CN110191097B - Method, system, equipment and storage medium for detecting security of login page - Google Patents

Publication number: CN110191097B
Authority: CN (China)
Prior art keywords: page, login, account, user, information
Legal status: Active
Application number: CN201910366731.0A
Other languages: Chinese (zh)
Other versions: CN110191097A (en)
Inventor: 陈俊峰
Current Assignee: Ping An Technology Shenzhen Co Ltd
Original Assignee: Ping An Technology Shenzhen Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

An embodiment of the invention provides a method for detecting the security of a login page, comprising the following steps: acquiring operation logs of a plurality of users, and acquiring key fields and page operation information from the operation logs according to preset field names; acquiring, according to the page operation information, a plurality of page login information generated by the plurality of users logging in to a server in N time periods, wherein each user corresponds to one page login information; screening target page login information from the plurality of page login information, wherein the target page login information is page login information that has a login record in only one of the N time periods; and determining the target page login account as a suspicious account, and further judging whether an account impersonation event exists. Embodiments of the invention also provide a system for detecting the security of a login page, computer equipment and a storage medium. The embodiments of the invention can efficiently detect such events on the login page.

Description

Method, system, equipment and storage medium for detecting security of login page
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method, a system, equipment and a storage medium for detecting the security of a login page.
Background
An enterprise management system provides enterprise staff with various services and functions in a centralized manner, based on a systematized management approach. Staff can log in to the enterprise management system according to their own permissions, for example to check attendance information or to submit and download files. To guarantee the safe operation of the system, how to detect abnormal login events is a technical problem that currently needs to be solved.
However, existing abnormal-account detection requires additional modification of the original system. For example, each time a user's login request is received, the system has to check the user's vacation state by querying a database, which puts heavy pressure on both the network and the database.
Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide a method, a system, a device, and a storage medium for detecting security of a login page, which can check an abnormal account user without modifying an original system, thereby reducing background operation steps and further reducing pressure on the system and a network.
In order to achieve the above object, an embodiment of the present invention provides a method for detecting security of a login page, including the following steps:
acquiring operation logs of a plurality of users;
acquiring a key field in the operation log from the operation log according to a preset field name;
extracting page operation information in the key field;
acquiring a plurality of page login information generated by the plurality of users logging in the server in N time periods according to the page operation information, wherein each user corresponds to one page login information, and each page login information comprises a page login account, page login time and page login times of the corresponding user;
screening target page login information from the plurality of page login information, wherein the target page login information is page login information that has a login record in only one of the N time periods;
determining a page login account corresponding to the target page login information as a suspicious account;
comparing the user name of the suspicious account with a preset vacation list and judging whether an account impersonation event exists; if so, marking the suspicious account with a suspicious identification, wherein the preset vacation list comprises the users in a vacation state and the account names corresponding to those users;
acquiring an associated social account of a target user corresponding to the suspicious account, and acquiring an activity area of the target user from the associated social account;
inquiring a position area according to the IP address of the page login address of the suspicious account, and comparing the position area with the active area;
and if the position area and the activity area are in the same area, removing the suspicious identification of the suspicious account.
Further, the step of obtaining the number of times of page login includes:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the number of jumps for each page from the page-access adjacency matrix, wherein the number of jumps is the page login times.
Further, the mapping access sequence is as follows:
the parameter identification of the target page login information is represented by a digital node p, and the page displayed after a successful login is represented by a corresponding digital node q.
Furthermore, the page login times are represented by arc[p][q], where arc[p][q] is the number of jumps from the page corresponding to the digital node p to the page corresponding to the digital node q in the page-access adjacency matrix.
Further, before the obtaining of the operation logs of the users, the method further includes:
extracting operation logs of a plurality of users according to a preset rule, and filtering the extracted operation logs;
the preset rule is used to identify operation logs in which the user did not log in successfully.
In order to achieve the above object, an embodiment of the present invention further provides a system for detecting security of a login page, including:
the first acquisition module is used for acquiring operation logs of a plurality of users;
the second acquisition module is used for acquiring key fields in the operation log from the operation log according to preset field names;
the first extraction module is used for extracting the page operation information in the key field;
the second extraction module is used for acquiring a plurality of page login information generated by the plurality of users logging in the server in N time periods according to the page operation information, each user corresponds to one page login information, and each page login information comprises a page login account, page login time and page login times of the corresponding user;
the screening module is used for screening target page login information from the plurality of page login information, wherein the target page login information is page login information that has a login record in only one of the N time periods;
the first judgment module is used for determining a page login account corresponding to the target page login information as a suspicious account;
the second judgment module is used for comparing the user name of the suspicious account with a preset vacation list and judging whether an account impersonation event exists; if so, the suspicious account is marked with a suspicious identification, wherein the preset vacation list comprises the users in a vacation state and the account names corresponding to those users;
a third obtaining module, configured to obtain an associated social account of the target user corresponding to the suspicious account, and obtain an activity area of the target user from the associated social account;
the query module is used for querying a position area according to the IP address of the page login address of the suspicious account and comparing the position area with the activity area;
and the third judgment module is used for removing the suspicious identification of the suspicious account if the position area and the activity area are in the same area.
Further, the second extraction module is further configured to:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the number of jumps for each page from the page-access adjacency matrix, wherein the number of jumps is the page login times.
Further, the mapping access sequence is as follows:
the parameter identification of each page login information is represented by a digital node p, and the page displayed after a successful login is represented by a corresponding digital node q;
the page login times are represented by arc[p][q], where arc[p][q] is the number of jumps from the page corresponding to the digital node p to the page corresponding to the digital node q in the page-access adjacency matrix.
To achieve the above object, an embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the steps of the method for detecting security of a login page as described in any one of the above.
To achieve the above object, an embodiment of the present invention further provides a computer-readable storage medium in which a computer program is stored, where the computer program is executable by at least one processor, so as to cause the at least one processor to execute the steps of the method for detecting security of a login page as described in any one of the above.
According to the method, system, device and storage medium for detecting the security of the login page provided by the embodiments of the invention, the page operation information in the users' operation logs is first obtained and analyzed, the page login information that has records in only a single one of the N time periods is screened out from the plurality of page login information, and that page login information is judged in order to determine suspicious users with abnormal accounts. The original system therefore does not need to be modified, background operation steps are reduced, and the pressure on the system and the network is further reduced.
Drawings
Fig. 1 is a flowchart of the first embodiment of the method for detecting security of a login page according to the present invention.
Fig. 2 is a flowchart of the second embodiment of the method for detecting security of a login page according to the present invention.
Fig. 3 is a schematic diagram of the program modules of the third embodiment of the system for detecting security of a login page.
Fig. 4 is a schematic diagram of the hardware structure of the fourth embodiment of the computer device according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Example one
Referring to Fig. 1, a flowchart of the steps of a method for detecting security of a login page according to the first embodiment of the present invention is shown. It is to be understood that the flowcharts in the embodiments of the present method are not intended to limit the order in which the steps are performed. The following description takes a server as the execution subject. The details are as follows.
Step S101: obtaining operation logs of a plurality of users.
In this embodiment, the terminal receives the user's request instruction for obtaining the operation log and sends it to the server, and the server returns the operation log in response to the request. The operation log records operation information of users logging in to a target page, including but not limited to login address information, login time information and login duration information; the target page is an insurance login page, and the login time information includes the login time information of users who logged in successfully. The terminal comprises computer control equipment and can record and retrieve the users' operation logs.
In this embodiment, before obtaining the operation log of the user, the method further includes:
extracting operation logs of a plurality of users according to a preset rule, and filtering the extracted operation logs;
the preset rule is used to identify operation logs in which the user did not log in successfully.
In this embodiment, if a login to the user account is only attempted (that is, the login did not succeed), an operation record still exists, and operation information such as an account or password error during login is recorded in the operation log. Users whose logins failed are filtered out during filtering, so that logins are not counted repeatedly.
Step S102: acquiring key fields in the operation log from the operation log according to preset field names.
In this embodiment, when the server stores the operation log, the information in the operation log is classified by category and divided into a plurality of fields, each of which has a field name. The preset field names comprise the field names of the login account information, the login time information and the login frequency information, and the key fields containing the login account information, the login time information and the login frequency information are extracted.
Step S103: extracting page operation information in the key field.
In this embodiment, when the key fields in the operation log are acquired from the operation log according to the preset field names, the login account information, the login time information, and the login frequency information are used to extract the page operation information in the key fields.
Step S104: acquiring a plurality of page login information generated by the plurality of users logging in to the server in N time periods according to the page operation information, wherein each user corresponds to one page login information, and each page login information comprises a page login account, page login time and page login times of the corresponding user.
In this embodiment, the step of obtaining the number of times of page login includes:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the number of jumps for each page from the page-access adjacency matrix, wherein the number of jumps is the page login times.
Wherein the mapping access sequence is:
the parameter identification of each page login information is represented by a digital node p, and the page displayed after a successful login is represented by a corresponding digital node q.
In this embodiment, arc[p][q] is used to represent the page login times, where arc[p][q] is the number of jumps from the page corresponding to the digital node p to the page corresponding to the digital node q in the page-access adjacency matrix. For example, the identifier of the login page is named numerically; when a page jump occurs, a corresponding sequence is generated, and the sequence is arranged into a matrix to obtain arc[p][q].
In this embodiment, the N time periods may be preset as required, for example the previous three days or the previous ten days, and it is determined whether each user has an operation record in only one of the N time periods, so as to further determine whether the user is an abnormal user.
Step S105: screening target page login information from the plurality of page login information, wherein the target page login information is page login information that has a login record in only one of the N time periods.
In this embodiment, the terminal sends a request for retrieving the operation log to the server, where the request includes a preset field name, and the preset field name covers the operation log information of all users in the N time periods. The key field comprises the users' login information on the page, and the terminal extracts the page operation information in the key field. The page operation information is the page login information generated by all users logging in to the server in the N time periods. Finally, the page login times of each page login account that has records in only one of the N time periods are extracted. The target page login information comprises information of the login page.
Step S106: and determining the page login account corresponding to the target page login information as a suspicious account.
In this embodiment, the method detects, within the N time periods, a user who has no operation behavior for the first i (i <= N-1) days and has an operation log on day i+1. Alternatively, because detection runs continuously, as long as a user is found to have operation records in only one time period within the target period of N days, the user is screened out and determined to be a suspicious account.
In this embodiment, if there are operation records in more than one time period, the user's account is excluded from suspicion of abnormality. If the user has operation records in a plurality of time periods within the target period, the user is probably in a working state, whereas a user account that has not been used for a long time would not have operation records on multiple occasions, so the suspicion of account abnormality is eliminated.
Step S107: comparing the user name of the suspicious account with a preset vacation list and judging whether an account impersonation event has occurred; if so, marking the suspicious account with a suspicious identification, wherein the preset vacation list comprises the users in a vacation state and the account names corresponding to those users.
In this embodiment, the suspicious account users are collected over the statistics window and then compared with a preset vacation list, which lists all users in the vacation state and the account names corresponding to those users. If a user matches the preset vacation list, the user's account may have been fraudulently used, and the reason for the abnormal use of the account is further investigated.
A query statement is written in SQL, as follows:
SELECT * FROM op_table WHERE op_day BETWEEN (current_day - n) AND current_day GROUP BY op_day HAVING COUNT(id) > 1
op_table is a table that stores user operation information, and includes a user id (id), a user operation time (op_time), and a user operation date (op_day), where op_day is converted from op_time. current_day represents the date up to which this query is run, and n represents the time window of the query statement, which is run each day.
For example, if today is November 11, 2018 and abnormal records in the past 3 days are to be queried, current_day is November 11, 2018 and (current_day - 3) is November 8, 2018.
If a user id does not appear in the query result, the user left an operation record for the first time on November 11, 2018. The list of users meeting this condition is then compared with the vacation user list; if a user is supposed to be on leave on that day but appears in the abnormal-use list, the user's account may have been fraudulently used. The reason for the abnormal use of the account can then be further investigated.
In this embodiment, historical login data corresponding to the suspicious account is obtained, a historical login success rate is computed from the historical login data and compared with the current login success rate, and if the difference exceeds a preset success-rate difference threshold, it is determined that an impersonation event has occurred.
Step S108, obtaining the associated social accounts of the target users corresponding to the suspicious accounts, and obtaining the activity areas of the target users from the associated social accounts.
Step S109, inquiring a position area according to the IP address of the page login address of the suspicious account, and comparing the position area with the activity area.
Step S110, if the location area and the activity area are in the same area, removing the suspicious identification of the suspicious account.
In this embodiment, an associated social account (such as DingTalk or the like) of the target user corresponding to the suspicious account is acquired, and the activity area of the target user is acquired from the associated social account. A location area is queried according to the IP address of the page login address of the suspicious account and compared with the activity area of the target user; if they are in the same area, for example the same city, town, district or street, the suspicious identification of the suspicious account is removed. IP address query software may be used to query the login location of the current suspicious account.
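The screening and triage of steps S105 to S110, as an added example that is not code from the patent: it keeps only successful logins, selects accounts with records on exactly one day of the window, flags those on the vacation list, and clears the flag when the login IP resolves to the user's activity area. The extra `op_table` columns (`ip`, `success`), the sample rows, the IP-to-region table and the status names are constructed assumptions, and each day is treated as one time period.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample operation log: (id, op_time, ip, success).
SAMPLE_LOG = [
    ("alice", "2018-11-08 09:01:00", "192.0.2.10", 1),
    ("alice", "2018-11-09 09:03:00", "192.0.2.10", 1),
    ("alice", "2018-11-11 08:58:00", "192.0.2.10", 1),
    ("bob",   "2018-11-11 03:12:00", "203.0.113.7", 1),
    ("carol", "2018-11-11 10:30:00", "198.51.100.20", 1),
    ("dave",  "2018-11-11 11:00:00", "192.0.2.11", 1),
    ("erin",  "2018-11-10 02:00:00", "203.0.113.7", 0),    # failed attempt only
    ("frank", "2018-11-09 22:40:00", "198.51.100.99", 1),  # IP with no known region
]
# Constructed stand-ins for the vacation list, the activity areas taken from
# associated social accounts, and an IP geolocation lookup.
VACATION_LIST = {"bob", "carol", "erin", "frank"}
ACTIVITY_AREA = {"bob": "Shenzhen", "carol": "Shanghai", "frank": "Beijing"}
IP_REGION = {
    "192.0.2.10": "Shenzhen",
    "192.0.2.11": "Shenzhen",
    "198.51.100.20": "Shanghai",
    "203.0.113.7": "Elsewhere",
}


def load_log(rows):
    """Load rows into an in-memory op_table; op_day is derived from op_time."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE op_table "
        "(id TEXT, op_time TEXT, op_day TEXT, ip TEXT, success INTEGER)"
    )
    conn.executemany(
        "INSERT INTO op_table VALUES (?, ?, substr(?, 1, 10), ?, ?)",
        [(uid, t, t, ip, ok) for uid, t, ip, ok in rows],
    )
    return conn


def suspicious_accounts(conn, current_day, n):
    """Accounts with successful logins on exactly one day in the window
    [current_day - n, current_day], with the IP of their latest login."""
    start = (current_day - timedelta(days=n)).isoformat()
    end = current_day.isoformat()
    ids = conn.execute(
        """SELECT id FROM op_table
           WHERE success = 1 AND op_day BETWEEN ? AND ?
           GROUP BY id HAVING COUNT(DISTINCT op_day) = 1
           ORDER BY id""",
        (start, end),
    ).fetchall()
    result = []
    for (uid,) in ids:
        (ip,) = conn.execute(
            """SELECT ip FROM op_table
               WHERE id = ? AND success = 1 AND op_day BETWEEN ? AND ?
               ORDER BY op_time DESC LIMIT 1""",
            (uid, start, end),
        ).fetchone()
        result.append((uid, ip))
    return result


def triage(conn, current_day, n, vacation, activity_area, ip_region):
    """Return {account: status} for every suspicious account.

    suspicious: single-period login, user not on the vacation list
    flagged:    user is on leave and the login region does not match
    cleared:    user is on leave but logged in from their activity area
    """
    status = {}
    for uid, ip in suspicious_accounts(conn, current_day, n):
        if uid not in vacation:
            status[uid] = "suspicious"
            continue
        login_region = ip_region.get(ip)
        # An unknown login region keeps the flag: the check fails closed.
        if login_region is not None and login_region == activity_area.get(uid):
            status[uid] = "cleared"
        else:
            status[uid] = "flagged"
    return status


if __name__ == "__main__":
    conn = load_log(SAMPLE_LOG)
    for account, state in triage(conn, date(2018, 11, 11), 3, VACATION_LIST,
                                 ACTIVITY_AREA, IP_REGION).items():
        print(account, state)
```

Shrinking the window changes who is screened: with n = 1 the account alice has records on only one day of the window and becomes suspicious, while frank falls outside it.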
Example two
Referring to fig. 2, a flowchart of the steps of calculating the page login times according to the second embodiment of the present invention is shown. It is to be understood that the flow charts in the embodiments of the present method are not intended to limit the order in which the steps are performed. The following description is made by taking a server as an execution subject. The details are as follows.
Step S201: acquiring the mapping access sequence of each user according to the plurality of page login information.
Step S202: generating a page-access adjacency matrix according to the mapping access sequence of each user.
Step S203: acquiring the number of jumps for each page from the page-access adjacency matrix, wherein the number of jumps is the page login times.
In this embodiment, the mapping access sequence is: the parameter identification of the target page login information is represented by a digital node p, and the page displayed after a successful login is represented by a corresponding digital node q.
The mapping access sequence in this embodiment may be understood as representing the access sequence of the user by using an index, for example a number. Specifically, each page identifier parameter in the operation log may be mapped to a number, and the mapping access sequence of each user can then be obtained from the order of the pages corresponding to that user's page identifier parameters.
In this embodiment, arc[p][q] is used to represent the page login times, where arc[p][q] is the number of jumps from the page corresponding to the digital node p to the page corresponding to the digital node q in the page-access adjacency matrix.
In this embodiment, the adjacency matrix is a matrix representing the adjacency relationship between vertices, and is generated according to the mapping access sequence of each user. Each point in the mapping access sequence of each user forms a vertex in the page-access adjacency matrix. Since the mapping access sequence of each user represents the order of the pages accessed by the user, the page-access adjacency matrix in this embodiment is a directed adjacency matrix. The import traffic corresponding to a vertex represents, in this embodiment, the number of jumps into the page corresponding to that vertex's digital node, and is equal to the sum of the values of all directed edges in the column of the page-access adjacency matrix corresponding to that digital node. For example, the import traffic corresponding to vertex 3, i.e. the total number of jumps from other pages to the page corresponding to digital node 3, may include the number of jumps from the start page (page 0) to the page corresponding to digital node 3, the number of jumps from the page corresponding to digital node 1 to the page corresponding to digital node 3, the number of jumps from the page corresponding to digital node 2 to the page corresponding to digital node 3, and so on, up to the number of jumps from the page corresponding to digital node n to the page corresponding to digital node 3. In the page-access adjacency matrix, all directed edges arc[i][3] for i from 0 to n are summed to obtain the total import traffic corresponding to vertex 3, namely the page login times.
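The jump-count computation of steps S201 to S203, as an added example that is not code from the patent: page identifiers are mapped to digital nodes, the directed matrix arc[p][q] is accumulated from each user's access sequence, and a column sum gives the import traffic of a page. The page names, the sample sequences and the `<start>` label for node 0 are constructed assumptions.

```python
START = "<start>"  # node 0: the start page every sequence begins from

# Constructed sample: pages visited by each user, in access order.
SEQUENCES = {
    "u1": ["/login", "/home", "/attendance"],
    "u2": ["/login", "/home", "/login", "/home"],
    "u3": ["/home"],
}


def map_pages(sequences):
    """Map each page identifier to a digital node, in first-seen order."""
    node_of = {START: 0}
    for seq in sequences.values():
        for page in seq:
            node_of.setdefault(page, len(node_of))
    return node_of


def build_adjacency(sequences, node_of):
    """arc[p][q] = number of jumps from page p to page q over all users."""
    n = len(node_of)
    arc = [[0] * n for _ in range(n)]
    for seq in sequences.values():
        prev = node_of[START]
        for page in seq:
            q = node_of[page]
            arc[prev][q] += 1
            prev = q
    return arc


def import_traffic(arc, q):
    """Sum of column q: all jumps into page q from any page i, arc[i][q]."""
    return sum(row[q] for row in arc)


def login_times_per_user(sequences, node_of, login_page, post_login_page):
    """Per-user arc[p][q] for p = login page, q = page shown after login."""
    p, q = node_of[login_page], node_of[post_login_page]
    return {
        user: build_adjacency({user: seq}, node_of)[p][q]
        for user, seq in sequences.items()
    }


if __name__ == "__main__":
    nodes = map_pages(SEQUENCES)
    arc = build_adjacency(SEQUENCES, nodes)
    for row in arc:
        print(row)
    print("import traffic of /home:", import_traffic(arc, nodes["/home"]))
    print(login_times_per_user(SEQUENCES, nodes, "/login", "/home"))
```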
Example three
Fig. 3 is a schematic diagram of the program modules of a system for detecting security of a login page according to the third embodiment of the present invention. Specifically, it comprises the following:
a first obtaining module 301, configured to obtain operation logs of multiple users.
Specifically, the operation log in this embodiment records operation information of a user logging in to a target page, where the operation log includes, but is not limited to, operation information such as the login address, login time, and login duration of the user during login, and the target page is an insurance login page.
Before the operation logs of the users are obtained, the operation logs are also filtered to remove the operation logs of non-real users. For example, if a login to the user account is only attempted (that is, the login did not succeed), an operation record still exists, and operation information such as an account or password error during login is recorded in the operation log. Users whose logins failed are filtered out during filtering, so that logins are not counted repeatedly.
A second obtaining module 302, configured to obtain a key field in the operation log from the operation log according to a preset field name.
In this embodiment, when the server stores the operation log, the server classifies the information of the operation log according to categories, and divides the information into a plurality of fields, where each field is provided with a field name. The preset field names comprise field names of the login account information, the login time information and the login frequency information. When extracting, the second obtaining module 302 extracts the key fields with the login account information, the login time information, and the login frequency information.
The first extracting module 303 is configured to extract the page operation information in the key field.
In this embodiment, when the key fields in the operation log are obtained from the operation log according to the preset field names, the first extraction module 303 extracts the page operation information in the key fields with the login account information, the login time information, and the login frequency information.
A second extracting module 304, configured to obtain, according to the page operation information, multiple page login information generated by the multiple users logging in the server in N time periods, where each user corresponds to one page login information, and each page login information includes a page login account, page login time, and page login times of the corresponding user.
In this embodiment, the second extracting module is further configured to:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the jumping times of each page according to the adjacency matrix of page access, wherein the jumping times are the page login times.
The mapping access sequence is as follows:
representing the parameter identification of each page login information by a digital node p, and displaying a corresponding digital node q on a page after login is successful;
the page login times are represented by arc[p][q], where arc[p][q] is the number of jumps from the page corresponding to the digital node p to the page corresponding to the digital node q in the adjacency matrix of page access.
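The mapping and counting steps above, as an added example (not code from the patent): page identifiers are mapped to numeric nodes, a per-user adjacency matrix is built, and the login count is read from the login node's row. The page names, the choice of node 0 for the login page, and the rule that a jump from the login page back to itself is a failed attempt are assumptions of this example.

```python
from collections import defaultdict

LOGIN_PAGE = "login"  # assumed identifier of the login page (node p)

# Constructed sample: (account, page identifier) records in time order.
SAMPLE_RECORDS = [
    ("alice", "login"), ("alice", "home"), ("alice", "policy"),
    ("alice", "login"), ("alice", "home"),
    ("bob", "login"), ("bob", "login"), ("bob", "home"),  # first attempt failed
]


def map_access_sequences(records):
    """Replace page identifiers with numeric nodes, one sequence per account."""
    node_ids = {LOGIN_PAGE: 0}
    sequences = defaultdict(list)
    for account, page in records:
        node = node_ids.setdefault(page, len(node_ids))
        sequences[account].append(node)
    return dict(sequences), node_ids


def adjacency_matrix(sequence, size):
    """arc[p][q] = number of jumps from node p directly to node q."""
    arc = [[0] * size for _ in range(size)]
    for p, q in zip(sequence, sequence[1:]):
        arc[p][q] += 1
    return arc


def page_login_times(arc, login_node):
    """Count the jumps that leave the login node for another page.

    arc[login][login] is skipped: a failed attempt redisplays the login
    page (an assumption of this example), so it is not counted as a login.
    """
    return sum(n for q, n in enumerate(arc[login_node]) if q != login_node)


def login_times_per_account(records):
    """Page login times for every account found in the records."""
    sequences, node_ids = map_access_sequences(records)
    login_node = node_ids[LOGIN_PAGE]
    return {
        account: page_login_times(adjacency_matrix(seq, len(node_ids)), login_node)
        for account, seq in sequences.items()
    }


if __name__ == "__main__":
    print(login_times_per_account(SAMPLE_RECORDS))
```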
In this embodiment, the N time periods can be preset as needed, for example the previous three days, the previous ten days, and the like. Whether each user has an operation record in only one of the N time periods is determined, so as to further determine whether the user is an abnormal user. The second extraction module 304 obtains, from the page operation information, the plurality of page login information generated by the plurality of users logging in the server in the N time periods.
A screening module 305, configured to screen target page login information from the multiple pieces of page login information, where the target page login information is page login information that only has a single login record in the N time periods.
In this embodiment, the target page login information includes the login information of each user on a page, and the screening module 305 screens out the page login information that is recorded in only a single one of the N time periods.
The first determining module 306 is configured to determine a page login account corresponding to the target page login information as a suspicious account.
In this embodiment, the invention detects users who performed no operation during the first i (i <= N-1) days of the N time periods and have an operation log on day i+1. Alternatively, because the method runs continuously, a user is screened out and determined to be a suspicious account as long as only one time period with an operation record is detected within the target period of N days.
In this embodiment, if operation records exist in more than one time period, the user's account is ruled out as abnormal or suspicious. If the user has operation records in several time periods within the target period, the user is probably in a working state, whereas a user account that has not been used for a long time does not have operation records in several periods, so the account is ruled out as suspicious.
A second determining module 307, configured to compare the user name of the suspicious account with a preset vacation list, and determine whether there is an account fraudulent event, if so, mark a suspicious identifier on the suspicious account, where the preset vacation list includes users in a vacation state and account names corresponding to the vacation users.
In this embodiment, the suspicious account users are collected over the counting window and then compared with a preset vacation list, which lists all users in the vacation state and the account names corresponding to those users. If a user matches the preset vacation list, the user's account may have been fraudulently used, and the reason for the abnormal use of the account is investigated further.
A query statement is written in SQL as follows:
SELECT * FROM op_table WHERE op_day BETWEEN (current_day - n) AND current_day GROUP BY op_day HAVING COUNT(id) > 1
Here op_table is the table that stores user operation information; it includes a user id (id), a user operation time (op_time), and a user operation date (op_day), where op_day is converted from op_time. current_day is the date up to which the query runs, and n is the time window covered by the query statement, which is run each day.
For example: today is November 11, 2018; to query the exception records of the past 3 days, current_day is November 11, 2018, and (current_day-3) is November 8, 2018.
If the user id included in the queried result does not appear in the queried result, the user left an operation record for the first time on November 11, 2018. The list of qualifying users is then compared with the vacation user list; if a user is supposed to be on leave that day but appears in the abnormal-use list, the user's account may have been fraudulently used, and so on. The reason for the abnormal use of the account can then be investigated further.
A third obtaining module 308, configured to obtain an associated social account of the target user corresponding to the suspicious account, and obtain an activity area of the target user from the associated social account.
The query module 309 is configured to query a location area according to the IP address of the page login address of the suspicious account, and compare the location area with the active area.
A third determining module 310, configured to remove the suspicious identifier of the suspicious account if the location area and the activity area are in the same area.
In this embodiment, the associated social account (such as DingTalk or the like) of the target user corresponding to the suspicious account is acquired, and the activity area of the target user is acquired from the associated social account. A location area is queried according to the IP address of the page login address of the suspicious account and compared with the activity area of the target user; if the two are in the same area, for example the same city, town, district, street or the like, the suspicious identifier of the suspicious account is removed.
In this embodiment, historical login data corresponding to the suspicious account is obtained, the historical login success rate is computed from the historical login data and compared with the current login success rate, and if the difference is large, it is determined that an impersonation event has occurred.
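The screening, vacation-list and region checks of this embodiment, chained over the op_table described above, as an added example (not the patent's own code). The ip and success columns, the IP-to-region and activity-area tables and every sample row are constructed assumptions; one time period is taken to be one day, and the query is this example's own formulation rather than the statement quoted above.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample rows: (id, op_time, ip, success). ip and success are
# assumed columns; op_day is derived from op_time as the page describes.
SAMPLE_ROWS = [
    ("wang", "2018-11-08 09:01:00", "198.51.100.20", 1),
    ("wang", "2018-11-09 09:03:00", "198.51.100.20", 1),
    ("wang", "2018-11-11 08:58:00", "198.51.100.20", 1),
    ("li",   "2018-11-11 02:14:00", "203.0.113.7",   1),
    ("li",   "2018-11-11 02:40:00", "203.0.113.7",   1),
    ("zhao", "2018-11-10 10:30:00", "198.51.100.21", 1),
    ("chen", "2018-11-09 11:00:00", "192.0.2.5",     0),  # failed attempt
    ("chen", "2018-11-11 11:05:00", "192.0.2.5",     1),
    ("sun",  "2018-11-10 23:50:00", "203.0.113.9",   0),  # failures only
]
VACATION_ACCOUNTS = {"li", "zhao"}                      # constructed vacation list
ACTIVITY_AREA = {"li": "Shenzhen", "zhao": "Shenzhen"}  # stand-in for the social-account lookup
IP_REGION = {"198.51.100.20": "Shenzhen", "198.51.100.21": "Shenzhen",
             "203.0.113.7": "Shanghai", "192.0.2.5": "Shenzhen"}  # stand-in for IP geolocation

# Accounts whose successful logins fall on exactly one day of the window.
SINGLE_PERIOD_SQL = """
SELECT id, GROUP_CONCAT(DISTINCT ip)
FROM op_table
WHERE success = 1 AND op_day BETWEEN :start AND :end
GROUP BY id
HAVING COUNT(DISTINCT op_day) = 1
"""


def load(rows):
    """Build an in-memory op_table; op_day is the date part of op_time."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE op_table "
                 "(id TEXT, op_time TEXT, op_day TEXT, ip TEXT, success INTEGER)")
    conn.executemany("INSERT INTO op_table VALUES (?, ?, ?, ?, ?)",
                     [(a, t, t[:10], ip, ok) for a, t, ip, ok in rows])
    return conn


def detect(conn, current_day, n, vacation, activity_area, ip_region):
    """Return {account: status} for accounts active in a single period."""
    window = {"start": (current_day - timedelta(days=n)).isoformat(),
              "end": current_day.isoformat()}
    status = {}
    for account, ips in conn.execute(SINGLE_PERIOD_SQL, window):
        if account not in vacation:
            status[account] = "suspicious"   # single-period account, not on leave
            continue
        regions = {ip_region.get(ip) for ip in (ips or "").split(",")}
        home = activity_area.get(account)
        if home is not None and regions == {home}:
            status[account] = "cleared"      # identifier removed: same area
        else:
            status[account] = "flagged"      # on leave, area differs or unknown
    return status


def run_sample():
    return detect(load(SAMPLE_ROWS), date(2018, 11, 11), 3,
                  VACATION_ACCOUNTS, ACTIVITY_AREA, IP_REGION)


if __name__ == "__main__":
    print(run_sample())
```

Failed logins are dropped in the WHERE clause, so chen counts as a single-period account despite the earlier failed attempt, and sun never appears.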
Example four
Referring to fig. 4, a hardware structure diagram of a computer device according to a fourth embodiment of the present invention is shown.
The present invention further provides a computer device 2, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server, a tower server or a rack server (including an independent server or a server cluster composed of a plurality of servers) capable of executing programs, and the like. The computer device 2 of the present embodiment includes at least, but is not limited to: a memory 21, a processor 22, etc. that may be communicatively coupled to each other via a system bus.
In the present embodiment, the memory 21 includes at least one type of computer-readable storage medium including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the storage 21 may be an internal storage unit of the computer device 2, such as a hard disk or a memory of the computer device 2. In other embodiments, the memory 21 may also be an external storage device of the computer device 2, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like provided on the computer device 2. Of course, the memory 21 may also comprise both internal and external memory units of the computer device 2. In this embodiment, the memory 21 is generally used for storing an operating system and various application software installed in the computer device 2, for example, the program code of the detection system 20 for security of login page in the fourth embodiment. Further, the memory 21 may also be used to temporarily store various types of data that have been output or are to be output.
In some embodiments, the processor 22 may be a central processing unit (CPU), controller, microcontroller, microprocessor, or other data processing chip. The processor 22 is typically used to control the overall operation of the computer device 2. In this embodiment, the processor 22 is configured to run the program code stored in the memory 21 or to process data, for example, to run the detection system 20 for security of login pages, so as to implement the detection method for security of login pages in the first or second embodiment.
The network interface 23 may comprise a wireless network interface or a wired network interface, and the network interface 23 is generally used for establishing communication connection between the computer device 2 and other electronic apparatuses. For example, the network interface 23 is used to connect the computer device 2 to an external terminal through a network, establish a data transmission channel and a communication connection between the computer device 2 and the external terminal, and the like. The network may be a wireless or wired network such as an Intranet (Intranet), the Internet (Internet), a Global System of Mobile communication (GSM), wideband Code Division Multiple Access (WCDMA), a 4G network, a 5G network, bluetooth (Bluetooth), wi-Fi, and the like.
Example five
The present embodiment also provides a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application store, etc., on which a computer program is stored that implements the corresponding functions when executed by a processor. The computer program of this embodiment may be executed by at least one processor, so that the at least one processor executes the method for detecting security of a login page according to the first embodiment or the second embodiment.
According to the method, the system and the storage medium for detecting the security of the login page, provided by the embodiment of the invention, the page operation information in the operation log of the user is firstly obtained and analyzed, the corresponding page login information recorded only in a single time period of the N time periods is screened out from the multiple pieces of page login information, the page login information is judged to determine the suspicious user with abnormal account number, and the original system is not required to be modified, so that the background operation steps are reduced, and the pressure on the system and the network is further reduced.
The above-mentioned serial numbers of the embodiments of the present invention are only for description, and do not represent the advantages and disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for detecting the security of a login page is characterized by comprising the following steps:
acquiring operation logs of a plurality of users;
acquiring key fields in the operation log from the operation log according to preset field names;
extracting page operation information in the key field;
acquiring a plurality of page login information generated by a plurality of users logging in a server in N time periods according to the page operation information, wherein each user corresponds to one page login information, and each page login information comprises a page login account, page login time and page login times of the corresponding user;
screening target page login information from the plurality of page login information, wherein the target page login information is page login information only having single login records in the N time periods;
determining a page login account corresponding to the target page login information as a suspicious account;
comparing the user name of the suspicious account with a preset vacation list, judging whether an account falsifying event exists, if so, marking a suspicious mark on the suspicious account, wherein the preset vacation list comprises users in a vacation state and account names corresponding to vacation users;
acquiring an associated social account of a target user corresponding to the suspicious account, and acquiring an activity area of the target user from the associated social account;
inquiring a position area according to the IP address of the page login address of the suspicious account, and comparing the position area with the active area;
and if the position area and the activity area are in the same area, removing the suspicious identification of the suspicious account.
2. The method for detecting according to claim 1, wherein the step of obtaining the number of page logins comprises:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the jumping times of each page according to the adjacency matrix of the page access, wherein the jumping times are the page login times.
3. The detection method according to claim 2, wherein the mapping access sequence is:
and representing the parameter identification of each page login information by a digital node p, and displaying a corresponding digital node q on the page after login is successful.
4. The detection method according to claim 3, wherein the page login times are represented by arc[p][q], and arc[p][q] is the number of jumps from the page corresponding to the digital node p to the page corresponding to the digital node q in the adjacency matrix of the page access.
5. The detection method according to claim 1, wherein before obtaining the operation logs of the plurality of users, the method further comprises:
extracting operation logs of a plurality of users according to a preset rule, and filtering the extracted operation logs;
the preset rule is used for judging the operation logs of which the users do not log in successfully.
6. A system for detecting security of a login page, comprising:
the first acquisition module is used for acquiring operation logs of a plurality of users;
the second acquisition module is used for acquiring key fields in the operation log from the operation log according to preset field names;
the first extraction module is used for extracting the page operation information in the key field;
the second extraction module is used for acquiring a plurality of page login information generated by the plurality of users logging in the server in N time periods according to the page operation information, each user corresponds to one page login information, and each page login information comprises a page login account, page login time and page login times of the corresponding user;
the screening module is used for screening target page login information from the plurality of page login information, wherein the target page login information is the page login information only having single login records in the N time periods;
the first judgment module is used for determining a page login account corresponding to the target page login information as a suspicious account;
the second judgment module is used for comparing the user name of the suspicious account with a preset vacation list and judging whether an account fraudulent event exists or not, if so, the suspicious account is marked with a suspicious mark, and the preset vacation list comprises users in a vacation state and account names corresponding to vacation users;
a third obtaining module, configured to obtain an associated social account of the target user corresponding to the suspicious account, and obtain an activity area of the target user from the associated social account;
the query module is used for querying a position area according to the IP address of the page login address of the suspicious account and comparing the position area with the activity area;
and the third judgment module is used for removing the suspicious identification of the suspicious account if the position area and the activity area are in the same area.
7. The detection system of claim 6, wherein the second extraction module is further configured to:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the jumping times of each page according to the adjacency matrix of the page access, wherein the jumping times are the page login times.
8. The detection system of claim 7, wherein the mapping access sequence is:
representing the parameter identification of each page login information by a digital node p, and displaying a corresponding digital node q on a page after login is successful;
the page login times are represented by arc[p][q], and arc[p][q] is the number of jumps from the page corresponding to the digital node p to the page corresponding to the digital node q in the adjacency matrix of the page access.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method for detecting security of login pages as claimed in any one of claims 1 to 5 when executing said computer program.
10. A computer-readable storage medium, in which a computer program is stored which is executable by at least one processor to cause the at least one processor to perform the steps of the method for detecting security of login pages as claimed in any one of claims 1 to 5.
CN201910366731.0A 2019-05-05 2019-05-05 Method, system, equipment and storage medium for detecting security of login page Active CN110191097B (en)


Publications (2)

Publication Number Publication Date
CN110191097A (en) 2019-08-30
CN110191097B (en) 2023-01-10

Family

ID=67715484


Country Status (1)

Country Link
CN (1) CN110191097B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant