CN110191097A - Method, system, device and storage medium for detecting login page security - Google Patents

Info

Publication number
CN110191097A
Authority
CN
China
Prior art keywords
page
log
user
account
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910366731.0A
Other languages
Chinese (zh)
Other versions
CN110191097B (en
Inventor
陈俊峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN201910366731.0A
Publication of CN110191097A
Application granted
Publication of CN110191097B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Technology Law (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

An embodiment of the invention provides a method for detecting login page security, comprising: obtaining the operation logs of multiple users, and obtaining key fields and page operation information from the operation logs according to preset field names; obtaining, according to the page operation information, multiple pieces of page login information generated when the multiple users logged in to the server within N time periods, each user corresponding to one piece of page login information; filtering target page login information out of the multiple pieces of page login information, the target page login information being page login information that has only a single login record within the N time periods; and determining the page login account of the target page login information to be a suspicious account, and further determining whether an account misuse event has occurred. Embodiments of the invention also provide a system, a computer device and a storage medium for detecting login page security. The embodiments can efficiently detect misuse events on a login page.

Description

Method, system, device and storage medium for detecting login page security
Technical field
Embodiments of the present invention relate to the technical field of network security, and in particular to a method, system, device and storage medium for detecting login page security.
Background
An enterprise management system applies a systematic management approach to provide enterprise personnel with centralized services and functions. Enterprise personnel can log in to the enterprise management system according to their own permissions, for example to check attendance information or to submit and download files. To keep the system running safely, how to detect abnormal login events is the technical problem currently to be solved.
However, existing detection of account anomalies requires additional modification of the original system. For example, each time a user login request is received, the system has to check the user's leave status, which requires a database call at that moment and puts heavy pressure on both the network and the database.
Summary of the invention
In view of this, the purpose of the embodiments of the present invention is to provide a method, system, device and storage medium for detecting login page security that can detect abnormal account users without modifying the original system, thereby reducing back-end processing steps and in turn the pressure on the system and the network.
To achieve the above object, an embodiment of the invention provides a method for detecting login page security, comprising the following steps:
Obtaining the operation logs of multiple users;
Obtaining the key fields in the operation logs from the operation logs according to preset field names;
Extracting the page operation information in the key fields;
Obtaining, according to the page operation information, multiple pieces of page login information generated when the multiple users logged in to the server within N time periods, each user corresponding to one piece of page login information, and each piece of page login information including the page login account, page login time and page login count of the corresponding user;
Filtering target page login information out of the multiple pieces of page login information, the target page login information being page login information that has only a single login record within the N time periods;
Determining the page login account corresponding to the target page login information to be a suspicious account;
Comparing the user name of the suspicious account with a preset leave list to determine whether an account misuse event has occurred, and if so, marking the suspicious account with a suspicious flag, the preset leave list including the users who are on leave and the account names corresponding to those users;
Obtaining the associated social account of the target user corresponding to the suspicious account, and obtaining the activity region of the target user from the associated social account;
Querying the location region from the IP address of the page login address of the suspicious account, and comparing the location region with the activity region;
If the location region and the activity region are in the same region, removing the suspicious flag from the suspicious account.
Further, the step of obtaining the page login count comprises:
Obtaining the mapped access sequence of each user according to the multiple pieces of page login information;
Generating the adjacency matrix of page accesses according to the mapped access sequence of each user;
Obtaining the jump count of each page according to the adjacency matrix of page accesses, wherein the jump count is the page login count.
Further, the mapped access sequence is as follows:
The parameter identifier of the target page login information is represented by numeric node p, and the page displayed after a successful login corresponds to numeric node q.
Further, the page login count is denoted arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q.
Further, before obtaining the operation logs of the users, the method further comprises:
Extracting the operation logs of multiple users according to a preset rule, and filtering the extracted operation logs;
Wherein the preset rule is used to identify the operation logs of those of the multiple users who did not log in successfully.
To achieve the above object, an embodiment of the invention also provides a system for detecting login page security, comprising:
A first obtaining module, for obtaining the operation logs of multiple users;
A second obtaining module, for obtaining the key fields in the operation logs from the operation logs according to preset field names;
A first extraction module, for extracting the page operation information in the key fields;
A second extraction module, for obtaining, according to the page operation information, multiple pieces of page login information generated when the multiple users logged in to the server within N time periods, each user corresponding to one piece of page login information, and each piece of page login information including the page login account, page login time and page login count of the corresponding user;
A screening module, for filtering target page login information out of the multiple pieces of page login information, the target page login information being page login information that has only a single login record within the N time periods;
A first judgment module, for determining the page login account corresponding to the target page login information to be a suspicious account;
A second judgment module, for comparing the user name of the suspicious account with a preset leave list to determine whether an account misuse event has occurred, and if so, marking the suspicious account with a suspicious flag, the preset leave list including the users who are on leave and the account names corresponding to those users;
A third obtaining module, for obtaining the associated social account of the target user corresponding to the suspicious account, and obtaining the activity region of the target user from the associated social account;
A query module, for querying the location region from the IP address of the page login address of the suspicious account, and comparing the location region with the activity region;
A third judgment module, for removing the suspicious flag from the suspicious account if the location region and the activity region are in the same region.
Further, the second extraction module is also used for:
Obtaining the mapped access sequence of each user according to the multiple pieces of page login information;
Generating the adjacency matrix of page accesses according to the mapped access sequence of each user;
Obtaining the jump count of each page according to the adjacency matrix of page accesses, wherein the jump count is the page login count.
Further, the mapped access sequence is as follows:
The parameter identifier of each piece of page login information is represented by numeric node p, and the page displayed after a successful login corresponds to numeric node q;
The page login count is denoted arc[p][q], where arc[p][q] is the jump, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q.
To achieve the above object, an embodiment of the invention also provides a computer device, including a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the method for detecting login page security according to any of the above.
To achieve the above object, an embodiment of the invention also provides a computer-readable storage medium in which a computer program is stored, the computer program being executable by at least one processor so that the at least one processor performs the steps of the method for detecting login page security according to any of the above.
The method, system and storage medium for detecting login page security provided by the embodiments of the present invention first obtain and analyze the page operation information in the users' operation logs, filter out of the multiple pieces of page login information those for which a record exists in only a single one of the N time periods, and evaluate that page login information to identify users whose accounts are abnormal and suspicious. The original system does not need to be modified, which reduces back-end processing steps and in turn the pressure on the system and the network.
Brief description of the drawings
Fig. 1 is a flow chart of Embodiment 1 of the method for detecting login page security of the present invention.
Fig. 2 is a flow chart of Embodiment 2 of the method for detecting login page security of the present invention.
Fig. 3 is a schematic diagram of the program modules of Embodiment 3 of the system for detecting login page security of the present invention.
Fig. 4 is a schematic diagram of the hardware structure of Embodiment 4 of the computer device of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit it. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative work fall within the protection scope of the present invention.
Embodiment one
Referring to Fig. 1, a flow chart of the steps of the method for detecting login page security of Embodiment 1 of the present invention is shown. It should be understood that the flow chart in this method embodiment does not limit the order in which the steps are executed. The following description uses a server as the executing entity by way of example. The details are as follows.
Step S101: obtain the operation logs of multiple users.
In this embodiment, the terminal receives the user's request instruction to obtain the operation log and sends it to the server, and the server returns the operation log according to the request instruction. The operation log records the operation information of users logging in to the target page, including but not limited to the login location information, login time information and login duration information of the user at login. The target page is an insurance login page, and the login time information includes the login time information of users who logged in successfully. The terminal includes a computerized device, and the terminal can record and retrieve the users' operation logs.
In this embodiment, before obtaining the operation logs of the users, the method further comprises:
Extracting the operation logs of multiple users according to a preset rule, and filtering the extracted operation logs;
Wherein the preset rule is used to identify the operation logs of those of the multiple users who did not log in successfully.
In this embodiment, if a user account attempts to log in (and remains in the not-logged-in state), an operation record is still stored: the operation log contains records such as a wrong account or a wrong password entered at login. During filtering, users who did not log in successfully are filtered out, to avoid counting logins more than once.
Step S102: obtain the key fields in the operation logs from the operation logs according to preset field names.
In this embodiment, when storing the operation log, the server classifies its information by category into multiple fields, each of which has a field name. The preset field names include the field names of the login account information, login time information and login count information; during extraction, the key fields carrying the login account information, login time information and login count information are extracted.
Step S103: extract the page operation information in the key fields.
In this embodiment, when the key fields are obtained from the operation logs according to the preset field names, the login account information, login time information and login count information are used to extract the page operation information from the key fields.
Step S104: obtain, according to the page operation information, multiple pieces of page login information generated when the multiple users logged in to the server within N time periods, each user corresponding to one piece of page login information, and each piece of page login information including the page login account, page login time and page login count of the corresponding user.
In this embodiment, the step of obtaining the page login count comprises:
Obtaining the mapped access sequence of each user according to the multiple pieces of page login information;
Generating the adjacency matrix of page accesses according to the mapped access sequence of each user;
Obtaining the jump count of each page according to the adjacency matrix of page accesses, wherein the jump count is the page login count.
Wherein the mapped access sequence is as follows:
The parameter identifier of each piece of page login information is represented by numeric node p, and the page displayed after a successful login corresponds to numeric node q.
In this embodiment, the page login count is denoted arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q. For example, numbering the identifiers of the login pages produces a corresponding sequence as pages are jumped to, and sorting that sequence into a matrix yields arc[p][q].
In this embodiment, the N time periods can be preset freely, for example the previous three days or the previous ten days, and for each user it is determined whether only one of the N time periods has operation records, in order to further determine whether the user is abnormal.
Step S105: filter target page login information out of the multiple pieces of page login information, the target page login information being page login information that has only a single login record within the N time periods.
In this embodiment, the terminal sends the server a request to retrieve operation logs. The request includes the preset field names, which designate the operation log information of all users within the N time periods. The key fields include the users' login information on the page, and the terminal then extracts the page operation information from the key fields. The page operation information is the page login information generated when all users logged in to the server within the N time periods. Finally, the entries in which a page login account has a page login count recorded in only one of the N time periods are extracted. The target page login information includes the information of the login page.
Step S106: determine the page login account corresponding to the target page login information to be a suspicious account.
In this embodiment, the invention detects users who, within the N time periods, had no operation behavior during the first i days (i ≤ N-1) and have an operation log on day i+1. In other words, because the method performs continuous detection, whenever only one period within the target N-day window is found to have operation records, the user is screened out and determined to be a suspicious account.
In this embodiment, if more than one time period has operation records, the user's account is excluded from suspicion of anomaly. If a user has operation records in multiple periods within the target time range, the user is probably in a working state, and a user account that has been unused for a long time would not have multiple operation records, so the account is excluded from suspicion.
Step S107: compare the user name of the suspicious account with the preset leave list to determine whether an account misuse event has occurred, and if so, mark the suspicious account with a suspicious flag, the preset leave list including the users who are on leave and the account names corresponding to those users.
In this embodiment, suspicious accounts are counted within a statistical window, and each such user is then compared with the preset leave list, which lists all users who are on leave and the account names corresponding to those users. If the user matches the preset leave list, the user's account may have been misused, and the reason for the abnormal use of the account is investigated further.
The query statement, written in SQL, is:
SELECT * FROM op_table
WHERE op_day BETWEEN (current_day - n) AND current_day
GROUP BY op_day
HAVING COUNT(id) > 1
Here, op_table is the table that stores user operation information and contains the user id (id), the user operation time (op_time) and the user operation date (op_day), where op_day is derived from op_time. current_day is the cutoff date of the query run, and n is the time window; the query is run daily.
For example: if today is November 11, 2018 and abnormal records in the past 3 days are to be queried, current_day is November 11, 2018 and (current_day-3) is November 8, 2018.
If a user id contained in the query result did not appear in any earlier query result, that user has an operation record for the first time on November 11, 2018. The list of qualifying users is then compared with the list of users on leave: if a user should be on leave on that day but appears in the list of abnormal use, the user's account may have been misused, and the reason for the abnormal use of the account can be investigated further.
In this embodiment, the historical login data of the suspicious account is obtained, the historical login success rate is computed from the historical login data, and the historical login success rate is compared with the current login success rate; if the difference exceeds a preset success-rate difference threshold, it is determined that a misuse event has occurred.
Step S108: obtain the associated social account of the target user corresponding to the suspicious account, and obtain the activity region of the target user from the associated social account.
Step S109: query the location region from the IP address of the page login address of the suspicious account, and compare the location region with the activity region.
Step S110: if the location region and the activity region are in the same region, remove the suspicious flag from the suspicious account.
In this embodiment, the activity region of the target user is obtained from the associated social account (such as DingTalk) of the target user corresponding to the suspicious account, the location region is queried from the IP address of the page login address of the suspicious account, and the location region is compared with the activity region of the target user. If they are in the same region, such as the same city, town, district or street, the suspicious flag of the suspicious account is removed. IP address query software can be used to look up the login location of the current suspicious account.
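The following is an added example, not code from the patent, that runs steps S105 to S110 over constructed log rows in an in-memory SQLite table. It assumes the single-period rule means "exactly one distinct op_day per id within the window", so its query groups by id rather than by op_day as the statement above does; the login_ok and src_ip columns, the region lookups and all sample values are constructed.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample rows: (id, op_time, login_ok, src_ip). login_ok and src_ip
# are assumed columns; the page's op_table lists only id, op_time and op_day.
SAMPLE_OPS = [
    ("alice", "2018-11-09 09:01:00", 1, "198.51.100.7"),
    ("alice", "2018-11-10 09:03:00", 1, "198.51.100.7"),
    ("alice", "2018-11-11 08:58:00", 1, "198.51.100.7"),
    ("bob",   "2018-10-01 10:00:00", 1, "198.51.100.7"),  # outside the window
    ("bob",   "2018-11-11 02:14:00", 1, "203.0.113.50"),
    ("bob",   "2018-11-11 02:20:00", 1, "203.0.113.50"),
    ("carol", "2018-11-11 10:30:00", 1, "192.0.2.10"),
    ("dave",  "2018-11-11 23:41:00", 0, "203.0.113.50"),  # failed attempt
    ("erin",  "2018-11-10 14:00:00", 1, "192.0.2.10"),
]
CURRENT_DAY = date(2018, 11, 11)   # the page's worked date, with n = 3
ON_LEAVE = {"bob", "carol"}        # constructed preset leave list
IP_REGION = {                      # constructed stand-in for an IP lookup
    "198.51.100.7": "Shenzhen",
    "192.0.2.10": "Shenzhen",
    "203.0.113.50": "Shanghai",
}
ACTIVITY_REGION = {"bob": "Shenzhen", "carol": "Shenzhen"}  # from social account

# Accounts active on exactly one day of the window (assumed reading of S105).
SINGLE_DAY_SQL = """
SELECT id, GROUP_CONCAT(DISTINCT src_ip)
FROM op_table
WHERE op_day BETWEEN ? AND ?
GROUP BY id
HAVING COUNT(DISTINCT op_day) = 1
ORDER BY id
"""


def load_ops(rows):
    """Load successful logins only; failed attempts are filtered out first."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE op_table (id TEXT, op_time TEXT, op_day TEXT, src_ip TEXT)"
    )
    conn.executemany(
        "INSERT INTO op_table VALUES (?, ?, ?, ?)",
        # op_day is derived from op_time, as the page describes.
        [(uid, t, t[:10], ip) for uid, t, ok, ip in rows if ok],
    )
    return conn


def detect(rows, current_day, n, on_leave, ip_region, activity_region):
    """Return suspicious accounts, those flagged, and those whose flag is cleared."""
    conn = load_ops(rows)
    start = (current_day - timedelta(days=n)).isoformat()
    result = {"suspicious": [], "flagged": [], "cleared": []}
    for uid, ips in conn.execute(SINGLE_DAY_SQL, (start, current_day.isoformat())):
        result["suspicious"].append(uid)            # S106
        if uid not in on_leave:                     # S107: leave-list comparison
            continue
        # S108-S110: clear the flag only if every source IP resolves to the
        # user's activity region; unknown IPs or regions keep the flag.
        regions = {ip_region.get(ip) for ip in ips.split(",")}
        if None not in regions and regions == {activity_region.get(uid)}:
            result["cleared"].append(uid)
        else:
            result["flagged"].append(uid)
    conn.close()
    return result


if __name__ == "__main__":
    print(detect(SAMPLE_OPS, CURRENT_DAY, 3, ON_LEAVE, IP_REGION, ACTIVITY_REGION))
```

Because the flag is cleared only when all source addresses resolve to the known activity region, a missing geolocation entry fails closed and leaves the account flagged for review.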
Embodiment two
Referring to Fig. 2, a flow chart of the steps for calculating the page login count in Embodiment 2 of the present invention is shown. It should be understood that the flow chart in this method embodiment does not limit the order in which the steps are executed. The following description uses a server as the executing entity by way of example. The details are as follows.
Step S201: obtain the mapped access sequence of each user according to the multiple pieces of page login information.
Step S202: generate the adjacency matrix of page accesses according to the mapped access sequence of each user.
Step S203: obtain the jump count of each page according to the adjacency matrix of page accesses, wherein the jump count is the page login count.
In this embodiment, the mapped access sequence is as follows: the parameter identifier of the target page login information is represented by numeric node p, and the page displayed after a successful login corresponds to numeric node q.
The mapped access sequence in this embodiment can be understood as representing a user's access sequence by index, for example by number. Specifically, each page identification parameter in the operation log can be mapped to a number, and the mapped access sequence of each user can then be obtained from the order of the pages, identified by those parameters, that the user accessed.
In this embodiment, the page login count is denoted arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q.
In this embodiment, an adjacency matrix is a matrix that represents the adjacency relations between vertices. The adjacency matrix here is generated from the mapped access sequence of each user: each point in the users' mapped access sequences forms a vertex of the page-access adjacency matrix. Because each user's mapped access sequence captures the order in which that user accessed pages, the page-access adjacency matrix of this embodiment is the adjacency matrix of a directed graph. The in-degree of a vertex in the access adjacency matrix represents the inbound traffic of vertex p; in this embodiment it is the number of jumps to the page of the numeric node q corresponding to the vertex, and it equals the sum of the values of all directed edges in the column of numeric node p in the page-access adjacency matrix. For example, the inbound traffic of vertex 3 is the sum of the jump counts from other pages to the page of numeric node 3. It may include the number of jumps from the start page (page 0) to the page of numeric node 3, from the page of numeric node 1 to the page of numeric node 3, from the page of numeric node 2 to the page of numeric node 3, and so on, each counting the times the page was successfully reached, up to the number of jumps from the page of numeric node n to the page of numeric node 3. In the page-access adjacency matrix, this corresponds to summing all directed edges arc[i][3] for i from 0 to n, which gives the inbound traffic of vertex 3, that is, the total page login count.
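As an added illustration of steps S201 to S203 (not code from the patent), the sketch below maps page identifiers to numeric nodes, counts directed jumps into arc[p][q], and sums a column to get a page's inbound jump total. The page paths and user sequences are constructed, and the function names are hypothetical.

```python
# Constructed per-user page sequences, in access order, taken to come from
# the filtered operation log. "/start" plays the role of start page 0.
SAMPLE_SEQUENCES = {
    "u1": ["/start", "/login", "/home", "/attendance"],
    "u2": ["/start", "/login", "/home"],
    "u3": ["/start", "/login", "/login", "/home"],  # reloaded the login page
    "u4": ["/start", "/home"],                      # reached home without login
}


def build_page_index(sequences, start_page="/start"):
    """S201: map each page identifier to a numeric node; start page is node 0."""
    index = {start_page: 0}
    for seq in sequences.values():
        for page in seq:
            index.setdefault(page, len(index))
    return index


def build_arc(sequences, index):
    """S202: arc[p][q] counts jumps from node p directly to node q."""
    size = len(index)
    arc = [[0] * size for _ in range(size)]
    for seq in sequences.values():
        mapped = [index[page] for page in seq]   # the mapped access sequence
        for p, q in zip(mapped, mapped[1:]):
            arc[p][q] += 1
    return arc


def inbound_jumps(arc, q):
    """S203: in-degree of node q, i.e. the sum of column q over all rows i."""
    return sum(row[q] for row in arc)


if __name__ == "__main__":
    idx = build_page_index(SAMPLE_SEQUENCES)
    arc = build_arc(SAMPLE_SEQUENCES, idx)
    login, home = idx["/login"], idx["/home"]
    print("login -> home jumps:", arc[login][home])
    print("all inbound jumps to home:", inbound_jumps(arc, home))
```

The gap between arc[login][home] and the column total for the home page is the number of arrivals that did not come through the login page, which the matrix makes visible at a glance.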
Embodiment three
Referring to Fig. 3, a schematic diagram of the program modules of the system for detecting login page security of Embodiment 3 of the present invention is shown. The system specifically includes:
A first obtaining module 301, for obtaining the operation logs of multiple users.
Specifically, in this embodiment the operation log records the operation information of users logging in to the target page, including but not limited to the login address, login time and login duration of the user at login; the target page is an insurance login page.
Before the operation logs of the users are obtained, the operation logs are also filtered to remove the operation logs of non-genuine users. For example: if a user account attempts to log in (and remains in the not-logged-in state), an operation record is still made, and the operation log contains records such as a wrong account or a wrong password entered at login. During filtering, users who did not log in successfully are filtered out, to avoid counting logins more than once.
A second obtaining module 302, for obtaining the key fields in the operation logs from the operation logs according to preset field names.
In this embodiment, when storing the operation log, the server classifies its information by category into multiple fields, each of which has a field name. The preset field names include the field names of the login account information, login time information and login count information. During extraction, the second obtaining module 302 extracts the key fields carrying the login account information, login time information and login count information.
A first extraction module 303, for extracting the page operation information in the key fields.
In this embodiment, when the key fields are obtained from the operation logs according to the preset field names, the first extraction module 303 extracts the page operation information from the key fields that carry the login account information, login time information and login count information.
A second extraction module 304, for obtaining, according to the page operation information, multiple pieces of page login information generated when the multiple users logged in to the server within N time periods, each user corresponding to one piece of page login information, and each piece of page login information including the page login account, page login time and page login count of the corresponding user.
In this embodiment, the second extraction module is further configured to:
obtain the mapped access sequence of each user according to the multiple pieces of page login information;
generate an adjacency matrix of page accesses according to the mapped access sequence of each user;
obtain the number of jumps of each page according to the adjacency matrix of page accesses, where the number of jumps is the page login count.
The mapped access sequence is as follows:
the parameter identifier of each piece of page login information is represented by a numeric node p, and the page displayed after a successful login is represented by the corresponding numeric node q;
the page login count is represented by arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q.
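The following Python sketch is an added example, not code from the patent, showing how arc[p][q] can be built from per-user access sequences. It assumes that node p is the login page and node q is the page shown after a successful login; the page names and sequences are constructed.

```python
# Constructed access sequences: page identifiers in the order each user hit them.
# The page names "login" and "home" are assumptions made for this example.
SEQUENCES = {
    "alice": ["login", "home", "policy", "login", "home", "claims", "home"],
    "bob": ["login", "login", "home"],  # first attempt stayed on the login page
}


def node_index(sequences):
    """Map every page identifier to a numeric node, in first-seen order."""
    nodes = {}
    for seq in sequences.values():
        for page in seq:
            nodes.setdefault(page, len(nodes))
    return nodes


def adjacency(seq, nodes):
    """Build arc, where arc[p][q] counts direct jumps from node p to node q."""
    size = len(nodes)
    arc = [[0] * size for _ in range(size)]
    for src, dst in zip(seq, seq[1:]):
        arc[nodes[src]][nodes[dst]] += 1
    return arc


def login_counts(sequences, login_page="login", landing_page="home"):
    """Per-user login count, read from arc[p][q] for the login -> landing jump."""
    nodes = node_index(sequences)
    p, q = nodes.get(login_page), nodes.get(landing_page)
    if p is None or q is None:
        # No user ever reached one of the two pages, so nobody logged in.
        return {user: 0 for user in sequences}
    return {user: adjacency(seq, nodes)[p][q] for user, seq in sequences.items()}


if __name__ == "__main__":
    print(node_index(SEQUENCES))
    print(login_counts(SEQUENCES))
```

A jump from the login page back to the login page lands in arc[p][p], so an unsuccessful attempt does not add to the login count.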
In this embodiment, the N time periods can be preset freely, for example the previous three days or the previous ten days. For each user, it is judged whether only one of the N time periods contains an operation record, and on that basis whether the user is an abnormal user. The second extraction module 304 obtains, from the page operation information, the multiple pieces of page login information generated when the multiple users log in to the server within the N time periods.
The screening module 305 is configured to screen out target page login information from the multiple pieces of page login information, the target page login information being page login information that has only a single login record within the N time periods.
In this embodiment, the target page login information includes each user's login information on the page. The screening module 305 screens out the page login information that is recorded in only a single one of the N time periods, that is, the page login information belonging to that single period.
The first judgment module 306 is configured to determine the page login account corresponding to the target page login information to be a suspicious account.
In this embodiment, the invention detects users who show no operation behavior during the first i days (i ≤ N-1) of the N time periods and who have an operation log on day i+1. In other words, because the method runs as continuous detection, a user is screened out and determined to be a suspicious account as soon as only one period within the N-day target time range is found to contain an operation record.
In this embodiment, if more than one period contains operation records, the user's account is ruled out as abnormal or suspicious. Operation records in several periods of the target time range indicate that the user is probably working, and a user account that has gone unused for a long time would not show operation records on multiple occasions, so the account is ruled out as abnormal or suspicious.
The second judgment module 307 is configured to compare the user name of the suspicious account with a preset leave list and judge whether an account misuse event exists; if so, the suspicious account is marked with a suspicious flag. The preset leave list includes the users who are on leave and the account names corresponding to the users on leave.
In this embodiment, suspicious accounts are collected over a statistical window, and each such user is then compared with the preset leave list, which lists all users who are on leave and the account names corresponding to the users on leave. If the user matches the preset leave list, the user's account may have been misused, and the reason for the abnormal use of the account is investigated further.
The query statement is written in SQL as follows:
SELECT * FROM op_table WHERE op_day BETWEEN (current_day - n) AND current_day GROUP BY op_day HAVING COUNT(id) > 1
Here, op_table is the table that stores user operation information; it contains the user id (id), the user operation time (op_time) and the user operation date (op_day), where op_day is converted from op_time. current_day denotes the cut-off date of the query being run, and n denotes the time window. The query statement is run every day.
For example, if today is November 11, 2018 and abnormal records from the past 3 days are to be queried, current_day is November 11, 2018 and (current_day-3) is November 8, 2018.
If a user id contained in the query result did not appear in earlier query results, that user has an operation record for the first time on November 11, 2018. The list of qualifying users is then compared with the list of users on leave: if a user should be on leave on that day but appears in the list of abnormal use, the user's account may have been misused, and the reason for the abnormal use of the account can then be investigated further.
The third obtaining module 308 is configured to obtain the associated social account of the target user corresponding to the suspicious account, and to obtain the target user's activity area from the associated social account.
The query module 309 is configured to look up a location area according to the IP address of the suspicious account's page login address, and to compare the location area with the activity area.
The third judgment module 310 is configured to release the suspicious flag of the suspicious account if the location area and the activity area are in the same area.
In this embodiment, the target user's activity area is obtained from the associated social account (for example DingTalk) of the target user corresponding to the suspicious account. The location area is looked up according to the IP address of the suspicious account's page login address and compared with the target user's activity area. If they are in the same area, for example the same city, town, district or street, the suspicious flag of the suspicious account is released.
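The screening, leave-list comparison and location comparison described above can be run end to end on a constructed op_table in SQLite, as in this added Python example, which is not code from the patent. Its query groups by id and keeps ids with exactly one distinct op_day in the window, which is this example's own formulation of the single-period condition; the login_ip column, the IP-to-region table and all sample rows are assumptions.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample rows (id, op_time, login_ip); not data from the patent.
# login_ip is an assumed extra column holding the page login address.
ROWS = [
    ("alice", "2018-11-09 09:02:11", "192.0.2.10"),
    ("alice", "2018-11-10 08:57:40", "192.0.2.10"),
    ("alice", "2018-11-11 09:10:05", "192.0.2.10"),
    ("bob", "2018-11-11 02:14:33", "203.0.113.7"),
    ("bob", "2018-11-11 02:31:09", "203.0.113.7"),
    ("carol", "2018-11-11 10:20:00", "198.51.100.4"),
    ("dave", "2018-11-11 23:48:51", "198.51.100.9"),
    ("erin", "2018-11-01 14:00:00", "192.0.2.20"),
    ("erin", "2018-11-11 14:05:00", "192.0.2.20"),
]
LEAVE_LIST = {"bob", "dave"}  # account names of users on leave
SOCIAL_REGION = {"bob": "Shenzhen", "dave": "Shenzhen"}  # activity area per user
IP_REGION = {  # stand-in for an IP geolocation lookup
    "192.0.2.10": "Shenzhen", "192.0.2.20": "Shenzhen",
    "198.51.100.4": "Guangzhou", "198.51.100.9": "Shenzhen",
    "203.0.113.7": "Shanghai",
}


def build_db(rows):
    """Load rows into an in-memory op_table; op_day is derived from op_time."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE op_table (id TEXT, op_time TEXT, op_day TEXT, login_ip TEXT)"
    )
    con.executemany(
        "INSERT INTO op_table VALUES (?, ?, substr(?, 1, 10), ?)",
        [(uid, ts, ts, ip) for uid, ts, ip in rows],
    )
    return con


def single_period_accounts(con, current_day, n):
    """Return (id, op_day, ips) for ids active on exactly one day of the window."""
    start = (date.fromisoformat(current_day) - timedelta(days=n)).isoformat()
    cur = con.execute(
        """
        SELECT id, MIN(op_day), GROUP_CONCAT(DISTINCT login_ip)
        FROM op_table
        WHERE op_day BETWEEN ? AND ?
        GROUP BY id
        HAVING COUNT(DISTINCT op_day) = 1
        ORDER BY id
        """,
        (start, current_day),
    )
    return cur.fetchall()


def detect(con, current_day, n, leave_list, social_region, ip_region):
    """Apply the three checks: single period, leave list, location comparison."""
    result = {"suspicious": [], "flagged": [], "released": []}
    for uid, _day, ips in single_period_accounts(con, current_day, n):
        result["suspicious"].append(uid)
        if uid not in leave_list:
            continue  # one active day, but the user is not recorded as on leave
        regions = {ip_region.get(ip) for ip in ips.split(",")}
        expected = social_region.get(uid)
        # Release only if every login IP resolves to the known activity area;
        # an unknown IP or a missing activity area keeps the flag in place.
        if expected is not None and regions == {expected}:
            result["released"].append(uid)
        else:
            result["flagged"].append(uid)
    return result


if __name__ == "__main__":
    db = build_db(ROWS)
    print(detect(db, "2018-11-11", 3, LEAVE_LIST, SOCIAL_REGION, IP_REGION))
```

Widening the window changes the outcome for erin: with n = 10 her November 1 record falls inside the window, so she is no longer a single-period account.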
In this embodiment, the historical login data of the suspicious account is obtained, the historical login success rate is computed from the historical login data, and the historical login success rate is compared with the current login success rate. If the difference is large, it is judged that a misuse event has occurred.
Embodiment four
Referring to Fig. 4, a schematic diagram of the hardware structure of the computer device of embodiment four of the present invention is shown.
The present invention also provides a computer device 2, such as a smartphone, tablet computer, notebook computer, desktop computer, rack server, blade server, tower server or cabinet server (including a standalone server or a server cluster composed of multiple servers) capable of executing programs. The computer device 2 of this embodiment includes at least, but is not limited to, a memory 21 and a processor 22 that can be communicatively connected to each other through a system bus.
In this embodiment, the memory 21 includes at least one type of computer-readable storage medium. The readable storage medium includes flash memory, a hard disk, a multimedia card, card-type memory (for example SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk, an optical disc, etc. In some embodiments, the memory 21 may be an internal storage unit of the computer device 2, such as the hard disk or internal memory of the computer device 2. In other embodiments, the memory 21 may also be an external storage device of the computer device 2, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the computer device 2. The memory 21 may of course also include both the internal storage unit of the computer device 2 and its external storage device. In this embodiment, the memory 21 is generally used to store the operating system and the various application software installed on the computer device 2, for example the program code of the login page security detection system 20 of embodiment four. In addition, the memory 21 may also be used to temporarily store various data that has been output or is to be output.
In some embodiments, the processor 22 may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip. The processor 22 is generally used to control the overall operation of the computer device 2. In this embodiment, the processor 22 is used to run the program code or process the data stored in the memory 21, for example to run the login page security detection system 20 so as to implement the login page security detection method of embodiment one or two.
The network interface 23 may include a wireless network interface or a wired network interface, and is generally used to establish a communication connection between the computer device 2 and other electronic devices. For example, the network interface 23 is used to connect the computer device 2 to an external terminal through a network and to establish a data transmission channel and a communication connection between the computer device 2 and the external terminal. The network may be a wireless or wired network such as an intranet, the Internet, the Global System of Mobile communication (GSM), Wideband Code Division Multiple Access (WCDMA), a 4G network, a 5G network, Bluetooth or Wi-Fi.
Embodiment five
This embodiment also provides a computer-readable storage medium, such as flash memory, a hard disk, a multimedia card, card-type memory (for example SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk, an optical disc, a server, an app store, etc., on which a computer program is stored that implements the corresponding functions when executed by a processor. The computer program of this embodiment of the invention can be executed by at least one processor, so that the at least one processor implements the login page security detection method of embodiment one or two.
The login page security detection method, system and storage medium provided by the embodiments of the present invention first obtain and analyze the page operation information in the users' operation logs, screen out from the multiple pieces of page login information the page login information recorded in only a single one of the N time periods, and evaluate that page login information to identify suspicious users with abnormal accounts. The original system does not need to be modified, which reduces background processing steps and in turn reduces the load on the system and the network.
The serial numbers of the above embodiments of the invention are for description only and do not represent the advantages or disadvantages of the embodiments.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation.
The above are only preferred embodiments of the present invention and do not limit the patent scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, whether applied directly or indirectly in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (10)

1. A method for detecting login page security, characterized by comprising the following steps:
obtaining the operation logs of multiple users;
obtaining the critical fields in the operation logs from the operation logs according to preset field names;
extracting the page operation information from the critical fields;
obtaining, according to the page operation information, multiple pieces of page login information generated when the multiple users log in to the server within N time periods, each user corresponding to one piece of page login information, and each piece of page login information including the corresponding user's page login account, page login time and page login count;
screening out target page login information from the multiple pieces of page login information, the target page login information being page login information that has only a single login record within the N time periods;
determining the page login account corresponding to the target page login information to be a suspicious account;
comparing the user name of the suspicious account with a preset leave list and judging whether an account misuse event exists, and if so, marking the suspicious account with a suspicious flag, the preset leave list including the users who are on leave and the account names corresponding to the users on leave;
obtaining the associated social account of the target user corresponding to the suspicious account, and obtaining the target user's activity area from the associated social account;
looking up a location area according to the IP address of the suspicious account's page login address, and comparing the location area with the activity area;
if the location area and the activity area are in the same area, releasing the suspicious flag of the suspicious account.
2. The detection method according to claim 1, characterized in that the step of obtaining the page login count comprises:
obtaining the mapped access sequence of each user according to the multiple pieces of page login information;
generating an adjacency matrix of page accesses according to the mapped access sequence of each user;
obtaining the number of jumps of each page according to the adjacency matrix of page accesses, where the number of jumps is the page login count.
3. The detection method according to claim 2, characterized in that the mapped access sequence is as follows:
the parameter identifier of each piece of page login information is represented by a numeric node p, and the page displayed after a successful login is represented by the corresponding numeric node q.
4. The detection method according to claim 3, characterized in that the page login count is represented by arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q.
5. The detection method according to claim 1, characterized in that, before the operation logs of the users are obtained, the method further comprises:
extracting the operation logs of multiple users according to a preset rule, and filtering the extracted operation logs;
wherein the preset rule is used to identify the operation logs of the multiple users in which login did not succeed.
6. A system for detecting login page security, characterized by comprising:
a first obtaining module, configured to obtain the operation logs of multiple users;
a second obtaining module, configured to obtain the critical fields in the operation logs from the operation logs according to preset field names;
a first extraction module, configured to extract the page operation information from the critical fields;
a second extraction module, configured to obtain, according to the page operation information, multiple pieces of page login information generated when the multiple users log in to the server within N time periods, each user corresponding to one piece of page login information, and each piece of page login information including the corresponding user's page login account, page login time and page login count;
a screening module, configured to screen out target page login information from the multiple pieces of page login information, the target page login information being page login information that has only a single login record within the N time periods;
a first judgment module, configured to determine the page login account corresponding to the target page login information to be a suspicious account;
a second judgment module, configured to compare the user name of the suspicious account with a preset leave list and judge whether an account misuse event exists, and if so, to mark the suspicious account with a suspicious flag, the preset leave list including the users who are on leave and the account names corresponding to the users on leave;
a third obtaining module, configured to obtain the associated social account of the target user corresponding to the suspicious account, and to obtain the target user's activity area from the associated social account;
a query module, configured to look up a location area according to the IP address of the suspicious account's page login address, and to compare the location area with the activity area;
a third judgment module, configured to release the suspicious flag of the suspicious account if the location area and the activity area are in the same area.
7. The detection system according to claim 6, characterized in that the second extraction module is further configured to:
obtain the mapped access sequence of each user according to the multiple pieces of page login information;
generate an adjacency matrix of page accesses according to the mapped access sequence of each user;
obtain the number of jumps of each page according to the adjacency matrix of page accesses, where the number of jumps is the page login count.
8. The detection method according to claim 7, characterized in that the mapped access sequence is as follows:
the parameter identifier of each piece of page login information is represented by a numeric node p, and the page displayed after a successful login is represented by the corresponding numeric node q;
the page login count is represented by arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q.
9. A computer device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the login page security detection method according to any one of claims 1-5.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program can be executed by at least one processor, so that the at least one processor performs the steps of the login page security detection method according to any one of claims 1-5.
CN201910366731.0A 2019-05-05 2019-05-05 Method, system, equipment and storage medium for detecting security of login page Active CN110191097B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910366731.0A CN110191097B (en) 2019-05-05 2019-05-05 Method, system, equipment and storage medium for detecting security of login page

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910366731.0A CN110191097B (en) 2019-05-05 2019-05-05 Method, system, equipment and storage medium for detecting security of login page

Publications (2)

Publication Number Publication Date
CN110191097A true CN110191097A (en) 2019-08-30
CN110191097B CN110191097B (en) 2023-01-10

Family

ID=67715484

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910366731.0A Active CN110191097B (en) 2019-05-05 2019-05-05 Method, system, equipment and storage medium for detecting security of login page

Country Status (1)

Country Link
CN (1) CN110191097B (en)

Also Published As

Publication number Publication date
CN110191097B (en) 2023-01-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant