CN110445790A - A kind of account method for detecting abnormality logging in behavior based on user - Google Patents

A kind of account method for detecting abnormality logging in behavior based on user Download PDF

Info

Publication number
CN110445790A
CN110445790A CN201910739790.8A CN201910739790A CN110445790A CN 110445790 A CN110445790 A CN 110445790A CN 201910739790 A CN201910739790 A CN 201910739790A CN 110445790 A CN110445790 A CN 110445790A
Authority
CN
China
Prior art keywords
user
data
login
log
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910739790.8A
Other languages
Chinese (zh)
Inventor
王淑娥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Changhong Electric Co Ltd filed Critical Sichuan Changhong Electric Co Ltd
Priority to CN201910739790.8A priority Critical patent/CN110445790A/en
Publication of CN110445790A publication Critical patent/CN110445790A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a kind of account method for detecting abnormality that behavior is logged in based on user, comprising the following steps: A. login page acquires user behavior information by javascript;B. server obtains log in history data after getting the IP value of user;C. calculating is current logs in ground with historical log data distance d1, the current login time of calculating and historical log time data distance d2, the current logging device of calculating and historical log device data distance d3;D. determine whether current login behavior is abnormal.Method of the invention, has merged login time in user's login behavior, log in ground, and three kinds of characteristic synthetics of logging device judge the abnormal behaviour in process of user login, improves the accuracy of analysis.

Description

A kind of account method for detecting abnormality logging in behavior based on user
Technical field
The present invention relates to computer security technical field, in particular to a kind of account for logging in behavior based on user is examined extremely Survey method.
Background technique
With popularizing for network, internet has become the pith of people's life.In order to online standardization and It is user-friendly, now much there is respective account in a network, also, as access network is more and more convenient, Yong Huke To log in oneself account in different terminals, correspondingly, different users can also log in respective account from same terminal Number.In the case, when user logs in and breaks down, how quick positioning failure excluded in time, becomes network clothes The supplier of business problem of concern.In addition, growing various malice log in behavior, the supplier of network service is also required It can be identified and is handled, to safeguard the normal use behavior of user.
Currently, the safety precaution of network account is mainly there are two direction in advance: (1) taking precautions against: improving user account password, close The intensity of code;It is required that user uses more secure authentication informations;Carry out login account by associated verification tool;Known based on vocal print Not with the secure log of speech recognition etc.;(2) real-time detection: the legitimacy that each account logs in is detected in time, to doubtful exception Log on request carry out other verifying, even directly reject.
In the prior art, by detection log in IP, statistics a period of time in the account account log in where province with And it is whether abnormal to detect account in the number of days that each province logs in, if user logs within nearest a period of time in multiple provinces And it is more than preset value that account, which logs in the total degree in the province at place, it is believed that the account number cipher has been revealed.But it detects in the prior art The method safety coefficient of account exception is low, is easily cracked by criminal, for example, criminal can first login account, obtain the account Common login, by Agent IP log in this it is common log in ground, then system cannot detect account exception.I.e. current account Abnormality detection is single in the presence of detection user account dimension, is easy to the shortcomings that cracking.
Summary of the invention
It is insufficient in above-mentioned background technique the purpose of the present invention is overcoming, it is different to provide a kind of account that behavior is logged in based on user Normal detection method, the very land used based on account use the account abnormality detection model of time and non-commonly used equipment very much, realize more Dimension detection, promotes the safety of detection.
In order to reach above-mentioned technical effect, the present invention takes following technical scheme:
A kind of account method for detecting abnormality logging in behavior based on user, comprising the following steps:
A. login page acquires user behavior information by javascript;
B. server obtains log in history data after getting the IP value of user;
C. calculate it is current log in ground with historical log data distance d1, the current login time of calculating and historical log when Between data distance d2, calculate current logging device and historical log device data distance d3;
D. determine whether current login behavior is abnormal.
Further, the user behavior information includes browser fingerprint, user's login IP, user's login time, wherein Browser fingerprint is a kind of recognition methods based on browser information combination, by Query Browser platform from configuration information, soft The characteristic parameters such as the screen message, plugin information, font information of equipment are got on the levels such as part composition and hardware composition, are led to Crossing the non-encrypted hash algorithm formation of murmurhash3 can be with the finger print data of unique identification user.
Further, it is specifically browser fingerprint of the server to obtain in the step B as logging device data, obtains To log in history data, and obtain from log in history data the account historical log data, historical log time data, Historical log device data.
Further, the calculation formula of d1 are as follows:The calculation formula of d2 are as follows:The calculation formula of d3 are as follows:
Wherein, m is positive integer, and Ti is that user's i-th logs in time of the act apart from present number of weeks, and Di is i-th use Family logs in ground data, and D is that active user logs in ground data, and d (D, Di) is D at a distance from Di, d (D, the Di) when D is equal with Di =1, it is otherwise i-th user's login time data for 0, Di ', D ' is active user's login time data, d (D ', Di ') it is D ' At a distance from Di ', as D ' and Di when equal ' d (D ', Di ')=1, it is otherwise 0, Di " is i-th user logging device data, D " For active user's logging device data, d (D ", Di ") is d (D ", the Di ")=1 when D " is equal with Di " at a distance from D " and Di ", It otherwise is 0.
Further, the step D specifically: when the value of d1+d2+d3 belongs to (2,3] section when, then determine current log in Behavior is low danger;If belong to (1,2] section when, then determine that current to log in behavior be middle danger;If belong to [0,1] section, then sentence Settled preceding login behavior is high-risk.
Compared with prior art, the present invention have it is below the utility model has the advantages that
The of the invention account method for detecting abnormality that behavior is logged in based on user has been merged when logging in user's login behavior Between, ground is logged in, logging device three kinds of characteristic synthetics judge the abnormal behaviour in process of user login, improve the accurate of analysis Property, have recognition accuracy high, the advantages of being not easy to crack, can find account risk in time, while also greatly improving industry The safety of business system account.
Detailed description of the invention
Fig. 1 is the account method for detecting abnormality flow diagram of the invention that behavior is logged in based on user.
Specific embodiment
Below with reference to the embodiment of the present invention, the invention will be further elaborated.
Embodiment:
Embodiment one:
As shown in Figure 1, a kind of account method for detecting abnormality for logging in behavior based on user, is based in user's login behavior Login time, logs in ground, and three kinds of features of logging device mainly comprise the steps that come the method for carrying out account abnormality detection
The first step, by acquiring user behavior information using javascript in login page.
Specifically, the user behavior information acquired is needed to specifically include the browser fingerprint of user, user's login IP, user Login time, current browser fingerprint are to be made up of Query Browser platform from configuration information, software composition and hardware UserAgent, colorDepth, hardwareConcurrency, the cpuClass of equipment are got on equal levels, These features of platform, webglVendorAndRenderer, fonts, fontsFlash are non-encrypted by murmurhash3 Hash algorithm is calculated, but there is the phenomenon that repeating, this programme joined on the basis of original fonts ' Songti SC','SimHe','Songti TC','DengXian','Adobe Arabic','Adobe Hebrew','Apple Braille','PingFang SC','Heiti SC','Adobe Heiti Std','Adobe Song Std',' Microsoft Uighur','Microsoft YaHei','Microsoft Yi Baiti','FangSong','KaiTi',' Apple Color Emoji', ' Adobe Garamond' these fonts, greatly reduce browser fingerprint duplicate it is general Rate improves the accuracy of identification.
Specifically, the field feature that browser fingerprint uses is described below table:
Second step, server obtain geographical location after getting the IP value of user.
The browser fingerprint that server obtains is as logging device data.The history of the account is taken in log in history data Log in ground data, historical log time data, historical log device data.
Third step calculates current login ground with historical log data distance d1, current login time and historical log Distance d2, current logging device and the historical log device data distance d3 of time data.
Specifically, in the present embodiment, the calculation formula of d1 are as follows:The calculation formula of d2 Are as follows:The calculation formula of d3 are as follows:
In above-mentioned calculation formula, m is positive integer, and Ti is that user's i-th logs in time of the act apart from present number of weeks, Di is that i-th user logs in ground data, and D is that active user logs in ground data, and d (D, Di) is D at a distance from Di, when D and Di phase D (D, Di)=1, is otherwise i-th user's login time data for 0, Di ' whens equal, and D ' is active user's login time data, d (D ', Di ') is D ' at a distance from Di ', as D ' and Di when equal ' d (D ', Di ')=1, it is otherwise 0, Di " is that i-th user steps on Recording apparatus data, D " are active user's logging device data, and d (D ", Di ") is the d when D " is equal with Di " at a distance from D " and Di " Otherwise (D ", Di ")=1 is 0.
4th step determines whether current login behavior is abnormal.
Specifically, calculate d1+d2+d3, when the value of d1+d2+d3 belongs to (2,3] section when, then determine current to log in behavior For low danger;If belong to (1,2] section when, then determine that current to log in behavior be middle danger;If belong to [0,1] section, then determine to work as Preceding login behavior is high-risk.
In summary, method of the invention has merged login time in user's login behavior, with logging in, three kinds of logging device Characteristic synthetic judges the abnormal behaviour in process of user login, improves the accuracy of analysis, wherein user logging device is logical Browser finger print data is crossed to identify, the compatibility with browser is high, and the advantage that recognition accuracy is high.
It is understood that the principle that embodiment of above is intended to be merely illustrative of the present and the exemplary implementation that uses Mode, however the present invention is not limited thereto.For those skilled in the art, essence of the invention is not being departed from In the case where mind and essence, various changes and modifications can be made therein, these variations and modifications are also considered as protection scope of the present invention.

Claims (5)

1. a kind of account method for detecting abnormality for logging in behavior based on user, which comprises the following steps:
A. login page acquires user behavior information by javascript;
B. server obtains log in history data after getting the IP value of user;
C. current login ground with historical log data distance d1, the current login time of calculating and historical log time number are calculated According to distance d2, calculate current logging device and historical log device data distance d3;
D. determine whether current login behavior is abnormal.
2. a kind of account method for detecting abnormality for logging in behavior based on user according to claim 1, which is characterized in that institute Stating user behavior information includes browser fingerprint, user's login IP, user's login time.
3. a kind of account method for detecting abnormality for logging in behavior based on user according to claim 2, which is characterized in that institute Stating in step B is specifically server using the browser fingerprint that obtains as logging device data, obtains log in history data, and from The historical log of the account is obtained in log in history data data, historical log time data, historical log device data.
4. a kind of account method for detecting abnormality for logging in behavior based on user according to claim 3, which is characterized in that d1 Calculation formula are as follows:The calculation formula of d2 are as follows: The calculation formula of d3 are as follows:
Wherein, m is positive integer, and Ti is that user's i-th logs in time of the act apart from present number of weeks, and Di is that i-th user steps on Record ground data, D are that active user logs in ground data, and d (D, Di) is D at a distance from Di, d (D, the Di)=1 when D is equal with Di, Otherwise be 0, Di ' be i-th user's login time data, D ' is active user's login time data, d (D ', Di ') be D ' with The distance of Di ', as D ' and Di when equal ' d (D ', Di ')=1, it is otherwise 0, Di " is i-th user logging device data, and D " is Active user's logging device data, d (D ", Di ") are at a distance from D " and Di ", and when D " is equal with Di ", d (D ", Di ")=1, no It is then 0.
5. a kind of account method for detecting abnormality for logging in behavior based on user according to claim 4, which is characterized in that institute State step D specifically: when the value of d1+d2+d3 belongs to (2,3] section when, then determine that current to log in behavior be low danger;If belonging to (1,2] section when, then determine that current to log in behavior be middle danger;If belong to [0,1] section, then determine that current login behavior is height Danger.
CN201910739790.8A 2019-08-12 2019-08-12 A kind of account method for detecting abnormality logging in behavior based on user Pending CN110445790A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910739790.8A CN110445790A (en) 2019-08-12 2019-08-12 A kind of account method for detecting abnormality logging in behavior based on user

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910739790.8A CN110445790A (en) 2019-08-12 2019-08-12 A kind of account method for detecting abnormality logging in behavior based on user

Publications (1)

Publication Number Publication Date
CN110445790A true CN110445790A (en) 2019-11-12

Family

ID=68434600

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910739790.8A Pending CN110445790A (en) 2019-08-12 2019-08-12 A kind of account method for detecting abnormality logging in behavior based on user

Country Status (1)

Country Link
CN (1) CN110445790A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491875A (en) * 2020-11-26 2021-03-12 四川长虹电器股份有限公司 Intelligent tracking safety detection method and system based on account system
WO2023236538A1 (en) * 2022-06-06 2023-12-14 中国移动通信集团设计院有限公司 Risky code pre-detection method and apparatus, electronic device, computer readable storage medium, and computer program product

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104426835A (en) * 2013-08-20 2015-03-18 深圳市腾讯计算机系统有限公司 Login detection method, login server, and login detection device and system thereof
CN108090332A (en) * 2017-12-06 2018-05-29 国云科技股份有限公司 A kind of air control method that behavioural analysis is logged in based on user
CN108234449A (en) * 2017-12-07 2018-06-29 深圳市买买提信息科技有限公司 Log on request processing method, server and computer readable storage medium
CN108989150A (en) * 2018-07-19 2018-12-11 新华三信息安全技术有限公司 A kind of login method for detecting abnormality and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104426835A (en) * 2013-08-20 2015-03-18 深圳市腾讯计算机系统有限公司 Login detection method, login server, and login detection device and system thereof
CN108090332A (en) * 2017-12-06 2018-05-29 国云科技股份有限公司 A kind of air control method that behavioural analysis is logged in based on user
CN108234449A (en) * 2017-12-07 2018-06-29 深圳市买买提信息科技有限公司 Log on request processing method, server and computer readable storage medium
CN108989150A (en) * 2018-07-19 2018-12-11 新华三信息安全技术有限公司 A kind of login method for detecting abnormality and device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491875A (en) * 2020-11-26 2021-03-12 四川长虹电器股份有限公司 Intelligent tracking safety detection method and system based on account system
CN112491875B (en) * 2020-11-26 2022-07-08 四川长虹电器股份有限公司 Intelligent tracking safety detection method and system based on account system
WO2023236538A1 (en) * 2022-06-06 2023-12-14 中国移动通信集团设计院有限公司 Risky code pre-detection method and apparatus, electronic device, computer readable storage medium, and computer program product

Similar Documents

Publication Publication Date Title
JP6732806B2 (en) Account theft risk identification method, identification device, and prevention/control system
CN104202339B (en) A kind of across cloud authentication service method based on user behavior
CN108989150A (en) A kind of login method for detecting abnormality and device
CN104301286A (en) User login authentication method and device
CN105930727A (en) Web-based crawler identification algorithm
CN105471842B (en) A kind of Network Security Analysis Method under big data environment
CN112765578B (en) Method for realizing safety privacy calculation based on browser client
CN116644825B (en) Big data-based outpatient information inquiry reservation management system
CN115174205B (en) Network space safety real-time monitoring method, system and computer storage medium
CN110445790A (en) A kind of account method for detecting abnormality logging in behavior based on user
CN105656867A (en) Monitoring method and device for account theft event
CN112003846A (en) Credit threshold training method, IP address detection method and related device
CN115130122A (en) Big data security protection method and system
CN115204733A (en) Data auditing method and device, electronic equipment and storage medium
WO2016048129A2 (en) A system and method for authenticating a user based on user behaviour and environmental factors
CN111444484B (en) Enterprise intranet user identity portrait processing method based on unified login management
CN111814121A (en) Login authentication management system and method based on computer system
CN216122450U (en) Power grid safety audit system
CN112118259B (en) Unauthorized vulnerability detection method based on classification model of lifting tree
CN114357403A (en) User login request processing method and device based on equipment credibility and equipment
CN112995128A (en) Interface information automatic verification assembly and method based on artificial intelligence
CN112149089A (en) Computer login authentication management system based on Internet of things
CN108241803B (en) A kind of access control method of heterogeneous system
CN112149095B (en) Student data safety management method and system
JP7059741B2 (en) Fraud detection device, fraud detection method and fraud detection program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20191112