CN107276982B - Abnormal login detection method and device - Google Patents

Publication number
CN107276982B
Authority
CN
China
Prior art keywords
login
user
current user
abnormal
machine learning
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710318612.9A
Other languages
Chinese (zh)
Other versions
CN107276982A (en)
Inventor
何为舟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Weimeng Chuangke Network Technology China Co Ltd
Original Assignee
Weimeng Chuangke Network Technology China Co Ltd
Application filed by Weimeng Chuangke Network Technology China Co Ltd
Priority to CN201710318612.9A
Publication of CN107276982A
Application granted
Publication of CN107276982B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L 43/16 Threshold monitoring

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Cardiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiments of the invention provide an abnormal login detection method and device. The method comprises the following steps: when a user login is detected, obtaining the login log of the current user; deriving multidimensional attribute data for the current login from that login log; scoring the current login for abnormality with an established user-login machine learning model, according to the multidimensional attribute data, to obtain an abnormal score; if the abnormal score is judged to fall within a set abnormal-score threshold range, sending the current user an inquiry asking whether the login should be allowed; and allowing or refusing the login according to the user's reply to the inquiry. The technical scheme has the following beneficial effects: introducing machine learning into abnormal login detection overcomes the single-dimension limitation of the traditional method and avoids excessive manual work.

Description

Abnormal login detection method and device
Technical Field
The invention relates to the field of internet technology, in particular to an abnormal login detection method and device.
Background
With the continuous development of the internet, the challenges posed by network security grow ever more serious. Once an attacker steals a user's account and password by phishing, fraud or similar means, the user's personal information and property are seriously threatened. Detecting abnormal user login behaviour in time and taking appropriate protective measures for the user's account is therefore of great importance for protecting user privacy and property. How to detect abnormal login behaviour, however, has long been a major research problem in the industry.
The simplest method for detecting abnormal login behaviour is threshold detection: count, for a given entry point or IP address, the number of login attempts initiated and the proportion of abnormal outcomes (non-existent user, wrong password, login from an unusual location, and so on); if the proportion exceeds a certain threshold, all logins initiated by that IP can be regarded as abnormal. The principle behind this is that an attacker usually has to try every username/password pair in its possession, and each successful login yields a stolen account. Because the volume of data is large, the attacker makes login attempts at a very high rate to maximise its return, and a significant portion of these attempts fail. A normal user, by contrast, cannot initiate a large number of logins in a short time, nor produce a large number of failures (in practice, failed users make up only a small proportion). Distinguishing the two by specifying a threshold on this behavioural difference is simple and easy to implement, and is currently adopted by a large number of companies. The threshold is usually tiered by attempt count, for example: at 10 login attempts the failure ratio may not exceed 90%, at 100 attempts it may not exceed 70%, and so on.
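To make the tiered rule concrete, here is an added example (not code from the patent) of the per-IP threshold check as the background describes it. The two tiers are the page's example values; the attempt and failure counts used at the bottom are constructed to show the discontinuity at the tier boundary:

```python
# Tiered threshold detection for a single source IP, as an added illustration of
# the background section (not code from the patent). The tiers are the page's
# example values: at 10 attempts the failure ratio may not exceed 90%, at 100
# attempts it may not exceed 70%.

# (minimum attempt count, maximum permitted failure ratio), strictest tier first
TIERS = [
    (100, 0.70),
    (10, 0.90),
]


def permitted_failure_ratio(attempts: int):
    """Return the failure ratio above which the IP is flagged, or None when
    fewer attempts have been seen than the lowest tier requires."""
    for min_attempts, max_ratio in TIERS:
        if attempts >= min_attempts:
            return max_ratio
    return None


def is_abnormal_ip(attempts: int, failures: int) -> bool:
    """Flag the IP when its failure ratio exceeds the tier for its attempt count."""
    if attempts <= 0 or failures > attempts:
        raise ValueError("failures must be between 0 and attempts")
    limit = permitted_failure_ratio(attempts)
    if limit is None:
        return False  # too few attempts to judge at all
    return failures / attempts > limit


if __name__ == "__main__":
    # The discontinuity the text goes on to describe: 84 failures in 99 attempts
    # (85%) passes the 90% tier, while 85 failures in 100 attempts (85%) trips
    # the 70% tier. Same failure ratio, opposite verdict.
    print(is_abnormal_ip(99, 84), is_abnormal_ip(100, 85))
```

The same failure ratio gets opposite verdicts on either side of the 100-attempt boundary, which is exactly the "threshold is not continuous" weakness listed below.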
Although the threshold detection method is simple and easy to implement, it has the following disadvantages:
1) The threshold is fixed: the threshold is usually summarised empirically and set by hand. But a hacker can likewise guess the target server's threshold from experience. For example, if the hacker is blocked after more than 100 login attempts, it can guess that the threshold is roughly 100, and then circumvent it by lowering the attack rate, switching IP addresses, and so on, so that the threshold-based defence is completely defeated.
2) The threshold is discontinuous: the threshold is tiered because the more attempts there are, the more suspicious they are, and therefore the lower the permissible failure ratio. This discontinuity, however, causes a big problem. For example, if a tier boundary is set at 100, the permissible failure rate is 90% below 100 attempts but only 70% above it. Once a hacker guesses this tiering rule, it can set its number of attempts to 99 and thereby maximise the efficiency of the attack.
3) The threshold is set manually: because the threshold is set from human experience, the cost rises considerably. Moreover, attack behaviour keeps changing; manual handling means a delayed response, and an attack is likely to be complete by the time the manual response arrives. Likewise, migrating the same set of policies to a different service requires different threshold settings, so manual setting also greatly limits the extensibility of the defence system itself.
Besides judging abnormal login behaviour from the IP perspective, detection can also be performed from the user's perspective. For example, the user's usual login places and usual login times can be analysed from the user's historical login records; when a user logs in and the login place or login time deviates abnormally, the login is judged to be abnormal.
The benefit of this strategy is that it is not limited to attacker-initiated bulk login behaviour but considers the user's own perspective directly. Even if an attacker logs in only once, the abnormal login can therefore be found in time. Moreover, since the attacker usually holds only limited information about the user, it cannot accurately imitate the user's habitual login behaviour, so the attacker's cost rises greatly.
User-based policies also have certain disadvantages:
1) High false-positive and false-negative rates: if the analysis uses only a few dimensions, false positives or false negatives arise easily. For example, when a user suddenly travels to another city one day, an abnormal-login alert is very likely to be triggered; frequent false positives of this kind have a significant negative effect on the user experience. On the other hand, if the attacker happens to match the user's usual login pattern, a false negative results. The same problem exists for usual login times: for a user who logs in at all hours of the day, protection in the time dimension is completely ineffective.
2) Cold-start problem: for a new user, historical data is lacking, so how can the usual login place and time be determined? Judging the usual place usually requires a comprehensive assessment of the user's historical login places before an accurate result can be given. The cold-start problem means that new users cannot be effectively protected, which in turn seriously affects user growth.
In the course of implementing the invention, the inventor found that the prior art has at least the following problems: traditional abnormal login detection schemes consider only a single dimension and require a great deal of manual work.
Disclosure of Invention
The embodiments of the invention provide an abnormal login detection method and device, which solve the single-dimension problem of the traditional scheme and avoid excessive manual work.
In one aspect, an embodiment of the invention provides an abnormal login detection method, comprising:
when a user login is detected, obtaining the login log of the current user;
deriving multidimensional attribute data for the current login from that login log;
scoring the current login for abnormality with the established user-login machine learning model, according to the multidimensional attribute data, to obtain an abnormal score for the current login;
if the abnormal score is judged to fall within the set abnormal-score threshold range, sending the current user an inquiry asking whether the login should be allowed; and
allowing or refusing the current login according to the user's reply to the inquiry.
In another aspect, an embodiment of the invention provides an abnormal login detection apparatus, comprising:
a preprocessing unit, configured to obtain the login log of the current user when a user login is detected, and to derive multidimensional attribute data for the current login from that log;
a machine learning unit, configured to score the current login for abnormality with the established user-login machine learning model, according to the multidimensional attribute data, and obtain an abnormal score for the current login;
an active learning unit, configured to send the current user an inquiry asking whether the login should be allowed if the abnormal score is judged to fall within the set abnormal-score threshold range; and
an exception processing unit, configured to allow or refuse the current login according to the user's reply to the inquiry.
The technical scheme has the following beneficial effects: introducing machine learning into abnormal login detection overcomes the single-dimension limitation of the traditional method and avoids excessive manual work.
Drawings
To illustrate the embodiments of the invention or the prior-art technical solutions more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of an abnormal login detection method according to an embodiment of the invention;
FIG. 2 is a schematic structural diagram of an abnormal login detection apparatus according to an embodiment of the invention;
FIG. 3 is a schematic structural diagram of a machine learning unit according to an embodiment of the invention;
FIG. 4 is a schematic structural diagram of an active learning unit according to an embodiment of the invention;
FIG. 5 is an overall flow diagram of an abnormal login detection method according to an application example of the invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention; all other embodiments obtained by a person skilled in the art from them without creative effort fall within the protection scope of the invention.
FIG. 1 is a flowchart of an abnormal login detection method according to an embodiment of the invention; the method comprises:
101. when a user login is detected, obtaining the login log of the current user;
102. deriving multidimensional attribute data for the current login from that login log;
103. scoring the current login for abnormality with the established user-login machine learning model, according to the multidimensional attribute data, to obtain an abnormal score for the current login;
104. if the abnormal score is judged to fall within the set abnormal-score threshold range, sending the current user an inquiry asking whether the login should be allowed;
105. allowing or refusing the current login according to the user's reply to the inquiry.
Preferably, the user-login machine learning model is established as follows: obtain a plurality of sample user login logs; derive the multidimensional attribute data and login result of each sample login from those logs; and perform machine learning on the multidimensional attribute data and login results of the sample logins with an incremental machine learning algorithm to establish the user-login machine learning model.
Preferably, the method further comprises: using the multidimensional attribute data and login result of the current user as a training set, performing machine learning with an incremental machine learning algorithm, and correcting the user-login machine learning model.
Preferably, the method further comprises: if the abnormal score is judged to be above the maximum of the set abnormal-score threshold range, handling the login directly as abnormal; and if the abnormal score is judged to be below the minimum of the range, allowing the login.
Preferably, the multidimensional attribute data comprise: whether the login is from a usual login place, whether it is at a usual login time, whether it is from a usual login device, and statistical dimension data; the statistical dimension data comprise the error rate within a preset time and the number of logins within a preset time.
Preferably, if the abnormal score is judged to fall within the set abnormal-score threshold range, then before the inquiry is sent to the current user the method further comprises: forcibly authenticating the current user by at least one of the following: verifying a password, a mobile phone number, an identity card number, a user avatar, or a gesture; and confirming that the forced authentication passed. If the forced authentication fails, the login is judged abnormal and no inquiry is sent to the current user.
Corresponding to the method embodiment, FIG. 2 is a schematic structural diagram of an abnormal login detection apparatus according to an embodiment of the invention; the apparatus comprises:
a preprocessing unit 21, configured to obtain the login log of the current user when a user login is detected, and to derive multidimensional attribute data for the current login from that log;
a machine learning unit 22, configured to score the current login for abnormality with the established user-login machine learning model, according to the multidimensional attribute data, and obtain an abnormal score for the current login;
an active learning unit 23, configured to send the current user an inquiry asking whether the login should be allowed if the abnormal score is judged to fall within the set abnormal-score threshold range;
and an exception handling unit 24, configured to allow or refuse the current login according to the user's reply to the inquiry.
Preferably, the preprocessing unit 21 is further configured to obtain a plurality of sample user login logs and derive the multidimensional attribute data and login results of the sample logins from them; and to obtain a plurality of user login logs and derive the multidimensional attribute data of those logins from them.
As shown in FIG. 3, a schematic structural diagram of a machine learning unit according to an embodiment of the invention, the machine learning unit 22 comprises:
a user-login machine learning model establishing module 221, configured to perform machine learning on the multidimensional attribute data and login results of the sample logins with an incremental machine learning algorithm and establish the user-login machine learning model.
Preferably, the machine learning unit 22 further comprises:
a user-login machine learning model correction module 222, configured to use the multidimensional attribute data and login result of the current user as a training set, perform machine learning with an incremental machine learning algorithm, and correct the user-login machine learning model.
Preferably, the exception handling unit 24 is further configured to handle the login directly as abnormal if the abnormal score is judged to be above the maximum of the set abnormal-score threshold range;
and to allow the login if the abnormal score is judged to be below the minimum of the set abnormal-score threshold range.
Preferably, the multidimensional attribute data comprise: whether the login is from a usual login place, whether it is at a usual login time, whether it is from a usual login device, and statistical dimension data; the statistical dimension data comprise the error rate within a preset time and the number of logins within a preset time.
As shown in FIG. 4, a schematic structural diagram of an active learning unit according to an embodiment of the invention, the active learning unit 23 comprises:
a forced authentication module 231, configured to, if the abnormal score is judged to fall within the set abnormal-score threshold range, forcibly authenticate the current user by at least one of the following before the inquiry is sent: verifying a password, a mobile phone number, an identity card number, a user avatar, or a gesture; and to confirm that the forced authentication passed.
The technical scheme has the following beneficial effects: introducing machine learning into abnormal login detection overcomes the single-dimension limitation of the traditional method and avoids excessive manual work. Importantly, considering the influence of the training set on the machine learning effect, the embodiments of the invention also provide a way of collecting the training set through user feedback, which effectively solves the problem of collecting a training set when applying machine learning. By introducing user feedback while taking the user experience into account, accurate training data can be collected most efficiently and the overall effect of machine learning is effectively improved.
The technical solution of the embodiments of the invention is explained in detail through the following application example:
FIG. 5 is an overall flow diagram of an abnormal login detection method according to an application example of the invention, which specifically comprises:
1. Preprocess each log. Preprocessing may include determining whether the current login is from a usual login place or at a usual time, and may also include statistical features such as the error rate over a short time and the number of logins. After preprocessing, the raw log is converted into dimension attributes that can be used directly by machine learning.
2. Score the current login for abnormality with the user-login machine learning model. The specific machine learning algorithm is not the focus of the invention; all that is required is an incremental machine learning algorithm, such as a Hoeffding tree.
3. After the abnormal score is obtained, active learning decides whether the user needs to be consulted. Active learning maintains a score threshold; when the abnormal score is above the threshold, the login is handled directly, otherwise a consultation is sent to the user. This avoids sending the user too many consultations and harming the user experience.
4. Once user feedback is obtained, the multidimensional attribute data and login result of the current user are used as a training set, machine learning is performed with an incremental machine learning algorithm, and the user-login machine learning model is corrected. In this way, the model is continuously strengthened by continuous user feedback.
The technical solution of the embodiment of the invention is detailed below:
Preprocessing:
The preprocessing stage mainly converts raw login logs into data with relatively comprehensive information. For example, whether the login is from a usual login place is determined from the login IP address, and whether it is from a usual device is determined from the login user agent. At the same time, statistics can be collected in the IP or user dimension, for example the number of logins from the current IP within 5 minutes, its failure frequency, and the interval since the current user's previous login. Only when the log has been converted into data consisting of many dimensional attributes can the current login behaviour be described accurately and comprehensively in data form, laying the necessary data foundation for machine learning.
Machine learning and user feedback:
Machine learning is a broad field and is commonly used to solve classification problems over multiple dimensions. The invention neither modifies the machine learning algorithm itself nor is limited to any particular algorithm or class of algorithms, so it is described at a high level. A machine learning algorithm produces a usable model by learning from a training set; new data can then be scored directly by the model. The accuracy of this score depends directly on the size, dimensionality and other properties of the training set.
In practice, however, collecting the training set is not simple. First, there is a large volume of login logs each day, of which only a small fraction are abnormal logins; if samples are simply drawn at random, there is too little abnormal-login training data for the model to recognise it well. Furthermore, even with manual judgement it is sometimes difficult to determine accurately whether a login was abnormal: staff cannot ask the user directly and can only estimate from the collected information. How to collect an accurate and comprehensive training set is therefore one of the main challenges of introducing a machine learning algorithm.
The application example of the invention solves this problem through user feedback. First the log is converted into multidimensional data usable by machine learning; then the user is queried by e-mail, SMS or private message and asked to decide whether the login was initiated by themselves. According to the user's answer, the multidimensional data is labelled abnormal or normal and put directly into the training set. If an incremental machine learning algorithm is used, the training data can be fed to the algorithm immediately, and the algorithm keeps evolving its model from the continuous stream of data so that the classification result becomes more and more accurate.
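An added example (not the patent's code) of the feedback loop just described. A small online logistic regression stands in for the incremental algorithm (the page names a Hoeffding tree as one option; the choice of model is an assumption here), the user's "was this you?" answer becomes the training label, and each answer updates the model at once without retraining from scratch. The feature vectors and feedback answers are constructed, with the feature order following the preprocessing attributes above:

```python
import math

# Feature order, matching the preprocessing attributes in the text:
# [not usual place, not usual time, not usual device, IP error rate in window, IP logins in window / 10]
FEATURE_NAMES = ["new_place", "new_time", "new_device", "ip_error_rate", "ip_login_rate"]


class IncrementalLoginScorer:
    """Online logistic regression updated one labelled login at a time.

    Assumption: this stands in for the incremental algorithm the text names
    (e.g. a Hoeffding tree). What matters here is the interface: score() gives
    a 0..100 abnormal score, learn() folds in one piece of user feedback at once.
    """

    def __init__(self, n_features, learning_rate=0.5):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.lr = learning_rate
        self.n_feedback = 0

    def _prob_abnormal(self, x):
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, x))
        z = max(-30.0, min(30.0, z))          # keep exp() in range
        return 1.0 / (1.0 + math.exp(-z))

    def score(self, x):
        """Abnormal score of one login: 0 = certainly normal, 100 = certainly abnormal."""
        return 100.0 * self._prob_abnormal(x)

    def learn(self, x, is_abnormal):
        """One SGD step on a single labelled login (the user's feedback)."""
        err = self._prob_abnormal(x) - (1.0 if is_abnormal else 0.0)
        self.w = [wi - self.lr * err * xi for wi, xi in zip(self.w, x)]
        self.b -= self.lr * err
        self.n_feedback += 1


def label_from_feedback(user_confirms_own_login):
    """The user's answer to 'was this login you?' becomes the training label."""
    return not user_confirms_own_login


# Constructed feedback stream (not from the patent): (feature vector, user said "it was me").
FEEDBACK = [
    ([0, 0, 0, 0.00, 0.1], True),   # routine login
    ([1, 1, 1, 0.75, 0.4], False),  # new place/time/device during a failing burst
    ([1, 0, 0, 0.00, 0.1], True),   # user travelling, same device: a normal "new place"
    ([1, 0, 1, 0.80, 0.5], False),
    ([0, 1, 0, 0.00, 0.1], True),   # unusual hour only
    ([1, 1, 1, 0.60, 0.3], False),
    ([0, 0, 0, 0.00, 0.2], True),
    ([0, 1, 1, 0.90, 0.6], False),
]


def train_from_feedback(feedback, passes=50):
    """Feed each confirmed answer to the model as it arrives; replaying the
    buffer several times stands in for a longer stream of feedback."""
    model = IncrementalLoginScorer(len(FEATURE_NAMES))
    for _ in range(passes):
        for x, confirms in feedback:
            model.learn(x, label_from_feedback(confirms))
    return model


if __name__ == "__main__":
    m = train_from_feedback(FEEDBACK)
    print("burst login:  ", round(m.score([1, 1, 1, 0.75, 0.4]), 1))
    print("routine login:", round(m.score([0, 0, 0, 0.0, 0.1]), 1))
```

Before any feedback the model scores every login at 50 (it has no opinion); after the feedback stream the burst login scores high and the routine login low, and a travelling user on their usual device is not pushed to the abnormal side because the feedback taught the model that a new place alone is not decisive.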
Active learning:
Asking the user, although directly effective, has a certain impact on the user experience. To keep this impact under control, the number of queries must be limited, while at the same time machine learning must be adequately trained. To meet both requirements, the invention introduces active learning.
Active learning judges, from the machine learning score, whether the current data needs to be labelled accurately by a person and retrained on. For example, if a datum's abnormal score is 0 or 100, machine learning has already determined the result well, and labelling and retraining on it would bring little gain to the model's evolution. Conversely, if a datum scores 50, machine learning is not sure whether the current login is abnormal, and human labelling and retraining can have a large effect. In other words, data with an abnormal score of 50 has a higher training value than data with an abnormal score of 100.
Based on this principle, active learning maintains a threshold range of scores; when a score falls within the range, the data has high training value, so the user is consulted and the model retrained. The threshold range is adjusted continuously with the number of consultations so that only a certain percentage of users receive consultation requests. For example, suppose the initial range is 40-60 and only 20% of users are configured to receive consultation requests. If the proportion of users consulted so far has reached 20% and a new login scores 60, the active learning strategy first decides that the user must be consulted; then, because the consultation rate now exceeds 20%, it narrows the range, for example to 41-59, so that less data is judged to require consultation and the consulted proportion stops growing. Conversely, if the current consultation rate is below 20%, the range can be gradually relaxed until the rate returns to 20%. Active learning is thus equivalent to maintaining a self-adjusting threshold system, which maximises the training value of the training set while keeping the proportion of consulted users in check.
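The active-learning gate of this section, combined with the three-way decision of the embodiments (above the range: handle as abnormal; below: allow; inside: forced authentication, then consult), as an added example that is not the patent's code. The 40-60 range and 20% target are the page's example values; adjusting by one point per side after every login, the floor on the range width, and treating the forced-authentication outcome as a boolean supplied by the caller are assumed design choices:

```python
from dataclasses import dataclass


@dataclass
class ActiveLearningGate:
    """Self-adjusting consultation threshold range (added illustration, not the
    patent's own code).

    Decisions: above the range -> handle as abnormal; below -> allow; inside ->
    forced authentication, then consult the user. After every login the range is
    narrowed while the consulted share exceeds target_rate and relaxed while it
    falls below, one `step` per side (assumed adjustment rule).
    """
    low: float = 40.0
    high: float = 60.0
    target_rate: float = 0.20   # share of users that may receive consultation requests
    step: float = 1.0
    min_width: float = 2.0      # never narrow the range past this width (assumed floor)
    n_logins: int = 0
    n_consulted: int = 0

    def consult_rate(self):
        return self.n_consulted / self.n_logins if self.n_logins else 0.0

    def bounds(self):
        return (self.low, self.high)

    def decide(self, score, forced_auth_passed=True):
        """Return "deny", "allow" or "consult" for one scored login.

        forced_auth_passed is the outcome of the forced authentication step
        (password, phone number, ID number, avatar or gesture check) that the
        text requires before any inquiry; the caller runs it for in-range scores.
        """
        self.n_logins += 1
        if score > self.high:
            decision = "deny"       # above the range: handled directly as an abnormal login
        elif score < self.low:
            decision = "allow"
        elif not forced_auth_passed:
            decision = "deny"       # failed forced authentication: abnormal, no inquiry sent
        else:
            decision = "consult"    # high training value: ask the user, then retrain on the answer
            self.n_consulted += 1
        self._adjust()
        return decision

    def _adjust(self):
        rate = self.consult_rate()
        if rate > self.target_rate and self.high - self.low > self.min_width:
            self.low += self.step
            self.high -= self.step
        elif rate < self.target_rate:
            self.low = max(0.0, self.low - self.step)
            self.high = min(100.0, self.high + self.step)


if __name__ == "__main__":
    # The text's scenario: 20% of users already consulted, then a login scoring 60.
    gate = ActiveLearningGate(n_logins=5, n_consulted=1)
    print(gate.decide(60), gate.bounds())   # consult, range narrows to (41.0, 59.0)
    print(gate.decide(95), gate.bounds())   # deny, rate still above target: (42.0, 58.0)
```

Starting from the page's scenario (one in five users consulted, then a login scoring 60), the gate consults and narrows the range to 41-59; subsequent allow and deny decisions keep narrowing it while the consulted share stays above 20%, and it relaxes again once enough unconsulted logins have brought the share back below target.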
Feedback verification:
It should be noted that, after active learning screening, the queried user may be one whose login behavior is abnormal. This means that the party answering the query may be a malicious attacker rather than the real user. Obviously, an attacker may try to give false feedback in order to degrade the final detection effect of the machine learning system. Therefore, certain verification thresholds must be set so that an attacker cannot give false feedback when answering the query.
In order to collect enough feedback data, the entire feedback process (including verification and auditing) must be completed automatically. As described above, the problem of recognizing abnormal feedback is similar to the problem of recognizing abnormal logins that the present invention attempts to solve. In contrast, however, the login scenario must give more weight to the user experience, while for feedback some strong verification mechanisms that impair the user experience can be added. Because the feedback system is an auxiliary part of the whole detection mechanism, it does not directly affect the user's use of the product. For products with huge user bases, even a small proportion of users willing to participate in the feedback mechanism is enough to drive the self-learning process. Therefore, a strong verification mechanism together with appropriate product design avoids having to introduce yet another anomaly detection method for the feedback itself and keeps the process from becoming overly complicated. Strong verification mechanisms that can be partially trusted include verifying a password, a mobile phone number or an identity card number. The verification effect can be further enhanced with newer verification techniques such as verifying the user's head portrait (avatar) or a gesture, which are also easier for the user to operate.
Finally, since the verification process is limited to automated procedures, one hundred percent correctness cannot be guaranteed. However, handling noise is a common problem in machine learning, and most mainstream algorithms already have relatively mature solutions for it. Therefore, as long as the verification mechanism keeps accuracy at a high level, the small amount of false feedback generated by attackers can be regarded as noise, and its influence can be eliminated automatically by the machine learning algorithm.
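The self-adjusting consultation threshold described under active learning and the verification gate on feedback, as one added example that is not part of the patent or its applicant's code. It assumes scores on a 0-100 scale, approximates the "proportion of users consulted" as consulted logins over logins seen, moves the range by one point per adjustment (as in the 40-60 to 41-59 example), and uses constructed feature values.

```python
"""Self-adjusting consultation threshold with verified feedback (added example)."""
from dataclasses import dataclass, field


@dataclass
class ConsultationGate:
    low: float = 40.0            # initial threshold range from the text: 40-60
    high: float = 60.0
    target_ratio: float = 0.20   # only 20% of users should be consulted
    step: float = 1.0            # assumption: shrink/widen by one point per adjustment
    seen: int = 0                # logins scored so far
    consulted: int = 0           # logins that triggered a consultation
    training_set: list = field(default_factory=list)  # (features, login_ok) pairs

    def consult_ratio(self) -> float:
        # assumption: "proportion of users consulted" ~ consulted logins / logins seen
        return self.consulted / self.seen if self.seen else 0.0

    def decide(self, score: float) -> str:
        """Classify one login by its abnormal score (claims 1 and 3)."""
        self.seen += 1
        if score < self.low:
            return "allow"          # below the range: model is confident it is normal
        if score > self.high:
            return "abnormal"       # above the range: handled as abnormal login
        self.consulted += 1         # inside the range (inclusive): uncertain, worth a label
        return "consult"

    def adjust(self) -> None:
        """Move the range so the consult ratio drifts back toward the target."""
        ratio = self.consult_ratio()
        if ratio > self.target_ratio and self.high - self.low > 2 * self.step:
            self.low += self.step   # too many consultations: shrink the range
            self.high -= self.step
        elif ratio < self.target_ratio:
            self.low = max(0.0, self.low - self.step)     # too few: widen the range
            self.high = min(100.0, self.high + self.step)

    def record_feedback(self, features: dict, verified: bool, login_ok: bool) -> bool:
        """Accept a consulted user's answer only after strong verification passed."""
        if not verified:
            return False            # unverified answer could come from the attacker
        self.training_set.append((features, login_ok))   # label: True = legitimate
        return True


def handle_login(gate: ConsultationGate, score: float, features: dict,
                 verified: bool = False, login_ok: bool = False):
    """One pass of the flow: score -> decide -> (verify, ask) -> adjust threshold."""
    decision = gate.decide(score)
    accepted = False
    if decision == "consult":
        accepted = gate.record_feedback(features, verified, login_ok)
    gate.adjust()
    return decision, accepted


if __name__ == "__main__":
    # Constructed attribute data in the dimensions the claims list.
    features = {"usual_place": False, "usual_time": True, "usual_device": False,
                "error_rate_10min": 0.4, "logins_10min": 12}
    # State from the text: 20% already consulted, new login scores 60.
    gate = ConsultationGate(seen=5, consulted=1)
    print(handle_login(gate, 60, features, verified=True, login_ok=False))
    print((gate.low, gate.high))   # shrinks to 41-59 because the rate exceeded 20%
```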
The application example of the invention provides an abnormal login self-learning detection method based on user feedback. By introducing machine learning into abnormal login detection, the single-dimension problem of traditional methods is solved and excessive manual work is avoided. More importantly, in consideration of the influence of the training set on the machine learning effect, the application example also provides a way of collecting the training set through user feedback, which effectively solves the problem of collecting a training set when applying machine learning. By introducing user feedback while taking the user experience into account, accurate training data can be collected efficiently, and the overall effect of machine learning is effectively improved.
It should be understood that the specific order or hierarchy of steps in the processes disclosed is an example of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not intended to be limited to the specific order or hierarchy presented.
In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification or the claims is intended to mean a "non-exclusive or".
Those of skill in the art will further appreciate that the various illustrative logical blocks, units, and steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate the interchangeability of hardware and software, various illustrative components, elements, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present embodiments.
The various illustrative logical blocks, or elements, described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, a storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC, which may be located in a user terminal. In the alternative, the processor and the storage medium may reside in different components in a user terminal.
In one or more exemplary designs, the functions described above in connection with the embodiments of the invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media that facilitate transfer of a computer program from one place to another. Storage media may be any available media that can be accessed by a general purpose or special purpose computer. For example, such computer-readable media can include, but is not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store program code in the form of instructions or data structures and which can be read by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Additionally, any connection is properly termed a computer-readable medium, and, thus, is included if the software is transmitted from a website, server, or other remote source via a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wirelessly, e.g., infrared, radio, and microwave. Disk and disc, as used herein, include compact disc, laser disc, optical disc, DVD, floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs usually reproduce data optically with lasers. Combinations of the above may also be included in the computer-readable medium.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. An abnormal login detection method, characterized in that the method comprises:
when a user login is detected, acquiring a user login log of the current user;
acquiring multidimensional attribute data of the current user login according to the user login log of the current user;
according to the multidimensional attribute data of the current user login, performing abnormal scoring on the current user login by using an established user login machine learning model, and acquiring an abnormal score value of the current user login;
if the abnormal score value is judged to be within a set abnormal score threshold range, initiating to the current user an inquiry as to whether the current user login is allowed, wherein the abnormal score threshold range is adjusted according to the proportion of users who have been inquired so far: if the proportion of users who have been inquired exceeds a set proportion, the threshold range is contracted, and if the proportion of users who have been inquired is lower than the set proportion, the threshold range is widened;
processing whether the current user login is allowed according to the inquiry feedback result of the current user;
the method for establishing the user login machine learning model comprises the following steps:
obtaining a plurality of sample user login logs;
acquiring multidimensional attribute data and login results of the login of the plurality of sample users according to the login logs of the plurality of sample users;
and performing machine learning by using the multidimensional attribute data and the login results of the login of the plurality of sample users and adopting an incremental machine learning algorithm to establish a user login machine learning model.
2. The abnormal login detection method of claim 1, the method further comprising:
and taking the multidimensional attribute data and the login result of the current user as a training set, performing machine learning by adopting an incremental machine learning algorithm, and correcting the login machine learning model of the user.
3. The abnormal login detection method of claim 1, further comprising:
if the abnormal score value is judged to be higher than the maximum value in the set abnormal score threshold range, processing is directly carried out according to abnormal login;
and if the abnormal score value is judged to be lower than the minimum value in the set abnormal score threshold range, allowing login.
4. The abnormal login detection method of any one of claims 1-3, wherein the multidimensional attribute data comprises: whether the login belongs to a common login place, whether the login belongs to a common login time, whether the login belongs to common login equipment, and statistical dimension data; the statistical dimension data comprises: the error rate within a preset time and the number of logins within a preset time;
if the abnormal score value is judged to be within the set abnormal score threshold range, before the inquiry as to whether the current user login is allowed is sent to the current user, the method further comprises the following steps:
forcibly verifying the current user through at least one of the following modes: verifying a password, a mobile phone number, an identity card number, a user head portrait and a gesture; and
confirming that the forced verification has passed.
5. An abnormal login detection apparatus, the apparatus comprising:
a preprocessing unit, used for acquiring a user login log of the current user when a user login is detected, and acquiring multidimensional attribute data of the current user login according to the user login log of the current user;
a machine learning unit, used for performing abnormal scoring on the current user login by using an established user login machine learning model according to the multidimensional attribute data of the current user login, to obtain an abnormal score value of the current user login;
an active learning unit, used for initiating to the current user an inquiry as to whether the current user login is allowed if the abnormal score value is judged to be within a set abnormal score threshold range, wherein the abnormal score threshold range is adjusted according to the proportion of users who have been inquired so far: if the proportion of users who have been inquired exceeds a set proportion, the threshold range is contracted, and if the proportion of users who have been inquired is lower than the set proportion, the threshold range is widened;
an exception handling unit, used for processing whether the current user login is allowed according to the inquiry feedback result of the current user;
the preprocessing unit is also used for acquiring a plurality of sample user login logs; acquiring multidimensional attribute data and login results of the login of the plurality of sample users according to the login logs of the plurality of sample users;
the machine learning unit includes:
and the user login machine learning model establishing module is used for performing machine learning by using the multidimensional attribute data and login results of the login of the plurality of sample users and adopting an incremental machine learning algorithm to establish the user login machine learning model.
6. The abnormal login detection device of claim 5,
the machine learning unit further comprises:
and the user login machine learning model correction module is used for performing machine learning by using the multidimensional attribute data and the login result of the current user as a training set and adopting an incremental machine learning algorithm to correct the user login machine learning model.
7. The abnormal login detection device of claim 5,
the exception handling unit is also used for directly processing the login as an abnormal login if the abnormal score value is judged to be higher than the maximum value of the set abnormal score threshold range;
and the exception handling unit is also used for allowing the login if the abnormal score value is judged to be lower than the minimum value of the set abnormal score threshold range.
8. The abnormal login detection apparatus of any one of claims 5-7, wherein the multidimensional attribute data comprises: whether the login belongs to a common login place, whether the login belongs to a common login time, whether the login belongs to common login equipment, and statistical dimension data; the statistical dimension data comprises: the error rate within a preset time and the number of logins within a preset time;
the active learning unit includes:
a forced verification module, used for forcibly verifying the current user through at least one of the following modes before the inquiry as to whether the current user login is allowed is sent to the current user, if the abnormal score value is judged to be within the set abnormal score threshold range: verifying a password, a mobile phone number, an identity card number, a user head portrait and a gesture; and for confirming that the forced verification has passed.
CN201710318612.9A 2017-05-08 2017-05-08 Abnormal login detection method and device Active CN107276982B (en)
Publications (2)

Publication Number Publication Date
CN107276982A CN107276982A (en) 2017-10-20
CN107276982B true CN107276982B (en) 2020-10-30
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant