[go: up one dir, main page]

CN111200665B - User source tracing method and device and computer readable storage medium - Google Patents

User source tracing method and device and computer readable storage medium Download PDF

Info

Publication number
CN111200665B
CN111200665B CN201811375981.2A CN201811375981A CN111200665B CN 111200665 B CN111200665 B CN 111200665B CN 201811375981 A CN201811375981 A CN 201811375981A CN 111200665 B CN111200665 B CN 111200665B
Authority
CN
China
Prior art keywords
nat
log
dpi
aaa
logs
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811375981.2A
Other languages
Chinese (zh)
Other versions
CN111200665A (en
Inventor
关欣
於少菲
张军华
吴进夫
辛海英
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Liaoning Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201811375981.2A priority Critical patent/CN111200665B/en
Publication of CN111200665A publication Critical patent/CN111200665A/en
Application granted granted Critical
Publication of CN111200665B publication Critical patent/CN111200665B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/256NAT traversal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/069Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明提供一种用户溯源方法、装置及计算机可读存储介质,用于解决现有技术中在集中式CGN组网架构下无法实现用户溯源的技术问题。该方法包括:根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志;其中,该第一关联关系包括:DPI话单和NAT日志包含相同的关键字;根据NAT日志与AAA日志的第二关联关系,从多个AAA日志中确定出该至少一个NAT日志关联的至少一个AAA日志;其中,该第二关联关系包括:NAT日志与AAA日志包含相同的关键字;确定该至少一个AAA日志中的用户账号,并将该用户账号确定为该待溯源DPI话单的溯源结果。

Figure 201811375981

The present invention provides a user traceability method, a device and a computer-readable storage medium, which are used to solve the technical problem that the user traceability cannot be realized under the centralized CGN networking architecture in the prior art. The method includes: determining at least one NAT log associated with the DPI bill to be traced from a plurality of NAT logs according to a first association relationship between the DPI bill and the NAT log; wherein the first association includes: the DPI bill and the NAT log. The NAT log contains the same keyword; according to the second association relationship between the NAT log and the AAA log, at least one AAA log associated with the at least one NAT log is determined from multiple AAA logs; wherein, the second association relationship includes: NAT The log and the AAA log contain the same keywords; the user account in the at least one AAA log is determined, and the user account is determined as the traceability result of the DPI bill to be traced.

Figure 201811375981

Description

一种用户溯源方法、装置及计算机可读存储介质A kind of user traceability method, device and computer readable storage medium

技术领域technical field

本发明涉及网络通信技术领域,特别涉及一种用户溯源方法、装置及计算机可读存储介质。The present invention relates to the technical field of network communication, and in particular, to a user traceability method, device and computer-readable storage medium.

背景技术Background technique

目前,运营商级网络地址转换(Carrier-Grade Network Address Translation,CGN设备存在多种部署场景,主要有分布式和集中式两种。At present, carrier-grade network address translation (Carrier-Grade Network Address Translation, CGN equipment has various deployment scenarios, mainly distributed and centralized.

图1为现有技术中分布式CGN系统的组网结构图。在分布式CGN系统中,CGN设备直接挂载在宽带远程接入服务器(Broadband Remote Access Server,BRAS)设备上,网络地址转换技术一是采用静态地址映射,即内部网络的私有IP地址转换为公有IP地址时,IP地址是一对一的,端口是端口号固定且连续的端口块。当用户上线后,认证授权计费(Authentication-Authorization-Accounting,AAA)设备记录用户账号,BRAS将用户的私网IP,映射的公网IP及端口块序号上报AAA设备,用户产生上网记录后,深度包检测(DeepPacket Inspection,DPI)设备记录用户上网的源IP、源端口号、目的IP及目的端口号。这种组网架构下用户溯源所采用的关联算法为:DPI设备中的源IP=AAA设备中的公网IP,DPI设备中的源端口号>AAA设备中的公网端块起始号&DPI.源端口号<AAA设备中的公网端块终止号。FIG. 1 is a network structure diagram of a distributed CGN system in the prior art. In a distributed CGN system, the CGN device is directly mounted on the Broadband Remote Access Server (BRAS) device. The first network address translation technology uses static address mapping, that is, the private IP address of the internal network is converted to the public one. In the case of IP addresses, the IP addresses are one-to-one, and the ports are a block of fixed and continuous port numbers. After the user goes online, the Authentication-Authorization-Accounting (AAA) device records the user account, and the BRAS reports the user's private network IP, the mapped public network IP and port block serial number to the AAA device. A deep packet inspection (Deep Packet Inspection, DPI) device records the source IP, source port number, destination IP and destination port number of the user surfing the Internet. The association algorithm used for user source tracing in this networking architecture is: source IP in DPI device = public network IP in AAA device, source port number in DPI device > public network end block start number in AAA device & DPI .source port number < public network end block termination number in the AAA device.

图2为现有技术中集中式CGN系统的组网结构图。分布式系统不同的是,集中式CGN系统中的CGN设备是挂载在核心路由器(Core Router,CR)上,网络地址转换技术一是采用动态地址转换,即内部网络的私有IP地址在转换为公网IP地址时,转换后的公网IP不确定的,是随机的。而在这种组网架构下,现有技术无法实现用户上网记录的溯源。FIG. 2 is a network structure diagram of a centralized CGN system in the prior art. The difference between the distributed system is that the CGN equipment in the centralized CGN system is mounted on the core router (Core Router, CR). The first network address translation technology uses dynamic address translation, that is, the private IP address of the internal network is converted to When the public network IP address is used, the converted public network IP is uncertain and random. However, under such a networking architecture, the existing technology cannot realize the traceability of the user's online records.

发明内容SUMMARY OF THE INVENTION

本发明实施例提供一种用户溯源方法、装置及计算机可读存储介质,用于解决现有技术中在集中式CGN组网架构下无法实现用户溯源的技术问题。Embodiments of the present invention provide a user traceability method, device, and computer-readable storage medium, which are used to solve the technical problem in the prior art that user traceability cannot be achieved under a centralized CGN networking architecture.

第一方面,本发明实施例提供一种用户溯源方法,应用于集中式CGN系统,所述方法包括:In a first aspect, an embodiment of the present invention provides a user traceability method, which is applied to a centralized CGN system, and the method includes:

根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志;其中,所述第一关联关系包括:DPI话单和NAT日志包含相同的关键字;According to the first association relationship between the DPI bill and the NAT log, at least one NAT log associated with the to-be-traced DPI bill is determined from the multiple NAT logs; wherein the first association relationship includes: the DPI bill and the NAT log include: the same keyword;

根据NAT日志与AAA日志的第二关联关系,从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志;其中,所述第二关联关系包括:NAT日志与AAA日志包含相同的关键字;According to the second association relationship between the NAT log and the AAA log, at least one AAA log associated with the at least one NAT log is determined from the plurality of AAA logs; wherein the second association relationship includes: the NAT log and the AAA log contain the same keyword;

确定所述至少一个AAA日志中的用户账号,并将所述用户账号确定为所述待溯源DPI话单的溯源结果。Determine the user account in the at least one AAA log, and determine the user account as the traceability result of the DPI bill to be traced.

本实施方式在对DPI话单进行用户溯源时,根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志;根据NAT日志与AAA日志的第二关联关系,从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志;确定所述至少一个AAA日志中的用户账号,并将所述用户账号确定为所述待溯源DPI话单的溯源结果,解决现有技术中在集中式CGN组网架构下无法实现用户溯源的技术问题,并且对现有的集中式CGN系统组网架构改造较小,适用性强。When performing user source tracing on DPI bills in this embodiment, at least one NAT log associated with the DPI bills to be traced is determined from multiple NAT logs according to the first association relationship between DPI bills and NAT logs; The second association relationship of AAA logs, determining at least one AAA log associated with the at least one NAT log from multiple AAA logs; determining a user account in the at least one AAA log, and determining the user account as all The traceability results of the DPI bills to be traced are described, which solves the technical problem that user traceability cannot be achieved in the centralized CGN networking architecture in the prior art, and the existing centralized CGN system networking architecture is relatively small and has strong applicability. .

可选的,所述第一关联关系包括以下中的至少一种:Optionally, the first association relationship includes at least one of the following:

DPI话单中的源IP地址与NAT日志中的NAT后的IP地址相同;The source IP address in the DPI bill is the same as the IP address after NAT in the NAT log;

DPI话单中的源端口与NAT日志中的NAT后的端口相同;The source port in the DPI bill is the same as the port after NAT in the NAT log;

DPI话单中的目的IP地址与NAT日志中的目的IP地址相同;The destination IP address in the DPI bill is the same as the destination IP address in the NAT log;

DPI话单中的目的端口与NAT日志中的目的端口相同。The destination port in the DPI bill is the same as the destination port in the NAT log.

本实施方式提供了多种第一关联关系的实现方式,使得DPI话单到NAT日志的溯源过程可以更加灵活。This embodiment provides multiple implementation manners of the first association relationship, so that the source tracing process from the DPI bill to the NAT log can be more flexible.

可选的,根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志,包括:Optionally, according to the first association relationship between the DPI bill and the NAT log, determine at least one NAT log associated with the DPI bill to be traced from the multiple NAT logs, including:

从多个NAT日志中确定出NAT会话开始时间早于所述待溯源DPI话单中的最小时间戳所标识的时间且NAT会话结束时间晚于所述待溯源DPI话单中的最大时间戳所标识的时间的至少一个NAT日志;或It is determined from multiple NAT logs that the start time of the NAT session is earlier than the time identified by the minimum time stamp in the DPI CDR to be traced, and the end time of the NAT session is later than the maximum time stamp in the DPI CDR to be traced. at least one NAT log for the identified time; or

从多个NAT日志中确定出NAT会话开始时间早于所述待溯源DPI话单中的最小时间戳所标识的时间且NAT会话结束时间晚于所述待溯源DPI话单中的最大时间戳所标识的时间之后的预设时间的至少一个NAT日志。It is determined from multiple NAT logs that the start time of the NAT session is earlier than the time identified by the minimum time stamp in the DPI CDR to be traced, and the end time of the NAT session is later than the maximum time stamp in the DPI CDR to be traced. At least one NAT log for a preset time after the identified time.

通过本实施方式进一步避免私网IP地址的重用导致的匹配错误问题,进一步提高了用户溯源的精准度。This embodiment further avoids the problem of matching errors caused by the reuse of private network IP addresses, and further improves the accuracy of user source tracing.

可选的,所述第二关联关系,包括:Optionally, the second association relationship includes:

NAT日志中的NAT前的IP地址与AAA日志中的私网IP地址相同。The pre-NAT IP address in the NAT log is the same as the private network IP address in the AAA log.

本实施方式基于NAT日志中的NAT前的IP地址和AAA日志中的私网IP地址实现NAT日志到AAA日志的溯源过程,保证了用户溯源的可靠性。This embodiment implements the source tracing process from the NAT log to the AAA log based on the pre-NAT IP address in the NAT log and the private network IP address in the AAA log, which ensures the reliability of user source tracing.

可选的,根据NAT日志与AAA日志的第二关联关系,从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志,包括:Optionally, according to the second association relationship between the NAT log and the AAA log, determine at least one AAA log associated with the at least one NAT log from multiple AAA logs, including:

从多个AAA日志中确定出用户上线时间早于所述至少一个NAT日志中的NAT会话开始时间且用户下线时间晚于所述至少一个NAT日志中的NAT会话结束时间的AAA日志。It is determined from the plurality of AAA logs that the user online time is earlier than the NAT session start time in the at least one NAT log and the user offline time is later than the NAT session end time in the at least one NAT log.

通过本实施方式可避免私网IP地址的重用导致的匹配错误问题,进一步提高了用户溯源的精准度。This embodiment can avoid the problem of matching errors caused by the reuse of private network IP addresses, and further improve the accuracy of user source tracing.

可选的,在从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志之前,还包括:Optionally, before the at least one AAA log associated with the at least one NAT log is determined from the multiple AAA logs, the method further includes:

根据session_ID和BRAS_IP从所述多个AAA日志中确定出对应同一用户的上线记录和下线记录,并将对应于同一用户的上线记录和下线记录关联成一条记录;Determine the online record and the offline record corresponding to the same user from the multiple AAA logs according to the session_ID and BRAS_IP, and associate the online record and the offline record corresponding to the same user into one record;

在确定任一上线记录没有对应的下线记录时,将所述任一上线记录关联一条下线时间为无限大的下线记录。When it is determined that any online record does not have a corresponding offline record, any online record is associated with an offline record whose offline time is infinite.

通过本实施方式可避免私网IP地址被不同用户的重复使用导致的匹配错误问题,进一步提高了用户溯源的精准度。This embodiment can avoid the problem of matching errors caused by the repeated use of private network IP addresses by different users, and further improve the accuracy of user source tracing.

可选的,在根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志之前,还包括:Optionally, before determining at least one NAT log associated with the DPI bill to be traced from the multiple NAT logs according to the first association relationship between the DPI bill and the NAT log, the method further includes:

从DPI设备中采集所述待溯源的DPI话单;Collect the DPI bill to be traced from the DPI device;

从NAT设备中采集所述多个NAT日志;Collect the multiple NAT logs from the NAT device;

从AAA设备中采集所述多个AAA日志。The multiple AAA logs are collected from the AAA device.

通过本实施方式可以获得用户溯源过程所需的数据,保证用户溯源方法的可靠性。The data required for the user traceability process can be obtained through this implementation manner, thereby ensuring the reliability of the user traceability method.

第二方面,本发明实施例提供一种用户溯源装置,包括:In a second aspect, an embodiment of the present invention provides a user traceability device, including:

第一确定单元,用于根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志;其中,所述第一关联关系包括:DPI话单和NAT日志包含相同的关键字;The first determining unit is configured to determine at least one NAT log associated with the DPI bill to be traced from the plurality of NAT logs according to the first association relationship between the DPI bill and the NAT log; wherein the first association relationship includes: DPI bills and NAT logs contain the same keywords;

第二确定单元,用于根据NAT日志与AAA日志的第二关联关系,从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志;其中,所述第二关联关系包括:NAT日志与AAA日志包含相同的关键字;A second determining unit, configured to determine at least one AAA log associated with the at least one NAT log from a plurality of AAA logs according to the second association relationship between the NAT log and the AAA log; wherein the second association relationship includes: NAT logs contain the same keywords as AAA logs;

第三确定单元,用于确定所述至少一个AAA日志中的用户账号,并将所述用户账号确定为所述待溯源DPI话单的溯源结果。The third determining unit is configured to determine the user account in the at least one AAA log, and determine the user account as the traceability result of the DPI bill to be traced.

可选的,所述第一关联关系包括以下中的至少一种:Optionally, the first association relationship includes at least one of the following:

DPI话单中的源IP地址与NAT日志中的NAT后的IP地址相同;The source IP address in the DPI bill is the same as the IP address after NAT in the NAT log;

DPI话单中的源端口与NAT日志中的NAT后的端口相同;The source port in the DPI bill is the same as the port after NAT in the NAT log;

DPI话单中的目的IP地址与NAT日志中的目的IP地址相同;The destination IP address in the DPI bill is the same as the destination IP address in the NAT log;

DPI话单中的目的端口与NAT日志中的目的端口相同。The destination port in the DPI bill is the same as the destination port in the NAT log.

可选的,所述第一确定单元具体用于:从多个NAT日志中确定出NAT会话开始时间早于所述待溯源DPI话单中的最小时间戳所标识的时间且NAT会话结束时间晚于所述待溯源DPI话单中的最大时间戳所标识的时间的至少一个NAT日志;或Optionally, the first determining unit is specifically configured to: determine from multiple NAT logs that the start time of the NAT session is earlier than the time identified by the minimum time stamp in the DPI bill of the source to be traced and the end time of the NAT session is later. At least one NAT log at the time identified by the maximum timestamp in the to-be-traced DPI CDR; or

从多个NAT日志中确定出NAT会话开始时间早于所述待溯源DPI话单中的最小时间戳所标识的时间且NAT会话结束时间晚于所述待溯源DPI话单中的最大时间戳所标识的时间之后的预设时间的至少一个NAT日志。It is determined from multiple NAT logs that the start time of the NAT session is earlier than the time identified by the minimum time stamp in the DPI CDR to be traced, and the end time of the NAT session is later than the maximum time stamp in the DPI CDR to be traced. At least one NAT log for a preset time after the identified time.

可选的,所述第二关联关系,包括:Optionally, the second association relationship includes:

NAT日志中的NAT前的IP地址与AAA日志中的私网IP地址相同。The pre-NAT IP address in the NAT log is the same as the private network IP address in the AAA log.

可选的,所述第二确定单元具体用于:Optionally, the second determining unit is specifically used for:

从多个AAA日志中确定出用户上线时间早于所述至少一个NAT日志中的NAT会话开始时间且用户下线时间晚于所述至少一个NAT日志中的NAT会话结束时间的AAA日志。It is determined from the plurality of AAA logs that the user online time is earlier than the NAT session start time in the at least one NAT log and the user offline time is later than the NAT session end time in the at least one NAT log.

可选的,所述装置还包括:Optionally, the device further includes:

关联单元,用于在所述第二确定单元从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志之前,根据session_ID和BRAS_IP从所述多个AAA日志中确定出对应同一用户的上线记录和下线记录,并将对应于同一用户的上线记录和下线记录关联成一条记录;在确定任一上线记录没有对应的下线记录时,将所述任一上线记录关联一条下线时间为无限大的下线记录。an association unit, configured to determine from the multiple AAA logs according to session_ID and BRAS_IP that the corresponding same User's online record and offline record, and associate the online record and offline record corresponding to the same user into one record; when it is determined that any online record does not have a corresponding offline record, associate any online record with a record The offline time is an infinite offline record.

可选的,所述装置还包括:Optionally, the device further includes:

采集单元,用于在所述第一确定单元根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志之前,从DPI设备中采集所述待溯源的DPI话单、从NAT设备中采集所述多个NAT日志以及从AAA设备中采集所述多个AAA日志。The collecting unit is configured to, before the first determining unit determines at least one NAT log associated with the DPI bill to be traced from the multiple NAT logs according to the first association relationship between the DPI bill and the NAT log, from the DPI device The DPI bills to be traced are collected, the multiple NAT logs are collected from the NAT device, and the multiple AAA logs are collected from the AAA device.

第三方面,本发明实施例提供一种用户溯源装置,包括:In a third aspect, an embodiment of the present invention provides a user traceability device, including:

至少一个处理器,以及at least one processor, and

与所述至少一个处理器通信连接的存储器;a memory communicatively coupled to the at least one processor;

其中,所述存储器存储有可被所述至少一个处理器执行的指令,所述至少一个处理器通过执行所述存储器存储的指令执行本发明实施例第一方面或第一方面的任一种可选的实施方式所述的方法。Wherein, the memory stores instructions that can be executed by the at least one processor, and the at least one processor executes the first aspect or any one of the first aspects of the embodiments of the present invention by executing the instructions stored in the memory. The method described in the selected embodiment.

第四方面,本发明实施例提供一种计算机可读存储介质,所述计算机可读存储介质存储有计算机指令,当所述计算机指令在计算机上运行时,使得计算机执行本发明实施例第一方面或第一方面的任一种可选的实施方式所述的方法。In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, where computer instructions are stored in the computer-readable storage medium, and when the computer instructions are executed on a computer, the computer can execute the first aspect of the embodiment of the present invention. or the method described in any optional implementation manner of the first aspect.

本发明实施例中提供的一个或多个技术方案,至少具有如下技术效果或优点:One or more technical solutions provided in the embodiments of the present invention have at least the following technical effects or advantages:

本发明实施例技术方案在对DPI话单进行用户溯源时,根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志;根据NAT日志与AAA日志的第二关联关系,从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志;确定所述至少一个AAA日志中的用户账号,并将所述用户账号确定为所述待溯源DPI话单的溯源结果,解决现有技术中在集中式CGN组网架构下无法实现用户溯源的技术问题,并且对现有的集中式CGN系统组网架构改造较小,适用性强。The technical solution of the embodiment of the present invention is to determine at least one NAT log associated with the DPI bill to be traced from the plurality of NAT logs according to the first association relationship between the DPI bill and the NAT log; The second association relationship between the NAT log and the AAA log is to determine at least one AAA log associated with the at least one NAT log from multiple AAA logs; determine the user account in the at least one AAA log, and assign the user account to the user account. It is determined to be the traceability result of the DPI bill to be traced, solves the technical problem that user traceability cannot be realized under the centralized CGN networking architecture in the prior art, and the transformation of the existing centralized CGN system networking architecture is relatively small, Strong applicability.

附图说明Description of drawings

为了更清楚地说明本发明实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简要介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the following briefly introduces the accompanying drawings used in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained from these drawings without any creative effort.

图1为现有技术中分布式CGN系统的组网结构图;Fig. 1 is a network structure diagram of a distributed CGN system in the prior art;

图2为现有技术中集中式CGN系统的组网结构图;Fig. 2 is the networking structure diagram of the centralized CGN system in the prior art;

图3为本发明实施例中用户溯源方法的流程示意图;3 is a schematic flowchart of a user traceability method in an embodiment of the present invention;

图4为本发明实施例中DPI话单、NAT日志及AAA日志的生成和采集过程示意图;4 is a schematic diagram of the generation and collection process of DPI bills, NAT logs, and AAA logs in an embodiment of the present invention;

图5为本发明实施例中一种可能的多种数据关联的方法示意图;5 is a schematic diagram of a possible method for multiple data association in an embodiment of the present invention;

图6为本发明实施例中用户溯源装置的结构示意图;6 is a schematic structural diagram of a user traceability device in an embodiment of the present invention;

图7为本发明实施例中用户溯源装置的结构示意图。FIG. 7 is a schematic structural diagram of a user traceability device in an embodiment of the present invention.

具体实施方式Detailed ways

下面通过附图以及具体实施例对本发明技术方案做详细的说明,应当理解本发明实施例以及实施例中的具体特征是对本发明技术方案的详细的说明,而不是对本发明技术方案的限定,在不冲突的情况下,本发明实施例以及实施例中的技术特征可以相互组合。The technical solutions of the present invention will be described in detail below with reference to the accompanying drawings and specific embodiments. If there is no conflict, the embodiments of the present invention and the technical features in the embodiments may be combined with each other.

需要理解的是,在本发明实施例的描述中,“第一”、“第二”等词汇,仅用于区分描述的目的,而不能理解为指示或暗示相对重要性,也不能理解为指示或暗示顺序。在本发明实施例的描述中“多个”,是指两个或两个以上。It should be understood that, in the description of the embodiments of the present invention, words such as "first" and "second" are only used for the purpose of distinguishing the description, and should not be understood as indicating or implying relative importance, nor should it be understood as indicating or implied order. In the description of the embodiments of the present invention, "plurality" refers to two or more.

本发明实施例中的术语“和/或”,仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,本文中字符“/”,一般表示前后关联对象是一种“或”的关系。The term "and/or" in this embodiment of the present invention is only an association relationship for describing associated objects, indicating that there may be three kinds of relationships, for example, A and/or B, which may indicate that A exists alone, and A and B exist at the same time. B, there are three cases of B alone. In addition, the character "/" in this document generally indicates that the related objects are an "or" relationship.

本发明实施例提供一种用户溯源方法、装置及计算机可读存储介质,应用于集中式CGN系统中,用以解决现有技术在集中式CGN组网架构下无法实现用户溯源的技术问题。Embodiments of the present invention provide a user traceability method, device, and computer-readable storage medium, which are applied in a centralized CGN system to solve the technical problem that user traceability cannot be achieved in the prior art under the centralized CGN networking architecture.

参见图3,该用户溯源方法包括:Referring to Figure 3, the user traceability method includes:

S101:根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志;其中,所述第一关联关系包括:DPI话单和NAT日志包含相同的关键字;S101: According to the first association relationship between the DPI bill and the NAT log, determine at least one NAT log associated with the DPI bill to be traced from multiple NAT logs; wherein the first association includes: the DPI bill and the NAT log The logs contain the same keywords;

S102:根据NAT日志与AAA日志的第二关联关系,从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志;其中,所述第二关联关系包括:NAT日志与AAA日志包含相同的关键字;S102: Determine at least one AAA log associated with the at least one NAT log from multiple AAA logs according to the second association relationship between the NAT log and the AAA log; wherein the second association relationship includes: the NAT log and the AAA log contain the same keywords;

S103:确定所述至少一个AAA日志中的用户账号,并将所述用户账号确定为所述待溯源DPI话单的溯源结果。S103: Determine the user account in the at least one AAA log, and determine the user account as the traceability result of the DPI bill to be traced.

具体的,在执行上述步骤S101、S102以及S103之前,先从DPI设备中采集所述待溯源的DPI话单、从NAT设备中采集所述多个NAT日志以及从AAA设备中采集所述多个AAA日志。图4为本发明实施例中DPI话单、NAT日志以及AAA日志的生成和采集过程的示意图。Specifically, before performing the above steps S101, S102 and S103, first collect the DPI bills to be traced from the DPI device, collect the multiple NAT logs from the NAT device, and collect the multiple NAT logs from the AAA device AAA logs. FIG. 4 is a schematic diagram of a process of generating and collecting a DPI bill, a NAT log, and an AAA log in an embodiment of the present invention.

在具体实施时,由于同一个私网IP在不同时间段可能被不同的用户使用,为避免私网IP地址的重用导致的匹配错误问题,在从AAA设备中采集到所述AAA日志之后、在从所述多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志之前,可进一步将同一用户的上线记录和下线记录进行关联。During specific implementation, since the same private network IP may be used by different users in different time periods, in order to avoid the matching error problem caused by the reuse of the private network IP address, after collecting the AAA log from the AAA device, Before at least one AAA log associated with the at least one NAT log is determined from the multiple AAA logs, the online record and the offline record of the same user may be further associated.

其中,关联同一用户的上线记录和下线记录的具体实施方式包括:将session_ID和BRAS_IP的组合作为唯一标识匹配预定时间范围内的对应同一用户的上下线记录,并将对应于同一用户的上线记录和下线记录关联成一条记录,如果在确定任一上线记录没有对应的下线记录时,将所述任一上线记录关联一条下线时间为无限大的下线记录。其中,BRAS_IP是给用户分配私网IP的BRAS设备的IP地址;session_ID是BRAS设备给用户分配私网IP时,每个会话的唯一标识。The specific implementation of associating the online and offline records of the same user includes: using the combination of session_ID and BRAS_IP as a unique identifier to match the online and offline records corresponding to the same user within a predetermined time range, and matching the online records corresponding to the same user. It is associated with the offline record to form a record. If it is determined that any online record does not have a corresponding offline record, any online record is associated with an offline record whose offline time is infinite. The BRAS_IP is the IP address of the BRAS device that assigns the private network IP to the user; the session_ID is the unique identifier of each session when the BRAS device assigns the private network IP to the user.

在本发明实施例中,步骤S101中的第一关联关系包括但不限于以下四种:In this embodiment of the present invention, the first association relationship in step S101 includes but is not limited to the following four types:

1)DPI话单中的源IP地址与NAT日志中的NAT后的IP地址(也可称为NAT日志中的源IP地址)相同;1) The source IP address in the DPI CDR is the same as the post-NAT IP address in the NAT log (also referred to as the source IP address in the NAT log);

2)DPI话单中的源端口与NAT日志中的NAT后的端口(也可称为NAT日志中的源端口)相同;2) The source port in the DPI bill is the same as the post-NAT port in the NAT log (also referred to as the source port in the NAT log);

3)DPI话单中的目的IP地址与NAT日志中的目的IP地址相同;3) The destination IP address in the DPI bill is the same as the destination IP address in the NAT log;

4)DPI话单中的目的端口与NAT日志中的目的端口相同。4) The destination port in the DPI bill is the same as the destination port in the NAT log.

在具体实施时,上述四种关联关系可以分别单独实施,也可以相互结合实施,本发明实施例不做具体限制。During specific implementation, the above-mentioned four kinds of association relationships may be implemented separately, or may be implemented in combination with each other, which is not specifically limited in the embodiment of the present invention.

例如,DPI话单与NAT日志的一种可能关联算法为:For example, a possible correlation algorithm for DPI bills and NAT logs is:

DPI.源IP=NAT.源IP;DPI.sourceIP=NAT.sourceIP;

DPI.目的IP=NAT.目的IP;DPI.destination IP=NAT.destination IP;

DPI.源端口=NAT.源端口;DPI.sourceport=NAT.sourceport;

DPI.目的端口=NAT.目的端口。DPI.destination port=NAT.destination port.

为了进一步避免私网IP地址的重用导致的匹配错误问题,步骤S101从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志时,还可以进一步对上述关联算法的数据作用范围进行限制,比如根据NAT日志的NAT会话开始时间和NAT会话结束时间确定关联算法的数据作用范围进行限制,以此进一步提高用户溯源的精准度。具体实施方式包括但不限于以下四种:In order to further avoid the problem of matching errors caused by the reuse of private network IP addresses, in step S101, when at least one NAT log associated with the DPI bill to be traced is determined from multiple NAT logs, the data scope of the above association algorithm may be further performed. Restrictions, for example, determine the data scope of the correlation algorithm based on the NAT session start time and NAT session end time of the NAT log, so as to further improve the accuracy of user traceability. Specific implementations include but are not limited to the following four:

1)NAT会话开始时间早于所述待溯源DPI话单中的最小时间戳所标识的时间且NAT会话结束时间晚于所述待溯源DPI话单中的最大时间戳所标识的时间;1) The start time of the NAT session is earlier than the time identified by the minimum timestamp in the DPI bill to be traced and the end time of the NAT session is later than the time identified by the maximum timestamp in the DPI bill to be traced;

2)NAT会话开始时间早于所述待溯源DPI话单中的最小时间戳所标识的时间且NAT会话结束时间晚于所述待溯源DPI话单中的最大时间戳所标识的时间之后的第一预设时间;2) The start time of the NAT session is earlier than the time identified by the minimum time stamp in the DPI CDR to be traced and the end time of the NAT session is later than the time identified by the maximum time stamp in the DPI CDR to be traced; a preset time;

3)NAT会话开始时间早于所述待溯源DPI话单中的最小时间戳所标识的时间之前的第二预设时间且NAT会话结束时间晚于所述待溯源DPI话单中的最大时间戳所标识的时间;3) The start time of the NAT session is earlier than the second preset time before the time identified by the minimum timestamp in the DPI bill to be traced and the end time of the NAT session is later than the maximum timestamp in the DPI bill to be traced the time identified;

4)NAT会话开始时间早于所述待溯源DPI话单中的最小时间戳所标识的时间之前的第三预设时间且NAT会话结束时间晚于所述待溯源DPI话单中的最大时间戳所标识的时间之后的第四预设时间。4) The start time of the NAT session is earlier than the third preset time before the time identified by the minimum timestamp in the DPI bill to be traced and the end time of the NAT session is later than the maximum timestamp in the DPI bill to be traced A fourth preset time after the identified time.

例如:E.g:

NAT设备的会话老化时间为X=NAT session aging time;The session aging time of the NAT device is X=NAT session aging time;

数据批处理的最小时延=X;The minimum delay of data batch processing = X;

A=DPI话单中最小时间戳;A=minimum timestamp in DPI CDR;

B=DPI话单中最大时间戳;B=Maximum timestamp in DPI CDR;

DPI数据范围=时间域A至B;DPI data range = time domain A to B;

则批处理中算法作用的NAT日志数据范围=时间域A至(B+X)。Then the range of NAT log data used by the algorithm in the batch process = time domain A to (B+X).

在本发明实施例中,步骤S102中的所述第二关联关系,包括:NAT日志中的NAT前的IP地址与AAA日志中的私网IP地址相同。In this embodiment of the present invention, the second association relationship in step S102 includes: the pre-NAT IP address in the NAT log is the same as the private network IP address in the AAA log.

为了进一步避免私网IP地址的重用导致的匹配错误问题,步骤S102从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志时,还可以进一步对关联算法的数据作用范围进行限制,比如根据AAA日志中用户上下线时间确定关联算法的数据作用范围进行限制,以此进一步提高溯源的精准度。具体实施方式包括:用户上线时间早于所述至少一个NAT日志中的NAT会话开始时间且用户下线时间晚于所述至少一个NAT日志中的NAT会话结束时间。In order to further avoid the problem of matching errors caused by the reuse of private network IP addresses, in step S102, when at least one AAA log associated with the at least one NAT log is determined from multiple AAA logs, the data scope of the association algorithm may be further performed. Restrictions, such as determining the data scope of the correlation algorithm based on the user's online and offline time in the AAA log, to further improve the accuracy of traceability. Specific implementations include: the user online time is earlier than the NAT session start time in the at least one NAT log and the user offline time is later than the NAT session end time in the at least one NAT log.

为了便于更清楚地理解本发明实施例技术方案,下面例举一种可能的多种数据关联的方法。In order to facilitate a clearer understanding of the technical solutions of the embodiments of the present invention, a possible method for multiple data associations is exemplified below.

参见图5,在对DPI话单进行溯源时,先从预设时间范围内的多个NAT日志中确定出NAT后IP与DPI话单中的源IP相同,NAT后端口与DPI话单中的源IP相同,目的IP与DPI话单中的目的IP相同,以及目的端口与DPI话单中的目的端口相同的NAT日志;然后从预设时间范围内的多个AAA日志中确定出私网IP与确定出的NAT日志中的私网IP(即NAT前的IP)相同的AAA日志;最后根据私网IP和用户账号对应关系确定出AAA日志中私网IP对应的用户账号,完成用户溯源。Referring to Figure 5, when tracing the source of the DPI bill, it is first determined from multiple NAT logs within a preset time range that the IP after NAT is the same as the source IP in the DPI bill, and the port after NAT is the same as the source IP in the DPI bill. The source IP is the same, the destination IP is the same as the destination IP in the DPI bill, and the NAT log of the destination port is the same as the destination port in the DPI bill; then the private network IP is determined from multiple AAA logs within the preset time range The AAA log is the same as the private network IP in the determined NAT log (that is, the IP before NAT). Finally, according to the correspondence between the private network IP and the user account, the user account corresponding to the private network IP in the AAA log is determined to complete the user source tracing.

在本发明实施例中,在对DPI话单进行用户溯源时,根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志;根据NAT日志与AAA日志的第二关联关系,从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志;确定所述至少一个AAA日志中的用户账号,并将所述用户账号确定为所述待溯源DPI话单的溯源结果,解决现有技术中在集中式CGN组网架构下无法实现用户溯源的技术问题,并且对现有的集中式CGN系统组网架构改造较小,适用性强。In the embodiment of the present invention, when performing user source tracing on DPI bills, at least one NAT log associated with the DPI bills to be traced is determined from a plurality of NAT logs according to the first association relationship between the DPI bills and the NAT log; According to the second association relationship between the NAT log and the AAA log, determine at least one AAA log associated with the at least one NAT log from multiple AAA logs; determine a user account in the at least one AAA log, and assign the user account to the user account. The account number is determined as the traceability result of the DPI bill to be traced, which solves the technical problem that the user traceability cannot be realized in the centralized CGN networking architecture in the prior art, and the transformation of the existing centralized CGN system networking architecture is relatively small. , the applicability is strong.

参见图6,基于同一发明构思,本发明实施例还提供一种用户溯源装置,包括:Referring to FIG. 6, based on the same inventive concept, an embodiment of the present invention further provides a user traceability device, including:

第一确定单元201,用于根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志;其中,所述第一关联关系包括:DPI话单和NAT日志包含相同的关键字;The first determining unit 201 is configured to determine at least one NAT log associated with the DPI bill to be traced from a plurality of NAT logs according to the first association relationship between the DPI bill and the NAT log; wherein the first association includes: : DPI CDRs and NAT logs contain the same keywords;

第二确定单元202,用于根据NAT日志与AAA日志的第二关联关系,从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志;其中,所述第二关联关系包括:NAT日志与AAA日志包含相同的关键字;The second determining unit 202 is configured to determine at least one AAA log associated with the at least one NAT log from a plurality of AAA logs according to the second association relationship between the NAT log and the AAA log; wherein the second association relationship includes : NAT logs contain the same keywords as AAA logs;

第三确定单元203,用于确定所述至少一个AAA日志中的用户账号,并将所述用户账号确定为所述待溯源DPI话单的溯源结果。The third determining unit 203 is configured to determine the user account in the at least one AAA log, and determine the user account as the traceability result of the DPI bill to be traced.

可选的,所述第一关联关系包括以下中的至少一种:Optionally, the first association relationship includes at least one of the following:

DPI话单中的源IP地址与NAT日志中的NAT后的IP地址相同;The source IP address in the DPI bill is the same as the IP address after NAT in the NAT log;

DPI话单中的源端口与NAT日志中的NAT后的端口相同;The source port in the DPI bill is the same as the port after NAT in the NAT log;

DPI话单中的目的IP地址与NAT日志中的目的IP地址相同;The destination IP address in the DPI bill is the same as the destination IP address in the NAT log;

DPI话单中的目的端口与NAT日志中的目的端口相同。The destination port in the DPI bill is the same as the destination port in the NAT log.

可选的,所述第一确定单元201具体用于:从多个NAT日志中确定出NAT会话开始时间早于所述待溯源DPI话单中的最小时间戳所标识的时间且NAT会话结束时间晚于所述待溯源DPI话单中的最大时间戳所标识的时间的至少一个NAT日志;或Optionally, the first determining unit 201 is specifically configured to: determine from multiple NAT logs that the start time of the NAT session is earlier than the time identified by the minimum timestamp in the DPI bill to be traced and the end time of the NAT session is At least one NAT log that is later than the time identified by the maximum timestamp in the to-be-traced DPI CDR; or

从多个NAT日志中确定出NAT会话开始时间早于所述待溯源DPI话单中的最小时间戳所标识的时间且NAT会话结束时间晚于所述待溯源DPI话单中的最大时间戳所标识的时间之后的预设时间的至少一个NAT日志。It is determined from multiple NAT logs that the start time of the NAT session is earlier than the time identified by the minimum time stamp in the DPI CDR to be traced, and the end time of the NAT session is later than the maximum time stamp in the DPI CDR to be traced. At least one NAT log for a preset time after the identified time.

可选的,所述第二关联关系,包括:Optionally, the second association relationship includes:

NAT日志中的NAT前的IP地址与AAA日志中的私网IP地址相同。The pre-NAT IP address in the NAT log is the same as the private network IP address in the AAA log.

可选的,所述第二确定单元202具体用于:Optionally, the second determining unit 202 is specifically configured to:

从多个AAA日志中确定出用户上线时间早于所述至少一个NAT日志中的NAT会话开始时间且用户下线时间晚于所述至少一个NAT日志中的NAT会话结束时间的AAA日志。It is determined from the plurality of AAA logs that the user online time is earlier than the NAT session start time in the at least one NAT log and the user offline time is later than the NAT session end time in the at least one NAT log.

可选的,所述装置还包括:Optionally, the device further includes:

关联单元,用于在所述第二确定单元202从多个AAA日志中确定出所述至少一个NAT日志关联的至少一个AAA日志之前,根据session_ID和BRAS_IP从所述多个AAA日志中确定出对应同一用户的上线记录和下线记录,并将对应于同一用户的上线记录和下线记录关联成一条记录;在确定任一上线记录没有对应的下线记录时,将所述任一上线记录关联一条下线时间为无限大的下线记录。an associating unit, configured to determine, according to session_ID and BRAS_IP, from the plurality of AAA logs corresponding On-line record and off-line record of the same user, and associate the on-line record and off-line record corresponding to the same user into one record; when it is determined that any on-line record does not have a corresponding off-line record, associate any on-line record An offline record with infinite offline time.

可选的,所述装置还包括:Optionally, the device further includes:

采集单元,用于在所述第一确定单元201根据DPI话单和NAT日志的第一关联关系,从多个NAT日志中确定出待溯源DPI话单关联的至少一个NAT日志之前,从DPI设备中采集所述待溯源的DPI话单、从NAT设备中采集所述多个NAT日志以及从AAA设备中采集所述多个AAA日志。The collection unit is configured to, before the first determining unit 201 determines at least one NAT log associated with the DPI bill to be traced from the plurality of NAT logs according to the first association relationship between the DPI bill and the NAT log, from the DPI device The DPI bills to be traced are collected from the NAT device, the multiple NAT logs are collected from the NAT device, and the multiple AAA logs are collected from the AAA device.

本发明所述方法和装置基于同一发明构思,由于方法及装置解决问题的原理相似,以上各单元所执行操作的具体实现方式可以参照本发明实施例上述用户溯源方法中对应的步骤,因此装置与方法的实施可以相互参见,重复之处不再赘述。The method and device of the present invention are based on the same inventive concept. Since the principles of the method and device for solving problems are similar, the specific implementation of the operations performed by the above units can refer to the corresponding steps in the above-mentioned user traceability method according to the embodiment of the present invention. For the implementation of the method, reference may be made to each other, and repeated descriptions will not be repeated.

参见图7,基于同一发明构思,本发明实施例还提供了一种用户溯源装置,包括:Referring to FIG. 7 , based on the same inventive concept, an embodiment of the present invention also provides a user traceability device, including:

至少一个处理器301,以及at least one processor 301, and

与所述至少一个处理器连接的存储器302;a memory 302 connected to the at least one processor;

其中,所述存储器302存储有可被所述至少一个处理器301执行的指令,所述至少一个处理器301通过执行所述存储器302存储的指令执行如本发明实施例上述方法实施例中所述用户溯源方法的步骤。Wherein, the memory 302 stores instructions that can be executed by the at least one processor 301, and the at least one processor 301 executes the instructions stored in the memory 302 by executing the instructions described in the foregoing method embodiments of the embodiments of the present invention. The steps of the user traceability method.

可选的,处理器301具体可以包括中央处理器(central processing unit,CPU)、特定应用集成电路(application specific integrated circuit,ASIC),可以是一个或多个用于控制程序执行的集成电路,可以是使用现场可编程门阵列(field programmablegate array,FPGA)开发的硬件电路,可以是基带处理器。Optionally, the processor 301 may specifically include a central processing unit (central processing unit, CPU), an application specific integrated circuit (application specific integrated circuit, ASIC), may be one or more integrated circuits for controlling program execution, may It is a hardware circuit developed using a field programmable gate array (FPGA), which can be a baseband processor.

可选的,处理器301可以包括至少一个处理核心。Optionally, the processor 301 may include at least one processing core.

可选的,该装置还包括存储器302,存储器302可以包括只读存储器(read onlymemory,ROM)、随机存取存储器(random access memory,RAM)和磁盘存储器。存储器302用于存储处理器301运行时所需的数据。Optionally, the apparatus further includes a memory 302, and the memory 302 may include a read only memory (ROM), a random access memory (RAM), and a disk memory. The memory 302 is used to store data required by the processor 301 when it operates.

基于同一发明构思,本发明实施例还提供一种计算机可读存储介质,所述计算机可读存储介质存储有计算机指令,当所述计算机指令在计算机上运行时,使得计算机执行本发明实施例上述用户溯源方法的步骤。Based on the same inventive concept, embodiments of the present invention further provide a computer-readable storage medium, where computer instructions are stored in the computer-readable storage medium, and when the computer instructions are executed on a computer, the computer can execute the above-mentioned embodiments of the present invention. The steps of the user traceability method.

本领域内的技术人员应明白,本发明的实施例可提供为方法、系统、或计算机程序产品。因此,本发明可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本发明可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each process and/or block in the flowchart illustrations and/or block diagrams, and combinations of processes and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing device to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing device produce Means for implementing the functions specified in a flow or flow of a flowchart and/or a block or blocks of a block diagram.

显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit and scope of the invention. Thus, provided that these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include these modifications and variations.

Claims (12)

1. A user tracing method is applied to a centralized carrier-level network address translation (CGN) system, and comprises the following steps:
according to a first association relation between the DPI call ticket and the NAT log converted by the network address, determining at least one NAT log associated with the DPI call ticket to be traced from the plurality of NAT logs; wherein the first association relationship comprises: the DPI ticket and the NAT log contain the same keywords;
determining at least one AAA log related to the at least one NAT log from the plurality of AAA logs according to a second association relation between the NAT log and an authentication, authorization and accounting (AAA) log; wherein the second association relationship comprises: the NAT log and the AAA log contain the same keywords;
determining a user account in the at least one AAA log, and determining the user account as a tracing result of the DPI ticket to be traced;
wherein the second association relationship includes: the IP address before NAT in the NAT log is the same as the private network IP address in the AAA log;
determining at least one AAA log associated with the at least one NAT log from the plurality of AAA logs according to the second association relationship between the NAT log and the AAA log, comprising: and determining the AAA log with the user online time earlier than the NAT session starting time in the at least one NAT log and the user offline time later than the NAT session ending time in the at least one NAT log from the plurality of AAA logs.
2. The method of claim 1, wherein the first association comprises at least one of:
the source IP address in the DPI ticket is the same as the IP address after NAT in the NAT log;
the source port in the DPI ticket is the same as the port after NAT in the NAT log;
the destination IP address in the DPI ticket is the same as the destination IP address in the NAT log;
the destination port in the DPI ticket is the same as the destination port in the NAT log.
3. The method of claim 2, wherein determining at least one NAT log associated with the DPI ticket to be traced from the plurality of NAT logs according to the first association relationship between the DPI ticket and the NAT log comprises:
determining at least one NAT log of which the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than the time identified by the maximum timestamp in the DPI call ticket to be traced from the plurality of NAT logs; or
And determining at least one NAT log of which the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than the preset time after the time identified by the maximum timestamp in the DPI call ticket to be traced from the plurality of NAT logs.
4. The method of claim 1, wherein prior to determining at least one AAA log associated with the at least one NAT log from a plurality of AAA logs, further comprising:
determining an online record and an offline record corresponding to the same user from the plurality of AAA logs according to the session _ ID and the BRAS _ IP, and associating the online record and the offline record corresponding to the same user into a record;
and when any online record is determined not to have a corresponding offline record, associating the online record with an offline record with the offline time being infinite.
5. The method according to any of claims 1-4, wherein before determining at least one NAT log associated with a DPI ticket to be traced back from a plurality of NAT logs according to the first association relationship between the DPI ticket and the NAT log, the method further comprises:
collecting the DPI call ticket to be traced from DPI equipment;
collecting the plurality of NAT logs from NAT equipment;
collecting the plurality of AAA logs from the AAA device.
6. A user tracing apparatus, comprising:
the first determining unit is used for determining at least one NAT log associated with the DPI call ticket to be traced from the plurality of NAT logs according to the first association relation between the DPI call ticket and the NAT log; wherein the first association relationship comprises: the DPI ticket and the NAT log contain the same keywords;
a second determining unit, configured to determine, according to a second association relationship between the NAT log and the AAA log, at least one AAA log associated with the at least one NAT log from the multiple AAA logs; wherein the second association relationship comprises: the NAT log and the AAA log contain the same keywords;
a third determining unit, configured to determine a user account in the at least one AAA log, and determine the user account as a tracing result of the DPI ticket to be traced;
wherein the second association relationship includes: the IP address before NAT in the NAT log is the same as the private network IP address in the AAA log;
the second determining unit is specifically configured to: and determining the AAA log with the user online time earlier than the NAT session starting time in the at least one NAT log and the user offline time later than the NAT session ending time in the at least one NAT log from the plurality of AAA logs.
7. The apparatus of claim 6, wherein the first association comprises at least one of:
the source IP address in the DPI ticket is the same as the IP address after NAT in the NAT log;
the source port in the DPI ticket is the same as the port after NAT in the NAT log;
the destination IP address in the DPI ticket is the same as the destination IP address in the NAT log;
and the destination port in the DPI ticket is the same as the destination port in the NAT log.
8. The apparatus of claim 7, wherein the first determining unit is specifically configured to: determining at least one NAT log of which the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced and the NAT session ending time is later than the time identified by the maximum timestamp in the DPI call ticket to be traced from the plurality of NAT logs; or
And determining at least one NAT log from the plurality of NAT logs, wherein the NAT session starting time is earlier than the time identified by the minimum timestamp in the DPI call ticket to be traced, and the NAT session ending time is later than the preset time after the time identified by the maximum timestamp in the DPI call ticket to be traced.
9. The apparatus of claim 6, wherein the apparatus further comprises:
the association unit is used for determining the online record and the offline record corresponding to the same user from the plurality of AAA logs according to the session _ ID and the BRAS _ IP before the second determination unit determines at least one AAA log associated with the at least one NAT log from the plurality of AAA logs, and associating the online record and the offline record corresponding to the same user into one record; and when any online record is determined not to have a corresponding offline record, associating the online record with an offline record with the offline time being infinite.
10. The apparatus of any of claims 6-9, wherein the apparatus further comprises:
the collection unit is used for collecting the DPI call tickets to be traced from the DPI equipment, collecting the NAT logs from the NAT equipment and collecting the AAA logs from the AAA equipment before the first determination unit determines at least one NAT log associated with the DPI call tickets to be traced from the NAT logs according to the first association relation between the DPI call tickets and the NAT logs.
11. A user tracing apparatus, comprising:
at least one processor, and
a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor to perform the method of any one of claims 1-5 by executing the instructions stored by the memory.
12. A computer-readable storage medium characterized by:
the computer readable storage medium stores computer instructions that, when executed on a computer, cause the computer to perform the method of any of claims 1-5.
CN201811375981.2A 2018-11-19 2018-11-19 User source tracing method and device and computer readable storage medium Active CN111200665B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811375981.2A CN111200665B (en) 2018-11-19 2018-11-19 User source tracing method and device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811375981.2A CN111200665B (en) 2018-11-19 2018-11-19 User source tracing method and device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111200665A CN111200665A (en) 2020-05-26
CN111200665B true CN111200665B (en) 2022-07-01

Family

ID=70745908

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811375981.2A Active CN111200665B (en) 2018-11-19 2018-11-19 User source tracing method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN111200665B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112073258B (en) * 2020-08-06 2022-09-30 深信服科技股份有限公司 Method for identifying user, electronic equipment and storage medium
CN112328661B (en) * 2020-11-04 2024-04-02 北京思特奇信息技术股份有限公司 Method, system and electronic equipment for monitoring ticket processing performance
CN112989823B (en) * 2021-04-27 2021-08-13 北京优特捷信息技术有限公司 Log processing method, device, equipment and storage medium
CN115021969B (en) * 2022-05-10 2024-07-23 中国电信股份有限公司 Broadband account number determining method and device
CN115442277B (en) * 2022-08-28 2023-10-20 厦门市美亚柏科信息股份有限公司 Method and system for improving correctness of 5G traceability association

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103139326A (en) * 2013-03-06 2013-06-05 中国联合网络通信集团有限公司 Method, device and system for tracing internet protocol (IP)
CN107241454A (en) * 2016-03-29 2017-10-10 中兴通讯股份有限公司 A kind of method for realizing address administration, device, aaa server and SDN controllers
CN108173981A (en) * 2012-09-28 2018-06-15 瞻博网络公司 For the network address translation of the application of subscriber-aware service

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108173981A (en) * 2012-09-28 2018-06-15 瞻博网络公司 For the network address translation of the application of subscriber-aware service
CN103139326A (en) * 2013-03-06 2013-06-05 中国联合网络通信集团有限公司 Method, device and system for tracing internet protocol (IP)
CN107241454A (en) * 2016-03-29 2017-10-10 中兴通讯股份有限公司 A kind of method for realizing address administration, device, aaa server and SDN controllers

Also Published As

Publication number Publication date
CN111200665A (en) 2020-05-26

Similar Documents

Publication Publication Date Title
CN111200665B (en) User source tracing method and device and computer readable storage medium
CN109802953B (en) Industrial control asset identification method and device
CN111277553B (en) A method and device for determining a trusted node based on a blockchain network
CN103139326B (en) IP source tracing method, equipment and system
WO2019184164A1 (en) Method for automatically deploying kubernetes worker node, device, terminal apparatus, and readable storage medium
CN113807538B (en) Federal learning method, federal learning device, electronic equipment and storage medium
CN102611756B (en) Method and system for sending access request
CN108810192A (en) A kind of static IP configuration method, device, equipment and readable storage medium storing program for executing
WO2020019510A1 (en) Information processing method, terminal, and computer readable storage medium
CN108183838B (en) Method and device for testing source NAT function
CN105812195A (en) Method and device for computer to identify batch accounts
CN104683408A (en) Method and system for establishing virtual machine instance on OpenStack cloud computing management platform
CN110808879A (en) Protocol identification method, device, equipment and readable storage medium
CN111291382B (en) Vulnerability Scanning System
CN107395423A (en) The method and apparatus for binding the network port and network card interface
CN103595827B (en) A kind of IP address recognition methods of CDN source station and device
CN117356070A (en) Zero knowledge proof private transaction approval
CN116567609A (en) User information association backfill method, device, equipment and storage medium
CN109286506B (en) A method, system and device for traffic accounting
CN105554181B (en) A kind of DNS log compression method and apparatus
CN104333615A (en) Method and device for tracing address source
CN104717312A (en) Method and device for determining network resource access interfaces
CN105472054B (en) A kind of file transmitting method and access device
CN110233774A (en) A kind of Distributed probing method and system of Socks proxy server
KR20140113276A (en) Self-configuring local area network security

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant