CN110191097A - Method, system, device and storage medium for detecting login page security - Google Patents
- Publication number: CN110191097A
- Application number: CN201910366731.0A
- Authority: CN (China)
- Legal status: Granted
Classifications
- H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/107: Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
- H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
Abstract
An embodiment of the invention provides a method for detecting login page security, comprising: obtaining the operation logs of multiple users, and obtaining key fields and page operation information from the operation logs according to preset field names; obtaining, according to the page operation information, multiple pieces of page login information generated when the multiple users log in to the server within N time periods, each user corresponding to one piece of page login information; filtering target page login information out of the multiple pieces of page login information, the target page login information being page login information that has a login record in only a single one of the N time periods; and determining the login account of the target page login information to be a suspicious account, then further determining whether an account misuse event has occurred. Embodiments of the invention also provide a login page security detection system, a computer device and a storage medium. Embodiments of the invention can efficiently detect login page account misuse events.
Description
Technical field
Embodiments of the present invention relate to the technical field of network security, and in particular to a method, system, device and storage medium for detecting login page security.
Background
An enterprise management system applies systematic management thinking and provides enterprise personnel with all kinds of service and performance functions in one place. Enterprise personnel can log in to the enterprise management system according to their own permissions, for example to check attendance information or to submit and download files. How to check the system for abnormal login events, so as to keep the system running securely, is the technical problem currently to be solved.
However, existing detection of account anomalies requires additional modification of the original system. For example, each time a user login request is received, the system must check whether the user is on leave, which requires calling the database at that moment; this puts great pressure on both the network and the database.
Summary of the invention
In view of this, the purpose of embodiments of the present invention is to provide a method, system, device and storage medium for detecting login page security that can identify users with abnormal accounts without modifying the original system, thereby reducing background processing steps and, in turn, the pressure on the system and the network.
To achieve the above object, an embodiment of the invention provides a method for detecting login page security, comprising the following steps:
Obtaining the operation logs of multiple users;
Obtaining the key fields in the operation logs from the operation logs according to preset field names;
Extracting the page operation information in the key fields;
Obtaining, according to the page operation information, multiple pieces of page login information generated when the multiple users log in to the server within N time periods, where each user corresponds to one piece of page login information and each piece of page login information includes the corresponding user's page login account, page login time and page login count;
Filtering target page login information out of the multiple pieces of page login information, the target page login information being page login information that has a login record in only a single one of the N time periods;
Determining the page login account corresponding to the target page login information to be a suspicious account;
Comparing the user name of the suspicious account with a preset leave list to judge whether an account misuse event has occurred and, if so, marking the suspicious account as suspicious, where the preset leave list includes the users who are on leave and the account names corresponding to those users;
Obtaining the associated social account of the target user corresponding to the suspicious account, and obtaining the target user's activity region from the associated social account;
Looking up the location region from the IP address of the suspicious account's page login address, and comparing the location region with the activity region;
If the location region and the activity region are in the same region, removing the suspicious mark from the suspicious account.
Further, the step of obtaining the page login count comprises:
Obtaining the mapped access sequence of each user according to the multiple pieces of page login information;
Generating an adjacency matrix of page accesses according to the mapped access sequence of each user;
Obtaining the number of jumps to each page according to the adjacency matrix of page accesses, where the number of jumps is the page login count.
Further, the mapped access sequence is as follows:
The parameter identifier of the target page login information is represented by numeric node p, and the page displayed after a successful login corresponds to numeric node q.
Further, the page login count is represented by arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q.
Further, before obtaining the operation logs of the users, the method also comprises:
Extracting the operation logs of multiple users according to a preset rule, and filtering the extracted operation logs;
where the preset rule is used to identify the operation logs of unsuccessful logins by the multiple users.
To achieve the above object, an embodiment of the invention also provides a system for detecting login page security, comprising:
A first acquisition module, for obtaining the operation logs of multiple users;
A second acquisition module, for obtaining the key fields in the operation logs from the operation logs according to preset field names;
A first extraction module, for extracting the page operation information in the key fields;
A second extraction module, for obtaining, according to the page operation information, multiple pieces of page login information generated when the multiple users log in to the server within N time periods, where each user corresponds to one piece of page login information and each piece of page login information includes the corresponding user's page login account, page login time and page login count;
A screening module, for filtering target page login information out of the multiple pieces of page login information, the target page login information being page login information that has a login record in only a single one of the N time periods;
A first judgment module, for determining the page login account corresponding to the target page login information to be a suspicious account;
A second judgment module, for comparing the user name of the suspicious account with a preset leave list to judge whether an account misuse event has occurred and, if so, marking the suspicious account as suspicious, where the preset leave list includes the users who are on leave and the account names corresponding to those users;
A third acquisition module, for obtaining the associated social account of the target user corresponding to the suspicious account, and obtaining the target user's activity region from the associated social account;
A query module, for looking up the location region from the IP address of the suspicious account's page login address, and comparing the location region with the activity region;
A third judgment module, for removing the suspicious mark from the suspicious account if the location region and the activity region are in the same region.
Further, the second extraction module is also used for:
Obtaining the mapped access sequence of each user according to the multiple pieces of page login information;
Generating an adjacency matrix of page accesses according to the mapped access sequence of each user;
Obtaining the number of jumps to each page according to the adjacency matrix of page accesses, where the number of jumps is the page login count.
Further, the mapped access sequence is as follows:
The parameter identifier of each piece of page login information is represented by numeric node p, and the page displayed after a successful login corresponds to numeric node q;
The page login count is represented by arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q.
To achieve the above object, an embodiment of the invention also provides a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the steps of the login page security detection method according to any one of the above.
To achieve the above object, an embodiment of the invention also provides a computer-readable storage medium in which a computer program is stored, the computer program being executable by at least one processor so that the at least one processor performs the steps of the login page security detection method according to any one of the above.
The method, system and storage medium for detecting login page security provided by embodiments of the present invention first obtain and analyze the page operation information in users' operation logs, filter out from the multiple pieces of page login information those that have a record in only a single one of the N time periods, and evaluate that page login information to determine users whose accounts are abnormally suspicious. The original system does not need to be modified, which reduces background processing steps and, in turn, the pressure on the system and the network.
Brief description of the drawings
Fig. 1 is a flow chart of embodiment one of the login page security detection method of the present invention.
Fig. 2 is a flow chart of embodiment two of the login page security detection method of the present invention.
Fig. 3 is a schematic diagram of the program modules of embodiment three of the login page security detection system of the present invention.
Fig. 4 is a schematic diagram of the hardware structure of embodiment four of the computer device of the present invention.
Detailed description of the embodiments
In order to make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and are not intended to limit it. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment one
Referring to Fig. 1, a flow chart of the steps of the login page security detection method of embodiment one of the present invention is shown. It should be understood that the flow chart in this method embodiment does not limit the order in which the steps are executed. The following description takes the server as the executing entity by way of example. The details are as follows.
Step S101: obtain the operation logs of multiple users.
In this embodiment, the terminal receives the user's request instruction for obtaining the operation log and sends it to the server, and the server returns the operation log according to the request instruction. The operation log records the operation information of users logging in to the target page, including but not limited to the login location information, login time information and login duration information of the user at login; the target page is an insurance login page. The login time information includes the login time information of users who logged in successfully. The terminal includes a computerized device and can record and retrieve the user's operation log.
In this embodiment, before obtaining the operation logs of the users, the method also comprises:
Extracting the operation logs of multiple users according to a preset rule, and filtering the extracted operation logs;
where the preset rule is used to identify the operation logs of unsuccessful logins by the multiple users.
In this embodiment, if a login is attempted on a user account without success, an operation record is still stored: the operation log contains records such as an incorrect account or password entered at login. During filtering, users who did not log in successfully are filtered out, to avoid counting logins repeatedly.
Step S102: obtain the key fields in the operation log from the operation log according to preset field names.
In this embodiment, when storing an operation log, the server classifies the information in the log by category and divides it into multiple fields, each of which has a field name. The preset field names include the field names of the login account information, login time information and login count information; during extraction, the key fields carrying the login account information, login time information and login count information are extracted.
Step S103: extract the page operation information in the key fields.
In this embodiment, when the key fields are obtained from the operation log according to the preset field names, the login account information, login time information and login count information are used to extract the page operation information in the key fields.
Step S104: according to the page operation information, obtain multiple pieces of page login information generated when the multiple users log in to the server within N time periods, where each user corresponds to one piece of page login information and each piece of page login information includes the corresponding user's page login account, page login time and page login count.
In this embodiment, the step of obtaining the page login count comprises:
Obtaining the mapped access sequence of each user according to the multiple pieces of page login information;
Generating an adjacency matrix of page accesses according to the mapped access sequence of each user;
Obtaining the number of jumps to each page according to the adjacency matrix of page accesses, where the number of jumps is the page login count.
The mapped access sequence is as follows:
The parameter identifier of each piece of page login information is represented by numeric node p, and the page displayed after a successful login corresponds to numeric node q.
In this embodiment, the page login count is represented by arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q. For example, numbering the identifiers of the login pages produces a corresponding sequence as pages are jumped between, and arranging that sequence into a matrix yields arc[p][q].
In this embodiment, the N time periods can be preset as desired, for example the previous three days or the previous ten days. For each user it is judged whether only one of the N time periods contains an operation record, in order to further determine whether the user is abnormal.
Step S105: filter target page login information out of the multiple pieces of page login information, the target page login information being page login information that has a login record in only a single one of the N time periods.
In this embodiment, the terminal sends the server a request to retrieve operation logs. The request includes the preset field names, which name the operation log information of all users within the N time periods. The key fields include the users' login information on the page, and the terminal then extracts the page operation information from the key fields. The page operation information is the page login information generated by all users logging in to the server within the N time periods. Finally, the entries are extracted for which the page login account has a recorded page login count in only one of the N time periods. The target page login information includes the information of the login page.
Step S106: determine the page login account corresponding to the target page login information to be a suspicious account.
In this embodiment, the invention detects users who have no operation behaviour on the first i (i ≤ N-1) days of the N time periods and have an operation log on day i+1. In other words, because this method performs continuous detection, as long as only one period within the N-day target window is found to contain an operation record, the user is selected and determined to be a suspicious account.
In this embodiment, if more than one period contains an operation record, the user's account is ruled out as abnormally suspicious. If a user has operation records in multiple periods of the target window, the user is probably in a working state, and a user account that has been unused for a long time would not have multiple operation records; the account is therefore ruled out as abnormally suspicious.
Step S107: compare the user name of the suspicious account with the preset leave list to judge whether an account misuse event has occurred and, if so, mark the suspicious account as suspicious, where the preset leave list includes the users who are on leave and the account names corresponding to those users.
In this embodiment, suspicious accounts are collected over a statistical window, and each such user is then compared with the preset leave list, which lists all users who are on leave and the account names corresponding to those users. If the user matches the preset leave list, the user's account may have been misused, and the reason for the abnormal use of the account can be investigated further.
The query statement, written in SQL, is:
SELECT * FROM op_table
WHERE op_day BETWEEN (current_day - n) AND current_day
GROUP BY op_day
HAVING COUNT(id) > 1
Here op_table is the table that stores user operation information and contains the user id (id), the user operation time (op_time) and the user operation date (op_day); op_day is derived from op_time. current_day is the cutoff date on which the query is run, n is the time window, and the query is run every day.
For example: today is November 11, 2018. To query abnormal records from the past 3 days, current_day is November 11, 2018 and (current_day-3) is November 8, 2018.
If a user id contained in the query result has not appeared in earlier query results, that user's first operation record occurred on November 11, 2018. The list of qualifying users is then compared with the leave list: if a user should be on leave on that day but appears in the list of abnormal use, the user's account may have been misused, and the reason for the abnormal use of the account can be investigated further.
In this embodiment, the historical login data corresponding to the suspicious account is obtained, and the historical login success rate is computed from it. The historical login success rate is compared with the current login success rate; if the difference exceeds a preset success-rate difference threshold, an account misuse event is judged to have occurred.
Step S108: obtain the associated social account of the target user corresponding to the suspicious account, and obtain the target user's activity region from the associated social account.
Step S109: look up the location region from the IP address of the suspicious account's page login address, and compare the location region with the activity region.
Step S110: if the location region and the activity region are in the same region, remove the suspicious mark from the suspicious account.
In this embodiment, the associated social account (for example DingTalk) of the target user corresponding to the suspicious account is used to obtain the target user's activity region. The location region is looked up from the IP address of the suspicious account's page login address and compared with the target user's activity region. If they are in the same region, for example the same city, town, district or street, the suspicious mark is removed from the suspicious account. IP address lookup software can be used to find the current login location of the suspicious account.
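The screening in steps S105 to S110 can be sketched as follows. This is an added example, not code from the patent: the log tuple layout, the sample records, the leave list and the region strings (standing in for an IP geolocation lookup and for the activity region read from the social account) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample operation log (not from the patent):
# (account, day, login succeeded, region resolved from the login IP).
SAMPLE_LOG = [
    ("alice", "2018-11-09", True, "Shanghai"),
    ("alice", "2018-11-11", True, "Shanghai"),   # active on two days
    ("bob", "2018-11-11", True, "Shenzhen"),     # one day, on leave, other region
    ("bob", "2018-11-11", True, "Shenzhen"),     # same day again: still one period
    ("carol", "2018-11-11", True, "Beijing"),    # one day, on leave, usual region
    ("dave", "2018-11-10", False, "Chengdu"),    # failed attempt, filtered out
    ("dave", "2018-11-11", True, "Chengdu"),     # one day, but not on leave
    ("erin", "2018-11-01", True, "Wuhan"),       # outside the window
]
LEAVE_LIST = {"bob", "carol", "erin"}                     # constructed leave list
ACTIVITY_REGION = {"bob": "Beijing", "carol": "Beijing"}  # constructed activity regions


def successful_periods(log, current_day, n):
    """Return (account -> set of active days, account -> set of login regions)
    for successful logins with current_day - n <= day <= current_day."""
    start = current_day - timedelta(days=n)
    days, regions = defaultdict(set), defaultdict(set)
    for account, day, succeeded, region in log:
        when = date.fromisoformat(day)
        if not succeeded or not start <= when <= current_day:
            continue  # unsuccessful logins are dropped before counting
        days[account].add(when)
        regions[account].add(region)
    return days, regions


def detect(log, current_day, n, leave_list, activity_region):
    """Apply S105-S110 and return the suspicious, marked and cleared accounts."""
    days, regions = successful_periods(log, current_day, n)
    # S105/S106: records in exactly one period of the window -> suspicious.
    suspicious = {acct for acct, active in days.items() if len(active) == 1}
    # S107: a suspicious account whose user is on the leave list gets the mark.
    marked = suspicious & set(leave_list)
    # S108-S110: remove the mark when the login region equals the activity
    # region. Requiring every login region to match is this example's choice.
    cleared = {a for a in marked if regions[a] == {activity_region.get(a)}}
    return {"suspicious": suspicious, "marked": marked - cleared, "cleared": cleared}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG, date(2018, 11, 11), 3, LEAVE_LIST, ACTIVITY_REGION))
```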
Embodiment two
Referring to Fig. 2, a flow chart of the steps for calculating the page login count in embodiment two of the present invention is shown. It should be understood that the flow chart in this method embodiment does not limit the order in which the steps are executed. The following description takes the server as the executing entity by way of example. The details are as follows.
Step S201: obtain the mapped access sequence of each user according to the multiple pieces of page login information.
Step S202: generate an adjacency matrix of page accesses according to the mapped access sequence of each user.
Step S203: obtain the number of jumps to each page according to the adjacency matrix of page accesses, where the number of jumps is the page login count.
In this embodiment, the mapped access sequence is as follows: the parameter identifier of the target page login information is represented by numeric node p, and the page displayed after a successful login corresponds to numeric node q.
The mapped access sequence in this embodiment can be understood as representing a user's access sequence by means of an index, for example by means of numbers. Specifically, each page identification parameter in the operation log can be mapped to a number, and the user's mapped access sequence can then be derived from the order of the pages corresponding to the page identification parameters that each user accessed.
In this embodiment, the page login count is represented by arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page accesses, from the page corresponding to numeric node p to the page corresponding to numeric node q.
In this embodiment, an adjacency matrix is a matrix that represents the adjacency relationships between vertices. The adjacency matrix of this embodiment is generated from the mapped access sequence of each user. Each point in a user's mapped access sequence forms a vertex of the page-access adjacency matrix. Because each user's mapped access sequence captures the order of the pages the user visited, the page-access adjacency matrix of this embodiment is the adjacency matrix of a directed graph. The in-degree of a vertex in the access adjacency matrix represents the incoming traffic of that vertex p; in this embodiment it represents the number of jumps to the page corresponding to that vertex's numeric node q, and specifically equals the sum of the values of all directed edges in the column corresponding to numeric node p in the page-access adjacency matrix. For example, the incoming traffic of vertex 3 is the sum of the numbers of jumps from other pages to the page corresponding to numeric node 3. It may include the number of jumps from page 0, the start page, to the page corresponding to numeric node 3, the number of jumps from the page corresponding to numeric node 1, the number of jumps from the page corresponding to numeric node 2, and so on, up to the number of jumps from the page corresponding to numeric node n to the page corresponding to numeric node 3. In the page-access adjacency matrix, this corresponds to summing all directed edges arc[i][3] for i from 0 to n, which gives the incoming traffic of vertex 3, that is, the total page login count.
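Steps S201 to S203 can be illustrated with a small page-jump matrix. This is an added example, not code from the patent: the page identifiers, the sample access sequences and the function names are constructed assumptions, with the start page fixed as node 0 as in the description above.

```python
# Constructed access sequences (not from the patent): account -> pages in visit order.
SEQUENCES = {
    "alice": ["start", "login", "home", "attendance", "login", "home"],
    "bob": ["start", "login", "home"],
    "carol": ["start", "login"],          # never reached the post-login page
}


def build_adjacency(sequences, start_page="start"):
    """S201/S202: map each page identifier to a numeric node (start page = 0)
    and count jumps, so that arc[p][q] is the number of jumps from node p's
    page to node q's page over all given sequences."""
    index = {start_page: 0}
    for pages in sequences.values():
        for page in pages:
            index.setdefault(page, len(index))
    size = len(index)
    arc = [[0] * size for _ in range(size)]
    for pages in sequences.values():
        for src, dst in zip(pages, pages[1:]):
            arc[index[src]][index[dst]] += 1
    return index, arc


def in_degree(arc, q):
    """S203: incoming traffic of node q, the sum of arc[i][q] over all rows i."""
    return sum(row[q] for row in arc)


def login_counts(sequences, login_page, landing_page):
    """Per-account page login count: arc[p][q] with p the login page and q the
    page shown after a successful login, from that account's own matrix."""
    counts = {}
    for account, pages in sequences.items():
        index, arc = build_adjacency({account: pages})
        p, q = index.get(login_page), index.get(landing_page)
        counts[account] = arc[p][q] if p is not None and q is not None else 0
    return counts


if __name__ == "__main__":
    index, arc = build_adjacency(SEQUENCES)
    print(index)
    for row in arc:
        print(row)
    print(login_counts(SEQUENCES, "login", "home"))
```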
Embodiment three
Refering to Fig. 3, the program module signal of the detection system of the login page safety of the embodiment of the present invention three is shown
Figure.It specifically includes:
First obtains module 301, for obtaining the operation log of multiple users.
Specifically, the operation information that record has user to log in target pages in operation log in the present embodiment, the behaviour
Make to include but is not limited to the operation informations such as entry address, login time and log duration of the user when logging in log, it is described
Target pages are insurance login page.
Before the operation log for obtaining user, further includes that processing is filtered to the operation log, remove non-
The operation log of real user.Such as: if user account is attempted login (in success status is not logged in), also have operation note
It records, the record account of user or operation information of password mistake etc. when having login in operation log, when filtering will be not logged in
Successful user is filtered processing, avoids computing repeatedly login times.
Second obtains module 302, for being obtained in the operation log according to preset field name from the operation log
Critical field.
In the present embodiment, server classifies the information category of the operation log when storing operation log,
It is divided into multiple fields, each field is designed with field name.When the preset field name includes the login account information, logs in
Between information and login times information field name.Second obtain module 302 at the extraction, will with the login account information,
Login time information and the critical field of login times information extract.
First extraction module 303, for extracting the page operation information in the critical field.
In the present embodiment, it is described according to preset field name from the key obtained in the operation log in the operation log
When field, first extraction module 303, which extracts, has the login account information, login time information and login times information
The critical field in page operation information.
Second extraction module 304, for obtaining the multiple user in N number of period according to the page operation information
Multiple page log-on messages that interior login service device generates, the corresponding page log-on message of each user, each page log in
Information includes the page logon account, page login time and page login times of corresponding user.
In the present embodiment, second extraction module is also used to:
According to the multiple page log-on message, the mapping access sequence of each user is obtained;
According to the mapping access sequence of each user, the adjacency matrix of page access is generated;
According to the adjacency matrix of the page access, the number of hops of each page is obtained, wherein the number of hops
For the page login times.
The mapping access sequence are as follows:
The parameter identification of each page log-on message is indicated that the page after logining successfully is shown with digital nodes p
Corresponding digital nodes q;
The page login times indicate that the arc [p] [q] is the adjacency matrix of the page access with arc [p] [q]
The corresponding page of middle digital nodes p jumps number to the corresponding page of digital nodes q.
In this embodiment, the N time periods can be preset as required, for example the previous three days or the previous ten days, and each user is checked for whether only one of the N time periods contains an operation record, in order to further determine whether the user is abnormal. The second extraction module 304 obtains, from the page operation information, the multiple pieces of page login information generated when the multiple users log in to the server within the N time periods.
The screening module 305 is configured to screen out target page login information from the multiple pieces of page login information, the target page login information being page login information that has only a single login record within the N time periods.
In this embodiment, the target page login information includes each user's login information on the page. The screening module 305 screens out the page login information for which records exist in only a single one of the N time periods, that is, the page login information belonging to that single period.
The first judgment module 306 is configured to determine the page login account corresponding to the target page login information to be a suspicious account.
In this embodiment, the invention detects users who have no operation behaviour during the first i days (i ≤ N-1) of the N time periods and who have an operation log on day i+1. In other words, because the method runs as continuous detection, a user is screened out and determined to be a suspicious account as soon as only one period within the target N days is found to contain an operation record.
In this embodiment, if more than one period contains operation records, the user's account is ruled out as abnormal or suspicious. If a user has operation records in several periods within the target time range, the user is probably in a working state, and a user account that has gone unused for a long time does not show multiple operation records, so the account is ruled out as abnormal or suspicious.
The second judgment module 307 is configured to compare the user name of the suspicious account with a preset leave list and judge whether an account misuse event exists. If so, the suspicious account is marked with a suspicious flag. The preset leave list includes the users who are on leave and the account names corresponding to those users.
In this embodiment, suspicious accounts are counted over a statistical window, and each such user is then compared with the preset leave list, which lists all users who are on leave together with the account names corresponding to those users. If the user matches the preset leave list, the user's account may have been misused, and the cause of the abnormal use of the account can be investigated further.
The query statement, written in SQL, is:
SELECT * FROM op_table
WHERE op_day BETWEEN (current_day - n) AND current_day
GROUP BY op_day
HAVING COUNT(id) > 1
Here, op_table is the table that stores user operation information. It contains the user id (id), the user operation time (op_time) and the user operation date (op_day), where op_day is derived from op_time. current_day is the cut-off date of the current query run and n is the time window. The query statement is run daily.
For example: today is November 11, 2018. To query abnormal records within the past 3 days, current_day is November 11, 2018 and (current_day-3) is November 8, 2018.
If a user id contained in the query result did not appear in earlier query results, this shows that November 11, 2018 is the first day on which an operation record exists for that user. The list of qualifying users is then compared with the leave list: if a user should be on leave on that day but appears in the list of abnormal use, the user's account may have been misused. The cause of the abnormal use of the account can then be investigated further.
The third obtaining module 308 is configured to obtain the associated social account of the target user corresponding to the suspicious account, and to obtain the activity region of the target user from the associated social account.
The query module 309 is configured to query a location region according to the IP address of the page login address of the suspicious account, and to compare the location region with the activity region.
The third judgment module 310 is configured to remove the suspicious flag from the suspicious account if the location region and the activity region are in the same region.
In this embodiment, the activity region of the target user is obtained from the associated social account (for example DingTalk) of the target user corresponding to the suspicious account. The location region is queried according to the IP address of the page login address of the suspicious account and compared with the activity region of the target user. If the two are in the same region, for example the same city, town, district or street, the suspicious flag of the suspicious account is removed.
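The single-period screening, leave-list comparison and region check described above, combined into one runnable sketch. This is an added example, not code from the patent: the `ip` column, the lookup tables and all sample values are constructed, and the screening query implements the single-period rule stated in the text rather than reproducing the query quoted earlier.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample operations: (account id, op_time, source IP).
# The IPs come from the reserved documentation ranges.
OPS = [
    ("alice", "2018-11-08 09:01:00", "192.0.2.10"),
    ("alice", "2018-11-09 09:03:00", "192.0.2.10"),
    ("alice", "2018-11-11 08:55:00", "192.0.2.10"),
    ("bob",   "2018-11-11 23:14:00", "198.51.100.7"),
    ("carol", "2018-11-10 02:40:00", "203.0.113.50"),
    ("carol", "2018-11-10 02:47:00", "203.0.113.50"),
    ("dave",  "2018-11-11 10:00:00", "192.0.2.10"),
    ("erin",  "2018-11-05 14:00:00", "192.0.2.10"),   # outside the window
    ("erin",  "2018-11-11 14:00:00", "192.0.2.10"),
]
LEAVE_LIST = {"bob": ("2018-11-10", "2018-11-12"),     # account -> leave start, end
              "carol": ("2018-11-09", "2018-11-11")}
SOCIAL_REGION = {"bob": "city-B", "carol": "city-A"}   # activity region per account
IP_REGION = {"192.0.2.10": "city-A", "198.51.100.7": "city-B",
             "203.0.113.50": "city-C"}                 # stand-in for an IP lookup

# Accounts with operation records on exactly one day of the window.
SCREEN_SQL = """
SELECT id, MIN(op_day) AS only_day, GROUP_CONCAT(DISTINCT ip) AS ips
FROM op_table
WHERE op_day BETWEEN ? AND ?
GROUP BY id
HAVING COUNT(DISTINCT op_day) = 1
ORDER BY id
"""


def load(ops):
    """Build op_table in memory; op_day is derived from op_time, as on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE op_table (id TEXT, op_time TEXT, op_day TEXT, ip TEXT)")
    db.executemany("INSERT INTO op_table VALUES (?, ?, substr(?, 1, 10), ?)",
                   [(u, t, t, ip) for u, t, ip in ops])
    return db


def detect(db, current_day, n, leave_list, social_region, ip_region):
    """Screen single-day accounts, flag those on leave, release on region match."""
    start = (date.fromisoformat(current_day) - timedelta(days=n)).isoformat()
    findings = []
    for account, only_day, ips in db.execute(SCREEN_SQL, (start, current_day)):
        leave = leave_list.get(account)
        on_leave = leave is not None and leave[0] <= only_day <= leave[1]
        flagged = on_leave
        # Release the flag only if every source IP resolves to the activity region;
        # an unknown IP or a missing social account keeps the flag in place.
        regions = {ip_region.get(ip) for ip in ips.split(",")}
        if flagged and regions == {social_region.get(account)}:
            flagged = False
        findings.append({"account": account, "day": only_day,
                         "on_leave": on_leave, "flagged": flagged})
    return findings


if __name__ == "__main__":
    for row in detect(load(OPS), "2018-11-11", 3, LEAVE_LIST, SOCIAL_REGION, IP_REGION):
        print(row)
```
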
In this embodiment, the historical login data corresponding to the suspicious account is obtained, the historical login success rate is computed from the historical login data, and the historical login success rate is compared with the current login success rate. If the difference is large, it is judged that a misuse event has occurred.
Embodiment four
Referring to Fig. 4, a schematic diagram of the hardware structure of the computer device of embodiment four of the present invention is shown.
The present invention also provides a computer device 2, for example a smartphone, tablet computer, notebook computer, desktop computer, rack server, blade server, tower server or cabinet server (including an independent server or a server cluster composed of multiple servers) capable of executing programs. The computer device 2 of this embodiment includes at least, but is not limited to, a memory 21 and a processor 22 that can be communicatively connected to each other through a system bus.
In this embodiment, the memory 21 includes at least one type of computer-readable storage medium. The readable storage medium includes flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disc and so on. In some embodiments, the memory 21 may be an internal storage unit of the computer device 2, such as the hard disk or memory of the computer device 2. In other embodiments, the memory 21 may also be an external storage device of the computer device 2, such as a plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card or flash card fitted to the computer device 2. The memory 21 may of course also include both the internal storage unit of the computer device 2 and its external storage device. In this embodiment, the memory 21 is generally used to store the operating system and the various application software installed on the computer device 2, for example the program code of the login page security detection system 20 of embodiment four. In addition, the memory 21 may also be used to temporarily store various types of data that have been output or are to be output.
In some embodiments, the processor 22 may be a central processing unit (CPU), controller, microcontroller, microprocessor or other data processing chip. The processor 22 is generally used to control the overall operation of the computer device 2. In this embodiment, the processor 22 is used to run the program code stored in the memory 21 or to process data, for example to run the login page security detection system 20, so as to implement the login page security detection method of embodiment one or two.
The network interface 23 may include a wireless network interface or a wired network interface, and is generally used to establish a communication connection between the computer device 2 and other electronic devices. For example, the network interface 23 is used to connect the computer device 2 to an external terminal through a network and to establish a data transmission channel and communication connection between the computer device 2 and the external terminal. The network may be a wireless or wired network such as an intranet (Intranet), the Internet, the Global System of Mobile communication (GSM), Wideband Code Division Multiple Access (WCDMA), a 4G network, a 5G network, Bluetooth or Wi-Fi.
Embodiment five
This embodiment also provides a computer-readable storage medium, such as flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disc, server or App store, on which a computer program is stored that implements the corresponding functions when executed by a processor. The computer program of the embodiment of the present invention can be executed by at least one processor, so that the at least one processor implements the login page security detection method of embodiment one or two.
The method, system and storage medium for detecting login page security provided by the embodiments of the present invention first obtain and analyze the page operation information in the users' operation logs, then screen out from the multiple pieces of page login information the page login information that has a record in only a single one of the N time periods, and evaluate that page login information to identify users whose accounts are abnormal and suspicious. The original system does not need to be modified, which reduces the number of background processing steps and in turn the pressure on the system and the network.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
The above are only preferred embodiments of the present invention and do not limit the patent scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.
Claims (10)
1. A method for detecting the security of a login page, characterized by comprising the following steps:
obtaining operation logs of multiple users;
obtaining key fields from the operation logs according to preset field names;
extracting the page operation information from the key fields;
obtaining, according to the page operation information, multiple pieces of page login information generated when the multiple users log in to the server within N time periods, where each user corresponds to one piece of page login information and each piece of page login information includes the page login account, page login time and page login count of the corresponding user;
screening out target page login information from the multiple pieces of page login information, the target page login information being page login information that has only a single login record within the N time periods;
determining the page login account corresponding to the target page login information to be a suspicious account;
comparing the user name of the suspicious account with a preset leave list to judge whether an account misuse event exists and, if so, marking the suspicious account with a suspicious flag, the preset leave list including the users who are on leave and the account names corresponding to those users;
obtaining the associated social account of the target user corresponding to the suspicious account, and obtaining the activity region of the target user from the associated social account;
querying a location region according to the IP address of the page login address of the suspicious account, and comparing the location region with the activity region;
if the location region and the activity region are in the same region, removing the suspicious flag from the suspicious account.
2. The detection method according to claim 1, characterized in that the step of obtaining the page login count comprises:
obtaining the mapping access sequence of each user according to the multiple pieces of page login information;
generating an adjacency matrix of page access according to the mapping access sequence of each user;
obtaining the number of jumps for each page according to the adjacency matrix of page access, where the number of jumps is the page login count.
3. The detection method according to claim 2, characterized in that the mapping access sequence is:
the parameter identifier of each piece of page login information is represented by a digital node p, and the page displayed after a successful login is represented by the corresponding digital node q.
4. The detection method according to claim 3, characterized in that the page login count is represented by arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page access, from the page corresponding to digital node p to the page corresponding to digital node q.
5. The detection method according to claim 1, characterized in that, before the operation logs of the users are obtained, the method further comprises:
extracting the operation logs of multiple users according to a preset rule, and filtering the extracted operation logs;
wherein the preset rule is used to identify operation logs in which the multiple users did not log in successfully.
6. A system for detecting the security of a login page, characterized by comprising:
a first obtaining module, configured to obtain operation logs of multiple users;
a second obtaining module, configured to obtain key fields from the operation logs according to preset field names;
a first extraction module, configured to extract the page operation information from the key fields;
a second extraction module, configured to obtain, according to the page operation information, multiple pieces of page login information generated when the multiple users log in to the server within N time periods, where each user corresponds to one piece of page login information and each piece of page login information includes the page login account, page login time and page login count of the corresponding user;
a screening module, configured to screen out target page login information from the multiple pieces of page login information, the target page login information being page login information that has only a single login record within the N time periods;
a first judgment module, configured to determine the page login account corresponding to the target page login information to be a suspicious account;
a second judgment module, configured to compare the user name of the suspicious account with a preset leave list to judge whether an account misuse event exists and, if so, to mark the suspicious account with a suspicious flag, the preset leave list including the users who are on leave and the account names corresponding to those users;
a third obtaining module, configured to obtain the associated social account of the target user corresponding to the suspicious account, and to obtain the activity region of the target user from the associated social account;
a query module, configured to query a location region according to the IP address of the page login address of the suspicious account, and to compare the location region with the activity region;
a third judgment module, configured to remove the suspicious flag from the suspicious account if the location region and the activity region are in the same region.
7. The detection system according to claim 6, characterized in that the second extraction module is further configured to:
obtain the mapping access sequence of each user according to the multiple pieces of page login information;
generate an adjacency matrix of page access according to the mapping access sequence of each user;
obtain the number of jumps for each page according to the adjacency matrix of page access, where the number of jumps is the page login count.
8. The detection method according to claim 7, characterized in that the mapping access sequence is:
the parameter identifier of each piece of page login information is represented by a digital node p, and the page displayed after a successful login is represented by the corresponding digital node q;
the page login count is represented by arc[p][q], where arc[p][q] is the number of jumps, in the adjacency matrix of page access, from the page corresponding to digital node p to the page corresponding to digital node q.
9. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the login page security detection method according to any one of claims 1-5.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program can be executed by at least one processor, so that the at least one processor performs the steps of the login page security detection method according to any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910366731.0A CN110191097B (en) | 2019-05-05 | 2019-05-05 | Method, system, equipment and storage medium for detecting security of login page |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910366731.0A CN110191097B (en) | 2019-05-05 | 2019-05-05 | Method, system, equipment and storage medium for detecting security of login page |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110191097A true CN110191097A (en) | 2019-08-30 |
CN110191097B CN110191097B (en) | 2023-01-10 |
Family
ID=67715484
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910366731.0A Active CN110191097B (en) | 2019-05-05 | 2019-05-05 | Method, system, equipment and storage medium for detecting security of login page |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110191097B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN110191097B (en) | 2023-01-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||