CN107276982A - Abnormal login detection method and device - Google Patents

Publication number
CN107276982A
Authority
CN
China
Prior art keywords
abnormal
login
active user
machine learning
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710318612.9A
Other languages
Chinese (zh)
Other versions
CN107276982B (en)
Inventor
何为舟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Weimeng Chuangke Network Technology China Co Ltd
Original Assignee
Weimeng Chuangke Network Technology China Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/10: Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L43/16: Threshold monitoring

Abstract

An embodiment of the present invention provides an abnormal login detection method and device. The method includes: when a user login is detected, obtaining the login log of the current user; obtaining, from that login log, the multi-dimensional attribute data of the current user's login; based on that multi-dimensional attribute data, scoring the current login for abnormality with an established user-login machine learning model to obtain an anomaly score for the login; if it is determined that the anomaly score lies within a set anomaly-score threshold range, sending the current user a query asking whether the login should be allowed; and handling whether to allow the login according to the current user's feedback to the query. The technical solution has the following beneficial effects: by introducing machine learning into abnormal login detection, it solves the single-dimension problem of conventional methods and also avoids excessive manual work.

Description

Abnormal login detection method and device
Technical field
The present invention relates to the field of Internet technology, and in particular to an abnormal login detection method and device.
Background
With the continued development of the internet, the challenges posed to network security are becoming increasingly severe. Once an attacker steals a user's account and password through phishing, fraud or similar means, the user's personal information and property are seriously threatened. Promptly detecting abnormal user login behaviour and taking appropriate measures to protect the account is therefore of great significance for protecting users' privacy and property. How to detect abnormal login behaviour, however, has long been a key research problem in the industry.
The simplest way to detect abnormal login behaviour is threshold detection. For a given entry point or IP, count the number of logins initiated and the proportion of them that are abnormal (including nonexistent user, wrong password, login from an unusual location, and so on). If this proportion exceeds a certain threshold, all login behaviour initiated from that IP can be considered abnormal. The rationale is that an attacker usually has to try every username/password pair it holds, and each successful login steals one account. Because the volume of data is large, the attacker attempts logins at very high speed to secure its return, and a large share of those attempts fail. A normal user, by contrast, will neither initiate a large number of logins in a short time nor produce a large number of failures (mistyped input does occur, but it does not account for a large proportion). Setting a threshold to separate these two behaviours is simple and practical, and a large number of companies currently use it. The threshold is often set in segments according to the number of attempts, for example a failure rate above 90% for 10 logins, above 70% for 100 logins, and so on.
Although threshold detection is simple and practical, it has the following shortcomings:
1) The threshold is fixed: the threshold is usually set from experience and summarised by hand. An attacker, however, can likewise guess the target server's threshold from experience. For example, if an attacker is blocked after more than 100 logins, it can guess that the threshold is roughly 100 and then evade it by lowering the attack frequency, switching IPs and so on, so that threshold-based defence fails completely.
2) The threshold is discontinuous: thresholds are segmented because the more attempts there are, the more suspicious the source is, so the permitted failure rate is correspondingly lower. This discontinuity, however, can cause significant problems. For example, if one segment boundary of a threshold is 100, with a permitted failure rate of 90% below 100 attempts and only 70% above 100 attempts, then once an attacker has guessed this segmentation it can set its number of attempts to 99 and thereby maximise the efficiency of the attack.
3) The threshold is set manually: the threshold is usually set from human experience, which increases cost considerably. In addition, attacks change constantly, and manual handling implies a delayed response; by the time a person reacts, an attack may well have completed. Likewise, porting the same strategy to different services requires different threshold settings, so manual setting also greatly limits the scalability of the defence system itself.
Besides judging abnormal login behaviour from the IP perspective, detection can also be done from the user's perspective. For example, the user's historical login records can be analysed to find the user's usual login locations, usual login times and so on. Once the login location or login time changes abnormally, the login is judged to be abnormal login behaviour.
The advantage of this strategy is that it is not limited to the login behaviour the attacker initiates but considers the user directly. Even if the attacker has logged in only once, the abnormal login can be detected in time. Moreover, the user information an attacker holds is usually limited, so it cannot accurately imitate the user's habitual login behaviour. This greatly increases the attacker's cost.
The user-based strategy also has certain weaknesses:
1) High false-positive and false-negative rates: if the analysis uses only a few dimensions, false positives and false negatives occur easily. For example, when a user suddenly travels to another city on business, an abnormal-login determination is likely to be triggered, and such frequent false positives have a very negative effect on user experience. Conversely, if the attacker happens to match the user's usual login location, a false negative results. The usual login time has a similar problem: if a user logs in at all hours of the day, protection on the time dimension is effectively void.
2) Cold start: the cold-start problem is how to determine the usual login location, usual login time and so on for a new user when historical data is lacking. Determining the usual location generally requires a combined judgement over the user's historical login locations before an accurate result can be given. The cold-start problem directly leaves new users without effective protection, which seriously affects user growth.
In the course of realising the present invention, the inventor found that the prior art has at least the following problem: conventional abnormal login detection schemes rely on a single dimension and require a lot of manual work.
Summary of the invention
Embodiments of the present invention provide an abnormal login detection method and device, to solve the single-dimension problem of conventional solutions and to avoid excessive manual work.
In one aspect, an embodiment of the present invention provides an abnormal login detection method, the method including:
when a user login is detected, obtaining the login log of the current user;
obtaining, from the login log of the current user, the multi-dimensional attribute data of the current user's login;
based on the multi-dimensional attribute data of the current user's login, scoring the login for abnormality with an established user-login machine learning model to obtain the anomaly score of the current user's login;
if it is determined that the anomaly score lies within a set anomaly-score threshold range, sending the current user a query asking whether the login should be allowed;
handling whether to allow the current user's login according to the current user's feedback to the query.
In another aspect, an embodiment of the present invention provides an abnormal login detection device, the device including:
a preprocessing unit, configured to obtain the login log of the current user when a user login is detected, and to obtain, from that login log, the multi-dimensional attribute data of the current user's login;
a machine learning unit, configured to score the current user's login for abnormality with an established user-login machine learning model, based on the multi-dimensional attribute data of the login, to obtain the anomaly score of the current user's login;
an active learning unit, configured to send the current user a query asking whether the login should be allowed if it is determined that the anomaly score lies within a set anomaly-score threshold range;
an exception handling unit, configured to handle whether to allow the current user's login according to the current user's feedback to the query.
The above technical solution has the following beneficial effects: by introducing machine learning into abnormal login detection, it solves the single-dimension problem of conventional methods and also avoids excessive manual work.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of an abnormal login detection method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of an abnormal login detection device according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the machine learning unit according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the active learning unit according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the overall flow of an abnormal login detection method according to an application example of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of an abnormal login detection method according to an embodiment of the present invention. The method includes:
101. When a user login is detected, obtain the login log of the current user;
102. From the login log of the current user, obtain the multi-dimensional attribute data of the current user's login;
103. Based on the multi-dimensional attribute data of the current user's login, score the login for abnormality with the established user-login machine learning model to obtain the anomaly score of the current user's login;
104. If it is determined that the anomaly score lies within the set anomaly-score threshold range, send the current user a query asking whether the login should be allowed;
105. Handle whether to allow the current user's login according to the current user's feedback to the query.
Preferably, the method of establishing the user-login machine learning model includes: obtaining multiple sample user login logs; obtaining, from the multiple sample user login logs, the multi-dimensional attribute data and login results of the sample users' logins; and performing machine learning with an incremental machine learning algorithm on that multi-dimensional attribute data and those login results to establish the user-login machine learning model.
Preferably, the method further includes: using the multi-dimensional attribute data and login result of the current user as a training set, performing machine learning with an incremental machine learning algorithm, and correcting the user-login machine learning model.
Preferably, the method further includes: if it is determined that the anomaly score is higher than the maximum of the set anomaly-score threshold range, handling the login directly as an abnormal login; if it is determined that the anomaly score is lower than the minimum of the set anomaly-score threshold range, allowing the login.
Preferably, the multi-dimensional attribute data includes: whether the login is from a usual login location, whether the login is at a usual login time, whether the login is from a usual login device, and statistical-dimension data; the statistical-dimension data includes: the error rate within a preset time and the number of logins within a preset time;
If it is determined that the anomaly score lies within the set anomaly-score threshold range, then before sending the current user the query asking whether the login should be allowed, the method further includes: performing forced verification of the current user in at least one of the following ways: verifying the password, verifying the mobile phone number, verifying the ID card number, verifying the user avatar, verifying a gesture; and confirming that the forced verification is passed. If the forced verification is not passed, the login is determined to be an abnormal login, and no query asking whether the login should be allowed is sent to the current user.
Corresponding to the method embodiment, Fig. 2 is a schematic structural diagram of an abnormal login detection device according to an embodiment of the present invention. The device includes:
a preprocessing unit 21, configured to obtain the login log of the current user when a user login is detected, and to obtain, from that login log, the multi-dimensional attribute data of the current user's login;
a machine learning unit 22, configured to score the current user's login for abnormality with the established user-login machine learning model, based on the multi-dimensional attribute data of the login, to obtain the anomaly score of the current user's login;
an active learning unit 23, configured to send the current user a query asking whether the login should be allowed if it is determined that the anomaly score lies within the set anomaly-score threshold range;
an exception handling unit 24, configured to handle whether to allow the current user's login according to the current user's feedback to the query.
Preferably, the preprocessing unit 21 is further configured to obtain multiple sample user login logs; obtain, from the multiple sample user login logs, the multi-dimensional attribute data and login results of the sample users' logins; obtain multiple user login logs; and obtain, from the multiple user login logs, the multi-dimensional attribute data of the user logins;
Fig. 3 is a schematic structural diagram of the machine learning unit according to an embodiment of the present invention. The machine learning unit 22 includes:
a user-login machine learning model establishing module 221, configured to perform machine learning with an incremental machine learning algorithm on the multi-dimensional attribute data and login results of the multiple sample users' logins, to establish the user-login machine learning model.
Preferably, the machine learning unit 22 further includes:
a user-login machine learning model correcting module 222, configured to use the multi-dimensional attribute data and login result of the current user as a training set, perform machine learning with an incremental machine learning algorithm, and correct the user-login machine learning model.
Preferably, the exception handling unit 24 is further configured to handle the login directly as an abnormal login if it is determined that the anomaly score is higher than the maximum of the set anomaly-score threshold range;
the exception handling unit 24 is further configured to allow the login if it is determined that the anomaly score is lower than the minimum of the set anomaly-score threshold range.
Preferably, the multi-dimensional attribute data includes: whether the login is from a usual login location, whether the login is at a usual login time, whether the login is from a usual login device, and statistical-dimension data; the statistical-dimension data includes: the error rate within a preset time and the number of logins within a preset time;
Fig. 4 is a schematic structural diagram of the active learning unit according to an embodiment of the present invention. The active learning unit 23 includes:
a forced verification module 231, configured to, if it is determined that the anomaly score lies within the set anomaly-score threshold range, perform forced verification of the current user in at least one of the following ways before the query asking whether the login should be allowed is sent to the current user: verifying the password, verifying the mobile phone number, verifying the ID card number, verifying the user avatar, verifying a gesture; and to confirm that the forced verification is passed.
The above technical solution has the following beneficial effects: by introducing machine learning into abnormal login detection, it solves the single-dimension problem of conventional methods and also avoids excessive manual work. Importantly, considering the influence of the training set on the effect of machine learning, the embodiment of the present invention also proposes collecting the training set through user feedback, which effectively solves the problem of collecting a training set during machine learning. By introducing user feedback while taking user experience into account to a certain extent, accurate training data can be collected most efficiently, which effectively improves the overall effect of machine learning.
The above technical solution of the embodiment of the present invention is described in detail below through an application example:
Fig. 5 is a schematic diagram of the overall flow of an abnormal login detection method according to an application example of the present invention, which specifically includes:
1. Each login log is preprocessed. Preprocessing may include judging whether the current login is from a usual login location and whether it is at a usual time; it may also include statistical features, such as the error rate and the number of logins within a short period. After preprocessing, the raw login log is converted into individual dimension attributes that can be fed directly to machine learning.
2. Through machine learning, the current login is given an anomaly score using the user-login machine learning model. The specific machine learning algorithm used is not the focus of the present invention; the only requirement here is that an incremental machine learning algorithm be used, e.g. Hoeffding trees.
3. After the anomaly score is obtained, active learning judges whether the user needs to be queried. Active learning maintains a score threshold; when the anomaly score is higher than the threshold, the login is handled directly. Otherwise a query is sent to the user. This avoids sending the user too many queries and harming user experience.
4. After the user feedback is obtained, the multi-dimensional attribute data and login result of the current user are used as a training set, machine learning is performed with an incremental machine learning algorithm, and the user-login machine learning model is corrected. In this way the machine learning model is continually strengthened by ongoing user feedback.
The above technical solution of the embodiment of the present invention is described in detail below:
Preprocessing:
The preprocessing stage mainly transforms a simple login log into data carrying more complete information. For example, the login IP is used to judge whether the login is from a usual login location, and the device of the logging-in user is used to judge whether it is a usual device. Statistical information can also be collected on the IP or user dimension, such as the number of logins from the current IP within 5 minutes, the number of failures, and the interval since the current user's last login. Only when the log has been turned into data composed of many dimension attributes can the current login behaviour be described fully and accurately as data; this is the necessary data basis for machine learning.
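The preprocessing step above can be sketched as follows. This is an added example, not code from the patent: the log record layout, the names `extract_features` and `featurize_log`, the rule that a value is "usual" after two successful logins, and the 6-hour time blocks are all assumptions, and the log lines are constructed.

```python
from collections import Counter
from datetime import datetime

WINDOW_SECONDS = 300  # the "5 minutes" per-IP statistics window from the text
MIN_SEEN = 2          # assumption: a value counts as "usual" after 2 successful logins

# Constructed sample log: (time, user, ip, city, device, success). Not real data.
SAMPLE_LOG = [
    ("2024-05-01T08:02:00", "alice", "198.51.100.7", "Beijing", "phone-A", True),
    ("2024-05-02T08:10:00", "alice", "198.51.100.7", "Beijing", "phone-A", True),
    ("2024-05-03T09:00:00", "alice", "198.51.100.7", "Beijing", "phone-A", True),
    ("2024-05-04T03:00:00", "bob", "203.0.113.9", "Shanghai", "pc-X", False),
    ("2024-05-04T03:00:20", "carol", "203.0.113.9", "Shanghai", "pc-X", False),
    ("2024-05-04T03:00:40", "dave", "203.0.113.9", "Shanghai", "pc-X", False),
    ("2024-05-04T03:01:00", "alice", "203.0.113.9", "Shanghai", "pc-X", True),
]


def parse(record):
    ts, user, ip, city, device, ok = record
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "city": city, "device": device, "ok": ok}


def is_usual(past_values, current):
    """True/False once history exists; None for a cold-start user with no history."""
    if not past_values:
        return None
    return Counter(past_values)[current] >= MIN_SEEN


def extract_features(history, event):
    """Turn one login event, plus the events before it, into attribute data."""
    own = [h for h in history if h["user"] == event["user"]]
    own_ok = [h for h in own if h["ok"]]  # only successful logins define habits
    recent_ip = [h for h in history if h["ip"] == event["ip"]
                 and (event["ts"] - h["ts"]).total_seconds() <= WINDOW_SECONDS]
    failures = sum(1 for h in recent_ip if not h["ok"])
    last_seen = max((h["ts"] for h in own), default=None)
    return {
        "usual_location": is_usual([h["city"] for h in own_ok], event["city"]),
        # assumption: "usual time" is compared per 6-hour block of the day
        "usual_time": is_usual([h["ts"].hour // 6 for h in own_ok],
                               event["ts"].hour // 6),
        "usual_device": is_usual([h["device"] for h in own_ok], event["device"]),
        "ip_logins_5min": len(recent_ip),
        "ip_fail_rate_5min": failures / len(recent_ip) if recent_ip else 0.0,
        "seconds_since_last_login":
            (event["ts"] - last_seen).total_seconds() if last_seen else None,
    }


def featurize_log(records):
    """Replay the log in time order; each event only sees earlier events."""
    events = sorted((parse(r) for r in records), key=lambda e: e["ts"])
    return [extract_features(events[:i], e) for i, e in enumerate(events)]


if __name__ == "__main__":
    for row in featurize_log(SAMPLE_LOG):
        print(row)
```

The `None` values keep the cold-start case distinct from a genuine mismatch, so a new user is not scored as if every attribute were unusual.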
Machine learning and user feedback:
Machine learning is a large field in its own right and is commonly used to solve classification problems over many dimensions. The present invention makes no improvement to the machine learning algorithm itself and is not limited to any one algorithm or class of algorithms, so it is described only at a high level. A machine learning algorithm learns from a training set to produce a usable model. For new data, the model can then directly give a score. The accuracy of this score is directly related to the size, dimensionality, distribution and so on of the training set.
In practice, however, collecting a training set is not simple. First, there is a large volume of login logs every day, of which only a very small part is abnormal login behaviour. Simple random sampling would yield too little abnormal-login training data for good recognition. In addition, even manual judgement cannot in some cases accurately determine whether a login is abnormal login behaviour. After all, staff cannot ask the user directly and can only make an estimate from the related information collected. In this situation, how to collect an accurate and comprehensive training set becomes one of the main challenges in introducing machine learning algorithms.
The application example of the present invention solves this problem through user feedback. First, the login log is still converted into multi-dimensional data usable for machine learning; then the user is asked, by email, SMS or private message, to judge whether the current login behaviour was initiated by the user in person. According to the user's choice, the multi-dimensional data can be labelled abnormal or normal and put directly into the training set. If an incremental machine learning algorithm is used, the training data can also be fed to the algorithm immediately, and the algorithm then continually evolves its own model from the steady stream of data, so that classification results become more and more accurate.
Active Learning:
Asking the user is direct and effective, but it affects user experience. To limit the scope of this effect, the number of queries must be restricted. At the same time, it must be ensured that machine learning gets sufficient training. To meet both requirements, the present invention introduces active learning.
Active learning means judging, from the machine learning score, whether the current data needs accurate manual labelling and retraining. For example, if the anomaly score of a data point is 0 or 100, machine learning is extremely certain about the current result; manually labelling and retraining on this data usually yields little gain for the evolution of the model. Conversely, if the anomaly score of a data point is 50, machine learning is uncertain whether the current login is abnormal, and manual labelling and retraining at this point may have a larger effect on machine learning. In other words, data with an anomaly score of 50 can be considered to have higher training value than data with a score of 100.
Based on this principle, active learning maintains a score threshold range. When a score falls within the threshold range, the data has high training value, and the user needs to be queried and the model retrained. This threshold range can be adjusted continually as queries are made, to ensure that only a certain percentage of users receive query requests. For example, suppose the initial threshold range is 40-60 and it is set that only 20% of users receive query requests. Assume the proportion of users queried so far has reached 20% and a new login has an anomaly score of 60. The active learning strategy first judges that the user needs to be queried. Then, because the query proportion now exceeds 20%, active learning shrinks the threshold range, for example to 41-59. Fewer data points are then judged to need a query, which limits growth in the number of users queried. Conversely, if the current query proportion is below 20%, the threshold range can be gradually relaxed until the query proportion returns to 20%. Active learning thus maintains a self-regulating threshold system, through which the training value of the training set is maximised while the proportion of queried users is kept under control.
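One way to implement the self-adjusting threshold range described above, together with the three-way handling from the detailed description (allow, handle as abnormal, or query after forced verification). This is an added example, not code from the patent: the class name `QueryBand`, the symmetric one-point adjustment step and counting the query ratio per login are assumptions, and the scores fed to `simulate` are constructed.

```python
class QueryBand:
    """Score band that decides who gets asked, tuned towards a target query ratio."""

    def __init__(self, low=40, high=60, target=0.20, step=1, seen=0, queried=0):
        self.low, self.high = low, high      # inclusive band on a 0-100 score
        self.target = target                 # share of logins allowed to trigger a query
        self.step = step                     # assumption: one point per adjustment
        self.seen, self.queried = seen, queried

    def decide(self, score, verify=lambda: True):
        """Return 'allow', 'abnormal' or 'query', then re-tune the band.

        verify is called only for in-band scores; it stands for the forced
        verification (password, phone number, ...) that precedes a query.
        """
        self.seen += 1
        if score > self.high:
            decision = "abnormal"            # above the band: handle as abnormal login
        elif score < self.low:
            decision = "allow"               # below the band: let the login through
        elif not verify():
            decision = "abnormal"            # failed forced verification: no query sent
        else:
            decision = "query"               # uncertain and verified: ask the user
            self.queried += 1
        self._retune()
        return decision

    def _retune(self):
        ratio = self.queried / self.seen
        if ratio > self.target and self.high - self.low >= 2 * self.step:
            self.low += self.step            # too many queries: shrink the band
            self.high -= self.step
        elif (ratio < self.target and self.low >= self.step
              and self.high + self.step <= 100):
            self.low -= self.step            # too few queries: relax the band
            self.high += self.step


def simulate(n=3000):
    """Feed n constructed scores, evenly spread over 0..100; return the query ratio."""
    band = QueryBand()
    for i in range(n):
        band.decide((i * 37) % 101)
    return band.queried / band.seen


if __name__ == "__main__":
    band = QueryBand(seen=10, queried=2)     # the text's state: 20% already queried
    print(band.decide(60), (band.low, band.high))
    print(round(simulate(), 3))
```

Only logins that return `query` and receive an answer would be labelled and passed to the incremental learner; the others are handled without adding to the training set.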
Feedback validation:
Note that after screening by active learning, the users who are asked are likely to be those with abnormal login behaviour. This means that the party answering the inquiry may not be the genuine user but a malicious attacker. An attacker can obviously attempt to give false feedback in order to influence the final detection performance of the machine learning system. A verification barrier must therefore be set at inquiry time to prevent attackers from giving false feedback.
To collect enough feedback data, the whole feedback process (including verification and review) must be completed by an automated flow. The problem of identifying abnormal feedback is therefore similar to the abnormal login identification problem that the invention sets out to solve. The difference is that the login scenario requires more attention to the impact on user experience, whereas for feedback, strong authentication mechanisms that impair user experience can be added, because the feedback system is an auxiliary system of the overall detection mechanism and does not directly affect users' use of the product. For a product with a huge user base, even a small fraction of users willing to take part in the feedback mechanism is enough to drive the self-learning process. Strong authentication mechanisms and appropriate product design can therefore be used, avoiding the introduction of yet another abnormal-feedback detection method that would overcomplicate the process. Some credible strong authentication mechanisms include verifying a password, mobile phone or ID card number, etc. Newer verification techniques such as avatar or gesture verification can even be used, strengthening the verification while making it easier for the user to operate.
Finally, because the verification process is confined to an automated flow, it cannot be guaranteed to be absolutely correct. However, handling noise is a common problem in the machine learning field, and most mainstream algorithms already have relatively mature noise-handling solutions. Therefore, as long as the authentication mechanism keeps accuracy at a high level, the small amount of false feedback produced by attackers can be treated as noise, and its influence is eliminated automatically by the machine learning algorithm.
The application example of the invention provides a self-learning abnormal login detection method based on user feedback. Introducing machine learning into abnormal login detection solves the single-dimension problem of conventional methods and also avoids a great deal of manual work. More importantly, considering the influence of the training set on machine learning performance, the application example also proposes collecting the training set through user feedback, which effectively solves the problem of collecting a training set during machine learning. By introducing user feedback while taking user experience into account to some extent, accurate training data can be collected most efficiently, effectively improving the overall performance of the machine learning.
It should be understood that the specific order or hierarchy of steps in the disclosed processes is an example of illustrative approaches. Based on design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of protection of the present disclosure. The accompanying method claims present elements of the various steps in an exemplary order and are not meant to be limited to the specific order or hierarchy presented.
In the foregoing detailed description, various features are grouped together in a single embodiment to streamline the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the embodiments of the claimed subject matter require more features than are expressly recited in each claim. Rather, as the appended claims reflect, the invention lies in fewer than all features of a single disclosed embodiment. The appended claims are therefore hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.
The above description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments without departing from the spirit and scope of the disclosure. The disclosure is therefore not limited to the embodiments set forth herein but is to be accorded the widest scope consistent with the principles and novel features disclosed in this application.
The description above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methods for the purpose of describing the above embodiments, but one of ordinary skill in the art will recognize that further combinations and permutations of the embodiments are possible. The embodiments described herein are therefore intended to embrace all such alterations, modifications and variations that fall within the scope of protection of the appended claims. Furthermore, to the extent that the term "includes" is used in the specification or the claims, it is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim. In addition, any use of the term "or" in the specification or the claims is intended to mean a "non-exclusive or".
Those skilled in the art will also appreciate that the various illustrative logical blocks, units and steps listed in the embodiments of the invention may be implemented by electronic hardware, computer software, or a combination of both. To clearly show the interchangeability of hardware and software, the various illustrative components, units and steps above have been described generally in terms of their functionality. Whether such functionality is implemented in hardware or software depends on the particular application and the design requirements of the overall system. Those skilled in the art may implement the described functionality in various ways for each particular application, but such implementations should not be interpreted as going beyond the scope of protection of the embodiments of the invention.
The various illustrative logical blocks or units described in the embodiments of the invention may be implemented or operated by a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of the above designed to perform the described functions. A general-purpose processor may be a microprocessor; alternatively, it may be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented as a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of the method or algorithm described in the embodiments of the invention may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. By way of example, the storage medium may be connected to the processor so that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integrated into the processor. The processor and the storage medium may be located in an ASIC, and the ASIC may be located in a user terminal. Alternatively, the processor and the storage medium may be located in different components of the user terminal.
In one or more exemplary designs, the functions described in the embodiments of the invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on a computer-readable medium or transmitted over it as one or more instructions or code. Computer-readable media include computer storage media and communication media that facilitate transfer of a computer program from one place to another. A storage medium may be any available medium that a general-purpose or special-purpose computer can access. For example, such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures, or in other forms readable by a general-purpose or special-purpose computer or processor. In addition, any connection may properly be termed a computer-readable medium; for example, if software is transmitted from a website, server or other remote source over a coaxial cable, fiber-optic cable, twisted pair, digital subscriber line (DSL), or by wireless means such as infrared, radio and microwave, these are also included in the definition of computer-readable medium. Disk and disc, as used here, include compact disc, laser disc, optical disc, DVD, floppy disk and Blu-ray disc, where disks usually reproduce data magnetically and discs usually reproduce data optically with lasers. Combinations of the above may also be included in computer-readable media.
The specific embodiments described above explain the purpose, technical solution and beneficial effects of the invention in further detail. It should be understood that the foregoing is only a specific embodiment of the invention and is not intended to limit its scope of protection; any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. An abnormal login detection method, characterized in that the method comprises:
when a user login is detected, obtaining the user login log of the current user;
obtaining, from the user login log of the current user, the multidimensional attribute data of the current user's login;
scoring the current user's login for abnormality according to the multidimensional attribute data of the current user's login, using an established user login machine learning model, to obtain the abnormality score of the current user's login;
if the abnormality score is determined to be within a set abnormality score threshold range, sending the current user an inquiry as to whether to allow the current user's login;
handling whether to allow the current user's login according to the current user's feedback on the inquiry.
2. The abnormal login detection method of claim 1, characterized in that the method of establishing the user login machine learning model comprises:
obtaining multiple sample user login logs;
obtaining, from the multiple sample user login logs, the multidimensional attribute data and login results of the multiple sample users' logins;
performing machine learning with an incremental machine learning algorithm on the multidimensional attribute data and login results of the multiple sample users' logins, to establish the user login machine learning model.
3. The abnormal login detection method of claim 2, characterized in that the method further comprises:
using the multidimensional attribute data and login result of the current user as a training set, performing machine learning with an incremental machine learning algorithm, and correcting the user login machine learning model.
4. The abnormal login detection method of claim 1, characterized in that it further comprises:
if the abnormality score is determined to be higher than the maximum of the set abnormality score threshold range, handling the login directly as an abnormal login;
if the abnormality score is determined to be lower than the minimum of the set abnormality score threshold range, allowing the login.
5. The abnormal login detection method of any one of claims 1-4, characterized in that the multidimensional attribute data include: whether the login is from a usual login location, whether the login is at a usual login time, whether the login is from a usual login device, and statistical dimension data; the statistical dimension data include: the error rate within a preset time and the number of logins within a preset time;
if the abnormality score is determined to be within the set abnormality score threshold range, then before sending the current user the inquiry as to whether to allow the current user's login, the method further comprises:
performing forced verification of the current user by at least one of the following: verifying a password, verifying a mobile phone number, verifying an ID card number, verifying the user's avatar, verifying a gesture; and
confirming that the forced verification has passed.
6. An abnormal login detection device, characterized in that the device comprises:
a preprocessing unit, configured to obtain the user login log of the current user when a user login is detected, and to obtain, from the user login log of the current user, the multidimensional attribute data of the current user's login;
a machine learning unit, configured to score the current user's login for abnormality according to the multidimensional attribute data of the current user's login, using an established user login machine learning model, to obtain the abnormality score of the current user's login;
an active learning unit, configured to send the current user an inquiry as to whether to allow the current user's login if the abnormality score is determined to be within a set abnormality score threshold range;
an exception handling unit, configured to handle whether to allow the current user's login according to the current user's feedback on the inquiry.
7. The abnormal login detection device of claim 6, characterized in that
the preprocessing unit is further configured to obtain multiple sample user login logs and to obtain, from the multiple sample user login logs, the multidimensional attribute data and login results of the multiple sample users' logins;
the machine learning unit comprises:
a user login machine learning model establishing module, configured to perform machine learning with an incremental machine learning algorithm on the multidimensional attribute data and login results of the multiple sample users' logins, to establish the user login machine learning model.
8. The abnormal login detection device of claim 7, characterized in that
the machine learning unit further comprises:
a user login machine learning model correction module, configured to use the multidimensional attribute data and login result of the current user as a training set, perform machine learning with an incremental machine learning algorithm, and correct the user login machine learning model.
9. The abnormal login detection device of claim 6, characterized in that
the exception handling unit is further configured to handle the login directly as an abnormal login if the abnormality score is determined to be higher than the maximum of the set abnormality score threshold range;
the exception handling unit is further configured to allow the login if the abnormality score is determined to be lower than the minimum of the set abnormality score threshold range.
10. The abnormal login detection device of any one of claims 6-9, characterized in that the multidimensional attribute data include: whether the login is from a usual login location, whether the login is at a usual login time, whether the login is from a usual login device, and statistical dimension data; the statistical dimension data include: the error rate within a preset time and the number of logins within a preset time;
the active learning unit comprises:
a forced verification module, configured, if the abnormality score is determined to be within the set abnormality score threshold range, to perform forced verification of the current user before the inquiry as to whether to allow the current user's login is sent to the current user, by at least one of the following: verifying a password, verifying a mobile phone number, verifying an ID card number, verifying the user's avatar, verifying a gesture; and to confirm that the forced verification has passed.
CN201710318612.9A 2017-05-08 2017-05-08 Abnormal login detection method and device Active CN107276982B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710318612.9A CN107276982B (en) 2017-05-08 2017-05-08 Abnormal login detection method and device


Publications (2)

Publication Number Publication Date
CN107276982A true CN107276982A (en) 2017-10-20
CN107276982B CN107276982B (en) 2020-10-30

Family

ID=60073849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710318612.9A Active CN107276982B (en) 2017-05-08 2017-05-08 Abnormal login detection method and device

Country Status (1)

Country Link
CN (1) CN107276982B (en)


Also Published As

Publication number Publication date
CN107276982B (en) 2020-10-30


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant