CN101854360A

Movatterモバイル変換

Info

Publication number: CN101854360A
Application number: CN201010178570A
Authority: CN
Inventors: 杨满智; 王琼; 金红; 刘长永
Original assignee: Eversec Beijing Technology Co Ltd
Current assignee: Heng Jia Jia (Beijing) Technology Co., Ltd.
Priority date: 2010-05-21
Filing date: 2010-05-21
Publication date: 2010-10-06
Anticipated expiration: 2030-05-21
Also published as: CN101854360B

Abstract

The invention relates to a method for tracing to the source of a mobile subscriber cellphone number according to an IP address, comprising the following steps of: obtaining an IP address the source of which needs to be traced; obtaining other behavioral characteristics of the IP address, such as a source port number, URL (Universal Resource Locator) and the like; searching operating IP address ranges provided by mobile operators by utilizing the IP address as an index to obtain network equipment marks, such as fire walls, GGSN (Gateway GPRS Support Node), PDSN (Packet Data Serving Node) equipment, which correspond to the IP address; searching according to the network equipment marks and the mobile subscriber behavioral characteristics of the IP address to obtain the corresponding mobile subscriber cellphone number. The invention also provides a device for tracing to the source of the mobile subscriber cellphone number according to the IP address. After the relevant cellphone number information is obtained, network management staff can operate a user data register corresponding to the cellphone number, and for example, the physical paths of Hacker users are cut off so as to block the further attack of Hackers to ensure the safety of the network and other users.

Description

According to the trace to the source device and method of mobile subscriber cellphone number of IP address

Technical field

The present invention relates to a kind of network and information security technology, particularly relate to a kind of according to the trace to the source device and method of mobile subscriber cellphone number of IP address.It is to utilize in the GPRS/PDSN network, according to IP address and the mobile subscriber's behavioural characteristic mobile subscriber cellphone number of tracing to the source.

Background technology

The autonomous reception with the diverse network security incident quantity of autonomous monitoring of China compared increase comparatively significantly with the same period in the first half of the year in 2009 in 2010.These incidents are generally from event monitoring technology such as the Internet intrusion detection, honey jar baiting techniques, safe emergency responses, but often owing to can't and lack tracer technique at the IP address location, and cause the discovery incident and can't locate dispose event.

The appearance of mobile Internet meanwhile, the particularly appearance of the three big 3G of operator cards of surfing Internet, make the safety of China incident develop into the fixing internet that merges that moves, how to judge that the cradle of the attack that backbone network is monitored is very meaningful from the fixed network and Internet network.

State Council is in issue on September 25th, 2000 " Internet Information Services Management Regulations " for this reason, the information content and issuing time, internet address or the domain name that provide should be provided its 14 internet information ISP who is engaged in service items such as news, publication and BBS; The Internet access service supplier should the recording internet user information such as surf time, user account number, internet address or domain name, calling telephone number.Internet information ISP and Internet access service supplier's record backup should be preserved 60, and when national appropriate body is inquired about in accordance with the law, was provided.

The present situation of this respect is to trace to the source at fixed network IP DSLAM relevant solution and patent are arranged at present, still traces to the source then at the mobile network and uses the NAT technology to carry out the IP conversion in a large number owing to relate to mobile operator, is difficult to track Intranet IP; Often to exist different places such as GGSN/PDSN/CG/WAPGW etc. to accomplish effectively unified and the cell-phone number of mobile operator and Intranet IP address obtain.

Summary of the invention

The objective of the invention is to overcome prior mobile network can't effectively trace to the source and provide internet records for future reference defective, and provide a kind of according to the trace to the source device and method of mobile subscriber cellphone number of IP address.

The object of the invention to solve the technical problems also can be applied to the following technical measures to achieve further.

Aforesaid method, the IP address range information of being managed that the mobile operator among the wherein said step B provides are to obtain from the public network IP address management system of the mobile operator that this user mobile phone number business is provided or IP address assignment equipment.

Aforesaid method, wherein said IP address management system comprises GGSN, PDSN, NAT and WAPGW.

Aforesaid method, the incidence relation of the cell phone that writes down among the wherein said step C number, IP address allocated, mobile subscriber's behavioural characteristic is that charge system (BOSS/BSS), charging gateway (CG/Radius), the signal collecting (Gn/Rp signal collecting) from the mobile operator that this mobile subscriber cellphone number business is provided obtains.

Aforesaid method, wherein said mobile subscriber's behavioural characteristic comprise source port, source IP, Target IP, target port, URL, QQ number, MSN number.

Aforesaid method, wherein said step D, IP address correlation relation before and after the FW/NAT is to obtain from all NAT device, and its incidence relation information comprises that IP address, the IP address behind the NAT and time, the described NAT device before the NAT comprises fire compartment wall, PNAT equipment, WAPGW.

The object of the invention to solve the technical problems also can realize by the following technical solutions.According to the present invention propose a kind of according to the trace to the source device of mobile subscriber cellphone number of IP address, it is characterized in that it comprises cellphone subscriber's information gathering processing module, FW/NAT information gathering processing module, runner public-network network appliance IP information acquisition module and association process enquiry module, this cellphone subscriber's information gathering processing module, this FW/NAT information gathering processing module and this runner public-network network appliance IP information acquisition module are connected with data storage cell by interface respectively, and this association process enquiry module is handled Information Monitoring associated with the query by the data storage cell direct correlation.

Aforesaid device, the contained information of wherein said runner public-network network appliance IP information acquisition module acquisition step B; The contained information of this cellphone subscriber's information gathering processing module acquisition step C; The contained information of this FW/NAT information gathering processing module acquisition step D; Above-mentioned acquisition mode is ftp, sftp, scp, syslog, socket, database or manual entry.

Aforesaid device, wherein said device can be handled association automatically, merge the information of storing step B, C, D, and generate the data comprise database, XML, plain text different-format and use for this association process enquiry module, support information compresses simultaneously, and compression ratio is 70%～90%.

Aforesaid device, wherein said device can or report automatically by this association process enquiry module confession external inquiry, and its inquiry or the mode that reports automatically are FTP, SFTP, SCP, HTTP, WEBSERVICE.

Aforesaid device, wherein said device is except providing the I P address traces to the source, can also be used for recorded information, this recorded information can be Internet user's surf time, user account number, internet address or domain name, calling telephone number, and this device can be to above-mentioned recorded information backup inquiry.

Aforesaid device, wherein said device comprise the information of tracing to the source after the particular association, are specially IP address, cell-phone number, IMSI number, temporal information, port information, URL information and internet behavior feature.

The present invention compared with prior art has tangible advantage and beneficial effect.By technique scheme, the present invention has following advantage and beneficial effect at least according to the trace to the source device and method of mobile subscriber cellphone number of IP address:

1, the present invention possesses real-time monitoring.

2, the present invention possesses unique polarization.

3, it is minimum that the present invention possesses the network performance influence.

4, the present invention possesses the minimum property of investment.

Above-mentioned explanation only is the general introduction of technical solution of the present invention, for can clearer understanding technological means of the present invention, and can be implemented according to the content of specification, and for above-mentioned and other purposes, feature and advantage of the present invention can be become apparent, below especially exemplified by preferred embodiment, and conjunction with figs., be described in detail as follows.

Description of drawings

Fig. 1 is the present invention according to the trace to the source device networking block diagram of mobile subscriber cellphone number of IP address.

Fig. 2 is the present invention according to the trace to the source device treatment state schematic diagram of mobile subscriber cellphone number of IP address.

Fig. 3 is the present invention according to the trace to the source flow chart of method of mobile subscriber cellphone number of IP address.

Embodiment

Reach technological means and the effect that predetermined goal of the invention is taked for further setting forth the present invention, below in conjunction with accompanying drawing and preferred embodiment, to foundation the present invention propose according to I P address trace to the source its embodiment of device and method, structure, feature and the effect thereof of mobile subscriber cellphone number, describe in detail as after.

Seeing also shown in Figure 3ly, is the present invention according to the trace to the source device treatment state schematic diagram of mobile subscriber cellphone number of IP address.

Comprise mobile phone user information gathering processing module 11, FW/NAT information gathering processing module 12, runner public-network network appliance IP information acquisition module 13 and association process enquiry module 14 according to the trace to the source device 1 of mobile subscriber cellphone number of IP address.Above-mentioned mobile phone user information gathering processing module 11 can be obtained cell phone number with private network distributing IP address correlation information and carry out association store from data signaling collection or CDR ticket, comprises at least:

● cell-phone number

●IMSI

● the time started stabs

● the concluding time stabs

● the upper-layer protocol type

● the URL record of surfing Internet with cell phone

Above-mentioned FW/NAT information gathering processing module 12 can slave firewall or NAT device obtain public and private net IP address information and carry out association store by the Syslog mode, comprise at least:

● the time started stabs

● the concluding time stabs

● private network IP

● public network NAT IP

● Target IP

● the private network source port

● the public network source port

● target port

Above-mentioned runner public-network network appliance IP information acquisition module 13 can obtain the IP information of web network equipment outside it by the mode of http/ftp from the mobile operator maintenance system, comprise at least:

● the IP address

● the operation sign

● reference address (http/ftp)

The data message of above-mentioned association process enquiry module 14 in can related above-mentioned 3 modules line data compression of going forward side by side, and inquiry and north orientation mating interface externally are provided is as based on the XML mode

<？xml?version＝″1.0″encoding＝″UTF-8″>

<task?id＝″1″t?ype＝″msisdn_locate″emergency＝″true″>

<src_ip>122.102.133.2</src_ip>

<dst_ip>202.102.133.2</dst_ip>

<src_port>5060</src_port>

<ds?t_por?t>202.102.133.2</ds?t_port>

<digest>http://wap.baidu.com</digest>

<start_record>5</start_record>

<end_record>15</end_record>

</task>

</xml>

Type:msisdn_locate inquiry msisdn number, imsi_locate inquiry imsi number, ip_loacte inquires about msisdn and imsi number simultaneously

Src_ip: outer net source IP, i.e. the source IP of NAT conversion back packet is some in the nat address pool

Dst_ip: the IP of the server that outer net is accessed

Src_port: the port of outer net FW

Dst_port: the port of the accessed service of outer net

Digest: the URL or the summary info of visit outer net, support fuzzy matching

Starttime: inquire about this time the user that (comprising this time) surf the Net afterwards

Endtime: inquire about this time the user that (comprising this time) surf the Net before

Start_record: the home record of current Query Result

End_record: the end record of current Query Result

Seeing also shown in Figure 3ly, is the present invention according to the trace to the source flow chart of method of mobile subscriber cellphone number of IP address, and concrete steps are:

A. obtain IP address to be traced to the source and mobile subscriber's behavioural characteristic to be checked thereof;

B. utilize this IP address as index, search the IP address range of being managed that mobile operator provides by the device 1 of the mobile subscriber cellphone number of tracing to the source according to the IP address, the network equipment that obtains this IP address correspondence indicates;

C. obtain mobile subscriber cellphone number, mobile subscriber's behavioural characteristic and the incidence relation between them of charging of mobile operator side or signal collecting by the device 1 of the mobile subscriber cellphone number of tracing to the source according to the IP address;

D. obtain the IP address correlation relation of the FW/NAT front and back of mobile operator side FW/NAT equipment by the device 1 of the mobile subscriber cellphone number of tracing to the source according to the IP address;

E, indicate and mobile subscriber's behavioural characteristic is searched and obtained corresponding mobile subscriber cellphone number according to this network equipment; And

F. above-mentioned steps B to the information of D after device 1 storage of the mobile subscriber cellphone number of tracing to the source according to the IP address and handling, when the needs IP address of tracing to the source is input in the device of this mobile subscriber cellphone number of tracing to the source according to the IP address and just can finishes above-mentioned incidence relation and inquiry automatically, obtain mobile subscriber cellphone number.

When the outside request of tracing to the source is initiated, as steps A. obtain IP address to be traced to the source and mobile subscriber's behavioural characteristic to be checked thereof; Utilize this IP address as index according to step B., search the IP address range of being managed that mobile operator provides by the device of the mobile subscriber cellphone number of tracing to the source according to the IP address, the network equipment that obtains this IP address correspondence indicates; Because the IP address information is relevant with the network equipment of specific mobile operator, therefore this device 1 is in order to solve the information of tracing to the source on which equipment of inquiry, and runner public-network network appliance IP information acquisition module 13 is provided, its interface position as shown in Figure 2 23.This runner public-network network appliance IP information acquisition module 13 is handled to merge from NAT and is gone up distribution public network IP information and hand to data storage cell 15, and the generation network equipment indicates.

Indicate the access path that can find the relevant information of tracing to the source (as http: // association process enquiry module IP/ the network equipment indicates .jsp) by this network equipment and at this time just can directly inquire about the specific information of tracing to the source by association process enquiry module 14.The specific information of tracing to the source comprises cell phone number and the mapping relations of private network IP, the IP address correlation relation before and after the FW/NAT.

In the mobile operator network in order to obtain the mapping relations of cell phone number and private network IP, the mobile phone user information gathering processing module 11 (as shown in Figure 2) of the device 1 by the mobile subscriber cellphone number of tracing to the source according to the IP address realizes the GPRS core net is carried out beam split bypass signal collecting, its deployed position (as the interface 21 of Fig. 2) is positioned at the GPRS gn interface of mobile operator inside, because the flow in the GPRS core net between SGSN and the GGSN is divided into into, go out some thighs such as different directions, so taking, mobile phone user information gathering processing module 11 need after these flows advanced line data synthetic and filter the GTP-C packet, the cell phone that needs among the extraction step C number, IP address allocated, the incidence relation information of behavioural characteristic is also handed to data storage cell 15 (shown in Figure 2).The processing module of cellphone subscriber's information gathering meanwhile 11 needs the synthetic and filtration GTP-U packet of advanced line data after taking these flows, therefrom extract mobile subscriber's behavioural characteristic, comprising source port, source IP, Target IP, target port, URL, QQ number, MSN number, and hand to data storage cell 15.

Because what this device 1 adopted is the bypass signal collecting, need not be connected in series enter the internet or transform GGSN equipment, whether the Network flow model changes all because be bypass and can network not being impacted, therefore network performance is influenced substantially is minimum in the present invention, simultaneously because the present invention possesses real-time collection GTP signaling message, therefore send moment in GTP PDP context activation message and just can know user mobile phone number information, and need not wait for that the transmission of PDP context deactivation message finishes, generate after the original cdr logging just inquiring user cellphone information, thereby reach real-time monitoring.Only extract related news simultaneously and need not store a large amount of initial data, it is less therefore to make an investment in memory device, and the present invention possesses the minimum property of investment.

At present because the address space of IPv4 is less, a lot of mobile operator adopt the NAT technology to save the IP address (as the broadband, sub-district when providing the Internet to insert, mobile CMNET etc.), therefore can only trace into the public IP on the NAT device, need obtain the IP address correlation relation of FW/NAT front and back, therefore this device 1 provides FW/NAT information gathering processing module 12 (shown in Figure 2) for the mapping relations that can solve public and private net, take directly 22 positions of the interface from Fig. 1 all NAT device to be gathered relevant information as Fig. 3 step D, it has write down the IP address before the NAT, I P address/port and time behind the NAT, this NAT device comprises fire compartment wall, PNAT equipment, WAPGW.Relevant information is handled by FW/NAT information gathering processing module 12 and is merged (as the information of Fig. 2 FW/NAT information gathering processing module 12 descriptions) and hand to data storage cell 15.The combination of above-mentioned information can be given and be the invention provides unique polarization.

Above-mentioned steps B to the information of step D after device 1 storage of the mobile subscriber cellphone number of tracing to the source according to the IP address and handling, when trace to the source IP address and user behavior feature of needs is input to and just can searches customizing messages according to the network equipment sign of this IP automatically in the device of this mobile subscriber cellphone number of tracing to the source according to the IP address and obtain mobile subscriber cellphone number.

Whole for the present invention in sum according to the trace to the source method of mobile subscriber cellphone number of IP address, also provide a kind of simultaneously according to the trace to the source device 1 of mobile subscriber cellphone number of IP address, by the contained information of runner public-network network appliance IP information acquisition module 13 acquisition step B, be the IP address range address of being managed that provides on the mobile operator NAT device, the network equipment that obtains this IP address correspondence indicates economizes XXNAT equipment as so-and-so; By the contained information of mobile phone user information gathering processing module 11 acquisition step C, be mobile subscriber cellphone number and private network IP address relationship among the GTP-C, therefrom extract mobile subscriber's behavioural characteristic from GTP-U, comprising source port, source IP, target I P, target port, URL, QQ number, MSN number, final by merging the incidence relation that generates between them; By the contained information of FW/NAT information gathering processing module 12 acquisition step D, be NAT device private network IP, public network NAT IP, Target IP, private network source port, public network source port, target port information when doing the NAT conversion, above acquisition mode is ftp, sftp, scp, syslog, socket, database or manual entry, and stores data storage cell 15 into.The mobile phone user information gathering processing module 11 of described device 1, FW/NAT information gathering processing module 12, runner public-network network appliance IP information acquisition module 13 can be handled association automatically, merge the information of storing step B, C, D, generating XML form (as described above) uses for association process enquiry module 14, support information compression simultaneously, compression ratio is 70%～90%.The association process enquiry module 14 of described device 1 provides inquiry or automatic reporting functions by the HTTP/FTP mode to external system.

But device 1 is recording internet user's surf time, user account number, internet address or domain name, calling telephone number also, purpose/source/NAT rear port, URL etc., therefore this device can also be used for above-mentioned recorded information is backed up and inquires about, device 1 also comprises the information of tracing to the source after the particular association, is specially IP address, cell-phone number, IMSI number, temporal information, port information, URL information and internet behavior feature.

Claims

1. one kind according to the trace to the source method of mobile subscriber cellphone number of IP address, it is characterized in that it may further comprise the steps:

B. utilize this IP address as index, search the IP address range of being managed that mobile operator provides by the device of the mobile subscriber cellphone number of tracing to the source according to the IP address, the network equipment that obtains this IP address correspondence indicates;

C. obtain mobile subscriber cellphone number and mobile subscriber's behavior characteristic information of charging of mobile operator side or signal collecting by the device of the mobile subscriber cellphone number of tracing to the source according to the IP address, and the incidence relation between mobile subscriber cellphone number and the mobile subscriber's behavior characteristic information;

D. obtain the IP address correlation relation of the FW/NAT front and back of mobile operator FW/NAT equipment by the device of the mobile subscriber cellphone number of tracing to the source according to the IP address;

E, indicate and this mobile subscriber's behavioural characteristic is searched and obtained corresponding mobile subscriber cellphone number according to this network equipment; And

F. above-mentioned steps B to the information of D after the device storage of the mobile subscriber cellphone number of tracing to the source according to the IP address and handling, when the needs IP address of tracing to the source is input in the device of this mobile subscriber cellphone number of tracing to the source according to the IP address and just can finishes above-mentioned incidence relation and inquiry automatically, obtain mobile subscriber cellphone number.

2. method according to claim 1 is characterized in that: the IP address range information of being managed that the mobile operator among the described step B provides is to obtain from the public network IP address management system of the mobile operator that this user mobile phone number business is provided or IP address assignment equipment.

3. method according to claim 2 is characterized in that, described IP address management system comprises GGSN, PDSN, NAT and WAPGW.

4. method according to claim 1, it is characterized in that: the incidence relation of the cell phone that writes down among the described step C number, IP address allocated, mobile subscriber's behavioural characteristic is that charge system, charging gateway, the signal collecting from the mobile operator that this mobile subscriber cellphone number business is provided obtains.

5. method according to claim 1 is characterized in that: described mobile subscriber's behavioural characteristic comprises source port, source IP, Target IP, target port, URL, QQ number, MSN number.

6. method according to claim 1, it is characterized in that: described step D, IP address correlation relation before and after the FW/NAT is to obtain from all NAT device, and its incidence relation information comprises that IP address, the IP address behind the NAT and time, the described NAT device before the NAT comprises fire compartment wall, PNAT equipment, WAPGW.

7. one kind according to the trace to the source device of mobile subscriber cellphone number of IP address, it is characterized in that it comprises cellphone subscriber's information gathering processing module, FW/NAT information gathering processing module, runner public-network network appliance IP information acquisition module and association process enquiry module, this cellphone subscriber's information gathering processing module, this FW/NAT information gathering processing module and this runner public-network network appliance IP information acquisition module are connected with data storage cell by interface respectively, and this association process enquiry module is handled Information Monitoring associated with the query by the data storage cell direct correlation.

8. device according to claim 7 is characterized in that:

The contained information of described runner public-network network appliance IP information acquisition module acquisition step B;

The contained information of this cellphone subscriber's information gathering processing module acquisition step C;

The contained information of this FW/NAT information gathering processing module acquisition step D;

Above-mentioned acquisition mode is ftp, sftp, scp, syslog, socket, database or manual entry.

9. device according to claim 7, it is characterized in that: described device can be handled association automatically, merge the information of storing step B, C, D, and generation comprises that the data of database, XML, plain text different-format are for this association process enquiry module use, support information compression simultaneously, compression ratio is 70%～90%.

10. device according to claim 7 is characterized in that: described device can or report automatically by this association process enquiry module confession external inquiry, and its inquiry or the mode that reports automatically are FTP, SFTP, SCP, HTTP, WEBSERVICE.

11. device according to claim 7, it is characterized in that: described device is except providing the IP address traces to the source, can also be used for recorded information, this recorded information can be Internet user's surf time, user account number, internet address or domain name, calling telephone number, and this device can be to above-mentioned recorded information backup inquiry.

12. device according to claim 7 is characterized in that: described device comprises the information of tracing to the source after the particular association, is specially IP address, cell-phone number, IMSI number, temporal information, port information, URL information and internet behavior feature.