CN108512815B - Anti-theft chain detection method, anti-theft chain detection device and server - Google Patents

Anti-theft chain detection method, anti-theft chain detection device and server Download PDF

Info

Publication number
CN108512815B
CN108512815B CN201710111704.XA CN201710111704A CN108512815B CN 108512815 B CN108512815 B CN 108512815B CN 201710111704 A CN201710111704 A CN 201710111704A CN 108512815 B CN108512815 B CN 108512815B
Authority
CN
China
Prior art keywords
user
behavior data
model
client
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710111704.XA
Other languages
Chinese (zh)
Other versions
CN108512815A (en
Inventor
万明月
黄宙舒
冯少伟
李兴
张智
孙刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Beijing Co Ltd
Original Assignee
Tencent Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Beijing Co Ltd filed Critical Tencent Technology Beijing Co Ltd
Priority to CN201710111704.XA priority Critical patent/CN108512815B/en
Publication of CN108512815A publication Critical patent/CN108512815A/en
Application granted granted Critical
Publication of CN108512815B publication Critical patent/CN108512815B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles

Abstract

The invention provides an anti-theft chain detection method, an anti-theft chain detection device and a server, wherein the anti-theft chain detection method comprises the following steps: acquiring user behavior data of a client; performing big data training verification on user behavior data through a theftproof chain model obtained by big data training on historical behavior data of a non-theftproof chain user; and under the condition that the user behavior data passes the verification of the anti-theft link model, determining that the client corresponding to the user behavior data is a non-anti-theft link user, and under the condition that the user behavior data does not pass the verification of the anti-theft link model, determining that the client corresponding to the user behavior data is an anti-theft link user. By the technical scheme, the risk of cracking of the anti-theft chain by a chain stealing party can be reduced, and the comprehensiveness and effectiveness of anti-theft chain protection are further improved.

Description

Anti-theft chain detection method, anti-theft chain detection device and server
[ technical field ] A method for producing a semiconductor device
The invention relates to the technical field of data processing, in particular to an anti-theft chain detection method, an anti-theft chain detection device and a server.
[ background of the invention ]
At present, a synchronous authentication mode is mostly used when anti-theft chain protection is performed in a network, for example, in a multimedia anti-theft chain process, a client encrypts a playing parameter through a secret key and sends the encrypted playing parameter to a server, the server authenticates the client according to the encrypted playing parameter, and when the authentication of the client fails, the server judges that a multimedia playing request of the client is abnormal and performs anti-theft attack.
However, the encryption algorithm for encrypting the playing parameters is located in the client, so that the encryption algorithm is easy to be cracked by the stealing link party, and the stealing link party can also use the encryption algorithm to encrypt the playing parameters after cracking the encryption algorithm, so that the synchronous authentication can be successfully passed. At this time, the effectiveness of the synchronous authentication can be enhanced only by upgrading the encryption algorithm of the encrypted playing parameter at the client, and the consumed labor cost and time cost are high.
In addition, the synchronous anti-theft chain authentication mode is only used before multimedia playing, once the anti-theft chain passes the synchronous anti-theft chain authentication, the subsequent multimedia playing process is not controlled by the server any more.
Therefore, how to provide a more secure and effective anti-stealing-link method becomes a technical problem to be solved urgently at present.
[ summary of the invention ]
The embodiment of the invention provides a method for detecting an anti-theft chain, a device for detecting the anti-theft chain and a server, aims to solve the problem of insufficient safety of an anti-theft chain mode in the related technology, can provide a new anti-theft chain mode, and improves the effectiveness of anti-theft chain protection for the server.
In a first aspect, an embodiment of the present invention provides a method for detecting a hotlink, including: acquiring user behavior data of a client; performing big data training verification on the user behavior data through a theftproof chain model obtained by big data training on historical behavior data of a non-theftproof chain user; and under the condition that the user behavior data passes the anti-theft link model verification, determining that the client corresponding to the user behavior data is a non-anti-theft link user, and under the condition that the user behavior data does not pass the anti-theft link model verification, determining that the client corresponding to the user behavior data is an anti-theft link user.
In the above embodiment of the present invention, optionally, before the step of performing big data training verification on the user behavior data by using a hotlink model obtained by performing big data training on historical behavior data of a non-hotlink user, the method further includes: acquiring historical behavior data of a preset number of non-hotlinking users in the interaction process with a server within a preset time interval; and performing big data training on the historical behavior data through a preset classification algorithm to establish the anti-theft chain model.
In the above embodiment of the present invention, optionally, the step of performing big data training verification on the user behavior data through a hotlink model obtained by performing big data training on historical behavior data of a non-hotlink user specifically includes: performing big data fitting on a calling object, the object calling frequency and the object calling sequence corresponding to each user characteristic behavior in the user behavior data through a hotlink prevention model obtained by training historical behavior data of a non-hotlink user; and when the fitting result of the calling object, the object calling frequency and the object calling sequence corresponding to the user characteristic behaviors at each time accords with a preset rule, determining that the user behavior data passes the verification of the anti-theft chain model, otherwise, determining that the user behavior data does not pass the verification of the anti-theft chain model.
In the above embodiment of the present invention, optionally, the user characteristic behavior includes one or more of a multimedia information query request, a multimedia play request, a play stop request, a play parameter adjustment request, and an advertisement insertion request.
In the above embodiment of the present invention, optionally, the method further includes: according to the interactive request from the client, carrying out synchronous authentication on the client to obtain a synchronous authentication result; and determining whether the client is a stealing link user or not according to a result of big data training verification on the user behavior data of the client and the synchronous authentication result.
In a second aspect, an embodiment of the present invention provides an anti-stealing chain detection apparatus, including: the user behavior data acquisition unit is used for acquiring user behavior data of the client; the model training verification unit is used for performing big data training verification on the user behavior data through a theftproof chain model obtained by carrying out big data training on the historical behavior data of a non-theftproof chain user; and the determining unit is used for determining that the client corresponding to the user behavior data is a non-hotlinking user under the condition that the user behavior data passes the hotlinking model verification, and determining that the client corresponding to the user behavior data is a hotlinking user under the condition that the user behavior data does not pass the hotlinking model verification.
In the above embodiment of the present invention, optionally, the method further includes: the historical behavior data acquisition unit is used for acquiring historical behavior data of a preset number of non-stealing-link users in the interaction process with the server within a preset time interval before the model training verification unit carries out big data training verification on the user behavior data; and the big data training unit is used for carrying out big data training on the historical behavior data through a preset classification algorithm so as to establish the anti-theft chain model.
In the above embodiment of the present invention, optionally, the model training verification unit is specifically configured to: and carrying out big data fitting on the calling object corresponding to each user characteristic behavior in the user behavior data, the object calling frequency and the object calling sequence through an anti-theft chain model obtained by training historical behavior data of a non-anti-theft chain user, wherein when the calling object corresponding to each user characteristic behavior, the object calling frequency and the fitting result of the object calling sequence accord with a preset rule, the user behavior data is determined to pass the verification of the anti-theft chain model, otherwise, the user behavior data is determined not to pass the verification of the anti-theft chain model.
In the above embodiment of the present invention, optionally, the user characteristic behavior includes one or more of a multimedia information query request, a multimedia play request, a play stop request, a play parameter adjustment request, and an advertisement insertion request.
In the above embodiment of the present invention, optionally, the method further includes: the synchronous authentication unit is used for synchronously authenticating the client according to the interactive request from the client to obtain a synchronous authentication result; and the joint verification unit is used for determining whether the client is a stealing link user or not according to the result of big data training verification on the user behavior data of the client and the synchronous authentication result.
In a third aspect, an embodiment of the present invention provides a server, including the hotlink detection device described in any one of the second aspect embodiments above.
The technical scheme provides a new anti-stealing-link mode, whether the client is a stealing-link user can be determined by verifying whether the user behavior data of the client can be fitted by a preset anti-stealing-link model, and the preset anti-stealing-link model is obtained by performing big data training by taking the historical behavior data of non-stealing-link users as samples.
The formation and the use of the anti-theft chain model are both carried out at the server side, so that the anti-theft chain party can be prevented from cracking the relevant information of the anti-theft chain authentication from the client side. The historical behavior data of the non-hotlinking users are various, and the hotlinking model obtained by training the big data by the non-hotlinking users is more complex than an encryption algorithm used by synchronous authentication in the related technology, is difficult to be cracked by a hotlinking party, increases the hotlinking cost and reduces the hotlinking possibility. Meanwhile, the anti-theft chain model is obtained by training based on actual historical behavior data of the non-anti-theft chain user, and the anti-theft chain model has higher accuracy in authentication than synchronous authentication fixed by an encryption algorithm in the related technology, so that accidental injury to the non-anti-theft chain user and missed detection to the anti-theft chain user can be reduced.
Then, if the user behavior data of the client can be fitted by the predetermined anti-theft chain model, it is indicated that the user behavior data is a parameter associated with the historical behavior data of the non-theft chain user, so that the client corresponding to the user behavior data can be determined as the non-theft chain user, otherwise, if the user behavior data of the client cannot be fitted by the predetermined anti-theft chain model, it is indicated that the user behavior data is not related to the historical behavior data of the non-theft chain user, at this time, the client corresponding to the user behavior data can be determined as the theft chain user, so as to further attack the anti-theft chain.
Because the user behavior data of the client is generated in the whole process of interaction between the client and the server, the anti-theft chain protection can be performed on the whole interaction process between the client and the server by performing anti-theft chain model verification on the user behavior data of the client, the application range of the anti-theft chain protection is enlarged, the risk of cracking by a chain-stealing party in an anti-theft chain mode is further reduced, and the comprehensiveness and effectiveness of the anti-theft chain protection are improved.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive labor.
FIG. 1 shows a flow diagram of a hotlink detection method of one embodiment of the invention;
FIG. 2 shows a flow chart for establishing a hotlink model in the embodiment shown in FIG. 1;
FIG. 3 shows a flow diagram of a pickproof chain detection method of another embodiment of the invention;
FIG. 4 shows a flow diagram of a pickproof chain detection method of yet another embodiment of the invention;
FIG. 5 shows a block diagram of a pickproof chain detection device of one embodiment of the present invention;
fig. 6 shows an overall architecture diagram of a pickproof chain detection device of an embodiment of the invention;
FIG. 7 shows a block diagram of a server of one embodiment of the invention;
fig. 8 shows a block diagram of a server of another embodiment of the invention.
[ detailed description ] embodiments
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
Example one
Fig. 1 shows a flow chart of a hotlink detection method of an embodiment of the invention.
As shown in fig. 1, a model generation method provided in an embodiment of the present invention includes:
and 102, acquiring user behavior data of the client.
The user behavior data is data generated by the client in the process of performing interactive behavior on the server, and includes, but is not limited to, a module requested to be called by the client, a module calling sequence, a module calling frequency and the like, so that the user behavior data is actually a behavior track of interaction between the client and the server, and contains a large amount of data with sequence and different dimensions, and the anti-theft chain inspection can be more comprehensive by comprehensively verifying the behavior track of the client.
Further, the acquired user behavior data of the client may be data generated by all or a certain type of interaction behaviors of the client within a predetermined time interval, where the interaction behaviors may include, but are not limited to, a multimedia playing request, a game operation request, a web page editing request, and the like, and the predetermined time interval may be set at the server, for example, the user behavior data of the client may be acquired every ten minutes so as to perform anti-theft chain check on the client.
And 104, performing big data training verification on the user behavior data through a theftproof chain model obtained by big data training on the historical behavior data of the non-theftproof chain user.
The formation and the use of the anti-theft chain model are both carried out at the server side, so that the anti-theft chain party can be prevented from cracking the relevant information of the anti-theft chain authentication from the client side. The historical behavior data of the non-hotlinking users are various, and the hotlinking model obtained by training the big data by the non-hotlinking users is more complex than an encryption algorithm used by synchronous authentication in the related technology, is difficult to be cracked by a hotlinking party, increases the hotlinking cost and reduces the hotlinking possibility. Meanwhile, the anti-theft chain model is obtained by training based on actual historical behavior data of the non-anti-theft chain user, and the anti-theft chain model has higher accuracy in authentication than synchronous authentication fixed by an encryption algorithm in the related technology, so that accidental injury to the non-anti-theft chain user and missed detection to the anti-theft chain user can be reduced.
It is to be understood that, in most cases, the server selects sample data from actual historical behavior data generated by a large number of non-hotlink users, performs big data training through the sample data to obtain a hotlink model, and can perform efficient hotlink protection on a plurality of clients simultaneously through the hotlink model.
And 106, under the condition that the user behavior data passes the verification of the anti-theft link model, determining that the client corresponding to the user behavior data is a non-anti-theft link user, and under the condition that the user behavior data does not pass the verification of the anti-theft link model, determining that the client corresponding to the user behavior data is an anti-theft link user.
That is, if the user behavior data of the client can be fitted by the predetermined hotlink model, it is indicated that the user behavior data is a parameter associated with the historical behavior data of the non-hotlink user, so the client corresponding to the user behavior data can be determined to be the non-hotlink user, otherwise, if the user behavior data of the client cannot be fitted by the predetermined hotlink model, it is indicated that the user behavior data is not related to the historical behavior data of the non-hotlink user, at this time, the client corresponding to the user behavior data can be determined to be the hotlink user, so as to further perform hotlink attack on the client.
For the determined stealing-link user, a corresponding stealing-link attacking strategy can be selected according to the degree of the irrelevance of the user behavior data to the historical behavior data of the non-stealing-link user, wherein the stealing-link attacking strategy comprises but is not limited to terminating interactive service, storing information of the stealing-link user, uploading the information of the stealing-link user to a network and the like.
Because the user behavior data of the client is generated in the whole process of interaction between the client and the server, the anti-theft chain protection can be performed on the whole interaction process between the client and the server by performing anti-theft chain model verification on the user behavior data of the client, the application range of the anti-theft chain protection is enlarged, the risk of cracking by a chain-stealing party in an anti-theft chain mode is further reduced, and the comprehensiveness and effectiveness of the anti-theft chain protection are improved.
Fig. 2 shows a flow chart for establishing a hotlink model in the embodiment shown in fig. 1.
As shown in fig. 2, the step of establishing the anti-stealing link model specifically includes:
step 202, obtaining historical behavior data of a preset number of non-stealing-link users in the interaction process with the server within a preset time interval.
If the number of users served by the server is small, for example, the number of users is 1000, historical behavior data of all users can be directly used as the basis for protecting the anti-theft chain. However, in most cases, the number of users served by the server is huge, for example, the number of users of social software is often tens of millions, so that only the historical behavior data of a predetermined number of non-stealing-link users can be acquired as sample data to perform big data training, and the predetermined number can be set at the server according to actual needs.
For example, for a server with video software of ten million users, because the types and sequences of user behaviors are various, one hundred thousand users can be selected as samples according to the age distribution of the users, so as to ensure that the samples have sufficient representativeness. For a server with simple puzzle game software of ten million users, because the types and the sequence of user behaviors are single, it is enough to randomly select ten thousand users as a representative sample.
Similarly, the predetermined time interval may be set at the server according to actual needs, such as one minute or one hour.
And step 204, performing big data training on the historical behavior data through a preset classification algorithm to establish a security chain model.
The predetermined classification algorithm may adopt an existing mature machine learning classification algorithm, including but not limited to: logistic regression (logistic regression), decision tree classifier (decision tree classifier), support vector machine classifier (support vector machine), naive bayes (negative bases), K-nearest neighbor algorithm (K neighbor), factorization machine (factorization machine), neural network classifier (neural network classifier), and deep learning (deep learning), or ensemble forest combination algorithm (e.g., random forest, etc.) which is a combination of at least two of the above algorithms. Of course, the training algorithm capable of having classification property can be set according to actual requirements.
When the ensemble combined algorithm combining at least two items is adopted, a more accurate and effective anti-theft chain model can be obtained, specifically, each training algorithm can be adopted for training to obtain one result, and then, a target result which accords with a preset rule can be selected from multiple obtained results according to the preset rule. For example, the preset rule may be: through multiple tests, the anti-theft chain verification accuracy of multiple results is compared, and the result with the highest anti-theft chain verification accuracy is selected as the target result. Of course, the preset rule is not limited to the above form.
In a possible specific implementation manner of step 204, the corresponding implementation flow includes:
using a predetermined classification algorithm to perform big data fitting on a calling object, an object calling frequency and an object calling sequence corresponding to each user characteristic behavior in user behavior data in a sample, namely performing machine learning based on a module, a module calling sequence and a module calling frequency requested to be called by a client in the sample to obtain a maximum likelihood value of the sample, wherein an anti-theft chain model represented by the maximum likelihood value of the sample is as follows:
Figure BDA0001234593600000091
wherein x isiRepresenting the user behavior data of the client of the ith sample, f (beta) representing the trained model parameters, yiA mark representing the ith sample, the mark of the sample representing whether the sample is a non-stealing-link user, yi1 means that the ith sample is a stealing-link user, yiIf it is 0, it means that the ith sample is a non-stealing-link user, and p is a probability density distribution function.
The distribution of the samples can be fitted to the maximum extent by the formula to form the anti-theft chain model, so that in the process of using the anti-theft chain model to carry out anti-theft chain inspection, the user behavior data of the client side is fitted, and whether the user behavior data of the client side is the parameter combination associated with the user behavior data of the non-anti-theft chain user is determined.
It is necessary to supplement that, with the increase and change of the behavior data of the non-hotlink user, the hotlink model can be updated accordingly, for example, at preset time intervals, such as one week, part of the behavior data of the non-hotlink user in the one week and the historical behavior data before the one week are selected as samples to perform big data training, and after the root, the hotlink model is updated in time along with the update of the samples used for establishing the hotlink model, so that the hotlink model fits the data of the non-hotlink user to the maximum extent, and the comprehensiveness and the effectiveness of the hotlink model are improved.
Example two
As shown in fig. 3, on the basis of the first embodiment, a more specific method for performing anti-theft chain verification through an anti-theft chain model is provided, and the anti-theft chain model is used to fit multi-dimensional user behavior data of the client, so that the reliability of the basis of anti-theft chain verification is increased, and the anti-theft chain protection effect is further improved. The method specifically comprises the following steps:
step 302, user behavior data of the client is obtained.
And step 304, performing big data fitting on the calling object, the object calling frequency and the object calling sequence corresponding to each user characteristic behavior in the obtained user behavior data through a hotlink prevention model obtained by training the historical behavior data of the non-hotlink users.
The user characteristic behaviors include various types of requests of the client in the interaction process with the server, for example, the user characteristic behaviors in the multimedia playing process include but are not limited to one or more of a multimedia information query request, a multimedia playing request, a playing stop request, a playing parameter adjustment request and an advertisement insertion request, and then a module requested to be called, a module calling sequence, a module calling frequency and the like of each user characteristic behavior form user behavior data. Therefore, the data with a large amount of orders and different dimensionalities are used as samples for fitting the client, so that the anti-theft chain verification is more comprehensive, the accuracy of the anti-theft chain verification is improved, and missing detection or false detection is avoided.
Step 306, determining whether the fitting result meets the predetermined rule, if so, entering step 308, and if not, entering step 310.
If the hotlink model is established in the manner provided in the first embodiment, the predetermined rule may be set to have a maximum likelihood value greater than or equal to a predetermined value, where the predetermined value is the minimum maximum likelihood value of the hotlink model and the user behavior data of the client when the client is a non-hotlink user.
And 308, determining that the user behavior data passes the verification of the anti-stealing link model, wherein the client is a non-stealing-link user.
And step 310, determining that the user behavior data does not pass the verification of the anti-theft link model, wherein the client is the anti-theft link user.
That is to say, only when the fitting degree of the user behavior data of the client and the anti-theft chain model reaches a predetermined value, the fitting degree is considered to meet the fitting level due to the non-anti-theft chain user, at this moment, the client can be determined as the non-anti-theft chain user, and otherwise, the client is determined as the anti-theft chain user.
EXAMPLE III
As shown in fig. 4, on the basis of the first and second embodiments, a combined anti-theft chain verification method is provided, which performs both synchronous authentication and anti-theft chain model fitting verification on the client, thereby providing a dual guarantee for anti-theft chain protection and improving the accuracy of anti-theft chain verification. The method specifically comprises the following steps:
step 402, according to the interactive request from the client, performing synchronous authentication on the client to obtain a synchronous authentication result.
And step 404, performing big data training verification on the user behavior data of the client according to the anti-theft chain model to obtain a model verification result.
In order to further improve the accuracy of the anti-theft chain verification, the anti-theft chain model can be used for performing fitting verification on the user behavior data of the client and performing synchronous authentication on the client to respectively obtain corresponding results. The sequence of the two steps can be synchronous authentication firstly and then antitheft chain model fitting verification, or can be carried out in two antitheft chain modes simultaneously.
And step 406, determining whether the client is a hotlinking user according to the model verification result and the synchronous authentication result.
One specific implementation of step 406 is:
firstly, the client is synchronously authenticated.
If the client can not pass the synchronous authentication, the client can be directly judged to be a stealing link user, and the stealing link verification process is ended; and if the client passes the synchronous authentication, performing the anti-theft chain model fitting verification.
Then, if the client side does not pass the fitting verification of the anti-theft chain model, the encryption algorithm of the synchronous authentication is probably cracked by the anti-theft chain party, and at the moment, the client side can be judged to be the anti-theft chain user; and if the client passes the anti-theft link model fitting verification, the user behavior data of the client can be fitted by the anti-theft link model, and the parameter combination is associated with the historical behavior data of the non-anti-theft link user, so that the client is judged to be the non-anti-theft link user.
That is, the client is determined to be a non-hotlinking user only if the model verification result is that the client passes the verification and the synchronous authentication result is that the client passes the synchronous authentication.
However, the validity of the synchronous authentication is lower than the validity of the anti-stealing link model fitting verification, and the non-stealing-link user is easily judged as the stealing-link user by mistake, so another specific implementation manner of the step 406 is provided as follows:
and simultaneously performing synchronous authentication and anti-theft chain model fitting verification to obtain a model verification result and a synchronous authentication result, wherein when the model verification result is 1, the client passes the anti-theft chain model fitting verification, when the model verification result is 0, the client fails the anti-theft chain model fitting verification, when the synchronous authentication result is 1, the client passes the synchronous authentication, and when the synchronous authentication result is 0, the client fails the synchronous authentication.
And then, multiplying the model verification result and the synchronous authentication result by corresponding weights respectively, and adding the two products to obtain a target result. The weighting values corresponding to the model verification result and the synchronous authentication result may be automatically set by the server according to the accuracy of the historical anti-theft link result, or may be manually set at the server side, for example, the weighting value of the model verification result is set to 0.55, the weighting value of the synchronous authentication result is set to 0.45, the sum of the weighting values of the model verification result and the synchronous authentication result is 1, and the weighting value of the model verification result needs to be greater than the weighting value of the synchronous authentication result.
And finally, detecting whether the target result reaches a preset threshold value, wherein the preset threshold value is the lowest threshold value required by determining the client as the non-stealing-link user, if the target result reaches the preset threshold value, determining the client as the non-stealing-link user, and if the target result does not reach the preset threshold value, determining the client as the stealing-link user.
In addition, the predetermined threshold value can be automatically set by the server according to the accuracy of the historical anti-theft chain result, or can be manually set at the server side. For example, if the weight of the model verification result is set to 0.55 and the weight of the synchronous authentication result is set to 0.45, the predetermined threshold may be set to 0.6, so that:
when the model verification result and the synchronous authentication result are both 1, the calculated target result is 1 and exceeds the preset threshold value of 0.6, so that the client can be judged to be a non-hotlinking user.
When the model verification result and the synchronous authentication result are both 0, the calculated target result is 0 and does not reach the preset threshold value of 0.6, so that the client can be judged as a stealing link user.
When the model verification result is 1 and the synchronous authentication result is 0, the calculated target result is 0.55 and does not reach the preset threshold value of 0.6, so that the client can be judged as a stealing link user.
When the model verification result is 0 and the synchronous authentication result is 1, the calculated target result is 0.45 and does not reach the preset threshold value of 0.6, so that the client can be judged as a stealing link user.
For another example, if the weight of the model verification result is set to 0.65, the weight of the synchronous authentication result is set to 0.35, and the predetermined threshold value is set to 0.61, thereby:
when the model verification result and the synchronous authentication result are both 1, the calculated target result is 1 and exceeds the preset threshold value of 0.6, so that the client can be judged to be a non-hotlinking user.
When the model verification result and the synchronous authentication result are both 0, the calculated target result is 0 and does not reach the preset threshold value of 0.61, so that the client can be judged as a stealing link user.
When the model verification result is 1 and the synchronous authentication result is 0, the calculated target result is 0.65 and reaches a preset threshold value of 0.61, so that the client can be judged to be a non-hotlinking user.
When the model verification result is 0 and the synchronous authentication result is 1, the calculated target result is 0.35 and does not reach the preset threshold value of 0.61, so that the client can be judged as a stealing link user.
Of course, the above two embodiments are only one embodiment of the present invention, and the present invention is not limited to this embodiment.
Example four
Fig. 5 shows a block diagram of a pickproof chain detection device of one embodiment of the invention.
As shown in fig. 5, the anti-theft chain detection device 500 according to an embodiment of the present invention includes: a user behavior data acquisition unit 502, a model training verification unit 504, and a determination unit 506.
The user behavior data obtaining unit 502 is configured to obtain user behavior data of a client.
The model training verification unit 504 is configured to perform big data training verification on the user behavior data through a hotlink model obtained by big data training on historical behavior data of a non-hotlink user.
The determining unit 506 is configured to determine that the client corresponding to the user behavior data is a non-hotlinking user when the user behavior data is verified by the hotlinking model, and determine that the client corresponding to the user behavior data is a hotlinking user when the user behavior data is not verified by the hotlinking model.
In the above embodiment of the present invention, optionally, the anti-theft chain detection apparatus 500 further includes a historical behavior data obtaining unit 508 and a big data training unit 510.
The historical behavior data obtaining unit 508 is configured to obtain historical behavior data of a predetermined number of non-hotlinking users in an interaction process with a server within a predetermined time interval before the model training verification unit 504 performs big data training verification on the user behavior data.
The big data training unit 510 is used for big data training of historical behavior data through a predetermined classification algorithm to establish a hotlink model.
In the above embodiment of the present invention, optionally, the model training verification unit 504 is specifically configured to: and performing big data fitting on a calling object, an object calling frequency and an object calling sequence corresponding to each user characteristic behavior in the user behavior data through an anti-theft chain model obtained by training historical behavior data of the non-anti-theft chain user, wherein when the fitting result of the calling object, the object calling frequency and the object calling sequence corresponding to each user characteristic behavior conforms to a preset rule, the user behavior data is determined to pass the verification of the anti-theft chain model, and otherwise, the user behavior data is determined not to pass the verification of the anti-theft chain model.
The user characteristic behaviors comprise one or more of a multimedia information query request, a multimedia playing request, a playing stopping request, a playing parameter adjusting request and an advertisement inserting request.
It should be added that, in the above-mentioned embodiment of the present invention, optionally, the hotlink detection device 500 further includes a synchronization authentication unit 512 and a joint verification unit 514.
The synchronous authentication unit 512 is configured to perform synchronous authentication on the client according to the interaction request from the client, so as to obtain a synchronous authentication result.
The joint verification unit 514 is configured to determine whether the client is a hotlinking user according to a result of performing big data training verification on the user behavior data of the client and a synchronous authentication result.
The anti-stealing link detection device 500 uses the anti-stealing link detection method according to any of the first to third embodiments, and therefore, the anti-stealing link detection device 500 has all the technical effects of the first to third embodiments, and will not be described herein again.
EXAMPLE five
The anti-theft chain detection device provided by the embodiment of the invention can be suitable for video playing scenes of a client and can also be used for accessing scenes of various files such as audio, texts, pictures and the like. As shown in fig. 6, at each stage of the multimedia playing, the client uploads user behavior data to the server to facilitate problem location, statistics, and the like performed by the server, so that in the process of training the anti-theft chain model, the user behavior data of the client may be collected, and the user behavior data includes but is not limited to data generated by an advertisement behavior (such as inserting an advertisement in the video playing process) and a quality behavior (such as selecting a resolution of a video file), and may also include data generated by other user behaviors such as opening, pausing, closing, and the like.
The server can determine the characteristic behaviors of the clients according to the historical behavior data of the clients in the non-hotlinking client set, and therefore the characteristic behaviors are used as sample data to conduct model training to obtain the hotlinking prevention model.
The method comprises the steps that in the process of performing anti-theft chain verification on a client to be verified, synchronous authentication can be performed, specifically, the client encrypts some data before multimedia playing and sends the encrypted data to a server, the server performs authentication on the encrypted data, and after the server passes the authentication, the client to be verified can obtain multimedia resources from the server.
And then, when the client to be verified plays the multimedia resources, the server fits the user behavior data generated in the process of playing the multimedia resources by the client to be verified through a pre-generated anti-theft link model, when the fitting result accords with a preset strategy, the client to be verified is judged to be a non-anti-theft link user, and the server can provide the data requested by the client to be verified. And when the fitting result does not accord with the preset strategy, the client to be verified is judged to be a stealing link user, and the server implements a stealing link attack strategy on the client.
EXAMPLE six
FIG. 7 shows a block diagram of a server of one embodiment of the invention.
As shown in fig. 7, a server 700 according to an embodiment of the present invention includes the anti-stealing chain detection apparatus 500 shown in the embodiment of fig. 5, and the anti-stealing chain detection apparatus 500 may be externally installed on the server or provided in the server.
Therefore, the server 700 has the same technical effect as the anti-stealing chain detection device 500 shown in the embodiment of fig. 5, and will not be described again here.
EXAMPLE seven
Fig. 8 shows a block diagram of a server of another embodiment of the invention.
As shown in fig. 8, server 800 may include a processor 802 coupled to one or more data storage facilities, which may include a storage medium 804 and a memory unit 806. Server 800 may also include input interface 808 and output interface 810 for communicating with another device or system. Program code executed by CPU8022 of processor 802 may be stored in storage medium 804 or memory unit 806.
The processor 802 in the server 800 calls the program code stored in the storage medium 804 or the memory unit 806, and performs the following steps:
acquiring user behavior data of a client;
performing big data training verification on the user behavior data through a theftproof chain model obtained by big data training on historical behavior data of a non-theftproof chain user;
and under the condition that the user behavior data passes the anti-theft link model verification, determining that the client corresponding to the user behavior data is a non-anti-theft link user, and under the condition that the user behavior data does not pass the anti-theft link model verification, determining that the client corresponding to the user behavior data is an anti-theft link user.
In a particular implementation, the processor 802 may further perform:
acquiring historical behavior data of a preset number of non-hotlink users in an interaction process with a server within a preset time interval before a step of performing big data training verification on user behavior data through a hotlink model obtained by performing big data training on historical behavior data of the non-hotlink users; and performing big data training on the historical behavior data through a preset classification algorithm to establish the anti-theft chain model.
In one particular implementation, the processor 802 is configured to perform:
performing big data fitting on a calling object, the object calling frequency and the object calling sequence corresponding to each user characteristic behavior in the user behavior data through a hotlink prevention model obtained by training historical behavior data of a non-hotlink user;
and when the fitting result of the calling object, the object calling frequency and the object calling sequence corresponding to the user characteristic behaviors at each time accords with a preset rule, determining that the user behavior data passes the verification of the anti-theft chain model, otherwise, determining that the user behavior data does not pass the verification of the anti-theft chain model.
In a particular implementation, the processor 802 may further perform:
according to the interactive request from the client, carrying out synchronous authentication on the client to obtain a synchronous authentication result;
and determining whether the client is a stealing link user or not according to a result of big data training verification on the user behavior data of the client and the synchronous authentication result.
The technical scheme of the invention is explained in detail in combination with the attached drawings, and through the technical scheme of the invention, the risk of cracking by a chain stealing party in a chain stealing prevention mode can be reduced, and the comprehensiveness and effectiveness of the chain stealing prevention protection are further improved.
The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a Processor (Processor) to execute some steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for hotlink detection, comprising:
the server acquires user behavior data of the client;
performing big data training verification on the user behavior data through an anti-theft chain model to obtain a model verification result, wherein the anti-theft chain model is obtained by performing big data training on historical behavior data of a non-anti-theft chain user for a server and performing periodic updating;
according to the interactive request from the client, carrying out synchronous authentication on the client to obtain a synchronous authentication result;
respectively obtaining weights corresponding to the model verification result and the synchronous authentication result, and carrying out weighted summation on the model verification result and the synchronous authentication result based on the obtained weights to obtain a target result;
and when the target result reaches a preset threshold value, determining that the client corresponding to the user behavior data is a non-stealing-link user, and when the target result does not reach the preset threshold value, determining that the client corresponding to the user behavior data is a stealing-link user.
2. The method according to claim 1, wherein before the step of performing big data training verification on the behavior data of the user by using a hotlink model obtained by big data training on historical behavior data of a non-hotlink user, the method further comprises:
acquiring historical behavior data of a preset number of non-hotlinking users in the interaction process with a server within a preset time interval;
and performing big data training on the historical behavior data through a preset classification algorithm to establish the anti-theft chain model.
3. The hotlink detection method according to claim 1 or 2, wherein the step of performing the big data training verification on the user behavior data through the hotlink model obtained by performing the big data training on the historical behavior data of the non-hotlink user specifically comprises:
performing big data fitting on a calling object, object calling frequency and object calling sequence corresponding to each user characteristic behavior in the user behavior data through a hotlink prevention model obtained by training historical behavior data of a non-hotlink user;
and when the fitting result of the calling object, the object calling frequency and the object calling sequence corresponding to the user characteristic behaviors at each time accords with a preset rule, determining that the user behavior data passes the verification of the anti-theft chain model, otherwise, determining that the user behavior data does not pass the verification of the anti-theft chain model.
4. The hotchain detection method of claim 3, wherein the user characteristic behavior comprises one or more of a multimedia information query request, a multimedia play request, a stop play request, a play parameter adjustment request, and an advertisement insertion request.
5. A pickproof chain detection device, comprising:
the user behavior data acquisition unit is used for acquiring user behavior data of the client;
the model training and verifying unit is used for performing big data training and verification on the user behavior data through an anti-theft chain model to obtain a model verification result, and the anti-theft chain model is obtained by performing big data training on historical behavior data of a non-anti-theft chain user for a server and is periodically updated;
the synchronous authentication unit is used for synchronously authenticating the client according to the interactive request from the client to obtain a synchronous authentication result;
the determining unit is used for respectively obtaining weights corresponding to the model verification result and the synchronous authentication result, and carrying out weighted summation on the model verification result and the synchronous authentication result based on the obtained weights to obtain a target result; when the target result reaches a preset threshold value, determining that the client corresponding to the user behavior data is a non-hotlinking user; and when the target result does not reach a preset threshold value, determining that the client corresponding to the user behavior data is a stealing link user.
6. The antitheft chain detection device of claim 5, further comprising:
the historical behavior data acquisition unit is used for acquiring historical behavior data of a preset number of non-stealing-link users in the interaction process with the server within a preset time interval before the model training verification unit carries out big data training verification on the user behavior data;
and the big data training unit is used for carrying out big data training on the historical behavior data through a preset classification algorithm so as to establish the anti-theft chain model.
7. The anti-theft chain detection device according to claim 5 or 6, wherein the model training verification unit is specifically configured to:
and carrying out big data fitting on a calling object, an object calling frequency and an object calling sequence corresponding to each user characteristic behavior in the user behavior data through a hotlink model obtained by training historical behavior data of a non-hotlink user, wherein when the calling object, the object calling frequency and the object calling sequence corresponding to each user characteristic behavior conform to a preset rule, the user behavior data is determined to pass the verification of the hotlink model, otherwise, the user behavior data is determined not to pass the verification of the hotlink model.
8. The hotchain detection device of claim 7, wherein the user characteristic behavior comprises one or more of a multimedia information query request, a multimedia play request, a stop play request, a play parameter adjustment request, and an advertisement insertion request.
9. A server characterized by comprising a hotlink detection device according to any one of claims 5 to 8.
10. A computer-readable storage medium storing executable instructions, wherein the executable instructions, when executed by a processor, implement the anti-hotlink detection method of any one of claims 1 to 4.
CN201710111704.XA 2017-02-28 2017-02-28 Anti-theft chain detection method, anti-theft chain detection device and server Active CN108512815B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710111704.XA CN108512815B (en) 2017-02-28 2017-02-28 Anti-theft chain detection method, anti-theft chain detection device and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710111704.XA CN108512815B (en) 2017-02-28 2017-02-28 Anti-theft chain detection method, anti-theft chain detection device and server

Publications (2)

Publication Number Publication Date
CN108512815A CN108512815A (en) 2018-09-07
CN108512815B true CN108512815B (en) 2021-12-10

Family

ID=63374054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710111704.XA Active CN108512815B (en) 2017-02-28 2017-02-28 Anti-theft chain detection method, anti-theft chain detection device and server

Country Status (1)

Country Link
CN (1) CN108512815B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110969844A (en) * 2019-11-19 2020-04-07 惠州市德赛西威汽车电子股份有限公司 Method for calculating driving behavior similarity based on driving data and application
CN112084506A (en) * 2020-09-09 2020-12-15 重庆广播电视大学重庆工商职业学院 Method, device and equipment for evaluating cloud platform credibility

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102176698A (en) * 2010-12-20 2011-09-07 北京邮电大学 Method for detecting abnormal behaviors of user based on transfer learning
CN105590055A (en) * 2014-10-23 2016-05-18 阿里巴巴集团控股有限公司 Method and apparatus for identifying trustworthy user behavior in network interaction system
CN105897676A (en) * 2015-12-01 2016-08-24 乐视网信息技术(北京)股份有限公司 User resource access behavior processing method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100562016C (en) * 2006-01-16 2009-11-18 北京北方烽火科技有限公司 A kind of WEB service anti-stealing link method
CN103164636B (en) * 2011-12-09 2015-12-09 北大方正集团有限公司 A kind of method and system of online reading digital content authentication

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102176698A (en) * 2010-12-20 2011-09-07 北京邮电大学 Method for detecting abnormal behaviors of user based on transfer learning
CN105590055A (en) * 2014-10-23 2016-05-18 阿里巴巴集团控股有限公司 Method and apparatus for identifying trustworthy user behavior in network interaction system
CN105897676A (en) * 2015-12-01 2016-08-24 乐视网信息技术(北京)股份有限公司 User resource access behavior processing method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于数据挖掘的Web应用入侵异常检测研究;郁继锋;《中国优秀博士学位论文全文数据库信息科技辑》;20120515;41,71-73 *

Also Published As

Publication number Publication date
CN108512815A (en) 2018-09-07

Similar Documents

Publication Publication Date Title
CN105763521B (en) A kind of device authentication method and device
US9509688B1 (en) Providing malicious identity profiles from failed authentication attempts involving biometrics
Pan et al. Anomaly based web phishing page detection
CN112182519A (en) Computer storage system security access method and access system
CN109871673B (en) Continuous identity authentication method and system based on different context environments
CN105897676A (en) User resource access behavior processing method and device
CN112543196A (en) Network threat information sharing platform based on block chain intelligent contract
CN104980278A (en) Method and device for verifying usability of biological characteristic image
US20170171188A1 (en) Non-transitory computer-readable recording medium, access monitoring method, and access monitoring apparatus
CN116776386B (en) Cloud service data information security management method and system
CN110740140A (en) network information security supervision system based on cloud platform
CN116933222B (en) Three-dimensional model copyright authentication method and system based on zero watermark
CN109711173A (en) A kind of password file leakage detection method
CN108512815B (en) Anti-theft chain detection method, anti-theft chain detection device and server
CN111918287A (en) Information processing method and device
CN114884680A (en) Multi-server sustainable trust evaluation method based on context authentication
CN113591051A (en) Electronic file full life cycle information security system and method
CN111222181B (en) AI model supervision method, system, server and storage medium
AL-Maliki et al. Comparison study for NLP using machine learning techniques to detecting SQL injection vulnerabilities
US9237167B1 (en) Systems and methods for performing network counter measures
CN116846555A (en) Data access method and device
CN111970272A (en) APT attack operation identification method
CN113806707A (en) Browser user identity verification system and method based on cross-domain resource access
US9882879B1 (en) Using steganography to protect cryptographic information on a mobile device
KR101565942B1 (en) Method and Apparatus for detecting ID theft

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant