Method, device and storage medium for detecting shared internet access

By establishing a TCP flow table and analyzing the decoding information and timestamp sequence of uplink TCP SYN packets, the problem of misjudgment of shared internet access behavior of terminal devices in the mobile internet era was solved, and more accurate detection of shared internet access was achieved.

CN114257625B · Active · Publication Date: 2026-06-19 · ZTE CORP

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: ZTE CORP
Filing Date: 2020-09-24
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing technologies misjudge the shared internet access behavior of terminal devices, especially in the mobile internet era. The randomization protection that newer Android systems apply to TCP timestamp values has led to serious false detection problems.

Method used

By establishing a TCP flow table, obtaining the decoding information and TCP timestamp values of uplink TCP SYN packets, grouping packets according to the decoding information, and judging the randomness of the TCP timestamp value sequence, it is possible to determine whether the terminal device is sharing the Internet.

Benefits of technology

It improves the accuracy of identifying shared internet access behavior of terminal devices, reduces false alarms, and avoids false detections caused by TCP timestamp randomization.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention provides a method, device, and storage medium for detecting shared internet access. The method includes: establishing a TCP flow table based on uplink TCP SYN packets sent by a terminal device, wherein the TCP flow table records multiple flow information identifiers, each of which represents a corresponding uplink TCP SYN packet; obtaining decoding information and a TCP timestamp value corresponding to the uplink TCP SYN packet based on the TCP flow table; grouping the received uplink TCP SYN packets according to the decoding information; obtaining classification information for each group of uplink TCP SYN packets, wherein the classification information represents the classification result of each group of uplink TCP SYN packets based on the corresponding TCP timestamp value; and determining whether the terminal device is engaging in shared internet access behavior based on the classification information.

Description

Technical Field

[0001] This invention relates to the field of communication technology, and in particular to a method, device and storage medium for detecting shared Internet access.

Background Technology

[0002] Most mobile devices nowadays typically have a Wi-Fi hotspot function, allowing them to easily connect to the mobile network and share it with other devices. For example, if a mobile network operator partners with a specific brand of mobile devices to promote an unlimited data plan for that brand's devices, and users enable the Wi-Fi hotspot function to share the mobile network with other devices, it will consume more bandwidth resources for the operator than normal, resulting in higher operating costs. Furthermore, shared internet access also means increased concurrent traffic, which will require increased investment from the operator in routers, gateways, firewalls, and other related equipment.

[0003] In the existing technology, there are still misjudgments in the identification of shared Internet access behavior of some terminal devices. Therefore, how to improve the accuracy of the identification of shared Internet access behavior of terminal devices and reduce misjudgments is a technical problem that urgently needs to be solved by those skilled in the art.

Summary of the Invention

[0004] The main objective of this invention is to provide a method, device, and storage medium for detecting shared internet access, aiming to improve the accuracy of identifying shared internet access behavior of terminal devices and reduce misjudgments of such behavior.

[0005] In a first aspect, embodiments of the present invention provide a method for detecting shared internet access, the method comprising:

[0006] A TCP flow table is established based on the uplink TCP SYN packets sent by the terminal device. The TCP flow table records multiple flow information identifiers, each of which is used to represent the corresponding uplink TCP SYN packet.

[0007] The decoding information and TCP timestamp value corresponding to the uplink TCP SYN packet are obtained according to the TCP flow table.

[0008] The received uplink TCP SYN packet is grouped according to the decoded information;

[0009] Obtain the classification information for each group of uplink TCP SYN packets, wherein the classification information represents the classification result of each group of uplink TCP SYN packets according to the corresponding TCP timestamp value;

[0010] The classification information is used to determine whether the terminal device is engaging in shared internet access behavior.

[0011] Secondly, embodiments of the present invention also provide a detection device, the detection device including a processor, a memory, a computer program stored in the memory and executable by the processor, and a data bus for implementing connection communication between the processor and the memory, wherein when the computer program is executed by the processor, it implements the steps of any of the shared Internet access detection methods provided in this specification.

[0012] Thirdly, embodiments of the present invention also provide a storage medium for computer-readable storage, wherein the storage medium stores one or more programs, which can be executed by one or more processors to implement the steps of any of the shared Internet access detection methods provided in this specification.

[0013] This invention provides a method, device, and storage medium for detecting shared internet access. The method includes establishing a TCP flow table based on uplink TCP SYN packets sent by a terminal device. The TCP flow table records multiple flow information identifiers, each of which represents a corresponding uplink TCP SYN packet. The method also includes obtaining decoding information and a TCP timestamp value corresponding to each uplink TCP SYN packet from the TCP flow table; grouping the received uplink TCP SYN packets according to the decoding information; obtaining classification information for each group of uplink TCP SYN packets, where the classification information represents the classification result of each group of uplink TCP SYN packets based on the corresponding TCP timestamp value; and determining whether the terminal device is engaging in shared internet access behavior based on the classification information. This invention effectively solves the false detection problem caused by TCP timestamp randomization in the field of shared internet access detection, improves the accuracy of identifying shared internet access behavior of terminal devices, and reduces misjudgments of shared internet access behavior.

Attached Figure Description

[0014] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0015] Figure 1 is a schematic diagram illustrating an application scenario of a shared internet access detection method provided in an embodiment of the present invention;

[0016] Figure 2 is a flowchart illustrating a shared internet access detection method provided in an embodiment of the present invention;

[0017] Figure 3 is a flowchart illustrating the steps involved in establishing a TCP flow table in a shared internet access detection method provided by an embodiment of the present invention.

[0018] Figure 4 is a flowchart illustrating the steps for obtaining classification information of uplink TCP SYN packets in a shared internet access detection method provided by an embodiment of the present invention.

[0019] Figure 5 is a schematic block diagram of a detection device provided in an embodiment of the present invention.

Detailed Implementation

[0020] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0021] The flowchart shown in the attached diagram is for illustrative purposes only and does not necessarily include all content and operations / steps, nor does it necessarily have to be performed in the order described. For example, some operations / steps can be broken down, combined, or partially merged, so the actual execution order may change depending on the actual situation.

[0022] It should be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used in this specification and the appended claims, the singular forms “a,” “an,” and “the” are intended to include the plural forms unless the context clearly indicates otherwise.

[0023] In the mobile internet field, there are many types of terminal devices. Users may own a variety of portable internet access terminal devices such as mobile phones, tablets, smart speakers, smart projectors, VR all-in-one machines, and laptops. With the support of the large bandwidth, high speed, and low latency of 5G mobile networks, as well as the discounts on ultra-large data packages, more users tend to use their mobile phones as internet hotspots and share the internet with multiple other devices via Wi-Fi.

[0024] Users sharing internet access generates more concurrent traffic, which can impact the network capacity and performance established by telecom operators based on conventional business models. Therefore, telecom operators typically analyze user traffic sharing behavior in real time, detect and identify the corresponding traffic, and then take actions such as statistical analysis, additional charges, interference, and blocking.

[0025] The technology for users to share the internet across multiple devices has been constantly evolving, and correspondingly, telecom operators are continuously adjusting and upgrading their detection technologies for this behavior. For example, in the PC internet era, early Windows systems used globally sequentially increasing IP identification values for outbound IP packets, and the initial IP identification was randomized at startup. Therefore, if only one increasing IP identification sequence was found, it could be determined that only one device was accessing the internet. However, if multiple increasing IP identification sequences were found, it could be determined that the user might be sharing the internet, and the number of different sequences likely represented the number of devices sharing the internet. But with the advent of the mobile internet era, new smart terminal systems (such as iOS and Android) no longer use globally increasing IP identification values; some systems use completely randomized values, making sequence detection impossible and rendering this detection method ineffective.

[0026] In the mobile internet era, the most effective method for detecting shared internet access is based on the timestamp value in the TCP (Transmission Control Protocol) SYN header extension options. Most smart terminal systems (iOS, Android) carry TCP timestamp options in their outbound TCP SYN packets. These systems use continuously increasing timestamp values, and the initial timestamp value is randomized upon system startup. Therefore, if only one continuously increasing timestamp sequence is found, it is determined that the user is not sharing internet access; if multiple continuously increasing timestamp sequences are found, it can be determined that the user may be sharing internet access, and the number of different sequences likely represents the number of terminals sharing internet access.

[0027] With increased emphasis on user privacy protection in the mobile internet sector, newer Android systems (such as Android 9 and Android 10) employ the latest Linux kernel, which randomizes the timestamp values of outbound TCP packets. This means that the timestamp values of the same terminal device are no longer a continuously increasing sequence over time. Therefore, using existing methods based on TCP timestamp characteristics to detect shared internet access behavior will lead to false detections. For example, for a new Android phone, even if a user is only using that one phone to access the internet, the telecom operator's network equipment might mistakenly identify it as the user using multiple phones to share the internet, thus misinterpreting normal internet access behavior as shared internet access.

[0028] Therefore, the present invention provides a method, device and storage medium for detecting shared Internet access, aiming to improve the accuracy of identifying the shared Internet access behavior of terminal devices and reduce misjudgments of the shared Internet access behavior of terminal devices.

[0029] Please see Figure 1, which is a schematic diagram illustrating an application scenario of a shared internet access detection method provided in an embodiment of the present invention.

[0030] As shown in Figure 1, the detection system 100 includes a terminal device 10 and a detection device 20 that is communicatively connected to the terminal device 10. The detection device 20 may be a gateway device or a server, which is not limited here.

[0031] Terminal device 10 and detection device 20 communicate via TCP / IP protocol. Detection device 20 receives multiple uplink TCP SYN packets sent by terminal device 10 within a preset period and obtains the decoding information and TCP timestamp value corresponding to each uplink TCP SYN packet. Then, it groups the received uplink TCP SYN packets according to the decoding information and determines the classification information corresponding to the TCP timestamp value of each uplink TCP SYN packet in each group. Based on the classification information of each group of uplink TCP SYN packets, it determines whether the terminal device is engaging in shared internet access behavior.

[0032] Specifically, since the TCP timestamp value category in the uplink TCP SYN packet sent by a single terminal device 10 is singular—that is, when a terminal device 10 accesses the internet, the corresponding TCP timestamp value sequence in the uplink TCP SYN packet sent to the detection device 20 is either a random TCP timestamp value sequence or a non-random TCP timestamp value sequence—the TCP timestamp value sequences corresponding to the multiple uplink TCP SYN packets detected by the detection device 20 can only be a single TCP timestamp value sequence, that is, either a random TCP timestamp value sequence or a non-random TCP timestamp value sequence.

[0033] If the detection device 20 detects that the TCP timestamp value corresponding to the uplink TCP SYN packet sent by a terminal device 10 includes a random TCP timestamp value sequence and a non-random TCP timestamp value sequence, it indicates that the terminal device 10 is sharing the network with other terminal devices, that is, there is a shared Internet access behavior.

[0034] If the detection device 20 detects that the TCP timestamp value sequence in the uplink TCP SYN packet sent by a terminal device 10 is a non-random TCP timestamp value sequence, it determines whether the non-random TCP timestamp value sequence includes multiple consecutively increasing timestamp sequences. If so, it can be determined that the terminal device 10 may be sharing the Internet, and the number of different sequences may be the number of terminal devices sharing the Internet.

[0035] If the detection device 20 detects that the TCP timestamp value in the uplink TCP SYN packet sent by a terminal device 10 is a random sequence of TCP timestamp values, it indicates that the terminal device 10 has implemented TCP timestamp value protection. In this case, the detection device 20 excludes the analysis of whether the terminal device has Internet sharing behavior, thereby effectively solving the problem of false detection caused by TCP timestamp randomization in the field of Internet sharing detection.

[0036] Please refer to Figure 2, which is a flowchart illustrating a shared internet access detection method provided in an embodiment of the present invention.

[0037] As shown in Figure 2, this shared internet access detection method can be applied to a detection device, which can be a server or a gateway device; this is not limited here. The method includes steps S101 to S105.

[0038] Step S101: Establish a TCP flow table based on the uplink TCP SYN packet sent by the terminal device. The TCP flow table records multiple flow information identifiers, each of which is used to represent the corresponding uplink TCP SYN packet.

[0039] The terminal device and the detection device transmit data via the TCP / IP protocol. The detection device receives the uplink TCP SYN packets sent by the terminal device within a preset period and establishes a TCP flow table based on the uplink TCP SYN packets. The TCP flow table records multiple flow information identifiers, and each flow information identifier is used to represent a corresponding TCP SYN packet.

[0040] In some embodiments, the flow information identifier includes the user IP address, network IP address, user TCP port, and network TCP port. The corresponding uplink TCP SYN packet can be identified by using the user IP address, network IP address, user TCP port, and network TCP port together.

[0041] Please see Figure 3, which is a flowchart illustrating the steps involved in establishing the TCP flow table in the shared internet access detection method.

[0042] As shown in Figure 3, in some embodiments, establishing a TCP flow table based on the uplink TCP SYN packet sent by the terminal device includes:

[0043] Step S1011: Obtain message data sent by the terminal device from the same user IP address;

[0044] Step S1012: Obtain the uplink TCP SYN packet from the packet data;

[0045] Step S1013: Select uplink TCP SYN packets that meet preset conditions from the uplink TCP SYN packets and establish a TCP flow table.

[0046] For example, the detection device receives packet data sent from terminal devices with the same user IP address and determines the type of the acquired packet data to check whether the acquired packet data meets preset conditions. When the preset conditions are met, i.e., the packet data is an uplink TCP SYN packet, the uplink TCP SYN packet can be selected from the packet data, and a TCP flow table can be established based on the TCP SYN packet. The preset conditions include that the packet data is uplink TCP SYN packet data. The detection device can identify whether the packet data is uplink TCP SYN packet data from relevant fields of the packet data.

[0047] For example, when the packet data is uplink packet data and IP.Protocol=6 in the packet data, it indicates that the packet data is uplink TCP packet data, and when TCP.Flags=2 in the packet data, it indicates that the packet is an uplink TCP SYN packet.

[0048] After retrieving the uplink TCP SYN packet from the packet data, a TCP flow table is established by filtering uplink TCP SYN packets that meet preset conditions. The preset condition is whether the uplink TCP SYN packet is the first TCP SYN packet in each TCP flow. If it is, the preset condition is met; otherwise, it is not. In other words, the first TCP SYN packet of each TCP flow is retrieved, and a TCP flow table is established. This TCP flow table records the flow information identifier of the first uplink TCP SYN packet in the corresponding TCP flow.

[0049] In some embodiments, after the TCP flow table is established, the detection device can trigger the release of the corresponding TCP flow table record based on the TCP FIN message and / or TCP RST message, and / or release the corresponding TCP flow table record according to a preset appropriate timeout period, so as to support the dynamic aging mechanism of TCP flow table resources.

[0050] Step S102: Obtain the decoding information and TCP timestamp value corresponding to the uplink TCP SYN packet according to the TCP flow table.

[0051] Each uplink TCP SYN packet includes decoding information and a TCP timestamp value in its header extension options.

[0052] The TCP option parameters carried by non-first uplink TCP SYN packets in each stream may vary and do not represent the default information of the terminal system. Therefore, after the TCP flow table is established, it is used to check whether the received uplink TCP SYN packet is the first uplink TCP SYN packet in the corresponding TCP stream. If the received uplink TCP SYN packet is the first uplink TCP SYN packet in the corresponding TCP stream, it is parsed. Otherwise, parsing of the uplink TCP SYN packet is discarded.

[0053] Among these, the detection of whether the received uplink TCP SYN packet is the first uplink TCP SYN packet in the corresponding TCP stream using the TCP flow table includes:

[0054] Obtain the message information of the uplink TCP SYN packet, which includes the user IP address, network IP address, user TCP port, and network TCP port.

[0055] The obtained packet information is compared with the flow information identifier recorded in the TCP flow table to determine whether the obtained uplink TCP SYN packet information has been recorded in the TCP flow table.

[0056] When the TCP flow table does not record the packet information corresponding to the acquired uplink TCP SYN packet, it indicates that the acquired uplink TCP SYN packet is the first uplink TCP SYN packet in the corresponding TCP flow. In this case, the acquired uplink TCP SYN packet is recorded in the TCP flow table, and the uplink TCP SYN packet is parsed to obtain the corresponding decoding information and TCP timestamp value.

[0057] When the TCP flow table records information about an acquired uplink TCP SYN packet, it indicates that the acquired uplink TCP SYN packet is not the first uplink TCP SYN packet in the corresponding TCP flow, and the acquired uplink TCP SYN packet is discarded.

[0058] That is, only the first uplink TCP SYN packet of each TCP stream is parsed to obtain the decoding information and TCP timestamp value corresponding to each uplink TCP SYN packet. The decoding information includes at least one of the following: the TTL field value of IPv4 or the HopLimit field value of IPv6, the TCP window field value, the window scale option value in the TCP header options field, and the maximum segment size value in the TCP header options field.

[0059] For example, the detection device parses the uplink TCP SYN packets recorded in the TCP flow table to obtain the corresponding decoding information.

[0060] For example, the detection device extracts either the TTL field value of IPv4 or the HopLimit field value of IPv6 as decoding information. For terminal devices running iOS, TTL / HopLimit is typically 64 or 63; for Android, it is typically 64, 63, 128, or 127; and for Windows, it is typically 255, 254, 128, or 127.

[0061] In some embodiments, the detection device also extracts the TCP window field value as decoding information, namely the TCP Window field value, or Winsize for short. Winsize may be any one of 65535, 64240, 14600, 8192, etc.

[0062] In some embodiments, the detection device extracts the window scaling option value from the TCP header options field as decoding information, namely the WSopt (TCP Window Scale Option) option value in TCP Options, abbreviated as Scale, where Scale may be any one of 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, etc.

[0063] In some embodiments, the detection device extracts the maximum segment size value from the TCP header options field as decoding information. The MSS (Maximum Segment Size) option value in TCP Options is abbreviated as MSS. MSS may be any of 1460, 1360, 1260, 1408, 1452, 0, etc. 0 indicates that the decoding extraction found no MSS option, or that the MSS option exists but its value is 0.

[0064] Simultaneously, the detection device also extracts the corresponding TCP timestamp value from the uplink TCP SYN packet, namely the TSopt (TCP Timestamps Option) value in TCP Options, abbreviated as TSval. TSval can be any value between 0 and 4294967295.

[0065] Step S103: Group the received uplink TCP SYN packets according to the decoding information.

[0066] After parsing the decoding information and TCP timestamp value corresponding to the uplink TCP SYN packet, the uplink TCP SYN packets received within a preset period are grouped according to the decoding information. If N uplink TCP SYN packets are received from the terminal device within the preset period, the N uplink TCP SYN packets are grouped using the N decoding information corresponding to these N uplink TCP SYN packets, and uplink TCP SYN packets that meet the preset conditions are placed in the same group.

[0067] For example, the detection device combines at least one of the following in a preset order: the TTL field value of IPv4 or the HopLimit field value of IPv6 in the decoded information, the TCP window field value, the window scale option value in the TCP header options field, and the maximum segment size value in the TCP header options field, to form a grouping index, and uses the grouping index to group uplink TCP SYN packets.

[0068] For example, the grouping index setting can be set to: "TTL_Winsize_Scale_MSS" or "TTL_Winsize_Scale" or "Winsize_Scale".

[0069] In this embodiment, the grouping index "TTL_Winsize_Scale_MSS" is used as an example for illustration.

[0070] When the detection device receives, at time T1, the decoding information and TCP timestamp value corresponding to the first uplink TCP SYN packet reported by the terminal device, namely TTL=64, Winsize=65535, Scale=8, MSS=1460, and TSval=10000, a new group with the index "64_65535_8_1460" is created for the uplink TCP SYN packet. T1 and TSval=10000 are then assigned to this group for further detection.

[0071] When the detection device receives, at time T2, the decoding information and TCP timestamp value corresponding to the second uplink TCP SYN packet reported by the terminal device, namely TTL=64, Winsize=65535, Scale=8, MSS=1460, and TSval=12000, it locates the group with the existing index "64_65535_8_1460" among the uplink TCP SYN packet groups and assigns T2 and TSval=12000 to this group for further detection.

[0072] When the detection device receives, at time T3, the decoding information and TCP timestamp value of the third uplink TCP SYN packet reported by the terminal device, namely TTL=63, Winsize=65535, Scale=9, MSS=1460, and TSval=66666, a new group with the index "63_65535_9_1460" is created for the uplink TCP SYN packet. T3 and TSval=66666 are then assigned to this group for further detection.

[0073] At this time, there are two groups in the uplink TCP SYN packet table of the terminal device, namely "64_65535_8_1460" and "63_65535_9_1460". The "63_65535_9_1460" group contains one pair of data T3 and TSval=66666; the "64_65535_8_1460" group contains two pairs of data T1 and TSval=10000, and T2 and TSval=12000.
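Steps S101 to S103 can be traced end to end in code. The following is an added example, not code from the patent: it parses raw IPv4/TCP bytes, keeps only the first SYN of each flow, and reproduces the grouping of [0070] to [0073]. The names `build_packet`, `decode_syn` and `SynGrouper`, the addresses, the "na" marker for a missing window scale option, and the choice to skip SYNs without a timestamp option are assumptions; IPv6 is not handled, and the caller is assumed to pass only uplink packets of one user IP address.

```python
import socket
import struct
from collections import defaultdict

def build_packet(src, sport, dst, dport, ttl, win, scale, mss, tsval, flags=0x02):
    """Constructed IPv4/TCP test packet; checksums are left at 0 (not checked here)."""
    opts = struct.pack("!BBH", 2, 4, mss)                  # MSS option
    opts += struct.pack("!BBBB", 3, 3, scale, 1)           # WSopt + NOP padding
    opts += struct.pack("!BBBBII", 1, 1, 8, 10, tsval, 0)  # NOP, NOP, TSopt
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      ((20 + len(opts)) // 4) << 4, flags, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def decode_syn(pkt):
    """Return (flow_id, fields) for an IPv4 TCP SYN, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:     # IP.Protocol=6 (TCP)
        return None
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    if tcp[13] != 0x02 or doff < 20 or len(tcp) < doff:    # TCP.Flags=2 (SYN only)
        return None
    fields = {"TTL": pkt[8], "Winsize": struct.unpack("!H", tcp[14:16])[0],
              "Scale": None, "MSS": 0, "TSval": None}      # MSS 0 = option absent
    opts, i = tcp[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                      # End of option list
            break
        if kind == 1:                                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):           # malformed: stop parsing
            break
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            fields["MSS"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            fields["Scale"] = body[0]
        elif kind == 8 and length == 10:
            fields["TSval"] = struct.unpack("!I", body[:4])[0]
        i += length
    # Flow information identifier: user IP, network IP, user port, network port.
    return (pkt[12:16], pkt[16:20], sport, dport), fields

class SynGrouper:
    """Per-user-IP state: TCP flow table plus TTL_Winsize_Scale_MSS groups."""
    def __init__(self):
        self.flow_table = set()
        self.groups = defaultdict(list)                    # index -> [(time, TSval)]

    def observe(self, t, pkt):
        decoded = decode_syn(pkt)
        if decoded is None:
            return None
        flow_id, f = decoded
        if flow_id in self.flow_table:                     # not the first SYN of the flow
            return None
        self.flow_table.add(flow_id)
        if f["TSval"] is None:                             # assumption: skip SYNs without TSopt
            return None
        scale = "na" if f["Scale"] is None else f["Scale"] # "na" marker is an assumption
        index = f'{f["TTL"]}_{f["Winsize"]}_{scale}_{f["MSS"]}'
        self.groups[index].append((t, f["TSval"]))
        return index

    def release(self, flow_id):
        """Age out a record on FIN/RST or timeout so the 4-tuple can be reused."""
        self.flow_table.discard(flow_id)

def run_page_example():
    """Replay the three SYNs from [0070]-[0072] plus two packets that must be ignored."""
    user, net = "10.0.0.2", "198.51.100.10"                # constructed addresses
    capture = [
        (1.0, build_packet(user, 40001, net, 443, 64, 65535, 8, 1460, 10000)),  # T1
        (1.5, build_packet(user, 40001, net, 443, 64, 65535, 8, 1460, 10500)),  # SYN retransmit
        (2.0, build_packet(user, 40002, net, 443, 64, 65535, 8, 1460, 12000)),  # T2
        (2.5, build_packet(user, 40002, net, 443, 64, 65535, 8, 1460, 12010, flags=0x10)),  # ACK
        (3.0, build_packet(user, 40003, net, 443, 63, 65535, 9, 1460, 66666)),  # T3
    ]
    grouper = SynGrouper()
    for t, pkt in capture:
        grouper.observe(t, pkt)
    return dict(grouper.groups)

if __name__ == "__main__":
    for index, samples in run_page_example().items():
        print(index, samples)
```

The retransmitted SYN and the ACK never reach a group, so only the first SYN of each flow contributes a (time, TSval) pair, as [0052] requires.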

[0074] Step S104: Obtain the classification information of each group of uplink TCP SYN packets, wherein the classification information represents the classification result of each group of uplink TCP SYN packets according to the corresponding TCP timestamp value.

[0075] For example, the classification information represents the classification result of each group of uplink TCP SYN packets according to the corresponding TCP timestamp value. By obtaining the classification result for each group of uplink TCP SYN packets, it can be determined whether the TCP timestamp value sequence corresponding to each group of uplink TCP SYN packets is a random TCP timestamp value sequence or a non-random TCP timestamp value sequence.

[0076] Please see Figure 4, which is a flowchart illustrating the steps for obtaining classification information for uplink TCP SYN packets.

[0077] As shown in Figure 4, in some embodiments, obtaining the classification information of each group of uplink TCP SYN packets includes:

[0078] Step S1041: Determine whether the TCP timestamp value sequence corresponding to each group of uplink TCP SYN packets is a random TCP timestamp value sequence or a non-random TCP timestamp value sequence;

[0079] Step S1042: When the TCP timestamp value sequence corresponding to the uplink TCP SYN packets in this group is a random TCP timestamp value sequence, the uplink TCP SYN packets in this group are classified as a random TCP SYN packet group;

[0080] Step S1043: When the TCP timestamp value sequence corresponding to the uplink TCP SYN packets in this group is a non-random TCP timestamp value sequence, the uplink TCP SYN packets in this group are classified as a non-random TCP SYN packet group.

[0081] The step of determining whether the TCP timestamp sequence corresponding to each group of uplink TCP SYN packets is a random TCP timestamp sequence or a non-random TCP timestamp sequence includes:

[0082] Determine whether the standard deviation of adjacent TCP timestamp subsequences in the TCP timestamp value sequence corresponding to each group of uplink TCP SYN packets is less than a preset value;

[0083] When the standard deviation is less than the preset value, it is determined that the TCP timestamp value sequence corresponding to the uplink TCP SYN packet in that group is a non-random TCP timestamp value sequence.

[0084] When the standard deviation is greater than or equal to the preset value, it is determined that the TCP timestamp value sequence corresponding to the uplink TCP SYN packet in that group is a random TCP timestamp value sequence.

[0085] For example, each group of uplink TCP SYN packets includes multiple uplink TCP SYN packets, and each uplink TCP SYN packet corresponds to a TCP timestamp value. By extracting the TCP timestamp value corresponding to each uplink TCP SYN packet in each group of uplink TCP SYN packets, a TCP timestamp value sequence can be obtained for each group of uplink TCP SYN packets. By judging the randomness of the TCP timestamp value sequence, it can be determined whether the current group of TCP SYN packets is a non-random TCP SYN packet group or a random TCP SYN packet group.

[0086] Specifically, in a sequence of TCP timestamp values corresponding to a set of uplink TCP SYN packets, the sequence is divided into several subsequences of TCP timestamp values. The standard deviation of adjacent subsequences of TCP timestamp values is calculated to see if it is less than a preset value. If the standard deviation of adjacent subsequences of TCP timestamp values is less than the preset value, the TCP timestamp values are considered to be non-random, that is, the TCP timestamp value sequence is a non-random TCP timestamp value sequence. Then, the set of uplink TCP SYN packets corresponding to this non-random TCP timestamp value sequence is classified as a non-random TCP SYN packet group.

[0087] When the standard deviation of adjacent TCP timestamp value subsequences is greater than or equal to a preset value, the TCP timestamp values are considered to have randomness, that is, the TCP timestamp value sequence is a random TCP timestamp value sequence, and the uplink TCP SYN packets corresponding to this random TCP timestamp value sequence are classified as random TCP SYN packet groups.

[0088] For example, every uplink TCP SYN packet includes a TCP timestamp value, TSval, which ranges from 0 to 4294967295. The TSval value is divided into M segments, each segment having a size of B = 4294967295 / M. Any TCP timestamp value TSval will be assigned to one of these M segments.

[0089] If $B = 2 \times 10^{8}$, then M = 215, meaning the first segment takes values in the range $[0, 2 \times 10^{8}]$, the second segment is $[2 \times 10^{8}, 4 \times 10^{8}]$, the third segment is $[4 \times 10^{8}, 6 \times 10^{8}]$, and so on, where each TCP timestamp value corresponds to one specific segment.

[0090] The following example illustrates the determination of the randomness of a sequence of TCP timestamp values for a set of uplink TCP SYN packets.

[0091] In a set of uplink TCP SYN packets, when the TCP timestamp value of an uplink TCP SYN packet received at time T1 falls into the first segment, the first segment count is 1. When X uplink TCP SYN packets received within a preset period have TCP timestamp values falling into the first segment, the first segment count is X.

[0092] If the value of TSval is divided into M segments within time T1, then the statistical values of the TCP timestamps corresponding to each of the M segments are denoted as $X_1, X_2, X_3, \ldots, X_{M-1}, X_M$, forming the sequence $X_M = [X_1, X_2, X_3, \ldots, X_{M-1}, X_M]$.

[0093] If the preset period includes Q units of time, then the sequence $X_M$ is divided into Q-1 subsequences and the standard deviation (STD) of each subsequence is calculated. Each subsequence includes at least two adjacent TCP timestamp values, and the number of TCP timestamp values in each subsequence increases arithmetically. For example, subsequence 1 is $[X_1, X_2]$, subsequence 2 is $[X_1, X_2, X_3]$, subsequence 3 is $[X_1, X_2, X_3, X_4]$, and subsequence Q-1 is $[X_1, X_2, X_3, \ldots, X_{M-1}, X_M]$.

[0094] Calculate the standard deviation (STD) of each of the Q-1 subsequences to obtain Q-1 standard deviations, namely $STD_1, STD_2, STD_3, \ldots, STD_{Q-1}$. If the preset standard deviation threshold is a constant C, then among these Q-1 standard deviations, if any one standard deviation is greater than or equal to the preset standard deviation threshold C, then the uplink TCP SYN packets in this group are considered to have TCP timestamp value randomization, and the corresponding TCP timestamp value is a random TCP timestamp value. The corresponding uplink TCP SYN packets are then classified as a random uplink TCP SYN packet group. Conversely, if the standard deviation is less than or equal to C, then the uplink TCP SYN packets in this group are considered to not have TCP timestamp value randomization, and the corresponding TCP timestamp value is a non-random TCP timestamp value. The corresponding uplink TCP SYN packets are then classified as a non-random uplink TCP SYN packet group.

[0095] Step S105: Determine whether the terminal device is sharing internet access based on the classification information.

[0096] Based on the classification information of the received uplink TCP SYN packets, it can be determined whether one or more groups of uplink TCP SYN packets are all non-random TCP SYN packet groups, all random TCP SYN packet groups, or whether non-random TCP SYN packet groups and random TCP SYN packet groups exist simultaneously. This makes it possible to determine whether the terminal device is engaging in shared internet access.

[0097] In some embodiments, determining whether the terminal device is engaging in shared internet access based on classification information includes:

[0098] If the uplink TCP SYN packets received within a preset period include both non-random TCP SYN packet groups and random TCP SYN packet groups, it is determined that the terminal device is engaging in shared internet access behavior.

[0099] For example, if the detection device receives multiple uplink TCP SYN packets reported by the terminal device within a preset period, and if the multiple uplink TCP SYN packets include random uplink TCP SYN packet groups and non-random uplink TCP SYN packet groups, it indicates that the terminal device is sharing the Internet through a hotspot, i.e., there is shared Internet access behavior.

[0100] In some embodiments, if the uplink TCP SYN packets received within a preset period only include random TCP SYN packet groups, the determination of whether the terminal device is sharing the Internet access is ignored, thereby avoiding false detection.
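The randomness test of [0088] to [0094] and the decision of [0098] to [0100], as an added Python example that is not code from the patent. Assumptions: the sequence tested is each packet's segment index in arrival order, the standard deviation is the population form, C is 1.0, the boundary follows [0083] and [0084] (strictly below C is non-random), a window holding only non-random groups is reported as "not-detected", and the SYN records are constructed.

```python
from collections import defaultdict
from statistics import pstdev

SEGMENT_SIZE = 2 * 10**8   # B, the segment size used in [0089]
STD_THRESHOLD = 1.0        # constant C; this value is an assumption


def segment_index(tsval):
    """Index of the segment that a 32-bit TSval falls into."""
    if not 0 <= tsval <= 4294967295:
        raise ValueError("TSval out of range")
    return tsval // SEGMENT_SIZE


def classify_group(tsvals, threshold=STD_THRESHOLD):
    """'random', 'non-random', or None when there are under two values."""
    segs = [segment_index(v) for v in tsvals]   # arrival order (assumption)
    if len(segs) < 2:
        return None
    # Growing prefixes [X1, X2], [X1, X2, X3], ... as in [0093].
    for end in range(2, len(segs) + 1):
        if pstdev(segs[:end]) >= threshold:     # any STD >= C -> random
            return "random"
    return "non-random"


def detect_sharing(syns):
    """Group SYNs by decoding information, classify, then decide."""
    groups = defaultdict(list)
    for s in syns:
        key = (s["hop"], s["window"], s["wscale"], s["mss"])
        groups[key].append(s["tsval"])
    labels = {}
    for key, tsvals in groups.items():
        label = classify_group(tsvals)
        if label is not None:
            labels[key] = label
    kinds = set(labels.values())
    if kinds == {"random", "non-random"}:
        return "shared", labels          # [0098]
    if kinds == {"random"}:
        return "ignored", labels         # [0100]: no judgment is made
    return "not-detected", labels        # assumption: nothing to flag


def make_syns(hop, window, wscale, mss, tsvals):
    """Build constructed SYN records carrying the decoding fields."""
    return [{"hop": hop, "window": window, "wscale": wscale,
             "mss": mss, "tsval": v} for v in tsvals]


# Constructed sample data, not taken from the patent.
RANDOMIZED = make_syns(64, 65535, 8, 1460,
                       [3912004711, 104882213, 2750019384, 1588830021])
MONOTONIC = make_syns(127, 64240, 8, 1460,
                      [51200340, 51201875, 51203990, 51207412])

if __name__ == "__main__":
    for name, window in [("mixed", RANDOMIZED + MONOTONIC),
                         ("randomized only", RANDOMIZED),
                         ("monotonic only", MONOTONIC)]:
        print(name, detect_sharing(window)[0])
```

A monotonic clock whose TSval wraps past 4294967295 inside the window lands in the last and first segments, so this sketch would label that group random.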

[0101] In some embodiments, after determining whether the terminal device is engaging in shared internet access based on classification information, the method further includes:

[0102] When the terminal device engages in internet sharing behavior, corresponding feedback is generated based on the internet sharing behavior.

[0103] For example, preset control processing is performed on the terminal device acting as a wireless hotspot based on the shared internet access behavior.

[0104] For example, the preset control measures include temporarily limiting the network speed of the terminal device, or monitoring the shared internet traffic of the terminal device.

[0105] Please see Figure 5, which is a schematic block diagram of a detection device 300 provided in an embodiment of the present invention.

[0106] As shown in Figure 5, the detection device 300 includes a processor 301 and a memory 302, which are connected by a bus 303, such as an I2C (Inter-integrated Circuit) bus.

[0107] Specifically, processor 301 provides computing and control capabilities to support the operation of the entire detection device. Processor 301 can be a Central Processing Unit (CPU), but it can also be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or any conventional processor.

[0108] The memory 302 can be a Flash chip, a read-only memory (ROM), a disk, an optical disk, a USB flash drive, or a portable hard drive, etc.

[0109] The processor 301 is used to run a computer program stored in the memory 302, and performs the following steps when executing the computer program:

[0110] A TCP flow table is established based on the uplink TCP SYN packets sent by the terminal device. The TCP flow table records multiple flow information identifiers, each of which is used to represent the corresponding uplink TCP SYN packet.

[0111] The decoding information and TCP timestamp value corresponding to the uplink TCP SYN packet are obtained according to the TCP flow table.

[0112] The received uplink TCP SYN packet is grouped according to the decoded information;

[0113] Obtain the classification information for each group of uplink TCP SYN packets, wherein the classification information represents the classification result of each group of uplink TCP SYN packets according to the corresponding TCP timestamp value;

[0114] The classification information is used to determine whether the terminal device is engaging in shared internet access behavior.

[0115] In some embodiments, the processor 301 establishes a TCP flow table based on the uplink TCP SYN packet sent by the terminal device, specifically including:

[0116] Obtain message data sent by the terminal device from the same user IP address;

[0117] Obtain the uplink TCP SYN packet from the packet data;

[0118] A TCP flow table is established by selecting uplink TCP SYN packets that meet preset conditions from the uplink TCP SYN packets.

[0119] In some embodiments, the flow information identifier includes the user IP address, network IP address, user TCP port, and network TCP port.

[0120] In some embodiments, the decoding information includes either the TTL field value of IPv4 or the HopLimit field value of IPv6, and at least one of the following: the TCP window field value, the window expansion option value in the TCP header options field, and the maximum segment size value in the TCP header options field.

[0121] In some embodiments, the processor 301 obtains classification information for each group of uplink TCP SYN packets, specifically including:

[0122] Determine whether the TCP timestamp value sequence corresponding to each group of uplink TCP SYN packets is a random TCP timestamp value sequence or a non-random TCP timestamp value sequence;

[0123] When the TCP timestamp value sequence corresponding to the uplink TCP SYN packets in this group is a random TCP timestamp value sequence, the uplink TCP SYN packets in this group are classified as a random TCP SYN packet group;

[0124] When the TCP timestamp value sequence corresponding to the uplink TCP SYN packets in this group is a non-random TCP timestamp value sequence, the uplink TCP SYN packets in this group are classified as a non-random TCP SYN packet group.

[0125] In some embodiments, when the processor 301 determines whether the TCP timestamp value sequence corresponding to each group of uplink TCP SYN packets is a random TCP timestamp value sequence or a non-random TCP timestamp value sequence, the specific steps include:

[0126] Determine whether the standard deviation of adjacent TCP timestamp subsequences in the TCP timestamp value sequence corresponding to each group of uplink TCP SYN packets is less than a preset value;

[0127] When the standard deviation is less than the preset value, it is determined that the TCP timestamp value sequence corresponding to the uplink TCP SYN packet in that group is a non-random TCP timestamp value sequence.

[0128] When the standard deviation is greater than or equal to the preset value, it is determined that the TCP timestamp value sequence corresponding to the uplink TCP SYN packet in that group is a random TCP timestamp value sequence.

[0129] In some embodiments, when the processor 301 determines whether the terminal device is engaging in shared internet access behavior based on classification information, the specific steps include:

[0130] If the uplink TCP SYN packets received within a preset period include both non-random TCP SYN packet groups and random TCP SYN packet groups, it is determined that the terminal device is engaging in shared internet access behavior.

[0131] In some embodiments, the processor 301 is also configured to perform the following steps:

[0132] When the terminal device engages in internet sharing behavior, corresponding feedback is generated based on the internet sharing behavior.

[0133] This invention also provides a storage medium for computer-readable storage, wherein the storage medium stores one or more programs that can be executed by one or more processors to implement the steps of any of the shared internet access detection methods provided in the specification of this invention.

[0134] The storage medium can be an internal storage unit of the detection device described in the foregoing embodiments, such as the hard disk or memory of the detection device. Alternatively, the storage medium can be an external storage device of the detection device, such as a plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, or Flash Card equipped on the detection device.

[0135] It will be understood by those skilled in the art that all or some of the steps, systems, or apparatuses disclosed above, and their functional modules / units, can be implemented as software, firmware, hardware, or suitable combinations thereof. In hardware embodiments, the division between functional modules / units mentioned in the above description does not necessarily correspond to the division of physical components; for example, a physical component may have multiple functions, or a function or step may be performed collaboratively by several physical components. Some or all physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on a computer-readable medium, which may include computer storage media (or non-transitory media) and communication media (or transient media). As is known to those skilled in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data). Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cartridges, magnetic tape, disk storage or other magnetic storage devices, or any other medium that can be used to store desired information and can be accessed by a computer. 
Furthermore, it is well known to those skilled in the art that communication media typically contain computer-readable instructions, data structures, program modules, or other data in modulated data signals such as carrier waves or other transmission mechanisms, and may include any information delivery medium.

[0136] It should be understood that the term "and / or" as used in this specification and the appended claims refers to any combination and all possible combinations of one or more of the associated listed items, and includes such combinations. It should be noted that, herein, the terms "comprising," "including," or any other variations thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or system that includes that element.

[0137] The sequence numbers of the above embodiments of the present invention are merely for descriptive purposes and do not represent the superiority or inferiority of the embodiments. The above descriptions are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any person skilled in the art can easily conceive of various equivalent modifications or substitutions within the technical scope disclosed in the present invention, and these modifications or substitutions should all be covered within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.

Claims

1. A method for detecting shared Internet access, characterized in that the method includes:
A TCP flow table is established based on the uplink TCP SYN packets sent by the terminal device. The TCP flow table records multiple flow information identifiers, each of which is used to represent the corresponding uplink TCP SYN packet.
The decoding information and TCP timestamp value corresponding to the uplink TCP SYN packet are obtained according to the TCP flow table.
The received uplink TCP SYN packet is grouped according to the decoded information;
Obtain the classification information for each group of uplink TCP SYN packets, wherein the classification information represents the classification result of each group of uplink TCP SYN packets according to the corresponding TCP timestamp value;
Determine whether the terminal device is engaging in shared internet access behavior based on the classification information;
The step of obtaining the classification information for each group of uplink TCP SYN packets includes:
Determine whether the TCP timestamp value sequence corresponding to each group of uplink TCP SYN packets is a random TCP timestamp value sequence or a non-random TCP timestamp value sequence;
When the TCP timestamp value sequence corresponding to the uplink TCP SYN packets in this group is a random TCP timestamp value sequence, the uplink TCP SYN packets in this group are classified as a random TCP SYN packet group;
When the TCP timestamp value sequence corresponding to the uplink TCP SYN packets in this group is a non-random TCP timestamp value sequence, the uplink TCP SYN packets in this group are classified as a non-random TCP SYN packet group.

2. The shared internet access detection method according to claim 1, characterized in that the step of establishing a TCP flow table based on the uplink TCP SYN packet sent by the terminal device includes:
Obtain message data sent by the terminal device from the same user IP address;
Obtain the uplink TCP SYN packet from the packet data;
A TCP flow table is established by selecting uplink TCP SYN packets that meet preset conditions from the uplink TCP SYN packets.

3. The shared Internet access detection method of claim 1, wherein the stream information identifier includes the user IP address, network IP address, user TCP port, and network TCP port.

4. The shared Internet access detection method of claim 1, wherein the decoding information includes at least one of the following: the TTL field value of IPv4 or the HopLimit field value of IPv6, the TCP window field value, the window expansion option value in the TCP header options field, and the maximum segment size value in the TCP header options field.

5. The shared internet access detection method according to claim 1, characterized in that the determination of whether the TCP timestamp value sequence corresponding to each group of uplink TCP SYN packets is a random TCP timestamp value sequence or a non-random TCP timestamp value sequence includes:
Determine whether the standard deviation of adjacent TCP timestamp subsequences in the TCP timestamp value sequence corresponding to each group of uplink TCP SYN packets is less than a preset value;
When the standard deviation is less than the preset value, it is determined that the TCP timestamp value sequence corresponding to the uplink TCP SYN packet in that group is a non-random TCP timestamp value sequence.
When the standard deviation is greater than or equal to the preset value, it is determined that the TCP timestamp value sequence corresponding to the uplink TCP SYN packet in that group is a random TCP timestamp value sequence.

6. The shared Internet access detection method of claim 5, wherein the step of determining whether the terminal device is sharing internet access based on classification information includes: if the uplink TCP SYN packets received within a preset period include both non-random TCP SYN packet groups and random TCP SYN packet groups, it is determined that the terminal device is engaging in shared internet access behavior.

7. The shared Internet access detection method of claim 1, wherein the method further includes: when the terminal device engages in internet sharing behavior, corresponding feedback is generated based on the internet sharing behavior.

8. A detection device, characterized in that the detection device includes a processor, a memory, a computer program stored in the memory and executable by the processor, and a data bus for establishing communication between the processor and the memory, wherein when the computer program is executed by the processor, it implements the steps of the shared internet access detection method as described in any one of claims 1 to 7.

9. A storage medium for computer-readable storage, characterized in that the storage medium stores one or more programs, which can be executed by one or more processors to implement the steps of the shared Internet access detection method according to any one of claims 1 to 7.