Identity authentication method, optical line terminal and program product

By utilizing dynamic feature comparison methods in the optical network unit (ONU), the problem of static identifiers being easily counterfeited is solved, achieving more accurate identity authentication and ensuring the stability of the communication system.

CN122226164A · Pending · Publication Date: 2026-06-16 · ZTE CORP

Patent Information
Authority / Receiving Office: CN · China
Patent Type: Application (China)
Current Assignee / Owner: ZTE CORP
Filing Date: 2026-03-18
Publication Date: 2026-06-16

Abstract figure: CN122226164A_ABST

Abstract

The application discloses an identity authentication method, an optical line terminal and a program product, relates to the technical field of communication, and the identity authentication method is applied to an optical line terminal (OLT). The method comprises the following steps: acquiring to-be-verified information and reference information of a dynamic feature of an optical network unit (ONU); and performing identity authentication on the ONU based on a comparison result of the to-be-verified information and the reference information, so as to obtain an identity authentication result of the ONU. The application solves the problem that the accuracy of traditional identity authentication of an optical network unit (ONU) access is low.

Description

Technical Field

[0001] This application relates to the field of communication technology, and in particular to an identity authentication method, an optical line terminal and a related program product.

Background Technology

[0002] In traditional Passive Optical Network (PON) systems, Optical Line Terminals (OLTs) typically rely on static authentication identifiers reported by Optical Network Units (ONUs), such as MAC (Media Access Control) addresses, serial numbers and registration IDs, for access authentication. However, these static identifiers are fixed once the device leaves the factory and are easily intercepted, copied or forged by a malicious device. Once an attacker uses a forged copy of a legitimate identifier to initiate an illegal registration request, the OLT has no effective way to distinguish the genuine ONU from the counterfeit device, so the accuracy of device access authentication is low and the stable operation of the communication system is affected.

Summary of the Invention

[0003] The main purpose of this application is to provide an identity authentication method, optical line terminal and program product, which aims to solve the technical problem of low accuracy of traditional optical network unit (ONU) access identity authentication.

[0004] To achieve the above objectives, this application proposes an identity authentication method applied to an optical line terminal (OLT). The method includes: acquiring dynamic characteristics of an optical network unit (ONU) with information to be verified and reference information; and performing identity authentication on the ONU based on the comparison result of the information to be verified and the reference information to obtain the identity authentication result of the ONU.

[0005] Furthermore, to achieve the above objectives, this application also proposes an optical line terminal, which includes: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the computer program is configured to implement the steps of the authentication method described above.

[0006] Furthermore, to achieve the above objectives, this application also proposes a computer storage medium, which is a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it implements the steps of the authentication method described above.

[0007] In addition, to achieve the above objectives, this application also proposes a computer program product, which includes a computer program that, when executed by a processor, implements the steps of the authentication method described above.

[0008] The one or more technical solutions proposed in this application have at least the following technical effects. An identity authentication method applied to an optical line terminal (OLT) is provided. Identity authentication is implemented by acquiring the information to be verified of a dynamic characteristic of an optical network unit (ONU) and comparing it with reference information. Because dynamic characteristics are time-varying and unique to the device, this method overcomes the shortcoming of traditional static authentication identifiers, which are fixed and easily copied. In an identifier spoofing scenario, even if an illegal device presents a static identifier identical to that of a legitimate device, it cannot produce information to be verified that matches the reference information. The illegal device can therefore be accurately identified and excluded on the basis of the comparison result, yielding an accurate identity authentication result for the ONU. This improves the accuracy of identity authentication in scenarios where a spoofing device coexists with the legitimate ONU or impersonates it while it is offline.

Attached Figure Description

[0009] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.

[0010] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0011] Figure 1 is a flowchart of Embodiment 1 of the identity authentication method of this application;

[0012] Figure 2 is a schematic diagram of a scenario involved in an embodiment of this application;
Figure 3 is an interaction timing diagram of the random verification data distribution provided in Embodiment 2 of this application;
Figure 4 is a schematic diagram of the hardware operating environment of the optical line terminal involved in the embodiments of this application.

[0013] Explanation of reference numerals in the attached figures: 100. Element Management System (EMS); 200. Optical Line Terminal (OLT); 300. Optical Distribution Network (ODN); 400. Optical Network Unit (ONU).

[0014] The realization of the purpose, functional features and advantages of this application will be further explained in conjunction with the embodiments and with reference to the accompanying drawings.

Detailed Implementation

[0015] It should be understood that the specific embodiments described herein are merely illustrative of the technical solutions of this application and are not intended to limit this application.

[0016] To better understand the technical solution of this application, a detailed description will be provided below in conjunction with the accompanying drawings and specific implementation methods.

[0017] In a conventional Passive Optical Network (PON) system, the Optical Line Terminal (OLT) authenticates and controls access to Optical Network Units (ONUs) through its PON port. For example, during registration the ONU reports its static authentication identifier to the OLT. This static identifier can be, for example, a MAC address or serial number (SN). The OLT compares the received static authentication identifier with the valid ONU authentication data pre-configured on the corresponding PON port; only if they match is the ONU allowed to complete registration and access the network. Once the ONU is authenticated, the OLT allocates uplink bandwidth, establishes a logical link identifier and issues the corresponding service configuration parameters on the basis of this static authentication identifier, and subsequent data forwarding and management also rely on it. Therefore, under the same PON port, each ONU's static authentication identifier must be unique. If two ONUs report the same static authentication identifier, an identifier conflict occurs; in this case the OLT typically allows only the first ONU detected, or the first to complete the registration process, to go online, and denies access to later ONUs carrying the same identifier. The problem is that if the static authentication identifier of a legitimate ONU is spoofed by an unauthorized device on the same PON port, only one of the two will register successfully. If the legitimate ONU is temporarily offline due to a fault, a disconnection or a restart, the spoofed ONU can take the opportunity to complete authentication and go online, illegally occupying network resources, stealing user service data and even interfering with normal communication services. Therefore, the accuracy of traditional optical network unit (ONU) access authentication is relatively low.

[0018] In view of this, a first embodiment of the identity authentication method of this application is proposed; refer to Figure 1, which is a flowchart of the first embodiment of the identity authentication method of this application.

[0019] It should be noted that the embodiments of this application can be applied to passive optical network (PON) scenarios, whose architecture is shown in Figure 2. It mainly includes an Element Management System (EMS), an Optical Line Terminal (OLT), an Optical Distribution Network (ODN), and at least one Optical Network Unit (ONU).

[0020] The EMS 100 is responsible for configuring, managing, and maintaining the OLT 200 and the entire passive optical network. By storing historical information, alarms, and notification messages from the OLT 200 and ONU 400, it can accurately identify abnormal ONU 400s and locate their physical positions. The OLT 200, as the core device at the central office, is responsible for initiating the discovery process of the ONU 400, assigning it a link identifier for registration and authentication. Simultaneously, it sends data to activate services according to instructions from the upper-layer operation and maintenance system, and maintains information exchange with the ONU 400 during operation to preserve its registration status. When the ONU 400 comes back online, the OLT 200 uses the reserved registration information to complete its authentication and re-access, and restores its carrying services by allocating uplink service time slots. The ONU 400, as a terminal device for home or enterprise users, is managed uniformly by the OLT 200. During the registration process, it receives a link identifier assigned by the OLT 200 to complete identity registration and strictly follows the time slot windows uniformly assigned by the OLT 200 to upload data, thereby achieving transparent forwarding of services. The ODN 300 serves as the physical connection channel between the OLT 200 and the ONU 400, used to connect a varying number of ONU 400s. Its physical structure includes: a backbone optical path connecting the primary optical splitter to the corresponding passive optical network interface of the OLT 200; an optical splitter that combines one or more devices to achieve the splitting ratio; and tributary optical fibers connecting multiple optical splitters or directly connecting to the ONU 400.

[0021] The entity executing the authentication method in this application embodiment can be an optical line terminal (OLT). For ease of description, the execution entity is omitted from the following description of each embodiment. The authentication method includes the following steps S10 to S20:

Step S10: Obtain the information to be verified and the reference information of the dynamic characteristics of the optical network unit (ONU).

[0022] In one feasible embodiment, in order to achieve highly accurate identity authentication of the ONU, the verification information of the dynamic features of the ONU and the reference information of the dynamic features are obtained.

[0023] Optionally, dynamic characteristics refer to data related to the ONU that is dynamically updated over time or changes in operating status. This data is difficult for malicious devices to completely counterfeit or copy, and can therefore serve as a key basis for distinguishing genuine ONUs from counterfeit devices.

[0024] Optionally, dynamic features include: random verification data and equipment operation data.

[0025] Optionally, the random verification data can be a random value generated periodically by the OLT for each online ONU, which is unique and unpredictable.

[0026] Optionally, equipment operation data refers to information collected and statistically analyzed in real time during ONU operation, reflecting its own working status and the characteristics of the services it carries. Depending on the nature of the data, it can be further subdivided into equipment physical operation data and equipment service operation data.

[0027] Optionally, the device physical operation data are quantifiable parameters that reflect the working status of the ONU hardware module and the physical connection characteristics of the ODN network to which it belongs.

[0028] Optionally, the physical operation data of the device may include: the hardware characteristics of the ONU itself, such as the optical module's luminous power, optical module bias current, and optical module eye diagram parameters; and the characteristics of the ODN network, such as the distance between the ONU and the OLT, uplink optical power loss, and downlink optical power loss. These data constitute the hardware fingerprint and physical location fingerprint of the ONU.

[0029] Optionally, device service operation data describes the traffic characteristics and behavioral patterns of the services carried by the ONU. This information reflects the ONU's service habits and user behavior in the actual network. Examples include the ONU's runtime, time-sharing traffic characteristics based on different VLANs (such as uplink and downlink traffic statistics within a specific time period), and the MAC address list of devices connected to the ONU's user network interface. This data reflects user behavior and service characteristics, exhibiting individual uniqueness and time relevance.

[0030] Optionally, the dynamic feature verification information is the latest dynamic feature data collected or queried from the ONU. This type of information reflects the true state of the ONU at the current moment and serves as the verification sample for identity comparison.

[0031] Optionally, the reference information for dynamic features refers to the standard or benchmark data that the OLT collects, records, and stores in advance during the historical operation of the ONU, which serves as the basis for comparison to determine whether the information to be verified is true and reliable.

[0032] Optionally, to effectively manage dynamic characteristics, the OLT can maintain an ONU comprehensive information record table. The ONU comprehensive information record table can be indexed by the ONU's static authentication identifier (e.g., MAC address, SN serial number, etc.) to record and continuously update various dynamic characteristics of the corresponding ONU.

[0033] Optionally, the OLT retrieves reference information on the dynamic characteristics associated with the ONU from the ONU comprehensive information record table based on the ONU's static authentication identifier.

[0034] Optionally, the reference information for dynamic characteristics can come from the continuous monitoring and recording of the ONU's dynamic characteristics during each normal online period by the OLT. When the ONU is in a stable working state, the OLT can periodically collect its relevant data (e.g., device operation data), and store this data in the ONU comprehensive information record table after sorting, summarizing, and processing it. As for random verification data, the OLT itself will record the random verification data sent to a specific ONU each time, as reference information for subsequent authentication.

[0035] Step S20: Based on the comparison results between the information to be verified and the reference information, the ONU is authenticated to obtain the ONU's authentication result.

[0036] In one feasible embodiment, the information to be verified for the same dynamic feature is compared with its reference information to obtain a comparison result, and the identity authentication of the ONU is performed based on the comparison result to obtain the identity authentication result of the ONU.

[0037] Optionally, the comparison method between the information to be verified and the reference information includes: comparing whether the information to be verified and the reference information are consistent to obtain a comparison result; in response to the information to be verified being consistent with the reference information (i.e., the comparison is passed), determining that the identity authentication result is successful; in response to the information to be verified being inconsistent with the reference information (i.e., the comparison is not passed), determining that the identity authentication result is unsuccessful.

[0038] Optionally, the comparison method between the information to be verified and the reference information includes: comparing the similarity between the information to be verified and the reference information to obtain a comparison result; in response to the comparison result that the similarity between the information to be verified and the reference information is greater than a preset similarity threshold (e.g., 90%, 95%, 98%, 100%, etc.), determining that the identity authentication result is successful; in response to the comparison result that the similarity between the information to be verified and the reference information is less than or equal to the preset similarity threshold, determining that the identity authentication result is unsuccessful.

[0039] For example, the comparison method between the information to be verified and the reference information includes: determining whether the random verification data is consistent, whether the physical parameters in the device operation data are within the threshold range, and whether the similarity of the device operation data meets the standard. It is understood that the comparison method between the information to be verified and the reference information can be adaptively adjusted according to the actual situation, and the embodiments of this application do not limit it in this regard.

[0040] Optionally, the dynamic features can include multiple different categories, and the comparison results for the various dynamic features may disagree. In that case, the action taken depends on the actual pattern of results. For example, if all comparisons pass, the identity authentication result is determined to be successful. If some comparisons fail, the identity authentication result is determined to be questionable: the identity of the ONU has not been fully confirmed, but it is not advisable to apply a direct forced block, which could disrupt legitimate services, so an alarm message is reported and the operation and maintenance platform is triggered to handle the situation. If all comparisons fail, the identity authentication result is determined to be unsuccessful; the ONU is highly suspected of being a counterfeit or illegal device, so a preset forced control policy can be triggered to actively suppress the illegal access behavior.

[0041] Optionally, the mandatory control strategy includes at least one of the following: reporting alarm information, remotely shutting down the ONU laser, setting service rate limits, and restricting or blocking service forwarding.
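The following is an added example, not code from the application or from ZTE, of how an OLT could implement steps S10 and S20 over the three feature classes named above (random verification data, device physical operation data, device service operation data) together with the all-pass, partial and all-fail decision of [0040] and the control policy of [0041]. The record-table layout, the field names, the tolerances and the 90% similarity threshold are assumptions for the illustration; the ONU record and the two samples are constructed data.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Tolerances for the physical fingerprint ([0028]); the values are assumptions,
# a deployment would calibrate them from the ONU's own recorded history.
PHYS_TOLERANCE = {
    "tx_power_dbm": 1.0,       # optical module launch power
    "bias_current_ma": 5.0,    # optical module bias current
    "distance_m": 50.0,        # ONU to OLT distance from ranging
    "uplink_loss_db": 1.5,
    "downlink_loss_db": 1.5,
}
SERVICE_SIMILARITY_THRESHOLD = 0.90   # one of the example thresholds in [0038]
CONTROL_POLICY = ("report_alarm", "shutdown_laser", "rate_limit", "block_forwarding")


@dataclass
class OnuRecord:
    """One row of the ONU comprehensive information record table ([0032]), keyed by static ID."""
    static_id: str
    random_verification_data: Optional[bytes] = None
    physical: Dict[str, float] = field(default_factory=dict)
    user_macs: Set[str] = field(default_factory=set)   # MAC list seen on the user-side port


def compare_random(to_verify: Optional[bytes], reference: Optional[bytes]) -> bool:
    """Exact consistency check ([0037]); constant-time so a spoofer cannot time the compare."""
    if to_verify is None or reference is None:
        return False
    return hmac.compare_digest(to_verify, reference)


def compare_physical(to_verify: Dict[str, float], reference: Dict[str, float]) -> bool:
    """Every physical parameter must lie within its tolerance of the recorded value ([0039])."""
    for key, tol in PHYS_TOLERANCE.items():
        if key not in to_verify or key not in reference:
            return False
        if abs(to_verify[key] - reference[key]) > tol:
            return False
    return True


def jaccard(a: Set[str], b: Set[str]) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def compare_service(to_verify: Set[str], reference: Set[str]) -> bool:
    """Service-data similarity must exceed the preset threshold ([0038])."""
    return jaccard(to_verify, reference) > SERVICE_SIMILARITY_THRESHOLD


def authenticate(record: OnuRecord, to_verify: dict) -> Tuple[str, Dict[str, bool], tuple]:
    """Step S20 across the three feature classes; returns (result, per-feature results, actions)."""
    results = {
        "random": compare_random(to_verify.get("random"), record.random_verification_data),
        "physical": compare_physical(to_verify.get("physical", {}), record.physical),
        "service": compare_service(set(to_verify.get("user_macs", ())), record.user_macs),
    }
    passed = sum(results.values())
    if passed == len(results):
        return "success", results, ()
    if passed == 0:                           # all failed: forced control policy ([0040], [0041])
        return "unsuccessful", results, CONTROL_POLICY
    return "questionable", results, ("report_alarm",)   # partial: alarm only, no forced block


def demo():
    """Constructed data: one legitimate record, a genuine sample with small drift,
    a clone that copied only the serial number, and the genuine ONU moved to another branch."""
    record = OnuRecord(
        static_id="ZTEG11223344",
        random_verification_data=bytes.fromhex("9f1c4d2ab7e06583"),
        physical={"tx_power_dbm": 2.1, "bias_current_ma": 18.0, "distance_m": 1532.0,
                  "uplink_loss_db": 24.3, "downlink_loss_db": 23.9},
        user_macs={"00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"},
    )
    genuine = {"random": bytes.fromhex("9f1c4d2ab7e06583"),
               "physical": {"tx_power_dbm": 2.3, "bias_current_ma": 19.1, "distance_m": 1531.0,
                            "uplink_loss_db": 24.5, "downlink_loss_db": 24.0},
               "user_macs": {"00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"}}
    clone = {"random": None,
             "physical": {"tx_power_dbm": 0.8, "bias_current_ma": 26.0, "distance_m": 2890.0,
                          "uplink_loss_db": 27.9, "downlink_loss_db": 27.4},
             "user_macs": {"de:ad:be:ef:00:01"}}
    moved = dict(genuine, physical=clone["physical"])   # right secret and users, new fiber branch
    return {name: authenticate(record, sample)
            for name, sample in (("genuine", genuine), ("clone", clone), ("moved", moved))}


if __name__ == "__main__":
    for name, (result, per_feature, actions) in demo().items():
        print(name, result, per_feature, actions)
```

The "moved" sample shows why the partial-failure branch reports an alarm rather than blocking: a legitimate ONU relocated to a different splitter branch keeps its random verification data and user MACs but no longer matches the recorded ODN fingerprint, and only an operator can tell that apart from a clone that has also captured the secret.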

[0042] Optionally, to facilitate network administrators in real-time monitoring of network status and timely detection and handling of security threats, authentication results can be presented visually. For example, the OLT can report the results to the upper-level network management system or a graphical maintenance terminal, and display the authentication results on the corresponding interface.

[0043] In this embodiment, identity authentication is implemented by obtaining the verification information of the dynamic features of the ONU and comparing it with the reference information. By utilizing the time-varying and unique characteristics of dynamic features, the shortcomings of traditional static authentication identifiers, which are fixed and easily copied, are overcome. When faced with identifier spoofing scenarios, even if an illegal device uses a static identifier that is consistent with that of a legitimate device, it cannot generate verification information of dynamic features that match the reference information. Therefore, the illegal device can be accurately identified and excluded based on the comparison results, and an accurate identity authentication result for the ONU can be obtained. This improves the accuracy of identity authentication in scenarios where counterfeit devices coexist or offline impersonation occurs.

[0044] Based on the first embodiment described above, a second embodiment of the authentication method of this application is proposed. In this embodiment, the dynamic features include random verification data. Before step S10, which obtains the information to be verified and the reference information of the dynamic features of the optical network unit (ONU), steps A10 to A30 are further included:

Step A10: In response to the ONU completing registration, random verification data is generated.

[0045] In one feasible embodiment, the dynamic features used for ONU identity authentication include random verification data, which can be random values ​​periodically generated by the OLT for each online ONU. Furthermore, before authenticating the ONU based on the random verification data, the OLT generates the random verification data in response to the ONU completing registration.

[0046] Optionally, ONU registration completion refers to the state where, after the physical layer connection is established, the ONU successfully completes the discovery, authentication, and parameter configuration processes through interaction with the OLT, and officially becomes a manageable online node in the PON system.

[0047] Optionally, the ONU registration process includes: the ONU initiating a registration request to the OLT based on its static authentication identifier (such as MAC address, serial number, etc.); the OLT performing preliminary verification of the static authentication identifier and accepting the registration; and then the OLT and ONU synchronizing the service configuration parameters through the management protocol. At this point, the ONU is considered to have completed registration and gone online, and enters normal operation.

[0048] Step A20: Send random verification data to the ONU.

[0049] In this process, the ONU completes the storage of random verification data, and uses the random verification data as the verification information for the dynamic characteristics of the ONU.

[0050] In one feasible embodiment, random verification data is sent to the ONU. If the ONU completes the storage of the random verification data, it indicates that the random verification data has been used as the verification information of the ONU's dynamic characteristics and can be used for current identity authentication.

[0051] Optionally, the OLT can send the random verification data to the ONU through the management protocol of the PON system, and the ONU can store the random verification data in a local non-volatile storage medium.

[0052] Optionally, to ensure the confidentiality and integrity of the random verification data during transmission on the PON link, and to prevent an attacker from obtaining the random verification data sent by the OLT through eavesdropping (downstream PON frames reach every ONU behind the same splitter), the OLT and ONU can negotiate an encryption method and transmit the random verification data in encrypted form.

[0053] Optionally, the OLT generates random verification data based on the static authentication identifier of the ONU and sends the random verification data to the ONU corresponding to the static authentication identifier.

[0054] Optionally, the ONU can use a dual-storage mechanism to save random verification data, including storing it in RAM and on local non-volatile storage media. RAM storage offers fast access and immediate effect, but it is volatile; data will be lost if the ONU loses power or restarts. Therefore, the ONU can also store the data on local non-volatile storage media, allowing it to be read and restored after power-on, providing a reliable basis for authentication upon reconnection.

[0055] Step A30: The random verification data is determined as reference information for the dynamic characteristics of the ONU.

[0056] In one feasible embodiment, the OLT local end determines the random verification data as reference information for the dynamic characteristics of the ONU, and uses it for ONU identity authentication.

[0057] Optionally, the OLT can store the random verification data in the ONU integrated information record table.

[0058] Optionally, random verification data can be generated and updated periodically. To ensure the security and timeliness of the random verification data and prevent the risk of being cracked or counterfeited due to the long-term use of the same random value, after the initial distribution of random verification data, the OLT can periodically generate new random verification data at a preset update interval T1 and send it to the corresponding ONU to update its locally stored value (i.e., the information to be verified). Each time an update is performed, the OLT itself synchronously records the latest distributed random verification data as reference information for subsequent authentication.

[0059] Optionally, when an ONU goes offline for any reason (such as power failure, fiber optic cable interruption, or active power-off), the periodic transmission of random verification data to that ONU is stopped.

[0060] Optionally, the update cycle T1 can be manually defined according to the actual security needs of the network.

[0061] Optionally, T_online < T1 < 2 × T_online, where T_online is the ONU authentication online duration, i.e. the time an ONU needs to complete registration, authentication and service activation. Setting the update period T1 greater than T_online ensures that the ONU receives at least one update of the random verification data during its stable operating phase after coming online, avoiding unnecessary management overhead from updates that are too frequent before the ONU is stable. Setting T1 less than 2 × T_online keeps the random value refreshed often enough that a long update interval does not leave an attacker a sufficiently long attack window: even if an attacker steals the random value at some moment, that value becomes invalid within a short time.

[0062] In this embodiment, random verification data dynamically generated, periodically updated, and distributed by the OLT can be introduced through the above method for ONU identity authentication. This makes it difficult for impersonators to achieve long-term impersonation by eavesdropping or copying static identifiers, thus improving the accuracy of ONU access identity authentication.

[0063] In one feasible implementation, step A20, sending random verification data to the ONU, includes steps A21 to A22:

Step A21: In response to determining that the registration status of the ONU is first registration, random verification data is sent to the ONU.

[0064] In one feasible embodiment, before sending random verification data to the ONU, it is necessary to determine whether the ONU is registering for the first time. If the ONU's registration status is determined to be first registration, for example, the ONU has never completed registration or there is no historical record in the ONU comprehensive information record table, then random verification data is sent to the ONU.

[0065] Optionally, the registration status of the ONU, i.e., initial registration or re-registration, can be determined based on the static authentication identifier of the ONU.

[0066] Optionally, for data updates in the ONU integrated information record table: in response to the ONU's registration status being "first registration," a new entry is created for that ONU in the ONU integrated information record table, and relevant data of the ONU, such as random verification data and equipment operation data, is obtained and stored in it. In response to the ONU's registration status being "re-registration," steps S10 to S20 are executed, and in response to the authentication result being "authentication passed," relevant data of the ONU, such as random verification data and equipment operation data, is obtained and stored in the ONU integrated information record table.

[0067] Step A22: In response to determining that the registration status of the ONU is re-registration, obtain the verification information and reference information of the dynamic characteristics of the ONU, perform identity authentication on the ONU based on the comparison result of the verification information and reference information, obtain the identity authentication result of the ONU, and in response to the identity authentication result being successful, send random verification data to the ONU.

[0068] In one feasible embodiment, if the ONU's registration status is determined to be re-registration (e.g., the ONU has previously completed registration or its corresponding information is stored in the ONU comprehensive information record table), to prevent unauthorized devices from impersonating legitimate ONUs, steps S10-S20 are executed. This involves obtaining the ONU's dynamic characteristics' verification information and reference information, and performing identity authentication on the ONU based on the comparison results of the verification information and reference information to obtain the ONU's identity authentication result. If the identity authentication result is successful, indicating that the ONU is a legitimate device, random verification data is sent to the ONU. If the identity authentication result is unsuccessful, the sending of random verification data is canceled to prevent leakage of random verification data and improve the accuracy of identity authentication.

[0069] Optionally, the dynamic features used for identity authentication include: random verification data and / or device operation data.

[0070] In this embodiment, by distinguishing between the initial registration and re-registration scenarios, the random verification data is not blindly updated when the ONU identity is not authenticated. This prevents attackers from taking advantage of the re-registration opportunity to obtain new random verification data through spoofing devices, ensuring that random verification data is only sent to trusted devices that have undergone strict authentication, thereby improving the accuracy of identity authentication.

[0071] In one feasible implementation, the information to be verified regarding the dynamic characteristics of the ONU includes at least one of the following a1 to a4:

Method a1: Random verification data running in the ONU's memory.

[0072] In one feasible embodiment, the verification information for the dynamic features used for identity authentication includes: random verification data running in the ONU's memory, that is, random verification data loaded into the volatile running memory of the ONU and currently in use.

[0073] Optionally, the random verification data running in the ONU's memory includes: historically generated random verification data and/or currently generated random verification data.

[0074] Method a2: Random verification data stored in the ONU's local storage.

[0075] In one feasible embodiment, the verification information for the dynamic features used for identity authentication includes: random verification data stored in the local storage of the ONU, that is, data that the ONU writes to a non-volatile storage medium for persistent storage, which can still be retained after the ONU loses power or restarts.

[0076] Optionally, the random verification data stored in the ONU's local storage includes: historically generated random verification data and/or currently generated random verification data.

[0077] Optionally, the ONU's local storage can be a local flash memory chip.

[0078] Method a3: Currently generated random verification data.

[0079] In one feasible embodiment, the verification information of the dynamic features used for identity authentication includes: currently generated random verification data, that is, the latest random verification data generated and issued by the OLT in the current update cycle, which has the strongest timeliness.

[0080] Method a4: Historically generated random verification data.

[0081] In one feasible embodiment, the verification information of the dynamic features used for identity authentication includes: historically generated random verification data, that is, random verification data generated and issued by the OLT in a historical update cycle (e.g., the previous update cycle).

[0082] Optionally, during the identity authentication process, different priorities can be set for the aforementioned random verification data according to the actual scenario requirements, and a step-by-step verification method can be used for comparison. If the identity authentication of at least one random verification data is passed, the ONU's identity authentication result can be confirmed as successful.

[0083] Optionally, the priority of the random verification data is as follows: currently generated random verification data running in memory > historically generated random verification data running in memory > currently generated random verification data stored in local storage > historically generated random verification data stored in local storage.

[0084] Optionally, in the case of ONU re-registration, the verification information for the dynamic features used for ONU identity authentication can be determined based on the reason for the ONU coming online. For example, if the reason for the ONU coming online is "online after offline," this means that the ONU was in normal working condition before going offline, and its memory may still retain the random verification data from before it went offline. Therefore, the OLT can prioritize obtaining the random verification data running in the ONU's memory as the verification information for its dynamic features. If the reason for the ONU coming online is "online after power failure," since the running memory is volatile, the ONU lost all data held in its memory at the moment of power failure. In that case there is no valid random verification data available for reading in the ONU's memory, so the OLT can prioritize obtaining the random verification data stored in the ONU's local storage as the verification information for its dynamic features.

[0085] In this embodiment, by subdividing random verification data into various specific forms, the robustness of authentication is improved to adapt to diverse scenarios.

[0086] In one feasible implementation, after step A20, which involves sending random verification data to the ONU, steps A31 to A33 are further included: Step A31: Perform an identifier validity check on the ONU based on the random verification data to obtain the identifier validity check result.

[0087] In one feasible embodiment, after sending random verification data to the ONU, it is necessary to perform an identifier validity check on the ONU based on the currently sent random verification data to obtain the identifier validity check result.

[0088] Optionally, the identifier validity check is used to determine whether the random verification data has successfully taken effect and been persistently saved on the ONU side.

[0089] Optionally, the validity check includes: the OLT initiating a read operation to obtain an effective response from the ONU for the random verification data, wherein the effective response is generated when the ONU saves the random verification data; in response to the effective response for the random verification data, determining that the validity check result is that the random verification data is valid; in response to an ineffective response for the random verification data, determining that the validity check result is that the random verification data is invalid.

[0090] Optionally, the effective response can be actively obtained by the OLT or generated by the ONU after saving the random verification data. This application embodiment does not limit this.

[0091] Step A32: In response to the identifier validity check result being that the random verification data is valid, the random verification data is determined as reference information for the dynamic characteristics of the ONU.

[0092] In one feasible embodiment, if the identifier validity check result is that the random verification data is valid, it indicates that the ONU has successfully stored the currently generated random verification data. The random verification data is then determined as the reference information for the dynamic characteristics of the ONU; for example, it can further be written into the ONU comprehensive information record table.

[0093] Step A33: In response to the identifier validity check result being that the random verification data is invalid, the random verification data is resent to the ONU; once the number of times the random verification data has been sent exceeds the preset number of sends, it is determined that the ONU does not meet the conditions for identity authentication based on the random verification data.

[0094] In one feasible embodiment, if the identifier validity check result indicates that the random verification data is invalid, this may be due to a momentary link failure causing the transmission to fail. In this case, step A20, i.e., sending random verification data to the ONU, is re-executed until the number of times the random verification data has been sent exceeds a preset sending threshold (e.g., 3 times, 5 times, 8 times, etc.), at which point it is determined that the ONU does not meet the conditions for identity authentication based on random verification data. This situation can also be recorded in the ONU comprehensive information record table: for example, keyed by the ONU's static authentication identifier, the ONU's capability to verify random verification data can be recorded in the ONU comprehensive information record table for subsequent processing or maintenance reference.

[0095] For example, refer to Figure 3. The sequence diagram for the distribution of random verification data includes steps b1 to b18:
Step b1: The ONU completes initial registration.
Step b2: The OLT starts the update cycle timer, and generates and sends random verification data to the ONU with T1 as the update cycle.
Step b3: The ONU stores the received random verification data in memory and in local storage.
Step b4: The ONU returns a response confirming the validity of the random verification data.
Step b5: Based on the effective response, the OLT determines that the random verification data generated in the current cycle is valid and records it as reference information in the ONU comprehensive information record table.
Step b6: In the next update cycle, the OLT generates and sends new random verification data to the ONU.
Step b7: The ONU stores the received new random verification data in memory and in local storage.
Step b8: The ONU returns a response confirming the validity of the random verification data.
Step b9: Based on the effective response, the OLT determines that the random verification data generated in the current cycle is valid and records it as reference information in the ONU comprehensive information record table.
Step b10: The above steps for updating the random verification data are repeated until the ONU goes offline.
Step b11: The OLT stops the update cycle timer and records the random verification data of the current cycle in the ONU comprehensive information record table.
Step b12: The ONU comes online again and completes re-registration.
Step b13: The OLT obtains the random verification data from the ONU side as the information to be verified, and obtains the locally stored random verification data as the reference information. The information to be verified from the ONU side includes the random verification data running in the ONU's memory and the random verification data stored in the ONU's local storage.
Step b14: The OLT performs identity authentication on the ONU based on the comparison result of the information to be verified and the reference information, and obtains the identity authentication result of the ONU. In response to the identity authentication result being successful, the OLT starts the update cycle timer.
Step b15: The OLT generates and sends new random verification data to the ONU with T1 as the update cycle.
Step b16: The ONU stores the received new random verification data in memory and in local storage.
Step b17: The ONU returns a response confirming the validity of the random verification data.
Step b18: Based on the effective response, the OLT determines that the random verification data generated in the current cycle is valid and records it as reference information in the ONU comprehensive information record table. The above steps are repeated to achieve dynamic updating of the random verification data.

[0096] In this embodiment, the validity of the identifier is checked to confirm whether the currently generated random verification data is effective on the ONU side. This avoids the loss or error of reference information for dynamic features caused by momentary link failures or the ONU's lack of conditions for identity authentication based on random verification data, thereby improving the accuracy of identity authentication.
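The exchange of steps b1 to b18, the validity check and resend of steps A31 to A33, and the priority-ordered comparison of paragraphs [0083] and [0084], as an added Python simulation that is not part of the patent; the 16-byte random verification data, the send threshold of 3, the `offline`/`power_failure` reason strings and the record-table layout are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_SENDS = 3  # assumed preset sending threshold; the text mentions 3, 5 or 8 as examples


@dataclass
class OnuDevice:
    """Constructed ONU model: volatile running memory plus non-volatile local storage."""
    serial: str                                   # static identifier (easily cloned)
    memory: Dict[str, bytes] = field(default_factory=dict)   # lost on power failure
    flash: Dict[str, bytes] = field(default_factory=dict)    # retained after power failure
    link_ok: bool = True                          # False simulates a momentary link failure

    def store_random_data(self, data: bytes) -> bool:
        """Steps b3/b7: keep the previous value as 'historical', save the new one as
        'current' in both banks. The return value is the effective response: True only
        when the data was actually saved."""
        if not self.link_ok:
            return False
        for bank in (self.memory, self.flash):
            if "current" in bank:
                bank["historical"] = bank["current"]
            bank["current"] = data
        return True

    def power_failure(self) -> None:
        """Volatile memory is wiped; local storage survives (paragraph [0084])."""
        self.memory.clear()


@dataclass
class OltRecord:
    """One row of the ONU comprehensive information record table (assumed layout)."""
    reference: Optional[bytes] = None   # last random verification data confirmed valid
    random_data_capable: bool = True    # cleared when the ONU never returns a valid response


class Olt:
    def __init__(self) -> None:
        self.table: Dict[str, OltRecord] = {}

    def issue_random_data(self, onu: OnuDevice) -> bool:
        """Step A20 plus the identifier validity check of steps A31-A33: send fresh random
        verification data, resend on an ineffective response, and give up once the
        preset send count is reached, recording that in the table."""
        rec = self.table.setdefault(onu.serial, OltRecord())
        for _ in range(MAX_SENDS):
            data = secrets.token_bytes(16)
            if onu.store_random_data(data):   # effective response: data took effect on the ONU
                rec.reference = data          # step A32: becomes the reference information
                return True
        rec.random_data_capable = False       # step A33: ONU cannot be authenticated this way
        return False

    def authenticate_reregistration(self, onu: OnuDevice, online_reason: str) -> bool:
        """Step A22: read back the ONU's copies and compare them with the reference in the
        priority order of paragraph [0083]; online_reason ('offline' or 'power_failure')
        picks which storage is read first, as in paragraph [0084]."""
        rec = self.table.get(onu.serial)
        if rec is None or rec.reference is None or not rec.random_data_capable:
            return False
        order = [(onu.memory, "current"), (onu.memory, "historical"),
                 (onu.flash, "current"), (onu.flash, "historical")]
        if online_reason == "power_failure":  # memory is empty, so read local storage first
            order = order[2:] + order[:2]
        for bank, key in order:
            value = bank.get(key)
            # constant-time comparison so the check itself leaks nothing about the reference
            if value is not None and secrets.compare_digest(value, rec.reference):
                return True
        return False


if __name__ == "__main__":
    olt, onu = Olt(), OnuDevice("SN-CONSTRUCTED-1")
    olt.issue_random_data(onu)       # cycles b2-b5 and b6-b9
    olt.issue_random_data(onu)
    onu.power_failure()              # ONU comes back after power loss (b12)
    print("genuine ONU after power failure:",
          olt.authenticate_reregistration(onu, "power_failure"))
    clone = OnuDevice("SN-CONSTRUCTED-1")   # same static identifier, no dynamic data
    print("cloned identifier:", olt.authenticate_reregistration(clone, "offline"))
```

The cloned device fails because it carries only the static identifier, which is exactly the gap the dynamic comparison closes.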

[0097] Based on any of the above embodiments, a third embodiment of the authentication method of this application is proposed. In this embodiment, the dynamic features include: device operation data. Step S10, the step of obtaining reference information of the dynamic features of the optical network unit (ONU), includes steps B10 to B30: Step B10: Periodically acquire sampled values of the ONU's device operation data.

[0098] In one feasible embodiment, the dynamic features include: device operation data, which is information collected and statistically analyzed in real time during ONU operation, reflecting its own working status and the characteristics of the services it carries. To construct reference information for device operation data used for identity authentication, sampled values of the ONU's device operation data can be periodically acquired.

[0099] Optionally, the sampling period of the sampled values can be set according to the actual situation, such as every minute, every 5 minutes, etc.; the embodiments of this application do not limit this.

[0100] For example, the OLT continuously collects the device operation data of the ONU with a sampling period of 1 minute. At 10:00, the sampled value is "MAC address A", and the sampled value collected at 10:01 is also "MAC address A"; at 10:02, the sampled value becomes "MAC address B".

[0101] Step B20: Determine the effective feature values within the preset absolute time period based on the sampled values.

[0102] A feature value is a data item contained in a sampled value.

[0103] In one feasible embodiment, after accumulating sampled values, for each preset absolute time period, it is necessary to filter out, from the sampled values contained in that period, the feature values that can stably represent the behavior pattern of the ONU within that preset absolute time period, so as to use them as valid feature values.

[0104] Optionally, the sampled value refers to the raw data record collected from the ONU.

[0105] Optionally, a feature value refers to a data item extracted from a sampled value, representing the data content itself, for example, a meaningful numerical value or identifier contained within the sampled value. Exemplarily, a feature value could be a specific MAC address, a specific optical power value, or a specific bandwidth value. The same feature value can be collected multiple times at different times, thus forming multiple sampled values.

[0106] Optionally, a valid feature value refers to a strong feature value that is selected within a certain preset absolute time period and can stably represent the behavior pattern of the ONU within that time period. Some feature values may appear sporadically, or be noise, abnormal data, etc. Therefore, in this embodiment, the stable features retained after removing these sporadic factors through a specific method are used as valid feature values.

[0107] Optionally, the preset absolute time period refers to a fixed time window within a day, based on natural time, used for classifying, statistically analyzing, and processing the ONU's device operation data. The preset absolute time period can be based on a 24-hour cycle, dividing each day into multiple consecutive and non-overlapping time periods, each with a fixed start and end time.

[0108] Optionally, the granularity of the preset absolute time period can be set according to actual needs. For example, it can be based on "hours" (e.g., 00:00-00:59, 01:00-01:59, ..., 23:00-23:59), or on "half-hours" (e.g., 00:00-00:29, 00:30-00:59, etc.), or it can be a longer or shorter granularity. This absolute time-based division method allows the OLT to capture the behavioral patterns of the ONU at different time periods. For example, users' network usage habits during daytime working hours and nighttime rest hours may differ significantly.

[0109] Step B30: Determine the reference information of the device operation data corresponding to the preset absolute time period based on the effective feature values within the preset absolute time period.

[0110] In one feasible embodiment, the above steps can determine at least one effective feature value within each preset absolute time period. These effective feature values embody the stable behavior characteristics of the ONU within that specific time period. Therefore, the reference information of the device operation data corresponding to the preset absolute time period can be determined based on the effective feature values within the preset absolute time period.

[0111] Optionally, the reference information of the device operation data corresponding to a predetermined preset absolute time period can be stored in the ONU comprehensive information record table. When the ONU comes online again at some point in the future, it can perform identity authentication based on the reference information of the device operation data in the ONU comprehensive information record table.

[0112] In this embodiment, by continuously collecting device operation data from ONUs, raw material reflecting their behavioral patterns is accumulated; then, effective feature values within a preset absolute time period are filtered out from this large amount of data, eliminating interference from occasional and abnormal factors; finally, stable and effective feature values are established as reference information, which enables the OLT to build a personalized and dynamic behavioral benchmark profile for each ONU, improving the accuracy of identity authentication.

[0113] In one feasible implementation, step B20, which involves determining the effective feature values within a preset absolute time period based on the sampled values, includes steps B21 to B23: Step B21: Obtain the sampled values within the preset absolute time period from the sampled values.

[0114] In one feasible embodiment, the sampled values located within a preset absolute time period are obtained from the sampled values; for example, a first set of sampled values can be constructed from them.

[0115] Step B22: Determine, within the preset absolute time period, the first effective sampling frequency of each feature value contained in the sampled values within that preset absolute time period.

[0116] In one feasible embodiment, for each specific feature value that has appeared in the sampled values (e.g., the sampled values in the first sampled value set) within a preset absolute time period, the effective number of samplings within a single preset absolute time period is calculated and divided by the theoretical maximum number of samplings within the preset absolute time period to obtain the first effective sampling frequency. This frequency can reflect the stability and representativeness of the feature value within this time period.

[0117] Optionally, the first effective sampling frequency refers to the ratio of the number of times a specific feature value appears within a preset absolute time period to the theoretical maximum number of samplings within that period. This frequency can be used to quantitatively evaluate the stability and representativeness of the feature value within that time period.

[0118] Step B23: In response to the existence of at least one first effective sampling frequency greater than a preset first threshold, the feature value whose first effective sampling frequency is greater than the preset first threshold is determined as an effective feature value within the preset absolute time period.

[0119] In one feasible embodiment, for each feature value included in the first set of sampled values, it is determined whether its first effective sampling frequency is greater than a preset first threshold (e.g., 90%, 80%, etc.). If there is at least one first effective sampling frequency greater than the preset first threshold, the feature value whose first effective sampling frequency is greater than the preset first threshold is determined as an effective feature value within the preset absolute time period. A feature value whose first effective sampling frequency is less than or equal to the preset first threshold is considered to reflect occasional or abnormal behavior and is therefore not used as reference information.

[0120] For example, the preset absolute time period is 10:00-10:59. The OLT collects data every minute, so the theoretical maximum number of collections is 60. Among all the sampled values collected by the OLT, there are three specific feature values: "MAC address A", "MAC address B", and "MAC address C". "MAC address A" appeared 58 times, with a first effective sampling frequency of 58 / 60 = 96.7%. "MAC address B" appeared 30 times, with a first effective sampling frequency of 30 / 60 = 50%. "MAC address C" appeared only 2 times, with a first effective sampling frequency of 2 / 60 = 3%. The preset first threshold is 90%. Therefore, "MAC address A" is determined as the effective feature value within the 10:00-10:59 period.

[0121] In this embodiment, the "strong features" that are truly stable and frequently occur within a preset absolute time period are determined by the above method, rather than the instantaneous values that occur by chance, and these are used as valid feature values. This can effectively avoid pollution of the benchmark by short-term fluctuations or occasional events, ensure the representativeness of the reference information, and improve the accuracy of identity authentication.

[0122] In one feasible implementation, step B30, which involves determining the reference information for the device operation data corresponding to the preset absolute time period based on the effective feature values within the preset absolute time period, includes steps B31 to B34: Step B31: Obtain the recording time associated with at least one valid feature value within a preset absolute time period contained in the preset statistical window. In one feasible embodiment, the preset statistical window (e.g., the most recent 30 days, 15 days, etc.) consists of one or more preset absolute time periods (e.g., "10-11 AM every day" for the most recent 30 days). For each valid feature value (e.g., MAC address A) within a certain preset absolute time period (e.g., 10-11 AM), all its historical records within the preset statistical window are determined, and each historical record corresponds to a specific recording time; the recording time identifies at what time on which day the valid feature value was confirmed as valid.

[0123] Optionally, the recording time can be determined based on the start and end times of a preset absolute time period.

[0124] Optionally, the recording time can refer to a preset absolute time period. By recording the time, it is possible to distinguish valid feature value records within the same absolute time period from different dates or time periods. The specific representation of the recording time corresponds to the granularity of the preset absolute time period.

[0125] Optionally, when the preset absolute time period is in "days" (e.g., 10:00-11:00 every day), the recording time can be represented as a specific date (e.g., January 1st, January 2nd). When the preset absolute time period is more granular (e.g., every 30 minutes), the recording time can be represented as a combination of "date + time point" (e.g., January 1st, 10:00).

[0126] Step B32: Determine the timeliness weight of the effective feature values based on the time difference between the recording time and the preset update time.

[0127] Among them, the timeliness weight is negatively correlated with the time difference.

[0128] In one feasible embodiment, the preset update time refers to a pre-set reference time point used to perform the reference information update calculation; the time difference (e.g., how many days) between the recording time of each valid feature value and the preset update time is calculated, and then the timeliness weight is determined based on this time difference, where the smaller the time difference, the higher the weight, and the larger the time difference, the lower the weight. This negative correlation ensures that recently occurring behavior occupies a more important position in subsequent calculations.

[0129] Optionally, the preset update time can be a fixed, periodically occurring time reference point, such as "2:00 AM every day" or "0:00 AM every Monday". The preset update time can also be determined based on the registration event of the ONU device. For example, the time when the ONU device completes the registration event can be determined as the preset update time, or 10 minutes after the time when the ONU device completes the registration event can be determined as the preset update time. This application embodiment does not limit this.

[0130] Optionally, each time a preset update time is reached, an update calculation of the reference information can be triggered to re-evaluate the timeliness and representativeness of each valid feature value, thereby dynamically maintaining the reference information in the ONU comprehensive information record table.

[0131] Step B33: Determine the credibility coefficient of the valid feature values based on the timeliness weights in the preset statistical window.

[0132] Among them, the credibility coefficient and the timeliness weight are positively correlated.

[0133] In one feasible embodiment, the credibility coefficient of the effective feature value is calculated based on the timeliness weight in the preset statistical window. For example, the timeliness weight is accumulated or a weighted average is calculated, so that the credibility coefficient and the timeliness weight are positively correlated.

[0134] Optionally, the credibility coefficient refers to the value obtained by comprehensively calculating all time-related weights of a certain effective feature value within a preset statistical window, which is used to quantitatively evaluate whether the effective feature value is still representative at the current stage.

[0135] Optionally, for each valid feature value, determine its timeliness weight within a preset statistical window, and perform summation, averaging, or other statistical operations on these timeliness weights to obtain the credibility coefficient of the valid feature value.

[0136] For example, the credibility coefficient L is calculated according to the following formula:

[0137] Where L is the credibility coefficient, n represents the length of the preset statistical window (e.g., the last 30 days), k represents the position index of the historical record in the statistical window, and (1 - k / n) represents the timeliness weight corresponding to the kth day.

[0138] For example, for a valid MAC address A, the three timeliness weights are summed to obtain a credibility coefficient L = 0.3 + 0.2 + 0.1 = 0.6. For a MAC address C, the three timeliness weights are summed to obtain L = 0.9 + 0.85 + 0.7 = 2.45, indicating that MAC address C is more representative in the recent past.

[0139] Step B34: In response to the existence of at least one credibility coefficient greater than a preset coefficient threshold, the valid feature values with credibility coefficients greater than the preset coefficient threshold are determined as reference information for the device operation data corresponding to the preset absolute time period.

[0140] In one feasible embodiment, it is determined whether the credibility coefficient is greater than a preset coefficient threshold. If at least one credibility coefficient is greater than the preset coefficient threshold, the corresponding valid feature value is determined as reference information for the device operation data corresponding to the preset absolute time period. A valid feature value whose credibility coefficient is less than or equal to the preset coefficient threshold is considered to have lost its representativeness and is therefore unsuitable as reference information. Through this mechanism, the reference information can automatically forget disappearing features and remember newly emerging features over time, thus always maintaining an accurate reflection of the ONU's current behavior pattern.

[0141] In this embodiment, by calculating the timeliness weight and credibility coefficient, OLT can naturally strengthen the influence of recent behavior and weaken the influence of long-term behavior, avoiding frequent misjudgments caused by slow changes in user behavior and improving the long-term accuracy of identity authentication.
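Steps B21 to B23 and B31 to B34 carried through on constructed data, as an added Python example that is not the patent's code. The sample counts reproduce paragraph [0120]; the weight (1 - k/n) follows paragraph [0137] with k taken as whole days before the update time, the window length n = 20 is chosen so that the weights of paragraph [0138] come out exactly, and the coefficient threshold of 1.0 is an assumption.

```python
from collections import Counter
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

FIRST_THRESHOLD = 0.90   # preset first threshold used in the example of paragraph [0120]
COEFF_THRESHOLD = 1.0    # assumed preset coefficient threshold (the page gives no value)
WINDOW_DAYS = 20         # assumed n, chosen so that the weights of [0138] are reproduced

Sample = Tuple[datetime, List[str]]   # (sampling time, data items seen in that sample)


def effective_feature_values(samples: Iterable[Sample], period_start: datetime,
                             period_end: datetime, max_samples: int,
                             threshold: float = FIRST_THRESHOLD) -> Dict[str, float]:
    """Steps B21-B23: first effective sampling frequency of every feature value seen in
    [period_start, period_end), keeping only those strictly above the threshold."""
    counts = Counter(item for t, items in samples if period_start <= t < period_end
                     for item in items)
    return {v: c / max_samples for v, c in counts.items() if c / max_samples > threshold}


def timeliness_weight(record_day: date, update_day: date, n: int = WINDOW_DAYS) -> float:
    """Step B32: weight (1 - k/n); k is taken here (assumption) as the number of whole days
    between the recording time and the preset update time. Records outside the window get 0."""
    k = (update_day - record_day).days
    return 1.0 - k / n if 0 <= k < n else 0.0


def credibility(records: Dict[str, List[date]], update_day: date,
                n: int = WINDOW_DAYS) -> Dict[str, float]:
    """Step B33: credibility coefficient L = sum of the timeliness weights of all records
    of a valid feature value inside the statistical window."""
    return {v: sum(timeliness_weight(d, update_day, n) for d in days)
            for v, days in records.items()}


def reference_information(records: Dict[str, List[date]], update_day: date,
                          coeff_threshold: float = COEFF_THRESHOLD,
                          n: int = WINDOW_DAYS) -> Set[str]:
    """Step B34: valid feature values whose credibility coefficient exceeds the threshold.
    Stale values drop out of the set on their own as their weights decay."""
    return {v for v, l in credibility(records, update_day, n).items() if l > coeff_threshold}


def constructed_period_samples() -> List[Sample]:
    """Constructed one-minute samples for 10:00-10:59 reproducing paragraph [0120]:
    MAC address A in 58 samples, B in 30, C in 2 (a sample may carry several items)."""
    base = datetime(2024, 1, 31, 10, 0)
    samples = []
    for minute in range(60):
        items = []
        if minute not in (17, 43):
            items.append("MAC address A")
        if minute % 2 == 0:
            items.append("MAC address B")
        if minute in (5, 50):
            items.append("MAC address C")
        samples.append((base + timedelta(minutes=minute), items))
    return samples


def constructed_records() -> Dict[str, List[date]]:
    """Constructed recording times reproducing the weights of paragraph [0138] with n = 20:
    A recorded 14, 16 and 18 days before the update time, C recorded 2, 3 and 6 days before."""
    update = date(2024, 1, 31)
    return {"MAC address A": [update - timedelta(days=k) for k in (14, 16, 18)],
            "MAC address C": [update - timedelta(days=k) for k in (2, 3, 6)]}


def run_example() -> Dict[str, object]:
    """Runs the whole pipeline on the constructed data and returns every intermediate."""
    start = datetime(2024, 1, 31, 10, 0)
    update = date(2024, 1, 31)
    return {"effective": effective_feature_values(constructed_period_samples(), start,
                                                  start + timedelta(hours=1), max_samples=60),
            "credibility": credibility(constructed_records(), update),
            "reference": reference_information(constructed_records(), update),
            "stale_weight": timeliness_weight(update - timedelta(days=30), update)}


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```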

[0142] In one feasible implementation, step S10, the step of obtaining the information to be verified of the dynamic characteristics of the optical network unit (ONU), includes steps B11 to B16: Step B11: Obtain the sampled values within the preset first event period from the sampled values.

[0143] The preset first event period is determined based on the completion time of the ONU's registration event.

[0144] In one feasible embodiment, after the ONU completes registration and goes online, periodic sampling can be performed to obtain sampled values, and then the sampled values within a preset first event period can be obtained from the sampled values. For example, a second set of sampled values can be constructed from them.

[0145] Optionally, the preset first event period is determined based on the completion time of the ONU's registration event; for example, the trigger time of the preset first event period is the completion time of the ONU's registration event (such as within 10 minutes after the ONU completes registration, which is taken as the preset first event period).

[0146] Step B12: Determine, within the preset first event period, the second effective sampling frequency of each feature value contained in the sampled values within that preset first event period.

[0147] In one feasible embodiment, for each feature value (such as MAC address A, MAC address B, MAC address C, etc.) contained in the sampled values within a preset first event period (e.g., the sampled values in the second sampled value set), the number of times it appears is counted and its frequency of occurrence is calculated, which is the second effective sampling frequency. The second effective sampling frequency can reflect the stability of the feature value in the early stage after the ONU comes online.

[0148] Step B13: In response to the existence of at least one second effective sampling frequency greater than a preset second threshold, the feature value whose second effective sampling frequency is greater than the preset second threshold is determined as the information to be verified of the dynamic feature. In one feasible embodiment, for each feature value, the relationship between its second effective sampling frequency and a preset second threshold (e.g., 70%) is determined. If at least one second effective sampling frequency is greater than the preset second threshold, it indicates that the feature value has shown sufficient stability within the preset first event period after the ONU goes online. Then, the feature value whose second effective sampling frequency is greater than the preset second threshold is determined as the information to be verified of the dynamic feature, for subsequent comparison with the reference information.

[0149] Step B14: In response to the existence of at least one second effective sampling frequency that is less than or equal to the second threshold and greater than the preset third threshold, the feature value whose second effective sampling frequency is less than or equal to the second threshold and greater than the preset third threshold is determined as a candidate feature value.

[0150] In one feasible embodiment, if there is at least one second effective sampling frequency that is less than or equal to a preset second threshold (e.g., 70%) and the second effective sampling frequency is greater than a preset third threshold (e.g., 30%), then the feature value can be considered to have some potential, but its stability is not yet sufficient. Therefore, it can be given a second chance, and the feature value whose second effective sampling frequency is less than or equal to the second threshold and greater than the preset third threshold can be determined as a candidate feature value.

[0151] Step B15: Obtain from the sampled values ​​that have the same data items as the candidate feature values ​​within a preset second event period, and determine the third effective sampling frequency of each candidate feature value contained in the sampled values ​​that have the same data items as the candidate feature values ​​within the preset second event period within the preset second event period.

[0152] In one feasible embodiment, sampled values ​​located within a preset second event period and whose data items are the same as candidate feature values ​​are obtained from the sampled values, and a third set of sampled values ​​can be constructed based on this; the third effective sampling frequency of each candidate feature value within the preset second event period is calculated using the third set of sampled values.

[0153] Step B16: In response to the existence of at least one third effective sampling frequency greater than a preset fourth threshold, candidate feature values ​​with third effective sampling frequencies greater than the preset fourth threshold are determined as dynamic feature verification information, wherein the preset second event period is located after the preset first event period, the preset fourth threshold is greater than the preset second threshold, and the preset second threshold is greater than the preset third threshold.

[0154] In one feasible embodiment, the relationship between the third effective sampling frequency of each candidate feature value and the preset fourth threshold is determined. If at least one third effective sampling frequency is greater than the preset fourth threshold (e.g., 90%), the corresponding candidate feature value has also shown sufficient stability. Then, the candidate feature value whose second effective sampling frequency is less than or equal to the second threshold and greater than the preset third threshold, and whose third effective sampling frequency is greater than the preset fourth threshold, is determined as the information to be verified of the dynamic feature.

[0155] Optionally, the preset first event period and the preset second event period refer to two consecutive time windows used to collect and filter the information to be verified after the ONU completes the registration event. For example, the preset first event period is the first sampling window after the ONU goes online (e.g., 10 minutes), and the preset second event period is the second sampling window immediately following the first window (e.g., the next 10 minutes). By setting two consecutive sampling periods, the stability of the information to be verified can be ensured.

[0156] For example, the OLT obtains sampled values from the ONU within a preset first event period (i.e., the 10 minutes after the ONU completes registration) and constructs a second set of sampled values. The theoretical maximum number of samplings within the preset first event period is 10. The feature values and their effective sampling counts included in the second set of sampled values are: MAC address A - 8 times, MAC address B - 4 times, and MAC address C - 2 times. Therefore, the second effective sampling frequency for MAC address A is determined to be 70%, the second effective sampling frequency for MAC address B is 40%, and the second effective sampling frequency for MAC address C is 20%. The second threshold is set to 70% and the third threshold is set to 30%, so MAC address A and MAC address B are identified as candidate feature values. Further, the sampled values corresponding to the candidate feature values within a preset second event period (e.g., the 10 minutes after the end of the preset first event period) are obtained from the ONU's sampled values, and a third set of sampled values is constructed. The theoretical maximum number of samplings in the preset second event period is 10. The candidate feature values and their effective sampling counts included in the third set of sampled values are: MAC address A - 10 times, MAC address B - 5 times. Therefore, the third effective sampling frequency for MAC address A is determined to be 100%, and the third effective sampling frequency for MAC address B is determined to be 50%. The fourth threshold is set to 90%; therefore, among the candidate feature values, MAC address A is identified as the information to be verified of the dynamic feature.

[0157] Optionally, step S10, the step of obtaining reference information for the dynamic feature of the optical network unit (ONU), includes: determining a target period from a preset absolute time period based on the completion time of the ONU's registration event, wherein the completion time of the ONU's registration event falls within the target period; obtaining the valid feature values within the target period; and determining these as reference information for the dynamic feature. For example, if the completion time of the ONU's registration event is 10:15, the target period is determined to be 10:00-10:59 from the preset absolute time period; the valid feature value MAC address A for the target period 10:00-10:59 is obtained and determined as reference information for the dynamic feature.

[0158] In this embodiment, the two-stage screening mechanism described above quickly identifies feature values that exhibit high stability in the early stages of ONU registration, shortening the authentication waiting time. Furthermore, through compensation observation in the preset second event period and a higher standard of secondary screening, it ensures that the information to be verified consists of truly stable and reliable behavioral samples. This avoids misjudgment due to initial instability and guarantees the reliability of the final information to be verified through the higher standard applied in the second period.
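The two-stage screening of steps B15 and B16, the target-period lookup of the reference information, and the final comparison, as an added example that is not code from the patent. The MAC-style labels, per-window sample sets, one-hour absolute periods and the subset comparison rule are constructed assumptions; the thresholds are the ones the description uses.

```python
"""Added example (not from the patent): two-stage screening of sampled ONU
device operation data into the to-be-verified information, the reference
information looked up by absolute target period, and the final comparison.
All sample data and MAC-style labels are constructed."""
from datetime import datetime, timedelta

# Thresholds as in the description's worked example (claims 8 and 9).
SECOND_THRESHOLD = 0.70   # stage one: above this -> verified directly
THIRD_THRESHOLD = 0.30    # stage one: above this and <= second -> candidate
FOURTH_THRESHOLD = 0.90   # stage two: a candidate must exceed this


def build_window(counts, max_samplings):
    """Construct one observation set per sampling so that feature value v
    is seen in exactly counts[v] of the max_samplings samplings."""
    return [{v for v, n in counts.items() if i < n} for i in range(max_samplings)]


def effective_frequencies(window, max_samplings, only=None):
    """Effective sampling frequency of each feature value in a window:
    samplings containing the value / theoretical maximum samplings."""
    values = set().union(*window)
    if only is not None:
        values &= only                 # restrict to the candidate data items
    return {v: sum(1 for s in window if v in s) / max_samplings for v in values}


def screen_stage_one(window1, max_samplings):
    """First event period: return (verified, candidate) feature values."""
    freqs = effective_frequencies(window1, max_samplings)
    verified = {v for v, f in freqs.items() if f > SECOND_THRESHOLD}
    candidates = {v for v, f in freqs.items() if THIRD_THRESHOLD < f <= SECOND_THRESHOLD}
    return verified, candidates


def screen_stage_two(candidates, window2, max_samplings):
    """Second event period: a candidate passes only at the stricter threshold."""
    freqs = effective_frequencies(window2, max_samplings, only=candidates)
    return {v for v, f in freqs.items() if f > FOURTH_THRESHOLD}


def to_be_verified_information(window1, window2, max_samplings=10):
    verified, candidates = screen_stage_one(window1, max_samplings)
    return verified | screen_stage_two(candidates, window2, max_samplings)


def target_period(registration_done):
    """Preset absolute period (whole hour, assumed) containing the registration time."""
    start = registration_done.replace(minute=0, second=0, microsecond=0)
    return start, start + timedelta(minutes=59)


def authenticate(to_be_verified, reference):
    """Assumed comparison rule: success only if every to-be-verified value is
    among the valid feature values of the reference information."""
    return "success" if to_be_verified and to_be_verified <= reference else "failure"


# Constructed data: 10 samplings per window. "MAC-D" is stable at once,
# "MAC-A" sits exactly on the second threshold and needs the second chance,
# "MAC-B" stays weak, "MAC-C" is dropped in stage one.
WINDOW1 = build_window({"MAC-A": 7, "MAC-B": 4, "MAC-C": 2, "MAC-D": 9}, 10)
WINDOW2 = build_window({"MAC-A": 10, "MAC-B": 5, "MAC-D": 10}, 10)
REGISTRATION_DONE = datetime(2026, 4, 1, 10, 15)
# Constructed reference information keyed by absolute period start.
REFERENCE = {datetime(2026, 4, 1, 10, 0): {"MAC-A", "MAC-D"}}


def run_example():
    info = to_be_verified_information(WINDOW1, WINDOW2)
    start, _ = target_period(REGISTRATION_DONE)
    return info, authenticate(info, REFERENCE.get(start, set()))


if __name__ == "__main__":
    print(run_example())   # ({'MAC-A', 'MAC-D'}, 'success')
```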

[0159] Based on any of the above embodiments, a fourth embodiment of the identity authentication method of this application is proposed. In this embodiment, step S20, the step of authenticating the ONU based on the comparison result of the information to be verified and the reference information, includes steps C10 to C20: Step C10: Based on the preset suspiciousness detection strategy, perform suspiciousness detection on the device access environment of this end and obtain suspiciousness detection results.

[0160] In one feasible embodiment, to further optimize the resource utilization of identity authentication and avoid the processing overhead caused by frequent identity authentication in a normal network environment, this application embodiment introduces a trigger-based authentication mechanism based on suspiciousness detection. According to a preset suspiciousness detection strategy, suspiciousness detection is performed on the device access environment of the local end to obtain suspiciousness detection results.

[0161] Optionally, a preset suspiciousness detection strategy refers to a set of rules or conditions used to determine whether there are any anomalies or potential attack risks in the current network access environment. A preset suspiciousness detection strategy includes at least one suspicious condition.

[0162] Step C20: In response to the suspiciousness detection result that the device access environment meets the suspicious conditions in the preset suspiciousness detection strategy, the ONU is authenticated based on the comparison result of the information to be verified and the reference information.

[0163] In one feasible embodiment, if the suspiciousness detection result is that the device access environment meets the suspicious conditions in the preset suspiciousness detection strategy, then step S20 is executed to perform identity authentication on the ONU based on the comparison result of the information to be verified and the reference information.

[0164] Optionally, in response to the suspiciousness detection result that the device access environment does not meet the suspicious conditions in the preset suspiciousness detection strategy, step S20 is not executed, and only a routine static identification check can be performed or access can be directly allowed, thereby saving processing resources.

[0165] In this embodiment, by introducing a pre-emptive suspiciousness detection strategy, the OLT can accurately identify suspicious access scenarios that require special attention, and only initiate dynamic feature comparison, which has a high computational cost, when necessary. This avoids performing full authentication for every access of every ONU in a normal network environment, reducing the processing burden on the OLT. At the same time, this mechanism ensures that identity authentication can be triggered in a timely and accurate manner when there is a real security risk, thus protecting network security.

[0166] In one feasible implementation, the suspicious condition includes at least one of the following methods c1 to c4. In method c1, at least two ONUs have duplicate static authentication identifiers under the same access interface on this end. In one feasible embodiment, since in a normal PON network deployment each ONU's static authentication identifier is fixed by the equipment manufacturer during production and is globally unique, two identical legitimate identifiers cannot appear under the same PON interface of the same OLT. Therefore, once it is detected that at least two ONUs have duplicate static authentication identifiers (such as MAC address and serial number) under the same access interface (i.e., PON port) on the OLT local side, at least one of them is an illegitimate device, and step S20 can be executed to authenticate the ONU based on the comparison result of the information to be verified and the reference information.

[0167] Optionally, the OLT can compare the static authentication identifiers corresponding to registered ONUs and unregistered ONUs under at least one of its access interfaces. If at least two ONUs have duplicate static authentication identifiers, the suspicious condition is met. The OLT can perform identity authentication on both the registered and unregistered ONUs with duplicate static authentication identifiers, or it can perform identity authentication on all ONUs under the access interface.

[0168] Method c2: Under the same access interface on this end, the number of ONUs that go offline within a preset first time period is greater than a preset device number threshold. In one feasible embodiment, in a stable PON network, ONU disconnections are usually isolated and occasional (such as individual user power outages). If a large number of ONUs simultaneously or successively disconnect under the same access interface on the OLT within a short period of time, this does not conform to normal operation and maintenance patterns. Therefore, in response to the number of ONUs going offline within a preset first time period (e.g., 5 minutes) under the same access interface on the OLT exceeding a preset device number threshold (e.g., more than 10 units), step S20 is executed to authenticate the ONU based on the comparison results of the information to be verified and the reference information.

[0169] Optionally, the OLT can monitor the online status of ONUs under at least one of its access interfaces; if it detects that multiple ONUs are simultaneously offline under at least one access interface within a preset first time period, and the number is greater than a preset device number threshold, then it is determined that the suspicious condition is met, and the ONUs under that access interface are all authenticated.

[0170] Method c3: For ONUs whose registration status is re-registered, the difference between the information to be verified and the historical information of their device physical operation data is greater than a preset first difference threshold. In one feasible embodiment, although the physical characteristics of a legitimate ONU may fluctuate with time and environment, they usually remain within a certain range in the short term and have a certain degree of individual stability. If an ONU in the re-registration state has a difference between the information to be verified and the historical information of its device physical operation data that is greater than a preset first difference threshold, the seemingly genuine physical ONU may have been replaced by an attacker with a counterfeit device with different hardware characteristics, posing a high risk of counterfeiting. Therefore, in response to an ONU in the re-registration state having a difference between the information to be verified and the historical information of its device physical operation data that is greater than the preset first difference threshold, step S20 is executed to authenticate the ONU based on the comparison result of the information to be verified and the reference information.

[0171] Optionally, the OLT can compare the information to be verified and the historical information of the physical operation data of an ONU that has been offline and then re-connected (i.e., a re-registered ONU) to determine the difference value. The historical information of the physical operation data can be stored in the ONU comprehensive information record table. If the difference between the information to be verified and the historical information of the physical operation data is greater than the preset first difference threshold, the ONU is authenticated.

[0172] Optionally, the physical operation data of the device may include the optical power and distance of the ONU.

[0173] Understandably, device physical operation data can be used as a suspicious condition in a preset suspiciousness detection strategy for rapid detection of the device access environment, or as a dynamic feature for identity authentication. When device physical operation data is used as a suspicious condition in a preset suspiciousness detection strategy, the OLT can quickly compare the current value with historical values for only one or a few items (e.g., distance, optical power), and the judgment here is coarse-grained. However, in the identity authentication stage, the OLT can perform fine-grained comparisons based on multiple items in the device physical operation data to improve the accuracy of identity authentication.

[0174] In method c4, for an ONU whose registration status is re-registered, there is at least one abnormal offline device within a preset second time period after its registration is completed. The abnormal offline device and the ONU whose registration status is re-registered belong to the same access interface, and the difference between the historical information of the device physical operation data of the abnormal offline device and the information to be verified of the device physical operation data of the ONU whose registration status is re-registered is less than a preset second difference threshold.

[0175] In one feasible embodiment, for an ONU whose registration status is re-registered, it is detected whether at least one abnormal offline device exists under the same access interface within a preset second time period after its registration is completed. An abnormal offline device refers to a device whose physical operation data to be verified differs from that of the ONU whose registration status is re-registered by less than a preset second difference threshold, i.e., whether there is an abnormal offline device highly similar to the re-registered ONU. If this condition is met, it indicates that an attacker may first force or wait for a legitimate ONU to go offline abnormally, and then quickly use a fake device to attempt registration under the same interface. If the physical characteristics of the re-registered device are almost identical to those of the device that just went offline, it is highly likely that the attacker is using this to impersonate the device before the real device recovers, or that the real device itself was maliciously controlled and then brought back online after going offline abnormally. Therefore, in response to an ONU whose registration status is re-registered, if at least one abnormal offline device exists within the preset second time period after its registration is completed, step S20 is executed to authenticate the ONU based on the comparison results of the information to be verified and the reference information.

[0176] Optionally, the preset first difference threshold and the preset second difference threshold can be set manually, or they can be determined based on statistical values (e.g., minimum difference, average difference, etc.) of the physical operation data of the ONUs under the access interface. The embodiments in this application do not impose any limitations.

[0177] Optionally, the suspiciousness detection results determined or obtained based on at least one of the above methods c1 to c4 can be recorded in the ONU comprehensive information record table.
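The suspiciousness detection of methods c1 to c4 run over constructed OLT-side ONU records, as an added example that is not code from the patent. The record layout, the per-item scales used to turn optical power and distance into one difference value, the threshold values, and the way the abnormal offline event is timed against the re-registration (within the second time period around it) are all assumptions.

```python
"""Added example (not from the patent): the pre-emptive suspiciousness
detection c1..c4 over constructed OLT-side ONU records, deciding whether the
costlier dynamic-feature authentication (step S20) must run and for which ONUs.
Record layout, difference metric, scales and thresholds are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed per-item scales so optical power and distance compare on one axis.
SCALE = {"optical_power_dbm": 1.0, "distance_m": 100.0}
FIRST_DIFF_THRESHOLD = 2.0    # c3: re-registered ONU drifted this far from its history
SECOND_DIFF_THRESHOLD = 0.5   # c4: re-registered ONU this close to an abnormal offline one
DEVICE_NUMBER_THRESHOLD = 10  # c2: more than this many offline in the first time period
FIRST_TIME_PERIOD = timedelta(minutes=5)
SECOND_TIME_PERIOD = timedelta(minutes=5)


@dataclass
class OnuRecord:
    serial: str              # static authentication identifier (constructed values)
    pon_port: str            # access interface on the local OLT
    status: str              # "online", "registering" or "offline"
    event_time: datetime     # registration completion time or offline time
    physical: dict           # physical operation data to be verified (current)
    history: Optional[dict] = None   # from the ONU comprehensive information record table
    re_registered: bool = False
    abnormal_offline: bool = False


def difference(a, b):
    """Coarse-grained scalar distance between two physical-data dicts."""
    return max(abs(a[k] - b[k]) / SCALE[k] for k in SCALE)


def c1_duplicate_identifiers(records):
    """Serials shared by two or more registered/registering ONUs on one port."""
    per_port = defaultdict(Counter)
    for r in records:
        if r.status in ("online", "registering"):
            per_port[r.pon_port][r.serial] += 1
    return {port: sorted(s for s, n in c.items() if n >= 2)
            for port, c in per_port.items() if any(n >= 2 for n in c.values())}


def c2_mass_offline(records, now):
    """Ports whose offline events in the first time period exceed the threshold."""
    per_port = Counter(r.pon_port for r in records if r.status == "offline"
                       and now - r.event_time <= FIRST_TIME_PERIOD)
    return {port for port, n in per_port.items() if n > DEVICE_NUMBER_THRESHOLD}


def c3_reregistered_drift(records):
    """Re-registered ONUs whose current physical data drifted from their history."""
    return {r.serial for r in records if r.re_registered and r.history is not None
            and difference(r.physical, r.history) > FIRST_DIFF_THRESHOLD}


def c4_similar_abnormal_offline(records):
    """Re-registered ONUs that closely resemble an abnormal offline device on the
    same port whose offline event lies within the second time period (assumed)."""
    return {r.serial for r in records if r.re_registered for o in records
            if o.pon_port == r.pon_port and o.status == "offline" and o.abnormal_offline
            and o.history is not None
            and abs(o.event_time - r.event_time) <= SECOND_TIME_PERIOD
            and difference(o.history, r.physical) < SECOND_DIFF_THRESHOLD}


def detect_suspicious(records, now):
    """Suspiciousness detection result plus the ONUs that step S20 must authenticate."""
    dup, mass = c1_duplicate_identifiers(records), c2_mass_offline(records, now)
    drift, similar = c3_reregistered_drift(records), c4_similar_abnormal_offline(records)
    to_auth = {r.serial for r in records
               if r.serial in dup.get(r.pon_port, []) or r.pon_port in mass}
    to_auth |= drift | similar
    return {"c1": dup, "c2": mass, "c3": drift, "c4": similar,
            "run_dynamic_authentication": bool(to_auth), "onus": to_auth}


def _phys(power_dbm, distance_m):
    return {"optical_power_dbm": power_dbm, "distance_m": distance_m}


NOW = datetime(2026, 4, 1, 10, 30)   # constructed detection time
RECORDS = [
    # PON-1: one serial shared by an online ONU and a registering one (c1)
    OnuRecord("SN-0002", "PON-1", "online", NOW - timedelta(hours=2), _phys(-20.5, 1200), _phys(-20.4, 1200)),
    OnuRecord("SN-0002", "PON-1", "registering", NOW, _phys(-23.0, 1900)),
    OnuRecord("SN-0003", "PON-1", "online", NOW - timedelta(hours=2), _phys(-22.0, 1400), _phys(-22.1, 1400)),
    # PON-2: a re-registered ONU far from its own history (c3) but near a device
    # that went offline abnormally two minutes earlier (c4)
    OnuRecord("SN-0010", "PON-2", "online", NOW - timedelta(minutes=1), _phys(-24.5, 2100),
              _phys(-21.0, 1500), re_registered=True),
    OnuRecord("SN-0011", "PON-2", "offline", NOW - timedelta(minutes=3), _phys(-24.4, 2080),
              _phys(-24.4, 2080), abnormal_offline=True),
] + [
    # PON-3: twelve ONUs went offline within the last two minutes (c2)
    OnuRecord(f"SN-01{i:02d}", "PON-3", "offline", NOW - timedelta(seconds=10 * i),
              _phys(-21.0, 1500), _phys(-21.0, 1500))
    for i in range(12)
]


if __name__ == "__main__":
    print(detect_suspicious(RECORDS, NOW))
```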

[0178] It should be noted that the above examples are only for understanding this application and do not constitute a limitation on the identity authentication method of this application. Any simple modifications based on this technical concept are within the protection scope of this application.

[0179] This application provides an optical line terminal, which includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, which are executed by the at least one processor to enable the at least one processor to perform the authentication method in the first embodiment above.

[0180] Reference is now made to Figure 4, which shows a structural schematic of an optical line terminal suitable for implementing the embodiments of this application. The optical line terminals in the embodiments of this application may include, but are not limited to, mobile optical line terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (Personal Digital Assistants), PADs (Portable Application Description), PMPs (Portable Media Players) and vehicle-mounted optical line terminals (e.g., vehicle navigation optical line terminals), and fixed optical line terminals such as digital TVs and desktop computers. The optical line terminal shown in Figure 4 is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments of this application.

[0181] As shown in Figure 4, the optical line terminal may include a processing device 1001 (e.g., a central processing unit, a graphics processing unit, etc.) that can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage device 1003 into a random access memory (RAM) 1004. The RAM 1004 also stores various programs and data required for the operation of the optical line terminal. The processing device 1001, ROM 1002, and RAM 1004 are interconnected via a bus 1005. An input/output (I/O) interface 1006 is also connected to the bus 1005. Typically, the following systems can be connected to the I/O interface 1006: input devices 1007 including, for example, a touchscreen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 1008 including, for example, a liquid crystal display (LCD), speaker, vibrator, etc.; storage devices 1003 including, for example, magnetic tape, hard disk, etc.; and communication devices 1009. Communication device 1009 allows the optical line terminal to communicate wirelessly or by wire with other devices to exchange data. Although an optical line terminal with various systems is shown in the figure, it should be understood that implementing or possessing all the systems shown is not required. More or fewer systems may be implemented alternatively.

[0182] Specifically, according to the embodiments disclosed in this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments disclosed in this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device, or installed from storage device 1003, or installed from ROM 1002. When the computer program is executed by processing device 1001, it performs the functions defined in the methods of the embodiments disclosed in this application.

[0183] The optical line terminal provided in this application, employing the authentication method described in the above embodiments, can solve the problem of low accuracy in traditional optical network unit (ONU) access authentication. Compared with the prior art, the beneficial effects of the optical line terminal provided in this application are the same as those of the authentication method described in the above embodiments, and other technical features of this optical line terminal are the same as those disclosed in the previous embodiment method, and will not be repeated here.

[0184] It should be understood that the various parts disclosed in this application can be implemented using hardware, software, firmware, or a combination thereof. In the description of the above embodiments, specific features, structures, materials, or characteristics can be combined in any suitable manner in one or more embodiments or examples.

[0185] The above are merely specific embodiments of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

[0186] This application provides a computer-readable storage medium having computer-readable program instructions (i.e., a computer program) stored thereon, which are used to execute the authentication method described in the above embodiments.

[0187] The computer-readable storage medium provided in this application embodiment may be, for example, a USB flash drive, or an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof, but is not limited thereto. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections with one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this embodiment, the computer-readable storage medium may be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. The program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to: wires, optical cables, RF (Radio Frequency), etc., or any suitable combination thereof.

[0188] The aforementioned computer-readable storage medium may be included in an optical line terminal; or it may exist independently and not be assembled into an optical line terminal.

[0189] The aforementioned computer-readable storage medium carries one or more programs. When the aforementioned one or more programs are executed by the optical line terminal, the optical line terminal: acquires the verification information and reference information of the dynamic characteristics of the optical network unit (ONU); performs identity authentication on the ONU based on the comparison result of the verification information and the reference information, and obtains the identity authentication result of the ONU.

[0190] Computer program code for performing the operations of this application can be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk, and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or can be connected to an external computer (e.g., via the Internet using an Internet service provider).

[0191] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than that indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0192] The modules described in the embodiments of this application can be implemented in software or hardware. The names of the modules do not necessarily limit the functionality of the unit itself.

[0193] The readable storage medium provided in this application embodiment is a computer-readable storage medium that stores computer-readable program instructions (i.e., a computer program) for executing the above-described authentication method, which can solve the problem of low accuracy in traditional optical network unit (ONU) access authentication. Compared with the prior art, the beneficial effects of the computer-readable storage medium provided in this application embodiment are the same as the beneficial effects of the authentication method provided in the above embodiments, and will not be repeated here.

[0194] The above are only some embodiments of this application and do not limit the patent scope of this application. All equivalent structural transformations made under the technical concept of this application and using the contents of the specification and drawings of this application, or direct / indirect applications in other related technical fields, are included in the patent protection scope of this application.

Claims

1. An identity authentication method, characterized in that the method is applied to an optical line terminal (OLT) and includes: obtaining the information to be verified and the reference information of a dynamic feature of an optical network unit (ONU); and performing identity authentication on the ONU based on the comparison result between the information to be verified and the reference information, to obtain the identity authentication result of the ONU.

2. The method as described in claim 1, characterized in that the dynamic feature includes random verification data, and before the step of obtaining the information to be verified and the reference information of the dynamic feature of the optical network unit (ONU), the method further includes: in response to the ONU completing registration, generating random verification data; sending the random verification data to the ONU, wherein the ONU stores the random verification data in response and uses the random verification data as the information to be verified of the dynamic feature of the ONU; and determining the random verification data as the reference information of the dynamic feature of the ONU.

3. The method as described in claim 2, characterized in that the step of sending the random verification data to the ONU includes: in response to determining that the registration status of the ONU is initial registration, sending the random verification data to the ONU; and in response to determining that the registration status of the ONU is re-registration, obtaining the information to be verified and the reference information of the dynamic feature of the ONU, performing identity authentication on the ONU based on the comparison result of the information to be verified and the reference information to obtain the identity authentication result of the ONU, and sending the random verification data to the ONU in response to the identity authentication result being successful.

4. The method as described in claim 2, characterized in that, after the step of sending the random verification data to the ONU, the method further includes: performing identifier validity detection on the ONU based on the random verification data to obtain an identifier validity detection result; in response to the identifier validity detection result indicating that the random verification data is valid, determining the random verification data as the reference information of the dynamic feature of the ONU; and in response to the identifier validity detection result indicating that the random verification data is invalid, resending the random verification data to the ONU until the number of times the random verification data has been sent exceeds a preset sending threshold, at which point it is determined that the ONU does not meet the conditions for identity authentication based on the random verification data.

5. The method according to any one of claims 1 to 4, characterized in that the information to be verified of the dynamic feature of the ONU includes at least one of the following: random verification data running in the memory of the ONU; random verification data stored in the local storage of the ONU; currently generated random verification data; and historically generated random verification data.

6. The method as described in claim 1, characterized in that the dynamic feature includes device operation data, and the step of obtaining the reference information of the dynamic feature of the optical network unit (ONU) includes: periodically acquiring sampled values of the device operation data of the ONU; determining, based on the sampled values, the valid feature values within a preset absolute time period, wherein the feature values are the data items contained in the sampled values; and determining, based on the valid feature values within the preset absolute time period, the reference information of the device operation data corresponding to the preset absolute time period.

7. The method as described in claim 6, characterized in that the step of determining the valid feature values within the preset absolute time period based on the sampled values includes: obtaining, from the sampled values, the sampled values within the preset absolute time period; determining the first effective sampling frequency, within the preset absolute time period, of each feature value contained in the sampled values within the preset absolute time period; and in response to the existence of at least one first effective sampling frequency greater than a preset first threshold, determining the feature value whose first effective sampling frequency is greater than the preset first threshold as a valid feature value within the preset absolute time period.

8. The method as described in claim 6, characterized in that the step of obtaining the information to be verified of the dynamic feature of the optical network unit (ONU) includes: obtaining, from the sampled values, the sampled values within a preset first event period, wherein the preset first event period is determined based on the completion time of the registration event of the ONU; determining the second effective sampling frequency, within the preset first event period, of each feature value contained in the sampled values within the preset first event period; and in response to the existence of at least one second effective sampling frequency greater than a preset second threshold, determining the feature value whose second effective sampling frequency is greater than the preset second threshold as the information to be verified of the dynamic feature.

9. The method as described in claim 8, characterized in that, after the step of determining the second effective sampling frequency of each feature value contained in the sampled values within the preset first event period, the method further includes: in response to the existence of at least one second effective sampling frequency that is less than or equal to the second threshold and greater than a preset third threshold, determining the feature value whose second effective sampling frequency is less than or equal to the second threshold and greater than the preset third threshold as a candidate feature value; obtaining, from the sampled values, the sampled values that lie within a preset second event period and whose data items are the same as the candidate feature values, and determining the third effective sampling frequency, within the preset second event period, of each candidate feature value contained in those sampled values; and in response to the existence of at least one third effective sampling frequency greater than a preset fourth threshold, determining the candidate feature values whose third effective sampling frequency is greater than the preset fourth threshold as the information to be verified of the dynamic feature, wherein the preset second event period is located after the preset first event period, the preset fourth threshold is greater than the preset second threshold, and the preset second threshold is greater than the preset third threshold.

10. The method according to claim 6, characterized in that the step of determining the reference information of the device operation data corresponding to the preset absolute time period based on the valid feature values within the preset absolute time period comprises: obtaining the recording time associated with at least one valid feature value within the preset absolute time period contained in a preset statistical window; determining a timeliness weight of the valid feature value based on the time difference between the recording time and a preset update time, wherein the timeliness weight is negatively correlated with the time difference; determining a credibility coefficient of the valid feature value based on the timeliness weight within the preset statistical window, wherein the credibility coefficient is positively correlated with the timeliness weight; and in response to at least one credibility coefficient being greater than a preset coefficient threshold, determining the valid feature value whose credibility coefficient is greater than the preset coefficient threshold as the reference information of the device operation data corresponding to the preset absolute time period.
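Claim 10 only fixes the direction of two correlations (timeliness weight falls with the age of a record, credibility rises with timeliness weight) and a threshold on the credibility coefficient. The following added example is one concrete instantiation and is not the patent's or ZTE's code: the exponential decay with time constant tau, the credibility coefficient computed as the weighted share of a value among all records of the same data item inside the statistical window, and the record set are assumptions made here.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ValidFeature:
    recorded_at: float   # recording time on a constructed clock (seconds)
    item: str            # data item, e.g. "tx_power_dbm" (assumed name)
    value: float         # valid feature value stored for that item

Key = Tuple[str, float]

def timeliness_weight(recorded_at: float, update_time: float, tau: float) -> float:
    """Assumed form: exp(-|dt|/tau), strictly decreasing in the age of the record."""
    return math.exp(-abs(update_time - recorded_at) / tau)

def credibility_coefficients(features: List[ValidFeature], window_start: float,
                             window_end: float, update_time: float, tau: float) -> Dict[Key, float]:
    """Assumed form: summed timeliness weight of a value / summed weight of its data item,
    taken over the records inside the statistical window [window_start, window_end)."""
    weights: Dict[Key, float] = defaultdict(float)
    item_total: Dict[str, float] = defaultdict(float)
    for f in features:
        if not window_start <= f.recorded_at < window_end:
            continue                       # outside the preset statistical window
        w = timeliness_weight(f.recorded_at, update_time, tau)
        weights[(f.item, f.value)] += w
        item_total[f.item] += w
    return {k: w / item_total[k[0]] for k, w in weights.items()}

def select_reference(features: List[ValidFeature], window_start: float, window_end: float,
                     update_time: float, tau: float, coeff_threshold: float) -> Dict[Key, float]:
    """Valid feature values whose credibility coefficient exceeds the preset coefficient threshold."""
    coeffs = credibility_coefficients(features, window_start, window_end, update_time, tau)
    return {k: c for k, c in coeffs.items() if c > coeff_threshold}

def constructed_features() -> List[ValidFeature]:
    """Constructed records: three stale readings of 2.4 dBm, two fresh readings of 2.1 dBm,
    plus one reading that predates the statistical window."""
    return [
        ValidFeature(700, "tx_power_dbm", 2.9),   # outside the window, ignored
        ValidFeature(810, "tx_power_dbm", 2.4),
        ValidFeature(820, "tx_power_dbm", 2.4),
        ValidFeature(830, "tx_power_dbm", 2.4),
        ValidFeature(980, "tx_power_dbm", 2.1),
        ValidFeature(990, "tx_power_dbm", 2.1),
    ]

if __name__ == "__main__":
    # Window [800, 1000), update time 1000, tau 100 s: the two fresh readings outweigh the
    # three stale ones, so only 2.1 dBm becomes reference information at a 0.5 threshold.
    print(select_reference(constructed_features(), 800, 1000, 1000, 100, 0.5))
```

The point of weighting by recency rather than counting records is visible in the constructed data: the older value has more records, but its credibility coefficient is well below the fresher value's, so the reference tracks the device's current behaviour instead of a stale majority.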

11. The method according to claim 1, characterized in that the step of performing identity authentication on the ONU based on the comparison result of the to-be-verified information and the reference information comprises: performing suspiciousness detection on the device access environment of the local end based on a preset suspiciousness detection strategy to obtain a suspiciousness detection result; and in response to the suspiciousness detection result indicating that the device access environment satisfies a suspicious condition in the preset suspiciousness detection strategy, performing identity authentication on the ONU based on the comparison result of the to-be-verified information and the reference information.

12. The method according to claim 11, characterized in that the suspicious condition comprises at least one of the following: under the same access interface of the local end, there are at least two ONUs with duplicate static authentication identifiers; under the same access interface of the local end, the number of ONUs that go offline within a preset first time period is greater than a preset device number threshold; for an ONU whose registration status is re-registered, the difference between the to-be-verified information and the historical information of its device physical operation data is greater than a preset first difference threshold; and for an ONU whose registration status is re-registered, there is at least one abnormally offline device within a preset second time period after its registration is completed, wherein the abnormally offline device and the re-registered ONU belong to the same access interface, and the difference between the historical information of the device physical operation data of the abnormally offline device and the to-be-verified information of the device physical operation data of the re-registered ONU is less than a preset second difference threshold.
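Claims 11 and 12 together describe a gate: the dynamic-feature comparison is applied when the access environment under a PON port looks suspicious, and the four listed conditions are what "suspicious" means. The example below evaluates all four conditions over a constructed set of ONU records on one port and then applies the comparison only when at least one condition fires. It is an added illustration, not the patent's or ZTE's code; the record layout, the distance metric (largest absolute difference over shared data items), the serial numbers and port name, and the assumption that a non-suspicious environment keeps the static-identifier result are all choices made here.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class OnuRecord:
    onu_id: str
    port: str                         # access interface (PON port) on the local end
    serial: str                       # static authentication identifier
    status: str                       # "registered" | "re-registered" | "offline"
    registered_at: float              # registration completion time (constructed clock)
    offline_at: Optional[float]       # None while online
    abnormal_offline: bool            # flagged by the OLT as an abnormal offline event
    to_be_verified: Dict[str, float]  # current dynamic-feature values (physical operation data)
    historical: Dict[str, float]      # stored dynamic-feature values for this device

def feature_distance(a: Dict[str, float], b: Dict[str, float]) -> float:
    """Assumed metric: largest absolute difference over the data items both records carry."""
    shared = set(a) & set(b)
    return max(abs(a[k] - b[k]) for k in shared) if shared else float("inf")

def detect_suspicious(records: List[OnuRecord], port: str, now: float, first_window: float,
                      dropout_threshold: int, second_window: float,
                      diff1: float, diff2: float) -> List[Tuple]:
    """Evaluate the four suspicious conditions of claim 12 for one access interface."""
    on_port = [r for r in records if r.port == port]
    hits: List[Tuple] = []
    # (1) duplicate static authentication identifiers under the same interface
    by_serial = defaultdict(list)
    for r in on_port:
        by_serial[r.serial].append(r.onu_id)
    for serial, ids in by_serial.items():
        if len(ids) >= 2:
            hits.append(("duplicate_static_id", serial))
    # (2) more ONUs dropped out in the first time period than the device number threshold
    dropouts = [r for r in on_port
                if r.offline_at is not None and now - first_window <= r.offline_at <= now]
    if len(dropouts) > dropout_threshold:
        hits.append(("mass_dropout", len(dropouts)))
    # (3) a re-registered ONU whose current data drifts from its own history
    for r in on_port:
        if r.status == "re-registered" and feature_distance(r.to_be_verified, r.historical) > diff1:
            hits.append(("rereg_drift", r.onu_id))
    # (4) a re-registered ONU whose current data closely matches a device that went
    #     abnormally offline on the same interface shortly after the re-registration
    for r in on_port:
        if r.status != "re-registered":
            continue
        for o in on_port:
            if o is r or not o.abnormal_offline or o.offline_at is None:
                continue
            in_window = r.registered_at <= o.offline_at <= r.registered_at + second_window
            if in_window and feature_distance(o.historical, r.to_be_verified) < diff2:
                hits.append(("rereg_matches_abnormal_offline", (r.onu_id, o.onu_id)))
    return hits

def authenticate(record: OnuRecord, reference: Dict[str, float], hits: List[Tuple],
                 tolerance: float) -> Tuple[str, bool]:
    """Claim 11 branch: compare to-be-verified info with reference info only when the
    environment is suspicious. Assumption: otherwise the static-identifier result stands."""
    if not hits:
        return ("static", True)
    return ("dynamic", feature_distance(record.to_be_verified, reference) <= tolerance)

def constructed_port() -> List[OnuRecord]:
    """Constructed records for port pon0/1: onu-B re-registers with onu-C's serial and with
    optical parameters matching onu-C, which then goes abnormally offline; onu-D also drops."""
    return [
        OnuRecord("onu-A", "pon0/1", "ZTEG0001", "registered", 0, None, False,
                  {"tx_power_dbm": 2.1, "bias_ma": 12.0}, {"tx_power_dbm": 2.1, "bias_ma": 12.0}),
        OnuRecord("onu-B", "pon0/1", "ZTEG0002", "re-registered", 1000, None, False,
                  {"tx_power_dbm": 3.4, "bias_ma": 18.0}, {"tx_power_dbm": 2.0, "bias_ma": 12.5}),
        OnuRecord("onu-C", "pon0/1", "ZTEG0002", "offline", 0, 1005, True,
                  {}, {"tx_power_dbm": 3.4, "bias_ma": 17.9}),
        OnuRecord("onu-D", "pon0/1", "ZTEG0003", "offline", 0, 1050, False,
                  {}, {"tx_power_dbm": 2.2, "bias_ma": 11.8}),
    ]

if __name__ == "__main__":
    recs = constructed_port()
    hits = detect_suspicious(recs, "pon0/1", now=1100, first_window=300, dropout_threshold=1,
                             second_window=60, diff1=0.5, diff2=0.3)
    b = next(r for r in recs if r.onu_id == "onu-B")
    print(hits)
    print(authenticate(b, b.historical, hits, tolerance=0.5))
```

All four conditions fire on the constructed port, and the re-registered onu-B then fails the dynamic comparison against its own historical data even though its static serial number is a valid one; on a port with no hits the same call returns the static result unchanged.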

13. An optical line terminal, characterized in that the optical line terminal comprises a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the computer program is configured to implement the steps of the identity authentication method according to any one of claims 1 to 12.

14. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the steps of the identity authentication method according to any one of claims 1 to 12.