CN107104973A - The method of calibration and device of user behavior - Google Patents
The method of calibration and device of user behavior Download PDFInfo
- Publication number
- CN107104973A CN107104973A CN201710322208.9A CN201710322208A CN107104973A CN 107104973 A CN107104973 A CN 107104973A CN 201710322208 A CN201710322208 A CN 201710322208A CN 107104973 A CN107104973 A CN 107104973A
- Authority
- CN
- China
- Prior art keywords
- user
- action log
- identifying code
- abnormal behaviour
- user action
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
Abstract
The embodiment of the present application provides the method for calibration and device of user behavior, the abnormal behaviour detected is defined as different grades of danger coefficient, then correspondingly verified according to the danger coefficient size of abnormal behaviour, when the danger coefficient of abnormal behaviour is more than default danger coefficient threshold value using the higher verification method of security;Identifying code is generated using User action log;Safety verification is carried out to user identity using the identifying code, obtained because the identifying code in the embodiment of the present invention is associated with User action log, therefore, identifying code is can to carry out dynamic change according to the change of User action log, it is not easy to be cracked by network hacker, it is ensured that the safety coefficient of subscriber authentication is more increased, relatively reliable, simple to operate, user experience is high.
Description
Technical field
The application is related to technical field of network security, more particularly to a kind of user behavior method of calibration and device.
Background technology
With the development of Internet technology, in order to ensure the security of Internet user's information, it usually needs build backstage
Database to carry out safety verification to user profile, so that it is determined that whether user can correctly sign in network application or enter
The network operations such as row network trading.
Yet with the wildness of network hacker, only by the checking of the such single factors of user profile, can not effectively it protect
Hinder the safety of user profile, so that various user information safety accidents continually occur.To solve this information security issue, may be used also
By the second proving program of setting, such as to obtain dynamic verification code by SMS and carry out user's checking.But, it is this
Mobile phone short message verification method needs to expend extra resource, substantially increases network verification cost, user experience also declines.
The content of the invention
The many aspects of the application provide the method for calibration and device of a kind of user behavior, are improving user profile checking
Checking cost is reduced while security, user experience is greatly improved.
The embodiment of the present application provides a kind of method of calibration of user behavior, including:
The current abnormal behaviour of user is monitored, the danger coefficient of the abnormal behaviour is determined;
If the danger coefficient of the abnormal behaviour is more than default danger coefficient threshold value, user's row of the user is obtained
For daily record;
Identifying code is generated using the User action log;
Safety verification is carried out to the abnormal behaviour using the identifying code.
The embodiment of the present application provides a kind of calibration equipment of user behavior, including:
Monitoring modular, the abnormal behaviour current for monitoring user;
Determining module, for, to the current abnormal behaviour of user, determining the abnormal row according to the monitoring module monitors
For danger coefficient;
Acquisition module, for determining that the danger coefficient of the abnormal behaviour is more than default dangerous system in the determining module
Number threshold value, then obtain the User action log of the user;
Generation module, for generating identifying code using the User action log;
Authentication module, for carrying out safety verification to the abnormal behaviour using the identifying code.
In the embodiment of the present application, on the basis of User action log is excavated, establish based on User action log
Learning model.And the abnormal behaviour detected is defined as different grades of danger coefficient, then according to the danger of abnormal behaviour
Dangerous coefficient magnitude correspondingly verified, when the danger coefficient of abnormal behaviour more than default danger coefficient threshold value uses security
Higher verification method;Identifying code is generated using User action log;Safety is carried out to user identity using the identifying code
Checking, is obtained, therefore, identifying code is can root because the identifying code in the embodiment of the present invention is associated with User action log
Dynamic change is carried out according to the change of User action log, it is not easy to cracked by network hacker, it is ensured that the safety of subscriber authentication
Coefficient is more increased, relatively reliable, simple to operate, and user experience is high.
Brief description of the drawings
Accompanying drawing described herein is used for providing further understanding of the present application, constitutes the part of the application, this Shen
Schematic description and description please is used to explain the application, does not constitute the improper restriction to the application.In the accompanying drawings:
The schematic flow sheet of the method for calibration for the user behavior that Fig. 1 provides for the embodiment of the application one;
The schematic flow sheet for the verification code generation method that Fig. 2 provides for another embodiment of the application;
The structural representation of the calibration equipment for the user behavior that Fig. 3 provides for the embodiment of the application one.
Embodiment
To make the purpose, technical scheme and advantage of the application clearer, below in conjunction with the application specific embodiment and
Technical scheme is clearly and completely described corresponding accompanying drawing.Obviously, described embodiment is only the application one
Section Example, rather than whole embodiments.Based on the embodiment in the application, those of ordinary skill in the art are not doing
Go out the every other embodiment obtained under the premise of creative work, belong to the scope of the application protection.
Increasing disparate networks application program has promoted the development of network.But people are brought just in enjoyment network
While sharp, the safety problem brought therewith is also faced with.Such as personal information is leaked, identity theft etc..Accordingly, it would be desirable to through
Authentication is often carried out on network, in the prior art in the presence of substantially following several verification code technologies:
(1) word identifying code (the problem of being typically question and answer)
For example, may I ask:4+4=Answer:8, however, word identifying code needs the problem of various non-machines of manual editing are answered, dimension
Protect cost slightly higher.
(2) picture validation code
The picture of an identifying code (such as emsf) is generated, user fills in checking according to the verification code information of picture presentation
Code, however, picture validation code is easier to be recognized by ocr softwares, does not reach identifying code effect.
(3) Gif animations identifying code
The animation that generation one contains identifying code (such as 41 border UM), the verification code information that user is shown according to animation,
Identifying code is filled in, however, Gif animation identifying codes are easier above the focus of user to animation, while also can be to whole
Individual page layout produces some influences.
(4) mobile phone note verification code
By sending identifying code to mobile phone, user is allowed to fill in corresponding identifying code, however, mobile phone note verification code needs to connect
Enter SMS operating service business, obtain corresponding identifying code short message and issue service, short message cost is of a relatively high.
(5) speech identifying code
A, direct voice broadcast identifying code;And b, mobile phone speech identifying code, corresponding phone is dialed, identifying code is reported,
However, speech identifying code is not very convenient to use in most of public arenas.
(6) video verification code
The identifying code that random digit, letter and Chinese are combined is dynamically embedded into the video of the forms such as MP4, flv,
Difficulty is cracked although increasing, the technology of video verification code realizes that difficulty is of a relatively high, it is difficult to popularize.
In order to solve the above-mentioned technical problem, the present invention is established based on user on the basis of User action log is excavated
The learning model of user behaviors log.And the abnormal behaviour detected is defined as different grades of danger coefficient, then according to different
Chang Hangwei danger coefficient size is correspondingly verified, when the danger coefficient of abnormal behaviour is more than default danger coefficient threshold value
Using the higher verification method of security, when the danger coefficient of abnormal behaviour is less than or equal to default danger coefficient threshold value using peace
The relatively low verification method of full property.
The present invention is more than default danger coefficient threshold value to the danger coefficient of abnormal behaviour using the higher checking of security
Method is described in detail.Below in conjunction with accompanying drawing, the technical scheme that each embodiment of the application is provided is described in detail.
The schematic flow sheet of the method for calibration for the user behavior that Fig. 1 provides for the embodiment of the application one, as shown in figure 1, bag
Include:
101st, the current abnormal behaviour of user is monitored;
When implementing, it is to be based on web crawlers technical limit spacing User action log, is carried out using institute's User action log
Analysis obtains the characteristic parameter for characterizing user behavior, calculates the similar of characteristic parameter of user's current behavior to characterizing user behavior
Degree, if similarity change is beyond default similarity threshold, it is determined that user's current behavior is abnormal behaviour.This Behavior-based control phase
Use many factors comprehensive detection user's abnormal behaviour like user's unusual checking method of degree, with higher detection efficiency and
Accurately.
It should be noted that obtaining the characteristic parameter for characterizing user behavior, Ke Yiyong by analyzing User action log
Tuple is described;Wherein, tuple includes:User send the IP address of request, URL request, current URL request time, when browsing
Length, page access path, request access source etc..
According to user behavior characteristic parameter tuple, the parameter for participating in Similarity Measure is quantified, machine is then utilized
Measuring similarity function in study, calculates the time similarity related to user behavior respectively, and place similarity is similar with URL
Degree, then according to time similarity, place similarity and URL similarities are calculated for the influence degree of user behavior similarity
Go out the similarity of characteristic parameter of user's current behavior with characterizing user behavior, be used as the index of user's unusual checking;If
There is larger differential magnitude in the behavior similarity of abnormal behaviour, compared with the behavior similarity of normal behaviour if differential magnitude
More than certain behavior similarity threshold values, it is determined that user's current behavior is abnormal behaviour.
102nd, the danger coefficient of the abnormal behaviour is determined;
It is the network colony according to belonging to the social label of the user determines the user, according to institute when implementing
The behavior pattern of network colony is stated, the similarity of the abnormal behaviour and the behavior pattern of the network colony is determined, according to pre-
If similarity and danger coefficient between corresponding relation, determine the danger coefficient of the abnormal behaviour.
It should be noted that each user there are many social labels in social networks, therefore marked according to these social activities
Label are divided into different classes of colony, and individual behavior pattern should be similar to the behavior mode of population of its generic,
So after it is that exception is to find user's individual behavior, the behavior mode of population with reference to user's individual behavior and its generic is true
Determine the abnormal danger coefficient of user's individual behavior.Therefore, in the embodiment of the present invention, pre-setting user's individual behavior and its institute
Belong to the similarity of behavior mode of population and the corresponding relation of danger coefficient, the individual abnormal behaviour of user and its institute are obtained when calculating
Belong to the similarity between behavior mode of population, be that can determine that corresponding danger coefficient according to the similarity of calculating.
If the 103, the danger coefficient of the abnormal behaviour is more than default danger coefficient threshold value, the use of the user is obtained
Family user behaviors log;
In the embodiment of the present invention, the threshold value of danger coefficient is pre-set, this threshold value can be multiple, for example, work as danger
Coefficient is more than or equal to first threshold (high risk), then using the first safety verification mode (strong security), such as using the present invention
Mode of identifying code progress subscriber authentication etc. is generated according to User action log;When danger coefficient is less than first threshold and big
In Second Threshold (middle danger), then using the second safety verification mode (middle security), such as short-message verification or graphic animations are tested
Card etc.;When danger coefficient is less than or equal to Second Threshold and more than the 3rd threshold value (low danger), then using the 3rd safety verification side
Formula (low-security), such as digital password authentification mode.
104th, identifying code is generated using the User action log;
Specifically include:
According to the User action log, the type of the User action log is determined;
According to the type of the User action log, it is determined that interest corresponding with the type of the User action log is crucial
Word;
According to the interest keyword of the determination, matched, obtained and the interest in the User action log
The interest characteristics information of Keywords matching;
According to the user interest profile information, identifying code corresponding with the user interest profile information is generated, it is described
Identifying code includes one or more
The generation method of above-mentioned identifying code may be referred to identifying code generation side described in embodiment illustrated in fig. 2 when implementing
Method, is repeated no more here.
105th, safety verification is carried out to the abnormal behaviour using the identifying code.
Specifically, user's checking interface is shown in client, the user's checking interface includes one or more
The identifying code of the User action log, the identifying code of the multiple User action log is random in the user's checking interface
It is arranged evenly.Client monitors simultaneously obtain the information that user inputs in the user's checking interface;Background server is by client
The information of user's input of end monitoring is matched with the identifying code of User action log, when the match is successful, it is determined that described
User identity passes through safety verification, it is allowed to user's subsequent operation.
In the embodiment of the present application, on the basis of User action log is excavated, establish based on User action log
Learning model.And the abnormal behaviour detected is defined as different grades of danger coefficient, then according to the danger of abnormal behaviour
Dangerous coefficient magnitude correspondingly verified, when the danger coefficient of abnormal behaviour more than default danger coefficient threshold value uses security
Higher verification method;Identifying code is generated using User action log;Safety is carried out to user identity using the identifying code
Checking, is obtained, therefore, identifying code is can root because the identifying code in the embodiment of the present invention is associated with User action log
Dynamic change is carried out according to the change of User action log, it is not easy to cracked by network hacker, it is ensured that the safety of subscriber authentication
Coefficient is more increased, relatively reliable, simple to operate, and user experience is high.
The schematic flow sheet for the verification code generation method that Fig. 2 provides for another embodiment of the application;As shown in Fig. 2 including:
201st, User action log is obtained;
For example, each user carries out the behaviors such as live video viewing after being logged in using user account, straight at this
The background server for broadcasting video produces User action log (also known as user behavior data).Therefore the user account of each user with
User action log is one-to-one.
Therefore, setting up the corresponding relation having between each user account and User action log in background server, therefore
Can be according to the user account in user's various dimensions information of collection, you can obtain the corresponding user behavior day of the user profile
Will.
It should be noted that generally User action log is directly proportional to the user in the frequency that logging in network is applied, if with
Family login times are more, and the User action log data of the user can be huge, in order to reduce data acquisition amount, reduce system resource
Pressure is obtained, nearest User action log can be obtained, nearest User action log, represent user nearest
Behavioural characteristic or the nearest interest characteristics of user.
In a kind of optional embodiment of the present invention, according to user account, obtain user corresponding with the user account and step on
Record the frequency;According to the User logs in frequency, it is determined that obtaining the initial time of User action log;Obtain current time with it is described
User action log between initial time.
It should be noted that in the embodiment of the present invention, user just logs in primary network application for a long time, that is, logs in the frequency
Than relatively low, then the initial time for obtaining User action log is more early;The frequent logging in online application of user, that is, log in the frequency and compare
Height, then obtain the initial time of User action log closer to current time.
202nd, the type of User action log is determined;
The User action log that different applications is produced is different, in order to which significantly more efficient analysis subsequent user interest is special
Reference is ceased, and in the embodiment of the present invention, User action log is classified.For example, the user that user produces in shopping application
User behaviors log is to belong to different types of daily record with the User action log produced in live video application.Therefore, the present invention is real
Apply in example, the classification to User action log can classify according to its corresponding application attribute, and set corresponding type
Mark.The user that type identification such as the User action log that shopping application is produced is the first kind, live video application is produced
The type identification of user behaviors log is Second Type, by that analogy, and the present invention is not limited type identification, is only intended to determine user
The type of user behaviors log.
203rd, interest keyword corresponding with the type of User action log is determined;
Pre-set the corresponding interest keyword of type of each User action log, i.e. pre-set user user behaviors log
Corresponding relation between type and interest keyword.Wherein, the type of each User action log can correspond to 1 or 1
Interest keyword above.
For example, live video application base attribute is relevant with user's viewing live video, then the program letter of live video
Breath and main broadcaster's information could be arranged to the interest keyword for the User action log that live video application is produced, wherein, section
Mesh information includes the information such as program category, programm name, program viewing time, and main broadcaster's information includes main broadcaster's title, the pet name, head portrait
Etc. information.
204th, according to the interest keyword of determination, matched, obtained and interest keyword in User action log
The interest characteristics information matched somebody with somebody;
So that live video is applied as an example, according to the interest keyword such as the programme information of determination or main broadcaster's information, live
Matched in the User action log that video is produced, for example, according to the length of program viewing time, can be in user behavior day
Matching obtains the program that user is most interested in will, and then can obtain program category and programm name that user is most interested in etc.
User interest profile information.In another example, the main broadcaster's information paid close attention to according to user is obtained that can be matched in User action log
The main broadcaster that user is most interested in, and then the user interest profiles such as main broadcaster's title, the pet name, head portrait that user is most interested in can be obtained
Information.
205th, at least two information in word, icon, numeral and/or character that user interest profile information includes are obtained
It is combined, generates identifying code corresponding with the user interest profile information.
User interest profile information obtained above includes multiple information, for example including word, icon, numeral and/or
The information such as character.In order to strengthen in the security of identifying code, the present embodiment, obtain user interest profile information include word,
At least two information in icon, numeral and/or character are combined, and generate test corresponding with the user interest profile information
Demonstrate,prove code.
So that live video is applied as an example, user interest profile information include user's program category interested, programm name,
The information such as main broadcaster's title, main broadcaster's pet name, main broadcaster's head portrait, can obtain two therein or multinomial information is combined into the user behavior
The corresponding identifying code of daily record.Wherein, the information such as program category, programm name, main broadcaster's title, main broadcaster's pet name, main broadcaster's head portrait can be with
It is indicated with the mark such as word, icon, numeral and/or character.
In the embodiment of the present application, according to User action log, the type of the User action log is determined;According to described
The type of User action log, it is determined that interest keyword corresponding with the type of the User action log;Determined according to described
Interest keyword, matched in the User action log, obtain the interest characteristics with the interest Keywords matching
Information, and then obtain at least two letters in word, icon, numeral and/or character that the user interest profile information includes
Breath is combined, and generates identifying code corresponding with the user interest profile information.Due to the identifying code in the embodiment of the present invention
It is to be associated with user interest profile, therefore, identifying code is can to carry out dynamic change according to the change of user interest profile, no
Easily cracked by network hacker, it is ensured that the safety coefficient of user profile checking is more increased, relatively reliable, simple to operate, user's body
Degree of testing is high.
The structural representation of the calibration equipment for the user behavior that Fig. 3 provides for the embodiment of the application one, as shown in figure 3, bag
Include:
Monitoring modular 31, the abnormal behaviour current for monitoring user;
Determining module 32, for, to the current abnormal behaviour of user, determining the exception according to the monitoring module monitors
The danger coefficient of behavior;
Acquisition module 33, for determining that the danger coefficient of the abnormal behaviour is more than default danger in the determining module
Coefficient threshold, then obtain the User action log of the user;
Generation module 34, for generating identifying code using the User action log;
Authentication module 35, for carrying out safety verification to the abnormal behaviour using the identifying code.
Wherein, the monitoring modular 31 specifically for:
Based on web crawlers technical limit spacing user's history behavioral data, analyzed using the user's history behavioral data
The characteristic parameter for characterizing user behavior is obtained, the similarity of characteristic parameter of user's current behavior with characterizing user behavior is calculated,
If similarity change is beyond default similarity threshold, it is determined that user's current behavior is abnormal behaviour.
Wherein, the determining module 32 specifically for:
Network colony according to belonging to the social label of the user determines the user, according to the row of the network colony
For pattern, the similarity of the abnormal behaviour and the behavior pattern of the network colony is determined, according to default similarity and danger
Corresponding relation between dangerous coefficient, determines the danger coefficient of the abnormal behaviour.
Wherein, the generation module 34 specifically for:
According to the User action log, the type of the User action log is determined;
According to the type of the User action log, it is determined that interest corresponding with the type of the User action log is crucial
Word;
According to the interest keyword of the determination, matched, obtained and the interest in the User action log
The interest characteristics information of Keywords matching;
According to the user interest profile information, identifying code corresponding with the user interest profile information is generated, it is described
Identifying code includes one or more.
Wherein, the authentication module 35 specifically for:
User's checking interface is shown, the user's checking interface includes one or more User action logs
Identifying code, the identifying code of the multiple User action log random distribution in the user's checking interface arranges;
Monitor and obtain the information that user inputs in the user's checking interface;
The information that the user is inputted is matched with the identifying code of the User action log, when the match is successful,
Then determine that user's various dimensions information of the collection passes through safety verification, it is allowed to user's sensitive operation, and by the use of the collection
Family various dimensions information is saved in user's various dimensions information database corresponding with the user account.
Embodiment illustrated in fig. 3 can perform Fig. 1 and the method described in embodiment illustrated in fig. 2, its realization principle and technology effect
Fruit repeats no more.
It should be understood by those skilled in the art that, embodiments of the invention can be provided as method, system or computer program
Product.Therefore, the present invention can be using the reality in terms of complete hardware embodiment, complete software embodiment or combination software and hardware
Apply the form of example.Moreover, the present invention can be used in one or more computers for wherein including computer usable program code
The computer program production that usable storage medium is implemented on (including but is not limited to magnetic disk storage, CD-ROM, optical memory etc.)
The form of product.
The present invention is the flow with reference to method according to embodiments of the present invention, equipment (system) and computer program product
Figure and/or block diagram are described.It should be understood that can be by every first-class in computer program instructions implementation process figure and/or block diagram
Journey and/or the flow in square frame and flow chart and/or block diagram and/or the combination of square frame.These computer programs can be provided
The processor of all-purpose computer, special-purpose computer, Embedded Processor or other programmable data processing devices is instructed to produce
A raw machine so that produced by the instruction of computer or the computing device of other programmable data processing devices for real
The device for the function of being specified in present one flow of flow chart or one square frame of multiple flows and/or block diagram or multiple square frames.
These computer program instructions, which may be alternatively stored in, can guide computer or other programmable data processing devices with spy
Determine in the computer-readable memory that mode works so that the instruction being stored in the computer-readable memory, which is produced, to be included referring to
Make the manufacture of device, the command device realize in one flow of flow chart or multiple flows and/or one square frame of block diagram or
The function of being specified in multiple square frames.
These computer program instructions can be also loaded into computer or other programmable data processing devices so that in meter
Series of operation steps is performed on calculation machine or other programmable devices to produce computer implemented processing, thus in computer or
The instruction performed on other programmable devices is provided for realizing in one flow of flow chart or multiple flows and/or block diagram one
The step of function of being specified in individual square frame or multiple square frames.
In a typical configuration, computing device includes one or more processors (CPU), input/output interface, net
Network interface and internal memory.
Internal memory potentially includes the volatile memory in computer-readable medium, random access memory (RAM) and/or
The forms such as Nonvolatile memory, such as read-only storage (ROM) or flash memory (flash RAM).Internal memory is computer-readable medium
Example.
Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any method
Or technology come realize information store.Information can be computer-readable instruction, data structure, the module of program or other data.
The example of the storage medium of computer includes, but are not limited to phase transition internal memory (PRAM), static RAM (SRAM), moved
State random access memory (DRAM), other kinds of random access memory (RAM), read-only storage (ROM), electric erasable
Programmable read only memory (EEPROM), fast flash memory bank or other memory techniques, read-only optical disc read-only storage (CD-ROM),
Digital versatile disc (DVD) or other optical storages, magnetic cassette tape, the storage of tape magnetic rigid disk or other magnetic storage apparatus
Or any other non-transmission medium, the information that can be accessed by a computing device available for storage.Define, calculate according to herein
Machine computer-readable recording medium does not include temporary computer readable media (transitory media), such as data-signal and carrier wave of modulation.
It should also be noted that, term " comprising ", "comprising" or its any other variant are intended to nonexcludability
Comprising so that process, method, commodity or equipment including a series of key elements are not only including those key elements, but also wrap
Include other key elements being not expressly set out, or also include for this process, method, commodity or equipment intrinsic want
Element.In the absence of more restrictions, the key element limited by sentence "including a ...", it is not excluded that wanted including described
Also there is other identical element in process, method, commodity or the equipment of element.
It will be understood by those skilled in the art that embodiments herein can be provided as method, system or computer program product.
Therefore, the application can be using the embodiment in terms of complete hardware embodiment, complete software embodiment or combination software and hardware
Form.Deposited moreover, the application can use to can use in one or more computers for wherein including computer usable program code
The shape for the computer program product that storage media is implemented on (including but is not limited to magnetic disk storage, CD-ROM, optical memory etc.)
Formula.
Embodiments herein is the foregoing is only, the application is not limited to.For those skilled in the art
For, the application can have various modifications and variations.It is all any modifications made within spirit herein and principle, equivalent
Replace, improve etc., it should be included within the scope of claims hereof.
Claims (12)
1. a kind of method of calibration of user behavior, it is characterised in that including:
The current abnormal behaviour of user is monitored, the danger coefficient of the abnormal behaviour is determined;
If the danger coefficient of the abnormal behaviour is more than default danger coefficient threshold value, the user behavior day of the user is obtained
Will;
Identifying code is generated using the User action log;
Safety verification is carried out to the abnormal behaviour using the identifying code.
2. according to the method described in claim 1, it is characterised in that monitor the current abnormal behaviour of user, including:
Based on web crawlers technical limit spacing User action log, carry out analysis using institute's User action log and obtain sign user's row
For characteristic parameter, the similarity of characteristic parameter of user's current behavior with characterizing user behavior is calculated, if similarity change is super
Go out default similarity threshold, it is determined that user's current behavior is abnormal behaviour.
3. according to the method described in claim 1, it is characterised in that determine the danger coefficient of the abnormal behaviour, including:
Network colony according to belonging to the social label of the user determines the user, according to the behavior mould of the network colony
Formula, determines the similarity of the abnormal behaviour and the behavior pattern of the network colony, is with dangerous according to default similarity
Corresponding relation between number, determines the danger coefficient of the abnormal behaviour.
4. according to the method described in claim 1, it is characterised in that generate identifying code using the User action log, including:
According to the User action log, the type of the User action log is determined;
According to the type of the User action log, it is determined that interest keyword corresponding with the type of the User action log;
According to the interest keyword of the determination, matched in the User action log, obtain crucial with the interest
The interest characteristics information of word matching;
According to the user interest profile information, identifying code corresponding with the user interest profile information, the checking are generated
Code includes one or more.
5. method according to claim 4, it is characterised in that also include:
Corresponding relation between the type and interest keyword of pre-set user user behaviors log, the type of each User action log
The interest keyword of correspondence 1 or more than 1.
6. method according to claim 4, it is characterised in that according to the user interest profile information, generation with it is described
The corresponding identifying code of user interest profile information, including:
At least two information obtained in word, icon, numeral and/or character that the user interest profile information includes are carried out
Combination, generates identifying code corresponding with the user interest profile information.
7. the method according to any one of claim 1-6, it is characterised in that using the identifying code to the abnormal row
To carry out safety verification, including:
User's checking interface is shown, the user's checking interface includes testing for one or more User action logs
Demonstrate,prove code, identifying code random distribution arrangement in the user's checking interface of the multiple User action log;
Monitor and obtain the information that user inputs in the user's checking interface;
The information that the user is inputted is matched with the identifying code of the User action log, when the match is successful, then really
User's various dimensions information of the fixed collection passes through safety verification, it is allowed to user's sensitive operation, and the user of the collection is more
Dimensional information is saved in user's various dimensions information database corresponding with the user account.
8. a kind of calibration equipment of family behavior, it is characterised in that including:
Monitoring modular, the abnormal behaviour current for monitoring user;
Determining module, for, to the current abnormal behaviour of user, determining the abnormal behaviour according to the monitoring module monitors
Danger coefficient;
Acquisition module, for determining that the danger coefficient of the abnormal behaviour is more than default danger coefficient threshold in the determining module
Value, then obtain the User action log of the user;
Generation module, for generating identifying code using the User action log;
Authentication module, for carrying out safety verification to the abnormal behaviour using the identifying code.
9. device according to claim 8, it is characterised in that the monitoring modular specifically for:
Based on web crawlers technical limit spacing user's history behavioral data, analysis acquisition is carried out using the user's history behavioral data
The characteristic parameter of user behavior is characterized, the similarity of characteristic parameter of user's current behavior with characterizing user behavior is calculated, if phase
Like degree change beyond default similarity threshold, it is determined that user's current behavior is abnormal behaviour.
10. device according to claim 8, it is characterised in that the determining module specifically for:
Network colony according to belonging to the social label of the user determines the user, according to the behavior mould of the network colony
Formula, determines the similarity of the abnormal behaviour and the behavior pattern of the network colony, is with dangerous according to default similarity
Corresponding relation between number, determines the danger coefficient of the abnormal behaviour.
11. device according to claim 8, it is characterised in that the generation module specifically for:
According to the User action log, the type of the User action log is determined;
According to the type of the User action log, it is determined that interest keyword corresponding with the type of the User action log;
According to the interest keyword of the determination, matched in the User action log, obtain crucial with the interest
The interest characteristics information of word matching;
According to the user interest profile information, identifying code corresponding with the user interest profile information, the checking are generated
Code includes one or more.
12. the device according to any one of claim 8-11, it is characterised in that the authentication module specifically for:
User's checking interface is shown, the user's checking interface includes testing for one or more User action logs
Demonstrate,prove code, identifying code random distribution arrangement in the user's checking interface of the multiple User action log;
Monitor and obtain the information that user inputs in the user's checking interface;
The information that the user is inputted is matched with the identifying code of the User action log, when the match is successful, then really
User's various dimensions information of the fixed collection passes through safety verification, it is allowed to user's sensitive operation, and the user of the collection is more
Dimensional information is saved in user's various dimensions information database corresponding with the user account.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710322208.9A CN107104973A (en) | 2017-05-09 | 2017-05-09 | The method of calibration and device of user behavior |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710322208.9A CN107104973A (en) | 2017-05-09 | 2017-05-09 | The method of calibration and device of user behavior |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107104973A true CN107104973A (en) | 2017-08-29 |
Family
ID=59670147
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710322208.9A Pending CN107104973A (en) | 2017-05-09 | 2017-05-09 | The method of calibration and device of user behavior |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107104973A (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107861950A (en) * | 2017-11-28 | 2018-03-30 | 北京潘达互娱科技有限公司 | The detection method and device of abnormal text |
CN109067794A (en) * | 2018-09-26 | 2018-12-21 | 新华三信息安全技术有限公司 | A kind of detection method and device of network behavior |
CN109344583A (en) * | 2018-08-22 | 2019-02-15 | 阿里巴巴集团控股有限公司 | Threshold value determination and core body method, apparatus, electronic equipment and storage medium |
CN109361660A (en) * | 2018-09-29 | 2019-02-19 | 武汉极意网络科技有限公司 | Abnormal behaviour analysis method, system, server and storage medium |
CN109359972A (en) * | 2018-08-15 | 2019-02-19 | 阿里巴巴集团控股有限公司 | The push of core body product and core body method and system |
CN109842628A (en) * | 2018-12-13 | 2019-06-04 | 成都亚信网络安全产业技术研究院有限公司 | A kind of anomaly detection method and device |
CN110135145A (en) * | 2019-05-23 | 2019-08-16 | 四川新网银行股份有限公司 | Click identifying code method based on turing test |
CN110473084A (en) * | 2019-07-17 | 2019-11-19 | 中国银行股份有限公司 | A kind of method for detecting abnormality and device |
CN111526119A (en) * | 2020-03-19 | 2020-08-11 | 北京三快在线科技有限公司 | Abnormal flow detection method and device, electronic equipment and computer readable medium |
CN111814064A (en) * | 2020-06-24 | 2020-10-23 | 平安科技(深圳)有限公司 | Abnormal user processing method and device based on Neo4j, computer equipment and medium |
CN112784224A (en) * | 2019-11-08 | 2021-05-11 | 中国电信股份有限公司 | Terminal safety protection method, device and system |
CN117238070A (en) * | 2023-09-21 | 2023-12-15 | 湖北梦特科技有限公司 | Household safety control method and system based on intelligent community |
EP3918500B1 (en) * | 2019-03-05 | 2024-04-24 | Siemens Industry Software Inc. | Machine learning-based anomaly detections for embedded software applications |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102035649A (en) * | 2009-09-29 | 2011-04-27 | 国际商业机器公司 | Authentication method and device |
CN104301286A (en) * | 2013-07-15 | 2015-01-21 | 中国移动通信集团黑龙江有限公司 | User login authentication method and device |
CN104731914A (en) * | 2015-03-24 | 2015-06-24 | 浪潮集团有限公司 | Method for detecting user abnormal behavior based on behavior similarity |
CN105099675A (en) * | 2014-04-17 | 2015-11-25 | 阿里巴巴集团控股有限公司 | Method and device for generating authentication data for identity authentication and method and device for identity authentication |
CN105471581A (en) * | 2014-09-10 | 2016-04-06 | 阿里巴巴集团控股有限公司 | Identity verification method and device |
-
2017
- 2017-05-09 CN CN201710322208.9A patent/CN107104973A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102035649A (en) * | 2009-09-29 | 2011-04-27 | 国际商业机器公司 | Authentication method and device |
CN104301286A (en) * | 2013-07-15 | 2015-01-21 | 中国移动通信集团黑龙江有限公司 | User login authentication method and device |
CN105099675A (en) * | 2014-04-17 | 2015-11-25 | 阿里巴巴集团控股有限公司 | Method and device for generating authentication data for identity authentication and method and device for identity authentication |
CN105471581A (en) * | 2014-09-10 | 2016-04-06 | 阿里巴巴集团控股有限公司 | Identity verification method and device |
CN104731914A (en) * | 2015-03-24 | 2015-06-24 | 浪潮集团有限公司 | Method for detecting user abnormal behavior based on behavior similarity |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107861950A (en) * | 2017-11-28 | 2018-03-30 | 北京潘达互娱科技有限公司 | The detection method and device of abnormal text |
CN109359972B (en) * | 2018-08-15 | 2020-10-30 | 创新先进技术有限公司 | Core product pushing and core method and system |
CN109359972A (en) * | 2018-08-15 | 2019-02-19 | 阿里巴巴集团控股有限公司 | The push of core body product and core body method and system |
CN112508568A (en) * | 2018-08-15 | 2021-03-16 | 创新先进技术有限公司 | Core product pushing and core method and system |
CN109344583A (en) * | 2018-08-22 | 2019-02-15 | 阿里巴巴集团控股有限公司 | Threshold value determination and core body method, apparatus, electronic equipment and storage medium |
US11074336B2 (en) | 2018-08-22 | 2021-07-27 | Advanced New Technologies Co., Ltd. | Threshold determining and identity verification method, apparatus, electronic device, and storage medium |
CN109344583B (en) * | 2018-08-22 | 2020-10-23 | 创新先进技术有限公司 | Threshold determination and body verification method and device, electronic equipment and storage medium |
CN109067794A (en) * | 2018-09-26 | 2018-12-21 | 新华三信息安全技术有限公司 | A kind of detection method and device of network behavior |
CN109067794B (en) * | 2018-09-26 | 2021-12-31 | 新华三信息安全技术有限公司 | Network behavior detection method and device |
CN109361660A (en) * | 2018-09-29 | 2019-02-19 | 武汉极意网络科技有限公司 | Abnormal behaviour analysis method, system, server and storage medium |
CN109361660B (en) * | 2018-09-29 | 2021-09-03 | 武汉极意网络科技有限公司 | Abnormal behavior analysis method, system, server and storage medium |
CN109842628A (en) * | 2018-12-13 | 2019-06-04 | 成都亚信网络安全产业技术研究院有限公司 | A kind of anomaly detection method and device |
EP3918500B1 (en) * | 2019-03-05 | 2024-04-24 | Siemens Industry Software Inc. | Machine learning-based anomaly detections for embedded software applications |
CN110135145A (en) * | 2019-05-23 | 2019-08-16 | 四川新网银行股份有限公司 | Click identifying code method based on turing test |
CN110473084A (en) * | 2019-07-17 | 2019-11-19 | 中国银行股份有限公司 | A kind of method for detecting abnormality and device |
CN112784224A (en) * | 2019-11-08 | 2021-05-11 | 中国电信股份有限公司 | Terminal safety protection method, device and system |
CN112784224B (en) * | 2019-11-08 | 2024-01-30 | 中国电信股份有限公司 | Terminal safety protection method, device and system |
CN111526119A (en) * | 2020-03-19 | 2020-08-11 | 北京三快在线科技有限公司 | Abnormal flow detection method and device, electronic equipment and computer readable medium |
CN111526119B (en) * | 2020-03-19 | 2022-06-14 | 北京三快在线科技有限公司 | Abnormal flow detection method and device, electronic equipment and computer readable medium |
CN111814064A (en) * | 2020-06-24 | 2020-10-23 | 平安科技(深圳)有限公司 | Abnormal user processing method and device based on Neo4j, computer equipment and medium |
WO2021135540A1 (en) * | 2020-06-24 | 2021-07-08 | 平安科技(深圳)有限公司 | Neo4j-based anomalous user processing method and apparatus, computer device, and medium |
CN117238070A (en) * | 2023-09-21 | 2023-12-15 | 湖北梦特科技有限公司 | Household safety control method and system based on intelligent community |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107104973A (en) | The method of calibration and device of user behavior | |
CN104202339B (en) | A kind of across cloud authentication service method based on user behavior | |
CN106201886B (en) | A kind of Proxy Method and device of the verifying of real time data task | |
CN110213227A (en) | A kind of network data flow detection method and device | |
CN105430504A (en) | Family member mix identification method and system based on television watching log mining | |
US20230222542A9 (en) | Low entropy browsing history for ads quasi-personalization | |
CN104484604B (en) | A kind of page tampering identification method, scanner, apparatus and system | |
EP4004760A1 (en) | Staged information exchange facilitated by content-addressable records indexed to pseudonymous identifiers by a tamper-evident data structure | |
US8892896B2 (en) | Capability and behavior signatures | |
US20200364604A1 (en) | Machine learning on distributed customer data while protecting privacy | |
CN107203713A (en) | Verification code generation method and device | |
CN116934285A (en) | Visual intelligent system and equipment for realizing digitization and entity file management | |
WO2016188334A1 (en) | Method and device for processing application access data | |
US20210042787A1 (en) | Low entropy browsing history for ads quasi-personalization | |
CN111953652B (en) | System and method for generating a bridge matching identifier for a linking identifier | |
Ren et al. | App identification based on encrypted multi-smartphone sources traffic fingerprints | |
CN111784360B (en) | Anti-fraud prediction method and system based on network link backtracking | |
CN106953874A (en) | Website falsification-proof method and device | |
CN107294766B (en) | Centralized control method and system | |
CN114861205A (en) | Data classification-based privacy protection system with high safety performance | |
CN107018148A (en) | User logs in control method and device | |
US20220122121A1 (en) | Combating false information with crowdsourcing | |
Liu et al. | Detection of false Weibo repost based on XGBoost | |
CN107257325A (en) | User profile guard method and device | |
Thorpe et al. | Video-passwords: Advertising while authenticating |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20210309 Address after: 101300 309, 3rd floor, 60 Fuqian 1st Street, Tianzhu District, Shunyi District, Beijing Applicant after: Beijing longzhixin Technology Co.,Ltd. Address before: 100041 room 120, 4th floor, building 17, yard 30, Shixing street, Shijingshan District, Beijing Applicant before: BEIJING PANDA MUTUAL ENTERTAINMENT TECHNOLOGY Co.,Ltd. |
|
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170829 |