bus 1304.
Here, it should be noted that: the description related to the above device is similar to the description of the method of the present application, and the description of the beneficial effects of the method is not repeated. For technical details not disclosed in the gateway embodiment of the present application, refer to the description of the method embodiment of the present application.
An embodiment of the present invention further provides a computer storage medium, where a computer-executable instruction is stored in the computer storage medium, and the computer-executable instruction is used to execute a gateway control method in a local area network according to any one of the above embodiments.
In addition, in the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the above-described units is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the above methods of the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the above claims.
Claims (9)
1. A network address identification method of a mobile traffic gateway is characterized by comprising the following steps:
obtaining address feature distribution of a target network address in a specified time period, wherein the address feature distribution at least comprises one or any combination of the following: the terminal operating system type distribution corresponding to preset internet protocol data forwarded by the target network address in the appointed time period, the service type characteristic distribution corresponding to the preset internet protocol data and the flow distribution of the target network address, wherein the terminal operating system type distribution is the distribution of the number of the terminal operating system types corresponding to each type of terminal operating system after classifying the terminal operating system of the terminal corresponding to the preset internet protocol data according to categories, the service type characteristic distribution is the distribution condition of the service types after classifying the access service corresponding to the preset internet protocol data, and the flow distribution of the target network address is the flow corresponding to the target network address at a plurality of appointed times in the appointed time period;
and when the address characteristic distribution of the target network address meets the network address characteristic distribution condition of a legal gateway, determining the target network address as the network address of the legal gateway, wherein the network address characteristic distribution condition is obtained according to the network address characteristic distribution of a plurality of legal gateways.
2. The method of claim 1, wherein after obtaining the address characteristic distribution of the target network address over the specified time period, further comprising:
inputting the address characteristic distribution into a trained gateway network address recognition model, and determining whether the target network address is a legal gateway network address according to an output result of the trained gateway network address recognition model, wherein:
the trained gateway network address recognition model is obtained by address feature distribution training of a plurality of legal gateway network addresses.
3. The method of claim 1, wherein after obtaining the address characteristic distribution of the target network address over the specified time period, further comprising:
and determining that the total flow of preset internet protocol data is greater than a first preset flow value according to the flow distribution, and determining that preset bad network operation behaviors exist under the target network address when the total number of the service types is less than a first preset service type threshold value according to the service type characteristic distribution.
4. The method of claim 1, wherein the terminal operating system type distribution is obtained by:
determining a terminal operating system type characteristic corresponding to each piece of preset internet protocol data forwarded by the target network address within the specified time period according to at least one operating system key field in the preset internet protocol data under the target network address;
determining a terminal operating system type corresponding to each terminal operating system type characteristic according to the terminal operating system type characteristic and a preset mapping relation between the terminal operating system type characteristic and the terminal operating system;
and determining the type distribution of the terminal operating systems according to the number of the types of the terminal operating systems corresponding to each type of terminal operating systems.
5. The method of claim 1, wherein the service class characteristic distribution corresponding to the predetermined internet protocol data is obtained by:
determining the service type of each piece of preset Internet protocol data according to at least one service characteristic key field in the preset Internet protocol data;
and determining the service type characteristic distribution according to the quantity of the preset Internet protocol data corresponding to each type of service.
6. The method of claim 1, wherein the traffic profile for the target network address is obtained by:
and determining the flow distribution of the target network address according to the flow of preset internet protocol data corresponding to the target network address at a plurality of designated moments in the designated time period.
7. The method of claim 1, wherein the network address characteristic distribution condition comprises:
aiming at the type distribution of a terminal operating system corresponding to preset internet protocol data forwarded by the target network address in the specified time period, the network address characteristic distribution condition is as follows: the ratio of the number of the appointed terminal operating systems to the total number of the terminal operating systems is larger than a first preset ratio;
aiming at the service type characteristic distribution corresponding to the preset internet protocol data, the network address characteristic distribution condition is as follows: the similarity between the quantity of the preset Internet protocol data corresponding to the specified service type and the quantity of the preset Internet protocol data corresponding to the specified service type in the preset conventional service type feature distribution is greater than a first preset similarity threshold;
aiming at the service type characteristic distribution corresponding to the preset internet protocol data, the network address characteristic distribution condition is as follows: the total number of the service types is larger than a second preset service type threshold value;
aiming at the flow distribution of the target network address, the network address characteristic distribution condition is as follows: the similarity of the flow distribution and the preset conventional flow distribution is greater than a second preset similarity threshold;
aiming at the flow distribution of the target network address, the network address characteristic distribution condition is as follows: the total flow of the preset internet protocol data is greater than the second preset flow value.
8. A network address identifying apparatus for a mobile traffic gateway, comprising:
an address feature distribution obtaining unit, configured to obtain address feature distribution of a target network address in a specified time period, where the address feature distribution at least includes one or any combination of the following: the terminal operating system type distribution corresponding to preset internet protocol data forwarded by the target network address in the appointed time period, the service type characteristic distribution corresponding to the preset internet protocol data and the flow distribution of the target network address, wherein the terminal operating system type distribution is the distribution of the number of the terminal operating system types corresponding to each type of terminal operating system after classifying the terminal operating system of the terminal corresponding to the preset internet protocol data according to categories, the service type characteristic distribution is the distribution condition of the service types after classifying the access service corresponding to the preset internet protocol data, and the flow distribution of the target network address is the flow corresponding to the target network address at a plurality of appointed times in the appointed time period;
and the legal gateway network address identification unit is used for determining the target network address as a legal gateway network address when the address characteristic distribution of the target network address meets the network address characteristic distribution condition of a legal gateway, wherein the network address characteristic distribution condition is obtained according to the network address characteristic distribution of a plurality of legal gateways.
9. A computer storage medium having computer-executable instructions stored thereon for performing the method of any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910691428.8A CN110460593B (en) | 2019-07-29 | 2019-07-29 | Network address identification method, device and medium for mobile traffic gateway |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910691428.8A CN110460593B (en) | 2019-07-29 | 2019-07-29 | Network address identification method, device and medium for mobile traffic gateway |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110460593A CN110460593A (en) | 2019-11-15 |
| CN110460593B true CN110460593B (en) | 2021-12-14 |
Family
ID=68483884
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910691428.8A Active CN110460593B (en) | 2019-07-29 | 2019-07-29 | Network address identification method, device and medium for mobile traffic gateway |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110460593B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112887333A (en) * | 2021-03-02 | 2021-06-01 | 深信服科技股份有限公司 | Abnormal equipment detection method and device, electronic equipment and readable storage medium |
| CN113114669B (en) * | 2021-04-09 | 2023-05-23 | 厦门市美亚柏科信息股份有限公司 | GOIP gateway identification method, device, equipment and storage medium based on gateway data |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101262491A (en) * | 2008-04-02 | 2008-09-10 | 王京 | Application layer network analysis method and system |
| CN101795215A (en) * | 2010-01-28 | 2010-08-04 | 哈尔滨工程大学 | Network traffic anomaly detection method and detection device |
| CN102833668A (en) * | 2012-08-20 | 2012-12-19 | 中国联合网络通信集团有限公司 | Data traffic reminding method and data traffic reminding device |
| CN103428189A (en) * | 2012-05-25 | 2013-12-04 | 阿里巴巴集团控股有限公司 | Method, apparatus and system for identifying malicious network equipment |
| CN104391979A (en) * | 2014-12-05 | 2015-03-04 | 北京国双科技有限公司 | Malicious web crawler recognition method and device |
| CN106682504A (en) * | 2015-11-06 | 2017-05-17 | 珠海市君天电子科技有限公司 | Method and device for preventing file from being maliciously edited and electronic equipment |
| CN106886906A (en) * | 2016-08-15 | 2017-06-23 | 阿里巴巴集团控股有限公司 | A kind of device identification method and device |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102891829A (en) * | 2011-07-18 | 2013-01-23 | 航天信息股份有限公司 | Method and system for detecting and defending distributed denial of service attack |
| CN107426132B (en) * | 2016-05-23 | 2019-09-17 | 腾讯科技(深圳)有限公司 | The detection method and device of network attack |
| US10511615B2 (en) * | 2017-05-05 | 2019-12-17 | Microsoft Technology Licensing, Llc | Non-protocol specific system and method for classifying suspect IP addresses as sources of non-targeted attacks on cloud based machines |
| CN107483458A (en) * | 2017-08-29 | 2017-12-15 | 杭州迪普科技股份有限公司 | The recognition methods of network attack and device, computer-readable recording medium |
| CN109962903B (en) * | 2017-12-26 | 2022-01-28 | 中移(杭州)信息技术有限公司 | Home gateway security monitoring method, device, system and medium |
| CN107911396B (en) * | 2017-12-30 | 2020-12-15 | 世纪龙信息网络有限责任公司 | Login abnormity detection method and system |
| CN109194536A (en) * | 2018-07-27 | 2019-01-11 | 北京奇虎科技有限公司 | A kind of network flow filter method, device and terminal |
-
2019
- 2019-07-29 CN CN201910691428.8A patent/CN110460593B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101262491A (en) * | 2008-04-02 | 2008-09-10 | 王京 | Application layer network analysis method and system |
| CN101795215A (en) * | 2010-01-28 | 2010-08-04 | 哈尔滨工程大学 | Network traffic anomaly detection method and detection device |
| CN103428189A (en) * | 2012-05-25 | 2013-12-04 | 阿里巴巴集团控股有限公司 | Method, apparatus and system for identifying malicious network equipment |
| CN102833668A (en) * | 2012-08-20 | 2012-12-19 | 中国联合网络通信集团有限公司 | Data traffic reminding method and data traffic reminding device |
| CN104391979A (en) * | 2014-12-05 | 2015-03-04 | 北京国双科技有限公司 | Malicious web crawler recognition method and device |
| CN106682504A (en) * | 2015-11-06 | 2017-05-17 | 珠海市君天电子科技有限公司 | Method and device for preventing file from being maliciously edited and electronic equipment |
| CN106886906A (en) * | 2016-08-15 | 2017-06-23 | 阿里巴巴集团控股有限公司 | A kind of device identification method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110460593A (en) | 2019-11-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10841323B2 (en) | Detecting robotic internet activity across domains utilizing one-class and domain adaptation machine-learning models | |
| CN106992994B (en) | Automatic monitoring method and system for cloud service | |
| US20210185071A1 (en) | Providing security through characterizing mobile traffic by domain names | |
| US9838403B2 (en) | System and method for identifying abusive account registration | |
| CN110417778B (en) | Access request processing method and device | |
| WO2019056721A1 (en) | Information pushing method, electronic device and computer storage medium | |
| CN110442712B (en) | Risk determination method, risk determination device, server and text examination system | |
| CN109327439B (en) | Risk identification method and device for service request data, storage medium and equipment | |
| US20210126931A1 (en) | System and a method for detecting anomalous patterns in a network | |
| CN108632227A (en) | A kind of malice domain name detection process method and device | |
| CN104836781A (en) | Method distinguishing identities of access users, and device | |
| WO2020257991A1 (en) | User identification method and related product | |
| CN109600336A (en) | Store equipment, identifying code application method and device | |
| Krishnaveni et al. | Ensemble approach for network threat detection and classification on cloud computing | |
| CN107948199B (en) | Method and device for rapidly detecting terminal shared access | |
| CN112733045B (en) | User behavior analysis method and device and electronic equipment | |
| CN104980421B (en) | Batch request processing method and system | |
| JP7014898B2 (en) | ID authentication method, device, server and computer readable medium | |
| CN113412607B (en) | Content pushing method and device, mobile terminal and storage medium | |
| CN110460593B (en) | Network address identification method, device and medium for mobile traffic gateway | |
| US20200004785A1 (en) | Automatic grouping based on user behavior | |
| CN114338064B (en) | Method, device, system, equipment and storage medium for identifying network traffic type | |
| CN106998336B (en) | Method and device for detecting user in channel | |
| WO2016188334A1 (en) | Method and device for processing application access data | |
| CN110955890B (en) | Method and device for detecting malicious batch access behaviors and computer storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |