CN102231888A - Monitoring method and device - Google Patents
Monitoring method and device Download PDFInfo
- Publication number
- CN102231888A CN102231888A CN2011101738349A CN201110173834A CN102231888A CN 102231888 A CN102231888 A CN 102231888A CN 2011101738349 A CN2011101738349 A CN 2011101738349A CN 201110173834 A CN201110173834 A CN 201110173834A CN 102231888 A CN102231888 A CN 102231888A
- Authority
- CN
- China
- Prior art keywords
- thresholding
- user
- suspicious
- flow
- duration
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/12—Messaging; Mailboxes; Announcements
- H04W4/14—Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Telephonic Communication Services (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a monitoring method, which comprises the following steps of: configuring monitoring rules, wherein the monitoring rules comprise a rule time length, a traffic suspecting threshold, a statistical time length and a suspecting record number threshold, and the rule time length is less than the statistical time length; acquiring the times of monitoring operations executed by a user in the rule time length, comparing the times of the monitoring operations executed by the user in the rule time length with the traffic suspecting threshold, and judging the user triggers the suspecting threshold when the times is more than or equal to the traffic suspecting threshold; and acquiring the times of triggering the suspecting threshold by the user in the statistical time length, comparing the times of triggering the suspecting threshold by the user in the statistical time length with the suspecting record number threshold, and judging the user is a violating user when the times of triggering the suspecting threshold by the user in the statistical time length is more than or equal to the suspecting record number threshold. The invention also provides a monitoring device. By the method and the device, the user only transmitting a certain number of junk short messages in unit time but continuously transmitting the junk short messages for long can be effectively monitored.
Description
Technical field
The present invention relates to the SMS monitoring field, more specifically, relate to a kind of method for supervising and device.
Background technology
In recent years, Short Message Service is subjected to operator and users' attention more and more as a kind of basic service of mobile communication network.The means that each operator, profit group and individual utilize message center to carry out sales promotion emerge in an endless stream; That interconnects between each network is movable like a raging fire; The online size of message that flows also becomes geometric growth thereupon.The development of short message service is being operator's earning fair margin of profit, and when providing message Communications service easily for the user, also the propagation for refuse messages provides channel.At present, refuse messages has the gesture that grows in intensity, and has become society's one big public hazards.A large amount of malicious messages, advertisement information not only make the user tired tired very, but also might cause the operating environment paralysis of operator.
Given this, the junk short message supervisory control system is arisen at the historic moment, and its function mainly is automatically to find user in violation of rules and regulations according to a large amount of short messages of being monitored, and then restriction or forbid that it sends SMS message.Commercial in the market junk short message supervisory control system, normally judge based on the monitoring rule whether the size of message that the user sends has reached default thresholding in monitor duration, if, then think this user at a large amount of mass-sending refuse messages, and then restriction or forbid the behavior that this violation user sends SMS message.
The defective of above-mentioned method for supervising is, system for whether in violation of rules and regulations judgement of user mainly according to whether triggering default violation thresholding in its monitor duration, generally, in order to satisfy the communication requirement of normal users, thresholding can not be provided with too for a short time usually in violation of rules and regulations, so just makes some malicious users, utilize this specific character of system, continue for a long time to send refuse messages, but the traffic volume in the unit interval is carried out certain control, thereby escape the monitoring of system.
Summary of the invention
The technical problem to be solved in the present invention provides a kind of method for supervising and device, existing short message monitoring system is improved and replenishes, too simple to solve current strategy of catching user in violation of rules and regulations, can't be to only sending some in the unit interval, but the problem that the long-time user who continues to send refuse messages carries out effective monitoring.
In order to address the above problem, the invention provides a kind of method for supervising, comprising:
The configuration monitoring rule comprises in the described monitoring rule that regular duration, the suspicious thresholding of flow, statistics duration, suspicious record count thresholding, and described regular duration is less than the statistics duration;
Obtain the number of times that the interior user of described regular duration carries out monitored operation, number of times and the suspicious thresholding of described flow of user in the described regular duration being carried out monitored operation compare, and when more than or equal to the suspicious thresholding of flow, judge that this user triggers suspicious thresholding;
Obtain that this user triggers the number of times of suspicious thresholding in the statistics duration, the number of times that user in the described statistics duration is triggered suspicious thresholding is counted thresholding with described suspicious record and is compared, and when counting thresholding more than or equal to described suspicious record, judges that the user is the violation user.
Further, said method also can have following characteristics,
Also comprise flow thresholding in violation of rules and regulations in the described monitoring rule, described flow violation thresholding is greater than the suspicious thresholding of described flow;
Described method comprises that also number of times and the described flow violation thresholding of user in the regular duration being carried out monitored operation compare, if more than or equal to described flow violation thresholding, judges directly that then described user is the violation user.
Further, said method also can have following characteristics,
With the suspicious thresholding of described flow or flow in violation of rules and regulations thresholding or suspicious record count thresholding and compare and comprise:
After having added up the relevant information in a regular duration or the statistics duration, compare with corresponding thresholding again, perhaps, relevant information in regular duration of real-time statistics or the statistics duration, real-time and corresponding thresholding compares, and described relevant information is the number of times of carrying out monitored operation or the number of times that the user triggers suspicious thresholding.
Further, said method also can have following characteristics,
The number of times of the monitored operation of described execution is quantity that sends SMS message or the number of times that makes a call.
Further, said method also can have following characteristics,
Described method also comprises: when disposing many monitoring rules, travels through described many monitoring rules the number of times that the user carries out monitored operation monitored, be judged as in violation of rules and regulations up to this user, perhaps, up to having traveled through all monitoring rules.
The present invention also provides a kind of supervising device, comprise rule definition module, initial analysis module and subsequent analysis module, described initial analysis module comprises first monitoring unit and first comparing unit, and described subsequent analysis module comprises second monitoring unit and second comparing unit, wherein:
The rule definition module is used for: the configuration monitoring rule, comprise in the described monitoring rule that regular duration, the suspicious thresholding of flow, statistics duration, suspicious record count thresholding, and described regular duration is less than the statistics duration;
Described first monitoring unit is used for: obtain the number of times that the interior user of described regular duration carries out monitored operation;
Described first comparing unit is used for: number of times and the suspicious thresholding of described flow of user in the described regular duration being carried out monitored operation compare, when more than or equal to the suspicious thresholding of flow, judge that this user triggers suspicious thresholding, and notify described subsequent analysis module;
Described second monitoring unit is used for: obtain the number of times that interior this user of statistics duration triggers suspicious thresholding;
Described second comparing unit is used for: user in the described statistics duration is triggered the number of times of suspicious thresholding and described suspicious record count thresholding and compare, when counting thresholding more than or equal to described suspicious record, judge that the user be the violation user.
Further, said apparatus also can have following characteristics,
Also comprise flow thresholding in violation of rules and regulations in the monitoring rule of described rule definition block configuration, described flow violation thresholding is greater than the suspicious thresholding of described flow;
Described first comparing unit also is used for: number of times and the described flow violation thresholding of user in the regular duration being carried out monitored operation compare, if more than or equal to described flow violation thresholding, judge directly that then described user is the violation user.
Further, said apparatus also can have following characteristics,
Described first comparing unit is to be used for: after the user carries out the number of times of monitored operation in described first monitoring unit has been added up a regular duration, compare with suspicious thresholding of described flow or flow violation thresholding again; Perhaps, in real time the user of real-time statistics in regular duration of described first monitoring unit being carried out the number of times of monitored operation and the suspicious thresholding of described flow or the suspicious thresholding of flow compares;
Described second comparing unit is to be used for: after the user triggers the number of times of suspicious thresholding in described second monitoring unit has been added up a statistics duration, count thresholding relatively with described suspicious record again; Perhaps, in real time the user of real-time statistics in one of described second monitoring unit statistics duration being triggered the number of times of suspicious thresholding and described suspicious record counts thresholding and compares.
Further, said apparatus also can have following characteristics,
The number of times of the monitored operation of described execution is quantity that sends SMS message or the number of times that makes a call.
Further, said apparatus also can have following characteristics,
Described rule definition module is used to dispose many monitoring rules;
Described initial analysis module and subsequent analysis module are used to travel through described many monitoring rules to be monitored the number of times that the user carries out monitored operation, be judged as in violation of rules and regulations up to the user, perhaps, up to having traveled through all monitoring rules.
The present invention can effectively monitor the user who sends refuse messages for a long time with lower frequency, and can prevent effectively that locking system aligns the erroneous judgement at family commonly used by the judgement of introducing suspicious user in monitor procedure and the statistical analysis of suspicious user record number.If the violation thresholding that only value of setting is bigger in the rule, though can catch a large amount of users that send refuse messages in the unit interval, for only sending some in the unit interval, and the long-time user who continues to send refuse messages but can't catch; If the violation threshold setting in the rule is lower, itself and normal users can't be distinguished again.And by introducing the judgement of suspicious user, the suspicious thresholding that the value of setting is less, can catch the suspicious user of mass-sending refuse messages suspicion widely, carry out statistical analysis by the follow-up number of times that user in the statistics duration is doubted again, can judge effectively which is a normal users in the suspicious user, which is the long-time user who continues to send refuse messages.
Description of drawings
Fig. 1 is the configuration diagram according to the supervising device of exemplary embodiment of the present invention;
Fig. 2 is the flow chart according to the short message monitoring method of exemplary embodiment of the present invention;
Fig. 3 is the configuration diagram according to the short message monitoring system of exemplary embodiment of the present invention.
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, hereinafter will be elaborated to embodiments of the invention in conjunction with the accompanying drawings.Need to prove that under the situation of not conflicting, embodiment among the application and the feature among the embodiment be combination in any mutually.
For convenience of description, at first define several nouns:
1. monitoring rule: monitor the rule of institute's foundation, can comprise that parameters such as thresholding counted in thresholding, statistics duration, suspicious record in violation of rules and regulations for regular duration, the suspicious thresholding of flow, flow.
2. regular duration: the monitor duration of a monitoring rule, judge promptly whether number of times that the user carries out monitored operation triggers the suspicious thresholding of flow and the flow time span of thresholding institute foundation in violation of rules and regulations, carry out monitored operation and comprise the quantity that sends SMS message, perhaps, the number of times that makes a call.
3. traffic monitoring: promptly the number of times (such as the number of short or the calls that send) of the monitored operation of execution in the regular duration is monitored, basic with the flow violation thresholding and the suspicious thresholding of flow that set in advance as monitoring, number of short that sends in regular duration as the user or calls reach flow in violation of rules and regulations when thresholding or the suspicious thresholding of flow, just think that the user triggers this thresholding.
4. statistics duration: the time span of stipulating in the monitoring rule that the suspicious record number of user is added up, when a certain user when the suspicious record number (trigger the number of times of flow suspicious thresholding) of statistics in the duration reaches suspicious record and counts thresholding, just think that this user triggers suspicious record and counts thresholding, be judged to be user in violation of rules and regulations.
In the monitoring rule, introduce suspicious thresholding (suspicious thresholding is less than the violation thresholding), and introduce the follow-up statistical analysis of suspicious user.The user of thresholding will be judged in violation of rules and regulations with outdoor except violating in violation of rules and regulations, also the user who violates suspicious thresholding is carried out statistical analysis, the user who reaches certain thresholding for (the statistics duration needs greater than regular duration) suspicious number of times in the statistics duration also is judged to be user in violation of rules and regulations.Comprise that specifically based on the monitoring rule short message number that the user sends is carried out counting statistics, when in a monitor duration, the message number that the user sent triggers the suspicious thresholding of flow, just thinks that this user is suspicious in this regular duration, record suspicious user information; Then, suspicious user is carried out statistical analysis at the record number of a suspicious thresholding of statistics duration internal trigger flow, just think this User Violations when thresholding counted in suspicious record when triggering based on monitoring rule.
The supervising device that the embodiment of the invention provides comprises as shown in Figure 1 with lower module:
The rule definition module is used to dispose at least one monitoring rule.Wherein, comprise in every monitoring rule: regular duration, the suspicious thresholding of flow, flow thresholding, statistics duration, suspicious record are in violation of rules and regulations counted thresholding.The suspicious thresholding of described flow is less than flow violation thresholding, and described statistics duration is greater than described regular duration.Described monitoring rule is configurable one or more, and thresholding counted in thresholding, statistics duration, suspicious record in violation of rules and regulations for the configurable different suspicious thresholding of regular duration, flow, flow in many monitoring rules.
The initial analysis module is used for the short message number that the user sends is carried out initial analysis.Described initial analysis module comprises: (1) first monitoring unit, obtain the number of times that the interior user of described regular duration carries out monitored operation; Monitor such as number of short or calls that the user is sent in a regular duration; (2) first comparing units, number of times and the suspicious thresholding of described flow of user in the described regular duration being carried out monitored operation compare, and when more than or equal to the suspicious thresholding of flow, judge that this user triggers suspicious thresholding, and notify described subsequent analysis module; And number of times and the described flow violation thresholding of user in the regular duration being carried out monitored operation compare, if more than or equal to described flow violation thresholding, judge directly that then described user is the violation user.Manner of comparison has two kinds: after the user carries out the number of times of monitored operation in described first monitoring unit has been added up a regular duration, compare with suspicious thresholding of described flow or flow violation thresholding again; Perhaps, in real time the user of real-time statistics in regular duration of described first monitoring unit being carried out the number of times of monitored operation and the suspicious thresholding of described flow or the suspicious thresholding of flow compares; Such as, short message number that monitoring is obtained or calls and the suspicious thresholding of flow, flow thresholding in violation of rules and regulations compare, the user that the interior number of times of carrying out monitored operation of decision rule duration reaches the suspicious thresholding of described flow triggers suspicious thresholding, and sends suspicious user record and follow-up monitoring request to follow-up analysis module; And the user who the number of times of carrying out monitored operation in the regular duration is reached described flow violation thresholding is judged to be user in violation of rules and regulations.
The subsequent analysis module is used for suspicious user is carried out statistical analysis at the number of times of the suspicious thresholding of statistics duration internal trigger.Described subsequent analysis module comprises: (1) second monitoring unit, the suspicious user of described initial analysis module monitors gained is added up at the number of times of a suspicious thresholding of statistics duration internal trigger flow; (2) second comparing units are used for that thresholding counted in number of times and the suspicious record of the suspicious thresholding of triggering flow of statistics gained and compare, and count thresholding when the number of times that triggers the suspicious thresholding of flow more than or equal to described suspicious record, and described user is judged to be the violation user.The manner of comparison here is the same also two kinds.After the user triggers the number of times of suspicious thresholding in described second monitoring unit has been added up a statistics duration, count thresholding relatively with described suspicious record again; Perhaps, in real time the user of real-time statistics in one of described second monitoring unit statistics duration being triggered the number of times of suspicious thresholding and described suspicious record counts thresholding and compares.
When many monitoring rules of rule definition block configuration, described initial analysis module and subsequent analysis module are used to travel through described many monitoring rules the number of times that the user carries out monitored operation are monitored, be judged as in violation of rules and regulations up to the user, perhaps, up to having traveled through all monitoring rules.Concrete, each monitored operation to user's execution, the initial analysis module is based on the regular duration of a monitoring rule, the suspicious thresholding of flow, flow thresholding is in violation of rules and regulations monitored, the subsequent analysis module is counted thresholding based on the statistics duration of this monitoring rule and suspicious record and is monitored, if this monitoring rule user down is judged as user in violation of rules and regulations, then no longer monitor based on other monitoring rules, otherwise, regular duration based on next bar monitoring rule, the suspicious thresholding of flow, flow is thresholding in violation of rules and regulations, statistics duration and suspicious record are counted thresholding and are monitored, be determined not user in violation of rules and regulations up to the user, perhaps, all monitoring rules have been traveled through.
Described supervising device further comprises:
Output module is used to export described suspicious user and/or user's user profile in violation of rules and regulations.
Described supervising device also can comprise a database, preserves suspicious user and violation user's information.
Present embodiment provides a kind of method for supervising, comprising:
The configuration monitoring rule comprises in the described monitoring rule that regular duration, the suspicious thresholding of flow, statistics duration, suspicious record count thresholding, and described regular duration is less than the statistics duration;
Obtain the number of times that the interior user of described regular duration carries out monitored operation, number of times and the suspicious thresholding of described flow of user in the described regular duration being carried out monitored operation compare, and when more than or equal to the suspicious thresholding of flow, judge that this user triggers suspicious thresholding;
Obtain that this user triggers the number of times of suspicious thresholding in the statistics duration, the number of times that user in the described statistics duration is triggered suspicious thresholding is counted thresholding with described suspicious record and is compared, and when counting thresholding more than or equal to described suspicious record, judges that the user is the violation user.
Wherein, also comprise flow thresholding in violation of rules and regulations in the described monitoring rule, described flow violation thresholding is greater than the suspicious thresholding of described flow;
Described method comprises that also number of times and the described flow violation thresholding of user in the regular duration being carried out monitored operation compare, if more than or equal to described flow violation thresholding, judges directly that then described user is the violation user.
Wherein, with the suspicious thresholding of described flow or flow in violation of rules and regulations thresholding or suspicious record count thresholding and compare and comprise:
After having added up the relevant information in a regular duration or the statistics duration, compare with corresponding thresholding again, perhaps, relevant information in regular duration of real-time statistics or the statistics duration, real-time and corresponding thresholding compares, and described relevant information is the number of times of carrying out monitored operation or the number of times that the user triggers suspicious thresholding.Such as, added up after the user carries out the number of times of monitored operation in the regular duration, again with the suspicious thresholding of described flow relatively, perhaps, the interior user of regular duration of monitoring carries out the number of times of monitored operation in real time, compares with the suspicious thresholding of described flow in real time.
Wherein, the number of times of the monitored operation of described execution is quantity that sends SMS message or the number of times that makes a call.
Wherein, described method also comprises: when disposing many monitoring rules, travel through described many monitoring rules the number of times of the monitored operation of user's execution is monitored, be judged as in violation of rules and regulations up to this user, perhaps, up to having traveled through all monitoring rules.
The method for supervising that present embodiment provides may further comprise the steps:
Steps A. rule definition block configuration monitoring rule, wherein, configurable one or more monitoring rule;
Step B. initial analysis module is counted the short message number of user's transmission or the calls of initiation, calculates the number of short of user's transmission in the regular duration or the calls of initiation;
Step C. compares number of short or calls that step B calculates gained with the threshold value in the monitoring rule, if reach flow thresholding in violation of rules and regulations, judge directly that then this user is the violation user; If reach the suspicious thresholding of flow, then judge and trigger the suspicious thresholding of flow, and this user record is sent to the subsequent analysis module carries out suspicious record statistical analysis; Otherwise return step B;
The user of the suspicious thresholding of triggering flow that step D. subsequent analysis module records step C sends, add up its number of times at a suspicious thresholding of statistics duration internal trigger flow, and count thresholding with the suspicious record of monitoring in the rule and compare, count thresholding if reach suspicious record, then this user is judged to be user in violation of rules and regulations, otherwise, return step B.
Below with reference to the accompanying drawings and in conjunction with exemplary embodiment, describe the present invention in detail.
Before supervising device work, need configuration at least one monitoring rule.The monitoring rule comprises: regular duration, the suspicious thresholding of flow, flow thresholding, statistics duration, suspicious record are in violation of rules and regulations counted thresholding.Wherein, the suspicious thresholding of flow needs less than flow violation thresholding, and the statistics duration needs greater than described regular duration.
Be example with the SMS monitoring among the following embodiment, call monitoring is similar.
Fig. 2 shows the flow chart according to the short message monitoring method of exemplary embodiment of the present invention, comprising:
S101 receives the monitoring request of sms center, obtains short message controlled messages body, has parsed information such as exhaling Subscriber Number according to this controlled messages body, carries out next step S102;
S102 takes out a monitoring rule from the monitoring rule of configuration.The monitoring rule of taking out will provide foundation for following counting, statistics, analytic process, carry out next step S103;
S103 based on the monitoring rule, to the number of short counting (employed counter guarantees not overflow under the normal condition) that this user is sent, carries out next step S104 in a regular duration;
S104 based on the monitoring rule, compares count value among the S103 and the suspicious thresholding of flow, if this count value reaches the suspicious thresholding of flow, carries out next step S105; Otherwise, carry out S109;
S105, record suspicious user information comprises rear subscriber number, suspicious thresholding triggered time of flow etc., carries out S106.
S106 based on the monitoring rule, calculates the suspicious record number of user in a statistics duration, and promptly the number of times of the suspicious thresholding of triggering rule flow is carried out S107.
S107 based on monitoring rule, judges whether statistical value among the S106 reaches suspicious record and count thresholding, if, execution S108; Otherwise this user is current normal, finishes this flow process, waits for that the monitoring request that receives sms center triggers new flow process;
S108, system is judged to be user in violation of rules and regulations with this user, finishes this flow process, waits for that the monitoring request that receives sms center triggers new flow process;
S109 based on the monitoring rule, compares count value among the S103 and flow violation thresholding, if count value reaches flow thresholding in violation of rules and regulations, carries out next step S108; Otherwise this user is current normal, finishes this flow process, waits for that the monitoring request that receives sms center triggers new flow process;
Wherein, if be provided with many monitoring rules in the system, then when the result of determination of S107 and S109 is "No", process ends not, return S102, continue to take off a monitoring rule and also this user is monitored, and so forth according to the monitoring rule, finish this flow process again until having traveled through all monitoring rules, wait for that the monitoring request that receives sms center triggers new flow process.
Fig. 3 shows the configuration diagram according to the short message monitoring system of exemplary embodiment of the present invention.In conjunction with Fig. 3 as can be seen this system comprise:
Control desk (human-computer interaction interface) 201 is used to monitor the configuration of rule etc. and the demonstration of user profile, and promptly this control desk combines the function of rule definition module and display module.On this control desk, both can carry out the configuration of data, as monitor the configuration of rule, the monitored results of system can be shown again.After the data configuration of control desk is finished, give initial analysis module 202 and database management operation module 203 synchronously with configuration data.
Database management operation module 203, major function is as follows: (1) is used for suspicious user information data-in storehouse 204 that initial analysis module 202 is sent, thereby provides data for the operations such as inquiry afterwards of follow-up statistical analysis and control desk 201; (2) realize the subsequent analysis function, receive the suspicious user record that initial analysis module 202 is sent, based on the monitoring rule suspicious record number in a statistics of the statistics suspicious user duration from database 204, and judged whether to reach the suspicious record that sets in the monitoring rule and counted thresholding.
As can be seen from the above description, the present invention has realized following technique effect: introduced the judgement of suspicious user and the statistical analysis that the user triggers suspicious thresholding record number in monitor procedure, it is less effectively to catch interior transmission of unit interval like this, but continue to send the user of refuse messages for a long time, and can avoid erroneous judgement normal users.
The present invention can expand to harassing call monitoring field, or other monitoring fields.
One of ordinary skill in the art will appreciate that all or part of step in the said method can instruct related hardware to finish by program, described program can be stored in the computer-readable recording medium, as read-only memory, disk or CD etc.Alternatively, all or part of step of the foregoing description also can use one or more integrated circuits to realize.Correspondingly, each the module/unit in the foregoing description can adopt the form of hardware to realize, also can adopt the form of software function module to realize.The present invention is not restricted to the combination of the hardware and software of any particular form.
The above is preferred embodiment of the present invention only, is not to be used to limit protection scope of the present invention, all any modifications of being done within the spirit and principles in the present invention, is equal to and replaces and improvement etc., all should be included within protection scope of the present invention.
Claims (10)
1. a method for supervising is characterized in that, comprising:
The configuration monitoring rule comprises in the described monitoring rule that regular duration, the suspicious thresholding of flow, statistics duration, suspicious record count thresholding, and described regular duration is less than the statistics duration;
Obtain the number of times that the interior user of described regular duration carries out monitored operation, number of times and the suspicious thresholding of described flow of user in the described regular duration being carried out monitored operation compare, and when more than or equal to the suspicious thresholding of flow, judge that this user triggers suspicious thresholding;
Obtain that this user triggers the number of times of suspicious thresholding in the statistics duration, the number of times that user in the described statistics duration is triggered suspicious thresholding is counted thresholding with described suspicious record and is compared, and when counting thresholding more than or equal to described suspicious record, judges that the user is the violation user.
2. the method for claim 1 is characterized in that,
Also comprise flow thresholding in violation of rules and regulations in the described monitoring rule, described flow violation thresholding is greater than the suspicious thresholding of described flow;
Described method comprises that also number of times and the described flow violation thresholding of user in the regular duration being carried out monitored operation compare, if more than or equal to described flow violation thresholding, judges directly that then described user is the violation user.
3. method as claimed in claim 1 or 2 is characterized in that, with the suspicious thresholding of described flow or flow in violation of rules and regulations thresholding or suspicious record count thresholding and compare and comprise:
After having added up the relevant information in a regular duration or the statistics duration, compare with corresponding thresholding again, perhaps, relevant information in regular duration of real-time statistics or the statistics duration, real-time and corresponding thresholding compares, and described relevant information is the number of times of carrying out monitored operation or the number of times that the user triggers suspicious thresholding.
4. method as claimed in claim 1 or 2 is characterized in that, the number of times of the monitored operation of described execution is quantity that sends SMS message or the number of times that makes a call.
5. method as claimed in claim 1 or 2, it is characterized in that, described method also comprises: when disposing many monitoring rules, traveling through described many monitoring rules monitors the number of times that the user carries out monitored operation, be judged as in violation of rules and regulations up to this user, perhaps, up to having traveled through all monitoring rules.
6. supervising device, it is characterized in that comprise rule definition module, initial analysis module and subsequent analysis module, described initial analysis module comprises first monitoring unit and first comparing unit, described subsequent analysis module comprises second monitoring unit and second comparing unit, wherein:
The rule definition module is used for: the configuration monitoring rule, comprise in the described monitoring rule that regular duration, the suspicious thresholding of flow, statistics duration, suspicious record count thresholding, and described regular duration is less than the statistics duration;
Described first monitoring unit is used for: obtain the number of times that the interior user of described regular duration carries out monitored operation;
Described first comparing unit is used for: number of times and the suspicious thresholding of described flow of user in the described regular duration being carried out monitored operation compare, when more than or equal to the suspicious thresholding of flow, judge that this user triggers suspicious thresholding, and notify described subsequent analysis module;
Described second monitoring unit is used for: obtain the number of times that interior this user of statistics duration triggers suspicious thresholding;
Described second comparing unit is used for: user in the described statistics duration is triggered the number of times of suspicious thresholding and described suspicious record count thresholding and compare, when counting thresholding more than or equal to described suspicious record, judge that the user be the violation user.
7. device as claimed in claim 6 is characterized in that,
Also comprise flow thresholding in violation of rules and regulations in the monitoring rule of described rule definition block configuration, described flow violation thresholding is greater than the suspicious thresholding of described flow;
Described first comparing unit also is used for: number of times and the described flow violation thresholding of user in the regular duration being carried out monitored operation compare, if more than or equal to described flow violation thresholding, judge directly that then described user is the violation user.
8. as claim 6 or 7 described devices, it is characterized in that,
Described first comparing unit is to be used for: after the user carries out the number of times of monitored operation in described first monitoring unit has been added up a regular duration, compare with suspicious thresholding of described flow or flow violation thresholding again; Perhaps, in real time the user of real-time statistics in regular duration of described first monitoring unit being carried out the number of times of monitored operation and the suspicious thresholding of described flow or the suspicious thresholding of flow compares;
Described second comparing unit is to be used for: after the user triggers the number of times of suspicious thresholding in described second monitoring unit has been added up a statistics duration, count thresholding relatively with described suspicious record again; Perhaps, in real time the user of real-time statistics in one of described second monitoring unit statistics duration being triggered the number of times of suspicious thresholding and described suspicious record counts thresholding and compares.
9. as claim 6 or 7 described devices, it is characterized in that the number of times of the monitored operation of described execution is quantity that sends SMS message or the number of times that makes a call.
10. as claim 6 or 7 described devices, it is characterized in that,
Described rule definition module is used to dispose many monitoring rules;
Described initial analysis module and subsequent analysis module are used to travel through described many monitoring rules to be monitored the number of times that the user carries out monitored operation, be judged as in violation of rules and regulations up to the user, perhaps, up to having traveled through all monitoring rules.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011101738349A CN102231888A (en) | 2011-06-24 | 2011-06-24 | Monitoring method and device |
| PCT/CN2012/072590 WO2012174897A1 (en) | 2011-06-24 | 2012-03-20 | Monitoring method and apparatus |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011101738349A CN102231888A (en) | 2011-06-24 | 2011-06-24 | Monitoring method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102231888A true CN102231888A (en) | 2011-11-02 |
Family
ID=44844412
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2011101738349A Pending CN102231888A (en) | 2011-06-24 | 2011-06-24 | Monitoring method and device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN102231888A (en) |
| WO (1) | WO2012174897A1 (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102378180A (en) * | 2011-11-24 | 2012-03-14 | 中兴通讯股份有限公司 | Method and device for determining user identity |
| WO2012174897A1 (en) * | 2011-06-24 | 2012-12-27 | 中兴通讯股份有限公司 | Monitoring method and apparatus |
| CN105592430A (en) * | 2014-10-20 | 2016-05-18 | 中兴通讯股份有限公司 | Homologous information-based short message monitoring method and system |
| CN106060053A (en) * | 2016-06-12 | 2016-10-26 | 上海携程商务有限公司 | Method and system for automatically identifying and cleaning abnormal connection based on firewall |
| CN107979561A (en) * | 2016-10-21 | 2018-05-01 | 中国电信股份有限公司 | For controlling the methods, devices and systems of malicious traffic stream |
| CN108650167A (en) * | 2018-04-02 | 2018-10-12 | 北京五八信息技术有限公司 | Method, apparatus, electronic equipment and the readable storage medium storing program for executing that message is sent |
| CN108663479A (en) * | 2017-03-27 | 2018-10-16 | 北京极体科技有限公司 | A method of realizing intelligent self-loopa detection monitoring |
| CN110062096A (en) * | 2019-04-23 | 2019-07-26 | 贵阳朗玛通信科技有限公司 | A kind of method and device for screening offending user |
| CN111246293A (en) * | 2018-11-28 | 2020-06-05 | 北京默契破冰科技有限公司 | Method, apparatus, and computer storage medium for monitoring user behavior |
| CN111461372A (en) * | 2020-03-27 | 2020-07-28 | 中国平安人寿保险股份有限公司 | Conference room monitoring method and system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2004017622A1 (en) * | 2002-08-16 | 2004-02-26 | Telefonaktiebolaget Lm Ericsson (Publ) | Real time charging of short message service in a telecommunications network |
| CN1997058A (en) * | 2005-12-29 | 2007-07-11 | 山东移动通信有限责任公司 | A method for monitoring of the high-traffic short message |
| CN101321070A (en) * | 2008-07-16 | 2008-12-10 | 中兴通讯股份有限公司 | Monitoring system and method for suspicious user |
| CN101472245A (en) * | 2007-12-27 | 2009-07-01 | 中国移动通信集团公司 | Method and apparatus for intercepting rubbish short message |
| CN101702801A (en) * | 2009-10-30 | 2010-05-05 | 中兴通讯股份有限公司 | Short message monitoring method and system |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101674540A (en) * | 2008-09-10 | 2010-03-17 | 中国移动通信集团上海有限公司 | Method, device and system for controlling short message sending |
| CN101827328A (en) * | 2010-04-14 | 2010-09-08 | 中兴通讯股份有限公司 | Device and method for monitoring short-message |
| CN102104847B (en) * | 2011-02-24 | 2015-01-28 | 中兴通讯股份有限公司 | Short message monitoring method based on flow and call-initiating areas |
| CN102231888A (en) * | 2011-06-24 | 2011-11-02 | 中兴通讯股份有限公司 | Monitoring method and device |
-
2011
- 2011-06-24 CN CN2011101738349A patent/CN102231888A/en active Pending
-
2012
- 2012-03-20 WO PCT/CN2012/072590 patent/WO2012174897A1/en active Application Filing
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2004017622A1 (en) * | 2002-08-16 | 2004-02-26 | Telefonaktiebolaget Lm Ericsson (Publ) | Real time charging of short message service in a telecommunications network |
| CN1997058A (en) * | 2005-12-29 | 2007-07-11 | 山东移动通信有限责任公司 | A method for monitoring of the high-traffic short message |
| CN101472245A (en) * | 2007-12-27 | 2009-07-01 | 中国移动通信集团公司 | Method and apparatus for intercepting rubbish short message |
| CN101321070A (en) * | 2008-07-16 | 2008-12-10 | 中兴通讯股份有限公司 | Monitoring system and method for suspicious user |
| CN101702801A (en) * | 2009-10-30 | 2010-05-05 | 中兴通讯股份有限公司 | Short message monitoring method and system |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2012174897A1 (en) * | 2011-06-24 | 2012-12-27 | 中兴通讯股份有限公司 | Monitoring method and apparatus |
| CN102378180A (en) * | 2011-11-24 | 2012-03-14 | 中兴通讯股份有限公司 | Method and device for determining user identity |
| CN105592430A (en) * | 2014-10-20 | 2016-05-18 | 中兴通讯股份有限公司 | Homologous information-based short message monitoring method and system |
| CN106060053A (en) * | 2016-06-12 | 2016-10-26 | 上海携程商务有限公司 | Method and system for automatically identifying and cleaning abnormal connection based on firewall |
| CN107979561B (en) * | 2016-10-21 | 2020-07-03 | 中国电信股份有限公司 | Method, device and system for controlling malicious traffic |
| CN107979561A (en) * | 2016-10-21 | 2018-05-01 | 中国电信股份有限公司 | For controlling the methods, devices and systems of malicious traffic stream |
| CN108663479A (en) * | 2017-03-27 | 2018-10-16 | 北京极体科技有限公司 | A method of realizing intelligent self-loopa detection monitoring |
| CN108650167A (en) * | 2018-04-02 | 2018-10-12 | 北京五八信息技术有限公司 | Method, apparatus, electronic equipment and the readable storage medium storing program for executing that message is sent |
| CN108650167B (en) * | 2018-04-02 | 2021-06-01 | 北京五八信息技术有限公司 | Message sending method and device, electronic equipment and readable storage medium |
| CN111246293A (en) * | 2018-11-28 | 2020-06-05 | 北京默契破冰科技有限公司 | Method, apparatus, and computer storage medium for monitoring user behavior |
| CN111246293B (en) * | 2018-11-28 | 2023-10-13 | 北京默契破冰科技有限公司 | Method, apparatus and computer storage medium for monitoring user behavior |
| CN110062096A (en) * | 2019-04-23 | 2019-07-26 | 贵阳朗玛通信科技有限公司 | A kind of method and device for screening offending user |
| CN111461372A (en) * | 2020-03-27 | 2020-07-28 | 中国平安人寿保险股份有限公司 | Conference room monitoring method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2012174897A1 (en) | 2012-12-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102231888A (en) | Monitoring method and device | |
| CN100479572C (en) | Method and system for monitoring suspicious user of rubbish SMS | |
| WO2016197675A1 (en) | Method and apparatus for identifying crank call | |
| CN105354492B (en) | Mobile communication terminal and message notification control method and device thereof | |
| US8755499B2 (en) | Methods, computer program products, and systems for managing voice over internet protocol (VOIP) network elements | |
| EP2339872A1 (en) | De-massing method of position advertising service based on regional strategy and system thereof | |
| WO2017172541A1 (en) | Systems and methods for measuring effective customer impact of network problems in real-time using streaming analytics | |
| CN104780185A (en) | Information sharing control method and device | |
| CN102088679A (en) | Working method and system of intelligent short message firewall of self-learning mobile terminal | |
| CN101321070B (en) | Monitoring system and method for suspicious user | |
| WO2016197646A1 (en) | Method and device for monitoring crank call | |
| CN108737622A (en) | Monitoring method of conversing and device | |
| CN103888919A (en) | Short message monitoring method and device thereof | |
| CN105101138A (en) | Method and system for controlling traffic, and terminal | |
| CN101635894A (en) | Monitoring system, monitoring method and information transmission method for junk information | |
| CN101702801A (en) | Short message monitoring method and system | |
| CN101610169A (en) | Internet multimedia content monitoring method and device thereof | |
| CN102104847B (en) | Short message monitoring method based on flow and call-initiating areas | |
| CN102595357A (en) | Short message monitoring method and system | |
| CN106911675A (en) | A kind of mobile phone Malware method for early warning and device | |
| CN101827328A (en) | Device and method for monitoring short-message | |
| CN101917309A (en) | Denial of service attack detection method for public service number under softswitch platform | |
| CN110072251B (en) | Method and device for analyzing user communication behavior and managing user | |
| CN101526979B (en) | Intelligent alarm, inquiry and monitor terminal | |
| CN112141832A (en) | Visual operation platform of elevator thing networking |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20111102 |
|
| RJ01 | Rejection of invention patent application after publication |