
CN106878241A - Malicious hotspot detection method and system - Google Patents

Malicious hotspot detection method and system

Publication number
CN106878241A
Authority
CN
China
Prior art keywords
hotspot
client
enterprise
control server
blacklist
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510959228.8A
Other languages
Chinese (zh)
Inventor
杨卿
柴坤哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201510959228.8A
Publication of CN106878241A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a malicious hotspot detection method and system. The method comprises: a hardware sensor deployed inside the enterprise continuously captures all data traffic in the current wireless environment and transmits the data traffic to a control server in real time; the control server parses the required feature information from the data traffic; the feature information is matched against a feature library; the connections between hotspots and clients belonging to the enterprise are further checked, and a blacklist and a whitelist are generated; hotspots/clients on the blacklist are located, and the location information is sent to a management terminal for display. The invention improves the security of wireless networks, is compatible with the various wireless network environments of an enterprise, does not affect the enterprise's existing wireless network architecture, can be deployed seamlessly, and provides intelligent, convenient management.

Description

Malicious hotspot detection method and system
Technical field
The present invention relates to the technical field of network security, and in particular to a malicious hotspot detection method and system.
Background art
With the development of network technology, wireless networks are being applied ever more widely because of their convenience. To meet the wireless networking needs of different devices, some companies and households have added wireless APs (Access Points), which improves the mobility of networked devices and makes up for the limitations of wired networks.
For enterprise users, as the number of hotspots in the enterprise network keeps growing, hotspots from various manufacturers and of various models come to coexist; at the same time, their distribution is chaotic and device security is fragile. Because data in a wireless network is propagated by radiated wireless signals, an attacker can intrude at any position covered by a hotspot and eavesdrop on, intercept, replay or destroy users' communication data, which brings great security risk to the enterprise's network information security.
Hotspots that appear inside an enterprise mainly fall into the following kinds, each of which carries certain security risks and problems.
1. Legitimate hotspots
Hotspots that the enterprise has planned and built are called legitimate hotspots. From a security standpoint, legitimate hotspots should be the only hotspots inside the enterprise; any other hotspot may bring security risk to the enterprise.
However, legitimate hotspots also have security risks. Even when passwords are set using wireless encryption protocols such as WEP and WPA, problems such as weak passwords and insufficient encryption strength remain; moreover, with cracking techniques and cracking tools abundant on the network, these encryption protocols are practically useless against attackers, and a hacker can easily enter the enterprise's internal network through a hotspot, with serious consequences such as information being leaked or tampered with. Legitimate hotspots may also suffer DDoS attacks that leave them unable to provide normal service.
2. Hotspots whose coverage extends in from elsewhere
Because wireless signals penetrate obstacles and the boundaries of wireless networks are indeterminate, the wireless networks of neighbouring enterprises may cover one another. Such hotspots pose two problems for the enterprise's network security: first, it is uncertain whether the other party's hotspot is secure; second, employees of this enterprise may connect to the other party's hotspot. Either may cause information leakage.
3. Hotspots set up privately by employees
As long as a portable WiFi device is attached to a networked computer terminal, it can become a hotspot connected to that network; many terminal tools also provide WiFi-sharing functions. Many employees, intentionally or unintentionally, set up hotspots on their own terminals. The security of these hotspots is hard to guarantee, and they are easily attacked by hackers, who can then enter the enterprise network and steal internal enterprise data.
4. Malicious hotspots
In addition to the hotspots above, attackers may also deliberately set up malicious hotspots around the enterprise, using names identical or similar to those of the enterprise's hotspots, so that employees' terminals connect to them, intentionally or by accident. The attacker can then obtain internal enterprise information through the hotspot, or even enter the enterprise's internal network by compromising the terminal.
Therefore, network security techniques for wireless networks, such as security and access controllability, need to be taken very seriously.
Although an enterprise may periodically carry out security inspections of its wireless network to detect malicious hotspots, check for illegal hotspots and so on, this rarely becomes routine. The overall malicious hotspot situation cannot be monitored over the long term, and illegal hotspots that appear sporadically cannot be discovered and blocked in real time. A method and system that can detect malicious hotspots continuously and run stably is still lacking.
When a hotspot suffers a DDoS flood attack, many enterprises only discover it and respond once the network has been attacked to the point that it can no longer be used. For phishing hotspot attacks there is almost no means of discovery, so some terminals unintentionally connect to phishing hotspots, causing information leakage. Effective protective measures that discover and block attacks in time are also lacking.
After a security incident has occurred (for example, whether certain terminals privately set up WiFi, whether certain terminals connected to illegal hotspots, or whether a hotspot was attacked), the necessary data support and handling means for after-the-fact auditing and tracing are lacking.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a malicious hotspot detection method and system that overcome the above problems or at least partially solve or mitigate them.
According to one aspect of the invention, a malicious hotspot detection method is provided, comprising the following steps:
A hardware sensor deployed inside the enterprise continuously captures all data traffic in the current wireless environment and transmits the data traffic to the control server in real time;
The control server parses the required feature information from the data traffic;
The control server performs matching detection of the feature information against a feature library;
The control server further checks the connections between hotspots and clients belonging to the enterprise and generates a blacklist and a whitelist;
The control server locates the hotspots/clients on the blacklist and sends the location information to a management terminal for display.
Optionally, the hardware sensor includes a wireless network card and collects, in real time or at scheduled intervals, the wireless data packets received or sent by hotspots and clients in the wireless network.
Optionally, the feature information includes: hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address, and client MAC address.
Optionally, the control server performing matching detection of the feature information against the feature library includes:
Compiling statistics on the SSID names of the wireless hotspots and the client MAC addresses in the wireless data packets, and separating the hotspots and clients that belong to the enterprise from the hotspots and clients that do not.
Optionally, the control server further checking the connections between hotspots and clients belonging to the enterprise and generating the blacklist and whitelist includes:
If a hotspot inside the enterprise is connected to a client that does not belong to the enterprise, the enterprise hotspot is judged to be abnormal, and the client is placed on the blacklist;
If a client inside the enterprise is connected to a hotspot that does not belong to the enterprise, the enterprise client is judged to be abnormal, and the client is placed on the blacklist;
If multiple wireless hotspots with the same SSID name appear among the enterprise's hotspots, and the frequency of disconnection packets received by one or more of those hotspots exceeds a preset threshold, an anomaly is determined to have occurred and the hotspot is placed on the blacklist;
If the number of hotspots that an enterprise client connects to within a certain time period exceeds a preset threshold, the client is placed on the blacklist.
Optionally, the control server locating the hotspots/clients on the blacklist includes:
A floor plan containing the sensors' geographic location information is imported into the control server in advance, and sensor three-point positioning is used to precisely locate hotspots/clients within sensor coverage.
Optionally, the management terminal receives the location information of the blacklisted hotspots/clients sent by the control server; displays the received location information and sends an alarm prompt to the administrator; and, according to user confirmation, adds a blacklisted hotspot/client to the whitelist.
According to another aspect of the invention, a malicious hotspot detection system is provided, comprising a hardware sensor, a control server and a management terminal, wherein:
The hardware sensor is deployed inside the enterprise, continuously captures all data traffic in the current wireless environment, and transmits the data traffic to the control server in real time;
The control server parses the required feature information from the data traffic; performs matching detection of the feature information against a feature library; further checks the connections between hotspots and clients belonging to the enterprise and generates a blacklist and a whitelist; and locates the hotspots/clients on the blacklist and sends the location information to the management terminal for display;
The management terminal receives the location information from the control server.
Optionally, the hardware sensor includes a wireless network card and collects, in real time or at scheduled intervals, the wireless data packets received or sent by hotspots and clients in the wireless network.
Optionally, the feature information includes: hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address, and client MAC address.
Optionally, the control server performing matching detection of the feature information against the feature library includes:
Compiling statistics on the SSID names of the wireless hotspots and the client MAC addresses in the wireless data packets, and separating the hotspots and clients that belong to the enterprise from the hotspots and clients that do not.
Optionally, the control server further checking the connections between hotspots and clients belonging to the enterprise and generating the blacklist and whitelist includes:
If a hotspot inside the enterprise is connected to a client that does not belong to the enterprise, the enterprise hotspot is judged to be abnormal, and the client is placed on the blacklist;
If a client inside the enterprise is connected to a hotspot that does not belong to the enterprise, the enterprise client is judged to be abnormal, and the client is placed on the blacklist;
If multiple wireless hotspots with the same SSID name appear among the enterprise's hotspots, and the frequency of disconnection packets received by one or more of those hotspots exceeds a preset threshold, an anomaly is determined to have occurred and the hotspot is placed on the blacklist;
If the number of hotspots that an enterprise client connects to within a certain time period exceeds a preset threshold, the client is placed on the blacklist.
Optionally, the control server locating the hotspots/clients on the blacklist includes:
A floor plan containing the sensors' geographic location information is imported into the control server in advance, and sensor three-point positioning is used to precisely locate hotspots/clients within sensor coverage.
Optionally, the management terminal includes:
A receiving unit, for receiving the location information of the blacklisted hotspots/clients sent by the control server;
A display and alarm unit, for displaying the received location information and sending an alarm prompt to the administrator;
A blacklist/whitelist management unit, for adding a blacklisted hotspot/client to the whitelist according to user confirmation.
The malicious hotspot detection and localization method and system of the invention inspect the collected wireless data packets and can thereby detect and locate malicious hotspots/clients in the wireless network. They improve the security of wireless networks, are compatible with the various wireless network environments of an enterprise, do not affect the enterprise's existing wireless network architecture, can be deployed seamlessly, and provide intelligent, convenient management.
The above is only an overview of the technical solution of the invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
By reading the detailed description of the preferred embodiments below, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings serve only to illustrate the preferred embodiments and are not to be considered limiting of the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flowchart of a malicious hotspot detection and localization method according to an embodiment of the invention;
Fig. 2 shows a structural diagram of a malicious hotspot detection system according to an embodiment of the invention;
Fig. 3 shows a structural diagram of the control server of a malicious hotspot detection system according to an embodiment of the invention;
Fig. 4 shows a structural diagram of the management terminal of a malicious hotspot detection system according to an embodiment of the invention.
Detailed description of the embodiments
The invention is further described below with reference to the drawings and specific embodiments.
As shown in Fig. 1, a malicious hotspot detection method according to an embodiment of the invention specifically comprises the following steps:
Step 101: a hardware sensor deployed inside the enterprise continuously captures all data traffic in the current wireless environment and transmits the data traffic to the control server in real time.
The hardware sensor includes a wireless network card and can collect, in real time or at scheduled intervals, the wireless data packets received or sent by hotspots and clients in the wireless network. The wireless data packets may be in 802.11 format, among others. The sensor encapsulates the collected wireless data packets and transmits them to the control server over a wired or wireless connection.
Hotspots include: wireless routers, wireless APs, etc. Clients include: mobile terminals, PCs, notebook computers, etc.
Step 102: the control server parses the required feature information from the data traffic.
The feature information includes: hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address, client MAC address, etc.
Step 103: the control server performs matching detection of the feature information against the feature library.
Statistics are compiled on the SSID names of the wireless hotspots and the client MAC addresses in the wireless data packets, and the hotspots and clients that belong to the enterprise are separated from the hotspots and clients that do not.
Step 104: using the data packets, the connections between hotspots and clients belonging to the enterprise are further checked, and the blacklist and whitelist are generated.
If a hotspot inside the enterprise is connected to a client that does not belong to the enterprise, the enterprise hotspot is judged to be abnormal, and the client is placed on the blacklist; alternatively, upon confirmation by an administrator or user, the client may be added to the whitelist;
If a client inside the enterprise is connected to a hotspot that does not belong to the enterprise, the enterprise client is judged to be abnormal, and the client is placed on the blacklist; alternatively, upon confirmation by an administrator or user, the client may be added to the whitelist;
If multiple wireless hotspots with the same SSID name appear among the enterprise's hotspots, and the frequency of disconnection packets received by one or more of those hotspots exceeds a preset threshold, an anomaly is determined to have occurred and the hotspot is placed on the blacklist;
If the length of a wireless hotspot's SSID name exceeds a preset threshold: since the SSID is used to distinguish different wireless networks, an over-long SSID may mean that an attacker is carrying out a flooding attack, and the client launching the attack is added to the blacklist;
If the number of hotspots that an enterprise client connects to within a certain time period exceeds a preset threshold, the client is placed on the blacklist; alternatively, upon confirmation by an administrator or user, the client may be added to the dynamic whitelist. When a client frequently connects to more than a predetermined number of hotspots, the client may be a scanner attempting to crack the enterprise's hotspots.
Step 105: the control server locates the hotspots/clients on the blacklist and sends the location information to the management terminal for display.
A floor plan containing the sensors' geographic location information is imported into the control server in advance, and sensor three-point positioning is used to precisely locate hotspots/clients within sensor coverage, helping administrators quickly track the hotspot or client and locate the source of the wireless attack event.
The control server obtains the information reported by at least one sensor for locating the hotspot/client and, according to that information, locates the hotspot/client, wherein:
If there are three or more sensors, the distance between each sensor and the hotspot/client is determined from the strength of the signal that the sensor receives from the hotspot/client;
From the geographic location information of each sensor and the distance between each sensor and the hotspot/client, a three-point positioning algorithm is used to determine estimated geographic position coordinates; the geometric center of these estimated coordinates is then calculated and taken as the final estimate of the geographic position coordinates of the hotspot/client.
The management terminal receives the location information of the blacklisted hotspots/clients sent by the control server; displays the received location information and sends an alarm prompt to the administrator; and, according to user confirmation, adds a blacklisted hotspot/client to the whitelist.
The management terminal may be a mobile terminal, PC, notebook computer or the like connected to the control server. Further, the management terminal may be a web management platform running on a mobile terminal, PC, notebook computer or the like connected to the control server.
As shown in Fig. 2, a malicious hotspot detection system according to an embodiment of the invention includes: hardware sensors, a control server and a management terminal.
The hardware sensors are distributed at various positions in the enterprise's working environment and are used to continuously capture all data traffic in the current wireless environment and transmit the data traffic to the control server in real time.
The hardware sensor includes a wireless network card and can collect, in real time or at scheduled intervals, the wireless data packets received or sent by hotspots and clients in the wireless network. The wireless data packets may be in 802.11 format, among others. The sensor encapsulates the collected wireless data packets and transmits them to the control server over a wired or wireless connection.
The hotspots include: wireless routers, wireless APs, etc.; the clients include: mobile terminals, PCs with wireless network cards, notebook computers, etc.
As shown in Fig. 3, the control server includes:
A receiving unit, for receiving data traffic from the hardware sensors;
A parsing unit, for parsing the required feature information from the data traffic;
A matching detection unit, for performing matching detection of the feature information against the feature library;
A blacklist/whitelist generation unit, for further checking the connections between hotspots and clients belonging to the enterprise and generating the blacklist and whitelist;
A positioning unit, for locating the hotspots/clients on the blacklist;
A sending unit, for sending the location information to the management terminal for display.
Specifically, the feature information that the parsing unit parses from the data traffic includes:
Hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address, client MAC address, etc.; it may also include: client access time, the IP address assigned to the client, the connection relationship between AP and client, etc.
The matching detection unit performing matching detection of the feature information against the feature library includes:
Compiling statistics on the SSID names of the wireless hotspots and the client MAC addresses in the wireless data packets, and separating the hotspots and clients that belong to the enterprise from the hotspots and clients that do not.
The blacklist/whitelist generation unit further checking the connections between hotspots and clients belonging to the enterprise and generating the blacklist and whitelist includes:
If a hotspot inside the enterprise is connected to a client that does not belong to the enterprise, the enterprise hotspot is judged to be abnormal, and the client is placed on the blacklist; alternatively, upon confirmation by an administrator or user, the client may be added to the whitelist;
If a client inside the enterprise is connected to a hotspot that does not belong to the enterprise, the enterprise client is judged to be abnormal, and the client is placed on the blacklist; alternatively, upon confirmation by an administrator or user, the client may be added to the whitelist;
If multiple wireless hotspots with the same SSID name appear among the enterprise's hotspots, and the frequency of disconnection packets received by one or more of those hotspots exceeds a preset threshold, an anomaly is determined to have occurred and the hotspot is placed on the blacklist;
If the length of a wireless hotspot's SSID name exceeds a preset threshold: since the SSID is used to distinguish different wireless networks, an over-long SSID may mean that an attacker is carrying out a flooding attack, and the client launching the attack is added to the blacklist;
If the number of hotspots that an enterprise client connects to within a certain time period exceeds a preset threshold, the client is placed on the blacklist; alternatively, upon confirmation by an administrator or user, the client may be added to the dynamic whitelist. When a client frequently connects to more than a predetermined number of hotspots, the client may be a scanner attempting to crack the enterprise's hotspots.
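The checks described for step 104 and for the blacklist/whitelist generation unit, as an added Python example that is not part of the patent text. The record layout, MAC addresses, reason strings and threshold values are constructed for illustration, and because the text does not say which hotspot the same-SSID check lists, the example assumes it is the one missing from the feature library.

```python
from collections import defaultdict

# Feature library: constructed sample values, not from the patent.
ENTERPRISE_SSIDS = {"CorpWiFi"}
ENTERPRISE_HOTSPOTS = {f"aa:aa:aa:00:00:0{i}" for i in range(1, 5)}
ENTERPRISE_CLIENTS = {"cc:cc:cc:00:00:01", "cc:cc:cc:00:00:02"}

# The text only says "preset threshold"; these values are assumptions.
MAX_SSID_LEN = 32      # octets; 802.11 allows at most 32 in an SSID
MAX_DISCONNECTS = 5    # disconnection packets per hotspot per window
MAX_HOTSPOTS = 3       # distinct hotspots per client per window
WINDOW = 60.0          # seconds


def peak_in_window(events, window=WINDOW):
    """Most distinct keys among (timestamp, key) events in any one window."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        keys = {key for ts, key in events[i:] if ts - start <= window}
        best = max(best, len(keys))
    return best


def build_blacklist(records, whitelist=frozenset()):
    """Run the five checks over parsed records; return {mac: set of reasons}."""
    black = defaultdict(set)
    ssid_hotspots = defaultdict(set)   # SSID -> hotspot MACs advertising it
    disconnects = defaultdict(list)    # hotspot MAC -> (timestamp, serial)
    connects = defaultdict(list)       # client MAC -> (timestamp, hotspot MAC)

    for serial, r in enumerate(records):
        if r["type"] == "beacon":
            ssid_hotspots[r["ssid"]].add(r["hotspot"])
            # Over-long SSID name: list the transmitter of the frame.
            if len(r["ssid"].encode()) > MAX_SSID_LEN:
                black[r["hotspot"]].add("ssid-too-long")
        elif r["type"] == "disconnect":
            disconnects[r["hotspot"]].append((r["ts"], serial))
        elif r["type"] == "connect":
            client, hotspot = r["client"], r["hotspot"]
            connects[client].append((r["ts"], hotspot))
            inside_client = client in ENTERPRISE_CLIENTS
            inside_hotspot = hotspot in ENTERPRISE_HOTSPOTS
            # Enterprise hotspot serving a client that is not the enterprise's.
            if inside_hotspot and not inside_client:
                black[client].add("outside-client-on-enterprise-hotspot")
            # Enterprise client attached to a hotspot that is not the enterprise's.
            if inside_client and not inside_hotspot:
                black[client].add("enterprise-client-on-outside-hotspot")

    # Same SSID on several hotspots plus a burst of disconnection packets.
    for ssid in ENTERPRISE_SSIDS:
        group = ssid_hotspots[ssid]
        flooded = any(peak_in_window(disconnects[h]) > MAX_DISCONNECTS
                      for h in group)
        if len(group) > 1 and flooded:
            for hotspot in group - ENTERPRISE_HOTSPOTS:  # assumption, see lead-in
                black[hotspot].add("same-ssid-with-disconnect-flood")

    # Enterprise client hopping across too many hotspots in one window.
    for client, seen in connects.items():
        if client in ENTERPRISE_CLIENTS and peak_in_window(seen) > MAX_HOTSPOTS:
            black[client].add("too-many-hotspots")

    # Entries an administrator has confirmed are kept off the blacklist.
    return {mac: why for mac, why in black.items() if mac not in whitelist}


# Constructed records, shaped like the feature information parsed from frames.
SAMPLE = [
    {"type": "beacon", "hotspot": "aa:aa:aa:00:00:01", "ssid": "CorpWiFi"},
    {"type": "beacon", "hotspot": "ee:ee:ee:00:00:09", "ssid": "CorpWiFi"},
    {"type": "beacon", "hotspot": "ff:ff:ff:00:00:03", "ssid": "A" * 40},
    {"type": "connect", "ts": 5, "client": "dd:dd:dd:00:00:07",
     "hotspot": "aa:aa:aa:00:00:01"},
    {"type": "connect", "ts": 6, "client": "cc:cc:cc:00:00:01",
     "hotspot": "ee:ee:ee:00:00:09"},
]
SAMPLE += [{"type": "disconnect", "ts": 10 + i, "hotspot": "aa:aa:aa:00:00:01"}
           for i in range(6)]
SAMPLE += [{"type": "connect", "ts": 20 + 10 * i, "client": "cc:cc:cc:00:00:02",
            "hotspot": f"aa:aa:aa:00:00:0{i + 1}"} for i in range(4)]

if __name__ == "__main__":
    for mac, reasons in sorted(build_blacklist(SAMPLE).items()):
        print(mac, sorted(reasons))
```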
The positioning unit is used to locate the hotspots/clients on the blacklist;
A floor plan containing the sensors' geographic location information is imported into the positioning unit in advance, and sensor three-point positioning is used to precisely locate hotspots/clients within sensor coverage, helping administrators quickly track the hotspot or client and locate the source of the wireless attack event.
The positioning unit obtains the information reported by at least one sensor for locating the hotspot/client and, according to that information, locates the hotspot/client, wherein:
If there are three or more sensors, the distance between each sensor and the hotspot/client is determined from the strength of the signal that the sensor receives from the hotspot/client;
From the geographic location information of each sensor and the distance between each sensor and the hotspot/client, a three-point positioning algorithm is used to determine estimated geographic position coordinates; the geometric center of these estimated coordinates is then calculated and taken as the final estimate of the geographic position coordinates of the hotspot/client.
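The localization described for step 105 and for the positioning unit, as an added Python example that is not part of the patent text. The patent does not state how signal strength is converted to distance; the log-distance path-loss model, its two constants and the sensor coordinates below are assumptions.

```python
import math
from itertools import combinations

# Assumed radio model (not from the patent): log-distance path loss.
RSSI_AT_1M = -40.0    # dBm received 1 m from the transmitter (assumed)
PATH_LOSS_EXP = 2.5   # environment-dependent exponent (assumed)


def rssi_to_distance(rssi_dbm):
    """Distance in metres implied by a received signal strength."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))


def distance_to_rssi(distance_m):
    """Inverse of rssi_to_distance, used here only to build sample readings."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXP * math.log10(distance_m)


def trilaterate(p1, d1, p2, d2, p3, d3):
    """Three-point positioning: intersect three circles.

    Subtracting the first circle equation from the other two leaves a
    2x2 linear system in (x, y). Returns None for collinear sensors.
    """
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    c2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        return None
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def locate(readings):
    """Estimate a transmitter position from sensor readings.

    readings: list of ((x, y), rssi_dbm), with (x, y) the sensor position
    on the imported floor plan. Every group of three sensors yields one
    estimate; the result is the geometric center of those estimates.
    Returns None when no group of three is usable.
    """
    if len(readings) < 3:
        raise ValueError("three-point positioning needs at least three sensors")
    estimates = []
    for triple in combinations(readings, 3):
        args = []
        for position, rssi in triple:
            args += [position, rssi_to_distance(rssi)]
        estimate = trilaterate(*args)
        if estimate is not None:
            estimates.append(estimate)
    if not estimates:
        return None
    count = len(estimates)
    return (sum(x for x, _ in estimates) / count,
            sum(y for _, y in estimates) / count)


# Constructed floor plan: four sensors in the corners of a 10 m x 10 m room.
SENSORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
TARGET = (3.0, 4.0)   # constructed position of a blacklisted hotspot


def sample_readings(noise_db=(0.0, 0.0, 0.0, 0.0)):
    """Readings each sensor would report for TARGET under the assumed model."""
    return [(s, distance_to_rssi(math.dist(s, TARGET)) + n)
            for s, n in zip(SENSORS, noise_db)]


if __name__ == "__main__":
    print("exact readings:", locate(sample_readings()))
    print("noisy readings:", locate(sample_readings((1.0, -1.5, 0.5, -0.5))))
```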
A sending unit, for sending the location information to the management terminal for display.
As shown in Fig. 4, the management terminal includes:
A receiving unit, for receiving the location information of the blacklisted hotspots/clients sent by the control server;
A display and alarm unit, for displaying the received location information and sending an alarm prompt to the administrator;
A blacklist/whitelist management unit, for adding a blacklisted hotspot/client to the whitelist according to user confirmation.
The management terminal may be a mobile terminal, PC, notebook computer or the like connected to the control server. Further, the management terminal may be a web management platform running on a mobile terminal, PC, notebook computer or the like connected to the control server.
The malicious hotspot detection and localization method and system provided by the above embodiments inspect the collected wireless data packets and can thereby detect and locate malicious hotspots/clients in the wireless network. They improve the security of wireless networks, are compatible with the various wireless network environments of an enterprise, do not affect the enterprise's existing wireless network architecture, can be deployed seamlessly, and provide intelligent, convenient management.
The component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that, in practice, a microprocessor or digital signal processor (DSP) may be used to implement some or all of the functions of some or all of the components of the malicious hotspot detection and localization system according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
References herein to "one embodiment", "an embodiment" or "one or more embodiments" mean that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Note also that instances of the phrase "in one embodiment" here do not necessarily all refer to the same embodiment.
Numerous specific details are set forth in the specification provided here. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this specification.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
It should further be noted that the language used in this specification has been selected principally for readability and instructional purposes, and not to delineate or restrict the subject matter of the invention. Therefore, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. As to the scope of the invention, the disclosure made here is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.

Claims (10)

1. A malicious hotspot detection method, characterized by comprising the following steps:
A hardware sensor deployed inside the enterprise continuously captures all data traffic in the current wireless environment and transmits the data traffic to the central control server in real time;
The central control server parses the required feature information from the data traffic;
The central control server performs matching detection on the feature information against a feature library;
The central control server further checks the connections of the hotspots and clients belonging to the enterprise and generates a blacklist and a whitelist;
The central control server locates the hotspots/clients in the blacklist and sends the location information to the management terminal for display.
2. The malicious hotspot detection method as claimed in claim 1, characterized in that
The hardware sensor includes a wireless network card that collects, in real time or at scheduled intervals, the wireless data packets received or sent by hotspots and clients in the wireless network;
The feature information includes: hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address, client MAC address.
3. The malicious hotspot detection method as claimed in claim 1, characterized in that the central control server performing matching detection on the feature information against the feature library comprises:
Collecting statistics on the SSID names of the wireless hotspots and the client MAC addresses in the wireless data packets, and dividing them into hotspots and clients that belong to the enterprise and hotspots and clients that do not belong to the enterprise;
The central control server further checking the connections of the hotspots and clients belonging to the enterprise and generating the blacklist and whitelist comprises:
If a hotspot of the enterprise is connected to a client that does not belong to the enterprise, determining that the enterprise hotspot is abnormal and placing the client in the blacklist;
If a client of the enterprise is connected to a hotspot that does not belong to the enterprise, determining that the enterprise client is abnormal and placing the client in the blacklist;
If several wireless hotspots with the same SSID name appear among the enterprise hotspots, and the frequency at which one or more of them receive disconnection packets exceeds a preset threshold, determining that an abnormality has occurred and placing the hotspot in the blacklist;
If the number of hotspots that an enterprise client connects to within a certain time period exceeds a preset threshold, placing the client in the blacklist.
4. The malicious hotspot detection method as claimed in claim 1, characterized in that the central control server locating the hotspots/clients in the blacklist comprises:
A floor plan containing the geographic location information of the sensors has been imported into the central control server in advance, and sensor three-point positioning is used to accurately locate the hotspots/clients within sensor coverage;
The method further comprises:
The management terminal receives the location information of the hotspots/clients in the blacklist sent by the central control server; displays the received location information and sends an alarm prompt to the administrator; and, upon user confirmation, adds the hotspot/client in the blacklist to the whitelist.
5. A malicious hotspot detection system, characterized by comprising a hardware sensor, a central control server and a management terminal, wherein
The hardware sensor is deployed inside the enterprise, continuously captures all data traffic in the current wireless environment, and transmits the data traffic to the central control server in real time;
The central control server parses the required feature information from the data traffic; performs matching detection on the feature information against a feature library; further checks the connections of the hotspots and clients belonging to the enterprise and generates a blacklist and a whitelist; and locates the hotspots/clients in the blacklist and sends the location information to the management terminal for display;
The management terminal receives the location information from the central control server.
6. The malicious hotspot detection system as claimed in claim 5, characterized in that
The hardware sensor includes a wireless network card that collects, in real time or at scheduled intervals, the wireless data packets received or sent by hotspots and clients in the wireless network.
7. The malicious hotspot detection system as claimed in claim 5, characterized in that the feature information includes: hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address, client MAC address;
The central control server performing matching detection on the feature information against the feature library comprises:
Collecting statistics on the SSID names of the wireless hotspots and the client MAC addresses in the wireless data packets, and dividing them into hotspots and clients that belong to the enterprise and hotspots and clients that do not belong to the enterprise.
8. The malicious hotspot detection system as claimed in claim 5, characterized in that the central control server further checking the connections of the hotspots and clients belonging to the enterprise and generating the blacklist and whitelist comprises:
If a hotspot of the enterprise is connected to a client that does not belong to the enterprise, determining that the enterprise hotspot is abnormal and placing the client in the blacklist;
If a client of the enterprise is connected to a hotspot that does not belong to the enterprise, determining that the enterprise client is abnormal and placing the client in the blacklist;
If several wireless hotspots with the same SSID name appear among the enterprise hotspots, and the frequency at which one or more of them receive disconnection packets exceeds a preset threshold, determining that an abnormality has occurred and placing the hotspot in the blacklist;
If the number of hotspots that an enterprise client connects to within a certain time period exceeds a preset threshold, placing the client in the blacklist.
9. The malicious hotspot detection system as claimed in claim 5, characterized in that the central control server locating the hotspots/clients in the blacklist comprises:
A floor plan containing the geographic location information of the sensors has been imported into the central control server in advance, and sensor three-point positioning is used to accurately locate the hotspots/clients within sensor coverage.
10. The malicious hotspot detection system as claimed in claim 5, characterized in that the management terminal comprises:
A receiving unit, for receiving the location information of the hotspots/clients in the blacklist sent by the central control server;
A display and alarm unit, for displaying the received location information and sending an alarm prompt to the administrator;
A blacklist/whitelist management unit, for adding, upon user confirmation, the hotspot/client in the blacklist to the whitelist.
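The four blacklist conditions of claims 3 and 8 can be exercised over already-parsed sensor records as follows. This is an added example, not code from the patent: the record layout, the threshold values, the sample MAC addresses and SSIDs, and the choice to blacklist the hotspot that receives the excess disconnection packets are all assumptions.

```python
from collections import defaultdict

# Constructed feature library: SSIDs and client MACs that belong to the enterprise.
ENTERPRISE_SSIDS = {"corp-wifi"}
ENTERPRISE_CLIENTS = {"aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"}
WINDOW, DISCONNECT_LIMIT, HOTSPOT_LIMIT = 60, 3, 2  # assumed window (s) and thresholds

def peak(events, window=WINDOW):
    """Most distinct values in any window-second span; events are (ts, value)."""
    return max(len({v for t, v in events if 0 <= t - t0 <= window}) for t0, _ in events)

def build_blacklist(connections, disconnects):
    """connections: (ts, client, bssid, ssid); disconnects: (ts, target_bssid, ssid)."""
    black = defaultdict(set)     # entity -> conditions that fired
    roamed = defaultdict(list)   # enterprise client -> [(ts, bssid)]
    twins = defaultdict(set)     # SSID -> hotspot MACs seen advertising it
    for ts, client, bssid, ssid in connections:
        hotspot_in, client_in = ssid in ENTERPRISE_SSIDS, client in ENTERPRISE_CLIENTS
        twins[ssid].add(bssid)
        if hotspot_in != client_in:  # exactly one side belongs to the enterprise
            black[client].add("external client on enterprise hotspot" if hotspot_in
                              else "enterprise client on external hotspot")
        if client_in:
            roamed[client].append((ts, bssid))
    hits = defaultdict(list)     # (ssid, bssid) -> [(ts, packet index)]
    for i, (ts, bssid, ssid) in enumerate(disconnects):
        hits[ssid, bssid].append((ts, i))  # index keeps every packet distinct
    for (ssid, bssid), frames in hits.items():
        shared = ssid in ENTERPRISE_SSIDS and len(twins[ssid]) > 1
        if shared and peak(frames) > DISCONNECT_LIMIT:
            black[bssid].add("duplicate SSID with disconnection flood")
    for client, seen in roamed.items():
        if peak(seen) > HOTSPOT_LIMIT:
            black[client].add("too many hotspots in window")
    return {entity: sorted(rules) for entity, rules in black.items()}

# Constructed observations, as the central control server might hold them after parsing.
CONNECTIONS = [
    (0, "aa:00:00:00:00:01", "02:00:00:00:00:10", "corp-wifi"),
    (5, "cc:00:00:00:00:09", "02:00:00:00:00:10", "corp-wifi"),
    (10, "aa:00:00:00:00:02", "02:00:00:00:00:99", "free-coffee"),
    (12, "aa:00:00:00:00:01", "02:00:00:00:00:11", "corp-wifi"),
    (20, "aa:00:00:00:00:01", "02:00:00:00:00:12", "corp-wifi"),
    (25, "aa:00:00:00:00:03", "02:00:00:00:00:10", "corp-wifi"),
]
DISCONNECTS = [(30 + i, "02:00:00:00:00:10", "corp-wifi") for i in range(4)]
DISCONNECTS.append((40, "02:00:00:00:00:11", "corp-wifi"))

if __name__ == "__main__":
    print(build_blacklist(CONNECTIONS, DISCONNECTS))
```

Entities absent from the returned mapping correspond to the whitelist side of the split; the thresholds would be tuned per site, since legitimate roaming between access points also raises the per-client hotspot count.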
CN201510959228.8A 2015-12-18 2015-12-18 Malice hot spot detecting method and system Pending CN106878241A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510959228.8A CN106878241A (en) 2015-12-18 2015-12-18 Malice hot spot detecting method and system


Publications (1)

Publication Number Publication Date
CN106878241A true CN106878241A (en) 2017-06-20

Family

ID=59238948

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510959228.8A Pending CN106878241A (en) 2015-12-18 2015-12-18 Malice hot spot detecting method and system

Country Status (1)

Country Link
CN (1) CN106878241A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170620
