Detailed Description of Embodiments
Embodiments are described more fully below with reference to the accompanying drawings, which form a part of this disclosure and show specific exemplary embodiments. However, the embodiments can be implemented in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the embodiments to those of ordinary skill in the art. The embodiments may be implemented as a method, a system or a device. Accordingly, the embodiments may take the form of a hardware implementation, an entirely software implementation, or an implementation combining software and hardware aspects. The following detailed description is therefore not limiting.
Fig. 1 shows an application environment 100 in which embodiments of the present disclosure can be implemented.
Offline payment by scanning a code with a mobile phone is increasingly common, and many people now go out without cash. In recent years, criminals have surreptitiously replaced merchants' payment-collection two-dimensional codes, issued fake parking tickets bearing two-dimensional codes, and used two-dimensional codes that lure victims into paying in order to steal from their cards. Even the popular shared bicycles have been labelled with fake two-dimensional codes that prompt users to transfer money.
For example, in Fig. 1, a fraudster 102 in a subway or on public transport, under the guise of various business promotions, asks for help scanning and identifying a two-dimensional code 104 that he has generated (as an example and not a limitation). The mobile phone of the victim 106 is then implanted with malicious code such as a Trojan horse program, or jumps to a phishing website, and the victim's bank card can be fraudulently charged. In recent years, with the rise and spread of e-commerce, fraudsters also have victims place orders on legitimate e-commerce platforms and then, on the pretext of preventing the platform from detecting order brushing, send a payment-collection two-dimensional code directly to the victim, who identifies it, transfers money and is defrauded. Exploiting the convenience of two-dimensional codes, fraudsters have devised scams of every kind that are hard to guard against.
In Fig. 1, the two-dimensional code 104 is made up of many small squares, in which white represents 0 and black represents 1. These digits are arranged and combined into a matrix, and information is then encoded by a specific algorithm; the information can be text, pictures, links, accounts, installation packages, videos and so on.
The fraudster 102 produces the fraud two-dimensional code 104, which can be classified as a transaction code or a non-transaction code. A transaction code shows a payment interface after being identified, while a non-transaction code opens a URL link after being identified; the URL link may also be referred to as the two-dimensional code id or QR code content. Alternatively, identifying a non-transaction code may trigger a login action, an add-contact action, and so on.
The fraudster 102 then presents the fraud two-dimensional code 104 to the victim 106 through various channels. For example, the fraudster 102 displays the fraud two-dimensional code on his electronic device and lures the victim 106 into scanning it; or sends the fraud two-dimensional code 104 to the victim 106 as a picture through a tool such as social software, and the victim 106 identifies the fraud two-dimensional code 104 by long-pressing the received picture; or the victim 106 downloads the fraud two-dimensional code 104 as a picture in some other way, then reads the picture from the photo album and identifies the fraud two-dimensional code 104 in it.
After the victim 106 identifies the fraud two-dimensional code 104 in one of these ways, if the type of the fraud two-dimensional code 104 is a transaction code, the victim 106 sees a payment interface and, persuaded by the various reasons the fraudster 102 has made up, may remit money to the fraudster 102 through that interface. For example, the fraudster has the victim place an order on a legitimate e-commerce platform and then, on the pretext of preventing the platform from detecting order brushing, sends a payment-collection two-dimensional code directly to the victim, who identifies it, transfers money and is defrauded.
In addition, the fraudster can produce a physical fraud two-dimensional code, for example by pasting the fraud two-dimensional code onto paper or a card and then covering another, normal two-dimensional code with it. For example, the fraudster can cover the payment-collection two-dimensional code that a merchant displays for collecting payment, so that the money consumers pay to the merchant goes into the fraudster's own collection account.
On the other hand, if the type of the fraud two-dimensional code 104 is a non-transaction code, the victim 106 may download a Trojan horse program made by the fraudster 102 after identifying the fraud two-dimensional code 104. Once implanted in the electronic device of the victim 106, the Trojan horse program can steal the victim's sensitive information, such as game accounts, social accounts, bank account numbers, account passwords and the online transaction codes of various financial apps, resulting in stolen accounts, assets or funds.
After identifying the fraud two-dimensional code 104, the victim 106 may also be redirected to a fraud page made by the fraudster 102. The fraud page guides the victim 106 to enter the sensitive information described above, and once the fraudster 102 has obtained it, he can steal the victim's assets or accounts when the opportunity arises.
For the fraud scenarios above, the present disclosure discloses a self-looping method for identifying two-dimensional code fraud risk. Specifically, when the victim 106 identifies a two-dimensional code, the two-dimensional code is uploaded to a server 108. A two-dimensional code recognition component in the server 108 identifies the uploaded two-dimensional code using a two-dimensional code recognition algorithm. The identification can be based on various factors, such as the two-dimensional code type, the scanning action, analysis of two-dimensional code id features, the scan volume, whether the scan is a first scan, analysis of cases associated with the two-dimensional code, and so on. As those skilled in the art will understand, fraud two-dimensional codes may also be identified based on other factors, and those skilled in the art can adjust the respective weight of each factor used as needed.
When the identified two-dimensional code is determined to be a fraud two-dimensional code, it is added to a fraud two-dimensional code library in the server 108, and the fraudster and the defrauded person associated with the fraud two-dimensional code are determined at this point.
For the fraudster, all of his newly generated two-dimensional codes are assessed by the two-dimensional code recognition algorithm, and every two-dimensional code confirmed as a fraud two-dimensional code is added back into the fraud two-dimensional code library to complete the two-dimensional code feedback loop, so that more defrauded persons can be found. This is done by the derivative risk identification component and the risk management and control component in the server 108.
For the defrauded person, the derivative risk identification component in the server 108 obtains the payment-collection media of suspicious transactions before and after the scan, as well as historical suspicious collection media from a certain preceding time period, and the risk management and control component in the server 108 continuously intercepts transactions to these collection media. Meanwhile, the risk management and control component in the server 108 identifies as potential defrauded users those users, other than the identified fraudster, who have had business transactions with these collection media or who have remitted, or are attempting to remit, money to them. It checks the two-dimensional codes these potential defrauded users used for the suspicious transactions in order to find more fraud two-dimensional codes and thereby discover more defrauded persons.
Thus, compared with existing approaches in which identification relies solely on users' own reports, the technical solution disclosed here identifies more proactively and over a wider range. In addition, unlike existing approaches that directly block or invalidate a fraud two-dimensional code, the disclosed solution uses the fraud two-dimensional codes newly produced or identified by the fraudster, and the potential defrauded persons associated with the defrauded person, to derive and discover more fraud two-dimensional codes, more fraudsters and more defrauded persons, thereby realizing a self-looping derivative risk identification scheme.
Specifically, in this scheme the identification of two-dimensional codes, fraudsters, fraudsters' collection media and defrauded persons (including potential defrauded persons) is not a one-off identification. Instead, the identification results serve as inputs to the different stages: namely, the two-dimensional codes subsequently newly produced or first scanned by the determined fraudster, and the two-dimensional codes used for suspicious transactions by potential defrauded persons discovered through the suspicious collection media used by the defrauded person. In this way more two-dimensional codes, fraudsters, fraudsters' collection media and defrauded persons (including potential defrauded persons) are identified in an automatic, derivative cycle. The control effect is greatly improved, both in raising the cost of crime for the underground economy and in protecting defrauded persons.
The above aspects of the disclosure are described in detail below by means of various block diagrams, data flow diagrams and method flowcharts.
Fig. 2 shows a block diagram of a fraud risk identification module 200 according to one embodiment of the present disclosure. The fraud risk identification module 200 includes a seed input module 202, a two-dimensional code recognition component 204, a derivative risk identification component 206 and a risk management and control component 208. Those skilled in the art will understand that the functions of the fraud risk identification module 200 and the components it includes can be implemented on the user's computing device, on a server/cloud, or partly on the user's computing device and partly on a server/cloud.
Referring to Fig. 2, the seed input module 202 receives two-dimensional codes provided by reporting users as seed input. In one embodiment of the invention, a reporting user can be a user who discovers that he has been defrauded or has suffered a loss because of a two-dimensional code provided by a fraudster, and who reports the fraud case he encountered. In addition, the seed input module 202 also receives two-dimensional codes provided by potential defrauded users as additional seed input. In one embodiment of the present disclosure, a potential defrauded user can be a user associated with the fraudulent collection medium in a defrauded user's case (for example, a user who has remitted, or is attempting to remit, money to the suspicious collection medium).
After a user discovers that he has been defrauded, the user can upload to the server, through his own computing device, the two-dimensional codes he identified within a certain preceding time period. In one embodiment of the invention, as an example and not a limitation, the user can capture an image of the fraud two-dimensional code with the camera of his computing device and then upload the image to the server. As those skilled in the art should understand, the user can provide the fraud two-dimensional code to the seed input module 202 in various other ways.
In one embodiment of the present disclosure, fraud two-dimensional codes can be classified as transaction two-dimensional codes and non-transaction two-dimensional codes. With a transaction two-dimensional code, as an example and not a limitation, a user being defrauded can mean that the fraudster uses some pretext to lure the user into remitting money to him via the fraud two-dimensional code. With a non-transaction two-dimensional code, as an example and not a limitation, a user being defrauded can mean that, after identifying the fraud two-dimensional code, the user is redirected to an external link, downloads the installation package of a Trojan horse program, and so on.
Referring to Fig. 2, the two-dimensional code recognition component 204 identifies the two-dimensional codes received by the seed input module 202. Specifically, the two-dimensional code recognition component 204 can determine whether a two-dimensional code is a fraud two-dimensional code based on at least one of the two-dimensional code type, the scanning action, the two-dimensional code id features, the scan volume, whether the scan is a first scan, two-dimensional code associated-case analysis, and so on. Each of these features is described below.
Two-dimensional code types are generally divided into (1) transaction two-dimensional codes, which open a payment interface after being identified so that payment can be made directly; and (2) non-transaction two-dimensional codes, which jump to a website link or download link after being identified. In one embodiment of the present disclosure, when the type of the two-dimensional code is a non-transaction two-dimensional code (external-link code), the two-dimensional code may induce the user to enter sensitive information (for example, on a phishing website) or to download the installation package of an application of unknown risk (for example, a fee-draining app, a Trojan horse program, etc.), and is therefore considered more likely to be a fraud two-dimensional code.
This is because, when identifying the two-dimensional code does not lead directly to a transfer or remittance, users easily lower their guard; and when the code jumps to a phishing page that induces the user to enter sensitive information, or downloads a Trojan horse program that directly steals sensitive information from the user's computing device, a less vigilant user is also unlikely to notice immediately. In the art, most fraud two-dimensional codes take the form of non-transaction two-dimensional codes.
In one embodiment of the present disclosure, as an example and not a limitation, a non-transaction two-dimensional code (external-link two-dimensional code) that is more likely to be a fraud two-dimensional code is not blocked directly, as is common in the art. Instead, the user is allowed to click the external link so that the real purpose of the two-dimensional code can be discovered, for example opening a page that asks the user to enter sensitive information, downloading the installation package of a Trojan horse program, and so on. After the user clicks the external link, the user is treated as a priority object of security control. For example, when the user has entered sensitive information and clicks a button such as "Submit" or "Done" that submits the form information to a server, the submission is intercepted and the user is informed of the risk. The page is then identified as a fraud page, and other users are informed of the security risk when they open it.
Scanning actions can be divided into camera scanning, long-press identification and photo-album identification. Camera scanning means using the scan function on the user's computing device (built into the device or provided by an installed application) to call the camera of the user's computing device to scan and identify a two-dimensional code. Long-press identification means long-pressing a picture and choosing to identify the two-dimensional code in the picture. Photo-album identification means choosing the photo album within the scan function, selecting a picture saved in the album, and identifying the two-dimensional code in the picture.
In different fraud scenarios, the scanning action can also reflect different degrees of risk. For example, in the scenario of disposing of stolen goods through the purchase of virtual goods, the fraudster sends the generated two-dimensional code picture to the user through a social chat tool, and the user saves the two-dimensional code to the photo album and then reads the two-dimensional code content by photo-album identification. Compared with scanning a two-dimensional code directly with the camera, this carries a higher degree of risk.
For two-dimensional code id features, blacklist techniques are generally used in the art. A blacklist technique records all discovered malicious URLs in an address list, the so-called blacklist, and uses it to judge whether a URL the user accesses is malicious. Blacklist techniques are simple to implement, but the problem is that keeping the blacklist up to date is very difficult. Most browser vendors today use this approach, building a blacklist library on the user terminal and updating it every few days. This is a relatively simple way for a browser to identify malicious URLs, but its significant drawback is that it cannot recognize unknown web pages.
The two-dimensional code id features in the present disclosure include the length of the URL corresponding to the code, text editing features, and URL source code features. In general, the URLs of the two-dimensional codes produced by one fraud gang or fraudster have a certain similarity.
According to the RFC specification, the syntax of a URL is as follows: "scheme://username:password@domain:port/path?query_string#fragment_id" (see RFC 1738, http://www.ietf.org/rfc/rfc1738.txt). All URLs must follow this rule. If the protocol (scheme) part is omitted, the default is the HTTP protocol; the username and password part (username:password) can be omitted; in the HTTP protocol the port number (port) defaults to 80 and can also be omitted; and the fragment_id part has no real value in detecting whether a URL is malicious. As an example and not a limitation, the URL corresponding to a two-dimensional code is more likely to be a malicious URL if it has the following features:
The domain is an IP address;
The port is not 80/443;
There are more than 4 "." characters in the domain;
The path depth is large;
The URL contains characters such as @, -, ~;
The URL contains sensitive words such as 'secure', 'account', 'webscr', 'login', 'ebayisapi', 'signin', 'bank', 'confirm', 'submit', 'update';
The URL length is more than 23 characters;
The domain approximates a legitimate domain name, for example with l replaced by 1, o replaced by 0, etc.;
Multiple common top-level domains appear in the main domain name.
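The URL features listed above can be computed directly from the decoded two-dimensional code content. The following Python is an added example, not code from the disclosure; the feature names, the COMMON_TLDS and PROTECTED_NAMES sets, the path-depth cut-off and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Sensitive words exactly as listed in the text.
SENSITIVE_WORDS = ("secure", "account", "webscr", "login", "ebayisapi",
                   "signin", "bank", "confirm", "submit", "update")
SPECIAL_CHARS = "@-~"
# Assumptions (not from the page): which TLDs count as "common", which names
# are worth imitating, and what path depth counts as "large".
COMMON_TLDS = {"com", "net", "org", "info"}
PROTECTED_NAMES = {"examplepay", "examplebank"}   # constructed brand names
MAX_PATH_DEPTH = 4
# Digit-for-letter swaps named in the text: 1 for l, 0 for o.
UNSWAP = str.maketrans({"1": "l", "0": "o"})

# Constructed sample URLs (reserved example domains, private address space).
SAMPLE_URLS = [
    "http://192.168.10.5:8080/a/b/c/d/e/login.php",
    "http://www.examp1epay.com.example.net/signin",
    "http://user@a.b.c.d.e.example.com/~x",
    "example.org/",
]


def url_features(raw_url):
    """Return the set of listed URL features that raw_url exhibits."""
    url = raw_url if "://" in raw_url else "http://" + raw_url
    try:
        parts = urlsplit(url)
    except ValueError:                 # e.g. unbalanced IPv6 brackets
        return {"unparseable"}
    host = (parts.hostname or "").lower()
    hits = set()

    try:
        ipaddress.ip_address(host)
        hits.add("domain_is_ip")
    except ValueError:
        pass

    try:
        port = parts.port
        if port is not None and port not in (80, 443):
            hits.add("nonstandard_port")
    except ValueError:                 # non-numeric or out-of-range port
        hits.add("nonstandard_port")

    if host.count(".") > 4:
        hits.add("many_dots")
    if len([seg for seg in parts.path.split("/") if seg]) > MAX_PATH_DEPTH:
        hits.add("deep_path")
    if any(c in raw_url for c in SPECIAL_CHARS):
        hits.add("special_chars")
    if any(w in raw_url.lower() for w in SENSITIVE_WORDS):
        hits.add("sensitive_word")
    if len(raw_url) > 23:
        hits.add("long_url")

    if "domain_is_ip" not in hits:
        labels = host.split(".")
        # Undo the digit swaps and compare with the protected names.
        for label in labels:
            fixed = label.translate(UNSWAP)
            if fixed != label and fixed in PROTECTED_NAMES:
                hits.add("lookalike_domain")
        # e.g. "brand.com.example.net": a common TLD used as an inner label.
        if sum(1 for label in labels if label in COMMON_TLDS) >= 2:
            hits.add("multiple_tlds")
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, sorted(url_features(sample)))
```

Several of these features ("-" in the URL, length over 23 characters) fire on many legitimate URLs, so the hit set is an input to weighting or a classifier rather than a verdict on its own.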
In addition, as an example and not a limitation, the URL corresponding to a two-dimensional code is more likely to be a malicious URL if its page has the following features:
A large number of static links;
A large number of non-domain-name links, resources and methods;
A large number of hidden blocks;
An iframe pointing to another domain name is present;
Very few backlinks;
The copyright/ICP number is false or absent;
Whether a login window is present. Phishing websites often lure users into revealing personal sensitive information through a login window. The following logic is generally used to judge whether a web page contains a login window: first find all <form> tags in the page, then find the <input> tags inside them, and finally match each <input> tag against keywords such as password and pass. If password and pass are not matched, the strategy is to match keywords such as login and signin in all <form> tags. Other methods can also be used to determine whether a login window is included.
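The login-window logic described above, together with two of the other page features in the list (iframes pointing to other domain names and hidden blocks), as an added Python example that is not code from the disclosure. The class and function names, the way hidden blocks are recognised (a hidden attribute or a display:none / visibility:hidden style) and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PRIMARY_KEYWORDS = ("password", "pass")     # matched on <input> tags
FALLBACK_KEYWORDS = ("login", "signin")     # matched anywhere inside a <form>

# Constructed sample pages.
PHISH_PAGE = """<html><body>
<form action="/collect" method="post">
  <input type="text" name="user">
  <input type="password" name="pw">
</form>
<iframe src="http://frames.example.net/banner"></iframe>
<div style="display: none">tracking</div>
</body></html>"""
SIGNIN_PAGE = '<form action="/signin"><input type="text" name="card"></form>'
SEARCH_PAGE = ('<form action="/search"><input type="text" name="q"></form>'
               '<iframe src="/ads"></iframe>')


class PageFeatureParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.form_depth = 0            # > 0 while inside a <form>
        self.primary_hit = False
        self.fallback_hit = False
        self.cross_domain_iframes = []
        self.hidden_blocks = 0

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        blob = " ".join(f"{k} {v}" for k, v in attr.items()).lower()
        if tag == "form":
            self.form_depth += 1
        if self.form_depth:
            if tag == "input" and any(k in blob for k in PRIMARY_KEYWORDS):
                self.primary_hit = True
            if any(k in blob for k in FALLBACK_KEYWORDS):
                self.fallback_hit = True
        if tag == "iframe" and attr.get("src"):
            # Resolve relative src values against the page before comparing.
            host = urlsplit(urljoin(self.page_url, attr["src"])).hostname
            if host and host.lower() != self.page_host:
                self.cross_domain_iframes.append(host.lower())
        style = attr.get("style", "").replace(" ", "").lower()
        if tag != "input" and ("hidden" in attr or "display:none" in style
                               or "visibility:hidden" in style):
            self.hidden_blocks += 1

    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth:
            self.form_depth -= 1

    def handle_data(self, data):
        text = data.lower()
        if self.form_depth and any(k in text for k in FALLBACK_KEYWORDS):
            self.fallback_hit = True


def page_features(html, page_url):
    """Return login-window, cross-domain iframe and hidden-block features."""
    parser = PageFeatureParser(page_url)
    parser.feed(html)
    parser.close()
    return {
        "login_form": parser.primary_hit or parser.fallback_hit,
        # Which stage matched: <input> keywords first, <form> keywords second.
        "login_match": ("input" if parser.primary_hit
                        else "form" if parser.fallback_hit else None),
        "cross_domain_iframes": parser.cross_domain_iframes,
        "hidden_blocks": parser.hidden_blocks,
    }


if __name__ == "__main__":
    print(page_features(PHISH_PAGE, "http://shop.example.com/pay"))
```

Substring matching on "pass" also hits unrelated field names, which is one reason the text treats the login window as one feature among several.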
However, given the URL format features above, the format of a URL is variable: multiple URLs that are not exactly identical may point to the same link address. For example, www.xxxx.com and http://www.xxxx.com:80 are the same link address. In a URL using the FTP protocol there can be several username and password pairs with the same access rights, so even if the username and password in the FTP connection differ, the file accessed is the same; for example, in ftp://username:password@ftp.xxx.xxx/file, substituting another username and password with access rights does not affect the file the URL points to.
Because of this variability of the URL format, a simple variation of a malicious URL, made without changing its malicious nature, no longer exactly matches the features in the virus library, so the malicious two-dimensional code goes undetected. Many attackers exploit this loophole and frequently change the format of the URL of their Trojan-hosting website to evade identification. Some malicious code, when spreading itself over the network, frequently modifies the value of the query part of the URL of its Trojan-hosting website, and the value may be randomly generated; in this way it ensures that its malicious URL link remains effective for longer.
In one embodiment of the present disclosure, to address this situation, a set of formalization rules can be defined to convert a URL string into a uniform form as the data to be detected, which is matched against the feature library to determine whether the URL is a malicious link. The starting point of the formalization rules is to eliminate the variability of the URL string format: redundant information that has no practical significance for detection is discarded and default information that is absent from the URL string is supplemented, forming a URL string to be detected in the format "scheme://domain:port/path".
Specifically, a formalized detection method for malicious URLs in two-dimensional codes is proposed, comprising:
Step a: according to the RFC specification, split the URL to be detected into syntax element strings according to the URL syntax structure;
Step b: extract the specified strings, namely the protocol, domain name, port number and path, from the strings obtained by splitting;
Step c: judge whether the protocol string and the port number string exist, and complete any string that does not exist;
Step d: reassemble the strings obtained after completion into a new URL, and calculate the hash value of the new URL as the hash value corresponding to the URL to be detected;
Step e: traverse the malicious URL feature library and compare the feature data in the malicious URL feature library with the hash value corresponding to the URL to be detected.
Further, completing a missing protocol string or a missing port number string includes the steps of:
judging whether the protocol string exists and, if not, supplementing HTTP as the default protocol;
judging whether the port number string exists and, if not, supplementing the default port number according to the protocol type in the protocol string.
Further, supplementing the default port according to the protocol type in the protocol string includes: if the protocol type is HTTP, supplementing 80 as the default port number; if the protocol type is FTP, supplementing 21 as the default port number; other protocols are handled uniformly, with no port number supplemented and an empty string added as the port number.
The malicious URL feature library is obtained by taking each malicious URL captured in advance by an anti-virus vendor as a URL to be detected and passing it through steps a to d, yielding a list of the hash values corresponding to the malicious URLs.
To address the variability of the string format of malicious URL link addresses, the invention regularizes the string format: the variable parts that are meaningless for detection are discarded and the parts omitted by default are supplemented, producing data to be detected that contains enough information. The string format of the regularized URL is "scheme://domain:port/path", which retains the protocol, domain name, port and path. These data fully determine the address a URL points to, so detecting data in this format should be equivalent to detecting the original URL data. For a URL string to be detected in the format "scheme://domain:port/path": if the protocol "scheme" part is omitted, the default HTTP protocol is added; if the port "port" part is omitted, the default 80 is added for the HTTP protocol and 21 for the FTP protocol; and the username, password, query_string and fragment_id parts of the RFC specification for URLs are deleted. This completes the URL string to be detected. For example, the URL link address "www.test.com/main/index.html" becomes "http://www.test.com:80/main/index.html" after formalization by the above rules. To make detection convenient and to control the size of the feature library, the hash of the URL string to be detected is also calculated and used as the detection data.
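Steps a to e and the completion rules above, carried through as an added Python example (not code from the disclosure). The text does not name a hash algorithm, so SHA-256 is an assumption here, as are the function names and the constructed URLs in KNOWN_MALICIOUS.

```python
import hashlib
from urllib.parse import urlsplit

# Default ports from the text: 80 for HTTP, 21 for FTP. Every other
# protocol gets an empty string as its port.
DEFAULT_PORTS = {"http": "80", "ftp": "21"}

# Constructed stand-ins for URLs captured in advance by an anti-virus vendor.
KNOWN_MALICIOUS = [
    "http://bad.example.net/pay/index.html?id=1",
    "ftp://user1:pw1@files.example.org/file",
]


def formalize(url):
    """Steps a-d: rewrite url as scheme://domain:port/path.

    Raises ValueError for input that urlsplit cannot parse (for example a
    non-numeric port).
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url              # step c: HTTP is the default protocol
    parts = urlsplit(url)                  # step a: split into syntax elements
    scheme = parts.scheme.lower()          # step b: keep protocol, domain,
    domain = (parts.hostname or "").lower()  # port and path only; hostname
    port = parts.port                        # already excludes username:password@
    if port is None:                       # step c: default port by protocol
        port = DEFAULT_PORTS.get(scheme, "")
    path = parts.path or "/"               # query_string and fragment_id dropped
    return f"{scheme}://{domain}:{port}{path}"   # step d: reassemble


def url_hash(url):
    """Step d: hash of the formalized URL (SHA-256 is an assumption)."""
    return hashlib.sha256(formalize(url).encode("utf-8")).hexdigest()


def build_feature_db(malicious_urls):
    """Feature library: hashes of known malicious URLs after steps a-d."""
    return {url_hash(u) for u in malicious_urls}


def is_malicious(url, feature_db):
    """Step e: compare the URL's hash with the feature library."""
    return url_hash(url) in feature_db


if __name__ == "__main__":
    db = build_feature_db(KNOWN_MALICIOUS)
    for candidate in (
        "bad.example.net:80/pay/index.html?id=98765#x",   # random query value
        "ftp://other:secret@files.example.org:21/file",   # different login
        "https://bad.example.net/pay/index.html",         # different protocol
    ):
        print(formalize(candidate), is_malicious(candidate, db))
```

The first two candidates match although neither string appears in the list verbatim; the third does not, because the protocol is part of the formalized string and protocols other than HTTP and FTP receive an empty port.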
In another embodiment of the present disclosure, if the URL to be detected in the two-dimensional code is a short URL, it is converted into the corresponding long URL using a restoration method, and step a is then executed. In addition, for a URL that the rules (such as the RFC specification) cannot judge, feature fields are extracted to build a prediction file, and model prediction is performed on the URL by a classifier that is trained offline and continuously updated.
Specifically, the classifier is trained offline as follows: based on a URL knowledge base, relevant features of URLs are extracted to build a training file, which is then trained with a classification algorithm, and the model is optimized and saved. The classification algorithm is at least one of decision tree, support vector machine, logistic regression and random forest, or a combination of several of them. The offline training of the classifier is updated regularly or irregularly as the URL knowledge base changes. When malicious detection is performed on a URL that the predefined rules cannot judge, the relevant feature fields of the URL are extracted to build a prediction file, the prediction file is then evaluated using the saved model, and the prediction result is obtained and output.
In another embodiment of the present disclosure, the URL in the binary data of the two-dimensional code image to be detected is parsed and matched against a hash library of malicious URLs; if the match succeeds, the two-dimensional code to be detected is a malicious two-dimensional code. Specifically, the URL in the two-dimensional code is extracted, whitelisted URLs are filtered out, and malicious URLs are saved in the malicious URL library using a Bloom filter algorithm.
In another embodiment of the present disclosure, the server can collect illegitimate information in advance, such as malicious links and the URLs of Trojan horses, viruses or phishing websites, and add it to a blacklist; likewise, the server can collect security information in advance, such as group links and the URLs of legitimate websites, and add it to a whitelist. The blacklist and whitelist can be updated regularly and the updated lists sent to the user equipment, or the user equipment can download from the server the blacklist and whitelist that the server collected in advance.
In this embodiment, malicious URLs can be intercepted using a server-side website information query technique, with the URL security information queried from the server in real time serving as the database. Whenever the user equipment accesses any URL, it can query the server in real time as to whether the URL is safe. The user equipment makes a determination from the website query information returned by the server: if the site is malicious, it is blocked in real time; if it is a normal site, nothing is done. Meanwhile, the URL security information can be updated seamlessly on the server, protecting the web browsing security of the user equipment quickly and effectively in real time.
In addition, the URL of the web page accessed by the browser on the user equipment, the URLs of links in the web page content, and the URLs of downloaded files are encrypted into ciphertext by a cloud query protocol and sent to the server. The server performs an intelligent analysis and comparison of the URL information ciphertext submitted by the user equipment against the server-side URL library and returns the comparison result to the user equipment, which decides from the judgment result returned by the server whether the web page access by its browser is safe.
In another embodiment of the present disclosure, the URL contained in the content of a communication message is matched against a preset URL blacklist. If the URL matches, it is saved in the malicious URL library; otherwise, the IP address of the device that sent the communication message is matched against a preset IP address blacklist, and if the IP address matches, the URL is saved in the malicious URL library.
The scan volume in the present disclosure includes: user dimension: the number of scans by a user and the number of different codes scanned; device dimension: the number of scans by a device; code dimension: the number of users who have identified each two-dimensional code. If the number of users who have identified a two-dimensional code exceeds a certain number (as an example and not a limitation, greater than 1000), the two-dimensional code is considered basically not suspected of fraud.
Whether a scan is a first scan is used as a label when determining whether a two-dimensional code is a fraud two-dimensional code. Specifically, if a user is the first user to scan the current two-dimensional code, this first-scan user may be a fraudster performing a scan test, because after producing a fraud two-dimensional code the fraudster needs to scan it once himself to check whether it behaves as expected, for example jumping to the specified phishing page, downloading the specified Trojan horse program, or presenting the specified transaction code, etc.
Two-dimensional code associated-case analysis refers to cases in which users who identified the two-dimensional code complain of being defrauded. In general, the more reporting users are associated with a two-dimensional code, the more likely the two-dimensional code is a fraud two-dimensional code.
Combining at least one of the above features with historical fraud two-dimensional code data, the two-dimensional code recognizer component 204 builds a fraud two-dimensional code recognizer, analyzes the two-dimensional codes scanned by reporting users, and finally determines whether each is a fraud two-dimensional code. As an example, not a limit, in one embodiment of the disclosure, if the two-dimensional code type is an external-link code, the scan action is identifying the two-dimensional code from a photo album, and the two-dimensional code id feature meets one or more features of a fraud URL, the two-dimensional code is determined to be a fraud two-dimensional code. As an example, not a limit, in another embodiment of the disclosure, if the number of complaints against a two-dimensional code exceeds a certain threshold, the two-dimensional code is determined to be a fraud two-dimensional code. As an example, not a limit, in yet another embodiment of the disclosure, if a user is the first scanner of a threshold percentage (such as 80%, 70% or another threshold percentage) of the two-dimensional codes that user has identified (for example, the user has identified 100 two-dimensional codes and is the first scanner of 80 of them), the two-dimensional codes that user scanned first are assumed to be fraud two-dimensional codes.
The two-dimensional code recognizer component 204 automatically cleans defrauded users' scan data and performs fraud risk identification every day. The fraud two-dimensional codes identified each day are written by the two-dimensional code recognizer component 204 into a full table partitioned by date, i.e. the fraud two-dimensional code library, ensuring that the data in the table is not duplicated.
When a two-dimensional code is determined to be a fraud two-dimensional code, the prior art usually simply blocks that two-dimensional code, whereas in the disclosure the derivative risk identification component 206 first determines all users of each fraud two-dimensional code, that is, all users who have identified that two-dimensional code.
Then, rather than directly blocking the two-dimensional code, the derivative risk identification component 206 determines the first-scan user of the fraud two-dimensional code to be the fraudster, because after producing a fraud two-dimensional code a fraudster usually first identifies it himself for testing. For an identified fraudster, the derivative risk identification component 206 monitors all two-dimensional codes that the fraudster subsequently newly produces or scans first, and passes these two-dimensional codes as suspected fraud two-dimensional codes to the risk management and control component 208, which performs risk assessment on them and feeds them back.
In another embodiment of the disclosure, if a user has identified more than a threshold number of fraud two-dimensional codes (including first and non-first scans), the derivative risk identification component 206 marks that user as a suspected fraudster. As those skilled in the art should understand, the number of fraud two-dimensional codes any one user identifies is limited, so a user who identifies too many fraud two-dimensional codes can be considered a suspected fraudulent user. The two-dimensional codes that a suspected fraudulent user has identified or newly identifies are therefore closely monitored in order to find more fraud two-dimensional codes.
In another embodiment of the invention, the derivative risk identification component 206 obtains all two-dimensional codes that a fraudulent user has identified in the past and identifies in the future, and passes the information on these two-dimensional codes to the risk management and control component 208 for risk assessment, so that fraud two-dimensional codes can be traced back and prevented and more fraud two-dimensional codes can be found. As an example, not a limit, among all two-dimensional codes that the fraudulent user has identified and will identify, those for which the fraudulent user is the first-scan user are especially likely to be fraud two-dimensional codes.
In another embodiment of the invention, the derivative risk identification component 206 periodically collects the fraud evidence of identified fraudsters and pushes it to the police for a targeted offline crackdown.
In addition, the derivative risk identification component 206 determines the non-first-scan users of the fraud two-dimensional code to be victims. In one embodiment of the disclosure, if what the victim identified is a transaction code, the derivative risk identification component 206 determines the current suspicious collection medium associated with the current suspicious transaction carried out through that transaction code. In one embodiment of the disclosure, the current suspicious collection medium can be the fraudster's own online or offline fund account, or another person's online or offline fund account that the fraudster can control.
In another embodiment of the disclosure, if what the victim identified is a non-transaction code, the derivative risk identification component 206 classifies the defrauded user as a key protection object. Specifically, when the defrauded user has identified a non-transaction fraud two-dimensional code and opened the phishing page, the derivative risk identification component 206 prevents the user from submitting the page and informs the user of the security risk; or, when the defrauded user identifies a non-transaction fraud two-dimensional code and starts to download a trojan horse program, the derivative risk identification component 206 blocks the download of the trojan horse program and informs the user of the risk.
In addition to determining the current suspicious transaction and the current suspicious collection medium, the derivative risk identification component 206 also determines the victim's historical suspicious transactions and the historical suspicious collection media associated with them. As those skilled in the art will understand, historical suspicious transactions may include all historical transactions relevant to the current fraud case. As an example, not a limit, historical suspicious transactions can also be all transactions between non-acquaintances in the 12 hours before the current transaction, and so on.
After the derivative risk identification component 206 determines the current suspicious collection medium and the historical suspicious collection media, the risk management and control component 208 continuously intercepts the suspicious transactions carried out through them, to prevent the fraudster from receiving and transferring illicit money. These suspicious transactions can refer to all transactions associated with these suspicious collection media. In addition, the risk management and control component 208 also identifies as potential defrauded users those users, other than the victim, who have had business dealings with these suspicious collection media (both the current and the historical ones) or who have tried or are trying to remit money to them. In this way the current fraud case leads to the victims involved in other fraud cases and to the fraud two-dimensional codes, related to those other cases, that these victims identified, realizing self-looping derivative risk identification.
As an example, not a limit, after the two-dimensional code recognizer component 204 determines a fraud two-dimensional code A, the following steps are executed: (1) identify fraudster 1 associated with fraud two-dimensional code A and victims 1~N (that is, all non-first-scan users of fraud two-dimensional code A). Then, for the victims, (2) determine the current suspicious transactions and historical suspicious transactions that victims 1~N carried out through fraud two-dimensional code A, thereby determine the current suspicious collection media and historical suspicious collection media related to these suspicious transactions, and continuously intercept the suspicious transactions carried out through these collection media. Then, (3) identify potential victims 1~M who have had business dealings with these suspicious collection media or have attempted to transact through them. Then, (4) determine the one or more two-dimensional codes that potential victims 1~M used to carry out these suspicious transactions, traverse these two-dimensional codes, and determine the fraud two-dimensional codes B among them. For the fraudster, (5) identify all two-dimensional codes that the fraudster subsequently newly produces or scans first, and identify these two-dimensional codes as fraud two-dimensional codes C.
For the one or more newly identified fraud two-dimensional codes B and C, steps (1)~(5) above are repeated; that is, fraudster 1 associated with fraud two-dimensional codes B and C, or one or more other fraudsters 2 acquainted with fraudster 1, and victims 1~K continue to be identified, and the series of derivative risk identification and risk management and control steps is executed, over and over, so that more fraudsters, more victims and more fraud two-dimensional codes can be found. The identification of a new fraud two-dimensional code triggers another round of steps (1)~(5), realizing self-looping derivative risk identification and risk management and control.
In one embodiment of the disclosure, after a potential victim is identified, the risk management and control component 208 further identifies all of the potential victim's suspicious transactions in a period of time before and after the fraud occurred, and makes all of these transactions fail. Specifically, the risk management and control component 208 determines the time at which the potential victim transacted, or attempted to transact, with the suspicious transaction medium, identifies the suspicious transactions within a certain period before and after that time (for example, 12 hours before and after), and makes all of these transactions fail, to prevent the potential victim from being defrauded.
Fig. 3 shows a block diagram of the seed input module 202 according to one embodiment of the disclosure. Referring to Fig. 3, the seed input module 202 includes a reporting-user two-dimensional code receiving sub-component 302, for receiving as seed input the two-dimensional code, related to the reported fraud case, that a reporting user provides, and a potential defrauded-user two-dimensional code receiving sub-component 304, for receiving the two-dimensional codes through which potential defrauded users carried out suspicious transactions related to suspicious collection media.
In one embodiment of the disclosure, the fraud a user encounters can refer to: the user remitting money to the fraudster by identifying a transaction two-dimensional code produced by the fraudster; the user opening a phishing website produced by the fraudster by identifying an external-link two-dimensional code produced by the fraudster, and entering sensitive information so that assets or funds are stolen; the user downloading a trojan horse program produced by the fraudster by identifying an external-link two-dimensional code produced by the fraudster, leading to leakage of sensitive information or theft of funds; and so on. The technical solution in the disclosure is not limited to these situations.
As an example, not a limit, when a user discovers that he has encountered fraud, the user reports the fraud case through a mobile computing device or desktop computing device and uploads information related to the fraud case to a server. Then the seed input module 202 implemented on the server receives this information through its reporting-user two-dimensional code receiving sub-component 302 and thereby determines the two-dimensional code related to the fraud case, i.e. the two-dimensional code the fraudulent user used to carry out the fraud.
In one embodiment of the disclosure, after a two-dimensional code is determined to be a fraud two-dimensional code, the fraudster and victims of the fraud two-dimensional code are determined, together with the suspicious collection media that the victims used through the fraud two-dimensional code. The users related to the suspicious transactions carried out through these suspicious collection media are then determined, and these users are determined to be potential defrauded users. In one embodiment of the disclosure, as an example, not a limit, a potential defrauded user being related to the suspicious transactions carried out through these suspicious collection media can mean that the user has had business dealings with these suspicious collection media, or once tried or is trying to transact through them.
Then the potential defrauded-user two-dimensional code receiving sub-component 304 in the seed input module 202 receives the information on the potential defrauded users, thereby determines the two-dimensional codes the potential defrauded users used to carry out these suspicious transactions, and uses them as additional seed input in order to find more fraud two-dimensional codes, more fraudsters and more victims.
When the two-dimensional codes used by the reporting user and the potential defrauded users have been determined, the seed input module 202 transfers these two-dimensional codes to the two-dimensional code recognizer component 204.
Fig. 4 shows a block diagram of the two-dimensional code recognizer component 204 according to one embodiment of the disclosure. Referring to Fig. 4, when the two-dimensional code recognizer component 204 receives a two-dimensional code from the seed input module 202, it uses the two-dimensional code recognizer 402 to identify the received two-dimensional code and determine whether it is a fraud two-dimensional code.
Specifically, the two-dimensional code recognizer component 204 uses the two-dimensional code recognizer 402 to determine whether the two-dimensional code is a fraud two-dimensional code based on the two-dimensional code type, the scan action, the two-dimensional code id feature, the scan volume, whether the scan is a first scan, and two-dimensional code associated-case analysis. If it is determined to be a fraud two-dimensional code, the fraud two-dimensional code is added to the fraud two-dimensional code library 404, ensuring that it does not duplicate a fraud two-dimensional code already in the library.
In one embodiment of the disclosure, the fraud two-dimensional codes identified each day are written into a full table partitioned by date, i.e. the fraud two-dimensional code library 404.
In one embodiment of the disclosure, the two-dimensional code recognizer component 204 periodically spot-checks the two-dimensional code recognition accuracy or the cases that prevention and control missed, analyzes the causes, and adjusts or optimizes the two-dimensional code recognizer 402 accordingly to further improve recognition accuracy.
Fig. 5 shows a block diagram of the derivative risk identification component 206 according to one embodiment of the disclosure. Referring to Fig. 5, when a fraud two-dimensional code is received, the derivative risk identification component 206 uses the fraudster/victim determining sub-component 502 to determine the fraudster (that is, the user who scanned the fraud two-dimensional code first) and the victims (that is, the users whose scan of the fraud two-dimensional code was not the first) related to the received fraud two-dimensional code. Subsequently, for the identified fraudster, the derivative risk identification component 206 uses the new fraud two-dimensional code monitoring sub-component 504 to monitor all two-dimensional codes that the fraudster subsequently newly produces or scans first, and passes these two-dimensional codes to the risk management and control component 208 as suspected fraud two-dimensional codes 508 for risk assessment and feedback.
For the identified victims, the derivative risk identification component 206 uses the suspicious collection medium determining sub-component 506 to first determine the fraudulent transactions the victims carried out through the fraud two-dimensional code, and thereby determine the suspicious collection media 510 used to carry out those fraudulent transactions.
In one embodiment of the disclosure, the suspicious collection media 510 further include historical suspicious collection media related to the historical transactions the victim carried out in a certain period before the current fraudulent transaction, in order to find more fraud cases.
Fig. 6 shows a block diagram of the risk management and control component 208 according to one embodiment of the disclosure. Referring to Fig. 6, the risk management and control component 208 uses the fraud two-dimensional code identification and feedback sub-component 602 to identify the received suspected fraud two-dimensional codes as fraud two-dimensional codes 608 and add them to the fraud two-dimensional code library.
In one embodiment of the disclosure, the fraud two-dimensional code identification and feedback sub-component 602 can directly identify all suspected fraud two-dimensional codes, i.e. all two-dimensional codes the fraudster subsequently newly produces or scans first, as fraud two-dimensional codes 608 and add them to the fraud two-dimensional code library 404, ensuring that they do not duplicate fraud two-dimensional codes already in the library. This triggers the fraudster/victim determining sub-component 502 to obtain the fraudster and the new victims related to the fraud two-dimensional code and to execute the subsequent risk prevention and control steps, so that self-looping derivative risk identification can be realized.
In another embodiment of the disclosure, the fraud two-dimensional code identification and feedback sub-component 602 can also have the two-dimensional code recognizer component 204 assess the received suspected fraud two-dimensional code to determine whether it is a fraud two-dimensional code 608 and, when it is determined to be a fraud two-dimensional code, add it to the fraud two-dimensional code library 404 and trigger the subsequent looping derivative risk prevention and control steps, as described above.
Returning to Fig. 6, the collection medium interception sub-component 604 in the risk management and control component 208 continuously intercepts all transactions related to the suspicious collection media 510 that are associated with the current suspicious transactions and the historical suspicious transactions, to prevent more people from being deceived.
In addition, the potential victim determining sub-component 606 in the risk management and control component 208 further identifies users other than the current victims who are related to these suspicious transactions as potential victims 610, and provides them to the potential defrauded-user two-dimensional code receiving sub-component 304, which receives the two-dimensional codes through which the potential defrauded users carried out suspicious transactions related to the suspicious collection media. The two-dimensional code recognizer component 204 then determines whether each is a fraud two-dimensional code, so that more fraud two-dimensional codes can be found and self-looping derivative risk prevention and control realized.
Fig. 7 shows a data flow diagram for fraud risk identification according to one embodiment of the disclosure. Referring to Fig. 7, the seed input module 202 receives the two-dimensional code 702 provided by a reporting user and passes it to the two-dimensional code recognizer component 204. The two-dimensional code recognizer component 204 determines, based on the fraud two-dimensional code recognizer, whether the received two-dimensional code 702 is a fraud two-dimensional code. If the received two-dimensional code 702 is a fraud two-dimensional code, the two-dimensional code recognizer component 204 transfers the identified fraud two-dimensional code 704 to the derivative risk identification component 206.
Then the derivative risk identification component 206 determines the fraudster (usually the producer and first scanner of the fraud two-dimensional code) and the victims (usually non-first scanners) related to the fraud two-dimensional code 704. For the fraudster, the derivative risk identification component 206 monitors the two-dimensional codes 706 that the fraudster subsequently newly produces or scans first and submits them to the risk management and control component 208 for further assessment and feedback. In this way, a fraud two-dimensional code the fraudster has newly produced can be found and entered into the prevention and control system before the fraudster has used it, so that fraud prevention and control happens in advance. For the victims, the derivative risk identification component 206 determines the transactions the victims carried out through the fraud two-dimensional code 704, including the current suspicious transactions and historical suspicious transactions, the latter being, as an example, not a limit, transactions with non-acquaintances in the period before the current suspicious transaction. The derivative risk identification component 206 thereby determines the suspicious collection media 708 used to carry out these suspicious transactions, including the current suspicious collection media and the historical suspicious collection media. Then the derivative risk identification component 206 transfers these suspicious collection media 708, together with the fraudster's newly identified two-dimensional codes 708, to the risk management and control component 208.
The risk management and control component 208 identifies the two-dimensional code 706 that the fraudster scanned first as a new fraud two-dimensional code 710 and provides it to the derivative risk identification component 206 to determine the new fraudster (if any) and the new victims (if any), thereby finding the two-dimensional code 718 that the new fraudster scanned first and identifying it as a new fraud two-dimensional code 722, just as the new fraud two-dimensional code 710 was found above, realizing self-looping derivative risk management and control for fraudsters.
In addition, the risk management and control component 208 also identifies the users related to the suspicious collection media 708 as potential victims 712 and provides them to the seed input module 202, so that the two-dimensional code recognizer component 204 can determine whether the two-dimensional codes 714 identified by the potential victims are fraud two-dimensional codes and thus find more new fraud two-dimensional codes 716, just as the new fraud two-dimensional code 710 was found above, and thereby find new suspicious collection media 720 and new potential victims 722, just as the suspicious collection media 708 and potential victims 712 were found above, realizing self-looping derivative risk management and control for victims.
As shown in Fig. 7, whenever a new fraud two-dimensional code is found, the subsequent derivative risk management and control steps for the fraudster and the victims can be triggered, so that the fraudster's new fraud two-dimensional codes can be identified in advance and risk prevention and control efficiency improved. Whenever a new fraud two-dimensional code is found again in these subsequent derivative risk management and control steps, additional derivative risk management and control steps are triggered again, and so on in a loop, realizing self-looping, automatic fraud risk identification and prevention and control. As those skilled in the art should understand, the vertical ellipses in Fig. 7 indicate that the loop of self-looping derivative risk management and control steps continues.
Fig. 8 shows a flow chart of a method 800 for fraud risk identification according to one embodiment of the disclosure.
In step 802, a two-dimensional code provided by a reporting user is received as seed input. The received two-dimensional code is related to the fraud case the user reported.
In step 804, the received two-dimensional code is identified in order to identify a fraud two-dimensional code. The identification can be based on various factors, such as code type, scan action, code id feature analysis, scan volume, whether the scan is a first scan, and code associated-case analysis.
When the fraud two-dimensional code is identified, method 800 proceeds to the following steps:
In step 806, the fraudster and the victims associated with the fraud two-dimensional code are determined. In one embodiment of the disclosure, the fraudster can refer to the first-scan user of the identified fraud two-dimensional code, and the victims can refer to the non-first-scan users of the fraud two-dimensional code.
In step 808, the two-dimensional codes the fraudster subsequently scans first are identified in order to identify new fraud two-dimensional codes. In one embodiment of the disclosure, all two-dimensional codes the fraudster subsequently scans first or newly produces are directly identified as fraud two-dimensional codes. In another embodiment of the disclosure, all two-dimensional codes the fraudster subsequently scans first or newly produces are identified based on code type, scan action, code id feature analysis, scan volume, whether the scan is a first scan, and code associated-case analysis, to determine whether they are fraud two-dimensional codes. Method 800 then returns to step 806, realizing self-looping derivative risk prevention and control for fraudsters.
In step 810, the current suspicious transactions and historical suspicious transactions that the victims carried out through the fraud two-dimensional code are determined. In one embodiment of the disclosure, historical suspicious transactions may include all historical transactions relevant to the current fraud case. As an example, not a limit, historical suspicious transactions can also be all transactions between non-acquaintances in the 12 hours before the current transaction.
In step 812, the current suspicious collection media and historical suspicious collection media associated with the current suspicious transactions and the historical suspicious transactions are determined.
In step 814, the suspicious transactions associated with the current suspicious collection media and the historical suspicious collection media are continuously intercepted. In one embodiment of the disclosure, these suspicious transactions can refer to all transactions associated with these suspicious collection media.
In step 816, users other than the victims who are related to the suspicious transactions are identified as potential victims. In one embodiment of the disclosure, after a potential victim is identified, all of the potential victim's suspicious transactions in a period of time before and after the fraud occurred are further identified, and all of these transactions are made to fail, to prevent the potential victim from being defrauded.
In step 818, the two-dimensional codes related to the suspicious transactions are determined. Method 800 then returns to step 802, realizing self-looping derivative risk prevention and control for victims.
Fig. 9 shows a flow chart of a method 900 for the formalized detection of a malicious URL in a two-dimensional code according to one embodiment of the disclosure. The method comprises:
902: in accordance with the RFC specification, splitting the URL to be detected into syntax-element character strings according to the URL syntax structure;
904: extracting the specified character strings, including the protocol, domain name, port number, and path, from the character strings obtained by the split;
906: judging whether the protocol character string and the port number character string exist, and completing whichever string portions are missing;
908: reordering the character strings obtained after completion to obtain a new URL, and calculating the hash value of the new URL as the hash value corresponding to the URL to be detected;
910: traversing the malicious URL feature library and comparing the feature data in the malicious URL feature library with the hash value corresponding to the URL to be detected.
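Steps 902~910 can be followed on a few URLs in the sketch below, which is an added example and not code from the disclosure. The choice of SHA-256, the default protocol and port values, the `scheme://host:port/path` ordering, and the sample URLs are assumptions, since the page does not specify them.

```python
import hashlib
from urllib.parse import urlsplit

# Assumptions: the page does not name the defaults or the hash function.
ASSUMED_SCHEME = "http"
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_url(raw):
    """Steps 902/904: split per RFC 3986; keep protocol, domain, port, path."""
    raw = raw.strip()
    # Without "scheme://" urlsplit would treat the host as part of the path,
    # so mark the start of the authority component explicitly.
    if "://" not in raw:
        raw = "//" + raw
    parts = urlsplit(raw)
    try:
        port = parts.port
    except ValueError as exc:
        raise ValueError(f"malformed port in {raw!r}") from exc
    # hostname is already lower-cased; query and fragment are not extracted.
    return parts.scheme.lower(), parts.hostname or "", port, parts.path


def complete(scheme, host, port, path):
    """Step 906: fill in a missing protocol or port number."""
    if not host:
        raise ValueError("URL has no domain name")
    scheme = scheme or ASSUMED_SCHEME
    if port is None:
        if scheme not in DEFAULT_PORTS:
            raise ValueError(f"no default port known for {scheme!r}")
        port = DEFAULT_PORTS[scheme]
    return scheme, host, port, path


def canonical_hash(raw):
    """Step 908: reassemble in a fixed order and hash the new URL."""
    scheme, host, port, path = complete(*split_url(raw))
    new_url = f"{scheme}://{host}:{port}{path}"
    return new_url, hashlib.sha256(new_url.encode("utf-8")).hexdigest()


def is_malicious(raw, feature_library):
    """Step 910: compare the hash with the malicious-URL feature library.

    The library is held as a set of hex digests, so the traversal is a
    single membership test.
    """
    return canonical_hash(raw)[1] in feature_library


# Constructed feature library holding one constructed malicious URL.
MALICIOUS_URL_FEATURES = {canonical_hash("http://pay.example.test:80/collect")[1]}

if __name__ == "__main__":
    for url in ("pay.example.test/collect",
                "HTTP://PAY.EXAMPLE.TEST/collect?ref=poster",
                "https://pay.example.test/collect"):
        print(url, canonical_hash(url)[0], is_malicious(url, MALICIOUS_URL_FEATURES))
```

Because only protocol, domain, port and path enter the hash, spelling variants of one URL map to the same library entry, while a different protocol, port or path case yields a different hash and needs its own entry.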
As those skilled in the art will understand, the steps in the flow chart can be executed by hardware (for example, a processor, engine, memory, or circuit), software (for example, an operating system, application, driver, or machine/processor-executable instructions), or a combination thereof. As one of ordinary skill in the art will appreciate, each embodiment may include more or fewer steps than shown.
Embodiments of the invention are described above with reference to block diagrams and/or operational illustrations of methods and systems according to embodiments of the invention. The functions/acts noted in the blocks may occur out of the order shown in any flow chart. For example, depending on the functions/acts involved, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.
The above description, examples and data provide a complete description of the manufacture and use of the composition of the invention. Since many embodiments of the invention can be made without departing from the spirit and scope of the invention, the invention resides in the claims hereinafter appended.