CN110445790A - A kind of account method for detecting abnormality logging in behavior based on user - Google Patents
A kind of account method for detecting abnormality logging in behavior based on user Download PDFInfo
- Publication number
- CN110445790A CN110445790A CN201910739790.8A CN201910739790A CN110445790A CN 110445790 A CN110445790 A CN 110445790A CN 201910739790 A CN201910739790 A CN 201910739790A CN 110445790 A CN110445790 A CN 110445790A
- Authority
- CN
- China
- Prior art keywords
- user
- data
- login
- log
- behavior
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a kind of account method for detecting abnormality that behavior is logged in based on user, comprising the following steps: A. login page acquires user behavior information by javascript;B. server obtains log in history data after getting the IP value of user;C. calculating is current logs in ground with historical log data distance d1, the current login time of calculating and historical log time data distance d2, the current logging device of calculating and historical log device data distance d3;D. determine whether current login behavior is abnormal.Method of the invention, has merged login time in user's login behavior, log in ground, and three kinds of characteristic synthetics of logging device judge the abnormal behaviour in process of user login, improves the accuracy of analysis.
Description
Technical field
The present invention relates to computer security technical field, in particular to a kind of account for logging in behavior based on user is examined extremely
Survey method.
Background technique
With popularizing for network, internet has become the pith of people's life.In order to online standardization and
It is user-friendly, now much there is respective account in a network, also, as access network is more and more convenient, Yong Huke
To log in oneself account in different terminals, correspondingly, different users can also log in respective account from same terminal
Number.In the case, when user logs in and breaks down, how quick positioning failure excluded in time, becomes network clothes
The supplier of business problem of concern.In addition, growing various malice log in behavior, the supplier of network service is also required
It can be identified and is handled, to safeguard the normal use behavior of user.
Currently, the safety precaution of network account is mainly there are two direction in advance: (1) taking precautions against: improving user account password, close
The intensity of code;It is required that user uses more secure authentication informations;Carry out login account by associated verification tool;Known based on vocal print
Not with the secure log of speech recognition etc.;(2) real-time detection: the legitimacy that each account logs in is detected in time, to doubtful exception
Log on request carry out other verifying, even directly reject.
In the prior art, by detection log in IP, statistics a period of time in the account account log in where province with
And it is whether abnormal to detect account in the number of days that each province logs in, if user logs within nearest a period of time in multiple provinces
And it is more than preset value that account, which logs in the total degree in the province at place, it is believed that the account number cipher has been revealed.But it detects in the prior art
The method safety coefficient of account exception is low, is easily cracked by criminal, for example, criminal can first login account, obtain the account
Common login, by Agent IP log in this it is common log in ground, then system cannot detect account exception.I.e. current account
Abnormality detection is single in the presence of detection user account dimension, is easy to the shortcomings that cracking.
Summary of the invention
It is insufficient in above-mentioned background technique the purpose of the present invention is overcoming, it is different to provide a kind of account that behavior is logged in based on user
Normal detection method, the very land used based on account use the account abnormality detection model of time and non-commonly used equipment very much, realize more
Dimension detection, promotes the safety of detection.
In order to reach above-mentioned technical effect, the present invention takes following technical scheme:
A kind of account method for detecting abnormality logging in behavior based on user, comprising the following steps:
A. login page acquires user behavior information by javascript;
B. server obtains log in history data after getting the IP value of user;
C. calculate it is current log in ground with historical log data distance d1, the current login time of calculating and historical log when
Between data distance d2, calculate current logging device and historical log device data distance d3;
D. determine whether current login behavior is abnormal.
Further, the user behavior information includes browser fingerprint, user's login IP, user's login time, wherein
Browser fingerprint is a kind of recognition methods based on browser information combination, by Query Browser platform from configuration information, soft
The characteristic parameters such as the screen message, plugin information, font information of equipment are got on the levels such as part composition and hardware composition, are led to
Crossing the non-encrypted hash algorithm formation of murmurhash3 can be with the finger print data of unique identification user.
Further, it is specifically browser fingerprint of the server to obtain in the step B as logging device data, obtains
To log in history data, and obtain from log in history data the account historical log data, historical log time data,
Historical log device data.
Further, the calculation formula of d1 are as follows:The calculation formula of d2 are as follows:The calculation formula of d3 are as follows:
Wherein, m is positive integer, and Ti is that user's i-th logs in time of the act apart from present number of weeks, and Di is i-th use
Family logs in ground data, and D is that active user logs in ground data, and d (D, Di) is D at a distance from Di, d (D, the Di) when D is equal with Di
=1, it is otherwise i-th user's login time data for 0, Di ', D ' is active user's login time data, d (D ', Di ') it is D '
At a distance from Di ', as D ' and Di when equal ' d (D ', Di ')=1, it is otherwise 0, Di " is i-th user logging device data, D "
For active user's logging device data, d (D ", Di ") is d (D ", the Di ")=1 when D " is equal with Di " at a distance from D " and Di ",
It otherwise is 0.
Further, the step D specifically: when the value of d1+d2+d3 belongs to (2,3] section when, then determine current log in
Behavior is low danger;If belong to (1,2] section when, then determine that current to log in behavior be middle danger;If belong to [0,1] section, then sentence
Settled preceding login behavior is high-risk.
Compared with prior art, the present invention have it is below the utility model has the advantages that
The of the invention account method for detecting abnormality that behavior is logged in based on user has been merged when logging in user's login behavior
Between, ground is logged in, logging device three kinds of characteristic synthetics judge the abnormal behaviour in process of user login, improve the accurate of analysis
Property, have recognition accuracy high, the advantages of being not easy to crack, can find account risk in time, while also greatly improving industry
The safety of business system account.
Detailed description of the invention
Fig. 1 is the account method for detecting abnormality flow diagram of the invention that behavior is logged in based on user.
Specific embodiment
Below with reference to the embodiment of the present invention, the invention will be further elaborated.
Embodiment:
Embodiment one:
As shown in Figure 1, a kind of account method for detecting abnormality for logging in behavior based on user, is based in user's login behavior
Login time, logs in ground, and three kinds of features of logging device mainly comprise the steps that come the method for carrying out account abnormality detection
The first step, by acquiring user behavior information using javascript in login page.
Specifically, the user behavior information acquired is needed to specifically include the browser fingerprint of user, user's login IP, user
Login time, current browser fingerprint are to be made up of Query Browser platform from configuration information, software composition and hardware
UserAgent, colorDepth, hardwareConcurrency, the cpuClass of equipment are got on equal levels,
These features of platform, webglVendorAndRenderer, fonts, fontsFlash are non-encrypted by murmurhash3
Hash algorithm is calculated, but there is the phenomenon that repeating, this programme joined on the basis of original fonts ' Songti
SC','SimHe','Songti TC','DengXian','Adobe Arabic','Adobe Hebrew','Apple
Braille','PingFang SC','Heiti SC','Adobe Heiti Std','Adobe Song Std','
Microsoft Uighur','Microsoft YaHei','Microsoft Yi Baiti','FangSong','KaiTi','
Apple Color Emoji', ' Adobe Garamond' these fonts, greatly reduce browser fingerprint duplicate it is general
Rate improves the accuracy of identification.
Specifically, the field feature that browser fingerprint uses is described below table:
Second step, server obtain geographical location after getting the IP value of user.
The browser fingerprint that server obtains is as logging device data.The history of the account is taken in log in history data
Log in ground data, historical log time data, historical log device data.
Third step calculates current login ground with historical log data distance d1, current login time and historical log
Distance d2, current logging device and the historical log device data distance d3 of time data.
Specifically, in the present embodiment, the calculation formula of d1 are as follows:The calculation formula of d2
Are as follows:The calculation formula of d3 are as follows:
In above-mentioned calculation formula, m is positive integer, and Ti is that user's i-th logs in time of the act apart from present number of weeks,
Di is that i-th user logs in ground data, and D is that active user logs in ground data, and d (D, Di) is D at a distance from Di, when D and Di phase
D (D, Di)=1, is otherwise i-th user's login time data for 0, Di ' whens equal, and D ' is active user's login time data, d
(D ', Di ') is D ' at a distance from Di ', as D ' and Di when equal ' d (D ', Di ')=1, it is otherwise 0, Di " is that i-th user steps on
Recording apparatus data, D " are active user's logging device data, and d (D ", Di ") is the d when D " is equal with Di " at a distance from D " and Di "
Otherwise (D ", Di ")=1 is 0.
4th step determines whether current login behavior is abnormal.
Specifically, calculate d1+d2+d3, when the value of d1+d2+d3 belongs to (2,3] section when, then determine current to log in behavior
For low danger;If belong to (1,2] section when, then determine that current to log in behavior be middle danger;If belong to [0,1] section, then determine to work as
Preceding login behavior is high-risk.
In summary, method of the invention has merged login time in user's login behavior, with logging in, three kinds of logging device
Characteristic synthetic judges the abnormal behaviour in process of user login, improves the accuracy of analysis, wherein user logging device is logical
Browser finger print data is crossed to identify, the compatibility with browser is high, and the advantage that recognition accuracy is high.
It is understood that the principle that embodiment of above is intended to be merely illustrative of the present and the exemplary implementation that uses
Mode, however the present invention is not limited thereto.For those skilled in the art, essence of the invention is not being departed from
In the case where mind and essence, various changes and modifications can be made therein, these variations and modifications are also considered as protection scope of the present invention.
Claims (5)
1. a kind of account method for detecting abnormality for logging in behavior based on user, which comprises the following steps:
A. login page acquires user behavior information by javascript;
B. server obtains log in history data after getting the IP value of user;
C. current login ground with historical log data distance d1, the current login time of calculating and historical log time number are calculated
According to distance d2, calculate current logging device and historical log device data distance d3;
D. determine whether current login behavior is abnormal.
2. a kind of account method for detecting abnormality for logging in behavior based on user according to claim 1, which is characterized in that institute
Stating user behavior information includes browser fingerprint, user's login IP, user's login time.
3. a kind of account method for detecting abnormality for logging in behavior based on user according to claim 2, which is characterized in that institute
Stating in step B is specifically server using the browser fingerprint that obtains as logging device data, obtains log in history data, and from
The historical log of the account is obtained in log in history data data, historical log time data, historical log device data.
4. a kind of account method for detecting abnormality for logging in behavior based on user according to claim 3, which is characterized in that d1
Calculation formula are as follows:The calculation formula of d2 are as follows:
The calculation formula of d3 are as follows:
Wherein, m is positive integer, and Ti is that user's i-th logs in time of the act apart from present number of weeks, and Di is that i-th user steps on
Record ground data, D are that active user logs in ground data, and d (D, Di) is D at a distance from Di, d (D, the Di)=1 when D is equal with Di,
Otherwise be 0, Di ' be i-th user's login time data, D ' is active user's login time data, d (D ', Di ') be D ' with
The distance of Di ', as D ' and Di when equal ' d (D ', Di ')=1, it is otherwise 0, Di " is i-th user logging device data, and D " is
Active user's logging device data, d (D ", Di ") are at a distance from D " and Di ", and when D " is equal with Di ", d (D ", Di ")=1, no
It is then 0.
5. a kind of account method for detecting abnormality for logging in behavior based on user according to claim 4, which is characterized in that institute
State step D specifically: when the value of d1+d2+d3 belongs to (2,3] section when, then determine that current to log in behavior be low danger;If belonging to
(1,2] section when, then determine that current to log in behavior be middle danger;If belong to [0,1] section, then determine that current login behavior is height
Danger.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910739790.8A CN110445790A (en) | 2019-08-12 | 2019-08-12 | A kind of account method for detecting abnormality logging in behavior based on user |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910739790.8A CN110445790A (en) | 2019-08-12 | 2019-08-12 | A kind of account method for detecting abnormality logging in behavior based on user |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110445790A true CN110445790A (en) | 2019-11-12 |
Family
ID=68434600
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910739790.8A Pending CN110445790A (en) | 2019-08-12 | 2019-08-12 | A kind of account method for detecting abnormality logging in behavior based on user |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110445790A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112491875A (en) * | 2020-11-26 | 2021-03-12 | 四川长虹电器股份有限公司 | Intelligent tracking safety detection method and system based on account system |
WO2023236538A1 (en) * | 2022-06-06 | 2023-12-14 | 中国移动通信集团设计院有限公司 | Risky code pre-detection method and apparatus, electronic device, computer readable storage medium, and computer program product |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104426835A (en) * | 2013-08-20 | 2015-03-18 | 深圳市腾讯计算机系统有限公司 | Login detection method, login server, and login detection device and system thereof |
CN108090332A (en) * | 2017-12-06 | 2018-05-29 | 国云科技股份有限公司 | A kind of air control method that behavioural analysis is logged in based on user |
CN108234449A (en) * | 2017-12-07 | 2018-06-29 | 深圳市买买提信息科技有限公司 | Log on request processing method, server and computer readable storage medium |
CN108989150A (en) * | 2018-07-19 | 2018-12-11 | 新华三信息安全技术有限公司 | A kind of login method for detecting abnormality and device |
-
2019
- 2019-08-12 CN CN201910739790.8A patent/CN110445790A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104426835A (en) * | 2013-08-20 | 2015-03-18 | 深圳市腾讯计算机系统有限公司 | Login detection method, login server, and login detection device and system thereof |
CN108090332A (en) * | 2017-12-06 | 2018-05-29 | 国云科技股份有限公司 | A kind of air control method that behavioural analysis is logged in based on user |
CN108234449A (en) * | 2017-12-07 | 2018-06-29 | 深圳市买买提信息科技有限公司 | Log on request processing method, server and computer readable storage medium |
CN108989150A (en) * | 2018-07-19 | 2018-12-11 | 新华三信息安全技术有限公司 | A kind of login method for detecting abnormality and device |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112491875A (en) * | 2020-11-26 | 2021-03-12 | 四川长虹电器股份有限公司 | Intelligent tracking safety detection method and system based on account system |
CN112491875B (en) * | 2020-11-26 | 2022-07-08 | 四川长虹电器股份有限公司 | Intelligent tracking safety detection method and system based on account system |
WO2023236538A1 (en) * | 2022-06-06 | 2023-12-14 | 中国移动通信集团设计院有限公司 | Risky code pre-detection method and apparatus, electronic device, computer readable storage medium, and computer program product |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6732806B2 (en) | Account theft risk identification method, identification device, and prevention/control system | |
CN104202339B (en) | A kind of across cloud authentication service method based on user behavior | |
CN108989150A (en) | A kind of login method for detecting abnormality and device | |
CN104301286A (en) | User login authentication method and device | |
CN105930727A (en) | Web-based crawler identification algorithm | |
CN105471842B (en) | A kind of Network Security Analysis Method under big data environment | |
CN112765578B (en) | Method for realizing safety privacy calculation based on browser client | |
CN116644825B (en) | Big data-based outpatient information inquiry reservation management system | |
CN115174205B (en) | Network space safety real-time monitoring method, system and computer storage medium | |
CN110445790A (en) | A kind of account method for detecting abnormality logging in behavior based on user | |
CN105656867A (en) | Monitoring method and device for account theft event | |
CN112003846A (en) | Credit threshold training method, IP address detection method and related device | |
CN115130122A (en) | Big data security protection method and system | |
CN115204733A (en) | Data auditing method and device, electronic equipment and storage medium | |
WO2016048129A2 (en) | A system and method for authenticating a user based on user behaviour and environmental factors | |
CN111444484B (en) | Enterprise intranet user identity portrait processing method based on unified login management | |
CN111814121A (en) | Login authentication management system and method based on computer system | |
CN216122450U (en) | Power grid safety audit system | |
CN112118259B (en) | Unauthorized vulnerability detection method based on classification model of lifting tree | |
CN114357403A (en) | User login request processing method and device based on equipment credibility and equipment | |
CN112995128A (en) | Interface information automatic verification assembly and method based on artificial intelligence | |
CN112149089A (en) | Computer login authentication management system based on Internet of things | |
CN108241803B (en) | A kind of access control method of heterogeneous system | |
CN112149095B (en) | Student data safety management method and system | |
JP7059741B2 (en) | Fraud detection device, fraud detection method and fraud detection program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20191112 |