CN106992958B - Method and system for positioning malicious account through lost account - Google Patents


Publication number: CN106992958B
Authority: CN (China)
Prior art keywords: account, user, machine code, client, malicious
Legal status: Active
Application number: CN201610041698.0A
Other languages: Chinese (zh)
Other versions: CN106992958A (en)
Inventors: 范鑫, 李华明, 汤鑫, 吴大瑞
Current Assignee: Alibaba Group Holding Ltd
Original Assignee: Alibaba Group Holding Ltd
Application filed by: Alibaba Group Holding Ltd
Priority to: CN201610041698.0A (CN106992958B), PCT/CN2017/070907 (WO2017124954A1), TW106101736A (TW201733388A)
Events: publication of CN106992958A; application granted; publication of CN106992958B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The application discloses a method and a system for locating a malicious account through a lost account. The method comprises the following steps: reading the reported lost account, and querying the machine code corresponding to each client on which the reported lost account has logged in; querying, according to each machine code, all user accounts that have logged in on the corresponding client; and analyzing each user account to determine malicious accounts and other lost accounts. With this method and system, malicious accounts can be identified through the correspondence between machine codes and user accounts, hackers or lawbreakers are struck at the source, and the prior-art problem that hackers or lawbreakers cannot be tracked is solved.

Description

Method and system for positioning malicious account through lost account
Technical Field
The application relates to the field of internet, in particular to a method and a system for locating a malicious account through a lost account.
Background
With the development of the internet, it has become common for hackers to steal normal users' accounts, and for lawbreakers to purchase large numbers of junk accounts through the black-market industry, in order to carry out destructive behavior against target websites.
Because real-name authentication of natural persons is currently costly, a considerable number of the accounts registered on a website have not undergone real-name authentication. Once such unauthenticated accounts are stolen or purchased and used to attack a website, the only available response is to ban the specific account based on the attack behavior it performed; the hacker or lawbreaker actually behind the account cannot be located. Therefore, even if the attack on the website is traced, the lawbreaker loses only one or a few accounts and bears essentially no cost, which encourages further malicious behavior.
The prior art can trace the identity of the hackers or lawbreakers behind accounts by tracking IP addresses. However, IP-based location is not accurate and cannot truly reflect the user's environment; moreover, more and more hackers or lawbreakers use proxy IPs, which makes IP-based location more difficult.
Therefore, a scheme capable of locating and tracking malicious accounts is needed, so that potential risks can be predicted and warned of in advance and hackers or lawbreakers can be struck at the source.
Disclosure of Invention
In view of the above, embodiments of the present application are proposed to provide a method and system for locating a malicious account through a lost account that overcomes or at least partially solves the above problems.
In order to solve the above problem, the present application discloses a method for locating a malicious account by a lost account, including:
reading the reported lost account, and inquiring a machine code corresponding to each client logged in by the reported lost account;
inquiring all user accounts logged in the corresponding client according to each machine code;
and analyzing each user account and determining a malicious account.
The embodiment of the present application further discloses a system for locating a malicious account by a lost account, including:
the machine code query module is used for reading the reported lost account and querying the machine code corresponding to each client logged in by the reported lost account;
the user account query module is used for querying all user accounts logged in the corresponding client according to each machine code;
and the account analysis module is used for analyzing each user account and determining a malicious account.
The embodiment of the application has at least the following advantages:
According to the method and system for locating a malicious account through a lost account, the machine code can be queried through the lost account, each user account that has logged in on the client corresponding to the machine code is then queried through the machine code, and the malicious account is analyzed and located through the correspondence between machine codes and user accounts, so that the hacker or lawbreaker is located at the source, solving the prior-art problem that hackers or lawbreakers cannot be tracked.
Drawings
Fig. 1 is a flowchart of a method for locating a malicious account through a lost account according to a first embodiment of the present application.
Fig. 2 is a flowchart of a method for locating a malicious account by a lost account according to a second embodiment of the present application.
Fig. 3 is a block diagram of a positioning system for positioning a malicious account by a lost account according to the positioning method of the first embodiment of the present application.
Fig. 4 is a block diagram of a positioning system for positioning a malicious account by a lost account according to a positioning method of a second embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments that can be derived from the embodiments given herein by a person of ordinary skill in the art are intended to be within the scope of the present disclosure.
One of the core ideas of the application is to read the machine code of each client on which a lost account has logged in, look up all user accounts that have logged in on each corresponding client according to each machine code, analyze each user account, and then determine the malicious accounts among all the user accounts.
First embodiment
A first embodiment of the present application provides a method for locating a malicious account through a lost account. It should be noted that "malicious account" here covers hacker accounts, junk accounts used by lawbreakers to attack a website, and the like; it is defined in contrast to accounts normally used by users and is not limited to any particular type of account.
Fig. 1 is a flowchart of the method for locating a malicious account through a lost account according to the first embodiment of the present application. The method provided by the first embodiment comprises the following steps:
S101, reading the reported lost account, and querying the machine code corresponding to each client on which the reported lost account has logged in;
In this step, if a user finds that an account is lost, for example the account cannot be opened after the user name or password is entered, or the account shows traces of having been used by others, the user can report the lost account through a complaint channel on the web page. The server reads the lost account reported by the user and queries, for example from a database, the machine code corresponding to each client on which the reported lost account has logged in.
For example, if the server finds in the database that the lost account reported by the user is associated with five machine codes, it can be determined that the lost account has logged in on 5 clients. The machine code is a unique code that distinguishes each client from the others, and may be, for example, the MAC address of the client.
S102, querying, according to each machine code, all user accounts that have logged in on the corresponding client;
In this step, the server queries, according to each machine code found in step S101, all user accounts that have logged in on the client corresponding to that machine code. For example, if 5 associated machine codes were found in step S101, the user accounts that have logged in on each client are queried according to each associated machine code. If, for example, 1, 2, 3, 4, and 5 user accounts have logged in on the clients corresponding to the 5 associated machine codes, respectively, then 15 user accounts in total have logged in on the 5 clients.
S103, analyzing each user account and determining a malicious account;
In this step, taking the 15 user accounts as an example, the server may analyze the 15 user accounts one by one and determine, according to a specific rule, which one or more of them are malicious accounts.
As can be seen from the above, in the method for locating a malicious account through a lost account according to the first embodiment of the present application, the machine code can be queried through the lost account, each user account that has logged in on the client corresponding to the machine code is queried through the machine code, and the malicious account is analyzed and located through the correspondence between machine codes and user accounts, so that the hacker or lawbreaker is located at the source, solving the prior-art problem that hackers or lawbreakers cannot be tracked.
Second embodiment
A second embodiment of the present application provides a method for locating a malicious account through a lost account. Fig. 2 is a flowchart of the method according to the second embodiment of the present application. The method provided by the second embodiment includes the following steps:
S201, loading, on the web page side, an information collection tool for extracting the machine code of the client;
In this step, the information collection tool is, for example, a script or a plug-in, and the script may be a JavaScript script. The server loads, for example, JavaScript code on the web page side; when the web page is accessed through the browser of the client, the JavaScript code is loaded in the browser along with the other scripts of the web page and extracts the machine code of the client. Of course, the information collection tool is not limited to JavaScript code or a plug-in; any web page code that enables the machine code of the client to be uploaded to the server is feasible.
S202, when the web page is logged in to through the client, obtaining the machine code of the client and transmitting it to a server;
In this step, when the user logs in to the web page through the client, the information collection tool of step S201 obtains the machine code of the client and transmits it to the server. Preferably, the server is provided with a database into which the machine code can be uploaded.
S203, extracting user information from the user access log in the server that corresponds to the client;
In this step, the server keeps a history of each access by the client to the web page, such as a user access log, which records each login time, offline time, user account, user IP, login location, and so on. The server extracts the relevant user information from the user access log; this extraction may be, for example, a log "cleaning" step.
S204, extracting all user accounts in the user information, and associating each of the user accounts with the machine code of the client;
The user information includes one or more user accounts that have logged in through the client; if several users have logged in through the same client, the user information recorded in the user access log includes several user accounts. In this step, the server extracts all user accounts from the user information and maps each of them to the machine code of the client. That is, each user account extracted for the same client is matched with the machine code of that client, so that later the machine code can be queried through the user account, or the user account can be queried through the machine code.
The user information may further include, for example, at least one of a user IP, a login location, and a contact address reserved by the user. When the user account is associated with the machine code in this step, each item contained in the user information may also be associated with the machine code; that is, the user IP, the login location, and the like may be associated with the machine code, so that any item of the user information can be queried through the machine code, and the machine code can be queried through any item of the user information.
After this step, a many-to-many mapping is formed in the server: each user account may correspond to multiple machine codes, and each machine code may correspond to multiple user accounts.
S205, reading the reported lost account, and querying the machine code corresponding to each client on which the reported lost account has logged in;
In this step, using the matching between machine codes and user accounts in the database, at least one corresponding machine code can be queried through the reported lost account (i.e., a user account). This step is the same as or similar to step S101 in the first embodiment, and is not described again here.
S206, querying, according to each machine code, all user accounts that have logged in on the corresponding client;
In this step, all user accounts that have logged in on the client are looked up according to the many-to-many correspondence between user accounts and machine codes recorded in the server. This step is the same as or similar to step S102 in the first embodiment, and is not described again here.
S207, analyzing each user account and determining a malicious account.
This step is the same as or similar to step S103 in the first embodiment, and is not described again here.
In a preferred embodiment, step S207 of analyzing each user account to determine a malicious account includes:
when a user account shares the same machine code with the lost accounts, determining that the user account is a malicious account.
In this step, suppose a certain user account repeatedly logs in, in sequence with other accounts reported as lost, on a client corresponding to the same machine code; that user account will then have the same machine code as the lost accounts. In this case, if the user account and the lost accounts correspond to the same machine code more than a certain number of times, for example, 100 times, it may be determined that the user account is a malicious account.
Alternatively, the step of analyzing each user account and determining a malicious account further includes:
when the operation frequency of a user account exceeds a threshold, determining that the user account is a malicious account.
A malicious account is usually very active. Suppose a certain user account operates frequently, for example beyond a certain threshold, where the threshold may be the maximum operation frequency of a real user within a fixed time. If, for example, the operation frequency of the user account is detected to be 100 times per hour, which exceeds the maximum operation frequency a real user could reach (for example, 60 times), it may be determined that the user account is a malicious account. The maximum operation frequency of a real user can be obtained through statistics, and details are not repeated here.
In a preferred embodiment, after analyzing each user account and determining a malicious account, the locating method further includes:
analyzing each user account, and determining other unreported lost accounts.
In this step, since it has already been determined which account or accounts are malicious, it is possible to determine at the same time which account or accounts are other, unreported lost accounts.
For example, when one of the user accounts corresponds to the same machine code as a determined malicious account, and the login place corresponding to that user account is not its fixed login place over a specific past period, the user account is determined to be an unreported lost account. For example, if a certain user account logged in from Hangzhou during 90% of 2015, Hangzhou may be determined to be the fixed login place of the user account; if it is detected in this step that the user account and the malicious account correspond to the same login place, and the latest login place of the user account is Beijing, the user account may be determined to be a lost account.
For another example, when one of the user accounts corresponds to the same machine code as a determined malicious account, and the user account logs in only once within a specific time period after the point in time at which it shared a machine code with the malicious account, the account may be determined to be a lost account. For example, once a user account has been stolen and has logged in on the same client as a malicious account, it is used only once and not again, so the user account can be determined to be a lost account in this case.
As can be appreciated by those skilled in the art, there are many ways in the art to identify malicious accounts and lost accounts; the above are merely examples and do not limit the present application.
In a preferred embodiment, after analyzing each of the user accounts and determining other unreported lost accounts, the method further includes:
logging off the malicious account; and/or
notifying the user whose account is lost through the contact method reserved by the user.
These two steps can be regarded as striking at malicious accounts and giving early warning for lost accounts, and the spread of risk can be controlled through them. There are other methods in the art for striking at malicious accounts and for warning and notifying the owners of lost accounts, which are not specifically described herein.
As can be seen from the above, in the method for locating a malicious account through a lost account according to the second embodiment of the present application, the machine code can be queried through the lost account, each user account that has logged in on the client corresponding to the machine code is then queried through the machine code, and the malicious account is analyzed and located through the correspondence between machine codes and user accounts. The hacker or lawbreaker is thereby located at the source and struck at, and users whose accounts are lost are warned early, which solves the prior-art problem that hackers or lawbreakers cannot be tracked and controls the spread of risk.
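The pivot in steps S204 to S207, together with the login-place check for unreported lost accounts, can be shown as a short Python sketch. This is an added example, not code from the patent: the record layout, account names, machine codes and log entries are constructed, the machine code is treated as an opaque string, login records stand in for "operations", and "shares a machine code with at least `overlap_min` distinct lost accounts" is one assumed reading of the shared-machine-code rule (the text's own example threshold is 100 times).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_index(records):
    """S204: many-to-many mapping between user accounts and machine codes."""
    acct_codes, code_accts = defaultdict(set), defaultdict(set)
    for _ts, acct, code, _place in records:
        acct_codes[acct].add(code)
        code_accts[code].add(acct)
    return acct_codes, code_accts

def candidates(lost, acct_codes, code_accts):
    """S205-S206: lost account -> its machine codes -> every account seen on them."""
    found = set()
    for acct in lost:
        for code in acct_codes.get(acct, ()):
            found |= code_accts[code]
    return found - set(lost)

def lost_overlap(acct, lost, acct_codes, code_accts):
    """Distinct lost accounts sharing at least one machine code with acct."""
    return len({a for code in acct_codes[acct] for a in code_accts[code] if a in lost})

def peak_ops_per_hour(times):
    """Largest number of events inside any sliding one-hour window."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] >= timedelta(hours=1):
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def fixed_place(places, share=0.9):
    """Login place covering at least `share` of past logins, else None."""
    if not places:
        return None
    place, n = Counter(places).most_common(1)[0]
    return place if n / len(places) >= share else None

def analyze(records, lost, overlap_min=2, ops_max=60):
    """S207 plus the unreported-lost check; returns (malicious, unreported_lost)."""
    lost = set(lost)
    acct_codes, code_accts = build_index(records)
    by_acct = defaultdict(list)
    for rec in sorted(records):              # chronological order per account
        by_acct[rec[1]].append(rec)
    pool = candidates(lost, acct_codes, code_accts)
    malicious = {
        a for a in pool
        if lost_overlap(a, lost, acct_codes, code_accts) >= overlap_min
        or peak_ops_per_hour([r[0] for r in by_acct[a]]) > ops_max
    }
    unreported = set()
    for a in pool - malicious:
        shares = any(code_accts[c] & malicious for c in acct_codes[a])
        places = [r[3] for r in by_acct[a]]
        home = fixed_place(places[:-1])      # history before the latest login
        if shares and home is not None and places[-1] != home:
            unreported.add(a)
    return malicious, unreported

# Constructed sample access log: (timestamp, account, machine_code, login_place).
T0 = datetime(2016, 1, 4, 9, 0)

def _r(hours, acct, code, place):
    return (T0 + timedelta(hours=hours), acct, code, place)

SAMPLE_LOG = (
    [_r(24 * d, "alice", "MC-A", "Hangzhou") for d in range(5)]
    + [_r(24 * d + 1, "dave", "MC-A", "Hangzhou") for d in range(5)]    # shares alice's PC
    + [_r(24 * d, "bob", "MC-B", "Shanghai") for d in range(5)]
    + [_r(24 * d + 2, "carol", "MC-C", "Hangzhou") for d in range(8)]
    + [_r(24 * d + 3, "erin", "MC-X2", "Beijing") for d in range(3)]    # always Beijing
    + [_r(200 + d, "mallory", "MC-X1", "Beijing") for d in range(3)]
    + [_r(210 + d, "mallory", "MC-X2", "Beijing") for d in range(3)]
    + [_r(201, "alice", "MC-X1", "Beijing"), _r(202, "carol", "MC-X1", "Beijing"),
       _r(211, "bob", "MC-X2", "Beijing"), _r(220, "bob", "MC-Y", "Beijing")]
    + [(T0 + timedelta(hours=221, seconds=30 * i), "bot7", "MC-Y", "Beijing")
       for i in range(100)]                                             # 100 ops in < 1 h
)

if __name__ == "__main__":
    bad, silent = analyze(SAMPLE_LOG, {"alice", "bob"})
    print("malicious:", sorted(bad))
    print("unreported lost:", sorted(silent))
```

In the sample, `dave` and `erin` show the false-positive risk of the pivot: both share a machine code with a lost account (a household PC, a shared machine) and are cleared only because the rules require more than co-occurrence.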
Third embodiment
An embodiment of the present application further provides a system for locating a malicious account through a lost account. Fig. 3 is a block diagram of the locating system corresponding to the locating method of the first embodiment of the present application. The locating system 300 includes:
a machine code query module 301, configured to read a reported lost account, and query the machine code corresponding to each client on which the reported lost account has logged in;
a user account query module 302, configured to query, according to each machine code, all user accounts that have logged in on the corresponding client;
an account analysis module 303, configured to analyze each user account to determine a malicious account.
In the system for locating a malicious account through a lost account provided by the third embodiment of the present application, the malicious account can be identified through the correspondence between machine codes and user accounts, so that the hacker or lawbreaker is located at the source, solving the prior-art problem that hackers or lawbreakers cannot be tracked.
Fourth embodiment
An embodiment of the present application further provides a system for locating a malicious account through a lost account. Fig. 4 is a block diagram of the locating system corresponding to the locating method of the second embodiment of the present application. The locating system includes:
a loading module 401, configured to load, on the web page side, an information collection tool for extracting the machine code of a client;
a machine code transmission module 402, configured to obtain the machine code of the client when the web page is logged in to through the client, and transmit the machine code of the client to a server;
a user information extracting module 403, configured to extract user information from the user access log in the server that corresponds to the client;
an information matching module 404, configured to extract all user accounts in the user information, and associate each of the user accounts with the machine code of the client;
a machine code query module 405, configured to read the reported lost account, and query the machine code corresponding to each client on which the reported lost account has logged in;
a user account query module 406, configured to query, according to each machine code, all user accounts that have logged in on the corresponding client;
an account analysis module 407, configured to analyze each user account to determine a malicious account.
In an embodiment, the account analysis module 407 includes:
a malicious account determining submodule, configured to determine that a user account is a malicious account when the user account shares the same machine code with the lost accounts.
In an embodiment, the user information further comprises at least one of a user IP, a login location, and a contact address reserved by the user.
The account analysis module is further configured to analyze each user account and determine other unreported lost accounts.
In a preferred embodiment, the account analysis module further includes:
an unreported lost account determining submodule, configured to determine that a user account is an unreported lost account when the user account and the malicious account correspond to the same machine code and the login place corresponding to the user account is not its fixed login place over a specific past period.
In a preferred embodiment, the system further comprises:
a malicious account striking module, configured to log off the malicious account; and/or
a lost account early warning module, configured to notify the user whose account is lost through the contact method reserved by the user.
In a preferred embodiment, the machine code is the MAC address of the client.
In the system for locating a malicious account through a lost account, the malicious account can be identified through the correspondence between machine codes and user accounts, the hacker or lawbreaker can be located at the source and struck at, and users whose accounts are lost are warned early, which solves the prior-art problem that hackers or lawbreakers cannot be tracked.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one of skill in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
In a typical configuration, the computer device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory. The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement signal storage by any method or technology. The signals may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store signals that can be accessed by a computing device. As defined herein, computer readable media does not include transitory computer readable media (transitory media), such as modulated data signals and carrier waves.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Unless otherwise limited, an element introduced by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or terminal that comprises that element.
The method and system for locating a malicious account through a lost account provided by the present application have been described in detail above. Specific examples are used herein to explain the principle and implementation of the application, and the description of the embodiments is intended only to help in understanding the method and core idea of the application. For a person skilled in the art, the specific embodiments and the scope of application may vary according to the idea of the present application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (14)

1. A method for locating a malicious account through a lost account is characterized by comprising the following steps:
reading the reported lost account, and inquiring a machine code corresponding to each client logged in by the reported lost account;
inquiring all user accounts logged in the corresponding client according to each machine code;
analyzing each user account and determining a malicious account;
the step of analyzing each user account and determining a malicious account comprises:
when one user account corresponds to the same machine code as a plurality of lost accounts, determining the user account as a malicious account; or
when the operation frequency of one user account exceeds a threshold value, determining that the user account is a malicious account.
2. The method as claimed in claim 1, wherein before reading the reported lost account and querying a machine code corresponding to each client logged in by the reported lost account, the method further comprises:
loading an information acquisition tool for extracting the machine code of the client to a webpage end;
when the webpage end is logged in through the client, acquiring a machine code of the client, and transmitting the machine code of the client to a server;
extracting user information from a user access log corresponding to the client in a server;
and extracting all user accounts in the user information, and associating all the user accounts with the machine codes of the client respectively.
3. The positioning method of claim 2, wherein the user information further comprises at least one of a user IP, a login location, a contact address reserved by a user.
4. The location method of claim 3, wherein after analyzing each of the user accounts and determining a malicious account, the location method further comprises:
and analyzing each user account, and determining other unreported lost accounts.
5. The method of claim 4, wherein the step of analyzing each of the user accounts to determine other missing accounts that have not been reported comprises:
and when one user account and the malicious account correspond to the same machine code and the login place corresponding to the user account is not a fixed login place in a specific time, determining that the user account is an unreported lost account.
6. The method of claim 5, wherein after analyzing each of the user accounts and determining other lost accounts that have not been reported, the method further comprises:
logging off the malicious account; and/or
notifying the user who lost the account through the contact address reserved by the user.
7. The positioning method of claim 1, wherein the machine code is a MAC address of the client.
8. A location system for locating a malicious account through a lost account, comprising:
the machine code query module is used for reading the reported lost account and querying the machine code corresponding to each client logged in by the reported lost account;
the user account query module is used for querying all user accounts logged in the corresponding client according to each machine code;
the account analysis module is used for analyzing each user account and determining a malicious account;
the account analysis module comprises a malicious account determination submodule for:
when one user account corresponds to the same machine code as a plurality of lost accounts, determining the user account as a malicious account; or
when the operation frequency of one user account exceeds a threshold value, determining that the user account is a malicious account.
9. The location system of claim 8, the system further comprising:
the loading module is used for loading an information acquisition tool for extracting the machine code of the client to the webpage end;
the machine code transmission module is used for acquiring the machine code of the client and transmitting the machine code of the client to a server when the client logs in the webpage end;
the user information extraction module is used for extracting user information from a user access log corresponding to the client in the server;
and the information matching module is used for extracting all user accounts in the user information and associating all the user accounts with the machine codes of the client respectively.
10. The location system of claim 9, wherein the user information further comprises at least one of a user IP, a login location, a contact address reserved by a user.
11. The location system of claim 10, wherein the account analysis module is further configured to analyze each of the user accounts to determine other missing accounts that have not been reported.
12. The location system of claim 11, wherein the account analysis module further comprises:
and the un-reported lost account determining submodule is used for determining that one user account is an un-reported lost account when the user account and the malicious account correspond to the same machine code and the login place corresponding to the user account is not a fixed login place in the past specific time.
13. The positioning system of claim 12, wherein the system further comprises:
a malicious account striking module for logging off the malicious account; and/or
a lost account early warning module for notifying the user who lost the account through the contact address reserved by the user.
14. The location system of claim 8, wherein the machine code is a MAC address of the client.
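The correlation in claims 1 and 5 can be run over login records as follows. This is an added example, not code from the patent or its applicant; the record layout, account names, places, the per-hour operation unit and the threshold of 100 are constructed. It also assumes that an account flagged under claim 1 but seen away from its fixed login place is treated as an unreported lost account, since such an account satisfies both claims, and that the supplied records are the time window of claim 5.

```python
from collections import defaultdict

# Constructed login records (account, machine_code, login_place); not data from the patent.
LOGINS = [
    ("victim_a", "MC-HOME-A", "Hangzhou"), ("victim_a", "MC-X", "Shenzhen"),
    ("victim_b", "MC-X", "Shenzhen"),      ("victim_b", "MC-Y", "Guangzhou"),
    ("family_a", "MC-HOME-A", "Hangzhou"),  # shares a PC with a single lost account
    ("mule_1",   "MC-X", "Shenzhen"),       # same machine code as two lost accounts
    ("bot_7",    "MC-Y", "Guangzhou"),      # one lost account, but very high operation rate
    ("victim_c", "MC-HOME-C", "Chengdu"),  ("victim_c", "MC-X", "Shenzhen"),  # never reported
]
REPORTED_LOST = {"victim_a", "victim_b"}
OPS_PER_HOUR = {"family_a": 3, "mule_1": 12, "bot_7": 900, "victim_c": 5}   # assumed unit
FIXED_PLACE = {"family_a": "Hangzhou", "mule_1": "Shenzhen",
               "bot_7": "Guangzhou", "victim_c": "Chengdu"}                 # assumed history

def locate(logins, reported_lost, ops, fixed_place, op_threshold=100):
    """Return (malicious, unreported_lost) following claims 1 and 5."""
    by_machine = defaultdict(dict)                 # machine_code -> {account: login_place}
    for acct, mc, place in logins:
        by_machine[mc][acct] = place
    flagged, away = set(), set()                   # sets of (account, machine_code)
    for mc, accts in by_machine.items():
        lost_here = reported_lost & set(accts)
        if not lost_here:                          # claim 1: only machines a lost account used
            continue
        for acct, place in accts.items():          # every account seen on that machine
            if acct in reported_lost:
                continue
            if place != fixed_place.get(acct, place):
                away.add((acct, mc))               # logged in away from its fixed place
            if len(lost_here) >= 2 or ops.get(acct, 0) > op_threshold:
                flagged.add((acct, mc))            # either condition of claim 1
    # Assumption: a flagged account seen away from its fixed place is treated as a
    # victim candidate (claim 5) rather than as malicious.
    malicious = {acct for acct, _ in flagged - away}
    bad_machines = {mc for acct, mc in flagged if acct in malicious}
    unreported = {acct for acct, mc in away if mc in bad_machines} - malicious
    return malicious, unreported

if __name__ == "__main__":
    print(locate(LOGINS, REPORTED_LOST, OPS_PER_HOUR, FIXED_PLACE))
```

Without the login-place check, `victim_c` would be flagged as malicious, because it shares `MC-X` with two reported lost accounts exactly as `mule_1` does.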
CN201610041698.0A 2016-01-21 2016-01-21 Method and system for positioning malicious account through lost account Active CN106992958B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201610041698.0A CN106992958B (en) 2016-01-21 2016-01-21 Method and system for positioning malicious account through lost account
PCT/CN2017/070907 WO2017124954A1 (en) 2016-01-21 2017-01-11 Method and system for locating malicious account through missing account
TW106101736A TW201733388A (en) 2016-01-21 2017-01-18 Method and system for locating malicious account through missing account

Publications (2)

Publication Number Publication Date
CN106992958A CN106992958A (en) 2017-07-28
CN106992958B CN106992958B (en) 2020-11-06

Family

ID=59361506

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610041698.0A Active CN106992958B (en) 2016-01-21 2016-01-21 Method and system for positioning malicious account through lost account

Country Status (3)

Country Link
CN (1) CN106992958B (en)
TW (1) TW201733388A (en)
WO (1) WO2017124954A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112351030B (en) * 2020-11-04 2024-01-05 广州腾讯科技有限公司 Data processing method and computer equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101977383A (en) * 2010-08-03 2011-02-16 北京星网锐捷网络技术有限公司 Authentication processing method, system, client side and server for network access
CN103220288A (en) * 2013-04-12 2013-07-24 苏州通付盾信息技术有限公司 Safe-operation method of social platform
CN104901850A (en) * 2015-06-12 2015-09-09 国家计算机网络与信息安全管理中心广东分中心 Network locating method for malicious code terminal infected machine
WO2015172685A1 (en) * 2014-05-12 2015-11-19 Tencent Technology (Shenzhen) Company Limited Method and apparatus for identifying malicious account

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104426885B (en) * 2013-09-03 2019-04-16 深圳市腾讯计算机系统有限公司 Abnormal account providing method and device
CN104519032B (en) * 2013-09-30 2019-02-01 深圳市腾讯计算机系统有限公司 A kind of security strategy and system of internet account number
CN104852886B (en) * 2014-02-14 2019-05-24 腾讯科技(深圳)有限公司 The guard method of user account number and device
CN104917643B (en) * 2014-03-11 2019-02-01 腾讯科技(深圳)有限公司 Abnormal account detection method and device
US9396332B2 (en) * 2014-05-21 2016-07-19 Microsoft Technology Licensing, Llc Risk assessment modeling
CN105227532B (en) * 2014-06-30 2018-09-18 阿里巴巴集团控股有限公司 A kind of blocking-up method and device of malicious act

Also Published As

Publication number Publication date
TW201733388A (en) 2017-09-16
CN106992958A (en) 2017-07-28
WO2017124954A1 (en) 2017-07-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant