CN106162688B - A pseudo base station positioning method and system - Google Patents

Abstract

The invention discloses a method for locating a pseudo-base station. The method includes: acquiring signaling data according to a specified time slice; performing distributed processing on the signaling data based on a rule model library; when the distributed processing results meet preset conditions , give an alarm, and enter the distributed processing results into the data analysis platform; the data analysis platform performs multi-dimensional data analysis based on the distributed processing results and in combination with signaling data to count the occurrence rules of pseudo base stations; according to the multi-dimensional data Analyzing the results, adjusting the parameters of the rule model library to reversely improve the rule model library. The invention also discloses a pseudo base station positioning system at the same time. By adopting the technical scheme of the invention, the related information of the false base station can be accurately and real-time alarmed.

Description

A pseudo base station positioning method and system

technical field

The present invention relates to the communication field, in particular to a pseudo base station positioning method and system.

Background technique

In recent years, incidents of false base stations have occurred frequently. Some criminals have used high-tech equipment (such as hosts and laptops) to build platforms such as SMS group senders and SMS senders to search for mobile phone card information within a certain radius around them. . By disguising as the operator's base station, fraudulently using other people's mobile phone numbers to forcibly send short messages such as fraud and advertising to the user's mobile phone. There are two main working principles of the pseudo base station:

1) The traditional pseudo-base station can only obtain the user's International Mobile Subscriber Identification Number (IMSI, International Mobile Subscriber Identification Number) functionally. The base station location update is rejected -> the mobile phone re-selects the live network cell -> the location update is successful again", this process takes at least 3 seconds.

2) A new type of pseudo base station, functionally allowing users to stay in a pseudo cell, send short messages, and control user access. The process is generally: "Pseudo base station cell reselection -> initiate location update to pseudo base station -> pseudo base station location update acceptance -> pseudo base station send SMS -> pseudo base station change Location Area Code (LAC, Location Area Code) -> pseudo base station Base station cell reselection -> initiate location update to fake base station -> fake base station location update rejection -> mobile phone re-select live network cell -> location update is successful again", this process takes at least 25 seconds.

Due to the fluidity and sporadic characteristics of pseudo base stations, and the huge amount of user data that the base stations simultaneously access to the network, traditional technical means cannot achieve real-time detection and disposal of pseudo base stations. The latest pseudo base station has the characteristics of low cost, powerful function, portability, and low energy consumption, which greatly enhances the mobility of the pseudo base station. Generally, the information about user complaints has just arrived, and the pseudo-base station has changed the location of the crime. The traditional means of analyzing and troubleshooting relying on customer complaint information, such as alarms and performance counters, are based on the perspective of network element equipment to reflect the network operating status, which cannot reflect the status of each network element. The specific details of a call or event cannot reflect the network situation based on user granularity, especially when troubleshooting fake base station events based on signaling content screening statistics, it will be helpless or the process is cumbersome. However, the existing analysis and investigation methods have been unable to provide effective and reliable fake base station information to the public security department in a timely and accurate manner, and the work of criminal investigation and arrest has become extremely difficult.

Therefore, how to accurately and real-time alert the related information of the pseudo base station becomes an urgent problem to be solved.

Contents of the invention

In view of this, the embodiments of the present invention expect to provide a method and system for locating a pseudo base station, which can accurately and real-time alert related information of the pseudo base station.

In order to achieve the above object, the technical solution of the embodiment of the present invention is achieved in this way:

An embodiment of the present invention provides a method for locating a pseudo base station, the method comprising:

Obtain signaling data according to the specified time slice;

performing distributed processing on the signaling data based on a rule model library;

When the distributed processing results meet the preset conditions, an alarm will be issued, and the distributed processing results will be entered into the data analysis platform.

Preferably, after the distributed processing results are entered into the data analysis platform, it also includes:

The data analysis platform performs multi-dimensional data analysis based on the distributed processing results and in combination with signaling data to count the occurrence rules of pseudo base stations;

According to the multi-dimensional data analysis result, the parameters of the rule model library are adjusted to reversely improve the rule model library.

Preferably, the rule-based model library performs distributed processing on the signaling data, including:

Convert the signaling data of each time slice into an elastic distributed dataset RDD;

Batch analysis of signaling data flow within a preset time based on the rule model library.

Preferably, the multidimensional data analysis includes at least:

Based on multi-dimensional analysis of users, events, time, and space, a pseudo-base station interference quasi-real-time heat map based on the entire network is generated;

The interference heat map of the pseudo-base station is played in time frames, and the next activity location of the pseudo-base station is predicted according to the suspicious area and trajectory of the pseudo-base station.

Preferably, before the acquisition of signaling data according to a specified time slice, the method further includes:

The distributed message queue platform receives signaling data in real time;

storing the signaling data in each node of the cluster in a custom manner;

Wherein, the manner of self-definition is: dividing the signaling data into N categories, where N is a positive integer.

Preferably, before the distributed message queue platform receives signaling data in real time, the method also includes:

Build Zookeeper on the cluster, so that the distributed message queue platform is based on Zookeeper to balance the load.

The embodiment of the present invention also provides a pseudo base station positioning system, the system includes a distributed message queue platform, a stream processing platform and a data analysis platform; wherein,

The distributed message queue platform is used to receive signaling data in real time; the signaling data is stored in each node of the cluster in a customized manner; wherein, the customized manner is: the signaling The data is divided into N categories, where N is a positive integer:

The stream processing platform is used to obtain signaling data according to a specified time slice; perform distributed processing on the signaling data based on a rule model library; when the distributed processing results meet preset conditions, an alarm is issued, and the distributed The processing results are entered into the data analysis platform;

The data analysis platform is used to perform multi-dimensional data analysis based on the distributed processing results and in combination with signaling data to count the occurrence rules of pseudo base stations; adjust the parameters of the rule model library according to the multi-dimensional data analysis results, To inversely perfect the rule model library.

Preferably, the stream processing platform is also used for:

Convert the signaling data of each time slice into RDD;

Batch analysis of signaling data flow within a preset time based on the rule model library.

Preferably, the data analysis platform is also used for:

Based on multi-dimensional analysis of users, events, time, and space, a pseudo-base station interference quasi-real-time heat map based on the entire network is generated;

The interference heat map of the pseudo-base station is played in time frames, and the next activity location of the pseudo-base station is predicted according to the suspicious area and trajectory of the pseudo-base station.

Preferably, the distributed message queue platform is also used for:

Build Zookeeper on the cluster, so that the distributed message queue platform is based on Zookeeper to balance the load.

The pseudo base station positioning method and system based on the Spark Streaming flow technology provided by the embodiment of the present invention obtains signaling data according to a specified time slice; performs distributed processing on the signaling data based on a rule model library; when the distributed processing results satisfy When pre-set conditions, an alarm is issued, and the distributed processing results are entered into the data analysis platform; the data analysis platform performs multi-dimensional data analysis based on the distributed processing results and in combination with signaling data to count the appearance of pseudo base stations; According to the multi-dimensional data analysis result, the parameters of the rule model library are adjusted to reversely improve the rule model library. In this way, the relevant information of the false base station can be alerted accurately and in real time, and the accuracy of detecting the false base station can be improved.

Description of drawings

FIG. 1 is a first implementation flowchart of a pseudo base station positioning method provided by an embodiment of the present invention;

Fig. 2 is the implementation flow chart 2 of the pseudo base station positioning method provided by the embodiment of the present invention;

FIG. 3 is a third implementation flowchart of the pseudo base station positioning method provided by the embodiment of the present invention;

FIG. 4 is a schematic diagram of the composition and structure of the pseudo base station positioning system provided by the embodiment of the present invention.

Detailed ways

The present invention proposes a pseudo-base station positioning method and system based on Spark Streaming technology. In order to better understand the present invention, first introduce the Spark Streaming flow technology.

Spark Streaming is a real-time computing framework based on Spark. The advantage of Spark Streaming is that it can run on 100+ nodes and achieve second-level delay.

The workflow of Spark streaming is as follows: After receiving real-time data, divide the data into batches, then send them to Spark Engine for processing, and finally generate the results of the batch.

The basic principle of Spark Streaming is to split the input data stream into time slices (second level), and then process each time slice data in a batch-like manner. Spark Streaming decomposes streaming computing into a series of short batch jobs. Spark Streaming divides the real-time input data stream into blocks in units of time slice Δt (such as 1 second); Spark Streaming regards each piece of data as a resilient distributed dataset (RDD, Resilient Distributed Datasets), and uses RDD operations to process each Small chunks of data; each chunk will generate a SparkJob for processing, and the final result will also return multiple chunks.

The technical solutions of the present invention will be further elaborated below in conjunction with the accompanying drawings and specific embodiments.

Fig. 1 is the implementation flow chart 1 of the pseudo base station positioning method provided by the embodiment of the present invention. As shown in Fig. 1, the method mainly includes the following steps:

Step 101: Obtain signaling data according to a specified time slice.

Here, the value of the length Δt of the time slice may be set according to actual conditions, for example, the value of Δt may be 500 milliseconds.

Preferably, before the acquisition of signaling data according to a specified time slice, the method further includes:

The distributed message queue platform receives signaling data in real time;

The signaling data is stored in each node of the cluster in a custom manner.

Wherein, the manner of self-definition is: dividing the signaling data into N categories, where N is a positive integer.

Specifically, the signaling data is classified into several topics, such as network access user information, network access base station source, network access user location, user event type (such as calling, emergency call, called, video calling, video called, sending text messages) , receiving SMS, switching in, switching out, intra-BSC switching, normal location update, periodic location update, IMSI attach, IMSI detach, paging, supplementary service, SMS status report, service reestablishment, mobile phone status report).

The above-mentioned BSC is the abbreviation of Base Station Controller, and its Chinese name is Base Station Controller.

Step 102: Perform distributed processing on the signaling data based on a rule model library.

Preferably, the distributed processing of the signaling data by the rule-based model library may include:

Convert the signaling data of each time slice into Resilient Distributed Datasets (RDD, Resilient Distributed Datasets);

Batch analysis of signaling data flow within a preset time based on the rule model library.

Here, the rule model library may include:

1) When being rejected by the pseudo base station location update (due to reasons 12 and 13), the mobile terminal will delete the location area identification code (LAI, Location Area Identity) and temporary identification code (TMSI, Temporary Mobile Subscriber Identity) of the pseudo base station, and then The network performs location update on the live network with the LAI and IMSI of 65534 or 0;

2) When the location update of the pseudo base station is rejected (because of reason 15), the mobile terminal will use the LAI and TMSI assigned by the pseudo base station to perform location update on the live network.

3) The signal of the pseudo base station of the mobile terminal becomes weak or disappears, and then the mobile terminal re-searches the frequency point to enter the live network, and carries a LAI and TMSI before the update (pseudo base station allocation) when the location is updated again.

The above-mentioned reasons 12, 13, and 15 are all reasons for rejecting location update of pseudo base stations in the communication system. Specifically, reason 12 refers to "Location Area not allowed", which means "location area not allowed" in Chinese; reason 13 is Refers to "Roaming not allowed in this location area", which means "roaming is not allowed in this area" in Chinese; reason 15 refers to "No Suitable Cells In Location Area" in Chinese, which means "there are no suitable cells in the location area".

Of course, there are many reasons for the location update rejection of the pseudo base station, which will not be repeated here.

Distributed processing of the signaling data based on a rule model library may specifically include:

Step 103: When the distributed processing result meets the preset condition, an alarm is issued, and the distributed processing result is entered into the data analysis platform.

Specifically, by setting a relevant alarm threshold value, when the distributed processing result meets the corresponding alarm threshold value, an alarm can be triggered.

The execution subject of the above-mentioned steps 101, 102, and 103 can be a stream processing platform.

Preferably, the stream processing platform is a processing platform based on Spark Streaming flow technology.

Preferably, before the distributed message queue platform receives signaling data in real time, the method may also include:

Build Zookeeper on the cluster, so that the distributed message queue platform is based on Zookeeper to balance the load.

Specifically, the distributed message queue platform balances the load between the base station and the stream processing platform based on Zoopkeeper.

The pseudo base station positioning method described in this embodiment combines the user location event data with the Spark Streaming flow processing technology, first screens the key information of the pseudo base station from the massive data, and then performs multi-dimensional analysis based on users, events, time, and space. Realize quasi-real-time display and alarm of pseudo-base station activity hotspots like weather cloud images. In this way, based on the rule model library, batch processing the internal data of the time window can realize low-latency alarms, thereby solving the problem that existing technical means cannot detect fake base stations in real time.

Fig. 2 is the implementation flowchart 2 of the positioning of the pseudo base station provided by the embodiment of the present invention. As shown in Fig. 2, the process mainly includes the following steps:

Step 201: The signaling data is stored in the distributed message queuing platform according to the specified queuing mode and topic.

Specifically, through step 201, the real-time online number of base stations can be counted through the topic data stored in the distributed message queue platform; then the MC port list table can be established, and all MC port data can be imported to the first stream processing platform.

Wherein, the MC port refers to an interface between a mobile switching center (MSC, Mobile Switching Center) and a media gateway (MGW, Media Gateway).

Specifically, the first processing platform refers to a stream processing platform based on Spark Streaming streaming technology.

Step 202: Obtain signaling data according to a specified time slice.

Specifically, the stream processing platform based on Spark Streaming stream technology divides the signaling data into blocks according to the time slice Δt, regards each block of data as an RDD, and uses RDD operations to process each small block of data; each small block will A Spark Job is generated for processing, and the final result also returns multiple blocks.

Specifically, for topic data (Topic_Data), the data of the current time slice (such as 500ms) is complete signaling data, including: network access number, start time, end time, protocol, event type, coding category, MSC signaling Point code, BSC signaling point code, current location area, current cell or service area code (SAC, Service Area Code), source location area, source cell, destination location area, destination cell, start location area, start cell, end location Area, end cell, destination radio network control area identification code (RNCID, Radio Network Controller Identity), calling number, called number, calling IMSI, called IMSI, calling IMEI, called IMEI, event result, cut out Request reason, switch-out start time, switch-out response time, switch-in start time, switch-in response time, switch-out status, switch-in status, location update status, switching flag, ringing time, answer time, call duration.

Specifically, step 202 can be used to obtain data such as the number of people on the network and the number of base stations on the network, and identify abnormal base stations through predetermined rules; a temporary table for normal location updates can also be established through step 202 to filter events for records of normal location updates.

Step 203: Convert the signaling data of each time slice into an RDD, and then perform batch analysis of the real-time stream on the data stream.

Specifically, the batch analysis may include:

According to the signaling data format and delimiter, various topic data are obtained by time slice.

The topic can be: calling, emergency calling, called, video calling, video calling, sending text messages, receiving text messages, switching in, switching out, switching within the BSC, normal location update, periodic location update, IMSI attachment, IMSI separation, paging, supplementary service, SMS status report, service reconstruction, mobile phone status report.

Specifically, the abnormal base station data obtained in step 203 can be used to obtain the signaling data of the user falling off the mobile base station and the signaling data of re-entry into the network, and the range of the pseudo base station can be obtained through the geographical location information of the base station in these signaling data; Step 203 establishes a normal location update temporary table, and filters events where the source LAC is not the planning LAC.

Step 204: When the distributed processing result satisfies the preset condition, output the result data and trigger an alarm.

The pseudo-base station location method described in this embodiment is to count the real-time online number of the base station through the topic data stored in the distributed message queue platform; According to the rules, abnormal base stations are identified; the signaling data of the mobile base station dropped by the user and the signaling data of re-entry to the network are obtained, and the geographical location information of the base station in these signaling data is used to obtain the range of the pseudo base station. In this way, false base stations can be detected in real time.

Fig. 3 is the implementation flow chart 3 of the pseudo base station positioning method provided by the embodiment of the present invention. As shown in Fig. 3, the method mainly includes the following steps:

Step 301: According to the distributed processing results and combined with the signaling data, multi-dimensional data analysis is performed to collect statistics on the appearance of pseudo base stations.

Here, the distributed processing result may be the distributed processing result of the stream processing platform in Embodiment 1, and the signaling data may be signaling data acquired by the distributed message queue platform.

Preferably, the multidimensional data analysis may at least include:

Based on multi-dimensional analysis of users, events, time, and space, a pseudo-base station interference quasi-real-time heat map based on the entire network is generated;

The interference heat map of the pseudo-base station is played in time frames, and the next activity location of the pseudo-base station is predicted according to the suspicious area and trajectory of the pseudo-base station.

Specifically, the multi-dimensional data analysis may include but not limited to the following:

1) Statistical summary based on time granularity of hours, days, and months, including reports such as victim user list, interfered cell list, pseudo base station LAC list, etc.;

2) Classification of public security pseudo base stations, stationary pseudo base stations, and mobile pseudo base station interference events;

3) Find out the specific event and location of the complaint event based on the user complaint information, and verify the authenticity and validity of the complaint event;

4) Calculate the trajectory of high-frequency victimized users, query the location movement trajectory of a single user or multiple users based on a certain period of time, and mark the event points of fake base stations in the trajectory to analyze and check whether it is a fake base station;

5) Analyze the hotspot area where the pseudo base station interference event is occurring, the newly added pseudo base station interference area, and the disappearing pseudo base station interference area, so as to give an alarm to the sudden group pseudo base station event.

Step 302: According to the multi-dimensional data analysis result, adjust the parameters of the rule model library to reversely improve the rule model library.

Preferably, the rule model library can be stored in a local storage of the stream processing platform, or in a cloud server.

The execution subject of the above step 301 and step 302 can be a data analysis platform.

The pseudo-base station positioning method described in this embodiment, the data analysis platform performs multi-dimensional analysis based on users, events, time, and space, and realizes quasi-real-time display and alarm of pseudo-base station activity hotspots and analysis of pseudo-base station activities like a weather cloud map. Trends to predict the next criminal activity area; and, according to the multi-dimensional data analysis results, adjust the parameters of the rule model library to reversely improve the rule model library and improve the accuracy of detection.

FIG. 4 is a schematic diagram of the composition and structure of the pseudo base station positioning system provided by the embodiment of the present invention. As shown in FIG. 4, the system includes a distributed message queue platform 41, a stream processing platform 42 and a data analysis platform 43; wherein,

The distributed message queue platform 41 is used for receiving signaling data in real time; storing the signaling data in each node of the cluster in a custom manner;

The stream processing platform 42 is used to obtain signaling data according to a specified time slice; perform distributed processing on the signaling data based on the rule model library; when the distributed processing results meet the preset conditions, an alarm is issued, and the distributed Input data analysis platform 43 of formula processing result;

The data analysis platform 43 is used to perform multi-dimensional data analysis based on the distributed processing results and in combination with signaling data to count the occurrence rules of pseudo base stations; adjust the parameters of the rule model library according to the multi-dimensional data analysis results , to reversely improve the rule model library.

Wherein, the self-defining method is: dividing the signaling data into N categories, where N is a positive integer:

Preferably, the stream processing platform 42 is also used for:

Convert the signaling data of each time slice into RDD;

Batch analysis of signaling data flow within a preset time based on the rule model library.

Preferably, the data analysis platform 43 is also used for:

Based on multi-dimensional analysis of users, events, time, and space, a pseudo-base station interference quasi-real-time heat map based on the entire network is generated;

The interference heat map of the pseudo-base station is played in time frames, and the next activity location of the pseudo-base station is predicted according to the suspicious area and trajectory of the pseudo-base station.

Preferably, the distributed message queue platform 41 is also used for:

Build Zookeeper on the cluster, so that the distributed message queue platform is based on Zookeeper to balance the load.

The embodiment of the present invention provides a pseudo-base station positioning system. The system stores the collected real-time data of each base station in a distributed message queue platform, and the stream processing platform acts as a message queue consumer, and consumes each topic data in the message queue in groups, that is, uses Spark batch processing technology, conducts ETL process on the historical full amount of user behavior information of the MC port, screens out the normal location update event information of the abnormal LAC in the original location area, performs summary statistics, correlates user data and base station geographic location information, and obtains multi-dimensional event statistics , so as to determine the main activity area of the pseudo base station and the victim user group. Using the Spark streaming stream processing technology to judge and screen the real-time information of the MC port, and then summarize it with minute or hour-level time particles, and use the Geographic Information System (GIS, Geographic Information System) system to analyze the hot spots, it can effectively obtain pseudo Base station interference area and trajectory, so as to predict the next activity location of the pseudo base station. By setting the relevant alarm threshold value through the system, the alarm function of the false base station can be realized by triggering the threshold after the real-time data is summarized and counted. At the same time, the data analysis platform can store stream processing historical data, complete offline multi-dimensional analysis and statistics, and optimize base station network security.

In the several embodiments provided by the present invention, it should be understood that the disclosed methods, devices and systems can be implemented in other ways. The device embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods, such as: multiple units or components can be combined, or May be integrated into another system, or some features may be ignored, or not implemented. In addition, the coupling, or direct coupling, or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be electrical, mechanical or other forms of.

The units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed to multiple network units; Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present invention can be integrated into one processing unit, or each unit can be used as a single unit, or two or more units can be integrated into one unit; the above-mentioned integration The unit can be realized in the form of hardware or in the form of hardware plus software functional unit.

Those of ordinary skill in the art can understand that all or part of the steps for realizing the above-mentioned method embodiments can be completed by hardware related to program instructions, and the aforementioned program can be stored in a computer-readable storage medium. When the program is executed, the It includes the steps of the above-mentioned method embodiments; and the aforementioned storage medium includes: a removable storage device, a read-only memory (ROM, Read-Only Memory), a magnetic disk or an optical disk, and other various media that can store program codes.

Alternatively, if the above-mentioned integrated units in the embodiments of the present invention are implemented in the form of software function modules and sold or used as independent products, they may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiment of the present invention is essentially or the part that contributes to the prior art can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for Make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the methods described in various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program codes such as removable storage devices, ROMs, magnetic disks or optical disks.

The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the protection scope of the present invention. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (9)

1. A pseudo-base station location method, characterized in that the method comprises: The stream processing platform obtains signaling data according to the specified time slice; The stream processing platform performs distributed processing on the signaling data based on the rule model library; When the distributed processing results meet the preset conditions, an alarm is issued, and the distributed processing results are entered into the data analysis platform; After the distributed processing results are entered into the data analysis platform, it also includes: The data analysis platform performs multi-dimensional data analysis based on the distributed processing results and in combination with signaling data to count the occurrence rules of pseudo base stations; According to the multi-dimensional data analysis result, the parameters of the rule model library are adjusted to reversely improve the rule model library. 2. The method according to claim 1, wherein the distributed processing of the signaling data by the rule-based model library comprises: Convert the signaling data of each time slice into an elastic distributed dataset RDD; Batch analysis of signaling data flow within a preset time based on the rule model library. 3. The method according to claim 1, wherein said performing multidimensional data analysis at least includes: Based on multi-dimensional analysis of users, events, time, and space, a pseudo-base station interference quasi-real-time heat map based on the entire network is generated; The interference heat map of the pseudo-base station is played in time frames, and the next activity location of the pseudo-base station is predicted according to the suspicious area and trajectory of the pseudo-base station. 4. The method according to claim 1, wherein before the acquisition of signaling data according to a specified time slice, the method further comprises: The distributed message queue platform receives signaling data in real time; storing the signaling data in each node of the cluster in a custom manner; Wherein, the manner of self-definition is: dividing the signaling data into N categories, where N is a positive integer. 5. method according to claim 4, is characterized in that, before described distributed message queue platform receives signaling data in real time, described method also comprises: Build Zookeeper on the cluster, so that the distributed message queue platform is based on Zookeeper to balance the load. 6. A pseudo base station positioning system, characterized in that the system includes a distributed message queue platform, a flow processing platform and a data analysis platform; wherein, The distributed message queue platform is used to receive signaling data in real time; the signaling data is stored in each node of the cluster in a customized manner; wherein, the customized manner is: the signaling The data is divided into N categories, where N is a positive integer; The stream processing platform is used to obtain signaling data according to a specified time slice; perform distributed processing on the signaling data based on a rule model library; when the distributed processing results meet preset conditions, an alarm is issued, and the distributed The processing results are entered into the data analysis platform; The data analysis platform is used to perform multi-dimensional data analysis based on the distributed processing results and in combination with signaling data to count the occurrence rules of pseudo base stations; adjust the parameters of the rule model library according to the multi-dimensional data analysis results, To inversely perfect the rule model library. 7. The system according to claim 6, wherein the stream processing platform is further used for: Convert the signaling data of each time slice into RDD; Batch analysis of signaling data flow within a preset time based on the rule model library. 8. The system according to claim 6, wherein the data analysis platform is also used for: Based on multi-dimensional analysis of users, events, time, and space, a pseudo-base station interference quasi-real-time heat map based on the entire network is generated; The interference heat map of the pseudo-base station is played in time frames, and the next activity location of the pseudo-base station is predicted according to the suspicious area and trajectory of the pseudo-base station. 9. The system according to claim 6, wherein the distributed message queuing platform is also used for: Build Zookeeper on the cluster, so that the distributed message queue platform is based on Zookeeper to balance the load.