CN104426885B - Abnormal account providing method and device - Google Patents

Publication number
CN104426885B
Authority
CN
China
Prior art keywords
account
login
common
address
abnormal
Prior art date
Legal status
Active
Application number
CN201310396307.3A
Other languages
Chinese (zh)
Other versions
CN104426885A (en)
Inventor
刘杰
陆莉
陈秋滢
陈旺林
Current Assignee
Shenzhen Tencent Computer Systems Co Ltd
Original Assignee
Shenzhen Tencent Computer Systems Co Ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Tencent Computer Systems Co Ltd filed Critical Shenzhen Tencent Computer Systems Co Ltd
Priority to CN201310396307.3A priority Critical patent/CN104426885B/en
Priority to PCT/CN2014/085815 priority patent/WO2015032318A1/en
Publication of CN104426885A publication Critical patent/CN104426885A/en
Application granted granted Critical
Publication of CN104426885B publication Critical patent/CN104426885B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Power Engineering (AREA)

Abstract

The present invention provides an abnormal account providing method and device. The abnormal account providing method comprises the steps of: detecting the IP addresses of login accounts and counting the number of login accounts for each IP address; determining whether the number of login accounts for each IP address exceeds a threshold; and, if the number of login accounts for an IP address exceeds the threshold, determining whether a login account is an abnormal account according to the common login location, common login time and common service of the login accounts of that IP address. The present invention also provides an abnormal account providing device. The abnormal account providing method and device of the invention detect whether a login account has been stolen by means of the number of login accounts on the same IP address together with the abnormal operations of the corresponding login accounts.

Description

Abnormal account providing method and device
Technical field
The present invention relates to the Internet field, and in particular to an abnormal account providing method and device.
Background art
In Internet services, most services require the user to provide a service password before the user can enter his or her own application. At the same time, various account-theft groups have emerged, which steal users' service passwords by various means in order to enter the users' applications and profit illegally.
At present, account theft is usually handled as follows: the operator receives a complaint from the user whose service password was stolen, then, according to the complaint, suspends that user's account for a period of time (to guard against malicious complaints), and, once the complaint is confirmed to be correct, restores the account or provides the application service again. However, this handling depends entirely on the user filing a complaint about the account, so it involves a considerable delay, and the user may already have suffered large, irrecoverable losses by the time the complaint is made.
Summary of the invention
An object of the embodiments of the present invention is to provide an abnormal account providing method, so as to solve the technical problem that existing abnormal accounts are reported by the users themselves, which involves a considerable delay and may cause large, irrecoverable losses to the user.
A further object of the embodiments of the present invention is to provide an abnormal account providing device, so as to solve the same technical problem that existing abnormal accounts are reported by the users themselves, which involves a considerable delay and may cause large, irrecoverable losses to the user.
To solve the above problems, the technical solution provided by the invention is as follows:
An abnormal account providing method is provided, comprising the steps of:
detecting the IP (Internet Protocol) addresses of login accounts, and counting the number of login accounts for each IP address;
determining whether the number of login accounts for each IP address exceeds a threshold; and
if the number of login accounts of the IP address exceeds the threshold, determining whether the login account is an abnormal account according to the common login location, common login time and common service of the login accounts of the IP address.
An abnormal account providing device is also provided, comprising:
a statistics module, for detecting the IP addresses of login accounts and counting the number of login accounts for each IP address;
an abnormality detection module, for determining whether the number of login accounts for each IP address exceeds a threshold; and
an abnormality determining module, for determining, if the abnormality detection module determines that the number of login accounts of the IP address exceeds the threshold, whether the login account is an abnormal account according to the common login location, common login time and common service of the login accounts of the IP address.
Compared with the prior art, the abnormal account providing method and device of the invention detect whether a login account has been stolen by means of the number of login accounts on the same IP address together with the abnormal operations of the corresponding login accounts. This solves the technical problem that existing abnormal accounts are reported by the users themselves, which involves a considerable delay and may cause large, irrecoverable losses to the user.
Brief description of the drawings
Fig. 1 is a schematic diagram of the working environment of the electronic device in which the abnormal account providing method and device of the invention are implemented;
Fig. 2 is a schematic structural diagram of the first preferred embodiment of the abnormal account providing device of the invention;
Fig. 3 is a flow chart of the first preferred embodiment of the abnormal account providing method of the invention;
Fig. 4 is a schematic structural diagram of the second preferred embodiment of the abnormal account providing device of the invention;
Fig. 5 is a flow chart of the second preferred embodiment of the abnormal account providing method of the invention;
Fig. 6 is a schematic flow diagram of a specific embodiment of the abnormal account providing method and device of the invention.
Detailed description of the embodiments
The following description of the embodiments refers to the accompanying drawings to illustrate particular embodiments in which the invention may be practised.
The terms "component", "module", "system", "interface" and the like, as used herein, are generally intended to refer to a computer-related entity: hardware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable application, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a controller and the controller itself can be components. One or more components may reside within a process and/or thread of execution, and a component may be located on one computer and/or distributed between two or more computers.
Moreover, the claimed subject matter may be implemented as a method, apparatus or article of manufacture that uses standard programming and/or engineering techniques to produce software, firmware, hardware or any combination thereof to control a computer to implement the disclosed subject matter. The term "article of manufacture" as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier or medium. Of course, those skilled in the art will recognize that many modifications can be made to this configuration without departing from the scope or spirit of the claimed subject matter.
Fig. 1 and the following discussion provide a brief, general description of the working environment of the electronic device in which the abnormal account providing device of the invention is implemented. The working environment of Fig. 1 is only one example of a suitable working environment and is not intended to suggest any limitation as to the scope of use or functionality of the working environment. Example electronic devices 112 include, but are not limited to, personal computers, server computers, handheld or laptop devices, mobile devices (such as mobile phones, personal digital assistants (PDAs), media players, etc.), multicomputer systems, consumer electronic devices, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and so on.
Although not required, the embodiments are described in the general context of "computer-readable instructions" being executed by one or more electronic devices. Computer-readable instructions may be distributed via computer-readable media (discussed below). Computer-readable instructions may be implemented as program modules, such as functions, objects, application programming interfaces (APIs), data structures and the like, that perform particular tasks or implement particular abstract data types. Typically, the functionality of the computer-readable instructions may be combined or distributed as desired in various environments.
Fig. 1 illustrates an example of an electronic device 112 that includes one or more embodiments of the abnormal account providing method and device of the invention. In one configuration, the electronic device 112 includes at least one processing unit 116 and a memory 118. Depending on the exact configuration and type of electronic device, the memory 118 may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.) or some combination of the two. This configuration is illustrated in Fig. 1 by dotted line 114.
In other embodiments, the electronic device 112 may include additional features and/or functionality. For example, the device 112 may also include additional storage (for example, removable and/or non-removable), including but not limited to magnetic storage, optical storage and the like. Such additional storage is illustrated in Fig. 1 by storage device 120. In one embodiment, computer-readable instructions for implementing one or more embodiments provided herein may be located in the storage device 120. The storage device 120 may also store other computer-readable instructions for implementing an operating system, application programs and the like. Computer-readable instructions may be loaded into the memory 118 for execution by, for example, the processing unit 116.
The term "computer-readable media" as used herein includes computer storage media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions or other data. The memory 118 and the storage device 120 are examples of computer storage media. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVDs) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by the electronic device 112. Any such computer storage medium may be part of the electronic device 112.
The electronic device 112 may also include a communication connection 126 that allows the electronic device 112 to communicate with other devices. The communication connection 126 may include, but is not limited to, a modem, a network interface card (NIC), an integrated network interface, a radio-frequency transmitter/receiver, an infrared port, a USB connection or other interfaces for connecting the electronic device 112 to other electronic devices. The communication connection 126 may include a wired connection or a wireless connection. The communication connection 126 may transmit and/or receive communication media.
The term "computer-readable media" may include communication media. Communication media typically embody computer-readable instructions or other data in a "modulated data signal" such as a carrier wave or other transport mechanism, and include any information delivery media. The term "modulated data signal" may include a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
The electronic device 112 may include an input device 124, such as a keyboard, mouse, pen, voice input device, touch input device, infrared camera, video input device and/or any other input device. The device 112 may also include an output device 122, such as one or more displays, loudspeakers, printers and/or any other output device. The input device 124 and the output device 122 may be connected to the electronic device 112 via a wired connection, a wireless connection or any combination thereof. In one embodiment, an input device or an output device from another electronic device may be used as the input device 124 or the output device 122 of the electronic device 112.
The components of the electronic device 112 may be connected by various interconnects (such as a bus). Such interconnects may include Peripheral Component Interconnect (PCI) (such as PCI Express), Universal Serial Bus (USB), FireWire (IEEE 1394), optical bus structures and so on. In another embodiment, the components of the electronic device 112 may be interconnected by a network. For example, the memory 118 may be composed of multiple physical memory units located in different physical locations and interconnected by a network.
Those skilled in the art will recognize that storage devices used to store computer-readable instructions may be distributed across a network. For example, an electronic device 130 accessible via a network 128 may store computer-readable instructions for implementing one or more embodiments provided by the present invention. The electronic device 112 may access the electronic device 130 and download part or all of the computer-readable instructions for execution. Alternatively, the electronic device 112 may download pieces of the computer-readable instructions as needed, or some instructions may be executed at the electronic device 112 and some at the electronic device 130.
After stealing user passwords, an account thief will attempt to log in to the users' accounts, view the users' private data and use the accounts to consume services, and is very likely to carry out these operations on multiple stolen accounts at the same time. Since user behavior follows certain fixed patterns, the way users' login accounts cluster on IP addresses can be used to judge which users' accounts have been stolen. If the number of login accounts of an IP address exceeds a threshold (that is, the number of login accounts of the IP address is abnormal), it can be judged that a large number of abnormal account operations are taking place on that IP address, and these abnormal account operations may be caused by an account thief using account-theft software to operate stolen accounts frequently. The abnormal account providing method and device of the invention are based on this principle, and can effectively provide abnormal accounts to the operator and alert users to abnormal operations on their accounts.
Referring to Fig. 2, Fig. 2 is a schematic structural diagram of the first preferred embodiment of the abnormal account providing device of the invention. The abnormal account providing device 20 of this preferred embodiment may be arranged in the electronic device 112 described above. The abnormal account providing device 20 of this preferred embodiment includes a statistics module 21, an abnormality detection module 22 and an abnormality determining module 23. The statistics module 21 is used to detect the IP addresses of login accounts and count the number of login accounts for each IP address; the abnormality detection module 22 is used to determine whether the number of login accounts for each IP address exceeds a threshold 24; the abnormality determining module 23 is used to determine, if the abnormality detection module 22 determines that the number of login accounts of an IP address exceeds the threshold 24, whether a login account is an abnormal account according to the common login location, common login time and common service of the login accounts of that IP address.
When the abnormal account providing device 20 of this preferred embodiment is in use, the statistics module 21 first detects the IP addresses of all login accounts, so that the number of login accounts for each IP address can be counted. The abnormality detection module 22 then detects whether the number of login accounts of each IP address exceeds the threshold 24. The threshold 24 can be set manually, and may be a multiple of the maximum number of login accounts of the IP address or a multiple of the average number of login accounts of the IP address (for example, if the number of login accounts of an IP address suddenly rises to ten times its normal level, the abnormality detection module 22 will generally consider that the number of login accounts of that IP address has exceeded the threshold 24). If the number of login accounts of an IP address does not exceed the threshold 24, the statistics module 21 continues to count the login accounts of each IP in real time.
If the abnormality detection module 22 determines that the number of login accounts of an IP address exceeds the threshold 24, it is judged that abnormal account operations may be taking place on that IP address. The abnormality determining module 23 retrieves all login accounts logged in on that IP address, together with the common login location, common login time and common service of each of those login accounts, and compares the common login location, common login time and common service of each login account with the current login location, current login time and currently used service of that login account, in order to determine whether the login account is an abnormal account. Specifically:
Suppose the total number of login accounts logged in on the IP address is A, of which X login accounts have a common login location that differs from the current login location, Y login accounts have a common login time that differs from the current login time, and Z login accounts have a common service that differs from the currently used service. If X/A is greater than a first set value, Y/A is greater than a second set value and Z/A is greater than a third set value, then the accounts logged in on that IP address that simultaneously satisfy all three conditions (not logged in from a common login location, not logged in at a common login time, and not using a common service) are determined to be abnormal accounts. The first, second and third set values can be set manually, so that abnormal operations caused by the user's own circumstances or by the operator can be excluded. Alternatively, one or more of the first, second and third set values may be left unset, and the login accounts that are not logged in from a common login location, not logged in at a common login time and not using a common service are directly determined to be abnormal accounts.
This completes the process by which the abnormal account providing device 20 of this preferred embodiment determines abnormal accounts.
The abnormal account providing device of this preferred embodiment detects whether login accounts have been stolen by means of the number of login accounts on the same IP address together with the abnormal operations of the corresponding login accounts, and can provide the corresponding abnormal accounts to the user and the operator in time, which shortens the time needed to confirm an abnormal account and reduces the losses caused to normal users.
Referring to Fig. 2 and Fig. 3, Fig. 3 is a flow chart of the first preferred embodiment of the abnormal account providing method of the invention. The abnormal account providing method of this preferred embodiment can be implemented using the abnormal account providing device of the first preferred embodiment above, and comprises:
Step S301: detecting the IP addresses of login accounts, and counting the number of login accounts for each IP address;
Step S302: determining whether the number of login accounts for each IP address exceeds a threshold;
Step S303: determining whether a login account is an abnormal account according to the common login location, common login time and common service of the login accounts of the IP address.
The abnormal account providing method of this preferred embodiment ends at step S303.
The detailed process of each step of the abnormal account providing method of this preferred embodiment is described below.
In step S301, the statistics module 21 detects the IP addresses of all login accounts, so that the number of login accounts for each IP address can be counted; the method then proceeds to step S302.
In step S302, the abnormality detection module 22 detects whether the number of login accounts of each IP address exceeds the threshold 24. The threshold 24 can be set manually, and may be a multiple of the maximum number of login accounts of the IP address or a multiple of the average number of login accounts of the IP address. If the number of login accounts of an IP address does not exceed the threshold 24, the method returns to step S301 and the statistics module 21 continues to count the login accounts of each IP in real time. The method then proceeds to step S303.
In step S303, if the abnormality detection module 22 determines that the number of login accounts of an IP address exceeds the threshold 24, it is judged that abnormal account operations may be taking place on that IP address. The abnormality determining module 23 retrieves all login accounts logged in on that IP address, together with the common login location, common login time and common service of each of those login accounts, and compares the common login location, common login time and common service of each login account with the current login location, current login time and currently used service of that login account, in order to determine whether the login account is an abnormal account. Specifically:
Suppose the total number of login accounts logged in on the IP address is A, of which X login accounts have a common login location that differs from the current login location, Y login accounts have a common login time that differs from the current login time, and Z login accounts have a common service that differs from the currently used service. If X/A is greater than a first set value, Y/A is greater than a second set value and Z/A is greater than a third set value, then the accounts logged in on that IP address that simultaneously satisfy all three conditions (not logged in from a common login location, not logged in at a common login time, and not using a common service) are determined to be abnormal accounts. The first, second and third set values can be set manually, so that abnormal operations caused by the user's own circumstances or by the operator can be excluded. Alternatively, one or more of the first, second and third set values may be left unset, and the login accounts that are not logged in from a common login location, not logged in at a common login time and not using a common service are directly determined to be abnormal accounts.
This completes the process by which the abnormal account providing method of this preferred embodiment determines abnormal accounts.
The abnormal account providing method of this preferred embodiment detects whether login accounts have been stolen by means of the number of login accounts on the same IP address together with the abnormal operations of the corresponding login accounts, and can provide the corresponding abnormal accounts to the user and the operator in time, which shortens the time needed to confirm an abnormal account and reduces the losses caused to normal users.
Referring to Fig. 4, Fig. 4 is a schematic structural diagram of the second preferred embodiment of the abnormal account providing device of the invention. The abnormal account providing device 40 of this preferred embodiment may also be arranged in the electronic device 112 described above. On the basis of the first preferred embodiment, the abnormal account providing device 40 of this preferred embodiment further includes a common login location determining module 45, a common login time determining module 46, a common service determining module 47 and an abnormal account providing module 48. The common login location determining module 45 is used to take the L most frequent login locations among all login locations of a login account as the common login locations of the login account, L being a positive integer greater than 1; the common login time determining module 46 is used to take the M most frequent login time periods among the login time periods of the login account as the common login times of the login account, M being a positive integer greater than 1; the common service determining module 47 is used to take the N most frequently used services among the services of the login account as the common services of the login account, N being a positive integer greater than 1; the abnormal account providing module 48 is used to perform abnormal behavior detection on the login accounts determined to be abnormal accounts and to provide the abnormal accounts according to the detection result.
When the abnormal account providing device 40 of this preferred embodiment is in use, the statistics module 21 first detects the IP addresses of all login accounts, so that the number of login accounts for each IP address can be counted. The abnormality detection module 22 then detects whether the number of login accounts of each IP address exceeds the threshold 24; if the number of login accounts of an IP address does not exceed the threshold 24, the statistics module 21 continues to count the login accounts of each IP in real time.
If the abnormality detection module 22 determines that the number of login accounts of an IP address exceeds the threshold 24, the abnormality determining module 23 retrieves all login accounts logged in on that IP address, together with the common login location, common login time and common service of each of those login accounts, and compares the common login location, common login time and common service of each login account with the current login location, current login time and currently used service of that login account, in order to determine whether the login account is an abnormal account. The specific determination process is the same as described in the first preferred embodiment of the abnormal account providing device above.
In this preferred embodiment, the common login location determining module 45 takes the L (for example, 5) most frequent login locations among all login locations of a login account as the common login locations of the login account, L being a positive integer greater than 1; the common login time determining module 46 takes the M most frequent login time periods among the login time periods of the login account (for example, 18:00 to 19:00 and 23:00 to 24:00) as the common login times of the login account, M being a positive integer greater than 1; the common service determining module 47 takes the N most frequently used services among the services of the login account (for example, Internet telephony) as the common services of the login account, N being a positive integer greater than 1. Of course, the common login location, common login time and common service may also be set using other statistical methods; the specific method of setting them does not limit the protection scope of the abnormal account providing device of the invention.
After the abnormality determining module 23 determines the abnormal accounts, the abnormal account providing module 48 may perform abnormal behavior detection on the login accounts determined to be abnormal accounts and provide the abnormal accounts according to the detection result. The abnormal behavior detection here includes at least one of: detecting whether the login account has been reported, detecting whether the login account has sent spam messages, and detecting whether the login account's password has been changed. Spam messages here include advertising messages, pornographic messages and the like. If the abnormal account providing module detects any of the above abnormal behaviors, the abnormal account can be provided at once to the corresponding operator for handling (account suspension, etc.), so as to reduce the losses the abnormal account causes to the user and the operator.
On the basis of the first preferred embodiment, the abnormal account providing device of this preferred embodiment determines the common login location, common login time and common service through the common login location determining module, the common login time determining module and the common service determining module, so that abnormal accounts are detected faster. At the same time, the abnormal behavior detection performed by the abnormal account providing module further optimizes the providing of abnormal accounts.
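The detection flow of the two device embodiments above (per-IP account counting, the threshold check, the X/A, Y/A and Z/A ratio test, and baselines built from the L, M and N most frequent values), as an added Python example that is not part of the patent. The record layout, function names, default ratios, the hour-of-day time slot and the fallback threshold are assumptions of this example, and all sample logins are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Login:
    account: str
    ip: str
    location: str
    hour: int      # login time slot, here the hour of day (assumption)
    service: str


def build_profile(history, L=2, M=2, N=2):
    """Baseline of one account: its L most frequent login locations, M most
    frequent login time slots and N most frequently used services."""
    def top(values, k):
        return {v for v, _ in Counter(values).most_common(k)}
    return {
        "locations": top((e.location for e in history), L),
        "hours": top((e.hour for e in history), M),
        "services": top((e.service for e in history), N),
    }


def ip_threshold(past_counts, multiple=10, default=50):
    """Threshold as a multiple of the IP's average past account count.
    The default for an IP without history is an assumption of this example."""
    return multiple * mean(past_counts) if past_counts else default


def find_abnormal_accounts(logins, profiles, past_counts_by_ip,
                           r1=0.5, r2=0.5, r3=0.5, multiple=10):
    """Return {ip: [abnormal accounts]} for IPs that pass both gates."""
    # Count distinct login accounts per IP, keeping each account's latest login.
    by_ip = defaultdict(dict)
    for e in logins:
        by_ip[e.ip][e.account] = e

    flagged = {}
    for ip, current in by_ip.items():
        A = len(current)
        # Gate 1: only IPs whose account count exceeds the threshold go on.
        if A <= ip_threshold(past_counts_by_ip.get(ip, []), multiple):
            continue
        off_loc, off_time, off_svc = set(), set(), set()
        for account, e in current.items():
            profile = profiles.get(account)
            if profile is None:
                continue  # assumption: no baseline, counted in A but not judged
            if e.location not in profile["locations"]:
                off_loc.add(account)
            if e.hour not in profile["hours"]:
                off_time.add(account)
            if e.service not in profile["services"]:
                off_svc.add(account)
        # Gate 2: all three deviation ratios must exceed their set values.
        X, Y, Z = len(off_loc), len(off_time), len(off_svc)
        if X / A > r1 and Y / A > r2 and Z / A > r3:
            # Abnormal accounts are those that deviate on all three at once.
            flagged[ip] = sorted(off_loc & off_time & off_svc)
    return flagged


def sample_data():
    """Constructed sample: eight accounts with identical habits, five of which
    then log in from one address with an unusual place, hour and service."""
    profiles = {}
    for i in range(1, 9):
        acct = f"user{i}"
        history = ([Login(acct, "192.0.2.10", "Shenzhen", 18, "chat")] * 3
                   + [Login(acct, "192.0.2.10", "Shenzhen", 23, "mail")] * 2)
        profiles[acct] = build_profile(history)
    logins = [Login(f"user{i}", "203.0.113.7", "Elsewhere", 4, "payments")
              for i in range(1, 6)]
    # A legitimate user who happens to share the crowded address.
    logins.append(Login("user6", "203.0.113.7", "Shenzhen", 18, "chat"))
    logins += [Login("user7", "198.51.100.20", "Shenzhen", 18, "chat"),
               Login("user8", "198.51.100.20", "Shenzhen", 23, "mail")]
    past_counts = {"203.0.113.7": [1, 0, 1, 0], "198.51.100.20": [2, 2, 2]}
    return logins, profiles, past_counts


if __name__ == "__main__":
    print(find_abnormal_accounts(*sample_data()))
```

The ratio gate is what keeps a busy shared address (a NAT gateway or campus proxy, for instance) from flagging its one traveling user: the address must both exceed its count threshold and show a majority of accounts off-baseline on all three dimensions.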
Referring to Fig. 4 and Fig. 5, Fig. 5 is a flowchart of the second preferred embodiment of the abnormal account providing method of the present invention. The abnormal account providing method of this preferred embodiment can be implemented using the abnormal account providing device of the second preferred embodiment described above, and comprises:
Step S501: detect the IP addresses of login accounts, and count the number of login accounts of each IP address;
Step S502: determine whether the number of login accounts of each IP address exceeds a threshold;
Step S503: determine whether a login account is an abnormal account according to the common login places, common login times and common businesses of the login accounts of the IP address;
Step S504: perform abnormal behavior detection on the login account confirmed as an abnormal account, and provide the abnormal account according to the detection result.
The abnormal account providing method of this preferred embodiment ends at step S504.
The specific flow of each step of the abnormal account providing method of this preferred embodiment is described in detail below.
In step S501, the statistical module 21 detects the IP addresses of all login accounts so as to count the number of login accounts of each IP address. The method then proceeds to step S502.
In step S502, the abnormality detection module 22 checks whether the number of login accounts of each IP address exceeds threshold 24. Threshold 24 can be set manually, and can be a multiple of the maximum number of login accounts of the IP address or a multiple of the average number of login accounts of the IP address. If the number of login accounts of an IP address does not exceed threshold 24, the method returns to step S501 and the statistical module continues to count the login accounts of each IP address in real time. The method then proceeds to step S503.
In step S503, if the abnormality detection module 22 determines that the number of login accounts of an IP address exceeds threshold 24, it is judged that abnormal account operations may exist at that IP address. The abnormal determining module 23 retrieves all login accounts logged in at the IP address together with the common login places, common login times and common businesses of all those login accounts, and compares each login account's common login places, common login times and common businesses with that account's current login place, current login time and currently used business, so as to determine whether the login account is an abnormal account.
Here, the common login place determining module 45 takes the L (for example, 5) most frequent login places among all login places of a login account as the common login places of that account, where L is a positive integer greater than 1; the common login time determining module 46 takes the M most frequent login time segments of the login account (for example, 18:00 to 19:00 and 23:00 to 24:00) as the common login times of the account, where M is a positive integer greater than 1; and the common business determining module 47 takes the N most frequently used businesses of the login account (for example, Internet telephony) as the common businesses of the account, where N is a positive integer greater than 1. The common login places, common login times and common businesses can of course also be set using other statistical methods; the specific way in which they are set does not limit the protection scope of the abnormal account providing device of the present invention. The method then proceeds to step S504.
In step S504, after the abnormal determining module 23 determines an abnormal account, the abnormal account providing module 48 can perform abnormal behavior detection on the login account confirmed as an abnormal account and provide the abnormal account according to the detection result. The abnormal behavior detection here includes at least one of: detecting whether the login account has been reported, detecting whether the login account has sent spam messages, and detecting whether the login account has modified its password. Spam messages here include advertising messages, pornographic messages and the like. If the abnormal account providing module detects any of the above abnormal behaviors, the abnormal account can be provided to the corresponding operator for immediate handling (such as banning the account), so as to reduce the loss that the abnormal account causes to users and the operator.
On the basis of the first preferred embodiment, the abnormal account providing method of this preferred embodiment uses the common login place module, the common login time module and the common business module to confirm the common login places, common login times and common businesses of the abnormal account, so that abnormal accounts are detected faster. At the same time, the abnormal behavior detection of the abnormal account providing module further optimizes the providing of abnormal accounts.
The specific working principle of the abnormal account providing method and device of the present invention is described in detail below with reference to Fig. 6. Fig. 6 is a flow diagram of a specific embodiment of the abnormal account providing method and device of the present invention.
After a user performs an abnormal operation (such as modifying a password or trading), the user's operation behavior can be recorded in real time (61); the user's operation behavior is analyzed (62) and the operation time is analyzed (63), the user's common businesses are stored in the common business determining module 64, and the user's common login time segments are stored in the common login time determining module 65.
When a user performs a login operation, the login operation can likewise be recorded in real time (66); by analyzing the user's login operation, real-time statistics are kept on the user's login IP address (67) and on the user's login place (68), and the user's login places are stored in the common login place determining module 69.
When the statistical module finds that the number of login users at some IP address exceeds the threshold, the abnormal determining module 70 can call the data of the common login time determining module 65, the common business determining module 64 and the common login place determining module 69, together with a corresponding mathematical model, to determine the abnormal accounts, and provide the determined abnormal accounts to the corresponding operator or user.
This completes the abnormal account providing process of the abnormal account providing method and device of the present invention.
The abnormal account providing method and device of the present invention detect whether a login account has been stolen by means of the number of login accounts at the same IP address and the abnormal operations of the corresponding login accounts. This solves the technical problem that existing abnormal accounts are provided by the users themselves, which involves a large delay and may cause large, irrecoverable losses to users.
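The following Python example is added here and is not code from the patent: it implements steps S501 to S504 with the top-L/M/N common profiles and the X/A, Y/A, Z/A ratio test stated in claim 1. The record layout, function names, threshold, ratio settings, the handling of accounts without history and all sample logins are assumptions constructed for illustration (L = M = N = 2 is used to suit the small sample).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    account: str
    ip: str
    place: str
    hour: int      # login time bucketed into one-hour segments (0-23)
    service: str   # the "business" used in this session


def top_k(values, k):
    """The k most frequent values: the 'common' set for one dimension."""
    return {v for v, _ in Counter(values).most_common(k)}


def build_profiles(history, L=2, M=2, N=2):
    """Common login places, time segments and services per account."""
    per_account = defaultdict(list)
    for ev in history:
        per_account[ev.account].append(ev)
    return {acct: (top_k((e.place for e in evs), L),
                   top_k((e.hour for e in evs), M),
                   top_k((e.service for e in evs), N))
            for acct, evs in per_account.items()}


def detect(current, profiles, threshold, r1=0.5, r2=0.5, r3=0.5):
    """Steps S501-S503; returns {ip: [abnormal accounts]}."""
    per_ip = defaultdict(dict)
    for ev in current:                  # S501: distinct accounts per IP
        per_ip[ev.ip][ev.account] = ev  # latest login per account wins
    result = {}
    for ip, logins in per_ip.items():
        A = len(logins)
        if A <= threshold:              # S502: skip IPs at or below threshold
            continue
        flags = {}
        for acct, ev in logins.items():
            # Assumption: no history means empty common sets, so the
            # account counts as deviating on all three dimensions.
            places, hours, services = profiles.get(acct, (set(),) * 3)
            flags[acct] = (ev.place not in places, ev.hour not in hours,
                           ev.service not in services)
        X, Y, Z = (sum(f[i] for f in flags.values()) for i in range(3))
        # Claim 1: all three ratios must exceed their set values.
        if X / A > r1 and Y / A > r2 and Z / A > r3:
            result[ip] = sorted(a for a, f in flags.items() if all(f))
    return result


def provide(abnormal, behaviours):
    """Step S504: abnormal accounts with at least one watched behaviour."""
    watched = {"reported", "spam", "password_changed"}
    return sorted(a for accts in abnormal.values() for a in accts
                  if behaviours.get(a, set()) & watched)


# Constructed sample data: documentation IP ranges, made-up accounts.
HISTORY = [Login(f"user{i}", "192.0.2.10", place, hour, svc)
           for i in range(1, 10)
           for place, hour, svc in [("Shenzhen", 19, "chat")] * 3
                                   + [("Guangzhou", 23, "voip")]]
CURRENT = (
    [Login(f"user{i}", "203.0.113.7", "Harbin", 4, "trade") for i in range(1, 5)]
    + [Login("user5", "203.0.113.7", "Shenzhen", 19, "chat")]
    + [Login(f"user{i}", "192.0.2.10", "Shenzhen", 19, "chat") for i in range(6, 9)]
    + [Login("user9", "192.0.2.10", "Harbin", 4, "trade")]
    + [Login(a, "198.51.100.2", "Harbin", 4, "trade") for a in ("new1", "new2")]
)
BEHAVIOURS = {"user2": {"password_changed"}, "user4": {"spam"},
              "user5": {"reported"}}

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    abnormal = detect(CURRENT, profiles, threshold=3)
    print(abnormal, provide(abnormal, BEHAVIOURS))
```

In the sample, 192.0.2.10 exceeds the account threshold but only one of its four accounts deviates, so the ratio test keeps a busy shared address from being flagged; 198.51.100.2 deviates fully but stays below the threshold and is never evaluated.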
Various operations of embodiments are provided herein. In one embodiment, one or more of the operations described may constitute computer-readable instructions stored on one or more computer-readable media which, when executed by an electronic device, cause the computing device to perform the operations. The order in which some or all of the operations are described should not be construed as implying that these operations are necessarily order-dependent. Those skilled in the art will appreciate alternative orderings having the benefit of this specification. Furthermore, it should be understood that not all operations are necessarily present in each embodiment provided herein.
Moreover, the word "preferred" as used herein means serving as an example, instance or illustration. Any aspect or design described herein as "preferred" is not necessarily to be construed as more advantageous than other aspects or designs. Rather, use of the word "preferred" is intended to present concepts in a concrete manner. The term "or" as used in this application is intended to mean an inclusive "or" rather than an exclusive "or". That is, unless specified otherwise or clear from context, "X uses A or B" means any of the natural inclusive permutations. That is, if X uses A; X uses B; or X uses both A and B, then "X uses A or B" is satisfied in any of the foregoing instances.
Moreover, although the disclosure has been shown and described with respect to one or more implementations, equivalent alterations and modifications will occur to those skilled in the art based upon a reading and understanding of this specification and the drawings. The disclosure includes all such modifications and alterations and is limited only by the scope of the following claims. In particular, with regard to the various functions performed by the above-described components (such as elements, resources, etc.), the terms used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (that is, which is functionally equivalent), even if it is not structurally equivalent to the disclosed structure which performs the function in the exemplary implementations of the disclosure illustrated herein. In addition, while a particular feature of the disclosure may have been disclosed with respect to only one of several implementations, such a feature may be combined with one or more other features of the other implementations as may be desired and advantageous for any given or particular application. Furthermore, to the extent that the terms "includes", "has", "contains" or variants thereof are used in either the detailed description or the claims, such terms are intended to be inclusive in a manner similar to the term "comprising".
Each functional unit in the embodiments of the present invention may be integrated in one processing module, or each unit may exist physically on its own, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like. Each of the above devices or systems can execute the method in the corresponding method embodiment.
In conclusion, although the present invention has been disclosed above by way of preferred embodiments, the above preferred embodiments are not intended to limit the present invention. Those of ordinary skill in the art can make various changes and refinements without departing from the spirit and scope of the present invention, and the protection scope of the present invention is therefore defined by the claims.

Claims (8)

1. An abnormal account providing method, characterized by comprising the steps of:
detecting the IP addresses of login accounts, and counting the number of login accounts of each IP address;
determining whether the number of login accounts of each IP address exceeds a threshold; and
if the number of login accounts of the IP address exceeds the threshold, determining that the login accounts of the IP address that simultaneously did not log in through a common login place, did not log in during a common login time and did not use a common business are the abnormal accounts;
wherein the step of determining whether the login account is an abnormal account comprises:
if the number of login accounts of the IP address exceeds the threshold, X of the login accounts of the IP address did not log in through a common login place, Y of the login accounts of the IP address did not log in during a common login time, Z of the login accounts of the IP address did not use a common business, and X/A is greater than a first set value, Y/A is greater than a second set value and Z/A is greater than a third set value, where A is the number of login accounts of the IP address, determining that the login accounts of the IP address that simultaneously did not log in through a common login place, did not log in during a common login time and did not use a common business are the abnormal accounts.
2. The abnormal account providing method according to claim 1, characterized in that the abnormal account providing method further comprises the steps of:
taking the L most frequent login places among all login places of the login account as the common login places of the login account, L being a positive integer greater than 1;
taking the M most frequent login time segments among the login time segments of the login account as the common login times of the login account, M being a positive integer greater than 1; and
taking the N most frequently used businesses among the businesses of the login account as the common businesses of the login account, N being a positive integer greater than 1.
3. The abnormal account providing method according to claim 1, characterized in that the abnormal account providing method further comprises the step of:
performing abnormal behavior detection on the login account confirmed as the abnormal account, and providing the abnormal account according to the detection result.
4. The abnormal account providing method according to claim 3, characterized in that the abnormal behavior detection comprises at least one of: detecting whether the login account has been reported, detecting whether the login account has sent spam messages, and detecting whether the login account has modified its password.
5. An abnormal account providing device, characterized by comprising:
a statistical module, configured to detect the IP addresses of login accounts and count the number of login accounts of each IP address;
an abnormality detection module, configured to determine whether the number of login accounts of each IP address exceeds a threshold; and
an abnormal determining module, wherein if the abnormality detection module determines that the number of login accounts of the IP address exceeds the threshold, the abnormal determining module determines that the login accounts of the IP address that simultaneously did not log in through a common login place, did not log in during a common login time and did not use a common business are the abnormal accounts;
wherein if the abnormality detection module determines that the number of login accounts of the IP address exceeds the threshold, and the abnormal determining module determines that X of the login accounts of the IP address did not log in through a common login place, Y of the login accounts of the IP address did not log in during a common login time, Z of the login accounts of the IP address did not use a common business, and X/A is greater than a first set value, Y/A is greater than a second set value and Z/A is greater than a third set value, where A is the number of login accounts of the IP address, then the login accounts of the IP address that simultaneously did not log in through a common login place, did not log in during a common login time and did not use a common business are determined to be the abnormal accounts.
6. The abnormal account providing device according to claim 5, characterized in that the abnormal account providing device further comprises:
a common login place determining module, configured to take the L most frequent login places among all login places of the login account as the common login places of the login account, L being a positive integer greater than 1;
a common login time determining module, configured to take the M most frequent login time segments among the login time segments of the login account as the common login times of the login account, M being a positive integer greater than 1; and
a common business determining module, configured to take the N most frequently used businesses among the businesses of the login account as the common businesses of the login account, N being a positive integer greater than 1.
7. The abnormal account providing device according to claim 5, characterized in that the abnormal account providing device further comprises:
an abnormal account providing module, configured to perform abnormal behavior detection on the login account confirmed as the abnormal account, and to provide the abnormal account according to the detection result.
8. The abnormal account providing device according to claim 7, characterized in that the abnormal behavior detection comprises at least one of: detecting whether the login account has been reported, detecting whether the login account has sent spam messages, and detecting whether the login account has modified its password.
CN201310396307.3A 2013-09-03 2013-09-03 Abnormal account providing method and device Active CN104426885B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310396307.3A CN104426885B (en) 2013-09-03 2013-09-03 Abnormal account providing method and device
PCT/CN2014/085815 WO2015032318A1 (en) 2013-09-03 2014-09-03 Exceptional account determination method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310396307.3A CN104426885B (en) 2013-09-03 2013-09-03 Abnormal account providing method and device

Publications (2)

Publication Number Publication Date
CN104426885A CN104426885A (en) 2015-03-18
CN104426885B true CN104426885B (en) 2019-04-16

Family

ID=52627803

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310396307.3A Active CN104426885B (en) 2013-09-03 2013-09-03 Abnormal account providing method and device

Country Status (2)

Country Link
CN (1) CN104426885B (en)
WO (1) WO2015032318A1 (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant