CN110784470B - Method and device for determining abnormal login of user - Google Patents

Publication number: CN110784470B
Application number: CN201911045663.4A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN110784470A (en)
Prior art keywords: login, abnormal, account, adjacent point, mac
Inventors: 马影, 梁淑云, 刘胜, 陶景龙, 王启凡, 魏国富, 徐�明, 殷钱安, 余贤喆, 周晓勇
Current assignee: Information and Data Security Solutions Co Ltd
Original assignee: Information and Data Security Solutions Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The embodiment of the invention provides a method for determining abnormal login of a user, which comprises the following steps: 1) acquiring the log of a login interface and processing it into structured data; 2) identifying objects that are abnormal by using an abnormal login algorithm, wherein the objects comprise abnormal login accounts, abnormal IPs and abnormal MACs; 3) according to the abnormal objects, constructing a relational network structure chart with the abnormal login objects as nodes by using a graph database, obtaining from that chart the nodes that have connection relationships with the abnormal login objects, and taking the set of accounts, IPs and MACs corresponding to those nodes as the abnormal login object. The embodiment of the invention further provides a device for determining abnormal login of a user; applying the embodiment improves security.

Description

Method and device for determining abnormal login of user
Technical Field
The invention relates to the technical field of internet security, in particular to a method and a device for determining abnormal login of a user.
Background
As enterprise business systems move to the cloud, open up their capabilities and deepen their use of mobile internet applications, some insiders, channel-partner staff and external malicious attackers, driven by business interests, exploit control defects in the login process of business systems to profit illegitimately, causing large and direct business losses to the enterprise. Typical problems include: brute-force cracking carried out by machines through credential stuffing, account theft, malicious order brushing and flash-sale abuse, and the prizes of newly launched promotion campaigns being swept up wholesale by bonus hunters ("wool parties"). Illegal logins that exploit unauthorized-access defects in the system's login controls are used to tamper with and steal sensitive user data, and external malicious attackers use machine-driven login behaviour to attack the enterprise platform and gain illegal benefits. These problems seriously disrupt the normal production and management order of enterprises and cause significant economic and reputational loss; identifying illegal and abnormal login accounts and their corresponding IP and MAC addresses is therefore the key to solving them.
The invention patent with application number CN201610999792.7 discloses an abnormal login judgment method and device, comprising: acquiring the geographic location of the current login place and of the user's historical login places; clustering all login places according to a preset clustering rule to obtain a plurality of login place clusters, which comprise common login place clusters and/or abnormal login place clusters; calculating the clustering distance between each pair of login place clusters; and determining whether the current login is abnormal based on the cluster type of the login place cluster containing the current login place and the cluster distance between that cluster and the other login place clusters. That invention provides a judgment mechanism for account-theft behaviour that deviates from the usual login place, with a low false alarm rate and a wide application range.
The inventor finds that this prior art can only cluster users' login places in order to identify users with abnormal login behaviour; it cannot find abnormal login behaviour occurring in the same or nearby places and cannot monitor abnormal login objects comprehensively, so the prior art has the technical problem of low security.
Disclosure of Invention
The technical problem to be solved by the present invention is how to provide a method and a device for determining abnormal login of a user that monitor abnormal login objects more comprehensively, thereby improving security.
The invention solves the technical problem through the following technical means:
the embodiment of the invention provides a method for determining abnormal login of a user, comprising the following steps:
1) acquiring the log of a login interface, and processing the log of the login interface into structured data;
2) identifying objects that are abnormal by using an abnormal login algorithm, wherein the objects comprise: abnormal login accounts, abnormal IPs and abnormal MACs;
3) according to the abnormal objects, constructing a relational network structure chart with the abnormal login objects as nodes by using a graph database, obtaining from the chart the nodes that have connection relationships with the abnormal login objects, and taking the set of accounts, IPs and MACs corresponding to those nodes as the abnormal login object.
Optionally, step 2) includes abnormal account identification, comprising:
constructing account-level login behavior features, wherein the features comprise: the login account, the number of IPs used by the account, the number of MACs used by the account, the number of login attempts of the account, the number of failed logins of the account, the account's average login time interval, the variance of the account's login time interval, the number of logins of the account within a first preset time length, and the number of logins of the account outside working hours;
and then obtaining the abnormal accounts by using an isolation forest.
Optionally, step 2) includes abnormal IP identification, comprising:
constructing IP-level login behavior features, wherein the features comprise: the login IP, the number of accounts that logged in from the IP, the number of login attempts, the number of failed logins, the average login time interval, the login failure rate and the average number of logins per account from the IP;
performing cluster analysis on the IP-level login behavior features with the K-Means algorithm, clustering them into K clusters, and finding the centroid of each cluster;
for each IP-level login behavior feature, calculating the distance from the feature to the centroid of the cluster it belongs to, and judging whether the distance is smaller than a preset threshold;
if not, marking the IP-level login behavior feature sample as abnormal and deleting the abnormal sample from its cluster; repeating the above steps recursively until no abnormal sample is deleted;
and taking the IPs corresponding to the abnormal features as the abnormal IPs.
Optionally, obtaining, according to the relational network structure chart, the nodes having connection relationships with the abnormal login accounts, the abnormal IPs and the abnormal MACs respectively includes:
for each object contained in the abnormal login accounts and/or the abnormal IPs and/or the abnormal MACs, starting from the node in the relational network structure chart corresponding to the object, and taking the set of all adjacent nodes of that node as abnormal login objects;
for each adjacent point, taking the adjacent point as the current adjacent point;
starting from the current adjacent point, adding the set of all adjacent nodes of the current adjacent point to the abnormal login objects;
and taking each adjacent node of the current adjacent point as the new current adjacent point, repeating the above steps recursively until the current adjacent node has no further adjacent nodes.
Optionally, the method further includes:
and adding the detected abnormal login object into an enterprise login blacklist library, and intercepting and reporting related account number, IP and MAC login requests in real time.
The embodiment of the invention also provides a device for determining abnormal login of a user, comprising:
an acquisition device, configured to acquire the log of a login interface and process the log of the login interface into structured data;
an identification module, configured to identify objects that are abnormal by using an abnormal login algorithm, wherein the objects comprise: abnormal login accounts, abnormal IPs and abnormal MACs;
and a construction module, configured to construct, according to the abnormal objects, a relational network structure chart with the abnormal login objects as nodes by using a graph database, obtain from the chart the nodes that have connection relationships with the abnormal login objects, and take the set of accounts, IPs and MACs corresponding to those nodes as the abnormal login object.
Optionally, the identification module is configured to perform abnormal account identification, comprising:
constructing account-level login behavior features, wherein the features comprise: the login account, the number of IPs used by the account, the number of MACs used by the account, the number of login attempts of the account, the number of failed logins of the account, the account's average login time interval, the variance of the account's login time interval, the number of logins of the account within a first preset time period, and the number of logins of the account outside working hours;
and then obtaining the abnormal accounts by using an isolation forest.
Optionally, the identification module is configured to perform abnormal IP identification, comprising:
constructing IP-level login behavior features, wherein the features comprise: the login IP, the number of accounts that logged in from the IP, the number of login attempts, the number of failed logins, the average login time interval, the login failure rate and the average number of logins per account from the IP;
performing cluster analysis on the IP-level login behavior features with the K-Means algorithm, clustering them into K clusters, and finding the centroid of each cluster;
for each IP-level login behavior feature, calculating the distance from the feature to the centroid of the cluster it belongs to, and judging whether the distance is smaller than a preset threshold;
if not, marking the IP-level login behavior feature sample as abnormal and deleting the abnormal sample from its cluster; repeating the above steps recursively until no abnormal sample is deleted;
and taking the IPs corresponding to the abnormal features as the abnormal IPs.
Optionally, the construction module is configured to:
for each object contained in the abnormal login accounts and/or the abnormal IPs and/or the abnormal MACs, starting from the node in the relational network structure chart corresponding to the object, take the set of all adjacent nodes of that node as abnormal login objects;
for each adjacent point, take the adjacent point as the current adjacent point;
starting from the current adjacent point, add the set of all adjacent nodes of the current adjacent point to the abnormal login objects;
and take each adjacent node of the current adjacent point as the new current adjacent point, repeating the above steps recursively until the current adjacent node has no further adjacent nodes.
Optionally, the apparatus further comprises an adding module, configured to:
and adding the detected abnormal login object into an enterprise login blacklist library, and intercepting and reporting related account number, IP and MAC login requests in real time.
The invention has the following advantage:
by applying the embodiment of the invention, the limitation of traditional anomaly detection methods, which can only identify the objects that are already abnormal, are not comprehensive enough and cannot nip abnormal objects in the bud, is overcome.
Drawings
Fig. 1 is a schematic flowchart of a method for determining an abnormal user login according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a graph database constructed in the method for determining user abnormal login according to the embodiment of the present invention;
fig. 3 is a schematic structural diagram of a device for determining an abnormal login of a user according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Fig. 1 is a schematic flowchart of a method for determining abnormal login of a user according to an embodiment of the present invention; as shown in fig. 1, the method includes:
S101: acquiring the log of a login interface, and processing the log of the login interface into structured data.
Login interface logs are extracted for a specified time period (one day in this example). Each login action generates one login log record, which contains the login account, the corresponding IP and MAC address, the login start time, the login end time, whether the login succeeded, and so on. The log data is then parsed; in this example the Python 3 logging and json packages are used to extract and parse it, and the parsed result is structured data containing this key information.
S102: identifying objects that are abnormal by using an abnormal login algorithm, wherein the objects comprise: abnormal login accounts, abnormal IPs and abnormal MACs.
Illustratively, login behavior feature data can be constructed from the login log data obtained in step S101, and the three types of abnormal login object, i.e. abnormal accounts, abnormal IPs and abnormal MACs, can be identified with an anomaly detection algorithm such as the isolation forest algorithm or a quantile algorithm. When the login behavior features are designed, they can be based on the business characteristics of machine-driven behaviour such as credential stuffing: a single terminal or IP tries to log in with a large number of accounts, the number of logins per account is small, the proportion of failed logins is high, the same account logs in very frequently, the same account tries to log in from a large number of terminals or IPs, the same mobile phone number logs in through the same channel, and so on. The login behavior features are determined accordingly; the identification of abnormal accounts, abnormal IPs and abnormal MACs is described below.
1. Abnormal account identification:
Account-level login behavior features are constructed for each account, comprising: the login account, the number of IPs used by the account, the number of MACs used by the account, the number of login attempts of the account, the number of failed logins of the account, the account's average login time interval, the variance of the account's login time interval, the number of times the account's login time interval is within 3 seconds, and the number of logins of the account outside working hours. An Isolation Forest model is trained on these features and outputs an anomaly label and an anomaly score for each account.
The algorithm can be understood as follows: suppose we cut the data space with a random hyperplane; one cut produces two subspaces. We then keep cutting each subspace with a random hyperplane until every subspace contains only one data point. Intuitively, a dense cluster has to be cut many times before the cutting stops, while a point in a sparse region can easily end up alone in a subspace very early. The specific implementation steps in this example are as follows:
First, the model is trained:
a) Build t iTrees, each a binary tree. For each iTree, randomly select ψ sample points from the training data as a sub-sample and place the sub-sample in the root node of the tree; each sample is an account-level login behavior feature vector.
b) Randomly choose a dimension as the split attribute of the binary tree and randomly generate a cut point p in the current node's data, located between the maximum and the minimum of the chosen dimension in the current node's data.
c) The cut point defines a hyperplane that divides the data space of the current node into two subspaces: data smaller than p in the chosen dimension goes to the left child of the current node, and data greater than or equal to p goes to the right child.
d) Repeat steps b) and c) recursively in each child node, building new child nodes until each child node contains only one sample or has reached the defined height limit.
e) Finally, pass each account-level login behavior feature vector x to be identified through every iTree and compute the depth at which x ends up in each tree. The average of these depths is the average height of x across the trees. Account-level login behavior features whose average height is lower than a preset threshold h are marked as abnormal.
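The isolation forest procedure in steps a) to e), as an added example in Python (not code from the patent): random iTrees over account-level feature vectors, the average height of each account across the trees, and a threshold h on that height. The account data are constructed, and the feature ranges and the name stuffed01 are assumptions.

```python
import math
import random

# Account-level features in the order listed above (the login account is the
# record key, not a feature): IP count, MAC count, login attempts, failed
# logins, mean login interval (s), interval variance, logins with an interval
# under 3 s, logins outside working hours.


def build_itree(samples, rng, height, height_limit):
    """Steps b)-d): recursively split the samples with random axis-aligned cuts.

    An internal node stores the chosen dimension and cut point p; a leaf holds
    whatever could not be split further (one sample, identical samples, or the
    height limit reached).
    """
    if len(samples) <= 1 or height >= height_limit:
        return {"size": len(samples)}
    spread = [d for d in range(len(samples[0]))
              if min(s[d] for s in samples) < max(s[d] for s in samples)]
    if not spread:                       # all remaining samples are identical
        return {"size": len(samples)}
    dim = rng.choice(spread)
    lo = min(s[dim] for s in samples)
    hi = max(s[dim] for s in samples)
    p = rng.uniform(lo, hi)              # cut point between min and max
    return {"dim": dim, "p": p,
            "left": build_itree([s for s in samples if s[dim] < p],
                                rng, height + 1, height_limit),
            "right": build_itree([s for s in samples if s[dim] >= p],
                                 rng, height + 1, height_limit)}


def path_length(tree, x):
    """Step e): number of layers x descends before it lands in a leaf."""
    depth = 0
    while "dim" in tree:
        tree = tree["left"] if x[tree["dim"]] < tree["p"] else tree["right"]
        depth += 1
    return depth


def isolation_forest(features, n_trees=100, subsample=256, seed=0):
    """Step a): build t iTrees, each on a random sub-sample of psi points.

    Returns a scoring function: the average height of a feature vector over
    all trees (lower = isolated sooner = more anomalous).
    """
    rng = random.Random(seed)
    psi = min(subsample, len(features))
    height_limit = math.ceil(math.log2(psi))   # usual iForest depth cap
    trees = [build_itree(rng.sample(features, psi), rng, 0, height_limit)
             for _ in range(n_trees)]
    return lambda x: sum(path_length(t, x) for t in trees) / len(trees)


def flag_abnormal_accounts(accounts, threshold_h, **forest_kwargs):
    """Return (flagged, heights): the accounts whose average height is below
    the preset threshold h, plus every account's average height."""
    score = isolation_forest(list(accounts.values()), **forest_kwargs)
    heights = {acct: score(feat) for acct, feat in accounts.items()}
    flagged = {acct: h for acct, h in heights.items() if h < threshold_h}
    return flagged, heights


def constructed_accounts(seed=1):
    """Constructed sample data (not from the patent): 30 ordinary users plus
    one account driven by a credential-stuffing tool, which logs in from many
    IPs and MACs, fails most attempts and hits the endpoint in bursts."""
    rng = random.Random(seed)
    accounts = {}
    for i in range(30):
        accounts[f"user{i:02d}"] = [
            rng.randint(1, 2),            # IPs used
            rng.randint(1, 2),            # MACs used
            rng.randint(2, 8),            # login attempts
            rng.randint(0, 1),            # failed logins
            rng.uniform(20000, 40000),    # mean interval between logins (s)
            rng.uniform(5e6, 1e7),        # variance of that interval
            rng.randint(0, 1),            # logins < 3 s apart
            rng.randint(0, 2),            # logins outside working hours
        ]
    accounts["stuffed01"] = [180, 120, 600, 560, 1.5, 0.4, 590, 410]
    return accounts


if __name__ == "__main__":
    flagged, _ = flag_abnormal_accounts(constructed_accounts(), threshold_h=2.5)
    print("abnormal accounts:", sorted(flagged))
```

The height limit ceil(log2 ψ) means a leaf may still hold several samples; the average height is then compared with h exactly as step e) describes.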
Table 1 lists examples of abnormal login accounts obtained with the isolation forest model.
TABLE 1 (the table is an image on the source page and is not reproduced here)
2. Abnormal IP identification:
IP-level login behavior features are constructed, comprising: the login IP, the number of accounts that logged in from it, the number of login attempts, the number of failed logins, the average login time interval, the login failure rate and the average number of logins per account. Abnormal IP objects are detected with a prototype-based outlier detection method; the specific steps are as follows, where the number of clusters K and the threshold r can be set and adjusted:
a) Perform cluster analysis on the IP-level login behavior features with the K-Means algorithm, clustering the samples into K clusters and finding the centroid of each cluster;
b) For each IP-level login behavior feature, calculate the distance from the feature to the centroid of the cluster it belongs to;
c) Compare the distance calculated in step b) with the given preset threshold; if the distance is greater than the preset threshold, the object is considered an outlier, i.e. an abnormal point.
d) Attach abnormal labels to the abnormal points, delete them from the sample data and continue with the steps above; repeat until the distance from every remaining IP-level login behavior feature to its cluster centroid is smaller than the preset threshold r, which finally yields K small clusters.
e) Finally, check whether the regions corresponding to the K small clusters contain any of the deleted IP-level login behavior features; if so, all points in that cluster are outliers, and the IP-level login behavior features in the cluster are marked as abnormal points.
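Steps a) to d) of the prototype-based outlier detection, as an added Python example that is not the patent's own code: K-Means and the remove-and-recluster loop are written out in full, the threshold r is applied in step c) and the loop stops when a pass deletes nothing. Z-score scaling of the features and the deterministic centroid initialisation are assumptions, and the IP data are constructed in documentation address ranges.

```python
import math
import random

# IP-level features in the order listed above (the IP address is the key):
# accounts used, login attempts, failed logins, mean login interval (s),
# login failure rate, average logins per account.


def standardise(rows):
    """Z-score each column so counts and seconds become comparable. The
    patent text does not say how features are scaled; this is an addition."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(row, means, stds)] for row in rows]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, max_iter=100):
    """Step a): Lloyd's K-Means. Centroids start at the first k points so a
    run is deterministic. Returns (centroids, cluster label of each point)."""
    centroids = [list(p) for p in points[:k]]
    labels = [-1] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: dist(p, centroids[j]))
                      for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:                  # an empty cluster keeps its centroid
                centroids[j] = [sum(c) / len(c) for c in zip(*members)]
    return centroids, labels


def prototype_outliers(ip_features, k=2, r=2.0):
    """Steps a)-d): cluster, flag every IP farther than r from its centroid,
    delete the flagged IPs and re-cluster until a pass deletes nothing.
    Returns the set of abnormal IPs."""
    ips = list(ip_features)
    scaled = dict(zip(ips, standardise([ip_features[ip] for ip in ips])))
    remaining, abnormal = ips, set()
    while len(remaining) > k:
        pts = [scaled[ip] for ip in remaining]
        centroids, labels = kmeans(pts, k)                         # a)
        far = {ip for ip, p, lab in zip(remaining, pts, labels)
               if dist(p, centroids[lab]) > r}                    # b), c)
        if not far:
            break                                                 # d)
        abnormal |= far
        remaining = [ip for ip in remaining if ip not in far]
    return abnormal


def constructed_ip_features(seed=7):
    """Constructed sample (not from the patent) in documentation address
    ranges: 10 home IPs, 10 office NAT IPs shared by many staff, one
    credential-stuffing IP and one IP brute-forcing a single account. Home
    and office IPs alternate so the first k samples fall in different groups."""
    rng = random.Random(seed)
    feats = {}
    for i in range(10):
        acc, att, fail = rng.randint(1, 2), rng.randint(4, 8), rng.randint(0, 1)
        feats[f"192.0.2.{i + 1}"] = [acc, att, fail, rng.uniform(6000, 8000),
                                     fail / att, att / acc]
        acc, att, fail = rng.randint(10, 15), rng.randint(40, 60), rng.randint(2, 4)
        feats[f"203.0.113.{i + 1}"] = [acc, att, fail, rng.uniform(100, 300),
                                       fail / att, att / acc]
    feats["198.51.100.7"] = [400, 450, 420, 1.0, 420 / 450, 450 / 400]
    feats["198.51.100.9"] = [1, 500, 498, 0.5, 498 / 500, 500.0]
    return feats


if __name__ == "__main__":
    print("abnormal IPs:", sorted(prototype_outliers(constructed_ip_features())))
```

Because K-Means will happily give an isolated outlier its own centroid, the initial centroids are deliberately taken from ordinary samples; with random initialisation an outlier can end up at distance zero from "its" cluster and never be flagged.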
3. Abnormal MAC identification:
MAC-level login behavior features are constructed, comprising: the login MAC, the number of IPs, the number of accounts, the number of login attempts, the number of failed logins, the average login time interval, the login failure rate and the average number of logins per account. The anomaly detection method is the same as for abnormal IP identification and is not repeated here.
Three kinds of abnormal entity object can be detected by the above method: abnormal MACs, abnormal IPs and abnormal accounts; each abnormal login object is marked with an abnormal label.
S103: according to the abnormal objects, constructing a relational network structure chart with the abnormal login objects as nodes by using a graph database, obtaining from the chart the nodes that have connection relationships with the abnormal login objects, and taking the set of accounts, IPs and MACs corresponding to those nodes as the abnormal login object.
Specifically, for each object included in the abnormal login accounts and/or the abnormal IPs and/or the abnormal MACs, starting from the node in the relational network structure chart corresponding to the object, the set of all neighbouring nodes of that node may be taken as abnormal login objects; for each adjacent point, the adjacent point is taken as the current adjacent point; starting from the current adjacent point, the set of all adjacent nodes of the current adjacent point is added to the abnormal login objects; and the adjacent nodes of the current adjacent point are taken in turn as the current adjacent point, recursing until the current adjacent node has no further adjacent nodes. Here recursion means returning to the step of adding the set of all neighbours of the current adjacent point to the abnormal login objects, starting from that adjacent point.
Illustratively, a relational network structure chart among the abnormal MACs, the abnormal IPs and the abnormal accounts is constructed with a graph database on the basis of the sample data from S101. A graph database is a non-relational database that stores the relationship information between entities using graph theory. Relational databases are not effective at storing highly "relational" data: they are complex, slow and unpredictable when querying it, and the particular design of graph databases remedies exactly this deficiency. A graph contains two basic data types, Nodes and Relationships, both of which carry attributes in the form of key/value pairs. Nodes are connected through Relationships to form a relational network structure.
In the graph database, the abnormal accounts, abnormal IPs and abnormal MACs are nodes, the relationships between the nodes are edges, and a relationship is established by a single login behavior record. For example, if account 1 logs in using IP1, ..., IPN respectively, the account 1 node is connected to the IP1, ..., IPN nodes by a relationship; similarly, if IP1 is used by account 1, ..., account N to log in, the IP1 node is connected to the account 1, ..., account N nodes.
Fig. 2 is a schematic structural diagram of the graph database constructed in the method for determining abnormal login of a user according to the embodiment of the present invention. As shown in fig. 2, IP1 and MAC1 attempt to log in with n accounts within a time period; account n also attempts to log in using IP2 and MAC2 within the time period, so the account n node is connected to the IP2 and MAC2 nodes, and so on.
In fig. 2, MAC1 and IP1 are the outliers detected in step S102, whereas the accounts using that IP and that device are not detected as outliers, which is clearly unrealistic. In practical application, in the relationship network formed by accounts, IPs and MACs, as long as a subgraph contains an outlier, all nodes in that subgraph are considered outliers.
Combining the abnormal nodes identified in S102 with the account/IP/MAC relationship network built in S103, the cluster containing each abnormal point is traversed with a breadth-first traversal algorithm, so that further abnormal login objects are detected. The specific implementation is: a) starting from an abnormal point V, visit all adjacent points V1, V2, ..., VN of that vertex; b) starting from the adjacent points V1, V2, ..., VN, visit all of their adjacent points; c) repeat the above steps until all vertices have been visited.
In this way, all nodes in the cluster containing the abnormal point are traversed, and the account, IP or MAC corresponding to each traversed node is marked as an abnormal login object.
By applying the embodiment of the invention, the limitation of traditional anomaly detection methods, which can only identify the objects that are already abnormal, are not comprehensive enough and cannot nip abnormal objects in the bud, is overcome.
In addition, the embodiment of the invention analyses the objects that are already abnormal and, on the basis of the identified abnormal objects, identifies the undetected abnormal objects associated with them, so that suspected abnormal objects, or objects that may become abnormal in the future, are identified more comprehensively, and security is further improved.
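The breadth-first propagation in steps a) to c), as an added Python example (not from the patent), run over a constructed set of login records shaped like fig. 2. It goes one step beyond the text with an optional degree cut that stops a shared hub such as a NAT gateway from pulling every node behind it into the abnormal set; that cut, and linking the MAC of each record in the same way as its IP, are assumptions.

```python
from collections import defaultdict, deque

# Constructed login records (not from the patent), modelled on fig. 2: IP1/MAC1
# try five accounts, account 5 is also seen on IP2/MAC2, account 3 once logged
# in from behind the office NAT address that many staff share, and one user
# (grace) is unrelated to all of this.
LOGIN_RECORDS = [
    ("acct01", "IP1", "MAC1"), ("acct02", "IP1", "MAC1"), ("acct03", "IP1", "MAC1"),
    ("acct04", "IP1", "MAC1"), ("acct05", "IP1", "MAC1"),
    ("acct05", "IP2", "MAC2"),
    ("acct03", "IP-NAT", "MAC3"),
    ("carol", "IP-NAT", "MACc"), ("dave", "IP-NAT", "MACd"),
    ("erin", "IP-NAT", "MACe"), ("frank", "IP-NAT", "MACf"),
    ("grace", "IP7", "MAC7"),
]


def build_login_graph(records):
    """Nodes are ("account", x), ("ip", x) or ("mac", x). Every login record
    links its account, IP and MAC pairwise, as the nodes in fig. 2 are."""
    adj = defaultdict(set)
    for acct, ip, mac in records:
        nodes = [("account", acct), ("ip", ip), ("mac", mac)]
        for a in nodes:
            for b in nodes:
                if a != b:
                    adj[a].add(b)
    return adj


def propagate_abnormal(adj, seeds, max_degree=None):
    """Steps a)-c): breadth-first traversal from the seed outliers, visiting
    all adjacent points, then their adjacent points, until none are left.
    Returns {"account": {...}, "ip": {...}, "mac": {...}} of reached nodes.

    max_degree is an addition to the patent's procedure: a non-seed node with
    more neighbours than this (a NAT gateway IP, a shared kiosk MAC) is neither
    marked nor traversed, so one hub cannot pull a whole office onto the
    blacklist. None disables the check.
    """
    seeds = set(seeds)
    visited = set(seeds)
    queue = deque(seeds)
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w in visited:
                continue
            if max_degree is not None and len(adj[w]) > max_degree:
                continue
            visited.add(w)
            queue.append(w)
    result = {"account": set(), "ip": set(), "mac": set()}
    for kind, value in visited:
        result[kind].add(value)
    return result


if __name__ == "__main__":
    graph = build_login_graph(LOGIN_RECORDS)
    seeds = {("ip", "IP1"), ("mac", "MAC1")}      # outliers from step S102
    print("full propagation:", propagate_abnormal(graph, seeds))
    print("hub-limited:", propagate_abnormal(graph, seeds, max_degree=8))
```

Without the degree cut the traversal reaches carol, dave, erin and frank purely because acct03 once logged in through the same NAT address; with it, IP-NAT is skipped and only the five stuffed accounts, IP2 and the MACs they used are marked.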
Example 2
Embodiment 2 of the invention adds the following step on the basis of embodiment 1:
and adding the detected abnormal login object into an enterprise login blacklist library, and intercepting and reporting related account number, IP and MAC login requests in real time.
Specifically, a login blacklist library can be established for an enterprise based on the detected abnormal login object, so that related account numbers, IP (Internet protocol) and MAC (media access control) login requests can be intercepted and reported in real time.
By applying the embodiment of the invention, the network security level of enterprises can be improved.
Example 3
Corresponding to embodiment 1 of the present invention, an embodiment of the present invention further provides a device for determining an abnormal login of a user.
Fig. 3 is a schematic structural diagram of an apparatus for determining an abnormal user login according to an embodiment of the present invention, and as shown in fig. 3, the apparatus includes:
an acquisition device 301, configured to acquire the log of a login interface and process the log of the login interface into structured data;
an identification module 302, configured to identify objects that are abnormal by using an abnormal login algorithm, wherein the objects comprise: abnormal login accounts, abnormal IPs and abnormal MACs;
a construction module 303, configured to construct, according to the abnormal objects, a relational network structure chart with the abnormal login objects as nodes by using a graph database, obtain from the chart the nodes that have connection relationships with the abnormal login objects, and take the set of accounts, IPs and MACs corresponding to those nodes as the abnormal login object.
By applying the embodiment of the invention, the limitation of traditional anomaly detection methods, which can only identify the objects that are already abnormal, are not comprehensive enough and cannot nip abnormal objects in the bud, is overcome.
In a specific implementation of the embodiment of the present invention, the identification module 302 is configured to perform abnormal account identification, comprising:
constructing account-level login behavior features, wherein the features comprise: the login account, the number of IPs used by the account, the number of MACs used by the account, the number of login attempts of the account, the number of failed logins of the account, the account's average login time interval, the variance of the account's login time interval, the number of logins of the account within a first preset time period, and the number of logins of the account outside working hours;
and then obtaining the abnormal accounts by using an isolation forest.
In a specific implementation of the embodiment of the present invention, the identification module 302 is configured to perform abnormal IP identification, comprising:
constructing IP-level login behavior features, wherein the features comprise: the login IP, the number of accounts that logged in from the IP, the number of login attempts, the number of failed logins, the average login time interval, the login failure rate and the average number of logins per account from the IP;
performing cluster analysis on the IP-level login behavior features with the K-Means algorithm, clustering them into K clusters, and finding the centroid of each cluster;
for each IP-level login behavior feature, calculating the distance from the feature to the centroid of the cluster it belongs to, and judging whether the distance is smaller than a preset threshold;
if not, marking the IP-level login behavior feature sample as abnormal and deleting the abnormal sample from its cluster; repeating the above steps recursively until no abnormal sample is deleted;
here recursion means that the procedure returns to the step of calculating the distance from each IP-level login behavior feature to the centroid of its cluster and judging whether that distance is smaller than the preset threshold;
and taking the IPs corresponding to the abnormal features as the abnormal IPs.
In a specific implementation manner of the embodiment of the present invention, the identifying module 302 is configured to perform abnormal MAC identification, including:
constructing MAC-level login behavior features, where the features include: the MAC, the number of accounts logging in with the MAC, the number of login attempts of the MAC, the number of login failures of the MAC, the average login time interval of the MAC, the login failure rate of the MAC and the average number of logins of the MAC;
performing cluster analysis on the MAC-level login behavior features by using the K-Means algorithm, clustering the MAC-level features into K clusters, and finding the centroid of each cluster;
for each MAC-level login behavior feature, calculating the distance from the feature to the centroid of the cluster it belongs to, and judging whether the distance is smaller than a preset threshold;
if not, marking the MAC-level login behavior feature sample as abnormal, deleting the abnormal sample from its cluster, and repeating these steps recursively until no abnormal feature is deleted;
and taking the MAC corresponding to each abnormal feature as an abnormal MAC.
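The recursive K-Means outlier removal described above for the IP and MAC dimensions, as an added example that is not code from the patent: a small pure-Python K-Means runs over constructed IP-level features (login attempts, login failure rate), every sample whose distance to its own centroid is not below the preset threshold is marked abnormal and deleted, and clustering is repeated until a pass flags nothing. The IP addresses, feature values, K=2 and threshold 10 are constructed assumptions, and the stop when no more than K samples remain is this example's own safeguard; the same routine applies unchanged to MAC-level features.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Constructed IP-level behaviour features, NOT data from the patent:
# (login attempts, login failure rate) per source IP. In practice the raw
# counts and rates must be scaled to comparable ranges before clustering.
# Eight IPs form two normal populations; the last two are injected anomalies,
# one extreme and one moderate that the extreme one masks in the first pass.
IP_FEATURES: Dict[str, Tuple[float, ...]] = {
    "203.0.113.1": (5, 0.1), "203.0.113.2": (6, 0.2),
    "203.0.113.3": (4, 0.1), "203.0.113.4": (5, 0.0),
    "203.0.113.5": (20, 0.2), "203.0.113.6": (22, 0.1),
    "203.0.113.7": (19, 0.3), "203.0.113.8": (21, 0.2),
    "203.0.113.9": (50, 0.8),    # extreme: many attempts, mostly failing
    "203.0.113.10": (34, 0.6),   # moderate: hidden until the extreme one is removed
}


def _dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points: List[Tuple[float, ...]], k: int, iters: int = 100):
    """Plain Lloyd's K-Means, seeded with the first k points so runs are reproducible.
    Returns (centroids, label of each point)."""
    centroids = [points[i] for i in range(k)]
    labels = [0] * len(points)
    dim = len(points[0])
    for _ in range(iters):
        labels = [min(range(k), key=lambda i: _dist(p, centroids[i])) for p in points]
        new = []
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:
                new.append(tuple(sum(p[d] for p in members) / len(members) for d in range(dim)))
            else:
                new.append(centroids[i])   # keep an emptied cluster's centroid where it was
        if new == centroids:               # assignments stable: converged
            break
        centroids = new
    return centroids, labels


def recursive_outliers(features: Dict[str, Tuple[float, ...]],
                       k: int, threshold: float) -> List[Tuple[str, int]]:
    """Cluster, flag samples whose distance to their own centroid is not below
    `threshold`, delete them, and re-cluster until a pass flags nothing.
    Returns (object, pass number in which it was flagged)."""
    remaining = dict(features)
    abnormal: List[Tuple[str, int]] = []
    pass_no = 0
    while len(remaining) > k:              # example's safeguard: more samples than clusters
        pass_no += 1
        keys = list(remaining)
        centroids, labels = kmeans([remaining[key] for key in keys], k)
        flagged = [key for key, lab in zip(keys, labels)
                   if _dist(remaining[key], centroids[lab]) >= threshold]
        if not flagged:
            break
        for key in flagged:
            abnormal.append((key, pass_no))
            del remaining[key]
    return abnormal


if __name__ == "__main__":
    for ip, pass_no in recursive_outliers(IP_FEATURES, k=2, threshold=10.0):
        print(f"abnormal IP {ip} (flagged in pass {pass_no})")
```

With this data the extreme IP drags its cluster's centroid toward the moderate one, so the moderate IP survives pass 1 and is only flagged in pass 2, which is exactly what the recursive deletion exists for.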
In a specific implementation manner of the embodiment of the present invention, the building module 303 is configured to:
for each object contained in the abnormal login accounts and/or the abnormal IPs and/or the abnormal MACs, starting from the node in the relational network structure diagram corresponding to that object, take the set of all adjacent points of the node as abnormal login objects;
for each adjacent point, take the adjacent point as the current adjacent point;
starting from the current adjacent point, add the set of all adjacent points of the current adjacent point to the abnormal login objects;
and take each adjacent point of the current adjacent point as the new current adjacent point, returning to the step of adding the set of all adjacent points of the current adjacent point to the abnormal login objects, until the current adjacent point has no further adjacent point.
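The adjacent-point expansion performed by the building module, as an added example that is not the patent's code: the relational network is built in memory from constructed (account, IP, MAC) login records instead of a graph database, every pair of objects seen in one record is assumed to be adjacent, and a visited set is what ends the walk, since in an undirected graph every adjacent point has at least the one it was reached from.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed structured login records (account, IP, MAC); not data from the patent.
LOGIN_RECORDS: List[Tuple[str, str, str]] = [
    ("alice", "198.51.100.10", "aa:bb:cc:00:00:01"),
    ("alice", "198.51.100.11", "aa:bb:cc:00:00:01"),
    ("bob",   "198.51.100.11", "aa:bb:cc:00:00:02"),  # shares IP .11 with alice
    ("carol", "198.51.100.20", "aa:bb:cc:00:00:03"),  # connected to nobody else
    ("dave",  "198.51.100.30", "aa:bb:cc:00:00:04"),
    ("erin",  "198.51.100.30", "aa:bb:cc:00:00:05"),  # shares IP .30 with dave
]


def build_graph(records: Iterable[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Undirected relational network whose nodes are typed 'account:', 'ip:' and 'mac:'
    objects. Assumption of this example: objects seen in one record are all adjacent."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for account, ip, mac in records:
        nodes = (f"account:{account}", f"ip:{ip}", f"mac:{mac}")
        for u in nodes:
            for v in nodes:
                if u != v:
                    adj[u].add(v)
    return dict(adj)


def expand_abnormal(adj: Dict[str, Set[str]], seeds: Iterable[str]) -> Dict[str, Set[str]]:
    """From each seed abnormal object take all its adjacent points, then the adjacent
    points of each of those in turn, until no new adjacent point appears. The result
    is grouped into the account, IP and MAC sets that feed the blacklist."""
    found: Set[str] = set()
    for seed in seeds:
        if seed not in adj:            # object never seen in the logs: nothing to expand
            continue
        queue = deque(adj[seed])       # step 1: the seed's own adjacent points
        while queue:
            current = queue.popleft()  # step 2: each adjacent point becomes current
            if current in found:
                continue
            found.add(current)
            # step 3: adjacent points of the current adjacent point are queued in turn
            queue.extend(n for n in adj.get(current, ()) if n not in found)
    grouped: Dict[str, Set[str]] = {"account": set(), "ip": set(), "mac": set()}
    for node in found:                 # the seed itself is reached back via its neighbours
        kind, value = node.split(":", 1)
        grouped[kind].add(value)
    return grouped


if __name__ == "__main__":
    graph = build_graph(LOGIN_RECORDS)
    # Suppose the identification step flagged one IP as abnormal (constructed seed).
    for kind, values in expand_abnormal(graph, ["ip:198.51.100.11"]).items():
        print(kind, sorted(values))
```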
In a specific implementation manner of the embodiment of the present invention, the apparatus further includes an adding module, configured to:
add the detected abnormal login objects to an enterprise login blacklist library, and intercept and report login requests of the related accounts, IPs and MACs in real time.
The above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (7)

1. A method for determining abnormal login of a user, the method comprising:
1) acquiring a log of a login interface, and processing the log of the login interface into structured data;
2) identifying abnormal objects by using an abnormal login algorithm, wherein the objects comprise abnormal login accounts, abnormal IPs and abnormal MACs, and the identifying comprises: constructing applicable login behavior features according to the different login behavior characteristics of abnormal login accounts, abnormal IPs and abnormal MACs, selecting a targeted anomaly detection algorithm for each, analyzing abnormal behavior from the three dimensions respectively, and identifying the abnormal objects;
3) according to the abnormal objects, constructing, by using a graph database, a relational network structure diagram with the abnormal login objects as nodes, acquiring the nodes respectively having connection relationships with the abnormal login objects according to the relational network structure diagram, and taking the set of accounts, IPs and MACs corresponding to those nodes as abnormal login objects;
wherein acquiring the nodes respectively having connection relationships with the abnormal login objects according to the relational network structure diagram comprises the following steps:
for each object contained in the abnormal login accounts and/or the abnormal IPs and/or the abnormal MACs, starting from the node in the relational network structure diagram corresponding to that object, taking the set of all adjacent points of the node as abnormal login objects;
for each adjacent point, taking the adjacent point as the current adjacent point;
starting from the current adjacent point, adding the set of all adjacent points of the current adjacent point to the abnormal login objects;
and taking each adjacent point of the current adjacent point as the new current adjacent point, returning to the step of adding the set of all adjacent points of the current adjacent point to the abnormal login objects, until the current adjacent point has no further adjacent point.
2. The method for determining abnormal login of a user according to claim 1, wherein said step 2) comprises abnormal account identification, including:
constructing account-level login behavior features, wherein the features comprise: the login account, the number of IPs used by the account, the number of MACs used by the account, the number of login attempts of the account, the number of failed logins of the account, the average login time interval of the account, the variance of the login time interval of the account, the number of logins of the account within a first preset time period, and the number of logins of the account during non-working hours;
and then obtaining abnormal accounts by using an isolation forest.
3. The method for determining abnormal login of a user according to claim 1, wherein said step 2) comprises abnormal IP identification, including:
constructing IP-level login behavior features, wherein the features comprise: the login IP, the number of accounts logging in from the IP, the number of login attempts, the number of login failures, the average login time interval, the login failure rate and the average number of logins of the IP;
performing cluster analysis on the IP-level login behavior features by using the K-Means algorithm, clustering the IP-level features into K clusters, and finding the centroid of each cluster; for each IP-level login behavior feature, calculating the distance from the feature to the centroid of the cluster it belongs to; judging whether the distance is smaller than a preset threshold;
if not, marking the IP-level login behavior feature sample as abnormal and deleting the abnormal sample from its cluster; repeating these steps recursively until no abnormal sample is deleted;
and taking the IP corresponding to each abnormal feature as an abnormal IP.
4. The method for determining abnormal login of a user according to claim 1, wherein said method further comprises:
adding the detected abnormal login objects to an enterprise login blacklist library, and intercepting and reporting login requests of the related accounts, IPs and MACs in real time.
5. An apparatus for determining abnormal login of a user, the apparatus comprising: an acquisition module, configured to acquire a log of a login interface and process the log of the login interface into structured data;
an identification module, configured to identify abnormal objects by using an abnormal login algorithm, wherein the objects comprise abnormal login accounts, abnormal IPs and abnormal MACs, and the identifying comprises: constructing applicable login behavior features according to the different login behavior characteristics of abnormal login accounts, abnormal IPs and abnormal MACs, selecting a targeted anomaly detection algorithm for each, analyzing abnormal behavior from the three dimensions respectively, and identifying the abnormal objects;
a construction module, configured to construct, according to the abnormal objects and by using a graph database, a relational network structure diagram with the abnormal login objects as nodes, to acquire the nodes respectively having connection relationships with the abnormal login objects according to the relational network structure diagram, to take the set of accounts, IPs and MACs corresponding to those nodes as abnormal login objects, to add the detected abnormal login objects to an enterprise login blacklist library, and to intercept and report login requests of the related accounts, IPs and MACs in real time;
wherein acquiring the nodes respectively having connection relationships with the abnormal login objects according to the relational network structure diagram comprises:
for each object contained in the abnormal login accounts and/or the abnormal IPs and/or the abnormal MACs, starting from the node in the relational network structure diagram corresponding to that object, taking the set of all adjacent points of the node as abnormal login objects;
for each adjacent point, taking the adjacent point as the current adjacent point;
starting from the current adjacent point, adding the set of all adjacent points of the current adjacent point to the abnormal login objects;
and taking each adjacent point of the current adjacent point as the new current adjacent point, returning to the step of adding the set of all adjacent points of the current adjacent point to the abnormal login objects, until the current adjacent point has no further adjacent point.
6. The apparatus for determining abnormal login of a user according to claim 5, wherein said identification module is configured to perform abnormal account identification, including:
constructing account-level login behavior features, wherein the features comprise: the login account, the number of IPs used by the account, the number of MACs used by the account, the number of login attempts of the account, the number of failed logins of the account, the average login time interval of the account, the variance of the login time interval of the account, the number of logins of the account within a first preset time period, and the number of logins of the account during non-working hours;
and then obtaining abnormal accounts by using an isolation forest.
7. The apparatus for determining abnormal login of a user according to claim 5, wherein said identification module is configured to perform abnormal IP identification, including:
constructing IP-level login behavior features, wherein the features comprise: the login IP, the number of accounts logging in from the IP, the number of login attempts, the number of login failures, the average login time interval, the login failure rate and the average number of logins of the IP;
performing cluster analysis on the IP-level login behavior features by using the K-Means algorithm, clustering the IP-level features into K clusters, and finding the centroid of each cluster; for each IP-level login behavior feature, calculating the distance from the feature to the centroid of the cluster it belongs to; judging whether the distance is smaller than a preset threshold;
if not, marking the IP-level login behavior feature sample as abnormal and deleting the abnormal sample from its cluster; repeating these steps recursively until no abnormal sample is deleted;
and taking the IP corresponding to each abnormal feature as an abnormal IP.
Application CN201911045663.4A, priority date 2019-10-30, filing date 2019-10-30: Method and device for determining abnormal login of user (Active, CN110784470B)

Publications (2)

Publication Number Publication Date
CN110784470A CN110784470A (en) 2020-02-11
CN110784470B true CN110784470B (en) 2022-10-11

Family

ID=69387717






Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant