CN103532797A

CN103532797A - Abnormity monitoring method and device for user registration

Info

Publication number: CN103532797A
Application number: CN201310546009.8A
Authority: CN
Inventors: 曹鲁; 张红泽; 董海疆; 崔坤
Original assignee: Netease Information Technology Beijing Co Ltd
Current assignee: Netease Information Technology Beijing Co Ltd
Priority date: 2013-11-06
Filing date: 2013-11-06
Publication date: 2014-01-22
Anticipated expiration: 2033-11-06
Also published as: CN103532797B

Abstract

The invention embodiment provides an abnormity monitoring method for user registration. The method comprises the following steps: judging if the present registration behavior of a user is abnormal by utilizing history registration information corresponding to an user account according to and responding to a request related to the user account, if yes, storing the abnormal registration information corresponding to the abnormal registration behavior, and generating prompt information by utilizing the stored abnormal registration information and sending the prompt information to the user. The method, provided by the invention, can automatically finish the judgment and prompt of the abnormal user registration behavior according to the history user registration information and the user does not need to set the common registration place beforehand, so that the stealing risk of the user account is prominently reduced, the security of the user account is improved, the user operation complexity is decreased, and better experience is brought to the user. Furthermore, the embodiment of the invention further provides an abnormity monitoring device for the user registration.

Description

A kind of user logins method for monitoring abnormality and device

Technical field

Embodiments of the present invention relate to networking technology area, and more specifically, embodiments of the present invention relate to a kind of user and login method for monitoring abnormality and device.

Background technology

The embodiments of the present invention that be intended to for stating in claims this part provide background or context.Description herein can comprise the concept that can probe into, but the concept of having expected or having probed into not necessarily.Therefore, unless at this, point out, the content of describing in this part is not prior art for the application's specification and claims, and not because be included in just admit it is prior art in this part.

In network application, in order to realize the identification of user identity and checking, need user to input username and password in client, the username and password of user being submitted to by server end is verified, whether the password that password corresponding to user name that inspection user submits to preserved with server end is consistent, if consistent, determine that user is validated user, returns to login success message; If inconsistent, determine that user is illegal user, returns to refusal log messages.After user logins successfully, can use network application to enjoy corresponding application service.At present, application such as E-mail address, online game, online payment, microblogging is all to use this login mechanism to provide application service for user.

Yet when the username and password of user account is revealed or is stolen, existing login method can not guarantee the safety of user account.In order to improve the fail safe of user account, there is a kind of method in prior art, by user, set in advance or select conventional login ground, after receiving user's logging request, whether the address that judges this login of user is the conventional login ground that user sets in advance, if not, can judge that this time login is abnormal, to user, send prompting.

Summary of the invention

But, because needing user to set in advance conventional login ground, prior art can judge whether this login is abnormal, when user does not arrange conventional login ground, prior art can not guarantee the safety of user account, brings thus the problem that security of user account is low, risk is high.

Therefore in the prior art, protecting user account safety in process of user login, is very bothersome process.

For this reason, be starved of a kind of improved user and login method for monitoring abnormality and device, to monitor the abnormal behaviour in the process of accessing to your account, improve the fail safe of user account.

In the present context, embodiments of the present invention expectation provides a kind of user to login method for monitoring abnormality and device.

In the first aspect of embodiment of the present invention, a kind of method is provided, comprising:

In response to the request associated with user account, obtain the historical log information corresponding with described user account;

According to the historical log information corresponding with described user account, judge whether the current login behavior of user is abnormal login behavior;

When the current login behavior of judgement user is abnormal login behavior, preserve the abnormal login information relevant to described abnormal login behavior;

The abnormal login Information generation information of utilize preserving also sends described information, and described information for pointing out abnormal login behavior described in user when user gets described information.

Preferably, described request comprises:

Logging request for described user account; Or

Preset data operation requests for described user account.

Preferably, described method also comprises, when the current login behavior of judgement user is abnormal login behavior, feeds back the message rejecting said request.

Preferably, the described basis historical log information corresponding with described user account judges whether the current login behavior of user is that abnormal login behavior comprises:

According to the historical log information corresponding with described user account, according at least one in user's login position information and user's login frequency information, judge whether the current login behavior of user is abnormal login behavior.

Preferably, the described basis historical log information corresponding with described user account judges according at least one in user's login position information and user's login frequency information whether the current login behavior of user is that abnormal login behavior comprises:

Determine the historical log number of times of described user account;

Judge whether described historical log number of times is greater than the first setting threshold, to obtain the first judged result; And

When described the first judged result shows that described user account is not any active ues, determine that the current login behavior of described user is the behavior of normally logining;

Wherein, described any active ues is the user account that described historical log number of times is greater than described the first setting threshold.

According to historical log information corresponding with described user account in the first Preset Time interval, determine user's historical log positional information in described the first Preset Time interval;

According to described user's historical log positional information judgement quantity of user's historical log position in described the first Preset Time interval in described the first Preset Time interval, whether be greater than the second setting threshold, to obtain the second judged result; And

According to the historical log information corresponding with described user account, determine user's historical log positional information of described user account;

Determine the current login position of the user information that the current login behavior of user is corresponding;

Whether the ratio that the historical log number of days that judges the current login position of user that the current login behavior of user is corresponding takies the total number of days of historical log of all historical log position, family is less than the 3rd setting threshold, to obtain the 3rd judged result;

When described the 3rd judged result and described the second judged result are while being, determine that the current login behavior of described user is abnormal login behavior.

According to the historical log information corresponding with described user account in the current login behavior of distance users the second Preset Time interval, determine user's historical log positional information in the distance current login behavior of described user the second Preset Time interval;

In the current login behavior of judging distance user the second Preset Time interval, whether the quantity of user's historical log position is greater than the 4th setting threshold, to obtain the 4th judged result;

When described the 3rd judged result and described the 4th judged result are while being, determine that the current login behavior of user is abnormal login behavior.

According to user's historical log positional information judgement successful login frequency corresponding with the current login position of user, whether be greater than the 5th setting threshold, to obtain the 5th judged result;

According to user's historical log positional information judgement abnormal login frequency corresponding with the current login position of user, account for the described ratio of successfully logining the frequency and whether be greater than the 6th setting threshold, to obtain the 6th judged result;

When described the 5th judged result and described the 6th judged result are while being, determine that the current login behavior of user is abnormal login behavior.

Judge that current login position is whether consistent with the login position in default abnormal login list of locations, to obtain the 7th judged result; Wherein, the abnormal login frequency corresponding to login position in described default abnormal login list of locations is greater than the 7th setting threshold;

Judgment result is that while being when the described the 7th, determine that the current login behavior of user is abnormal login behavior.

Preferably, the abnormal login Information generation information that described utilization is preserved also sends described information and comprises:

Utilize the abnormal login Information generation information of preserving, described information at least comprises abnormal login positional information and/or abnormal login temporal information;

To the information recipient corresponding with described user account, send described information.

Preferably, describedly to the information recipient corresponding with described user account, send described information and comprise:

Obtain the mobile terminal identification information corresponding with described user account;

To the mobile terminal corresponding with described mobile terminal identification information, send described information; Wherein, described mobile terminal identification information is to obtain according to the user account of preserving in response to user's bindings request and the corresponding relation of mobile terminal identification information; Or, obtain the user bound account information corresponding with described user account, to the addresses of items of mail corresponding with described user bound account information, send described information.

Generate authorization information;

Utilize the abnormal login information of preserving to send described authorization information and make client corresponding to user account corresponding with described abnormal login behavior show described authorization information.

Preferably, described method also comprises:

Receive the authorization information of user's input;

Whether the authorization information that judges user's input is correct, obtains the 8th judged result;

When described the 8th judged result shows that authorization information that user inputs is correct, feedback is agreed to the message of described request;

When described the 8th judgement shows authorization information mistake that user inputs, the message that feedback rejects said request.

Preferably, described when the current login behavior of judgement user is abnormal login behavior, preserve the abnormal login information relevant to described abnormal login behavior and comprise:

When the current login behavior of judgement user is abnormal login behavior, the abnormal login information relevant to described abnormal login behavior is kept in local memory queue;

The abnormal login information being kept in local memory queue is sent in Message Queuing server, so that described Message Queuing server preserves described abnormal login information;

Utilize consumer's program module to obtain and be kept at the described abnormal login information in described Message Queuing server, and described abnormal login information is processed, be stored in abnormal login information database.

Preferably, before sending described information, described method also comprises:

Judge that whether user account corresponding to described abnormal login information meets filter condition, if met, does not send described information.

Preferably, described in, obtaining the historical log information corresponding with described user account comprises:

Obtain the historical log information in the 3rd Preset Time interval corresponding with described user account.

In the second aspect of embodiment of the present invention, a kind of device is provided, comprising:

The first acquisition module, is configured in response to the request associated with user account, obtains the historical log information corresponding with described user account;

The first judge module, is configured for according to the historical log information corresponding with described user account and judges whether the current login behavior of user is abnormal login behavior;

Memory module, is configured for when the current login behavior of judgement user is abnormal login behavior, preserves the abnormal login information relevant to described abnormal login behavior;

Reminding module, is configured for the abnormal login Information generation information of utilize preserving and sends described information, and described information for pointing out abnormal login behavior described in user when user gets described information.

Preferably, described the first acquisition module is configured for:

In response to the logging request for described user account, obtain the historical log information corresponding with described user account; Or, in response to the preset data operation requests for described user account, obtain the historical log information corresponding with described user account.

Preferably, described device also comprises:

Feedback module, is configured for when the current login behavior of judgement user is abnormal login behavior the message that feedback rejects said request.

Preferably, described the first judge module is configured for:

Preferably, described the first judge module comprises:

First determines subelement, is configured for the historical log number of times of determining described user account;

The first judgment sub-unit, is configured for and judges whether described historical log number of times is greater than the first setting threshold, to obtain the first judged result;

Second determines subelement, is configured for when described the first judged result shows that described user account is not any active ues, determines that the current login behavior of described user is the behavior of normally logining; Wherein, any active ues is the user account that described historical log number of times is greater than described the first setting threshold.

Preferably, described the first judge module comprises:

The 3rd determines subelement, is configured for according to the historical log information corresponding with described user account in the first Preset Time interval and determines user's historical log positional information in described the first Preset Time interval;

The second judgment sub-unit, be configured for according to described user's historical log positional information judgement quantity of user's historical log position in described the first Preset Time interval in described the first Preset Time interval whether be greater than the second setting threshold, to obtain the second judged result;

The 4th determines subelement, is configured for user's historical log positional information of determining described user account according to the historical log information corresponding with described user account;

The 5th determines subelement, is configured for and determines the current login position of user information corresponding to the current login behavior of user;

The 3rd judgment sub-unit, whether the ratio that the historical log number of days that is configured for the current login position of user that judges that the current login behavior of user is corresponding takies the total number of days of historical log of all historical log position, family is less than the 3rd setting threshold, to obtain the 3rd judged result;

The 6th determines subelement, is configured for and is while being when described the second judged result and described the 3rd judged result, and definite current login behavior of described user is abnormal login behavior.

Preferably, described the first judge module comprises:

The 7th determines subelement, be configured for according to the historical log information corresponding with described user account in the current login behavior of distance users the second Preset Time interval, determine user's historical log positional information in the distance current login behavior of described user the second Preset Time interval;

The 4th judgment sub-unit, whether the quantity that is configured for user's historical log position in the current login behavior of judging distance user the second Preset Time interval is greater than the 4th setting threshold, to obtain the 4th judged result;

The 8th determines subelement, is configured for and is while being when described the 3rd judged result and described the 4th judged result, and definite current login behavior of user is abnormal login behavior.

Preferably, described the first judge module comprises:

The 5th judgment sub-unit, is configured for according to user's historical log positional information judgement successful login frequency corresponding with the current login position of user whether be greater than the 5th setting threshold, to obtain the 5th judged result;

The 6th judgment sub-unit, is configured for according to user's historical log positional information and judges that the abnormal login frequency corresponding with the current login position of user accounts for the described ratio of successfully logining the frequency and whether be greater than the 6th setting threshold, to obtain the 6th judged result;

The 9th determines subelement, is configured for and is while being when described the 5th judged result and described the 6th judged result, and definite current login behavior of user is abnormal login behavior.

Preferably, described the first judge module comprises:

The 7th judgment sub-unit, is configured for and judges that current login position is whether consistent with the login position in default abnormal login list of locations, to obtain the 7th judged result; Wherein, the abnormal login frequency corresponding to login position in described default abnormal login list of locations is greater than the 7th setting threshold;

The tenth determines subelement, is configured for and judgment result is that while being, definite current login behavior of user is abnormal login behavior when the described the 7th.

Preferably, described reminding module comprises:

The first information generation unit, is configured for and utilizes the abnormal login Information generation information of preserving, and described information at least comprises abnormal login positional information and/or abnormal login temporal information;

The first information transmitting element, is configured for to the information recipient corresponding with described user account and sends described information.

Preferably, described the first information transmitting element is configured for:

Obtain the mobile terminal identification information corresponding with described user account, to the mobile terminal corresponding with described mobile terminal identification information, send described information; Wherein, described mobile terminal identification information is to obtain according to the user account of preserving in response to user's bindings request and the corresponding relation of mobile terminal identification information; Or, obtain the user bound account information corresponding with described user account, to the addresses of items of mail corresponding with described user bound account information, send described information.

Preferably, described reminding module comprises:

The second information generation unit, is configured for generation authorization information;

The second information transmitting element, is configured for and utilizes the abnormal login information of preserving to send described authorization information and make client corresponding to user account corresponding with described abnormal login behavior show described authorization information.

Preferably, described device also comprises:

Receiver module, is configured for the authorization information that receives user's input;

The second judge module, is configured for and judges that whether the authorization information of user's input is correct, obtains the 8th judged result;

Described feedback module also for:

When described the 8th judged result shows that authorization information that user inputs is correct, feedback is agreed to the message of described request; When described the 8th judgement shows authorization information mistake that user inputs, the message that feedback rejects said request.

Preferably, described memory module comprises:

Local memory queue, is configured for when the current login behavior of judgement user is abnormal login behavior, preserves the abnormal login information relevant to described abnormal login behavior in local memory queue;

Message Queuing server, is configured for the abnormal login information receiving from local memory queue, and preserves described abnormal login information;

Consumer's program module, is configured for and obtains the described abnormal login information being kept in described Message Queuing server, and described abnormal login information is processed, and to abnormal login information database, sends the abnormal login information after described processing;

Abnormal login information database, for the abnormal login information after stores processor.

Preferably, described device also comprises:

The 3rd judge module, for before sending described information, judges that whether user account corresponding to described abnormal login information meets filter condition, if met, does not send described information.

Preferably, described the first acquisition module is configured for:

In response to the request associated with user account, obtain the historical log information in the 3rd Preset Time interval corresponding with described user account.

According to the user of embodiment of the present invention, login method for monitoring abnormality and device, can be according to the request in response to associated with user account, utilize the historical log information corresponding with user account to judge whether the current login behavior of user is abnormal login behavior, if, preserve the abnormal login information corresponding with described abnormal login behavior, and utilize the abnormal login Information generation information of preserving and send information to user.Method and apparatus provided by the invention, without user, set in advance conventional login ground, can be according to judgement and the prompting of the behavior of the automatic completing user abnormal login of user's historical log information, thereby reduced significantly the stolen risk of user account, improved the fail safe of user account, and reduced the complexity of user's operation, for user has brought better experience.

summary of the invention

The inventor finds, because needing user to set in advance conventional login ground, prior art can judge whether this login is abnormal, when user does not arrange conventional login ground, prior art can not guarantee the safety of user account, brings thus the problem that security of user account is low, risk is high.For existing in prior art, security of user account is low, the problem of user's complicated operation, the invention provides a kind of user and login method for monitoring abnormality and device, can be according to the request in response to associated with user account, utilize the historical log information corresponding with user account to judge whether the current login behavior of user is abnormal login behavior, if, preserve the abnormal login information corresponding with described abnormal login behavior, and utilize the abnormal login Information generation information of preserving and send information to user.Method and apparatus provided by the invention, without user, set in advance conventional login ground, can be according to judgement and the prompting of the behavior of the automatic completing user abnormal login of user's historical log information, thereby reduced significantly the stolen risk of user account, improved the fail safe of user account, and reduced the complexity of user's operation, for user has brought better experience.

After having introduced basic principle of the present invention, lower mask body is introduced various non-limiting execution mode of the present invention.

application scenarios overview

First with reference to figure 2, the adaptable scene of embodiment of the present invention can be for example scene as shown in Figure 2, wherein, the client in Fig. 2 can be for providing login interface and display reminding information, and server (not shown) provided by the invention is used for realizing user and logins exception monitoring.

illustrative methods

Below in conjunction with the application scenarios of Fig. 2, be described with reference to Figure 3 the method for logining exception monitoring according to the user of exemplary embodiment of the invention.It should be noted that above-mentioned application scenarios only illustrates for the ease of understanding spirit of the present invention and principle, embodiments of the present invention are unrestricted in this regard.On the contrary, any scene that embodiments of the present invention can be applied to be suitable for.

As shown in Figure 3, for user according to an embodiment of the present invention logins the flow chart of method for monitoring abnormality, the method concrete example is as comprised:

S301, in response to the request associated with user account, obtains the historical log information corresponding with described user account.

S302, judges according to the historical log information corresponding with described user account whether the current login behavior of user is abnormal login behavior.

S303, when the current login behavior of judgement user is abnormal login behavior, preserves the abnormal login information relevant to described abnormal login behavior.

S304, the abnormal login Information generation information of utilize preserving also sends described information, and described information for pointing out abnormal login behavior described in user when user gets described information

Contrasting Fig. 3 below describes detailed realization of the present invention.

When specific implementation of the present invention, when receiving the request associated with user account, in response to the request associated with user account, obtain the historical log information corresponding with described user account.The described request associated with user account specifically can comprise: for the logging request of described user account, or, for the preset data operation requests of described user account.Wherein, for the preset data operation requests of user account such as comprising: for the password of user account revise request, for the cancellation of balances of accounts request of user account, for the article dealing request of user account etc.It should be noted that, default data operation request can be set in advance by server, also can by client, be set in advance by user, at this, does not limit.Wherein, obtaining the historical log information corresponding with user account is specifically as follows: obtain the historical log information in the 3rd Preset Time interval corresponding with described user account.The 3rd Preset Time interval can be preset by server, for example, can be 6 months, 3 months etc.It should be noted that, can further include the concept at the first Preset Time interval, the second Preset Time interval in the embodiment of the present invention, wherein, the first Preset Time interval, the second Preset Time interval are all less than or equal to the 3rd Preset Time interval.Obtaining the historical log information corresponding with user account can be also all historical log information corresponding with user account of obtaining preservation.User's historical log information can be logined daily record and obtain from user, and user logins daily record for the details of the each login of recording user, comprises the information such as account name, login IP, login time, login duration.Correspondingly, user's historical log information also can comprise user account, login IP(or login position), one or more in the information such as login time, login duration.

When step S302 specific implementation, according to the historical log information corresponding with described user account, judge whether the current login behavior of user is that abnormal login behavior specifically can comprise: according to judging according at least one in user's login position information and user's login frequency information whether the current login behavior of user is abnormal login behavior with historical log information corresponding to described user account.It should be noted that, be only a kind of exemplary execution mode of the present invention according to user's login position information and/or user's the current login behavior of login frequency information judgement user, is not considered as limitation of the present invention.Those skilled in the art all belong to protection scope of the present invention not paying other implementations of obtaining under creative work.

In a kind of possible implementation of the present invention, according to the historical log information corresponding with described user account, according at least one in user's login position information and user's login frequency information, judge whether the current login behavior of user is that abnormal login behavior comprises: the historical log number of times of determining described user account; Judge whether described historical log number of times is greater than the first setting threshold, to obtain the first judged result; And, when described the first judged result shows that described user account is not any active ues, determine that the current login behavior of described user is the behavior of normally logining; Wherein, any active ues is the user account that described historical log number of times is greater than described the first setting threshold.In this implementation, in order to prevent erroneous judgement, for the user account that is defined as non-any active ues, directly determine that its current login behavior is the behavior of normally logining.Wherein, any active ues is the user account that historical log number of times is greater than the first setting threshold, and non-any active ues is the user account that historical log number of times is less than or equal to the first setting threshold.The first setting threshold can be set as required, at this, does not limit.

In a kind of possible implementation of the present invention, according to the historical log information corresponding with described user account, according at least one in user's login position information and user's login frequency information, judge whether the current login behavior of user is that abnormal login behavior comprises: according to determine user's historical log positional information in described the first Preset Time interval with historical log information corresponding to described user account in the first Preset Time interval; According to described user's historical log positional information judgement quantity of user's historical log position in described the first Preset Time interval in described the first Preset Time interval, whether be greater than the second setting threshold, to obtain the second judged result; And, according to the historical log information corresponding with described user account, determine user's historical log positional information of described user account; Determine the current login position of the user information that the current login behavior of user is corresponding; Whether the ratio that the historical log number of days that judges the current login position of user that the current login behavior of user is corresponding takies the total number of days of historical log of all historical log position, family is less than the 3rd setting threshold, to obtain the 3rd judged result; When described the second judged result and described the 3rd judged result are while being, determine that the current login behavior of described user is abnormal login behavior.

During specific implementation, user's historical log position can obtain according to login IP in user's historical log information, and administrative division can be take as unit in historical log position, for example, take province, city to distinguish as unit.For the convenience of calculating, when determining historical log number of days corresponding to user login position, same login position (for example inside the province same) can be set and within one day, no matter login several times, be all only recorded as once.In order to reduce the memory space of data, when recording login position, can record at most N login position, N can preset, and record is not carried out in the login position that login times is few.When the ratio that the historical log number of days that is greater than the second setting threshold and the current login position of user corresponding to the current login behavior of user when judgement quantity of user's historical log position in the first Preset Time interval takies the total number of days of historical log of all historical log position, family is less than the 3rd setting threshold, determine that the current login behavior of user is abnormal login behavior.The first Preset Time interval can preset, for example, can be 1 month.During concrete judgement, first according to the historical log information corresponding with described user account in the first Preset Time interval, determine user's historical log positional information in described the first Preset Time interval, then according to described user's historical log positional information judgement quantity of user's historical log position in described the first Preset Time interval in described the first Preset Time interval, whether be greater than the second setting threshold, to obtain the second judged result.Similarly, also first according to user's historical log information, determine user's historical log positional information of user account, determine the current position that logs in of user, whether the ratio that the historical log number of days that then judges the current login position of user takies the total number of days of historical log of all historical log position, family is greater than the 3rd setting threshold, to obtain the 3rd judged result.Wherein, the second setting threshold and the 3rd setting threshold all can rule of thumb maybe need to set.When judging that the quantity of user's historical log position is greater than the second setting threshold in the first Preset Time interval, illustrate that user account is frequently logined in different login positions; When the ratio that takies the total number of days of historical log of all historical log position, family when the historical log number of days of the judgement current login position of user is less than the 3rd setting threshold, the current conventional position that logs in that position is not user that logs in is described.When two conditions meet simultaneously, determine that current login behavior is abnormal login behavior.With an example, describe, when the ratio that the login number of days that the quantity in the province of login surpasses the province of the second setting threshold and this login of user in this time login behavior of judgement user distance one month takies the number of days in all provinces of historical log, family is less than the 3rd setting threshold, can determine that this login behavior of user is abnormal login behavior.

In the implementation of another possibility of the present invention, according to the historical log information corresponding with described user account, according at least one in user's login position information and user's login frequency information, judge whether the current login behavior of user is that abnormal login behavior comprises: according to determining user's historical log positional information of described user account with historical log information corresponding to described user account; Determine the current login position of the user information that the current login behavior of user is corresponding; According to the historical log information corresponding with described user account in the current login behavior of distance users the second Preset Time interval, determine user's historical log positional information in the distance current login behavior of described user the second Preset Time interval; Whether the ratio that the historical log number of days that judges the current login position of user that the current login behavior of user is corresponding takies the total number of days of historical log of all historical log position, family is less than the 3rd setting threshold, to obtain the 3rd judged result; In the current login behavior of judging distance user the second Preset Time interval, whether the quantity of user's historical log position is greater than the 4th setting threshold, to obtain the 4th judged result; When described the 3rd judged result and described the 4th judged result are while being, determine that the current login behavior of user is abnormal login behavior.

During specific implementation, when the quantity that the ratio that takies the total number of days of historical log of all historical log position, family when the historical log number of days of the current login position of user corresponding to the current login behavior of user is less than user's historical log position in the 3rd setting threshold and the current login behavior of distance users the second Preset Time interval is greater than the 4th setting threshold, determine that the current login behavior of user is abnormal login behavior.Wherein, the second Preset Time interval can preset, for example, can be 24 hours.It should be noted that, the second Preset Time interval is less than or equal to the 3rd Preset Time interval.The second Preset Time interval is generally less than the first Preset Time interval.Certainly, can be also that other arrange more flexibly.When the ratio that takies the total number of days of historical log of all historical log position, family when the historical log number of days of the judgement current login position of user is less than the 3rd setting threshold, the current conventional position that logs in that position is not user that logs in is described.When the quantity of user's historical log position is greater than the 4th setting threshold in current login behavior the second Preset Time interval of judging distance user, illustrate that user's account is frequently logined in different login positions within short-term.When two conditions meet simultaneously, determine that current login behavior is abnormal login behavior.With an example, describe, when ratio that the login number of days in the province of judgement user this login takies the number of days in all provinces of historical log, family is less than the 3rd setting threshold and the current login behavior of the distance users quantity that user logins province in 24 hours forward and is greater than the 4th setting threshold, can determine that the current login behavior of user is abnormal login behavior.

In the implementation of another possibility of the present invention, according to the historical log information corresponding with described user account, according at least one in user's login position information and user's login frequency information, judge whether the current login behavior of user is that abnormal login behavior comprises: according to determining user's historical log positional information of described user account with historical log information corresponding to described user account; Determine the current login position of the user information that the current login behavior of user is corresponding; According to user's historical log positional information judgement successful login frequency corresponding with the current login position of user, whether be greater than the 5th setting threshold, to obtain the 5th judged result; According to user's historical log positional information judgement abnormal login frequency corresponding with the current login position of user, account for the described ratio of successfully logining the frequency and whether be greater than the 6th setting threshold, to obtain the 6th judged result; When described the 5th judged result and described the 6th judged result are while being, determine that the current login behavior of user is abnormal login behavior.

During specific implementation, when the judgement successful login frequency corresponding to the current login position of user is greater than the abnormal login frequency corresponding to the 5th setting threshold and the current login position of user and accounts for the described ratio of successfully logining the frequency and be greater than the 6th setting threshold, definite current login behavior of user is abnormal login behavior.For example, when the ratio that the frequency that is greater than the abnormal login the 5th setting threshold and this IP address causing when successful login times corresponding to the current login of judgement user IP address accounts for successfully login times is greater than the 6th setting threshold, think that this IP address success login times is too much, this is likely the attack of robot, at this moment, determine that the current login behavior of user is abnormal login behavior.

In the implementation of another possibility of the present invention, according to the historical log information corresponding with described user account, according at least one in user's login position information and user's login frequency information, judge whether the current login behavior of user is that abnormal login behavior comprises: determine the current login position of the user information that the current login behavior of user is corresponding; Judge that current login position is whether consistent with the login position in default abnormal login list of locations, to obtain the 7th judged result; Wherein, the abnormal login frequency corresponding to login position in described default abnormal login list of locations is greater than the 7th setting threshold; Judgment result is that while being when the described the 7th, determine that the current login behavior of user is abnormal login behavior.

During specific implementation, can abnormal login list of locations be set according to the abnormal login information of user's historical log information and/or storage.Wherein, the abnormal login frequency corresponding to the login position in abnormal login list of locations is greater than the 7th setting threshold.The 7th setting threshold can rule of thumb be set.When the abnormal login frequency causing when user's login position (corresponding login IP address) is greater than the 7th setting threshold, illustrate that the abnormal login number of times causing this login IP address is too much.When carrying out abnormal login judgement, can obtain the current login position of user information, then the login position in the current login position of user and abnormal login list of locations is compared, if consistent with at least one information in abnormal login list of locations, determine that login behavior corresponding to current login position is abnormal login behavior.

During specific implementation, above-mentioned determination methods may be used alone, can also be used in combination.

For example, in the another kind of possible implementation of the present invention, according to the historical log information corresponding with described user account, according at least one in user's login position information and user's login frequency information, judge whether the current login behavior of user is that abnormal login behavior comprises: the historical log number of times of determining described user account; Judge whether described historical log number of times is greater than the first setting threshold, to obtain the first judged result; And, when described the first judged result shows that described user account is not any active ues, determine that the current login behavior of described user is the behavior of normally logining; When described the first judged result shows that described user account is any active ues, according to historical log information corresponding with described user account in the first Preset Time interval, determine user's historical log positional information in described the first Preset Time interval; According to described user's historical log positional information judgement quantity of user's historical log position in described the first Preset Time interval in described the first Preset Time interval, whether be greater than the second setting threshold, to obtain the second judged result; And, according to the historical log information corresponding with described user account, determine user's historical log positional information of described user account; Determine the current login position of the user information that the current login behavior of user is corresponding; Whether the ratio that the historical log number of days that judges the current login position of user that the current login behavior of user is corresponding takies the total number of days of historical log of all historical log position, family is less than the 3rd setting threshold, to obtain the 3rd judged result; When described the second judged result and described the 3rd judged result are while being, determine that the current login behavior of described user is abnormal login behavior.

And for example, in another possible implementation of the present invention, according to the historical log information corresponding with described user account, according at least one in user's login position information and user's login frequency information, judge whether the current login behavior of user is that abnormal login behavior comprises: the historical log number of times of determining described user account; Judge whether described historical log number of times is greater than the first setting threshold, to obtain the first judged result; And, when described the first judged result shows that described user account is not any active ues, determine that the current login behavior of described user is the behavior of normally logining; When described the first judged result shows that described user account is any active ues, according to the historical log information corresponding with described user account, determine user's historical log positional information of described user account; Determine the current login position of the user information that the current login behavior of user is corresponding; According to the historical log information corresponding with described user account in the current login behavior of distance users the second Preset Time interval, determine user's historical log positional information in the distance current login behavior of described user the second Preset Time interval; Whether the ratio that the historical log number of days that judges the current login position of user that the current login behavior of user is corresponding takies the total number of days of historical log of all historical log position, family is less than the 3rd setting threshold, to obtain the 3rd judged result; In the current login behavior of judging distance user the second Preset Time interval, whether the quantity of user's historical log position is greater than the 4th setting threshold, to obtain the 4th judged result; When described the 3rd judged result and described the 4th judged result are while being, determine that the current login behavior of user is abnormal login behavior.

It should be noted that, these are only exemplary type explanation, during specific implementation of the present invention, can also take additive method to realize the judgement of abnormal login.Those skilled in the art all belong to protection scope of the present invention not paying other implementations of obtaining under creative work.

Fig. 4 schematically shows according to the flow chart of the abnormal login information storage means of further embodiment of this invention.

When specific implementation of the present invention, the prompting of the judgement of user's abnormal login behavior and abnormal login behavior has been carried out to decoupling zero, be provided with the memory module of abnormal login information, make storage and asynchronous the carrying out of abnormal login prompting of abnormal login information, to improve response and the processing speed of server end, and do not affect user's real-time login behavior.

During specific implementation, when the current login behavior of judgement user is abnormal login behavior, preserving the abnormal login information relevant to described abnormal login behavior comprises: when the current login behavior of judgement user is abnormal login behavior, the abnormal login information relevant to described abnormal login behavior is kept in local memory queue; The abnormal login information being kept in local memory queue is sent in Message Queuing server, so that described Message Queuing server preserves described abnormal login information; Utilize consumer's program module to obtain and be kept at the described abnormal login information in described Message Queuing server, and described abnormal login information is processed, be stored in abnormal login information database.

At length set forth below.When specific implementation of the present invention, by the judgement decoupling zero of the prompting of abnormal login information and abnormal login information, this is to operate than faster because the judgement of abnormal login is one, the prompting of abnormal login is an action more consuming time, such as comprising, sends short messages and sends out the network operations such as mail.In order being unlikely, to allow prompting operation consuming time block application server, to reduce response time and the concurrency of application server, so be necessary these two operation exceptions.In addition, abnormal login information is stored and abnormal login information can be carried out to persistent storage, facilitate the use of follow-up statistics and analysis.

Realizing when of the present invention, inventor finds, the transmission of abnormal login information and storage should guarantee abnormal login information as far as possible timely persistent storage get off, guarantee again certain concurrent and throughput, also the reliability of abnormal login information is had to certain requirement simultaneously.In order to meet above-mentioned requirements, the present invention has used message queue (Message Queue) when carrying out the storage of abnormal login information, message queue, for the non real-time business of those complexity is followed to online real-time main service detach, provides abundant characteristic and extensibility.

Below in conjunction with Fig. 4, at length introduce.In Fig. 4, application server is that the server of service is provided for user.Message Queuing server is the server for buffer memory abnormal login information.Consumer's program module is the abnormal login information of taking out in Message Queuing server, and abnormal login information is stored into the part of database.It is for according to abnormal login Information generation information and send the part of described information that the abnormal reminder module in backstage can be called again reminding module.These modules or program all can be deployed in server side.During specific implementation, when the current login behavior of judgement user is abnormal login behavior, the abnormal login information to be sent (sending/push (put) message in memory queue) of using memory queue buffer memory this locality, the proprietary thread pool on backstage sends these information to the corresponding queue of Message Queuing server simultaneously.Why will introduce memory queue, when main purpose is to prevent that network from connecting fault, the normal operation thread of application server can frequently be attempted creating and connect, thereby causes that user's request can not get response.Wherein, abnormal login message queue is to be positioned at message queue (MQ) server for storing the queue of abnormal login information, can be non-persistence queue.Consumer's program module, for the abnormal login information of abnormal login message queue is taken out, through format conversion, deposits database in, and in theory, consumer's process can have any number of, for accelerating consumption.The abnormal reminder module in backstage can be called again reminding module for extract the abnormal login information occurring in nearest a period of time from database, according to certain strategy, points out to corresponding user.Below the mode of prompting is described.

When specific implementation of the present invention, in a kind of possible implementation, step S304 specifically can comprise: utilize the abnormal login Information generation information of preserving, described information at least comprises abnormal login positional information and/or abnormal login temporal information; To the information recipient corresponding with described user account, send described information.

Wherein, to the information recipient corresponding with described user account, sending described information comprises: obtain the mobile terminal identification information corresponding with described user account; To the mobile terminal corresponding with described mobile terminal identification information, send described information; Wherein, described mobile terminal identification information is to obtain according to the user account of preserving in response to user's bindings request and the corresponding relation of mobile terminal identification information.During specific implementation, can be to sending information with the mobile terminal of user account binding.For example,, to the sending short message by mobile phone information with user account binding, for pointing out user's abnormal login positional information and/or abnormal login temporal information.Whether information can further include inquiry user needs the information such as Modify password.

Wherein, to the information recipient corresponding with described user account, sending described information comprises: obtain the user bound account information corresponding with described user account, to the addresses of items of mail corresponding with described user bound account information, send described information.During specific implementation, can be to sending information with other accounts of user account binding.For example, the addresses of items of mail corresponding to other accounts with the binding of active user's account sends mail information, for pointing out user's abnormal login positional information and/or abnormal login temporal information.Whether information can further include inquiry user needs the information such as Modify password.

When specific implementation of the present invention, in a kind of possible implementation, step S304 specifically can comprise: generate authorization information; Utilize the abnormal login information of preserving to send described authorization information and make client corresponding to user account corresponding with described abnormal login behavior show described authorization information.

During specific implementation, utilize the abnormal login information of preserving to send described authorization information and make client corresponding to user account corresponding with described abnormal login behavior show that described authorization information can comprise: (corresponding with server in client corresponding to user account, at least comprise and show login interface) demonstration authorization information, or to mobile terminal, send information, so that mobile terminal display reminding information.In front a kind of implementation, after generating information, on user's login interface of the client of using user or show authorization information on user interface, when user inputs correct authorization information, allow user's request; When the authorization information of user's input error, refuse user's request.In rear a kind of implementation, obtain the user account corresponding with described abnormal login behavior, obtain the mobile terminal identification information corresponding with described user account, to the mobile terminal corresponding with described mobile terminal identification information, send described authorization information, so that described mobile terminal shows described authorization information.For example, can be to the sending short message by mobile phone information with user account binding, for pointing out user's input validation code.Further, described information can also be for pointing out user's abnormal login positional information and/or abnormal login temporal information.

Further, method provided by the invention can also comprise: the authorization information that receives user's input; Whether the authorization information that judges user's input is correct, obtains the 8th judged result; When described the 8th judged result shows that authorization information that user inputs is correct, feedback is agreed to the message of described request; When described the 8th judgement shows authorization information mistake that user inputs, the message that feedback rejects said request.The authorization information of user's input can be from the client corresponding with login interface or operation interface, also can be from the mobile terminal with user's binding, when receiving the authorization information of feedback, judge that whether the authorization information that user inputs is correct, if correct, feedback is agreed to the information of user's request; If mistake, the information that feedback refuses user's request.

Further, before sending described information, described method also comprises: judge that whether user account corresponding to described abnormal login information meets filter condition, if met, does not send described information.When specific implementation, filter condition for example can comprise: the user login position corresponding with particular ip address; Or, in Preset Time, sent the user account of information; Or, the abnormal login information within the current prompting cycle not; Or the user account of abnormal login prompting etc. is not carried out in setting.Arranging of filter condition can be very flexibly, can arrange as required.It should be noted that, when carrying out the prompting of abnormal login, need to meet prompting in time, prompting by all kinds of means, and need to take into account and avoid too much harassing user.Therefore,, when specific implementation, the present invention can set in advance the prompting cycle to guarantee timely prompting, and adopts separate threads to point out.For fear of too much prompting, the frequency of prompting mode can be set, for example within 3 days, once mail is pointed out one day envelope etc. to short message prompt.User, carry out after specific operation, recalculate abnormal login information.For example, after user's Modify password, recalculate abnormal login information.

Further, described method also comprises: when the current login behavior of judgement user is abnormal login behavior, and the message that feedback rejects said request.When the current login behavior of judgement user is while normally logining behavior, feedback is agreed to the message of described request.

Further, method provided by the invention can also comprise: the abnormal login information to storage is carried out statistics and analysis.Such as comprising: statistics abnormal login scale the previous day, new increment, information amount etc.The present invention further can also comprise: inquiry abnormal login information, provides Exception Type distributes, abnormal login product distributes, abnormal login information of home location distributes statistics, analysis and inquiry.

exemplary apparatus

After having introduced according to the method for exemplary embodiment of the invention, next, with reference to 5 couples, figure, according to device exemplary embodiment of the invention, that login exception monitoring for user, describe.

, comprising:

The first acquisition module 501, is configured in response to the request associated with user account, obtains the historical log information corresponding with described user account;

The first judge module 502, is configured for according to the historical log information corresponding with described user account and judges whether the current login behavior of user is abnormal login behavior;

Memory module 503, is configured for when the current login behavior of judgement user is abnormal login behavior, preserves the abnormal login information relevant to described abnormal login behavior;

Reminding module 504, is configured for the abnormal login Information generation information of utilize preserving and sends described information, and described information for pointing out abnormal login behavior described in user when user gets described information.

Wherein, described the first acquisition module is configured for:

Further, described device also comprises:

Further, described the first judge module is configured for:

Further, described the first judge module comprises:

The 6th determines subelement, is configured for and is while being when described the 3rd judged result and described the 4th judged result, and definite current login behavior of described user is abnormal login behavior.

Further, described the first judge module comprises:

Further, described reminding module comprises:

Further, described the first information transmitting element is configured for:

Further, described reminding module comprises:

Further, described device also comprises:

Described feedback module also for:

Further, described memory module comprises:

Further, described device also comprises:

Further, described the first acquisition module specifically for:

In response to the request associated with user account, obtain the historical log information in the 3rd Preset Time interval corresponding with described user account

Although it should be noted that some devices or the sub-device of having mentioned equipment in above-detailed, this division is only not enforceable.In fact, according to the embodiment of the present invention, the feature of above-described two or more devices and function can be specialized in a device.Otherwise, the feature of an above-described device and function can Further Division for to be specialized by a plurality of devices.

In addition, although described in the accompanying drawings the operation of the inventive method with particular order,, this not requires or hint must be carried out these operations according to this particular order, or the operation shown in must carrying out all could realize the result of expectation.On the contrary, the step of describing in flow chart can change execution sequence.Additionally or alternatively, can omit some step, a plurality of steps be merged into a step and carry out, and/or a step is decomposed into a plurality of steps carries out.

The verb of mentioning in application documents " comprises ", those elements or the element step or the existence of step of recording in application documents do not got rid of in " comprising " and paradigmatic use thereof.Article before element " one " or " one " do not get rid of the existence of a plurality of this elements.

Although described spirit of the present invention and principle with reference to some embodiments, but should be appreciated that, the present invention is not limited to disclosed embodiment, the division of each side is not meant that to the feature in these aspects can not combine to be benefited yet, and this division is only the convenience in order to explain.The present invention is intended to contain interior included various modifications and the equivalent arrangements of spirit and scope of claims.The scope of claims meets the most wide in range explanation, thereby comprises all such modifications and equivalent structure and function.

Accompanying drawing explanation

By reference to accompanying drawing, read detailed description below, above-mentioned and other objects of exemplary embodiment of the invention, the feature and advantage easy to understand that will become.In the accompanying drawings, in exemplary and nonrestrictive mode, show some execution modes of the present invention, wherein:

Fig. 1 schematically shows the block diagram of the computing system 100 that is suitable for realizing embodiment of the present invention;

Fig. 2 schematically shows the application scenarios of the embodiment of the present invention;

Fig. 3 schematically shows the flow chart that user according to an embodiment of the invention logins method for monitoring abnormality;

Fig. 4 schematically shows according to the flow chart of the abnormal login information storage means of further embodiment of this invention;

The user that Fig. 5 schematically shows according to yet another embodiment of the invention logins exception monitoring device block diagram.

In the accompanying drawings, identical or corresponding label represents identical or corresponding part.

Embodiment

Below with reference to some illustrative embodiments, principle of the present invention and spirit are described.Should be appreciated that providing these execution modes is only used to make those skilled in the art can understand better and then realize the present invention, and not limit the scope of the invention by any way.On the contrary, it is in order to make the disclosure more thorough and complete that these execution modes are provided, and the scope of the present disclosure intactly can be conveyed to those skilled in the art.

Fig. 1 shows the block diagram of the exemplary computer system 100 that is suitable for realizing embodiment of the present invention.As shown in Figure 1, computing system 100 can comprise: CPU (CPU) 101, random-access memory (ram) 102, read-only memory (ROM) 103, system bus 104, hard disk controller 105, keyboard controller 106, serial interface controller 107, parallel interface controller 108, display controller 109, hard disk 110, keyboard 111, serial external equipment 112, parallel external equipment 113 and display 114.In these equipment, with system bus 104 coupling have CPU101, RAM102, ROM103, hard disk controller 105, keyboard controller 106, serial interface controller 107, parallel interface controller 108 and a display controller 109.Hard disk 110 and hard disk controller 105 couplings, keyboard 111 and keyboard controller 106 couplings, serial external equipment 112 and serial interface controller 107 couplings, parallel external equipment 113 and parallel interface controller 108 couplings, and display 114 and display controller 109 couplings.Should be appreciated that the structured flowchart described in Fig. 1 is only used to the object of example, rather than limitation of the scope of the invention.In some cases, can increase as the case may be or reduce some equipment.

Art technology technical staff knows, embodiments of the present invention can be implemented as a kind of system, method or computer program.Therefore, the disclosure can specific implementation be following form, that is: hardware, software (comprising firmware, resident software, microcode etc.), or the form of hardware and software combination completely completely, be commonly referred to as " circuit ", " module " or " system " herein.In addition, in certain embodiments, the present invention can also be embodied as the form of the computer program in one or more computer-readable mediums, comprises computer-readable program code in this computer-readable medium.

Can adopt the combination in any of one or more computer-readable media.Computer-readable medium can be computer-readable signal media or computer-readable recording medium.Computer-readable recording medium for example may be, but not limited to,, electricity, magnetic, optical, electrical magnetic, infrared ray or semi-conductive system, device or device, or the combination arbitrarily.The example more specifically of computer-readable recording medium (non exhaustive example) for example can comprise: the combination of portable computer diskette, hard disk, random-access memory (ram), read-only memory (ROM), erasable type programmable read only memory (EPROM or flash memory), Portable, compact disk read-only memory (CD-ROM), light storage device, magnetic memory device or above-mentioned any appropriate.In presents, computer-readable recording medium can be any comprising or stored program tangible medium, and this program can be used or be combined with it by instruction execution system, device or device.

Computer-readable signal media can be included in base band or the data-signal of propagating as a carrier wave part, has wherein carried computer-readable program code.The data-signal of this propagation can adopt various ways, includes but not limited to the combination of electromagnetic signal, light signal or above-mentioned any appropriate.Computer-readable signal media can also be any computer-readable medium beyond computer-readable recording medium, and this computer-readable medium can send, propagates or transmit the program for being used or be combined with it by instruction execution system, device or device.

The program code comprising on computer-readable medium can be with any suitable medium transmission, includes but not limited to wireless, electric wire, optical cable, RF etc., or the combination of above-mentioned any appropriate.

Can combine to write for carrying out the computer program code of the present invention's operation with one or more programming languages or its, described programming language comprises object-oriented programming language-such as Java, Smalltalk, C++, also comprises conventional process type programming language-such as " C " language or similar programming language.Program code can fully be carried out on subscriber computer, part part on subscriber computer is carried out or on remote computer or server, carried out completely on remote computer.In relating to the situation of remote computer, remote computer can be connected to subscriber computer by the network (comprising local area network (LAN) (LAN) or wide area network (WAN)) of any kind, or, can be connected to outer computer (for example utilizing ISP to pass through Internet connection).

The flow chart of method and the block diagram of equipment (or system) below with reference to the embodiment of the present invention are described embodiments of the present invention.The combination that should be appreciated that each square frame in each square frame of flow chart and/or block diagram and flow chart and/or block diagram can be realized by computer program instructions.These computer program instructions can offer the processor of all-purpose computer, special-purpose computer or other programmable data processing unit, thereby produce a kind of machine, these computer program instructions are carried out by computer or other programmable data processing unit, have produced the device of the function/operation of stipulating in the square frame in realization flow figure and/or block diagram.

Also these computer program instructions can be stored in and can make in computer or the computer-readable medium of other programmable data processing unit with ad hoc fashion work, like this, the instruction being stored in computer-readable medium just produces a product that comprises the command device of the function/operation of stipulating in the square frame in realization flow figure and/or block diagram.

Also computer program instructions can be loaded on computer, other programmable data processing unit or miscellaneous equipment, make to carry out sequence of operations step on computer, other programmable data processing unit or miscellaneous equipment, to produce computer implemented process, thus the process of function/operation that the instruction that makes to carry out on computer or other programmable device is stipulated during the square frame in realization flow figure and/or block diagram can be provided.

According to the embodiment of the present invention, the method and apparatus that a kind of user logins exception monitoring has been proposed.

In this article, any number of elements in accompanying drawing is all unrestricted for example, and any name is all only for distinguishing, and does not have any limitation.

Below with reference to some representative embodiments of the present invention, explain in detail principle of the present invention and spirit.

Claims

1. a method, comprising:

2. method according to claim 1, wherein, described request comprises:

Logging request for described user account; Or

Preset data operation requests for described user account.

3. method according to claim 1, described method also comprises:

When the current login behavior of judgement user is abnormal login behavior, the message that feedback rejects said request.

4. method according to claim 1, wherein, the described basis historical log information corresponding with described user account judges whether the current login behavior of user is that abnormal login behavior comprises:

5. method according to claim 4, wherein, the described basis historical log information corresponding with described user account judges according at least one in user's login position information and user's login frequency information whether the current login behavior of user is that abnormal login behavior comprises:

Determine the historical log number of times of described user account;

6. method according to claim 4, wherein, the described basis historical log information corresponding with described user account judges according at least one in user's login position information and user's login frequency information whether the current login behavior of user is that abnormal login behavior comprises:

According to described user's historical log positional information judgement quantity of user's historical log position in described the first Preset Time interval in described the first Preset Time interval, whether be greater than the second setting threshold, to obtain the second judged result;

When described the second judged result and described the 3rd judged result are while being, determine that the current login behavior of described user is abnormal login behavior.

7. method according to claim 4, wherein, the described basis historical log information corresponding with described user account judges according at least one in user's login position information and user's login frequency information whether the current login behavior of user is that abnormal login behavior comprises:

8. method according to claim 4, wherein, the described basis historical log information corresponding with described user account judges according at least one in user's login position information and user's login frequency information whether the current login behavior of user is that abnormal login behavior comprises:

9. method according to claim 4, wherein, the described basis historical log information corresponding with described user account judges according at least one in user's login position information and user's login frequency information whether the current login behavior of user is that abnormal login behavior comprises:

10. method according to claim 1, wherein, the abnormal login Information generation information that described utilization is preserved also sends described information and comprises:

11. methods according to claim 10, wherein, describedly send described information to the information recipient corresponding with described user account and comprise:

To the mobile terminal corresponding with described mobile terminal identification information, send described information; Wherein, described mobile terminal identification information is to obtain according to the user account of preserving in response to user's bindings request and the corresponding relation of mobile terminal identification information;

Or

Obtain the user bound account information corresponding with described user account, to the addresses of items of mail corresponding with described user bound account information, send described information.

12. methods according to claim 1, wherein, the abnormal login Information generation information that described utilization is preserved also sends described information and comprises:

Generate authorization information;

13. methods according to claim 11, described method also comprises:

Receive the authorization information of user's input;

14. methods according to claim 1, wherein, described when the current login behavior of judgement user is abnormal login behavior, preserve the abnormal login information relevant to described abnormal login behavior and comprise:

15. methods according to claim 1, before sending described information, described method also comprises:

16. methods according to claim 1, wherein, described in obtain the historical log information corresponding with described user account and comprise:

17. 1 kinds of devices, comprising:

18. devices according to claim 17, wherein, described the first acquisition module is configured for:

19. devices according to claim 17, described device also comprises:

20. devices according to claim 17, wherein, described the first judge module is configured for:

21. devices according to claim 20, wherein, described the first judge module comprises:

22. devices according to claim 20, wherein, described the first judge module comprises:

23. devices according to claim 20, wherein, described the first judge module comprises:

24. devices according to claim 20, wherein, described the first judge module comprises:

25. devices according to claim 20, wherein, described the first judge module comprises:

26. devices according to claim 17, wherein, described reminding module comprises:

27. devices according to claim 26, wherein, described the first information transmitting element is configured for:

28. devices according to claim 17, wherein, described reminding module comprises:

29. devices according to claim 28, described device also comprises:

Described feedback module also for:

30. devices according to claim 17, wherein, described memory module comprises:

Local memory queue, is configured for when the current login behavior of judgement user is abnormal login behavior, preserves the abnormal login information relevant to described abnormal login behavior in described local memory queue;

Message Queuing server, is configured for and receives the abnormal login information sending from local memory queue, and preserve described abnormal login information;

Abnormal login information database, is configured for the abnormal login information after stores processor.

31. devices according to claim 17, described device also comprises:

32. devices according to claim 17, wherein, described the first acquisition module is configured for: