CN108989150A - Login anomaly detection method and device - Google Patents

Publication number
CN108989150A
Authority
CN
China
Legal status
Granted
Application number
CN201810798720.5A
Other languages
Chinese (zh)
Other versions
CN108989150B (en)
Inventor
赵志伟
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

Embodiments of the invention provide a login anomaly detection method and device. The method includes: obtaining the current login log of a user to be detected, where the current login log includes at least one first login identifier and the first login data to be matched that belongs to each first login identifier; extracting, from the first login data to be matched, the second login data to be matched that belongs to a second login identifier in an abnormal login identifier library, where the abnormal login identifier library is a set of multiple login identifiers used to judge whether a user's login is abnormal; and judging whether the second login data to be matched matches the common login data belonging to the second login identifier in the user's common login data set and, if it does not match, determining that the login of the user to be detected is abnormal, where the user's common login data set is the set of common login data belonging to the second login identifier, compiled from the historical login logs of the user to be detected. This scheme improves the accuracy of judging whether a user's login is abnormal.

Description

Login anomaly detection method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a login anomaly detection method and device.
Background
With the wide application and rapid development of network technology, threats to network information security keep increasing. To cope with abnormal access by illegitimate users, the user name and login password entered when a user accesses the network are obtained. The server looks up the reference password corresponding to the user name among the stored passwords and judges whether the user's login password is consistent with the reference password; if it is not, the user's login is considered abnormal.
If a legitimate user's login password is stolen, the above method cannot guarantee the security of the user account. To improve account security, legal login data such as the legal login location and legal login time are usually set manually. After verifying the user's login password, the server judges whether the user's current login data satisfies the legal login data; if it does not, the user's login is considered abnormal.
However, because the manually set legal login data is fixed, false positives and missed detections occur easily. For example, if the legal login time is set to 9:00-17:30 and the user logs in at 21:00 to handle an emergency, the login is identified as abnormal because the current login time does not satisfy the legal login time. As a result, the accuracy of judging whether a user's login is abnormal is low.
Summary of the invention
The purpose of the embodiments of the invention is to provide a login anomaly detection method and device that improve the accuracy of judging whether a user's login is abnormal. The specific technical solutions are as follows:
In a first aspect, an embodiment of the invention provides a login anomaly detection method, the method comprising:
Obtaining the current login log of a user to be detected, where the current login log includes at least one first login identifier and the first login data to be matched that belongs to each first login identifier;
Extracting, from the first login data to be matched, the second login data to be matched that belongs to a second login identifier in an abnormal login identifier library, where the abnormal login identifier library is a set of multiple login identifiers used to judge whether a user's login is abnormal, and the at least one first login identifier includes the second login identifier;
Judging whether the second login data to be matched matches the common login data belonging to the second login identifier in the user's common login data set and, if it does not match, determining that the login of the user to be detected is abnormal, where the user's common login data set is the set of common login data belonging to the second login identifier, compiled from the historical login logs of the user to be detected.
In a second aspect, an embodiment of the invention provides a login anomaly detection device, the device comprising:
An obtaining module, configured to obtain the current login log of a user to be detected, where the current login log includes at least one first login identifier and the first login data to be matched that belongs to each first login identifier;
An extraction module, configured to extract, from the first login data to be matched, the second login data to be matched that belongs to a second login identifier in an abnormal login identifier library, where the abnormal login identifier library is a set of multiple login identifiers used to judge whether a user's login is abnormal, and the at least one first login identifier includes the second login identifier;
A judgment module, configured to judge whether the second login data to be matched matches the common login data belonging to the second login identifier in the user's common login data set and, if it does not match, to determine that the login of the user to be detected is abnormal, where the user's common login data set is the set of common login data belonging to the second login identifier, compiled from the historical login logs of the user to be detected.
In a third aspect, an embodiment of the invention provides a server including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions cause the processor to perform the method steps of the first aspect of the embodiments of the invention.
In a fourth aspect, an embodiment of the invention provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to perform the method steps of the first aspect of the embodiments of the invention.
In the login anomaly detection method and device provided by the embodiments of the invention, the current login log of the user to be detected is obtained; from the first login data to be matched included in the current login log, the second login data to be matched that belongs to a second login identifier in the abnormal login identifier library is extracted; and it is judged whether the second login data to be matched matches the common login data belonging to the second login identifier in the user's common login data set. If it does not match, the login of the user to be detected is determined to be abnormal. The abnormal login identifier library is a set of multiple login identifiers used to judge whether a user's login is abnormal, and the user's common login data set is the set of common login data belonging to the second login identifier, compiled from the historical login logs of the user to be detected. Whether the user's current login is abnormal is judged against the user's own historical login logs, so no legal login data has to be set manually. Because the common login data in the user's common login data set is derived from the user's historical login logs, the accuracy of judging whether a user's login is abnormal is improved.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the login anomaly detection method of an embodiment of the invention;
Fig. 2 is a flow diagram of building the user's common login data set in an embodiment of the invention;
Fig. 3 is a structural diagram of the login anomaly detection device of an embodiment of the invention;
Fig. 4 is a structural diagram of the server of an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
To improve the accuracy of judging whether a user's login is abnormal, the embodiments of the invention provide a login anomaly detection method, a device, a server and a machine-readable storage medium.
The login anomaly detection method provided by the embodiments of the invention is introduced first.
The method may be executed by a server that provides a situational awareness and unified log collection and processing platform for user logins. The method may be implemented by at least one of software, a hardware circuit, a logic circuit or a processor provided in the executing entity.
As shown in Fig. 1, the login anomaly detection method provided by an embodiment of the invention may include the following steps.
S101: obtain the current login log of the user to be detected.
The current login log includes at least one first login identifier and the first login data to be matched that belongs to each first login identifier. The current login log is the set of login identifiers generated when the user to be detected currently accesses the network, together with the login data belonging to each of those identifiers. It is usually generated after login password authentication. For example, the first login identifiers may include a login time identifier, a login region identifier, a login terminal address identifier and a login failure identifier. The current login log may then include the login time identifier of the user to be detected and the corresponding specific login time data, the login region identifier and the corresponding specific login region data, the login terminal address identifier and the corresponding specific login terminal address data, the login failure identifier and the corresponding specific number of login failures, and so on.
The user to be detected accesses the network through network access devices such as an SSLVPN (Security Socket Layer-Virtual Private Network, a virtual private network based on the secure socket layer protocol) gateway or an EAD (Endpoint Admission Defense) gateway. After receiving the access request of the user to be detected, these network access devices generate device logs, which generally include user name information, destination IP address information, source IP address information and so on. The current login log of the user to be detected can be obtained from the device logs.
Optionally, S101 may specifically include:
Obtaining the device logs generated by each network access device when the user to be detected accesses the network through that device;
Normalizing each device log to obtain a processed first device log, where the first device log includes at least user name information, destination address information and source address information;
Based on the user name information, the destination address information and the source address information, looking up in the corresponding preset behavior matching databases the first login identifiers that match the user name information, the destination address information and the source address information respectively, together with the first login data to be matched that belongs to each first login identifier, and obtaining the current login log of the user to be detected from the first login identifiers and the first login data to be matched.
Different network access devices use different data formats in their device logs. For ease of processing, the obtained device logs are normalized, so that the data in the normalized first device log has a unified format. Device logs do not contain operations information such as user or asset details, so the first device log needs to be expanded with data. This enriches it with first login identifiers such as a user personal identifier, a user login region identifier, an identifier of the asset the user accesses and an identifier of the business system the user accesses, together with the first login data to be matched that belongs to each first login identifier, such as the specific user personal data, user login region data, data on the asset the user accesses and data on the business system the user accesses. The first login identifiers and first login data to be matched obtained in this way make up the current login log.
The server stores multiple behavior matching databases, for example a behavior matching database that maps user name information to user personal identifiers/data, one that maps destination address information to identifiers/data of the asset the user accesses, one that maps destination address information to identifiers/data of the business system the user accesses, and one that maps source address information to user login region identifiers/data. Message middleware is a software platform that executes real-time tasks and can match the information in a device log to login identifiers/login data. For example, the information in the device log is fed into the message middleware of a Kafka server cluster, and the middleware's real-time data flow task uses that information to find the matching first login identifiers and first login data to be matched in the behavior matching databases. If the device log information is user name information, for instance, the real-time data flow task can perform the following step: based on the user name information, match against the behavior matching database that maps user name information to user personal identifiers/data, obtain the user personal identifier and user personal data corresponding to the user name information, and let the user personal identifier and user personal data form part of the current login log.
After the current login log of the user to be detected is obtained, it can be stored in a database such as HBase for use in visual log search. When performing login anomaly detection, the server can also obtain the current login log from the database.
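The normalization and expansion steps of S101, as an added Python example that is not code from the patent. The two device log formats, the field names, the lookup tables standing in for the behavior matching databases and the identifier names such as `login_region` are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed device logs in two made-up vendor formats (not real gateway output).
SSLVPN_LOG = 'ts=2018-07-19T21:00:03 user="zhangsan" src=203.0.113.7 dst=10.1.2.20'
EAD_LOG = ('{"time": "2018-07-19 21:00:05", "account": "zhangsan", '
           '"client_ip": "198.51.100.9", "server_ip": "10.1.3.30"}')

# Hypothetical stand-ins for the preset behavior matching databases.
USER_DB = {"zhangsan": "Zhang San, finance department"}
ASSET_DB = {"10.1.2.20": "erp-server-01"}
BUSINESS_DB = {"10.1.2.20": "ERP"}
REGION_DB = [(ipaddress.ip_network("203.0.113.0/24"), "Shanghai"),
             (ipaddress.ip_network("198.51.100.0/24"), "Beijing")]


def normalize(device, raw):
    """Reduce one device log to the unified fields of the first device log."""
    if device == "sslvpn":
        kv = dict(tok.split("=", 1) for tok in raw.split())
        rec = {"username": kv["user"].strip('"'),
               "src_addr": kv["src"], "dst_addr": kv["dst"]}
    elif device == "ead":
        j = json.loads(raw)
        rec = {"username": j["account"],
               "src_addr": j["client_ip"], "dst_addr": j["server_ip"]}
    else:
        raise ValueError(f"no normalizer for device type {device!r}")
    # Reject malformed addresses here so later lookups never see raw text.
    for field in ("src_addr", "dst_addr"):
        rec[field] = str(ipaddress.ip_address(rec[field]))
    return rec


def region_of(addr):
    """Map a source address to a login region via the region database."""
    ip = ipaddress.ip_address(addr)
    return next((name for net, name in REGION_DB if ip in net), "unknown")


def current_login_log(device, raw):
    """S101: normalize, then expand into login identifiers and their data."""
    rec = normalize(device, raw)
    return {
        "user_personal": USER_DB.get(rec["username"], "unknown"),
        "login_region": region_of(rec["src_addr"]),
        "accessed_asset": ASSET_DB.get(rec["dst_addr"], "unknown"),
        "accessed_business_system": BUSINESS_DB.get(rec["dst_addr"], "unknown"),
    }


if __name__ == "__main__":
    print(current_login_log("sslvpn", SSLVPN_LOG))
    print(current_login_log("ead", EAD_LOG))
```

A lookup miss is kept as "unknown" rather than dropped, so the value still reaches the later comparison against the common login data.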
S102: from the first login data to be matched, extract the second login data to be matched that belongs to a second login identifier in the abnormal login identifier library.
The abnormal login identifier library is a set of multiple login identifiers used to judge whether a user's login is abnormal, and the at least one first login identifier includes the second login identifier.
A login identifier identifies the login behavior a user generates when accessing the network. The abnormal login identifier library may include at least one of the following login identifiers: a user login region identifier, a user login failure identifier, a user failed application system access identifier, an identifier for the same IP address being online simultaneously, an identifier for the same user being online simultaneously, an identifier for a user logging in from multiple regions far apart within a certain period, an identifier for repeated logins to the application system the user accesses, an identifier of the terminal the user logs in from, and so on. The login identifiers in the abnormal login identifier library can be set as required. For example, if the user's login region and failed accesses are of concern, the abnormal login identifier library may include the user login region identifier, the user login failure identifier and the user failed application system access identifier. Considering multiple login identifiers together improves the accuracy of judging abnormal user logins.
The current login log may include login identifiers other than the second login identifiers in the abnormal login identifier library. For example, the second login identifiers include the user login region identifier, the user login failure identifier and the user failed application system access identifier, while the first login identifiers in the current login log include the user login region identifier, the user login failure identifier, the user failed application system access identifier, the identifier for the same IP address being online simultaneously and the identifier for the same user being online simultaneously. The current login log therefore contains two identifiers that are not second login identifiers: the identifier for the same IP address being online simultaneously and the identifier for the same user being online simultaneously. To detect whether the user's current login is abnormal, the second login data to be matched that belongs to the second login identifiers in the abnormal login identifier library is first extracted from the first login data to be matched in the current login log, and is used as the condition for deciding whether the user's login is abnormal.
S103: judge whether the second login data to be matched matches the common login data belonging to the second login identifier in the user's common login data set; if it does not match, determine that the login of the user to be detected is abnormal.
The user's common login data set is the set of common login data belonging to the second login identifier, compiled from the historical login logs of the user to be detected. It holds, for the second login identifiers in the abnormal login identifier library, the common login data that belongs to each of them.
Take the case where the second login identifier is the user login region identifier. The user's common login data set is then the set of common login region data of the user to be detected. Suppose the user to be detected usually logs in from Shanghai. If the specific region data extracted from the current login log shows that the user is currently logging in from Beijing, while the common login region data in the common behavior set is Shanghai, the match fails and the login of the user to be detected is determined to be abnormal. If the specific region data extracted from the current login log is Shanghai and the common login region data in the common behavior set is also Shanghai, the match succeeds and the user to be detected can be determined to be a legitimate user. Cases where the second login identifier is another type of login identifier are analogous to the user login region example and are not listed one by one here. The matching process can be implemented by a real-time information flow task such as a Spark real-time analysis task.
Optionally, as shown in Fig. 2, the user's common login data set may be determined through the following steps.
S201: obtain the historical login log of the user to be detected, where the historical login log includes at least one third login identifier and the first historical login data that belongs to each third login identifier.
The historical login log includes the third login identifiers generated when the user to be detected accessed the network in the past and the first historical login data belonging to each third login identifier. It can be obtained by expanding the historical device logs generated when the user to be detected accessed the network in the past. The specific process of obtaining the historical login log is the same as the process of obtaining the current login log described above and is not repeated here.
Optionally, S201 may specifically be: according to a predetermined period, obtain the historical login log of the user to be detected within the predetermined period.
S202: from the first historical login data, extract the second historical login data that belongs to a second login identifier in the abnormal login identifier library, where the at least one third login identifier includes the second login identifier.
The historical login log may include login identifiers other than the second login identifiers in the abnormal login identifier library. For example, the second login identifiers include the user login region identifier, the user login failure identifier and the user failed application system access identifier, while the third login identifiers in the historical login log include the user login region identifier, the user login failure identifier, the user failed application system access identifier, the identifier for the same IP address being online simultaneously and the identifier for the same user being online simultaneously. The historical login log therefore contains two identifiers that are not second login identifiers: the identifier for the same IP address being online simultaneously and the identifier for the same user being online simultaneously. The second historical login data belonging to the second login identifiers needs to be extracted from the first historical login data, that is, the data corresponding to the user login region identifier, the data corresponding to the user login failure identifier and the data corresponding to the user failed application system access identifier in the historical login log.
S203: based on the second historical login data belonging to each second login identifier, compute the historical statistics corresponding to each second login identifier.
S204: for each second login identifier, when the historical statistics corresponding to that identifier satisfy the specified baseline corresponding to that identifier, determine that the second historical login data belonging to that identifier is common login data.
The specified baseline corresponding to a second login identifier is the basis for classifying common login data, that is, the criterion for deciding whether the second historical login data belonging to the second login identifier is common login data. For example, if the second login identifier in the abnormal login identifier library is the user login region identifier, the specified baseline corresponding to it can be set to the proportion of the user's logins from a given region exceeding 90%. Suppose that in the historical login log 50 login region entries are Beijing and 5 are Shanghai. Beijing's proportion exceeds 90%, so Beijing is considered the common login region data of the user to be detected. As another example, if the second login identifier in the abnormal login identifier library is the user login failure identifier, the specified baseline corresponding to it can be set to the user's number of login failures in one day being less than 5.
Before S203, the login anomaly detection method provided by the embodiments of the invention may also perform the following steps:
Obtaining, for each predetermined period, the number of second historical login data entries in the historical login log that belong to each second login identifier, and the initial baseline corresponding to each second login identifier;
For each second login identifier, weighting the number of second historical login data entries belonging to that identifier in each predetermined period against the initial baseline corresponding to that identifier, to obtain the specified baseline corresponding to that identifier.
The predetermined period can be an hour, a day, a week and so on. Usually, the historical login log of the user to be detected is obtained daily. Take the case where the second login identifier in the abnormal login identifier library is the user login failure identifier. Over the working days of one week, the numbers of login failures obtained for the user to be detected are 3, 2, 10, 1 and 0. The more login failures there are, the more likely the login is abnormal, so the maximum count can be weighted with the initial baseline to obtain the specified baseline corresponding to the second login identifier. For example, the maximum failure count for the user login failure identifier is 10, and the initially set baseline for the failure count is 5. To improve the accuracy of the baseline, a weight of 0.3 can be assigned to the maximum count and a weight of 0.7 to the initial baseline. The weighted calculation 10*0.3+5*0.7=6.5 gives a specified baseline for the user login failure identifier of greater than 6.5 failures. Alternatively, 90%, 95% or a similar proportion of the maximum count can be taken and then weighted with the initial baseline to obtain the specified baseline. Because the user's login was already abnormal at the maximum number of login failures, the accuracy of the baseline can be improved further by taking 90% of the maximum count in the example above and then weighting: 10*0.9*0.3+5*0.7=6.2, which gives a specified baseline for the user login failure identifier of greater than 6.2 failures.
S205: determine the set formed by the common login data belonging to each second login identifier as the user's common login data set.
In this embodiment, a user behavior knowledge base can also be built from the second historical login data in the first historical login data that belongs to the second login identifiers in the abnormal login identifier library. The common login data in the user behavior knowledge base that satisfies the specified baseline of each second login identifier is then compiled according to the specified baselines, to establish the user's common login data set. The user behavior knowledge base can be built by an information flow statistics task such as a Spark statistical learning task. The information flow statistics task is a specific software implementation of building the user behavior knowledge base, and it mainly performs the following step: build the user behavior knowledge base from the second historical login data in the first historical login data that belongs to the second login identifiers in the abnormal login identifier library. The specific software implementation is not limited here, and any programming language may be used.
To achieve better judgment accuracy, for example a stricter requirement on the number of user login failures where the previously set baseline was greater than 6 and the stricter requirement sets it to greater than 4, the baseline can be adjusted or relearned, for example by resetting the weights or distribution probabilities, or by reacquiring and analyzing the historical login data in the historical login log.
Optionally, after S103, the method provided by the embodiments of the invention may also perform the following step:
According to the second login data to be matched, output abnormality alarm information about the user to be detected.
The abnormality alarm information may include an alarm indication, which reminds administrators that a user has logged in abnormally. It may also include the cause of the abnormality, for example that the login region is not a common region, the login time is not a common time, or the number of login failures is excessive. It may also include the threat level of the abnormality; for example, an excessive number of login failures carries a high threat level, so high threat level information can be output. As a specific way of outputting, the abnormality alarm information can be sent to a unified alarm platform, which raises the alarm according to the abnormality alarm information.
In this embodiment, the current login log of the user to be detected is obtained; from the first login data to be matched included in the current login log, the second login data to be matched that belongs to a second login identifier in the abnormal login identifier library is extracted; and it is judged whether the second login data to be matched matches the common login data belonging to the second login identifier in the user's common login data set. If it does not match, the login of the user to be detected is determined to be abnormal. The abnormal login identifier library is a set of multiple login identifiers used to judge whether a user's login is abnormal, and the user's common login data set is the set of common login data belonging to the second login identifier, compiled from the historical login logs of the user to be detected. Whether the user's current login is abnormal is judged against the user's own historical login logs, so no legal login data has to be set manually. Because the common login data in the user's common login data set is derived from the user's historical login logs, the accuracy of judging whether a user's login is abnormal is improved. The embodiments of this application consider the user's login behavior more comprehensively rather than measuring only a single login behavior, which gives a more complete judgment of whether a user's login is abnormal and effectively avoids the low accuracy caused by the one-sidedness of manual settings.
Corresponding to the above method embodiment, an embodiment of the present invention provides a login abnormality detection device. As shown in Fig. 3, the device may include:
An acquisition module 310, configured to obtain the current login log of the user to be detected, the current login log including at least one first login banner and the first to-be-matched logon data corresponding to the first login banner;
An extraction module 320, configured to extract, from the first to-be-matched logon data, the second to-be-matched logon data belonging to a second login banner in the abnormal login home banking, where the abnormal login home banking is the set of login banners used to judge whether a user's login is abnormal, and the at least one first login banner includes the second login banner;
A judgment module 330, configured to judge whether the second to-be-matched logon data matches the common logon data belonging to the second login banner in the user common logon data set and, if it does not match, to determine that the user to be detected has logged in abnormally, where the user common logon data set is the set of common logon data belonging to the second login banner, obtained by statistics over the historical login logs of the user to be detected.
Optionally, the acquisition module 310 may specifically be configured to:
Obtain the device logs generated by each network access device when the user to be detected accesses the network through that network access device;
Normalize each device log to obtain a processed first device log, the first device log including at least username information, destination address information and source address information;
Based on the username information, the destination address information and the source address information, look up, in the corresponding preset behavior matching database, the first login banners that respectively match the username information, the destination address information and the source address information, together with the first to-be-matched logon data corresponding to each first login banner, and obtain the current login log of the user to be detected from the first login banners and the first to-be-matched logon data.
Optionally, the acquisition module 310 may also be configured to obtain the historical login logs of the user to be detected, the historical login logs including at least one third login banner and the first historical log data corresponding to the third login banner;
The extraction module 320 may also be configured to extract, from the first historical log data, the second historical log data belonging to the second login banner in the abnormal login home banking, where the at least one third login banner includes the second login banner;
The device may also include:
A statistics module, configured to compute, based on the second historical log data belonging to each second login banner, the historical statistical data corresponding to each second login banner;
A determining module, configured to determine, for each second login banner, that the second historical log data belonging to that second login banner is common logon data when the historical statistical data corresponding to that second login banner meets the specified baseline corresponding to that second login banner, and to determine the set formed by the common logon data belonging to each second login banner as the user common logon data set.
Optionally, the acquisition module 310 may specifically be configured to obtain, according to a predetermined period, multiple historical login logs of the user to be detected within the predetermined period;
The acquisition module 310 may also be configured to obtain, for each predetermined period, the number of second historical log data belonging to each second login banner in the historical login logs, and the initial baseline corresponding to each second login banner;
The device may also include:
A weighting module, configured to weight, for each second login banner and based on the initial baseline corresponding to that second login banner, the numbers of second historical log data belonging to that second login banner in each predetermined period, to obtain the specified baseline corresponding to that second login banner.
Optionally, the device may also include:
An output module, configured to output abnormality alarm information about the user to be detected according to the second to-be-matched logon data.
With this embodiment, the current login log of the user to be detected is obtained; from the first to-be-matched logon data included in the current login log, the second to-be-matched logon data belonging to a second login banner in the abnormal login home banking is extracted; and it is judged whether the second to-be-matched logon data matches the common logon data belonging to the second login banner in the user common logon data set. If it does not match, the user to be detected is determined to have logged in abnormally. The abnormal login home banking is the set of login banners used to judge whether a user's login is abnormal. The user common logon data set is the set of common logon data belonging to the second login banner, obtained by statistics over the historical login logs of the user to be detected. Whether the user's current login is abnormal is therefore assessed against that user's own historical login logs, and legitimate logon data does not have to be configured manually; because the common logon data in the set is derived from the user's historical login logs, the accuracy of judging whether a login is abnormal improves. The embodiment of the present application considers the user's login behavior more comprehensively rather than measuring only a single login behavior, so the judgment of whether a login is abnormal is more complete, and the low accuracy caused by the one-sidedness of manual configuration is effectively avoided.
An embodiment of the present invention also provides a server. As shown in Fig. 4, it includes a processor 401 and a machine readable storage medium 402. The machine readable storage medium 402 stores machine-executable instructions that can be executed by the processor 401, and the machine-executable instructions cause the processor 401 to perform all steps of the login abnormality detection method provided by the embodiments of the present invention.
The above computer readable storage medium may include RAM (Random Access Memory) and may also include NVM (Non-volatile Memory), for example at least one magnetic disk storage. Optionally, the computer readable storage medium may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a CPU (Central Processing Unit), an NP (Network Processor) and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In this embodiment, the processor 401 reads the machine-executable instructions stored in the machine readable storage medium 402 and is caused by those instructions to implement the following: the current login log of the user to be detected is obtained; from the first to-be-matched logon data included in the current login log, the second to-be-matched logon data belonging to a second login banner in the abnormal login home banking is extracted; and it is judged whether the second to-be-matched logon data matches the common logon data belonging to the second login banner in the user common logon data set. If it does not match, the user to be detected is determined to have logged in abnormally. The abnormal login home banking is the set of login banners used to judge whether a user's login is abnormal. The user common logon data set is the set of common logon data belonging to the second login banner, obtained by statistics over the historical login logs of the user to be detected. Whether the user's current login is abnormal is therefore assessed against that user's own historical login logs, and legitimate logon data does not have to be configured manually; because the common logon data in the set is derived from the user's historical login logs, the accuracy of judging whether a login is abnormal improves.
In addition, to improve the accuracy of judging whether a user's login is abnormal, an embodiment of the present invention provides a machine readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to perform all steps of the login abnormality detection method provided by the embodiments of the present invention.
In this embodiment, the machine readable storage medium stores machine-executable instructions that, at run time, perform the login abnormality detection method provided by the embodiments of the present invention, and can therefore implement the following: the current login log of the user to be detected is obtained; from the first to-be-matched logon data included in the current login log, the second to-be-matched logon data belonging to a second login banner in the abnormal login home banking is extracted; and it is judged whether the second to-be-matched logon data matches the common logon data belonging to the second login banner in the user common logon data set. If it does not match, the user to be detected is determined to have logged in abnormally. The abnormal login home banking is the set of login banners used to judge whether a user's login is abnormal. The user common logon data set is the set of common logon data belonging to the second login banner, obtained by statistics over the historical login logs of the user to be detected. Whether the user's current login is abnormal is therefore assessed against that user's own historical login logs, and legitimate logon data does not have to be configured manually; because the common logon data in the set is derived from the user's historical login logs, the accuracy of judging whether a login is abnormal improves.
Because the method content involved in the server and machine readable storage medium embodiments is substantially similar to the foregoing method embodiment, they are described relatively briefly; for the relevant parts, refer to the description of the method embodiment.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element qualified by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; for the same or similar parts, the embodiments may refer to each other, and each embodiment focuses on its differences from the other embodiments. In particular, the device, server and machine readable storage medium embodiments are substantially similar to the method embodiment and are therefore described relatively briefly; for the relevant parts, refer to the description of the method embodiment.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the protection scope of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention is included in the protection scope of the present invention.

Claims (10)

1. A login abnormality detection method, characterized in that the method comprises:
obtaining the current login log of a user to be detected, the current login log including at least one first login banner and the first to-be-matched logon data corresponding to the first login banner;
extracting, from the first to-be-matched logon data, the second to-be-matched logon data belonging to a second login banner in an abnormal login home banking, the abnormal login home banking being the set of login banners used to judge whether a user's login is abnormal, and the at least one first login banner including the second login banner;
judging whether the second to-be-matched logon data matches the common logon data belonging to the second login banner in a user common logon data set and, if it does not match, determining that the user to be detected has logged in abnormally, the user common logon data set being the set of common logon data belonging to the second login banner, obtained by statistics over the historical login logs of the user to be detected.
2. The method according to claim 1, characterized in that obtaining the current login log of the user to be detected comprises:
obtaining the device logs generated by each network access device when the user to be detected accesses the network through that network access device;
normalizing each device log to obtain a processed first device log, the first device log including at least username information, destination address information and source address information;
based on the username information, the destination address information and the source address information, looking up, in the corresponding preset behavior matching database, the first login banners that respectively match the username information, the destination address information and the source address information, together with the first to-be-matched logon data corresponding to each first login banner, and obtaining the current login log of the user to be detected from the first login banners and the first to-be-matched logon data.
3. The method according to claim 1, characterized in that the method further comprises:
obtaining the historical login logs of the user to be detected, the historical login logs including at least one third login banner and the first historical log data corresponding to the third login banner;
extracting, from the first historical log data, the second historical log data belonging to the second login banner in the abnormal login home banking, the at least one third login banner including the second login banner;
computing, based on the second historical log data belonging to each second login banner, the historical statistical data corresponding to each second login banner;
for each second login banner, when the historical statistical data corresponding to that second login banner meets the specified baseline corresponding to that second login banner, determining that the second historical log data belonging to that second login banner is common logon data;
determining the set formed by the common logon data belonging to each second login banner as the user common logon data set.
4. The method according to claim 3, characterized in that obtaining the historical login logs of the user to be detected comprises:
obtaining, according to a predetermined period, the historical login logs of the user to be detected within the predetermined period;
and in that, before the step of determining, for each second login banner, that the second historical log data belonging to that second login banner is common logon data when the historical statistical data corresponding to that second login banner meets the specified baseline corresponding to that second login banner, the method further comprises:
obtaining, for each predetermined period, the number of second historical log data belonging to each second login banner in the historical login logs, and the initial baseline corresponding to each second login banner;
for each second login banner, weighting, based on the initial baseline corresponding to that second login banner, the numbers of second historical log data belonging to that second login banner in each predetermined period, to obtain the specified baseline corresponding to that second login banner.
5. The method according to claim 1, characterized in that, after determining that the user to be detected has logged in abnormally, the method further comprises:
outputting abnormality alarm information about the user to be detected according to the second to-be-matched logon data.
6. A login abnormality detection device, characterized in that the device comprises:
an acquisition module, configured to obtain the current login log of a user to be detected, the current login log including at least one first login banner and the first to-be-matched logon data corresponding to the first login banner;
an extraction module, configured to extract, from the first to-be-matched logon data, the second to-be-matched logon data belonging to a second login banner in an abnormal login home banking, the abnormal login home banking being the set of login banners used to judge whether a user's login is abnormal, and the at least one first login banner including the second login banner;
a judgment module, configured to judge whether the second to-be-matched logon data matches the common logon data belonging to the second login banner in a user common logon data set and, if it does not match, to determine that the user to be detected has logged in abnormally, the user common logon data set being the set of common logon data belonging to the second login banner, obtained by statistics over the historical login logs of the user to be detected.
7. The device according to claim 6, characterized in that the acquisition module is specifically configured to:
obtain the device logs generated by each network access device when the user to be detected accesses the network through that network access device;
normalize each device log to obtain a processed first device log, the first device log including at least username information, destination address information and source address information;
based on the username information, the destination address information and the source address information, look up, in the corresponding preset behavior matching database, the first login banners that respectively match the username information, the destination address information and the source address information, together with the first to-be-matched logon data corresponding to each first login banner, and obtain the current login log of the user to be detected from the first login banners and the first to-be-matched logon data.
8. The device according to claim 6, characterized in that the acquisition module is further configured to obtain the historical login logs of the user to be detected, the historical login logs including at least one third login banner and the first historical log data corresponding to the third login banner;
the extraction module is further configured to extract, from the first historical log data, the second historical log data belonging to the second login banner in the abnormal login home banking, the at least one third login banner including the second login banner;
the device further comprises:
a statistics module, configured to compute, based on the second historical log data belonging to each second login banner, the historical statistical data corresponding to each second login banner;
a determining module, configured to determine, for each second login banner, that the second historical log data belonging to that second login banner is common logon data when the historical statistical data corresponding to that second login banner meets the specified baseline corresponding to that second login banner, and to determine the set formed by the common logon data belonging to each second login banner as the user common logon data set.
9. The device according to claim 8, characterized in that the acquisition module is specifically configured to obtain, according to a predetermined period, the historical login logs of the user to be detected within the predetermined period;
the acquisition module is further configured to obtain, for each predetermined period, the number of second historical log data belonging to each second login banner in the historical login logs, and the initial baseline corresponding to each second login banner;
the device further comprises:
a weighting module, configured to weight, for each second login banner and based on the initial baseline corresponding to that second login banner, the numbers of second historical log data belonging to that second login banner in each predetermined period, to obtain the specified baseline corresponding to that second login banner.
10. The device according to claim 6, characterized in that the device further comprises:
an output module, configured to output abnormality alarm information about the user to be detected according to the second to-be-matched logon data.
CN201810798720.5A 2018-07-19 2018-07-19 Login abnormity detection method and device Active CN108989150B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810798720.5A CN108989150B (en) 2018-07-19 2018-07-19 Login abnormity detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810798720.5A CN108989150B (en) 2018-07-19 2018-07-19 Login abnormity detection method and device

Publications (2)

Publication Number Publication Date
CN108989150A true CN108989150A (en) 2018-12-11
CN108989150B CN108989150B (en) 2021-03-26

Family

ID=64550495

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810798720.5A Active CN108989150B (en) 2018-07-19 2018-07-19 Login abnormity detection method and device

Country Status (1)

Country Link
CN (1) CN108989150B (en)

Also Published As

Publication number Publication date
CN108989150B (en) 2021-03-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant