Short message bombing identification and prevention method based on sending behavior characteristics

Document No.: 142851. Published: 2021-10-22.

Reading note: this technology, "Short message bombing identification and prevention method based on sending behavior characteristics" (一种基于发送行为特征的短信轰炸识别和防治方法), was designed by 胡耀恩, 张裕桥 and 郭利荣 on 2021-07-21. Main content: a short message bombing identification and prevention method based on sending behavior characteristics. On the operator network side, short message content is received in real time; port sending behavior is combined with features such as whether the short message content contains a verification code to determine whether lawbreakers are exploiting vulnerabilities in apps or websites to bomb users with short messages; and bombing ports and bombing short messages are identified and intercepted in real time.

1. A short message bombing identification and prevention method based on sending behavior characteristics, characterized in that the method comprises the following steps:

(1) the operator network side receives the short message content in real time;

(2) determining, according to a port record library, whether the calling party is a port number, and determining whether the short message content contains a verification code according to verification-code features, namely whether the content contains 4-6 digits and a keyword, the keywords including "verification code", "check code", "verification password", "secret key" and "password"; if the calling party is not a port number or the content does not contain a verification code, releasing the short message; if the calling party is a port number and the content contains a verification code, further determining whether the calling number is an important port, important ports including bank and payment ports; and if it is not an important port, proceeding to the next step;

(3) if the calling number is a non-important port, determining whether it is a sensitive port; if it is a sensitive port, determining whether the called number is a system protection number; if the called number is a system protection number, intercepting the short message, and if it is not, releasing the short message; if the calling number is not a sensitive port, performing rule counting on the port's sending behavior, wherein the rule count is that k verification-code short messages are sent to n protection numbers within m minutes, m, n and k being configurable and multiple rules being supported in parallel;

(4) determining whether the calling port reaches a rule threshold; if so, listing the port as a suspected sensitive port or directly as a sensitive port; if not, counting the number of verification-code short messages received by the called number, wherein the rule count is that n calling ports send k verification-code short messages to the same called number within m minutes, m, n and k being configurable; if the called number reaches the system automatic protection rule threshold, the called number is automatically added to the system protection number library; if the called number does not reach the system automatic protection rule threshold, proceeding to the next judgment;

(6) continuing with the judgment of the next short message and port.

Technical Field

The invention belongs to the field of network and information security, and particularly relates to a short message bombing identification and prevention method based on sending behavior characteristics.

Background

Short message bombing software can automatically collect websites or apps on the network that require short message verification codes. The bomber enters one or a group of mobile phone numbers into the software at will. The software first automatically finds a large number of websites that can send short message verification codes and visits them one by one, then automatically fills in the mobile phone numbers on each website and simulates a manual click to request the verification code, so that the websites all send short messages to the entered numbers at the same time. The more websites the bombing software finds, the more short messages are sent. Such "short message bombs" may send up to hundreds of messages per second. The bombing software can set the number and timing of the verification-code requests made to the various websites, for example requesting every few minutes and sending short messages to the entered mobile phone number continuously for 24 hours.

In the prior art, short message bombing is prevented mainly by two means. One is to add human-machine verification, such as a graphic verification code, to stop automated bombing calls from triggering verification-code short messages. The other is to build a one-key verification scheme on the mobile terminal to replace the short message verification code. Both means need the support of the relevant authentication interfaces. Because many short message sending interfaces and mobile applications exist on the market, it is difficult to adjust their authentication modes uniformly, the industry has no unified standard, and the requirements cannot be standardized. Moreover, code-cracking tools can currently crack verification methods such as the graphic verification code, after which short message bombs can be sent as usual.

Disclosure of Invention

The invention aims to prevent users from being bombed by short messages, which leads to harassment complaints; to discover bombing short messages and identify bombing port numbers in time; to suppress bombing behavior effectively at the source; and to develop prevention and control methods for bombing short messages that are implemented on the operator network side, thereby safeguarding the secure operation of the telecom operator's short message service. The technical scheme adopted is as follows:

A short message bombing identification and prevention method based on sending behavior characteristics, characterized in that the method comprises the following steps:

(1) the operator network side receives the short message content in real time;

(2) determining, according to a port record library, whether the calling party is a port number, and determining whether the short message content contains a verification code according to verification-code features (whether the content contains 4-6 digits and keywords such as "verification code", "check code", "verification password", "secret key", "password" and the like); if the calling party is not a port number, releasing the short message regardless of whether the content contains a verification code; if the calling party is a port number but the content does not contain a verification code, releasing the short message; if the calling party is a port number and the content contains a verification code, further determining whether the calling number is an important port (a bank port, payment port and the like); and if it is not an important port, proceeding to the next step;

(3) if it is not an important port, determining whether the calling party is a sensitive port; if it is a sensitive port, intercepting the short message; if it is not a sensitive port, performing rule counting on the port's sending behavior (k verification-code short messages sent to n protection numbers within m minutes; m, n and k are configurable, and multiple rules are supported in parallel);

(4) determining whether the calling port reaches a rule threshold; if so, listing the port as a suspected sensitive port or directly as a sensitive port; if not, accumulating the count records according to the rules (k verification-code short messages sent to n protection numbers within m minutes; m, n and k are configurable, and multiple rules are supported in parallel);

(5) continuing with the judgment of the next short message and port.

Drawings

FIG. 1 is a flow chart of the present invention.

Detailed Description

In order to make the technical means, inventive features, objectives and effects of the invention easy to understand, the invention is further described below with reference to specific embodiments.

Example 1

As shown in FIG. 1, a short message bombing identification and prevention method based on sending behavior characteristics is characterized in that the method comprises the following steps:

(1) the operator network side receives the short message content in real time;

(2) determining, according to the port record library, whether the calling party is a port number, and determining whether the short message content contains a verification code according to verification-code features (whether the content contains 4-6 digits and keywords such as "verification code", "check code", "verification password", "secret key", "password" and the like); if the calling party is not a port number, or is a port number but the content does not contain a verification code, releasing the short message; if the calling party is a port number and the content of the short message contains a verification code, further determining whether the calling number is an important port (a bank port, payment port and the like); and if it is not an important port, proceeding to the next judgment;

(3) if it is not an important port, determining whether the calling party is a sensitive port; if it is a sensitive port, intercepting the short message; if it is not a sensitive port, performing rule counting on the port's sending behavior (the number of verification-code short messages sent to n protection numbers within m minutes);

(4) determining whether the calling port reaches a rule threshold; if so, listing the port as a suspected sensitive port or directly as a sensitive port, without intercepting the short message at this point (reaching the threshold does not intercept the short message; a short message is intercepted only when the port is already a sensitive port); if the threshold is not reached, accumulating the count records according to the rules (k verification-code short messages sent to n protection numbers within m minutes; m, n and k are configurable, and multiple rules are supported in parallel);

(5) continuing with the judgment of the next short message and port.
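The decision flow of steps (2) to (4) can be sketched as follows. This is an added example, not code from the patent; the class and function names, the English keyword list, the sample numbers, the reading of a rule as "at least k verification-code short messages to at least n distinct called numbers within m minutes" and the release of important ports are all assumptions.

```python
import re
from collections import defaultdict, deque

DIGITS = re.compile(r"(?<!\d)\d{4,6}(?!\d)")  # a standalone run of 4-6 digits
KEYWORDS = ("verification code", "check code", "verification password",
            "secret key", "password")

def has_code(text):
    """Step (2) feature: 4-6 digits together with a verification-code keyword."""
    low = text.lower()
    return bool(DIGITS.search(low)) and any(k in low for k in KEYWORDS)

class BombingFilter:
    def __init__(self, ports, important, rules):
        self.ports, self.important = set(ports), set(important)
        self.rules = rules              # parallel rules: (m minutes, n numbers, k messages)
        self.horizon = 60 * max(m for m, _, _ in rules)
        self.sensitive = set()          # ports listed after reaching a rule threshold
        self.sent = defaultdict(deque)  # port -> (timestamp in seconds, called number)

    def judge(self, ts, caller, called, text):
        """Return 'release' or 'intercept' for one short message (steps 2-4)."""
        if caller not in self.ports or not has_code(text):
            return "release"            # step (2): not a port, or no verification code
        if caller in self.important:
            return "release"            # assumption: bank/payment ports are exempt
        if caller in self.sensitive:
            return "intercept"          # step (3): port is already sensitive
        log = self.sent[caller]
        log.append((ts, called))
        while log[0][0] <= ts - self.horizon:
            log.popleft()               # drop records older than the longest window
        for m, n, k in self.rules:      # step (4): evaluate every configured rule
            recent = [c for t, c in log if t > ts - 60 * m]
            if len(recent) >= k and len(set(recent)) >= n:
                self.sensitive.add(caller)
        return "release"                # reaching the threshold does not intercept

def run_demo():
    # Constructed traffic; every port and subscriber number here is made up.
    f = BombingFilter(ports={"10690001", "95500"}, important={"95500"},
                      rules=[(1, 3, 5)])
    msg = "Your verification code is 482913"
    called = ["13800000001", "13800000002", "13800000003"]
    out = [f.judge(5 * i, "10690001", called[i % 3], msg) for i in range(6)]
    out.append(f.judge(40, "95500", called[0], msg))        # important port
    out.append(f.judge(41, "13900000009", called[0], msg))  # not a port number
    out.append(f.judge(42, "10690001", called[1], "Your parcel has shipped"))
    return out, f.sensitive
```

In the constructed run, the fifth message trips the rule and is still released, and interception starts with the sixth, matching the note in step (4).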

Detecting whether the time interval between the receiving time of the short message and the receiving time of the previous short message is smaller than a first preset threshold; if the interval is smaller than the first preset threshold, determining that the short message is a bombing short message;

taking the receiving time of the short message as the time end point, calculating the average of the time intervals between adjacent short messages received within a preset time length, and detecting whether the average is smaller than a second preset threshold; if the average is smaller than the second preset threshold, determining that the short message is a bombing short message.

Specifically, the time interval between two short messages received in succession (i.e. the first preset threshold) may be set in advance according to actual short message sending or receiving conditions. If the shortest interval between received short messages under normal conditions is 5 seconds, i.e. the interval between two short messages that are not part of a bombing is at least 5 seconds, the first preset threshold may be set to 5 seconds. The first preset threshold may be dynamically adjusted according to actual conditions; the above is only an exemplary description.

Further, the application program or plug-in may calculate the time interval between the receiving time of the short message currently received by the terminal device and the receiving time of the previous short message, and determine whether the currently received short message is a bombing short message by comparing the calculated interval with the first preset threshold. If the receiving time of the currently received short message is 10:55:20 and the receiving time of the previous short message is 10:55:12, the interval between the two short messages is 8 seconds; the first preset threshold is 5 seconds, so the interval is greater than the first preset threshold and the currently received short message can be determined not to be a bombing short message. If the receiving time of the currently received short message is 10:55:15 and the receiving time of the previous short message is 10:55:12, the interval between the two short messages is 3 seconds; the first preset threshold is 5 seconds, so the interval is smaller than the first preset threshold and the currently received short message can be determined to be a bombing short message.

Further, it may be specified in advance, according to actual short message sending or receiving conditions, that receiving more than 20 short messages within 1 minute means the terminal device is being bombed by short messages. In that case, the time intervals between the receiving times of the 20 short messages can be averaged: the interval between the 1st and 2nd short messages (denoted a1), the interval between the 2nd and 3rd short messages (denoted a2), and so on, up to the interval between the 29th and 30th short messages (denoted a29), are calculated, and the intervals obtained (a1, a2, ..., a29) are then averaged to give the average interval between adjacent short messages received within 1 minute. This calculated average may be used as the second preset threshold; if the average interval between adjacent short messages received within 1 minute is 3 seconds, the second preset threshold is 3 seconds. The second preset threshold may be dynamically adjusted according to actual needs; the above is only an exemplary description.

Further, when the application program or plug-in detects that the terminal device has received a short message, it may take the receiving time of that short message as the time end point, calculate the average of the time intervals between adjacent short messages received within a first preset time period (e.g. 30 seconds, 50 seconds, 1 minute, 2 minutes), and determine whether the currently received short message is a bombing short message by detecting whether the average is smaller than the second preset threshold. If the average interval between adjacent short messages received within the first preset time period is 5 seconds, the currently received short message is determined not to be a bombing short message, because the average is greater than the second preset threshold. If the average interval is 2 seconds, the currently received short message can be determined to be a bombing short message, because the average is smaller than the second preset threshold.
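The two interval checks above can be combined in one detector, shown here as an added example that is not code from the patent. The names are hypothetical, the defaults (5 seconds, 3 seconds, 1 minute) are the exemplary values from the text, and treating either check as sufficient is an assumption.

```python
from collections import deque

def to_seconds(hms):
    """Convert 'HH:MM:SS' to seconds since midnight."""
    h, m, s = (int(x) for x in hms.split(":"))
    return 3600 * h + 60 * m + s

class IntervalDetector:
    def __init__(self, first_threshold=5, second_threshold=3, window=60):
        self.first, self.second, self.window = first_threshold, second_threshold, window
        self.times = deque()   # receiving times (seconds) still inside the window

    def is_bombing(self, ts):
        prev = self.times[-1] if self.times else None
        self.times.append(ts)
        while self.times[0] < ts - self.window:
            self.times.popleft()
        # Check 1: interval to the previous short message.
        if prev is not None and ts - prev < self.first:
            return True
        # Check 2: mean of adjacent intervals in the window. The sum of adjacent
        # gaps telescopes to (last - first), so no per-gap list is needed.
        if len(self.times) >= 2:
            mean_gap = (self.times[-1] - self.times[0]) / (len(self.times) - 1)
            return mean_gap < self.second
        return False

def classify(timestamps, **kw):
    """Run a fresh detector over receiving times given in seconds."""
    d = IntervalDetector(**kw)
    return [d.is_bombing(t) for t in timestamps]
```

The second check matters for a short message that arrives after a brief pause in a burst: its own gap can exceed the first threshold while the window average is still below the second.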
