CN106549974B - Device, method and system for predicting whether social network account is malicious or not - Google Patents


Info

Publication number
CN106549974B
Authority
CN
China
Prior art keywords
account
social network
malicious
data
accounts
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611109776.2A
Other languages
Chinese (zh)
Other versions
CN106549974A (en)
Inventor
杨旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WUXI PUBLIC SECURITY BUREAU
Beijing Knownsec Information Technology Co Ltd
Original Assignee
WUXI PUBLIC SECURITY BUREAU
Beijing Knownsec Information Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a device for predicting whether a social network account is malicious. The device is adapted to connect to a social network server that provides a social network service and allows users to operate with social network accounts. The device comprises: an account data acquisition module adapted to acquire account data of a plurality of social network accounts from the social network server; an account feature extraction module adapted to extract the account features of one of the social network accounts from the acquired account data of the plurality of social network accounts, the account features including at least account usage and account malicious association degree; and an account malicious prediction module adapted to predict whether that social network account is malicious by applying a pre-established classification model to its account features. The invention also discloses a corresponding method, a system for detecting whether a social network account is malicious, and a method for detecting malicious behavior of a social network account.

Description

Device, method and system for predicting whether social network account is malicious or not
Technical Field
The invention relates to the technical field of information security, and in particular to a device, a method and a system for predicting whether a social network account is malicious.
Background
With the rapid development of network communication technology, the deepening use of internet applications and the growing amount of information carried by the internet, the internet has become an important infrastructure of human society, while the problem of network security has become increasingly serious. In particular, telecommunication fraud is gradually becoming an important criminal means of endangering the safety of public property.
At present, telecommunication fraud is mainly countered by handling malicious network addresses and malicious program downloads. Although this approach suppresses telecommunication fraud to some extent, it cannot monitor fraud links transmitted through social network communication and cannot identify malicious social network accounts engaged in fraud, so a large proportion of fraud cases carried out through social network services still occur. Determining whether a social network account is malicious is therefore very important for controlling telecommunication fraud.
A solution for predicting and detecting whether a social network account is malicious is therefore urgently needed.
Disclosure of Invention
To this end, the present invention provides a solution for predicting and detecting whether a social network account is malicious in an attempt to solve or at least alleviate at least one of the problems presented above.
According to one aspect of the present invention, there is provided a device for predicting whether a social network account is malicious, adapted to connect with a social network server providing a social network service, wherein the social network server allows a user to operate with the social network account, the device comprising: an account data acquisition module adapted to acquire account data of a plurality of social network accounts from the social network server; an account feature extraction module adapted to extract the account features of one of the social network accounts from the acquired account data of the plurality of social network accounts, the account features including at least account usage and account malicious association degree; and an account malicious prediction module adapted to predict whether that social network account is malicious by applying a pre-established classification model to its account features.
According to another aspect of the present invention, there is provided a system for detecting whether a social network account is malicious, adapted to connect with a social network server or a client providing a social network service, wherein the social network server allows a user to operate with the social network account, the system comprising: a malicious account storage device storing known malicious social network accounts; a suspected malicious account storage device storing suspected malicious social network accounts; a device for predicting whether a social network account is malicious according to the present invention; a communication monitoring device; and a device for detecting malicious behavior of social network accounts. The communication monitoring device resides in the social network server or the client and is adapted to monitor communication of the social network server or the client, acquire the plurality of social network accounts that initiate and receive a communication, and send these social network accounts to the device for detecting malicious behavior of social network accounts; it is further adapted to send the content of the communication to that device in response to a request from that device to obtain the content of the communication. The device for detecting malicious behavior of social network accounts is adapted to: determine whether any of the received social network accounts is located in the suspected malicious account storage device; if so, request the communication monitoring device to acquire the content of the communication; determine whether the content of the communication includes a network address and, if so, acquire the network content corresponding to the network address; and determine whether the network content relates to malicious behavior and, if so, determine that the social network account that sent the network address is a malicious social network account and store it in the malicious account storage device.
According to another aspect of the present invention, there is provided a method for predicting whether a social network account is malicious, adapted to be executed in a device connected to a social network server providing a social network service, wherein the social network server allows a user to operate with the social network account, the method comprising the steps of: obtaining account data of a plurality of social network accounts from the social network server; extracting the account features of one of the social network accounts from the acquired account data of the plurality of social network accounts, the account features including at least account usage and account malicious association degree; and predicting whether that social network account is malicious by applying a pre-established classification model to its account features.
According to yet another aspect of the present invention, there is provided a method for detecting malicious behavior of a social network account, adapted to be executed on a device for detecting malicious behavior of social network accounts, the device being coupled with a communication monitoring device residing in a social network server or a client providing a social network service, with a malicious account storage device storing known malicious social network accounts, and with a suspected malicious account storage device storing suspected malicious social network accounts, wherein the social network server allows a user to operate with the social network account, the method comprising the steps of: receiving, from the communication monitoring device, a plurality of social network accounts that initiate and receive a communication at the social network server or the client; determining whether any of the received social network accounts is located in the suspected malicious account storage device; if so, requesting the communication monitoring device to acquire the content of the communication; receiving the content of the communication from the communication monitoring device; determining whether the content of the communication includes a network address; if so, acquiring the network content corresponding to the network address; determining whether the network content relates to malicious behavior; and if so, determining that the social network account that sent the network address is a malicious social network account and storing it in the malicious account storage device.
The scheme for predicting whether a social network account is malicious selects account features that reflect whether the account is malicious and applies a classification model to them, which makes the prediction accurate and effective. Grouping the account names, account remarks and joined groups separately with a clustering algorithm makes it possible to obtain the account usage of a social network account effectively, and establishing an association relationship graph of social network accounts makes it possible to obtain the account malicious association degree effectively.
In addition, the scheme for detecting whether a social network account is malicious obtains the communications initiated by suspected malicious social network accounts (those predicted to be malicious) and judges whether the content of those communications relates to malicious behavior. This further determines whether a suspected malicious social network account really is malicious, which improves the accuracy of the judgment and effectively avoids misjudgment.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 illustrates a block diagram of a social networking system 100, according to an exemplary embodiment of the present invention;
FIG. 2 illustrates a block diagram of a system 200 for detecting whether a social networking account is malicious according to an exemplary embodiment of the present invention;
FIG. 3 illustrates a block diagram of a device 210 for predicting whether a social network account is malicious according to an example embodiment of the present invention;
FIG. 4 shows a schematic diagram of an associative relationship diagram of social networking accounts, according to an example embodiment of the present invention;
FIG. 5 shows a schematic diagram of an associative relationship diagram of social network accounts according to another exemplary embodiment of the present invention;
FIG. 6 illustrates a flow diagram of a method 300 of predicting whether a social network account is malicious according to an exemplary embodiment of the present invention; and
FIG. 7 shows a flowchart of a method 400 of detecting social network account malicious behavior, according to an example embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 shows a block diagram of a social networking system 100, according to an example embodiment of the present invention. As shown in FIG. 1, the social networking system 100 may provide social networking services to a user and includes at least one social network client 110 and a social network server 120. The social network server 120 allows users to operate with social network accounts. It will be appreciated that, before operating with a social network account, a user may need to enter some basic information (e.g., nickname, name, mailbox, phone number, etc.) on the social network server 120 to create a social network account belonging to the user. The created social network account is represented by an account identification that uniquely identifies it.
The social network clients 110 and the social network server 120 are connected via the internet, and after creating the social network accounts, users may utilize the social network clients 110 to perform operations with the created social network accounts, including but not limited to operations related to social interaction (e.g., adding friends, joining groups, etc.), operations related to finance (e.g., performing consumption, transferring money, etc.), and operations related to communication (e.g., sending group messages, sending single-point messages, etc.). The social network server 120 may count these operations, generating information such as the number of friends, the number of groups, the number of consumption, etc. In addition, the social network server 120 may also generate information such as account rating, usage time, liveness, etc. based on usage of the social network account.
It will be appreciated that the above information forms data for each social network account and is stored in the social network server 120.
FIG. 2 illustrates a block diagram of a system 200 for detecting whether a social networking account is malicious according to an exemplary embodiment of the present invention. As shown in FIG. 2, a system 200 for detecting whether a social network account is malicious connects to a social network server 120 or a client 110, and may include a device 210 for predicting whether a social network account is malicious, a communication monitoring device 220, a device 230 for detecting malicious behavior of a social network account, a malicious social network account storage device 240, and a suspected malicious social network account storage device 250.
The device 210 for predicting whether the social network account is malicious connects to the social network server 120, and may obtain account data of the social network account stored on the social network server 120, and predict whether the social network account is malicious according to the account data. FIG. 3 illustrates a block diagram of a device 210 for predicting whether a social network account is malicious according to an example embodiment of the present invention. As shown in fig. 3, the device 210 for predicting whether a social network account is malicious may include an account data collection module 211, an account feature extraction module 212, and an account malicious prediction module 213.
The account data collection module 211 may reside on the social network server 120 and obtain account data of a plurality of social network accounts from the social network server 120. The account data typically includes data that can serve as a basis for predicting whether a social network account is malicious, and may include, for example, at least one of the following types of data: account rating, account name, account remarks, whether the account is registered under a real name, user name, identification number, telephone number, mailbox, bank card number, login IP address, login MAC address, number of friends, number of actively added friends, number of passively added friends, number of friends added from a group, number of interactions with friends, number of self-displays, number of groups joined by the account, number of consumptions, number of transfers, number of received transfers, number of messages sent in a group, number of single-point messages, and ratio of group messages to single-point messages.
It will be appreciated that the account rating, which is typically based on account age and liveness, may be used to determine whether the account is temporarily registered. The account name may be used to capture a user's naming habits or the account usage. The account remarks are usually marked with keywords indicating usage, such as "customer service" or "assistant", and can be used to determine the usage of the account. Whether an account is registered under a real name can be used for predicting whether the account is malicious, because accounts engaged in malicious activities are usually not registered under a real name. Because criminals usually register different accounts in batches using the same identity, the identification number, mailbox, bank card number, login IP address and login MAC address can be used for predicting whether accounts are malicious by detecting whether these data are reused.
To reduce the risk of identity exposure, social network accounts engaged in malicious activities usually take little real part in social activities in the social network. The number of friends, the number of actively added friends, the number of passively added friends, the number of friends added from a group, the number of interactions with friends, the number of self-displays and the groups joined by the account can therefore be used to distinguish well whether a social network account is malicious.
Similarly, social network accounts engaged in malicious activities often rarely use payment functions, so data such as consumption times, transfer times, and transfer receiving times can also be used to distinguish whether a social network account is malicious or not.
Although social network accounts engaged in malicious activities rarely take real part in social activities in the social network, they usually spread fraud information in groups or to individuals. The number of messages sent in groups, the number of single-point messages, and the ratio of the number of group messages to the number of single-point messages can therefore also be used as a basis for predicting whether a social network account is malicious.
Therefore, by acquiring the data, whether the social network account is malicious or not can be effectively predicted, and the prediction accuracy is improved.
The account feature extraction module 212 is connected to the account data collection module 211, and may receive the account data of the plurality of social network accounts acquired by the account data collection module 211, and extract the account feature of one of the social network accounts according to the acquired account data of the plurality of social network accounts.
The account features may include account usage. According to one embodiment of the invention, the account data of each social network account may include account usage data, which indicates the usage of the social network account. Following the above analysis of the data that can serve as a basis for predicting whether a social network account is malicious, the account usage data may include data of at least one of three data types, namely account name, account remark, and groups joined by the account, and the account feature extraction module 212 may determine the account usage of a social network account from the account usage data in that account's account data.
For each data type in the account usage data, the account feature extraction module 212 may take the data of that type from the account data of the plurality of social network accounts obtained by the account data collection module 211, group the data using a clustering algorithm, and determine the account usage of a social network account according to the group to which each item in that account's account usage data belongs. The clustering algorithm may be the k-means algorithm or any other clustering algorithm that can group the underlying data; the invention is not limited in this respect.
The principle of the account feature extraction module 212 determining the account usage of a social network account will be described in detail below by way of example.
Assume that the account usage data acquired by the account data collection module 211 includes data of three data types, namely account name, account remark, and groups joined by the account, and that the account data collection module 211 obtains account data for social network accounts A, B, C and D.
In the account data of social network account A, the account name is 'xx sales A', the account remark is 'xx sales', and the group joined by the account is 'xx sales group'. In the account data of social network account B, the account name is 'xx promotion B', the account remark is 'xx promotion B', and the group joined by the account is 'xx promotion group'. In the account data of social network account C, the account name is 'xx customer service C', the account remark is 'xx customer service', and the group joined by the account is 'xx customer service group'. In the account data of social network account D, the account name is 'xx user D', the account remark is 'xx user', and the group joined by the account is 'xx friend group'.
The data of each of the three data types (account name, account remark, and groups joined by the account) are grouped using the k-means algorithm. That is, the three data sets (xx sales A, xx promotion B, xx customer service C, xx user D), (xx sales, xx promotion, xx customer service, xx user) and (xx sales group, xx promotion group, xx customer service group, xx friend group) are each grouped.
Where the account usages include sales, customer service, and user, each data set may be divided into a sales group, a customer service group, and a user group. The result of grouping (xx sales A, xx promotion B, xx customer service C, xx user D) with the k-means algorithm is: xx sales A and xx promotion B form the sales group, xx customer service C forms the customer service group, and xx user D forms the user group. The result of grouping (xx sales, xx promotion, xx customer service, xx user) is: xx sales and xx promotion form the sales group, xx customer service forms the customer service group, and xx user forms the user group. The result of grouping (xx sales group, xx promotion group, xx customer service group, xx friend group) is: xx sales group and xx promotion group form the sales group, xx customer service group forms the customer service group, and xx friend group forms the user group. The data "xx sales A" and "xx sales group" of social network account A all belong to the sales group, so the account usage of social network account A may be determined to be sales. The data "xx promotion B" and "xx promotion group" of social network account B all belong to the sales group, so the account usage of social network account B may be determined to be sales. The data "xx customer service C", "xx customer service" and "xx customer service group" of social network account C all belong to the customer service group, so the account usage of social network account C may be determined to be customer service. The data "xx user D", "xx user" and "xx friend group" of social network account D all belong to the user group, so the account usage of social network account D may be determined to be user.
In particular, since a social network account may join multiple groups, one social network account may have multiple account usages. According to an embodiment of the present invention, if the account feature extraction module 212 determines that a social network account has multiple account usages, the account malicious prediction module 213 is adapted to predict whether the social network account is malicious separately for each account usage, in each case together with the remaining account features of that account, and to predict that the social network account is malicious if any of the results is malicious.
For example, in the account data of social network account A, the account name is "xx sales A", the account remark is "xx sales", and the groups joined by the account are "xx sales group" and "xx customer service group". The data "xx sales A" and "xx sales group" of social network account A belong to the sales group, and "xx customer service group" belongs to the customer service group, so the account usage of social network account A can be determined to be both sales and customer service. In this case, the account malicious prediction module 213 may predict social network account A once with the account features in which the account usage is sales and once with the account features in which the account usage is customer service, and predict that the social network account is malicious as long as one of the results is malicious. If both results are non-malicious, the social network account is predicted to be non-malicious.
The account characteristics may also include an account malicious association degree, which may indicate an association of the social networking account with the malicious social networking account. According to one embodiment of the invention, the account data may include account identity data, which may be indicative of an account identity. According to the above analysis of data that may be a basis for predicting whether a social network account is malicious or not, the account identity data may include data of at least one data type of a user's name, identification number, phone number, mailbox, bank card number, IP address, and MAC address.
The device 210 for predicting whether a social network account is malicious may further include an account association storage module 214. The account association storage module 214 is coupled to the malicious account storage device 240, which stores known malicious social network accounts, and stores a pre-established association relationship graph of social network accounts.
FIG. 4 shows a schematic diagram of an association relationship graph of social network accounts according to an exemplary embodiment of the present invention. As shown in FIG. 4, the association relationship graph may include a plurality of account nodes having attributes (shown as the colors of the account nodes in the figure) and a plurality of data nodes connected to the account nodes. Each account node corresponds to one social network account, and the attribute of an account node indicates whether that social network account is a malicious social network account (e.g., gray for malicious and white for non-malicious). Each data node corresponds to one piece of data in the account identity data, and a connection between a data node and an account node indicates that the data corresponding to the data node belongs to the social network account corresponding to the account node.
The account association storage module 214 may update the stored association relationship graph of social network accounts according to the acquired account identity data of the plurality of social network accounts. The account feature extraction module 212, which is connected to the account association storage module 214, may then calculate the account malicious association degree of one of the social network accounts from the updated association relationship graph.
Specifically, the account association storage module 214 may add each of the obtained plurality of social network accounts as an account node to the stored association graph thereof, and determine the attribute of the added account node according to the malicious social network account in the malicious account storage device 240. If the social network account corresponding to the added account node belongs to the malicious social network account in the malicious account storage device 240, the attribute of the account node indicates malicious, otherwise, the attribute indicates non-malicious.
In addition, the account association storage module 214 may also update the attribute of each account node in the association relationship graph at predetermined time intervals according to the malicious social network accounts in the malicious account storage device 240, so as to improve the accuracy of the calculated account malicious association degree.
Then, the account association relation storage module 214 adds each piece of acquired account identity data of the plurality of social network accounts as one data node to the association relation graph, and connects each account node with a data node corresponding to each piece of account identity data of the social network account corresponding to the account node.
After the association relationship graph is updated, the account feature extraction module 212 may calculate, in the updated graph, the direct link number between the account node corresponding to one social network account and each account node whose attribute indicates a malicious social network account, where the direct link number is the number of links between two account nodes that do not pass through any other account node. The account malicious association degree of the social network account can then be calculated from the calculated direct link numbers; for example, the calculated direct link numbers can be added to obtain the account malicious association degree of the social network account.
The principle of the account feature extraction module 212 determining the account malicious association of a social networking account is described in detail below by way of example in connection with FIG. 5.
FIG. 5 shows a schematic diagram of an association relationship graph of social network accounts according to another exemplary embodiment of the present invention. As shown in FIG. 5, the account node "social network account A" is linked with the data nodes "user name A", "identification number A", "mailbox address A", "bank card number A", "login IP address A1", "login IP address A2", "login MAC address A1", and "login MAC address A2". The account node "social network account B" is linked with the data nodes "user name A", "identification number B", "phone number B", "mailbox address B", "login IP address A1", "login IP address A2", "login IP address B1", "login MAC address A1", "login MAC address A2", and "login MAC address B1", and its attribute indicates a malicious social network account. The account node "social network account C" is linked with the data nodes "identification number B", "telephone number B", "mailbox address C", "login IP address C", and "login MAC address C". The account node "social network account D" is linked with the data nodes "identification number D", "bank card number D", "telephone number D", "mailbox address C", "login IP address D", and "login MAC address D".
It can be calculated that the direct link number between the account node "social network account A" and the account node "social network account B", whose attribute indicates a malicious social network account, is 5, so the account malicious association degree of social network account A is 5. The direct link number between the account node "social network account C" and the account node "social network account B" is 2, so the account malicious association degree of social network account C is 2. The direct link number between the account node "social network account D" and the account node "social network account B" is 0, so the account malicious association degree of social network account D is 0.
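The FIG. 5 calculation as an added Python example (not part of the patent text): the class and method names are assumptions, and the node labels follow the FIG. 5 description. It also shows the effect of the periodic attribute update: once account C is recorded as malicious, the association degree of account D rises from 0 to 1 through the shared mailbox address C.

```python
from collections import defaultdict


class AssociationGraph:
    """Bipartite graph: account nodes on one side, identity-data nodes on the other."""

    def __init__(self, known_malicious):
        self.known_malicious = set(known_malicious)  # stands in for storage device 240
        self.account_data = defaultdict(set)         # account node -> linked data nodes
        self.data_accounts = defaultdict(set)        # data node -> linked account nodes
        self.malicious = {}                          # attribute of each account node

    def add_account(self, account, identity_data):
        """Add the account node, set its attribute, then add and link its data nodes."""
        self.malicious[account] = account in self.known_malicious
        for data_type, value in identity_data:
            # The data type is part of the node key, so a phone number and an
            # identification number with the same digits stay separate nodes.
            node = (data_type, value)
            self.account_data[account].add(node)
            self.data_accounts[node].add(account)

    def refresh_attributes(self, known_malicious):
        """Periodic update of every account node's attribute from the malicious store."""
        self.known_malicious = set(known_malicious)
        for account in self.malicious:
            self.malicious[account] = account in self.known_malicious

    def direct_links(self, account, other):
        """Links between two account nodes that pass through no other account node,
        i.e. the number of data nodes connected to both."""
        return len(self.account_data[account] & self.account_data[other])

    def malicious_association(self, account):
        """Sum of the direct link numbers to every account node marked malicious."""
        neighbours = set()
        for node in self.account_data[account]:
            neighbours |= self.data_accounts[node]
        neighbours.discard(account)
        return sum(self.direct_links(account, n)
                   for n in neighbours if self.malicious[n])


# Identity data of the four accounts, transcribed from the FIG. 5 description.
FIG5 = {
    "A": [("user name", "A"), ("identification number", "A"),
          ("mailbox address", "A"), ("bank card number", "A"),
          ("login IP address", "A1"), ("login IP address", "A2"),
          ("login MAC address", "A1"), ("login MAC address", "A2")],
    "B": [("user name", "A"), ("identification number", "B"),
          ("phone number", "B"), ("mailbox address", "B"),
          ("login IP address", "A1"), ("login IP address", "A2"),
          ("login IP address", "B1"), ("login MAC address", "A1"),
          ("login MAC address", "A2"), ("login MAC address", "B1")],
    "C": [("identification number", "B"), ("phone number", "B"),
          ("mailbox address", "C"), ("login IP address", "C"),
          ("login MAC address", "C")],
    "D": [("identification number", "D"), ("bank card number", "D"),
          ("phone number", "D"), ("mailbox address", "C"),
          ("login IP address", "D"), ("login MAC address", "D")],
}


def build_fig5_graph():
    """Build the FIG. 5 graph with account B as the only known malicious account."""
    graph = AssociationGraph(known_malicious={"B"})
    for account, identity_data in FIG5.items():
        graph.add_account(account, identity_data)
    return graph


if __name__ == "__main__":
    g = build_fig5_graph()
    for name in "ACD":
        print(name, g.malicious_association(name))
    g.refresh_attributes({"B", "C"})   # C has since been confirmed malicious
    print("D after refresh", g.malicious_association("D"))
```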
The account features may also include other features, and according to one embodiment of the invention, the account data may further include data of at least one of the following data types: account level, whether the account is registered in real name or not, number of friends, number of actively added friends, number of passively added friends, number of friends added from the group, number of interactions with friends, number of self-display times, consumption times, transfer receiving times, number of messages sent in the group, number of single messages, and ratio of the number of group messages to the number of single messages. For these data types, the account feature extraction module 212 may directly extract the data of the data type from the account data of one social network account as the corresponding account feature.
Finally, the resulting account characteristics may be as shown in the following table:
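[Table of account features: rendered as two images (BDA0001172230510000101, BDA0001172230510000111) in the original publication; contents not available in this text.]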
As described above, the present invention can extract features in different ways for data of different data types. Some data types are strings with unlimited possible combinations (such as account name and account remark), so probability statistics cannot be calculated on them directly and they cannot be applied directly to a classification algorithm. Other data types may hold multiple values (such as multiple login IP addresses, multiple login MAC addresses, and multiple groups that an account has joined), so they cannot be input directly into a classification model for predicting social network accounts. The invention converts data of these data types into account features (account usage and account malicious association degree) that a classification model can use, without losing the information carried by the data.
After extracting the account features from the acquired account data, the account malicious prediction module 213 connected to the account feature extraction module 212 may predict whether the social network account is malicious or not by using a pre-established classification model according to the extracted account features of the social network account.
When there are a plurality of pre-established classification models, the account malicious prediction module 213 may respectively use each of the classification models to predict whether the social network account is malicious, and if any result is malicious, predict that the social network account is malicious. The classification models herein may include SVM classification models and logistic regression classification models.
Account malicious prediction module 213 may also be coupled to suspected malicious account storage 250, which stores suspected malicious social network accounts, and store social network accounts predicted to be malicious as suspected malicious social network accounts in suspected malicious account storage 250, which facilitates use of device 230 for subsequent detection of social network account malicious activity.
Therefore, whether the social network account is malicious or not is predicted, namely whether the social network account is suspected to be malicious or not is judged. Next, the present invention may further determine whether the suspected social network account is a malicious social network account by monitoring malicious activities, which will be described below.
The communication monitoring device 220, which is typically resident in the social network server 120 or the client 110, monitors communications of the social network server 120 or the client 110, obtains a plurality of social network accounts in which the communications are initiated and received, and sends the social network accounts to the social network account malicious behavior detection device 230 connected to the communication monitoring device 220.
The device for detecting social network account malicious behavior 230 is also coupled to the suspected malicious account storage device 250, and may receive these social network accounts from the communication monitoring device 220 and determine whether any of the social network accounts is located in the suspected malicious account storage device 250. If it is determined that none of the received social network accounts are located in the suspected malicious account storage 250, a request may be made to the communication monitoring device 220 to no longer monitor communications initiated by the social network account.
If it is determined that any of the social network accounts are located in the suspected malicious account storage device 250, the device 230 that detects social network account malicious activity may request the communication monitoring device 220 to obtain the content of the communication.
The communication monitoring device 220 may send the content of the communication to the device 230 that detects social network account malicious behavior in response to a request by the device 230 that detects social network account malicious behavior.
After the device 230 that detects social network account malicious behavior receives the content of the communication, it may determine whether the content of the communication includes a network address. If yes, the network content corresponding to the network address is obtained. If the network address is not included, the communication is ignored.
After obtaining the network content corresponding to the network address, the device for detecting malicious behavior of the social network account 230 may further determine whether the network content relates to the malicious behavior. Specifically, the device for detecting malicious behaviors of the social network account 230 may determine whether the network content corresponding to the network address includes one of a virtual commodity, a two-dimensional code, transfer information, and payment information, and if so, determine that the network content relates to the malicious behaviors. The virtual goods may be, for example, game cards, phone cards, gift certificates, and the like.
If it is determined that the network content relates to malicious behavior, the device for detecting malicious behavior of social networking account 230 may determine that the social networking account that sent the network address is a malicious social networking account, and may also alert the social networking account that received the network address via the communication monitoring device 220.
In addition, the device for detecting social network account malicious behavior 230 is also coupled to the malicious account storage 240, and the determined malicious social network account can be stored in the malicious account storage 240.
Meanwhile, the device 210 for predicting whether the social network account is malicious may also obtain account data of the malicious social network account added in the malicious account storage device 240, train a classification model of the account data, and improve the accuracy of prediction.
Therefore, whether the social network account is malicious or not is predicted and determined, and reliability is high.
FIG. 6 illustrates a flow chart of a method 300 of predicting whether a social network account is malicious according to an exemplary embodiment of the present invention. The method 300 is suitable for execution in a device 210 connected to a social network server 120 providing a social network service, wherein the social network server 120 allows a user to operate with a social network account. The method 300 begins at step S310, where account data for a plurality of social networking accounts is obtained from the social networking server 120 at step S310.
Then in step S320, account characteristics of one of the social network accounts are extracted according to the acquired account data of the plurality of social network accounts, where the account characteristics may include at least account usage and account malicious association.
According to one embodiment of the invention, the account data may include account usage data, and the account usage of a social network account may be determined based on the account usage data of the social network account. The account usage data may include data of at least one of the following data types: account name, account notes, and group of account joins. Specifically, for each data type in the account usage data, a clustering algorithm may be used to group the obtained data of the data type of the multiple social network accounts, and the account usage of the social network account may be determined according to the group to which each data in the account usage data of the social network account belongs. Wherein the clustering algorithm can be a k-means algorithm.
According to another embodiment of the present invention, the account data may include account identity data. The device 210 is coupled to a malicious account storage device 240 storing known malicious social network accounts, and stores a pre-established association relationship graph of social network accounts. The association relationship graph includes a plurality of account nodes having attributes and a plurality of data nodes connected to the account nodes, where each account node corresponds to one social network account, the attribute of each account node indicates whether the corresponding social network account is a malicious social network account, each data node corresponds to one piece of data in the account identity data, and the connection between a data node and an account node indicates that the data corresponding to the data node belongs to the social network account corresponding to the account node. Step S320 may then further include: updating the stored association relationship graph of the social network accounts according to the acquired account identity data of the plurality of social network accounts, and calculating the account malicious association degree of one social network account according to the updated association relationship graph.
The account identity data may include data of at least one of the following data types: the user's name, identification number, phone number, mailbox, bank card number, login IP address, and login MAC address. Specifically, the step of updating the stored association relationship graph of the social network accounts according to the acquired account identity data of the plurality of social network accounts may include: adding each of the obtained plurality of social network accounts as an account node to the association relationship graph; determining the attribute of each added account node according to the malicious social network accounts in the malicious account storage device 240; adding each piece of the obtained account identity data of the plurality of social network accounts as a data node to the association relationship graph; and finally connecting each account node with the data node corresponding to each piece of account identity data of the social network account corresponding to that account node. The method 300 may further comprise the step of updating the attribute of each account node in the association relationship graph at preset time intervals according to the malicious social network accounts in the malicious account storage device 240.
After updating the association relationship graph, the step of calculating the account malicious association degree of the social network account may include: calculating, in the updated association relationship graph, the direct link number between the account node corresponding to one social network account and each account node whose attribute indicates a malicious social network account, where the direct link number is the number of links between the two account nodes that do not pass through any other account node; and calculating the account malicious association degree of the social network account according to the calculated direct link numbers, for example by adding the calculated direct link numbers to obtain the account malicious association degree of the social network account.
According to a specific embodiment of the present invention, the account data may further include data of at least one data type of an account level, whether the account is registered in real name, the number of friends, the number of actively added friends, the number of passively added friends, the number of friends added from the group, the number of interactions between friends, the number of self-display times, the number of consumption times, the number of transfer times, the number of messages sent in the group, the number of single messages, and the ratio between the number of group messages and the number of single messages, and step S320 may further include: data of the above data types of one social network account is extracted as corresponding account features.
After the account features of one social network account are extracted, in step S330, whether the social network account is malicious or not is predicted by using a pre-established classification model according to the account features of the one social network account.
According to an embodiment of the present invention, step S330 may further include: if it is determined that one social network account has multiple account usages, predicting whether the social network account is malicious according to each account usage together with the remaining account features of the social network account, and if any result is malicious, predicting that the social network account is malicious.
In addition, step S330 may further include: predicting whether the social network account is malicious by using at least one pre-established classification model, and if any result is malicious, predicting that the social network account is malicious. The classification models may include an SVM classification model and a logistic regression classification model.
In accordance with yet another embodiment of the present invention, device 210 is coupled to suspected malicious account storage device 250, and method 300 may further include the steps of: social network accounts predicted to be malicious are stored as suspected malicious social network accounts to suspected malicious account storage 250.
Fig. 7 shows a method 400 for detecting social network account malicious behavior according to an exemplary embodiment of the present invention, which is adapted to be executed on a device 230 for detecting social network account malicious behavior, wherein the device 230 for detecting social network account malicious behavior is coupled with a communication monitoring device 220 residing in a social network server 120 or a client 110 providing a social network service, a malicious account storage device 240 storing known malicious social network accounts, and a suspected malicious account storage device 250 storing suspected malicious social network accounts, respectively, wherein the social network server 120 allows a user to operate with social network accounts.
The method 400 begins at step S410, where a plurality of social network accounts initiating a communication and receiving the communication in the social network server 120 or client 110 from the communication monitoring device 220 are received at step S410.
Then in step S420, it is determined whether any of the received social networking accounts are located in suspected malicious account storage 250. If so, in step S430, a request is made to the communication monitoring device 220 to acquire the content of the communication, and if it is determined that none of the received social network accounts is located in the suspected malicious account storage device 250, a request is made to the communication monitoring device 220 that the communication initiated by the social network account is no longer monitored.
Then, in step S440, the content of the communication is received from the communication monitoring apparatus 220, and in step S450, it is determined whether the content of the communication includes a network address.
If yes, in step S460, the network content corresponding to the network address is obtained. Then, in step S470, it is determined whether the web content relates to malicious behavior.
Specifically, it can be judged whether the network content corresponding to the network address includes one of a virtual commodity, a two-dimensional code, transfer information and payment information. If so, it is determined that the network content relates to malicious behavior; if not, the network content does not relate to malicious behavior. The virtual commodities are items such as point cards, phone cards, and gift certificates.
If it is determined that the network content relates to malicious behavior, in step S480, the social network account that sent the network address may be determined to be a malicious social network account and stored in the malicious account storage device 240. If it is determined that the network content does not involve malicious behavior, the communication may be ignored.
Finally, according to another embodiment of the present invention, if it is determined that the social network account that sent the network address is malicious, the communication monitoring device 220 may further remind the social network account that received the network address.
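The decision flow of method 400 (steps S410 to S480, also described for device 230 above), as an added Python example that is not part of the patent text. The class and function names, the keyword markers used to recognise the four content categories, and the sample accounts, URLs and pages are all constructed assumptions; the page fetch is injected so the example runs offline.

```python
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# ASSUMPTION: the patent names four content categories but not how to recognise
# them. These keyword lists are constructed placeholders for that check.
MARKERS = {
    "virtual_commodity": ("game card", "phone card", "gift certificate"),
    "two_dimensional_code": ("qr code", "scan to pay"),
    "transfer_information": ("transfer to account",),
    "payment_information": ("pay now", "payment page"),
}


def content_categories(page_text):
    """S470: return the categories whose markers appear in the fetched content."""
    text = page_text.lower()
    return sorted(c for c, words in MARKERS.items() if any(w in text for w in words))


class BehaviorDetector:
    def __init__(self, suspected, malicious, fetch):
        self.suspected = suspected   # stands in for storage device 250
        self.malicious = malicious   # stands in for storage device 240
        self.fetch = fetch           # URL -> content, injected for offline use
        self.alerts = []             # recipients to be reminded

    def handle(self, sender, receiver, get_content):
        """Process one monitored communication and return the action taken."""
        # S420: message content is requested only when a participant is suspected.
        if sender not in self.suspected and receiver not in self.suspected:
            return "stop_monitoring"
        content = get_content()                       # S430 / S440
        urls = URL_RE.findall(content)                # S450
        if not urls:
            return "ignored"
        for url in urls:
            # S460: in a deployment this fetch handles untrusted URLs and belongs
            # in an isolated fetcher that cannot reach internal addresses.
            if content_categories(self.fetch(url)):   # S470
                self.malicious.add(sender)            # S480
                self.alerts.append(receiver)          # remind the recipient
                return "malicious"
        return "ignored"


def run_constructed_demo():
    """Run four constructed communications through the detector."""
    pages = {  # constructed page contents keyed by constructed URLs
        "http://shop.example/card": "Discount game card, scan to pay",
        "http://news.example/a": "Weather report for tomorrow",
    }
    detector = BehaviorDetector(suspected={"mallory"}, malicious=set(),
                                fetch=lambda url: pages.get(url, ""))
    content_requests = []   # records every time message content is handed over

    def content_of(text):
        def getter():
            content_requests.append(text)
            return text
        return getter

    traffic = [  # (sender, receiver, message text), all constructed
        ("alice", "bob", "lunch? http://news.example/a"),
        ("mallory", "bob", "hello there"),
        ("mallory", "bob", "read http://news.example/a"),
        ("mallory", "carol", "cheap cards http://shop.example/card"),
    ]
    actions = [detector.handle(s, r, content_of(t)) for s, r, t in traffic]
    return actions, detector, content_requests


if __name__ == "__main__":
    actions, detector, requests = run_constructed_demo()
    print(actions, detector.malicious, detector.alerts, len(requests))
```

The first communication involves no suspected account, so its content is never requested; only the last one leads to the sender being written to the malicious store and the recipient being reminded.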
The corresponding processing of the steps in the methods 300 and 400 has been explained in detail in the description of the principle of the system 200 for detecting whether a social network account is malicious with reference to FIGS. 1 to 5, and is not repeated here.
It should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
The present invention may further comprise:
A4, the device as in A3, wherein if the account feature extraction module determines that the one social network account has multiple account usages, the account malice prediction module is adapted to predict whether the one social network account is malicious or not according to each account usage and the remaining account features of the one social network account, and if any of the results is malicious, predict that the social network account is malicious.
A5, the device as in A3 or 4, wherein the clustering algorithm is a k-means algorithm.
A6, the device of any one of A1-5, wherein the account data includes account identity data, the device further includes an account association storage module coupled to a malicious account storage device storing known malicious social network accounts, and storing an incidence relation graph of the pre-established social network accounts, wherein the incidence relation graph comprises a plurality of account nodes with attributes and a plurality of data nodes connected with the account nodes, each account node corresponds to a social network account, the attribute of each social network account indicates whether the social network account is a malicious social network account, each data node corresponds to one piece of data in the account identity data, and the connection between the data node and the account node indicates that the data corresponding to the data node belongs to the social network account corresponding to the account node; the account association relation storage module is suitable for updating the stored association relation graph of the social network accounts according to the acquired account identity data of the plurality of social network accounts, and the account feature extraction module is suitable for calculating the account malicious association degree of the social network account according to the updated association relation graph of the social network account.
A7, the device as in A6, wherein the account association storage module is further adapted to add each of the obtained plurality of social network accounts as an account node to an association graph; determining attributes of the added account nodes according to the malicious social network accounts in the malicious account storage device; adding each data in the acquired account identity data of the plurality of social network accounts as a data node to an association relationship graph; and connecting each account node with a data node corresponding to each data in the account identity data of the social network account corresponding to the account node.
A8, the device as in A7, wherein the account association storage module is further adapted to update the attributes of each account node in the association graph at predetermined time intervals according to the malicious social network account in the malicious account storage device.
A9, the device as in A8, wherein the account feature extraction module is adapted to calculate the number of direct links between an account node corresponding to the one social network account and an account node of which each attribute indicates a malicious social network account in the updated incidence relation graph, the number of direct links being the number of links between two account nodes without passing through other account nodes; and calculating the account malicious association degree of the social network account according to the calculated direct connection number.
A10, the device as in A9, wherein the account feature extraction module is adapted to add the calculated direct links to obtain the account malicious association degree of the social network account.
A11, the device as in any one of A1-10, wherein the account maliciousness prediction module is adapted to predict whether a social network account is malicious or not by using at least one pre-established classification model, and predict that the social network account is malicious if any result is malicious.
A12, the device of any one of A1-11, wherein the classification models include SVM classification models and logistic regression classification models.
A13, the device of any one of A1-12, wherein the account maliciousness prediction module is coupled to a suspected malicious account storage device and is adapted to store social network accounts that it predicts as malicious to the suspected malicious account storage device as suspected malicious social network accounts.
A14, the device of any one of A2-13, wherein the account usage data includes data of at least one of the following data types: account name, account notes, and group of account joins.
A15, the device of any one of A6-14, wherein the account identity data includes data of at least one of the following data types: the user's name, identification number, phone number, mailbox, bank card number, login IP address, and login MAC address.
A16, the device as in any one of A1-15, wherein the account data further includes data of at least one data type of account level, whether the account is registered with a real name, number of friends, number of actively added friends, number of passively added friends, number of friends added from the group, number of interactions with friends, number of self-exposure, number of consumption, number of money transfers received, number of messages sent in the group, number of single point messages, and ratio of group messages to single point messages; the account feature extraction module is further adapted to extract data of the above data types of the one social network account as the corresponding account feature.
B18, the system as in B17, wherein the device for detecting malicious behavior of a social networking account is further adapted to alert, via the communication monitoring device, the social networking account receiving the network address if it is determined that the social networking account sending the network address is malicious.
B19, the system according to B17 or 18, wherein the device for detecting malicious behavior of a social network account is further adapted to request from the communication monitoring device that communication initiated by the social network account is no longer monitored if it is determined that none of the received social network accounts are located in the suspected malicious account storage device.
B20, the system as in any one of B17-19, wherein the device for detecting malicious activities of the social network account is further adapted to determine whether the network content corresponding to the network address includes one of a virtual commodity, a two-dimensional code, transfer information and payment information, and if so, determine that the network content relates to malicious activities.
C24, the method as in C23, wherein the predicting whether the social networking account is malicious comprises: if it is determined that one social network account has multiple account purposes, whether the social network account is malicious or not is predicted according to each account purpose and the rest account characteristics of the social network account, and if any result is malicious, the social network account is predicted to be malicious. C25, the method according to C23 or 24, wherein the clustering algorithm is a k-means algorithm. C26, the method as in any one of C21-25, wherein the account data includes account identity data, the device is coupled to a malicious account storage device that stores known malicious social network accounts, and storing an incidence relation graph of the pre-established social network accounts, wherein the incidence relation graph comprises a plurality of account nodes with attributes and a plurality of data nodes connected with the account nodes, each account node corresponds to a social network account, the attribute of which indicates whether the social network account is a malicious social network account, each data node corresponds to one piece of data in the account identity data, the link between the data node and the account node indicates that the data corresponding to the data node belongs to the social network account corresponding to the account node, and the step of extracting the account feature of one of the social network accounts comprises the following steps: updating the stored incidence relation graph of the social network accounts according to the acquired account identity data of the plurality of social network accounts; and calculating the account malicious association degree of the social network account according to the updated association relation graph of the social network account. 
C27, the method as in C26, wherein the step of updating the stored association relationship graph of the social network accounts according to the acquired account identity data of the plurality of social network accounts comprises: adding each of the acquired plurality of social network accounts to the association relationship graph as an account node; determining the attributes of the added account nodes according to the malicious social network accounts in the malicious account storage device; adding each piece of data in the acquired account identity data of the plurality of social network accounts to the association relationship graph as a data node; and connecting each account node with the data node corresponding to each piece of data in the account identity data of the social network account corresponding to that account node.
C28, the method as in C27, wherein the method further comprises the step of: updating the attribute of each account node in the association relationship graph at predetermined time intervals according to the malicious social network accounts in the malicious account storage device.
C29, the method as in C28, wherein the step of calculating the account malicious association degree of a social network account comprises: calculating, in the updated association relationship graph, the direct link count between the account node corresponding to the social network account and each account node whose attribute indicates a malicious social network account, the direct link count being the number of links between the two account nodes that do not pass through other account nodes; and calculating the account malicious association degree of the social network account according to the calculated direct link counts.
C30, the method as in C29, wherein the step of calculating the account malicious association degree of a social network account according to the calculated direct link counts comprises: adding up the calculated direct link counts to obtain the account malicious association degree of the social network account.
C31, the method as in any one of C21-30, wherein the step of predicting whether the social network account is malicious comprises: predicting whether the social network account is malicious by using at least one pre-established classification model, and, if any result is malicious, predicting that the social network account is malicious.
C32, the method according to any one of C21-31, wherein the classification models comprise an SVM classification model and a logistic regression classification model.
C33, the method as in any one of C21-32, wherein the device is coupled to a suspected malicious account storage device, the method further comprising the step of: storing the social network account predicted to be malicious as a suspected malicious social network account in the suspected malicious account storage device.
C34, the method as in any one of C22-33, wherein the account usage data includes data of at least one of the following data types: account name, account notes, and groups the account has joined.
C35, the method as in any one of C26-34, wherein the account identity data includes data of at least one of the following data types: the user's name, identification number, phone number, mailbox, bank card number, login IP address, and login MAC address.
C36, the method according to any one of C21-35, wherein the account data further includes data of at least one data type of account grade, whether the account is registered with a real name, the number of friends, the number of actively added friends, the number of passively added friends, the number of friends added from the group, the number of interactions with friends, the number of self-exposure, the number of consumption, the number of money transfers received, the number of messages sent in the group, the number of single-point messages, and the ratio of the number of group messages and single-point messages; the step of extracting account characteristics of one of the social network accounts comprises the following steps: and extracting the data of the data types of the social network account as corresponding account characteristics.
D40, the method of any one of D37-39, wherein the step of determining whether the network content relates to malicious behavior comprises: judging whether the network content corresponding to the network address includes one of a virtual commodity, a two-dimensional code, transfer information and payment information, and if so, determining that the network content relates to malicious behavior.
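The association relationship graph and the account malicious association degree of C26-C30, as an added Python example that is not code from the patent. The field names, account ids and sample records are constructed; counting one direct link per shared data node is this example's reading of "links that do not pass through other account nodes", and skipping blank values is an assumption made so that empty fields do not link unrelated accounts.

```python
from collections import defaultdict


def normalise(value):
    """Trim and lower-case so trivially different spellings share one data node."""
    return str(value).strip().lower()


class AssociationGraph:
    """Bipartite graph of account nodes and identity-data nodes (C26)."""

    def __init__(self, known_malicious=()):
        self.known_malicious = set(known_malicious)  # malicious account store
        self.account_to_data = defaultdict(set)      # account node -> data nodes
        self.data_to_accounts = defaultdict(set)     # data node -> account nodes
        self.is_malicious = {}                       # account node attribute

    def add_accounts(self, identity_records):
        """C27: add account nodes, set attributes, add data nodes, link them."""
        for account, identity in identity_records.items():
            self.is_malicious[account] = account in self.known_malicious
            for data_type, values in identity.items():
                if values is None:
                    continue
                if isinstance(values, str):
                    values = [values]
                for value in values:
                    value = normalise(value)
                    if not value:
                        # Assumption: a blank field is not shared identity data.
                        continue
                    node = (data_type, value)  # typed, so a phone never equals an IP
                    self.account_to_data[account].add(node)
                    self.data_to_accounts[node].add(account)

    def refresh_attributes(self, known_malicious):
        """C28: re-derive every account node's attribute from the store."""
        self.known_malicious = set(known_malicious)
        for account in self.is_malicious:
            self.is_malicious[account] = account in self.known_malicious

    def direct_links(self, account):
        """C29: per malicious account, count account-data-account paths."""
        counts = defaultdict(int)
        for node in self.account_to_data.get(account, ()):
            for other in self.data_to_accounts[node]:
                if other != account and self.is_malicious.get(other, False):
                    counts[other] += 1
        return dict(counts)

    def malicious_association(self, account):
        """C30: the degree is the sum of the direct link counts."""
        return sum(self.direct_links(account).values())


# Constructed sample identity data (documentation IP ranges, fictional numbers).
SAMPLE_IDENTITY = {
    "acct_a": {"phone": "555-0101", "login_ip": ["192.0.2.10", "192.0.2.11"],
               "bank_card": "CARD-0001"},
    "acct_b": {"phone": "555-0101", "login_ip": "192.0.2.10"},
    "acct_c": {"login_ip": "192.0.2.11 ", "bank_card": "card-0001"},
    "acct_d": {"phone": "555-0199", "login_ip": "198.51.100.7"},
    "acct_e": {"phone": "", "login_ip": "198.51.100.8"},
    "acct_f": {"phone": "", "login_ip": "198.51.100.9"},
}
SAMPLE_MALICIOUS = {"acct_b", "acct_c", "acct_f"}


def build_sample_graph():
    """Build the graph from the constructed sample above."""
    graph = AssociationGraph(SAMPLE_MALICIOUS)
    graph.add_accounts(SAMPLE_IDENTITY)
    return graph


if __name__ == "__main__":
    g = build_sample_graph()
    for acct in sorted(SAMPLE_IDENTITY):
        print(acct, g.is_malicious[acct], g.malicious_association(acct))
```

Because the degree is a raw sum, one widely shared value such as a NAT or campus login IP raises the score of every account behind it, which is worth keeping in mind when this feature feeds the classifier.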
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.

Claims (36)

1. An apparatus for predicting whether a social network account is malicious, adapted to connect with a social network server providing a social network service, wherein the social network server allows a user to operate with the social network account, the apparatus comprising:
an account data acquisition module adapted to obtain account data for a plurality of social networking accounts from the social networking server;
an account feature extraction module adapted to extract account features of one of the social network accounts according to the acquired account data of the plurality of social network accounts, wherein the account features at least comprise an account usage and an account malicious association degree, the account malicious association degree indicating the association between the social network account and malicious social network accounts; and
an account malicious prediction module adapted to predict whether the social network account is malicious by using a pre-established classification model according to the account features of the social network account; wherein
the account data comprises account usage data, and the account feature extraction module is further adapted to, for each data type in the account usage data, group the acquired data of that data type of the plurality of social network accounts by using a clustering algorithm, and determine the account usage of the social network account according to the group to which each piece of data in the account usage data of the social network account belongs.
2. The apparatus of claim 1, wherein the account feature extraction module is adapted to predict whether the one social network account is malicious based on each account usage and remaining account features of the one social network account if the one social network account has multiple account usages, and predict the social network account as malicious if any of the results is malicious.
3. The apparatus of claim 1, wherein the clustering algorithm is a k-means algorithm.
4. The apparatus of any of claims 1-3, wherein the account data comprises account identity data; the apparatus further includes an account association storage module that is coupled to a malicious account storage device storing known malicious social network accounts and that stores a pre-established association relationship graph of social network accounts, wherein the association relationship graph comprises a plurality of account nodes with attributes and a plurality of data nodes connected with the account nodes, each account node corresponds to a social network account and its attribute indicates whether that social network account is a malicious social network account, each data node corresponds to one piece of data in the account identity data, and a link between a data node and an account node indicates that the data corresponding to the data node belongs to the social network account corresponding to the account node;
the account association storage module is adapted to update the association relationship graph of the social network accounts that it stores according to the acquired account identity data of the plurality of social network accounts; and
the account feature extraction module is adapted to calculate the account malicious association degree of the social network account according to the updated association relationship graph of the social network accounts.
5. The device of claim 4, wherein the account association storage module is further adapted to: add each of the acquired plurality of social network accounts to the association relationship graph as an account node;
determine the attributes of the added account nodes according to the malicious social network accounts in the malicious account storage device;
add each piece of data in the acquired account identity data of the plurality of social network accounts to the association relationship graph as a data node;
and connect each account node with the data node corresponding to each piece of data in the account identity data of the social network account corresponding to that account node.
6. The device of claim 5, wherein the account association storage module is further adapted to update attributes of account nodes in the association graph at predetermined intervals according to malicious social network accounts in the malicious account storage device.
7. The apparatus of claim 6, wherein the account feature extraction module is adapted to calculate, in the updated association relationship graph, a direct link count between the account node corresponding to the one social network account and each account node whose attribute indicates a malicious social network account, the direct link count being the number of links between the two account nodes that do not pass through other account nodes;
and to calculate the account malicious association degree of the social network account according to the calculated direct link counts.
8. The apparatus of claim 7, wherein the account feature extraction module is adapted to add up the calculated direct link counts to obtain the account malicious association degree of the social network account.
9. The device of claim 1, wherein the account malice prediction module is adapted to predict whether a social network account is malicious using at least one pre-established classification model, and if any of the results is malicious, predict that the social network account is malicious.
10. The apparatus of claim 1, wherein the classification model comprises an SVM classification model and a logistic regression classification model.
11. The device of claim 1, wherein the account malice prediction module is coupled to a suspected malicious account storage and is adapted to store social network accounts that are predicted to be malicious as suspected malicious social network accounts to the suspected malicious account storage.
12. The apparatus of claim 1, wherein the account usage data comprises data of at least one of the following data types: account name, account notes, and groups the account has joined.
13. The apparatus of claim 4, wherein the account identity data comprises data of at least one of the following data types: the user's name, identification number, phone number, mailbox, bank card number, login IP address, and login MAC address.
14. The apparatus of claim 1, wherein the account data further comprises data of at least one data type of an account level, whether an account is registered with a real name, a number of friends, a number of actively added friends, a number of passively added friends, a number of friends added from a group, a number of interactions with friends, a number of self-exposure, a number of consumption, a number of transfers, a number of received transfers, a number of messages sent in a group, a number of single-point messages, and a ratio of group messages to single-point message numbers; the account feature extraction module is further adapted to extract data of the above data types of the one social network account as the corresponding account feature.
15. A system for detecting whether a social network account is malicious, adapted to connect with a social network server or a client providing a social network service, wherein the social network server allows a user to operate with the social network account, the system comprising:
a malicious account storage device storing known malicious social network accounts;
a suspected malicious account storage device storing a suspected malicious social network account;
a device to predict whether a social network account is malicious according to any of claims 1-14;
a communication monitoring device; and a device to detect social network account malicious behavior;
the device for predicting whether a social network account is malicious is adapted to store social network accounts predicted to be malicious as suspected malicious social network accounts in the suspected malicious account storage device;
the communication monitoring device resides in the social network server or the client and is adapted to monitor communication of the social network server or the client, acquire the plurality of social network accounts that initiate the communication and receive the communication, and send those social network accounts to the device for detecting malicious behavior of a social network account; the communication monitoring device is further adapted to send the content of the communication to the device for detecting malicious behavior of a social network account in response to a request from that device to obtain the content of the communication;
the device for detecting malicious behavior of a social network account is adapted to: judge whether any received social network account is located in the suspected malicious account storage device; if so, request the communication monitoring device to acquire the content of the communication; judge whether the content of the communication includes a network address and, if so, acquire the network content corresponding to the network address; and judge whether the network content relates to malicious behavior and, if so, determine that the social network account sending the network address is a malicious social network account and store that account in the malicious account storage device.
16. The system of claim 15, wherein the device for detecting malicious social networking account behavior is further adapted to alert, via the communication monitoring device, the social networking account receiving the network address if it is determined that the social networking account sending the network address is malicious.
17. The system of claim 15, wherein the device to detect social network account malicious behavior is further adapted to request from the communication monitoring device that communications initiated by the social network account are no longer to be monitored if it is determined that none of the received social network accounts are located in the suspected malicious account storage device.
18. The system of any one of claims 15-17, wherein the device for detecting malicious social network account activity is further adapted to determine whether the network content corresponding to the network address includes one of a virtual good, a two-dimensional code, transfer information, and payment information, and if so, determine that the network content is related to malicious activity.
19. A method of predicting whether a social network account is malicious, adapted to be executed in a device connected to a social network server providing a social network service, wherein the social network server allows a user to operate with a social network account, the method comprising the steps of:
obtaining account data for a plurality of social networking accounts from the social networking server;
extracting account features of one of the social network accounts according to the acquired account data of the plurality of social network accounts, wherein the account features at least comprise an account usage and an account malicious association degree, the account malicious association degree indicating the association between the social network account and malicious social network accounts; and
predicting whether the social network account is malicious by using a pre-established classification model according to the account features of the social network account; wherein
the account data includes account usage data, and the step of extracting the account usage includes: for each data type in the account usage data, grouping the acquired data of that data type of the plurality of social network accounts by using a clustering algorithm, and determining the account usage of the social network account according to the group to which each piece of data in the account usage data of the social network account belongs.
20. The method of claim 19, wherein predicting whether the social network account is malicious comprises:
if it is determined that the social network account has multiple account usages, predicting whether the social network account is malicious according to each account usage together with the remaining account features of the social network account, and, if any result is malicious, predicting that the social network account is malicious.
21. The method of claim 19, wherein the clustering algorithm is a k-means algorithm.
22. The method of any of claims 19-21, wherein the account data includes account identity data; the device is coupled to a malicious account storage device that stores known malicious social network accounts, and stores a pre-established association relationship graph of social network accounts, wherein the association relationship graph comprises a plurality of account nodes with attributes and a plurality of data nodes connected with the account nodes, each account node corresponds to a social network account and its attribute indicates whether that social network account is a malicious social network account, each data node corresponds to one piece of data in the account identity data, and a link between a data node and an account node indicates that the data corresponding to the data node belongs to the social network account corresponding to the account node; and the step of extracting the account features of one of the social network accounts comprises the following steps:
updating the stored association relationship graph of the social network accounts according to the acquired account identity data of the plurality of social network accounts;
and calculating the account malicious association degree of the social network account according to the updated association relationship graph of the social network accounts.
23. The method of claim 22, wherein updating the stored association relationship graph of the social network accounts according to the acquired account identity data of the plurality of social network accounts comprises:
adding each of the acquired plurality of social network accounts to the association relationship graph as an account node;
determining the attributes of the added account nodes according to the malicious social network accounts in the malicious account storage device;
adding each piece of data in the acquired account identity data of the plurality of social network accounts to the association relationship graph as a data node;
and connecting each account node with the data node corresponding to each piece of data in the account identity data of the social network account corresponding to that account node.
24. The method of claim 23, wherein the method further comprises the step of:
updating the attribute of each account node in the association relationship graph at predetermined time intervals according to the malicious social network accounts in the malicious account storage device.
25. The method of claim 24, wherein the step of calculating the account malicious association degree of a social network account comprises:
calculating, in the updated association relationship graph, the direct link count between the account node corresponding to the social network account and each account node whose attribute indicates a malicious social network account, the direct link count being the number of links between the two account nodes that do not pass through other account nodes;
and calculating the account malicious association degree of the social network account according to the calculated direct link counts.
26. The method of claim 25, wherein calculating the account malicious association degree of a social network account according to the calculated direct link counts comprises:
adding up the calculated direct link counts to obtain the account malicious association degree of the social network account.
27. The method of claim 19, wherein predicting whether the social network account is malicious comprises:
predicting whether the social network account is malicious by using at least one pre-established classification model, and, if any result is malicious, predicting that the social network account is malicious.
28. The method of claim 19, wherein the classification models comprise SVM classification models and logistic regression classification models.
29. The method of claim 19, wherein the device is coupled to a suspected malicious account storage device, the method further comprising the steps of:
storing the social network account predicted to be malicious as a suspected malicious social network account to the suspected malicious account storage device.
30. The method of claim 19, wherein the account usage data includes data of at least one of the following data types: account name, account notes, and groups the account has joined.
31. The method of claim 22, wherein the account identity data comprises data of at least one of the following data types: the user's name, identification number, phone number, mailbox, bank card number, login IP address, and login MAC address.
32. The method of claim 19, wherein the account data further comprises data of at least one data type of account level, whether an account is registered with a real name, number of friends, number of actively added friends, number of passively added friends, number of friends added from a group, number of interactions with friends, number of self-exposure, number of consumption, number of transfers, number of received transfers, number of messages sent in a group, number of single messages, and ratio of group messages to number of single messages; the step of extracting account characteristics of one of the social network accounts comprises the following steps:
extracting the data of the above data types of the social network account as the corresponding account features.
33. A method of detecting social network account malicious behavior, adapted to be executed on a device for detecting social network account malicious behavior, coupled to a communication monitoring device residing in a social network server or client providing a social network service, respectively, the social network server allowing a user to operate with a social network account, a malicious account storage device storing known malicious social network accounts, and a suspected malicious account storage device storing suspected malicious social network accounts, the method comprising the steps of:
receiving, from the communication monitoring device, a plurality of social network accounts in the social network server or client that initiate a communication and receive the communication;
determining whether any received social network account is located in the suspected malicious account storage device, the suspected malicious social network account being a social network account predicted to be malicious via the device of any of claims 1-14;
if so, requesting the communication monitoring device to acquire the content of the communication;
receiving the content of the communication from the communication monitoring device;
judging whether the content of the communication comprises a network address;
if so, acquiring the network content corresponding to the network address;
determining whether the network content relates to malicious behavior; and
if so, determining that the social network account sending the network address is a malicious social network account, and storing the malicious social network account in the malicious account storage device.
34. The method of claim 33, wherein the method further comprises the step of:
if the social network account sending the network address is determined to be malicious, alerting the social network account receiving the network address via the communication monitoring device.
35. The method of claim 33, wherein the method further comprises the step of:
if it is determined that none of the received social network accounts are located in the suspected malicious account storage device, requesting the communication monitoring device to no longer monitor communication initiated by the social network account.
36. The method of any one of claims 33-35, wherein determining whether the network content relates to malicious behavior comprises:
judging whether the network content corresponding to the network address comprises one of a virtual commodity, a two-dimensional code, transfer information and payment information, and if so, determining that the network content relates to malicious behavior.
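The detection flow of claims 33-36, as an added Python example rather than code from the patent. The patent does not say how network content is recognised as a virtual commodity, two-dimensional code, transfer information or payment information, so the keyword patterns, the in-memory monitor, the `fetch` callable and every sample account, message, URL and page are constructed assumptions.

```python
import re

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)

# Assumed markers for the four content categories named in claim 36.
CONTENT_MARKERS = {
    "virtual_commodity": re.compile(r"gift\s+card|game\s+(coin|card)|top-?up", re.I),
    "two_dimensional_code": re.compile(r"<img[^>]+qr|scan\s+the\s+code", re.I),
    "transfer_information": re.compile(r"transfer\s+to|beneficiary\s+account", re.I),
    "payment_information": re.compile(r"pay\s+now|card\s+number", re.I),
}


def extract_urls(text):
    """Network addresses in a message, without trailing sentence punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def content_categories(page):
    """Names of the claim-36 categories whose marker appears in the page."""
    return sorted(n for n, rx in CONTENT_MARKERS.items() if rx.search(page))


class InMemoryMonitor:
    """Stand-in for the communication monitoring device (hypothetical API)."""

    def __init__(self, contents):
        self.contents = contents      # communication id -> message text
        self.unmonitored = set()      # accounts no longer monitored (claim 35)
        self.alerts = []              # (receiver, reason) pairs (claim 34)

    def get_content(self, comm_id):
        return self.contents[comm_id]

    def stop_monitoring(self, account):
        self.unmonitored.add(account)

    def alert(self, account, reason):
        self.alerts.append((account, reason))


def handle_communication(event, suspected, malicious, monitor, fetch):
    """Run the claim-33 steps for one communication and return its outcome."""
    sender, receivers = event["sender"], event["receivers"]
    if not ({sender, *receivers} & suspected):
        monitor.stop_monitoring(sender)            # claim 35
        return "not_suspected"
    urls = extract_urls(monitor.get_content(event["id"]))
    if not urls:
        return "no_address"
    for url in urls:
        page = fetch(url)
        if page is None:                           # address could not be fetched
            continue
        hits = content_categories(page)
        if hits:
            malicious.add(sender)                  # store in malicious account store
            for receiver in receivers:             # claim 34
                monitor.alert(receiver, f"{sender} sent {url}: {', '.join(hits)}")
            return "malicious"
    return "clean"


# Constructed sample traffic and pages (reserved .example domains).
SAMPLE_MESSAGES = {
    "m1": "Claim your prize at http://pay.example/checkout.",
    "m2": "lunch at noon?",
    "m3": "see you tomorrow",
    "m4": "today's forecast: http://news.example/weather",
}
SAMPLE_PAGES = {
    "http://pay.example/checkout": "<h1>Pay now</h1><p>Enter your card number</p>",
    "http://news.example/weather": "<p>Light rain expected in the afternoon</p>",
}
SAMPLE_EVENTS = [
    {"id": "m1", "sender": "s1", "receivers": ["r1"]},
    {"id": "m2", "sender": "u1", "receivers": ["u2"]},
    {"id": "m3", "sender": "s1", "receivers": ["r2"]},
    {"id": "m4", "sender": "u3", "receivers": ["s1"]},
]


def run_sample():
    """Process the sample events with s1 as the only suspected account."""
    monitor, malicious = InMemoryMonitor(SAMPLE_MESSAGES), set()
    outcomes = [handle_communication(e, {"s1"}, malicious, monitor, SAMPLE_PAGES.get)
                for e in SAMPLE_EVENTS]
    return outcomes, malicious, monitor


if __name__ == "__main__":
    print(run_sample()[0])
```

As in claim 33, a communication is inspected when any participant is suspected, so in the fourth sample event an unsuspected sender's message is still fetched and checked because the receiver is on the suspected list.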
CN201611109776.2A 2016-12-06 2016-12-06 Device, method and system for predicting whether social network account is malicious or not Active CN106549974B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611109776.2A CN106549974B (en) 2016-12-06 2016-12-06 Device, method and system for predicting whether social network account is malicious or not

Publications (2)

Publication Number Publication Date
CN106549974A CN106549974A (en) 2017-03-29
CN106549974B true CN106549974B (en) 2020-06-02

Family

ID=58396915

Country Status (1)

Country Link
CN (1) CN106549974B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107229951B (en) * 2017-05-31 2020-12-29 北京知道创宇信息技术股份有限公司 Method and computing device for predicting whether malicious behaviors exist in user
CN109561050B (en) * 2017-09-26 2021-11-09 武汉斗鱼网络科技有限公司 Method and device for identifying batch account numbers
CN107682187A (en) * 2017-09-29 2018-02-09 中科聚信信息技术(北京)有限公司 A kind of anti-fraud method based on social network analysis model
CN109936525B (en) 2017-12-15 2020-07-31 阿里巴巴集团控股有限公司 Abnormal account number prevention and control method, device and equipment based on graph structure model
CN108197795B (en) * 2017-12-28 2020-11-03 杭州优行科技有限公司 Malicious group account identification method, device, terminal and storage medium
CN108536776A (en) * 2018-03-28 2018-09-14 广州厚云信息科技有限公司 Unification user malicious act detection method and system in a kind of social networks
CN110555301B (en) * 2018-05-31 2023-05-09 阿里巴巴集团控股有限公司 Account authority adjustment method, device and equipment and account authority processing method
CN110689422A (en) * 2018-07-05 2020-01-14 北京嘀嘀无限科技发展有限公司 Financial service management method and device
CN109146664A (en) * 2018-07-20 2019-01-04 上海新储集成电路有限公司 A kind of classification storage method for finance account
CN109034661A (en) * 2018-08-28 2018-12-18 腾讯科技(深圳)有限公司 User identification method, device, server and storage medium
CN109039827B (en) * 2018-08-30 2020-09-22 河南信安通信技术股份有限公司 Social software hotspot acquisition system and method based on positions
CN109145050B (en) * 2018-09-29 2022-04-01 智器云南京信息科技有限公司 Computing device
CN109636656A (en) * 2018-10-31 2019-04-16 张建强 A kind of dating system
CN109495378B (en) * 2018-12-28 2021-03-12 广州华多网络科技有限公司 Method, device, server and storage medium for detecting abnormal account
CN111861483A (en) * 2019-04-26 2020-10-30 阿里巴巴集团控股有限公司 Communication method, computer equipment and storage medium
CN114301864B (en) * 2020-08-14 2024-02-02 腾讯科技(深圳)有限公司 Object identification method, device, storage medium and server
CN113344621B (en) * 2021-05-31 2023-08-04 北京百度网讯科技有限公司 Determination method and device for abnormal account and electronic equipment
CN113468528A (en) * 2021-06-29 2021-10-01 平安普惠企业管理有限公司 Malicious device identification method and device, server and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105354249A (en) * 2015-10-16 2016-02-24 晶赞广告(上海)有限公司 Multi-account relevance method and device, and electronic equipment
CN105791255A (en) * 2014-12-23 2016-07-20 阿里巴巴集团控股有限公司 Method and system for identifying computer risks based on account clustering
CN106034149A (en) * 2015-03-13 2016-10-19 阿里巴巴集团控股有限公司 Account identification method and device
CN106156341A (en) * 2016-07-14 2016-11-23 微额速达(上海)金融信息服务有限公司 The identification method of the Internet labeled data

Also Published As

Publication number Publication date
CN106549974A (en) 2017-03-29

Similar Documents

Publication Publication Date Title
CN106549974B (en) Device, method and system for predicting whether social network account is malicious or not
CN110399925B (en) Account risk identification method, device and storage medium
CN107872772B (en) Method and device for detecting fraud short messages
RU2607229C2 (en) Systems and methods of dynamic indicators aggregation to detect network fraud
CN107872436B (en) Account identification method, device and system
JP6220407B2 (en) Document classification using multi-scale text fingerprinting
CN108881265A (en) A kind of network attack detecting method and system based on artificial intelligence
CN108683687A (en) A kind of network attack identification method and system
CN111435507A (en) Advertisement anti-cheating method and device, electronic equipment and readable storage medium
CN108667854A (en) Network hole detection method and device, network hole automated publication system
CN108881263A (en) A kind of network attack result detection method and system
CN103443800A (en) Network rating
WO2021098274A1 (en) Method and apparatus for evaluating risk of leakage of private data
CN103139193A (en) Phishing website processing method and system
CN102710770A (en) Identification method for network access equipment and implementation system for identification method
US20110208630A1 (en) Methods and systems for detection of financial crime
CN106162584A (en) Identify the method for refuse messages, client, cloud server and system
CN110909384B (en) Method and device for determining business party revealing user information
WO2019023372A1 (en) Electronic payment network security
CN106127463A (en) One is transferred accounts control method and terminal unit
CN111105064B (en) Method and device for determining suspicion information of fraud event
CN110061981A (en) A kind of attack detection method and device
WO2021050990A1 (en) Data analytics tool
CN102790707A (en) Method and device for classifying object
CN114363839B (en) Fraud data early warning method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 311501, Unit 1, Building 5, Courtyard 1, Futong East Street, Chaoyang District, Beijing 100102

Applicant after: Beijing Zhichuangyu Information Technology Co., Ltd.

Applicant after: Wuxi Public Security Bureau

Address before: 100097 Jinwei Building 803, 55 Lanindichang South Road, Haidian District, Beijing

Applicant before: Beijing Knows Chuangyu Information Technology Co.,Ltd.

Applicant before: Wuxi Public Security Bureau

GR01 Patent grant