CN110191097B - Method, system, equipment and storage medium for detecting security of login page - Google Patents
- Publication number: CN110191097B (CN201910366731.0A)
- Authority
- CN
- China
- Prior art keywords
- page
- login
- account
- user
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/107—Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Technology Law (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The embodiment of the invention provides a method for detecting the security of a login page, comprising the following steps: acquiring operation logs of a plurality of users, and acquiring key fields and page operation information in the operation logs according to preset field names; acquiring, according to the page operation information, a plurality of pieces of page login information generated by the plurality of users logging in to a server in N time periods, wherein each user corresponds to one piece of page login information; screening target page login information from the plurality of pieces of page login information, wherein the target page login information is page login information that has a login record in only a single one of the N time periods; and determining the target page login account as a suspicious account, and further judging whether an account falsifying event exists. The embodiment of the invention also provides a system for detecting the security of a login page, computer equipment and a storage medium. The embodiment of the invention can efficiently detect the common use event of the login page.
Description
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method, a system, equipment and a storage medium for detecting the security of a login page.
Background
The enterprise management system aims at providing various services and playing various functions for enterprise staff in a centralized manner by means of a systematized management idea. The enterprise staff can log in the enterprise management system according to the self authority, such as checking attendance information, submitting and downloading files and the like. In order to guarantee the safe operation of the system, how to check the abnormal login event of the system is a technical problem to be solved at present.
However, in the existing detection of the abnormal account, an original system needs to be additionally modified, for example, when a login request of a user is obtained each time, the system needs to check the vacation state of the user, and at this time, a database needs to be called for checking, which brings huge pressure to both a network and the database.
Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide a method, a system, a device, and a storage medium for detecting security of a login page, which can check an abnormal account user without modifying an original system, thereby reducing background operation steps and further reducing pressure on the system and a network.
In order to achieve the above object, an embodiment of the present invention provides a method for detecting security of a login page, including the following steps:
acquiring operation logs of a plurality of users;
acquiring a key field in the operation log from the operation log according to a preset field name;
extracting page operation information in the key field;
acquiring a plurality of page login information generated by the plurality of users logging in the server in N time periods according to the page operation information, wherein each user corresponds to one page login information, and each page login information comprises a page login account, page login time and page login times of the corresponding user;
screening target page login information from the plurality of page login information, wherein the target page login information is page login information only recorded by single login in the N time periods;
determining a page login account corresponding to the target page login information as a suspicious account;
comparing the user name of the suspicious account with a preset vacation list, judging whether an account falsifying event exists, if so, marking a suspicious mark on the suspicious account, wherein the preset vacation list comprises users in a vacation state and account names corresponding to the vacation users;
acquiring an associated social account of a target user corresponding to the suspicious account, and acquiring an activity area of the target user from the associated social account;
inquiring a position area according to the IP address of the page login address of the suspicious account, and comparing the position area with the active area;
and if the position area and the activity area are in the same area, removing the suspicious identification of the suspicious account.
Further, the step of obtaining the number of times of page login includes:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the jumping times of each page according to the adjacency matrix of page access, wherein the jumping times are the page login times.
Further, the mapping access sequence is as follows:
and representing the parameter identification of the target page login information by a digital node p, and displaying a corresponding digital node q on the page after successful login.
Furthermore, the page login times are represented by arc[p][q], where arc[p][q] is the number of hops from the page corresponding to the digital node p to the page corresponding to the digital node q in the adjacency matrix of page access.
Further, before the obtaining the operation log of the user, the method further includes:
extracting operation logs of a plurality of users according to a preset rule, and filtering the extracted operation logs;
the preset rule is used for judging the operation logs of which the users do not log in successfully.
In order to achieve the above object, an embodiment of the present invention further provides a system for detecting security of a login page, including:
the first acquisition module is used for acquiring operation logs of a plurality of users;
the second acquisition module is used for acquiring key fields in the operation log from the operation log according to preset field names;
the first extraction module is used for extracting the page operation information in the key field;
the second extraction module is used for acquiring a plurality of page login information generated by the plurality of users logging in the server in N time periods according to the page operation information, each user corresponds to one page login information, and each page login information comprises a page login account, page login time and page login times of the corresponding user;
the screening module is used for screening target page login information from the plurality of page login information, wherein the target page login information is page login information only having single login records in the N time periods;
the first judgment module is used for determining a page login account corresponding to the target page login information as a suspicious account;
the second judgment module is used for comparing the user name of the suspicious account with a preset vacation list and judging whether an account fraudulent event exists or not, if so, the suspicious account is marked with a suspicious mark, and the preset vacation list comprises users in a vacation state and account names corresponding to the vacation users;
a third obtaining module, configured to obtain an associated social account of the target user corresponding to the suspicious account, and obtain an activity area of the target user from the associated social account;
the query module is used for querying a position area according to the IP address of the page login address of the suspicious account and comparing the position area with the activity area;
and the third judgment module is used for removing the suspicious identification of the suspicious account if the position area and the activity area are in the same area.
Further, the second extraction module is further configured to:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the jumping times of each page according to the adjacency matrix of page access, wherein the jumping times are the page login times.
Further, the mapping access sequence is as follows:
representing the parameter identification of each page login information by a digital node p, and displaying a corresponding digital node q on a page after login is successful;
the page login times are represented by arc[p][q], where arc[p][q] is the number of hops from the page corresponding to the digital node p to the page corresponding to the digital node q in the adjacency matrix of page access.
To achieve the above object, an embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method for detecting security of a login page as described in any one of the above when executing the computer program.
To achieve the above object, an embodiment of the present invention further provides a computer-readable storage medium, in which a computer program is stored, where the computer program is executable by at least one processor, so as to cause the at least one processor to execute the steps of the method for detecting security of a login page as described in any one of the above.
According to the method, the system and the storage medium for detecting the security of the login page, provided by the embodiment of the invention, the page operation information in the operation log of the user is firstly obtained and analyzed, the corresponding page login information recorded in a single time period of the N time periods is screened out from the multiple page login information, and the page login information is judged to determine the suspicious user with abnormal account number, so that the original system is not required to be modified, background operation steps are reduced, and the pressure on the system and a network is further reduced.
Drawings
Fig. 1 is a flowchart of a first embodiment of the method for detecting security of a login page according to the present invention.
Fig. 2 is a flowchart of a second embodiment of the method for detecting security of a login page according to the present invention.
Fig. 3 is a schematic diagram of program modules of a third embodiment of the system for detecting security of a login page.
Fig. 4 is a schematic diagram of a hardware structure of a fourth embodiment of the computer apparatus according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Example one
Referring to fig. 1, a flowchart illustrating the steps of a method for detecting security of a login page according to a first embodiment of the present invention is shown. It is to be understood that the flowcharts in the embodiments of the present method are not intended to limit the order in which the steps are performed. The following description takes a server as the execution subject. The details are as follows.
Step S101: operation logs of a plurality of users are obtained.
In this embodiment, the terminal receives a request instruction from the user for obtaining the operation log and sends it to the server, and the server returns the operation log according to the request instruction. The operation log records the operation information of a user logging in to the target page; it includes, but is not limited to, operation information such as login address information, login time information and login duration information recorded when the user logs in. The target page is an insurance login page, and the login time information includes the login time information of users who logged in successfully. The terminal comprises computer control equipment, and the terminal can record and retrieve the operation log of the user.
In this embodiment, before obtaining the operation log of the user, the method further includes:
extracting operation logs of a plurality of users according to a preset rule, and filtering the extracted operation logs;
the preset rule is used for judging the operation logs of which the users do not log in successfully.
In this embodiment, if a login to the user account is attempted but does not succeed, an operation record still exists: operation information such as an account or password error during login is recorded in the operation log. Users whose login failed are filtered out during filtering, so that the login frequency is not counted repeatedly.
Step S102: and acquiring key fields in the operation log from the operation log according to preset field names.
In this embodiment, when the server stores the operation log, the information of the operation log is classified according to categories and divided into a plurality of fields, and each field is provided with a field name. The preset field names comprise field names of the login account information, the login time information and the login frequency information, and key fields with the login account information, the login time information and the login frequency information are extracted during extraction.
Step S103: and extracting page operation information in the key field.
In this embodiment, when the key fields in the operation log are acquired from the operation log according to the preset field names, the login account information, the login time information, and the login frequency information are used to extract the page operation information in the key fields.
Step S104: and acquiring a plurality of page login information generated by the plurality of users logging in the server in N time periods according to the page operation information, wherein each user corresponds to one page login information, and each page login information comprises a page login account, page login time and page login times of the corresponding user.
In this embodiment, the step of obtaining the number of times of page login includes:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the jumping times of each page according to the adjacency matrix of page access, wherein the jumping times are the page login times.
Wherein the mapping access sequence is:
and representing the parameter identification of each page login information by a digital node p, and displaying a corresponding digital node q on the page after login is successful.
In this embodiment, arc[p][q] is used to represent the page login times, where arc[p][q] is the number of hops from the page corresponding to the digital node p to the page corresponding to the digital node q in the adjacency matrix of page access. For example, the identifier of the login page is given a numeric name; when a page jump occurs, a corresponding sequence is generated, and the sequence is arranged into a matrix to obtain arc[p][q].
In this embodiment, the N time periods may be preset as needed, for example the previous three days, the previous ten days, and the like. Whether each user has an operation record in only one of the N time periods is determined, so as to further determine whether the user is an abnormal user.
Step S105: and screening target page login information from the plurality of page login information, wherein the target page login information is the page login information only recorded by single login in the N time periods.
In this embodiment, the terminal sends a request for retrieving the operation log to the server; the request includes a preset field name, and the preset field name is information of the operation logs of all users in N time periods. The key field comprises the login information of the user on the page, and the terminal extracts the page operation information in the key field. The page operation information is the page login information generated by all users logging in to the server in N time periods. Finally, the page login times recorded for each page login account in only one of the N time periods are extracted. The target page login information comprises information of a login page.
Step S106: and determining the page login account corresponding to the target page login information as a suspicious account.
In this embodiment, the method detects a user who has no operation behavior in the first i (i <= N-1) days of the N time periods and has an operation log on day i+1. Alternatively, because the detection runs continuously, as long as only one time period with an operation record is found within the target time period of N days, the user is screened out and determined as a suspicious account.
In this embodiment, if there is an operation record in more than one time period, the account of the user is no longer suspected of being abnormal. If the user has operation records in a plurality of time periods within the target time period, the user is probably in a working state, whereas a user account that has not been used for a long time does not have operation records in multiple periods, so the suspicion of account abnormality is eliminated.
Step S107: and comparing the user name of the suspicious account with a preset vacation list, judging whether an account falsifying event occurs, if so, marking a suspicious mark on the suspicious account, wherein the preset vacation list comprises the users in a vacation state and account names corresponding to the vacation users.
In this embodiment, the suspicious account users are counted by the counting window and then compared with a preset vacation list, which lists all users in the vacation state and the account names corresponding to those users. If a user matches the preset vacation list, the account of the user has possibly been falsely used, and the reason for the abnormal use of the account is further investigated.
A query statement is written in SQL, as follows:
SELECT * FROM op_table WHERE op_day BETWEEN (current_day - n) AND current_day GROUP BY op_day HAVING COUNT(id) > 1
Here op_table is the table storing user operation information, and includes a user id (id), a user operation time (op_time), and a user operation date (op_day), where op_day is converted from op_time. current_day represents the date until which this query was run, and n represents the time window during which this query statement was run each day.
For example: today is November 11, 2018; to query the abnormal records in the past 3 days, current_day is November 11, 2018 and (current_day - 3) is November 8, 2018.
If the user id included in the queried result does not appear in the queried result, the operation record was left for the first time on November 11, 2018. The user list meeting the conditions is then compared with the vacation user list; if a user is supposed to be on leave that day but is in the abnormal use list, the account of the user has possibly been falsely used. The reason for the abnormal use of the account can then be further investigated.
In this embodiment, historical login data corresponding to the suspicious account is obtained, a historical login success rate is counted according to the historical login data, the historical login success rate is compared with a current login success rate, and if a difference value exceeds a preset success rate difference value threshold, it is determined that an impersonated event occurs.
Step S108, obtaining the associated social accounts of the target users corresponding to the suspicious accounts, and obtaining the activity areas of the target users from the associated social accounts.
Step S109, inquiring a position area according to the IP address of the page login address of the suspicious account, and comparing the position area with the activity area.
Step S110, if the location area and the activity area are in the same area, removing the suspicious identification of the suspicious account.
In this embodiment, the associated social account (such as DingTalk) of the target user corresponding to the suspicious account is acquired, and the activity area of the target user is acquired from it. A location area is queried according to the IP address of the page login address of the suspicious account and compared with the activity area of the target user; if the two are in the same area, for example the same city, town, district or street, the suspicious identifier of the suspicious account is removed. IP address query software may be used to query the login location of the current suspicious account.
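Steps S105 to S110 as an added example, not part of the patent text: it keeps accounts with successful-login records on only one day of the window, checks them against the vacation list, and clears the mark when every login IP resolves to the user's activity area. The op_ip column, the lookup tables, the user names, the status labels and the log rows are constructed assumptions, and the `GROUP BY id ... COUNT(DISTINCT op_day) = 1` query is this example's reading of the screening rule, not the statement quoted above.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample log: (user id, op_time, login succeeded, login IP).
SAMPLE_LOG = [
    ("alice", "2018-11-08 09:01:00", True, "192.0.2.10"),
    ("alice", "2018-11-09 09:03:00", True, "192.0.2.10"),
    ("alice", "2018-11-11 08:55:00", True, "192.0.2.10"),
    ("bob", "2018-11-11 23:40:00", True, "203.0.113.7"),
    ("carol", "2018-11-10 10:00:00", False, "192.0.2.30"),  # failed attempt
    ("carol", "2018-11-11 10:02:00", True, "192.0.2.30"),
    ("dave", "2018-11-11 02:15:00", True, "198.51.100.20"),
    ("dave", "2018-11-11 02:40:00", True, "198.51.100.20"),
]
VACATION = {"bob", "dave"}  # constructed vacation list
IP_REGION = {  # constructed stand-in for an IP address query service
    "192.0.2.10": "Shanghai",
    "192.0.2.30": "Shanghai",
    "203.0.113.7": "Shenzhen",
    "198.51.100.20": "Hangzhou",
}
ACTIVITY_AREA = {  # constructed stand-in for the associated social account
    "alice": "Shanghai", "bob": "Shanghai",
    "carol": "Shanghai", "dave": "Hangzhou",
}


def load(rows):
    """Build op_table, dropping failed logins first (the pre-filter step)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE op_table (id TEXT, op_time TEXT, op_day TEXT, op_ip TEXT)"
    )
    conn.executemany(
        "INSERT INTO op_table VALUES (?, ?, ?, ?)",
        [(uid, ts, ts[:10], ip) for uid, ts, ok, ip in rows if ok],
    )
    return conn


def triage(rows, current_day, n, vacation, ip_region, activity_area):
    """Return {account: status} for accounts seen on exactly one day."""
    conn = load(rows)
    start = (date.fromisoformat(current_day) - timedelta(days=n)).isoformat()
    window = (start, current_day)
    # S105/S106: records in only a single period of the window.
    single_day = [r[0] for r in conn.execute(
        "SELECT id FROM op_table WHERE op_day BETWEEN ? AND ? "
        "GROUP BY id HAVING COUNT(DISTINCT op_day) = 1 ORDER BY id", window)]
    result = {}
    for uid in single_day:
        if uid not in vacation:          # S107: not on the vacation list
            result[uid] = "suspicious"
            continue
        ips = [r[0] for r in conn.execute(
            "SELECT DISTINCT op_ip FROM op_table "
            "WHERE id = ? AND op_day BETWEEN ? AND ?", (uid, *window))]
        regions = {ip_region.get(ip) for ip in ips}
        # S109/S110: clear only when every login IP resolves to the
        # user's activity area; an unknown region keeps the mark.
        same_area = regions == {activity_area.get(uid)} and None not in regions
        result[uid] = "cleared" if same_area else "flagged"
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "2018-11-11", 3, VACATION, IP_REGION, ACTIVITY_AREA))
```

If the failed-login filter is skipped, carol's two rows land on different days and her account is no longer screened, which is why the filter has to run before the screening step.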
Example two
Referring to fig. 2, a flowchart of the steps of calculating the page login times according to the second embodiment of the present invention is shown. It is to be understood that the flow charts in the embodiments of the present method are not intended to limit the order in which the steps are performed. The following description is made by taking a server as an execution subject. The details are as follows.
Step S201: and acquiring the mapping access sequence of each user according to the plurality of page login information.
Step S202: and generating an adjacency matrix of page access according to the mapping access sequence of each user.
Step S203: acquiring the jumping times of each page according to the adjacency matrix of page access, wherein the jumping times are the page login times.
In this embodiment, the mapping access sequence is: and representing the parameter identification of the target page login information by a digital node p, and displaying a corresponding digital node q on the page after the login is successful.
The mapping access sequence in this embodiment may be understood as representing the access sequence of the user by using an index, for example, by using a number. Specifically, each page identifier parameter in the operation log may be mapped to a number to represent, and correspondingly, the mapping access sequence of each user may be found according to the order of the pages corresponding to the page identifier parameter of each user.
In this embodiment, arc[p][q] is used to represent the page login times, where arc[p][q] is the number of hops from the page corresponding to the digital node p to the page corresponding to the digital node q in the adjacency matrix of page access.
In this embodiment, the adjacency matrix is a matrix representing the adjacency relationship between vertices. It is generated from the mapping access sequence of each user: each point in a user's mapping access sequence forms a vertex in the adjacency matrix of page access. Since the mapping access sequence of each user represents the order in which that user accessed pages, the adjacency matrix of page access in this embodiment is a directed adjacency matrix. A vertex in the adjacency matrix carries the import traffic corresponding to that vertex, that is, the number of hops into the page corresponding to its digital node, which equals the sum of the values of all directed edges in the column corresponding to that digital node. For example, the import traffic corresponding to vertex 3, i.e. the total number of hops by which the page corresponding to digital node 3 is reached from other pages, may include the number of hops from the start page 0 to the page corresponding to digital node 3, the number of hops from the page corresponding to digital node 1 to the page corresponding to digital node 3, the number of hops from the page corresponding to digital node 2 to the page corresponding to digital node 3, and so on, up to the number of hops from the page corresponding to digital node n to the page corresponding to digital node 3. In the adjacency matrix of page access, all directed edges arc[i][3] for i from 0 to n are summed, giving the import traffic corresponding to vertex 3, namely the page login times.
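The adjacency-matrix counting of steps S201 to S203, as an added example that is not part of the patent text: it maps page identifiers to digital nodes, builds the directed matrix arc[p][q] from each user's access sequence, and sums a column to get the import traffic of a vertex. The page names, users and sequences are constructed, and the function names are assumptions.

```python
START = "<start>"  # start page, mapped to digital node 0 as in the text

# Constructed sample: ordered page identifiers taken from each user's log.
SEQUENCES = {
    "alice": ["login", "home", "attendance", "login", "home"],
    "bob": ["login", "home", "files"],
    "carol": ["login", "login", "home"],  # login page reloaded once
}


def build_mapping(sequences):
    """Map every page identifier to a digital node, in first-seen order."""
    mapping = {START: 0}
    for pages in sequences.values():
        for page in pages:
            mapping.setdefault(page, len(mapping))
    return mapping


def adjacency_matrix(sequences, mapping):
    """arc[p][q] = number of hops from node p directly to node q."""
    size = len(mapping)
    arc = [[0] * size for _ in range(size)]
    for pages in sequences.values():
        nodes = [mapping[START]] + [mapping[page] for page in pages]
        for p, q in zip(nodes, nodes[1:]):
            arc[p][q] += 1
    return arc


def import_traffic(arc, q):
    """Sum of column q: all hops that arrive at node q from any node."""
    return sum(row[q] for row in arc)


def login_times(sequences, mapping, login_page, landing_page):
    """Per-user arc[p][q] for the login page p and the post-login page q."""
    p, q = mapping[login_page], mapping[landing_page]
    return {
        user: adjacency_matrix({user: pages}, mapping)[p][q]
        for user, pages in sequences.items()
    }


if __name__ == "__main__":
    m = build_mapping(SEQUENCES)
    a = adjacency_matrix(SEQUENCES, m)
    print(m)
    for row in a:
        print(row)
    print(import_traffic(a, m["home"]), login_times(SEQUENCES, m, "login", "home"))
```

The matrix is directed, so arc[p][q] and arc[q][p] are counted separately, and a reload of the login page shows up on the diagonal rather than as a login.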
EXAMPLE III
Fig. 3 is a schematic diagram showing the program modules of a system for detecting security of a login page according to a third embodiment of the present invention. The system specifically comprises the following modules:
a first obtaining module 301, configured to obtain operation logs of multiple users.
Specifically, the operation log in this embodiment records operation information of a user logging in a target page, where the operation log includes, but is not limited to, operation information such as a login address, a login time, and a login duration of the user during login, and the target page is an insurance login page.
Before the operation log of the user is obtained, the operation logs are also filtered to remove the operation logs of non-real users. For example: if a login to the user account is attempted but does not succeed, an operation record still exists: operation information such as an account or password error during login is recorded in the operation log. Users whose login failed are filtered out during filtering, so that the login frequency is not counted repeatedly.
A second obtaining module 302, configured to obtain a key field in the operation log from the operation log according to a preset field name.
In this embodiment, when the server stores the operation log, the server classifies the information of the operation log according to categories, and divides the information into a plurality of fields, where each field is provided with a field name. The preset field names comprise field names of the login account information, the login time information and the login frequency information. When extracting, the second obtaining module 302 extracts the key fields with the login account information, the login time information, and the login frequency information.
The first extracting module 303 is configured to extract the page operation information in the key field.
In this embodiment, when the key fields in the operation log are obtained from the operation log according to the preset field names, the first extraction module 303 extracts the page operation information in the key fields with the login account information, the login time information, and the login frequency information.
A second extracting module 304, configured to obtain, according to the page operation information, multiple page login information generated by the multiple users logging in the server in N time periods, where each user corresponds to one page login information, and each page login information includes a page login account, page login time, and page login times of the corresponding user.
In this embodiment, the second extracting module is further configured to:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the jumping times of each page according to the adjacency matrix of page access, wherein the jumping times are the page login times.
The mapping access sequence is as follows:
representing the parameter identification of each page login information by a digital node p, and displaying a corresponding digital node q on a page after login is successful;
the page login times are represented by arc [ p ] [ q ], and the arc [ p ] [ q ] is the jumping number from the page corresponding to the digital node p to the page corresponding to the digital node q in the adjacent matrix of the page access.
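The login count read from the adjacency matrix, as an added Python example that is not part of the patent text. It assumes one matrix per user; the page paths, node numbering and visit sequences are constructed for illustration.

```python
# Added illustration; page names, node numbering and visit data are constructed.
LOGIN_PAGE = "/login"      # page whose parameter identifier maps to node p
LANDING_PAGE = "/home"     # page displayed after a successful login, node q

SAMPLE_VISITS = {
    "alice": ["/login", "/home", "/orders", "/login", "/home", "/profile"],
    "bob": ["/login", "/login", "/home"],      # failed attempt, then success
    "carol": ["/home", "/orders", "/home"],    # resumed session, no login page
}


def build_node_map(visits):
    """Assign each distinct page a numeric node in first-seen order."""
    nodes = {}
    for pages in visits.values():
        for page in pages:
            nodes.setdefault(page, len(nodes))
    return nodes


def mapping_access_sequence(pages, nodes):
    """Translate one user's ordered page visits into a sequence of nodes."""
    return [nodes[page] for page in pages]


def adjacency_matrix(sequence, size):
    """arc[p][q] counts the jumps from node p directly to node q."""
    arc = [[0] * size for _ in range(size)]
    for p, q in zip(sequence, sequence[1:]):
        arc[p][q] += 1
    return arc


def page_login_times(visits, login_page=LOGIN_PAGE, landing_page=LANDING_PAGE):
    """Per user, read the login count as arc[p][q] (login page -> landing page)."""
    nodes = build_node_map(visits)
    p, q = nodes[login_page], nodes[landing_page]
    counts = {}
    for user, pages in visits.items():
        arc = adjacency_matrix(mapping_access_sequence(pages, nodes), len(nodes))
        counts[user] = arc[p][q]
    return counts


if __name__ == "__main__":
    for user, count in page_login_times(SAMPLE_VISITS).items():
        print(user, count)
```

A repeated visit to the login page (a failed attempt) lands in arc[p][p] and does not inflate the login count.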
In this embodiment, the N time periods may be preset as desired, for example, the previous three days, the previous ten days, and the like. Whether each user has an operation record in only one of the N time periods is determined, so as to further determine whether the user is an abnormal user. The second extraction module 304 obtains, from the page operation information, a plurality of pieces of page login information generated by the plurality of users logging in to the server in the N time periods.
A screening module 305, configured to screen target page login information from the multiple pieces of page login information, where the target page login information is page login information that only has a single login record in the N time periods.
In this embodiment, the target page login information includes login information of each user on a page, and the screening module 305 screens out the page login information that is recorded in only a single time period of the N time periods.
The first determining module 306 is configured to determine a page login account corresponding to the target page login information as a suspicious account.
In this embodiment, the invention detects users who performed no operation during the first i (i <= N-1) days of the N time periods but have an operation log on day i+1. Alternatively, because the method runs continuously, any user for whom only one time period with an operation record is detected within the target N-day period is screened out and the account is determined to be a suspicious account.
In this embodiment, if operation records exist in more than one time period, the user's account is excluded from being abnormal or suspicious. Operation records in a plurality of time periods within the target period indicate that the user is probably in a working state, whereas a user account that has not been used for a long time does not have a plurality of operation records, so the account is ruled out as a suspicious account.
A second determining module 307, configured to compare the user name of the suspicious account with a preset vacation list and determine whether an account fraudulent-use event exists and, if so, mark the suspicious account with a suspicious identifier, where the preset vacation list includes the users in a vacation state and the account names corresponding to those users.
In this embodiment, the suspicious account users are counted over the counting window and then compared with a preset vacation list, which lists all users in the vacation state and the account names corresponding to them. If a user matches the preset vacation list, the user's account may have been fraudulently used, and the reason for the abnormal use of the account is investigated further.
A query statement is written in SQL, as follows:
SELECT * FROM op_table WHERE op_day BETWEEN (current_day - n) AND current_day GROUP BY op_day HAVING count(id) > 1
Here, op_table is a table that stores user operation information and includes a user id (id), a user operation time (op_time), and a user operation date (op_day), where op_day is converted from op_time. current_day is the date up to which the query is run, and n is the time window covered by the query statement, which is run each day.
For example, if today is November 11, 2018 and the exception records of the past 3 days are to be queried, current_day is November 11, 2018 and (current_day - 3) is November 8, 2018.
If the user id included in the queried result does not appear in the queried result, the operation record was left for the first time on November 11, 2018. The list of qualifying users is then compared with the vacation user list; if a user is supposed to be on leave that day but appears in the abnormal-use list, the user's account may have been fraudulently used. The reason for the abnormal use of the account can then be investigated further.
A third obtaining module 308, configured to obtain an associated social account of the target user corresponding to the suspicious account, and obtain an activity area of the target user from the associated social account.
The query module 309 is configured to query a location area according to the IP address of the page login address of the suspicious account, and compare the location area with the activity area.
A third determining module 310, configured to remove the suspicious identifier of the suspicious account if the location area and the activity area are in the same area.
In this embodiment, an associated social account (such as DingTalk or the like) of the target user corresponding to the suspicious account is acquired, and the activity area of the target user is obtained from the associated social account. A location area is queried according to the IP address of the page login address of the suspicious account and compared with the activity area of the target user; if the two are in the same area, for example, the same city, town, district, street or the like, the suspicious identifier of the suspicious account is removed.
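The single-period screening, the vacation-list comparison and the location check described above, combined in one added Python/SQLite example that is not code from the patent. The op_table columns follow the text; the sample records, the IP-to-region table, the status labels and the choice to keep the mark when the region is unknown are assumptions.

```python
import sqlite3
from datetime import date, timedelta

# Constructed operation records (id, op_time); op_day is derived from op_time.
SAMPLE_OPS = [
    ("alice", "2018-11-08 09:01:00"), ("alice", "2018-11-09 10:15:00"),
    ("alice", "2018-11-11 08:47:00"),                  # active on three days
    ("bob", "2018-11-11 23:52:00"),                    # one day, on leave
    ("carol", "2018-11-11 14:03:00"),
    ("carol", "2018-11-11 14:09:00"),                  # two records, same day
    ("dave", "2018-11-10 03:30:00"),                   # one day, on leave
    ("erin", "2018-11-02 11:00:00"),                   # outside the window
    ("erin", "2018-11-11 11:00:00"),
]
VACATION = {"bob", "dave"}                               # preset vacation list
ACTIVITY_AREA = {"bob": "Shenzhen", "dave": "Shanghai"}  # from the social account
LOGIN_IP = {"bob": "203.0.113.7", "dave": "198.51.100.20"}
# Stand-in for an IP geolocation lookup (documentation address ranges).
IP_REGION = {"203.0.113.7": "Chengdu", "198.51.100.20": "Shanghai"}


def build_op_table(rows):
    """Create op_table(id, op_time, op_day) in memory, converting op_time to op_day."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE op_table (id TEXT, op_time TEXT, op_day TEXT)")
    conn.executemany(
        "INSERT INTO op_table VALUES (?, ?, date(?))",
        [(uid, ts, ts) for uid, ts in rows],
    )
    return conn


def single_period_accounts(conn, current_day, n):
    """Accounts with operation records on exactly one day of the window."""
    start = current_day - timedelta(days=n)
    rows = conn.execute(
        """SELECT id FROM op_table
           WHERE op_day BETWEEN ? AND ?
           GROUP BY id
           HAVING COUNT(DISTINCT op_day) = 1
           ORDER BY id""",
        (start.isoformat(), current_day.isoformat()),
    ).fetchall()
    return [row[0] for row in rows]


def triage(conn, current_day, n):
    """Apply the vacation-list comparison, then the region check, to each suspicious account."""
    verdicts = {}
    for account in single_period_accounts(conn, current_day, n):
        if account not in VACATION:
            verdicts[account] = "unmarked"      # suspicious, but not on leave
            continue
        region = IP_REGION.get(LOGIN_IP.get(account))
        if region is not None and region == ACTIVITY_AREA.get(account):
            verdicts[account] = "cleared"       # same area: identifier removed
        else:
            verdicts[account] = "marked"        # assumption: unknown region keeps the mark
    return verdicts


if __name__ == "__main__":
    db = build_op_table(SAMPLE_OPS)
    print(triage(db, date(2018, 11, 11), 3))
```

Counting distinct op_day values per id, rather than rows, keeps an account with several records on the same day in the single-period set.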
In this embodiment, historical login data corresponding to the suspicious account is obtained, the historical login success rate is counted according to the historical login data, and the historical login success rate is compared with the current login success rate; if the difference is large, it is determined that a fraudulent-use event has occurred.
Example four
Referring to Fig. 4, a hardware structure diagram of a computer device according to a fourth embodiment of the present invention is shown.
The present invention further provides a computer device 2 capable of executing programs, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server, a tower server or a cabinet server (including an independent server or a server cluster composed of a plurality of servers), and the like. The computer device 2 of the present embodiment includes at least, but is not limited to: a memory 21, a processor 22, etc. that may be communicatively coupled to each other via a system bus.
In the present embodiment, the memory 21 includes at least one type of computer-readable storage medium including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 21 may be an internal storage unit of the computer device 2, such as a hard disk or a memory of the computer device 2. In other embodiments, the memory 21 may also be an external storage device of the computer device 2, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like provided on the computer device 2. Of course, the memory 21 may also comprise both internal and external storage units of the computer device 2. In this embodiment, the memory 21 is generally used for storing an operating system and various application software installed in the computer device 2, for example, the program code of the detection system 20 for security of login page in the fourth embodiment. Further, the memory 21 may also be used to temporarily store various types of data that have been output or are to be output.
The network interface 23 may comprise a wireless network interface or a wired network interface, and the network interface 23 is generally used for establishing communication connection between the computer device 2 and other electronic apparatuses. For example, the network interface 23 is used to connect the computer device 2 to an external terminal through a network, establish a data transmission channel and a communication connection between the computer device 2 and the external terminal, and the like. The network may be a wireless or wired network such as an intranet, the Internet, Global System for Mobile Communications (GSM), Wideband Code Division Multiple Access (WCDMA), a 4G network, a 5G network, Bluetooth, Wi-Fi, and the like.
Example five
The present embodiment also provides a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application store, etc., on which a computer program is stored, which when executed by a processor implements corresponding functions. The computer program of this embodiment may be executed by at least one processor, so that the at least one processor executes the method for detecting security of a login page according to the first embodiment or the second embodiment.
According to the method, system, device and storage medium for detecting the security of a login page provided by the embodiments of the invention, the page operation information in the users' operation logs is first obtained and analyzed; the page login information that is recorded in only a single time period of the N time periods is then screened out from the multiple pieces of page login information and evaluated to determine the suspicious users whose accounts are abnormal. The original system does not need to be modified, so the background operation steps are reduced, which in turn reduces the load on the system and the network.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (10)
1. A method for detecting the security of a login page is characterized by comprising the following steps:
acquiring operation logs of a plurality of users;
acquiring key fields in the operation log from the operation log according to preset field names;
extracting page operation information in the key field;
acquiring, according to the page operation information, a plurality of pieces of page login information generated by a plurality of users logging in to a server in N time periods, wherein each user corresponds to one piece of page login information, and each piece of page login information comprises a page login account, page login time and page login times of the corresponding user;
screening target page login information from the plurality of page login information, wherein the target page login information is page login information only having single login records in the N time periods;
determining a page login account corresponding to the target page login information as a suspicious account;
comparing the user name of the suspicious account with a preset vacation list, judging whether an account fraudulent-use event exists, and if so, marking the suspicious account with a suspicious identifier, wherein the preset vacation list comprises users in a vacation state and account names corresponding to the vacation users;
acquiring an associated social account of a target user corresponding to the suspicious account, and acquiring an activity area of the target user from the associated social account;
querying a location area according to the IP address of the page login address of the suspicious account, and comparing the location area with the activity area;
and if the position area and the activity area are in the same area, removing the suspicious identification of the suspicious account.
2. The method for detecting according to claim 1, wherein the step of obtaining the number of page logins comprises:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the number of jumps of each page according to the adjacency matrix of the page access, wherein the number of jumps is the page login times.
3. The detection method according to claim 2, wherein the mapping access sequence is:
and representing the parameter identification of each page login information by a digital node p, and displaying a corresponding digital node q on the page after login is successful.
4. The detection method according to claim 3, wherein the page login times are represented by arc [ p ] [ q ], and the arc [ p ] [ q ] is the jump number from the page corresponding to the digital node p to the page corresponding to the digital node q in the adjacency matrix of the page access.
5. The detection method according to claim 1, wherein before obtaining the operation logs of the plurality of users, the method further comprises:
extracting operation logs of a plurality of users according to a preset rule, and filtering the extracted operation logs;
the preset rule is used to identify the operation logs of users who did not log in successfully.
6. A system for detecting security of a login page, comprising:
the first acquisition module is used for acquiring operation logs of a plurality of users;
the second acquisition module is used for acquiring key fields in the operation log from the operation log according to preset field names;
the first extraction module is used for extracting the page operation information in the key field;
the second extraction module is used for acquiring, according to the page operation information, a plurality of pieces of page login information generated by the plurality of users logging in to the server in N time periods, wherein each user corresponds to one piece of page login information, and each piece of page login information comprises a page login account, page login time and page login times of the corresponding user;
the screening module is used for screening target page login information from the plurality of page login information, wherein the target page login information is the page login information only having single login records in the N time periods;
the first judgment module is used for determining a page login account corresponding to the target page login information as a suspicious account;
the second judgment module is used for comparing the user name of the suspicious account with a preset vacation list and judging whether an account fraudulent-use event exists, and if so, marking the suspicious account with a suspicious identifier, wherein the preset vacation list comprises users in a vacation state and account names corresponding to the vacation users;
a third obtaining module, configured to obtain an associated social account of the target user corresponding to the suspicious account, and obtain an activity area of the target user from the associated social account;
the query module is used for querying a position area according to the IP address of the page login address of the suspicious account and comparing the position area with the activity area;
and the third judgment module is used for removing the suspicious identification of the suspicious account if the position area and the activity area are in the same area.
7. The detection system of claim 6, wherein the second extraction module is further configured to:
acquiring a mapping access sequence of each user according to the plurality of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
and acquiring the number of jumps of each page according to the adjacency matrix of the page access, wherein the number of jumps is the page login times.
8. The detection system of claim 7, wherein the mapping access sequence is:
representing the parameter identification of each page login information by a digital node p, and displaying a corresponding digital node q on a page after login is successful;
the page login times are represented by arc[p][q], and arc[p][q] is the number of jumps from the page corresponding to the digital node p to the page corresponding to the digital node q in the adjacency matrix of the page access.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method for detecting security of a login page as claimed in any one of claims 1 to 5 when executing said computer program.
10. A computer-readable storage medium, in which a computer program is stored which is executable by at least one processor to cause the at least one processor to perform the steps of the method for detecting security of a login page as claimed in any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910366731.0A CN110191097B (en) | 2019-05-05 | 2019-05-05 | Method, system, equipment and storage medium for detecting security of login page |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110191097A CN110191097A (en) | 2019-08-30 |
CN110191097B CN110191097B (en) | 2023-01-10 |
Family
ID=67715484
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910366731.0A Active CN110191097B (en) | 2019-05-05 | 2019-05-05 | Method, system, equipment and storage medium for detecting security of login page |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110191097B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||