CN107276982A - A kind of abnormal login detecting method and device - Google Patents
Publication number: CN107276982A
Application number: CN201710318612.9A
Authority: CN (China)
Prior art keywords: abnormal, login, active user, machine learning, user
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L43/10—Active monitoring, e.g. heartbeat, ping or trace-route
- H04L43/16—Threshold monitoring
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
Abstract
Embodiments of the present invention provide an abnormal login detection method and device. The method includes: when a user login is detected, obtaining the login log of the current user; obtaining, from that login log, the multidimensional attribute data of the current user's login; scoring the current login for anomaly with an established user-login machine learning model, based on the multidimensional attribute data, to obtain an anomaly score for the current login; if the anomaly score is determined to fall within a set anomaly-score threshold range, sending the current user a query asking whether the login should be allowed; and, according to the current user's answer to the query, handling whether the login is allowed. The technical solution has the following beneficial effect: introducing machine learning into abnormal login detection solves the single-dimension problem of conventional methods and also avoids excessive manual work.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to an abnormal login detection method and device.
Background
As the Internet continues to develop, the challenges to network security grow more severe. Once an attacker has stolen a user's account and password through phishing, fraud or similar means, the user's personal information and property are seriously threatened. Detecting abnormal login behavior promptly and applying appropriate protection to the account is therefore of great significance for protecting users' privacy and property. How to detect abnormal login behavior, however, has long been a key research problem in the industry.
The simplest way to detect abnormal login behavior is threshold detection. For a given entry point or IP, count the number of logins initiated and the proportion of them that are abnormal (user does not exist, wrong password, login from an unusual location, and so on). If this proportion exceeds a certain threshold, all logins initiated from that IP are considered abnormal. The rationale is that an attacker usually has to try every username/password pair it holds, and steals an account whenever a login succeeds. Because the data volume is large, the attacker attempts logins at very high speed to secure its own return, and a large share of these attempts fail. A normal user, by contrast, first, does not initiate a large number of logins in a short time and, second, does not produce a large number of failures (mistyped input does occur, but it does not account for a large proportion). Setting a threshold to separate the two by this difference in behavior is simple and easy to apply, and is currently used by a large number of companies. The threshold is often set in segments by number of attempts, for example a failure rate above 90% over 10 logins, or above 70% over 100 logins.
Although threshold detection is simple and easy to apply, it has the following shortcomings:
1) The threshold is fixed: the threshold is usually set from experience and summarized by hand. A hacker, however, can use its own experience to guess the target server's threshold. For example, if a hacker is blocked after logging in more than 100 times, it can guess that the threshold is roughly 100 and then evade it by lowering the attack frequency, changing IPs and similar means, so that the threshold-based defense becomes entirely ineffective.
2) The threshold is discontinuous: the threshold is segmented because the more attempts there are, the more suspicious they are, so the allowed failure rate is lower for higher counts. This discontinuity can cause significant problems. For example, if one segment boundary of a threshold is 100, the allowed failure rate is 90% for fewer than 100 attempts but only 70% for more than 100 attempts. Once a hacker has guessed this segmentation, it can set its number of attempts to 99 and so maximize the efficiency of the attack.
3) The threshold is set manually: the threshold is usually set from human experience, which increases cost considerably. In addition, hackers' attacks change constantly, and manual handling means a lagging response: an attack may well have completed by the time a person reacts. Likewise, porting the same strategy to different services requires different threshold settings, so manual setting also greatly limits the scalability of the defense system itself.
Besides judging abnormal login behavior from the IP's perspective, detection can also be done from the user's perspective. For example, the user's historical login records can be analyzed to determine the user's usual login locations, usual login times and so on. Once the login location or login time changes abnormally, the login is judged to be abnormal.
The advantage of this strategy is that it is not limited to the login behavior initiated by the attacker but considers the user directly. So even if the attacker logs in only once, the abnormal login can be discovered promptly. Moreover, the user information an attacker holds is usually limited, so it cannot accurately imitate the user's habitual login behavior. This greatly increases the attacker's cost.
The user-based strategy also has certain weaknesses:
1) High false-positive and false-negative rates: analyzing only a few dimensions easily produces false positives or false negatives. For example, when a user suddenly travels to another city on business, abnormal-login handling is likely to be triggered, and such frequent false positives have a very negative effect on user experience. On the other hand, if the attacker happens to match the user's usual login location, a false negative results. Usual login time has a similar problem: if a user logs in throughout the whole day, protection in the time dimension is entirely ineffective.
2) Cold start: the cold-start problem is that, for a new user with no historical data, it is unclear how to determine the usual login location, usual login time and so on. Determining a usual location generally requires a combined judgment over the user's historical login locations before an accurate result can be given. The cold-start problem directly leaves new users without effective protection, which seriously affects user growth.
In the course of realizing the present invention, the inventor found at least the following problem in the prior art: conventional abnormal login detection schemes consider a single dimension and require a lot of manual work.
Summary of the invention
Embodiments of the present invention provide an abnormal login detection method and device, to solve the single-dimension problem of conventional solutions and to avoid excessive manual work.
In one aspect, embodiments of the present invention provide an abnormal login detection method, the method including:
when a user login is detected, obtaining the login log of the current user;
obtaining, from the current user's login log, the multidimensional attribute data of the current user's login;
scoring the current user's login for anomaly with an established user-login machine learning model, based on the multidimensional attribute data, to obtain an anomaly score for the login;
if the anomaly score is determined to fall within a set anomaly-score threshold range, sending the current user a query asking whether the login should be allowed;
handling whether the login is allowed according to the current user's answer to the query.
In another aspect, embodiments of the present invention provide an abnormal login detection device, the device including:
a preprocessing unit, configured to obtain the login log of the current user when a user login is detected, and to obtain the multidimensional attribute data of the current user's login from that log;
a machine learning unit, configured to score the current user's login for anomaly with an established user-login machine learning model, based on the multidimensional attribute data, to obtain an anomaly score for the login;
an active learning unit, configured to send the current user a query asking whether the login should be allowed if the anomaly score is determined to fall within a set anomaly-score threshold range;
an exception handling unit, configured to handle whether the login is allowed according to the current user's answer to the query.
The technical solution has the following beneficial effect: introducing machine learning into abnormal login detection solves the single-dimension problem of conventional methods and also avoids excessive manual work.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are evidently only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an abnormal login detection method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of an abnormal login detection device according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the machine learning unit according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the active learning unit according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the overall flow of an abnormal login detection method in an application example of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are evidently only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of an abnormal login detection method according to an embodiment of the present invention. The method includes:
101. When a user login is detected, obtain the login log of the current user;
102. Obtain the multidimensional attribute data of the current user's login from the current user's login log;
103. Score the current user's login for anomaly with the established user-login machine learning model, based on the multidimensional attribute data, to obtain an anomaly score for the login;
104. If the anomaly score is determined to fall within the set anomaly-score threshold range, send the current user a query asking whether the login should be allowed;
105. Handle whether the login is allowed according to the current user's answer to the query.
Preferably, the method of establishing the user-login machine learning model includes: obtaining multiple sample user login logs; obtaining, from those logs, the multidimensional attribute data and login results of the sample users' logins; and performing machine learning with an incremental machine learning algorithm on the multidimensional attribute data and login results of the sample users' logins, to establish the user-login machine learning model.
Preferably, the method further includes: using the multidimensional attribute data and login result of the current user as a training set and performing machine learning with an incremental machine learning algorithm, to correct the user-login machine learning model.
Preferably, the method further includes: if the anomaly score is determined to be higher than the maximum of the set anomaly-score threshold range, handling the login directly as an abnormal login; if the anomaly score is determined to be lower than the minimum of the set anomaly-score threshold range, allowing the login.
Preferably, the multidimensional attribute data include: whether the login location is a usual login location, whether the login time is a usual login time, whether the login device is a usual login device, and statistical-dimension data. The statistical-dimension data include: the error rate within a preset time and the number of logins within a preset time.
If the anomaly score is determined to fall within the set anomaly-score threshold range, then before the query asking whether the login should be allowed is sent to the current user, the method further includes: performing forced verification of the current user in at least one of the following ways: verifying the password, verifying the mobile phone number, verifying the ID card number, verifying the user's avatar, verifying a gesture; and confirming that the forced verification is passed. If the forced verification is not passed, the login is determined to be abnormal and no query asking whether the login should be allowed is sent to the current user.
Corresponding to the method embodiment, Fig. 2 is a schematic structural diagram of an abnormal login detection device according to an embodiment of the present invention. The device includes:
a preprocessing unit 21, configured to obtain the login log of the current user when a user login is detected, and to obtain the multidimensional attribute data of the current user's login from that log;
a machine learning unit 22, configured to score the current user's login for anomaly with the established user-login machine learning model, based on the multidimensional attribute data, to obtain an anomaly score for the login;
an active learning unit 23, configured to send the current user a query asking whether the login should be allowed if the anomaly score is determined to fall within the set anomaly-score threshold range;
an exception handling unit 24, configured to handle whether the login is allowed according to the current user's answer to the query.
Preferably, the preprocessing unit 21 is further configured to obtain multiple sample user login logs; to obtain, from those logs, the multidimensional attribute data and login results of the sample users' logins; to obtain multiple user login logs; and to obtain the multidimensional attribute data of user logins from those logs.
Fig. 3 is a schematic structural diagram of the machine learning unit according to an embodiment of the present invention. The machine learning unit 22 includes:
a user-login machine learning model establishing module 221, configured to perform machine learning with an incremental machine learning algorithm on the multidimensional attribute data and login results of the sample users' logins, to establish the user-login machine learning model.
Preferably, the machine learning unit 22 further includes:
a user-login machine learning model correcting module 222, configured to use the multidimensional attribute data and login result of the current user as a training set and perform machine learning with an incremental machine learning algorithm, to correct the user-login machine learning model.
Preferably, the exception handling unit 24 is further configured to handle the login directly as an abnormal login if the anomaly score is determined to be higher than the maximum of the set anomaly-score threshold range;
the exception handling unit 24 is further configured to allow the login if the anomaly score is determined to be lower than the minimum of the set anomaly-score threshold range.
Preferably, the multidimensional attribute data include: whether the login location is a usual login location, whether the login time is a usual login time, whether the login device is a usual login device, and statistical-dimension data. The statistical-dimension data include: the error rate within a preset time and the number of logins within a preset time.
Fig. 4 is a schematic structural diagram of the active learning unit according to an embodiment of the present invention. The active learning unit 23 includes:
a forced verification module 231, configured so that, if the anomaly score is determined to fall within the set anomaly-score threshold range, then before the query asking whether the login should be allowed is sent to the current user, forced verification of the current user is performed in at least one of the following ways: verifying the password, verifying the mobile phone number, verifying the ID card number, verifying the user's avatar, verifying a gesture; and it is confirmed that the forced verification is passed.
The technical solution has the following beneficial effect: introducing machine learning into abnormal login detection solves the single-dimension problem of conventional methods and also avoids excessive manual work. More importantly, considering the influence of the training set on the effect of machine learning, the embodiments of the present invention also propose collecting the training set through user feedback, which effectively solves the problem of collecting a training set in the machine learning process. By introducing user feedback while taking user experience into account to a certain extent, accurate training data can be collected as efficiently as possible, effectively improving the overall effect of machine learning.
The technical solution of the embodiments of the present invention is described in detail below through an application example:
Fig. 5 is a schematic diagram of the overall flow of an abnormal login detection method in an application example of the present invention, which specifically includes:
1. Preprocess each login log. Preprocessing can include judging whether the current login belongs to a usual login location and whether it belongs to a usual time; it can also include some statistical features, such as the error rate and the number of logins within a short time. After preprocessing, the raw login log is converted into individual dimensional attributes that can be passed directly to machine learning.
2. Through machine learning, score the current login for anomaly with the user-login machine learning model. The specific machine learning algorithm used is not the focus of the invention; it is only required that an incremental machine learning algorithm be used, for example Hoeffding trees.
3. After the anomaly score is obtained, judge through active learning whether the user needs to be queried. Active learning maintains a score threshold; when the anomaly score is higher than the threshold, the login is handled directly. Otherwise a query is sent to the user. This avoids sending the user too many queries and hurting user experience.
4. After the user feedback is obtained, use the multidimensional attribute data and login result of the current user as a training set and perform machine learning with the incremental machine learning algorithm, to correct the user-login machine learning model. In this way, continuous user feedback continuously strengthens the machine learning model.
The technical solution of the embodiments of the present invention is described below:
Preprocessing:
The preprocessing stage mainly turns the simple login log into data that carries relatively comprehensive information. For example, from the login IP, judge whether the login belongs to a usual login location; from the device the user logs in with, determine whether it is a usual device; and so on. At the same time, some statistical information in the IP or user dimension can also be collected, such as the number of logins from the current IP within 5 minutes, the number of failures, and the time since the current user's last login. Only when the log has been turned into data made up of a large number of dimensional attributes can the current login behavior be described comprehensively and accurately in the form of data; this is the necessary data basis for machine learning.
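The preprocessing step described above, as an added example that is not part of the patent text. The record layout, the sample log, the rule that a value is "usual" when it covers at least 30% of the user's earlier successful logins, and the 6-hour time-of-day buckets are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample login log (not real data):
# (time, user, source IP, geolocated city, device id, login succeeded)
SAMPLE_LOG = [
    ("2017-05-01 09:02:00", "alice", "198.51.100.7", "Beijing", "dev-a", True),
    ("2017-05-02 09:10:00", "alice", "198.51.100.7", "Beijing", "dev-a", True),
    ("2017-05-03 08:55:00", "alice", "198.51.100.9", "Beijing", "dev-a", True),
    ("2017-05-04 03:00:10", "bob", "203.0.113.50", "Shenzhen", "dev-x", False),
    ("2017-05-04 03:00:40", "carol", "203.0.113.50", "Shenzhen", "dev-x", False),
    ("2017-05-04 03:01:15", "dave", "203.0.113.50", "Shenzhen", "dev-x", False),
    ("2017-05-04 03:02:00", "alice", "203.0.113.50", "Shenzhen", "dev-x", True),
    ("2017-05-04 09:05:00", "alice", "198.51.100.7", "Beijing", "dev-a", True),
]
FIELDS = ("time", "user", "ip", "city", "device", "ok")


def parse(rows):
    """Turn raw tuples into dicts with a real datetime, sorted by time."""
    events = [dict(zip(FIELDS, row)) for row in rows]
    for event in events:
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(events, key=lambda e: e["time"])


def is_usual(value, past_values, min_share=0.3):
    """Assumed rule: a value is 'usual' if it covers at least min_share of the
    user's earlier successful logins. With no history (the cold-start case
    from the background section) nothing can be called usual."""
    if not past_values:
        return False
    return Counter(past_values)[value] / len(past_values) >= min_share


def extract_features(events, index, window=timedelta(minutes=5)):
    """Build the multidimensional attribute record for events[index],
    using only events that happened before it."""
    cur = events[index]
    earlier = events[:index]
    mine_all = [e for e in earlier if e["user"] == cur["user"]]
    mine_ok = [e for e in mine_all if e["ok"]]
    # Attempts from the same IP inside the window, current attempt included.
    recent = [e for e in earlier
              if e["ip"] == cur["ip"] and cur["time"] - e["time"] <= window]
    recent.append(cur)
    failures = sum(1 for e in recent if not e["ok"])
    return {
        "usual_location": is_usual(cur["city"], [e["city"] for e in mine_ok]),
        "usual_time": is_usual(cur["time"].hour // 6,
                               [e["time"].hour // 6 for e in mine_ok]),
        "usual_device": is_usual(cur["device"], [e["device"] for e in mine_ok]),
        "ip_logins_5m": len(recent),
        "ip_fail_rate_5m": failures / len(recent),
        "secs_since_last": ((cur["time"] - mine_all[-1]["time"]).total_seconds()
                            if mine_all else None),
        "history_len": len(mine_ok),
    }


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for i, event in enumerate(parsed):
        print(event["time"], event["user"], extract_features(parsed, i))
```

On the constructed log, the 03:02 login for alice is a successful login that still stands out on every dimension: unusual location, time and device, and a source IP with a 75% failure rate in the preceding five minutes.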
Machine learning and user feedback:
Machine learning is a large field, commonly used to solve classification problems over multiple dimensions. The present invention makes no improvement to the machine learning algorithm itself and is not limited to any one algorithm or class of algorithms, so it is described only at a high level. A machine learning algorithm learns from a training set to generate a usable model. The model can then give a score for new data directly. The accuracy of this score is directly related to the size, dimensionality, distribution and so on of the training set.
In practice, however, collecting the training set is not simple. First, there is a large volume of login logs every day, and only a very small part of them is abnormal login behavior. If samples are simply chosen at random, there will be too little abnormal-login training data for good recognition. In addition, even with human judgment it is in some cases difficult to determine accurately whether a login is abnormal. After all, staff cannot ask the user directly and can only make an estimate from the relevant information collected. In this situation, how to collect an accurate and comprehensive training set becomes one of the main challenges of introducing machine learning algorithms.
The application example of the present invention solves this problem through user feedback. First, the login log is still converted into multidimensional data usable by machine learning; then the user is queried by e-mail, SMS or private message and asked to judge whether the current login was initiated by the user in person. According to the user's choice, the multidimensional data can be labeled abnormal or normal and put directly into the training set. If an incremental machine learning algorithm is used, the training data can also be fed into the algorithm immediately, and the algorithm keeps evolving its own model from the continuous stream of data, so that classification results become more and more accurate.
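The feedback loop described above, as an added example that is not part of the patent text. The patent names Hoeffding trees as one possible incremental algorithm; this sketch substitutes online logistic regression because it fits in a few lines. The attribute encoding, the two sample vectors, the learning rate and the share of wrong answers in the stream are constructed assumptions.

```python
import math

# Assumed attribute encoding for one login:
# [unusual location, unusual time, unusual device, IP failure rate]
SUSPICIOUS = [1.0, 1.0, 1.0, 0.8]   # constructed sample
ROUTINE = [0.0, 0.0, 0.0, 0.1]      # constructed sample


class FeedbackLearner:
    """Incremental model (online logistic regression, a stand-in for the
    Hoeffding tree the patent mentions). Scores run from 0 to 100; an
    untrained model answers 50, meaning it cannot tell either way."""

    def __init__(self, n_features, learning_rate=0.1):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.lr = learning_rate
        self.updates = 0

    def _probability(self, x):
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, x))
        return 1.0 / (1.0 + math.exp(-z))

    def score(self, x):
        """Anomaly score for one attribute vector."""
        return 100.0 * self._probability(x)

    def learn(self, x, label):
        """One incremental step from a single user answer.
        label: 1 = user said the login was not theirs, 0 = user confirmed it."""
        error = label - self._probability(x)
        self.w = [wi + self.lr * error * xi for wi, xi in zip(self.w, x)]
        self.b += self.lr * error
        self.updates += 1


def constructed_feedback(n=400, wrong_every=21):
    """Constructed stream of (attributes, label) answers. Every
    wrong_every-th answer is deliberately wrong, standing in for the small
    amount of incorrect feedback the model has to tolerate as noise."""
    for i in range(n):
        suspicious = i % 2 == 0
        label = 1 if suspicious else 0
        if i % wrong_every == wrong_every - 1:
            label = 1 - label
        yield (SUSPICIOUS if suspicious else ROUTINE), label


def train_on_feedback(model, stream):
    """Feed each answer to the model as soon as it arrives."""
    for x, label in stream:
        model.learn(x, label)
    return model


if __name__ == "__main__":
    model = FeedbackLearner(n_features=4)
    print("before feedback:", model.score(SUSPICIOUS), model.score(ROUTINE))
    train_on_feedback(model, constructed_feedback())
    print("after feedback: ", round(model.score(SUSPICIOUS), 1),
          round(model.score(ROUTINE), 1))
```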
Active learning:
Querying the user is direct and effective, but it affects user experience. To control the scope of this effect, the number of queries must be limited. At the same time, machine learning must still receive sufficient training. To meet both requirements, the invention introduces active learning.
Active learning means judging, from the machine learning score, whether the current data needs accurate manual labeling and retraining. For example, if the anomaly score of a data item is 0 or 100, machine learning is extremely certain about the current result, and manually labeling and retraining on this item usually brings little gain to the evolution of the model. Conversely, if the anomaly score of a data item is 50, machine learning is not sure whether the current login is abnormal, and manual labeling and retraining at this point can have a large effect on machine learning. In other words, data with an anomaly score of 50 has higher training value than data with a score of 100.
Based on this principle, active learning maintains a score threshold range. When a score falls within the range, the data has high training value, and the user needs to be queried and the model retrained. The threshold range can be adjusted continuously with the number of queries, to ensure that only a certain percentage of users receive queries. For example, suppose the initial threshold range is 40-60 and it is set that only 20% of users receive queries. Assume the proportion of users currently queried has already reached 20% and the anomaly score of a new login is 60. The active learning strategy first judges that the user needs to be queried. Then, because the query ratio now exceeds 20%, active learning shrinks the threshold range, for example to 41-59. Less data will then be judged to need a query, which limits further growth in the number of users queried. Conversely, if the current query ratio is below 20%, the threshold range can be relaxed step by step until the query ratio returns to 20%. Active learning thus amounts to maintaining a self-regulating threshold system, which maximizes the training value of the training set while keeping the proportion of queried users under control.
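The self-regulating threshold range described above, combined with the three-way handling and the forced verification from the method section, as an added example that is not part of the patent text. The class and function names, the step of 1 point per adjustment and the rule that only queries actually sent count toward the ratio are assumptions.

```python
class ActiveLearningBand:
    """Score range inside which a login is worth asking the user about.
    The range shrinks when more than target_ratio of logins have been
    queried and widens again when fewer have been."""

    def __init__(self, low=40.0, high=60.0, target_ratio=0.20, step=1.0,
                 seen=0, queried=0):
        self.low = low
        self.high = high
        self.target_ratio = target_ratio
        self.step = step          # assumed adjustment size per login
        self.seen = seen          # logins scored so far
        self.queried = queried    # logins for which a query was sent

    def classify(self, score):
        """Above the range: abnormal. Below it: allow. Inside (bounds
        included, as in the 60-point case in the text): query the user."""
        if score > self.high:
            return "abnormal"
        if score < self.low:
            return "allow"
        return "query"

    def record(self, sent_query):
        """Count one login, then move the range toward the target ratio."""
        self.seen += 1
        if sent_query:
            self.queried += 1
        ratio = self.queried / self.seen
        if ratio > self.target_ratio:
            if self.high - self.low > 2 * self.step:
                self.low += self.step
                self.high -= self.step
        elif ratio < self.target_ratio:
            self.low = max(0.0, self.low - self.step)
            self.high = min(100.0, self.high + self.step)


def handle_login(band, score, verified, user_confirms):
    """Apply the flow to one scored login.

    verified:      outcome of the forced verification (password, phone
                   number, ...), only consulted for in-range scores
    user_confirms: the user's answer to 'was this login yours?'
    Returns (action, label). label is the training label (1 = abnormal,
    0 = normal), or None when no feedback was collected.
    """
    decision = band.classify(score)
    if decision != "query":
        band.record(sent_query=False)
        return decision, None
    if not verified:
        # Failed forced verification: treated as abnormal and no query is
        # sent, so nothing from this login enters the training set.
        band.record(sent_query=False)
        return "abnormal", None
    band.record(sent_query=True)
    return ("allow", 0) if user_confirms else ("abnormal", 1)


if __name__ == "__main__":
    # The case from the text: range 40-60, 20% of logins already queried,
    # and a new login scoring 60.
    band = ActiveLearningBand(seen=100, queried=20)
    print(handle_login(band, 60, verified=True, user_confirms=True))
    print(band.low, band.high)
```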
Feedback verification:
Note that, because of the screening done by active learning, the users who are queried are likely to be ones with abnormal login behavior. This means that when a query is sent, it may reach not the real user but a malicious attacker. An attacker can obviously try to give wrong feedback in order to influence the final detection performance of the machine learning system. Therefore, a certain verification threshold must be set when querying, to prevent attackers from giving wrong feedback.
To collect enough feedback data, the whole feedback process (including verification and review) must be completed by an automated flow. The problem of identifying abnormal feedback therefore has a certain similarity to the abnormal login identification problem the present invention tries to solve. The difference is that in the login scenario the impact on user experience has to be weighed more heavily, whereas for feedback, strong verification mechanisms that cost some user experience can be added. This is because the feedback system is an auxiliary system of the overall detection mechanism and does not directly affect the user's use of the product. And for a product with a huge user base, even if only a small fraction of users are willing to take part in the feedback mechanism, that is enough to drive the self-learning process. So strong verification mechanisms and appropriate product design can be used, which avoids introducing yet another abnormal-feedback detection method that would overcomplicate the process. Some trustworthy strong verification mechanisms include verifying the password, mobile phone number or ID card number. Newer verification techniques such as avatar or gesture verification can even be used to strengthen verification while making it easier for the user to operate.
Finally, because the verification process is confined to an automated flow, it cannot be guaranteed to be absolutely correct. But handling noise is a common problem in machine learning, and most mainstream algorithms already have relatively mature noise-handling solutions. Therefore, as long as the verification mechanism keeps accuracy at a relatively high level, the small amount of wrong feedback produced by attackers can be treated as noise, and its influence is eliminated automatically by the machine learning algorithm.
The application example of the present invention provides a self-learning abnormal login detection method based on user feedback. By introducing machine learning into abnormal login detection, it solves the problem that conventional methods rely on a single dimension, and also avoids much manual work. More importantly, considering the influence of the training set on the machine learning effect, the application example also proposes collecting the training set through user feedback, which effectively solves the problem of collecting a training set in the machine learning process. By introducing user feedback while taking user experience into account to a certain extent, accurate training data can be collected most efficiently, thereby effectively improving the overall effect of the machine learning.
It should be understood that the particular order or hierarchy of steps in the disclosed processes is an example of exemplary approaches. Based on design preferences, it should be understood that the particular order or hierarchy of steps in the processes may be rearranged without departing from the protection scope of the present disclosure. The appended method claims present elements of the various steps in an exemplary order and are not meant to be limited to the particular order or hierarchy described.
In the foregoing detailed description, various features are grouped together in a single embodiment to simplify the disclosure. This method of disclosure should not be interpreted as reflecting an intention that the embodiments of the claimed subject matter require more features than are expressly recited in each claim. Rather, as the appended claims reflect, the invention lies in fewer than all features of a single disclosed embodiment. Therefore, the appended claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the present invention.
The disclosed embodiments are described above to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may also be applied to other embodiments without departing from the spirit and scope of the disclosure. Therefore, the disclosure is not limited to the embodiments set forth herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed in this application.
The above description includes examples of one or more embodiments. Of course, it is impossible to describe every conceivable combination of components or methods in order to describe the above embodiments, but those of ordinary skill in the art will recognize that further combinations and permutations of the embodiments are possible. Therefore, the embodiments described herein are intended to cover all such changes, modifications and variations that fall within the protection scope of the appended claims. In addition, with regard to the term "comprising" as used in the specification or the claims, the term is intended to be inclusive in a manner similar to the term "including", just as "including" is interpreted when used as a transitional word in a claim. In addition, any use of the term "or" in the specification or the claims is intended to mean a "non-exclusive or".
Those skilled in the art will also appreciate that the various illustrative logical blocks, units, and steps listed in the embodiments of the present invention may be implemented by electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the various illustrative components, units and steps above have been described generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and the design requirements of the overall system. Those skilled in the art may implement the described functionality in various ways for each particular application, but such implementation should not be understood as going beyond the protection scope of the embodiments of the present invention.
The various illustrative logical blocks or units described in the embodiments of the present invention may be implemented or operated by a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of the above designed to perform the described functions. The general-purpose processor may be a microprocessor; alternatively, it may be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented as a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of the method or algorithm described in the embodiments of the present invention may be embedded directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, a register, a hard disk, a removable disk, a CD-ROM or any other form of storage medium in the art. Illustratively, the storage medium may be connected to the processor so that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integrated into the processor. The processor and the storage medium may be arranged in an ASIC, and the ASIC may be arranged in a user terminal. Alternatively, the processor and the storage medium may be arranged in different components of the user terminal.
In one or more exemplary designs, the functions described in the embodiments of the present invention may be implemented in hardware, software, firmware or any combination of the three. If implemented in software, the functions may be stored on a computer-readable medium, or transmitted over a computer-readable medium in the form of one or more instructions or code. Computer-readable media include computer storage media and communication media that facilitate transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer. For example, such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures and in other forms readable by a general-purpose or special-purpose computer, or by a general-purpose or special-purpose processor. In addition, any connection may properly be termed a computer-readable medium; for example, if software is transmitted from a website, server or other remote source via coaxial cable, fiber-optic cable, twisted pair, digital subscriber line (DSL), or wireless means such as infrared, radio and microwave, these are also included in the definition of computer-readable medium. Disk and disc, as used here, include compact disc, laser disc, optical disc, DVD, floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs usually reproduce data optically with lasers. Combinations of the above may also be included in computer-readable media.
The specific embodiments described above further explain the purpose, technical solutions and beneficial effects of the present invention in detail. It should be understood that the foregoing is merely specific embodiments of the present invention and is not intended to limit its protection scope; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
Claims (10)
1. An abnormal login detection method, characterized in that the method comprises:
when a user login is detected, obtaining the user login log of the current user;
obtaining, from the user login log of the current user, the multi-dimensional attribute data of the current user's login;
performing abnormal scoring on the current user's login according to the multi-dimensional attribute data of the current user's login, using an established user-login machine learning model, to obtain the abnormal score value of the current user's login;
if it is determined that the abnormal score value is within a set abnormal score threshold range, initiating an inquiry to the current user as to whether the current user's login is allowed;
handling whether to allow the current user's login according to the current user's inquiry feedback result.
2. The abnormal login detection method according to claim 1, characterized in that the method for establishing the user-login machine learning model comprises:
obtaining multiple sample user login logs;
obtaining, from the multiple sample user login logs, the multi-dimensional attribute data and login results of the multiple sample user logins;
performing machine learning with an incremental machine learning algorithm, using the multi-dimensional attribute data and login results of the multiple sample user logins, to establish the user-login machine learning model.
3. The abnormal login detection method according to claim 2, characterized in that the method further comprises:
taking the multi-dimensional attribute data and login result of the current user as a training set, and performing machine learning with an incremental machine learning algorithm to correct the user-login machine learning model.
4. The abnormal login detection method according to claim 1, characterized by further comprising:
if it is determined that the abnormal score value is higher than the maximum value of the set abnormal score threshold range, handling the login directly as an abnormal login;
if it is determined that the abnormal score value is lower than the minimum value of the set abnormal score threshold range, allowing the login.
5. The abnormal login detection method according to any one of claims 1-4, characterized in that the multi-dimensional attribute data comprise: whether the login is from a usual login location, whether the login is at a usual login time, whether the login is from a usual login device, and statistical dimension data; the statistical dimension data comprise: the error rate within a preset time and the number of logins within a preset time;
before initiating the inquiry to the current user as to whether the current user's login is allowed, if it is determined that the abnormal score value is within the set abnormal score threshold range, the method further comprises:
performing mandatory verification on the current user in at least one of the following ways: verifying a password, verifying a mobile phone number, verifying an ID card number, verifying the user's avatar, verifying a gesture; and
confirming that the mandatory verification has passed.
6. An abnormal login detection device, characterized in that the device comprises:
a preprocessing unit, configured to obtain the user login log of the current user when a user login is detected, and to obtain the multi-dimensional attribute data of the current user's login from the user login log of the current user;
a machine learning unit, configured to perform abnormal scoring on the current user's login according to the multi-dimensional attribute data of the current user's login, using an established user-login machine learning model, to obtain the abnormal score value of the current user's login;
an active learning unit, configured to initiate, if it is determined that the abnormal score value is within a set abnormal score threshold range, an inquiry to the current user as to whether the current user's login is allowed;
an exception handling unit, configured to handle whether to allow the current user's login according to the current user's inquiry feedback result.
7. The abnormal login detection device according to claim 6, characterized in that
the preprocessing unit is further configured to obtain multiple sample user login logs, and to obtain, from the multiple sample user login logs, the multi-dimensional attribute data and login results of the multiple sample user logins;
the machine learning unit comprises:
a user-login machine learning model establishing module, configured to perform machine learning with an incremental machine learning algorithm, using the multi-dimensional attribute data and login results of the multiple sample user logins, to establish the user-login machine learning model.
8. The abnormal login detection device according to claim 7, characterized in that
the machine learning unit further comprises:
a user-login machine learning model correcting module, configured to take the multi-dimensional attribute data and login result of the current user as a training set, and to perform machine learning with an incremental machine learning algorithm to correct the user-login machine learning model.
9. The abnormal login detection device according to claim 6, characterized in that
the exception handling unit is further configured to handle the login directly as an abnormal login if it is determined that the abnormal score value is higher than the maximum value of the set abnormal score threshold range;
the exception handling unit is further configured to allow the login if it is determined that the abnormal score value is lower than the minimum value of the set abnormal score threshold range.
10. The abnormal login detection device according to any one of claims 6-9, characterized in that the multi-dimensional attribute data comprise: whether the login is from a usual login location, whether the login is at a usual login time, whether the login is from a usual login device, and statistical dimension data; the statistical dimension data comprise: the error rate within a preset time and the number of logins within a preset time;
the active learning unit comprises:
a mandatory verification module, configured to perform, if it is determined that the abnormal score value is within the set abnormal score threshold range and before the inquiry as to whether the current user's login is allowed is initiated to the current user, mandatory verification on the current user in at least one of the following ways: verifying a password, verifying a mobile phone number, verifying an ID card number, verifying the user's avatar, verifying a gesture; and to confirm that the mandatory verification has passed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710318612.9A CN107276982B (en) | 2017-05-08 | 2017-05-08 | Abnormal login detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107276982A (en) | 2017-10-20 |
CN107276982B (en) | 2020-10-30 |
Family
ID=60073849
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710318612.9A (Active, CN107276982B (en)) | Abnormal login detection method and device | 2017-05-08 | 2017-05-08 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107276982B (en) |
Non-Patent Citations (1)
Title |
---|
陈云芳 et al.: "Research on an application model of intrusion detection based on user behavior analysis", 《微机发展》 * |
Also Published As
Publication number | Publication date |
---|---|
CN107276982B (en) | 2020-10-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||