CN111049838B - Black product equipment identification method and device, server and storage medium - Google Patents

Info

Publication number
CN111049838B
Authority
CN
China
Prior art keywords
data
equipment
black product
black
identifying
Legal status
Active
Application number
CN201911296336.6A
Other languages
Chinese (zh)
Other versions
CN111049838A (en
Inventor
王俊轩
Current Assignee
Beijing Xunming Information Technology Co ltd
Original Assignee
Beijing Xunming Information Technology Co ltd
Application filed by Beijing Xunming Information Technology Co ltd filed Critical Beijing Xunming Information Technology Co ltd
Priority to CN201911296336.6A priority Critical patent/CN111049838B/en
Publication of CN111049838A publication Critical patent/CN111049838A/en
Application granted granted Critical
Publication of CN111049838B publication Critical patent/CN111049838B/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3058 Monitoring arrangements for monitoring environmental properties or parameters of the computing system or of the computing system component, e.g. monitoring of power, currents, temperature, humidity, position, vibrations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/951 Indexing; Web crawling techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/953 Querying, e.g. by the use of web search engines
    • G06F16/9537 Spatial or temporal dependent retrieval, e.g. spatiotemporal queries

Abstract

The embodiment of the invention discloses a method and a device for identifying black product equipment, a server and a storage medium. The method comprises the following steps: acquiring characteristic data of a device executing a preset operation, wherein the characteristic data comprises position data and network data; identifying a first black product device according to the position data; and identifying a second black product device based on the first black product device in combination with the network data. The method identifies black product devices based on position data and network data, which are difficult for black product devices to forge or bypass by technical means, and identifies them accurately both when black product behavior is carried out with a plurality of devices and when it is carried out by sharing one device.

Description

Black product equipment identification method and device, server and storage medium
Technical Field
The invention belongs to the field of network security, and particularly relates to a method and a device for identifying black product equipment, a server and a storage medium.
Background
Specifically, ASO includes actively optimizing the titles, descriptions, keywords, icons, screenshots, download counts, comments and the like of APPs (applications) in app stores, so that the weight of an APP in each app market rises and its exposure, display count and download count increase. It also refers to the process by which users download, share and take part in the activities of an APP through each application market, because ASO is influenced by the application's screenshots, uploaded videos, specific download count, comments and the overall behavior of its active users. In many cases an APP is downloaded through an application store, namely the phone's own application store or a third-party application store. Because ASO can bring precisely targeted traffic, it is highly cost-effective, and it has therefore become a hard-hit area for black product operators. Some black product operators disrupt normal ASO services with batch operations carried out under group control, such as batch underscoring, batch evaluation and batch advertisement clicking. Worse still, they can take part in APP activities en masse under group control in order to profit from arbitrage.
Existing technical schemes mostly focus on identifying and preventing user fraud, or on identifying whether the device itself is a PC rather than a mobile terminal; when dealing with black product attacks launched from a plurality of devices, they find it difficult to identify the devices accurately and to provide effective precautions.
Disclosure of Invention
In view of this, the present invention provides a black product device identification method that identifies black product devices accurately both when black product behavior is carried out with a plurality of devices and when it is carried out with a shared device.
In order to solve the technical problems, the invention adopts the following technical scheme:
in a first aspect, the present invention provides a black product device identification method, including:
acquiring characteristic data of a device executing preset operation, wherein the characteristic data comprises position data and network data;
identifying a first black product device according to the position data;
identifying a second black product device based on the first black product device in combination with the network data.
In a second aspect, the present invention provides a black product device identification apparatus, including:
the data acquisition module is used for acquiring characteristic data of equipment executing preset operation, wherein the characteristic data comprises position data and network data;
the first identification module is used for identifying a first black product device according to the position data;
and the second identification module is used for identifying a second black product device based on the first black product device in combination with the network data.
In a third aspect, the present invention provides a server, including a memory and a processor, where the memory stores a computer program executable by the processor, and the processor executes the computer program to implement the black product device identification method as described above.
In a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program comprising program instructions that, when executed, implement the aforementioned black product device identification method.
The black product device identification method provided by the invention identifies black product devices based on position data and network data, which are difficult for black product devices to forge or bypass by technical means, and identifies them accurately both when black product behavior is carried out with a plurality of devices and when it is carried out by sharing one device.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only part of the embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a black product device identification method according to an embodiment of the present invention;
fig. 2 is a flowchart of a black product device identification method according to a second embodiment of the present invention;
fig. 3 is a schematic diagram of the type of feature data provided by the second embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an identification apparatus for a black product device according to a third embodiment of the present invention;
fig. 5 is a schematic structural diagram of a server according to a fourth embodiment of the present invention.
Detailed Description
The technical solution in the implementation of the present application is described clearly and completely below with reference to the drawings in the embodiments of the present application. It is to be understood that the specific embodiments described herein are merely illustrative of some, and not restrictive, of the current application. It should be further noted that, based on the embodiments in the present application, all other embodiments obtained by a person of ordinary skill in the art without any creative effort belong to the protection scope of the present application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
Furthermore, the terms "first," "second," and the like may be used herein to describe various orientations, actions, steps, elements, or the like, but the orientations, actions, steps, or elements are not limited by these terms. These terms are only used to distinguish one direction, action, step or element from another direction, action, step or element. For example, a first black producing device may be referred to as a second black producing device, and similarly, a second black producing device may be referred to as a first black producing device, without departing from the scope of the present invention. The first and second black producing devices are both black producing devices, but are not the same black producing device. The terms "first", "second", etc. are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include a combination of one or more features. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise. It should be noted that when one portion is referred to as being "secured to" another portion, it may be directly on the other portion or there may be an intervening portion. When a portion is said to be "connected" to another portion, it may be directly connected to the other portion or intervening portions may be present. The terms "vertical," "horizontal," "left," "right," and the like as used herein are for illustrative purposes only and do not denote a unique embodiment.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the steps as a sequential process, many of the steps can be performed in parallel, concurrently or simultaneously. In addition, the order of the steps may be rearranged. A process may be terminated when its operations are completed, but may have additional steps not included in the figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc.
Example one
Referring to fig. 1, the present embodiment provides a black product device identification method, specifically, the method includes the following steps:
s110, acquiring characteristic data of the device for executing preset operation, wherein the characteristic data comprises position data and network data.
"Black product" refers to the black industry. A black product device in the invention is a dedicated device that performs a large number of mechanical, repeated operations against an enterprise or an APP in a short time for illegal profit, such as a dedicated device for generating unnatural traffic by volume brushing or machine brushing. Volume brushing or machine brushing, in the case of ASO for example, is the process of raising a specific APP's position in the ranking lists and search results of various application stores/duration through abnormal traffic. The purpose of this embodiment is to find the black product devices used for black product behavior. Black product devices engaged in different black product behaviors have different characteristics, so for each black product behavior it is necessary to analyze the feature data produced when the preset operation corresponding to that behavior is performed, in order to dig out the black product devices accurately.
Illustratively, under the relevant regulations, an online ride-hailing platform assesses and examines registered drivers against requirements such as a certain number of years of driving experience, or Beijing's "Beijing people, Beijing vehicles" rule. Many people who do not meet the requirements still want to complete registration and turn to a "surrogate registration" black product service. First, the ASO black product frequently places and cancels orders while a crawler pulls data in the background, thereby obtaining real, specified driver and vehicle information. The bid is then forwarded to the surrogate registration operator. The surrogate registration operator processes the information by means such as PS, combines it with the purchaser's information, integrates the individually compliant pieces into a complete set, completes the registration operation, and charges 300 plus 500 yuan. Even if found, the drip can only seal the driver. In this embodiment, for this black product behavior, the preset operation may be "placing an order": the feature data of the device during the order-placing operation is acquired, so that a black product device that places orders frequently can be accurately identified and caught, and further measures such as restriction can be taken to protect real information from being obtained. As another example, in order to increase exposure, a newly listed APP is frequently searched for and downloaded in each app store by means of a black product service to raise the APP's ranking in each app store.
A device generates a large amount of data when it executes the preset operation, but not all of that data is useful for identifying black product devices, and much of it can be forged by a black product device. In this embodiment, part of the data generated when the device executes the preset operation is therefore selected as the feature data. The selection combines the core features of black product behavior with the actual condition of the data set: device-related variables (data) have a low acquisition rate, and external-related variables (data) have a high acquisition rate. Data having a missing rate of 50% or less and a uniform overall distribution is extracted from the data as feature data. Preferably, in this embodiment, the location data and the network data are selected as the feature data for screening and identifying black product devices, since these two types of data are difficult for black product devices to forge or bypass by technical means.
And S120, identifying the first black production equipment according to the position data.
The first black product device referred to herein is the black product device identified in step S120, and is to be distinguished from the subsequently identified black product devices. Specifically, identifying the first black production device based on the location data may be divided into two steps, including:
First, according to the position data, devices that execute the preset operation at the same position at a plurality of time nodes are confirmed as suspicious devices.
This is because black product devices are usually fixed at one position. The position data of a device during execution of the preset operation is therefore analyzed: if the device is at the same position when it executes the preset operation at a plurality of time nodes, the probability that it is a black product device is higher. The same situation can also arise in normal use, however, so a device identified in this way is only taken as a suspicious device and is examined further in the second step.
Second, according to the position data, when the number of suspicious devices at the same position is larger than the preset number, the suspicious devices at that position are confirmed as first black product devices.
This is because black product devices are usually concentrated, with a large number of devices carrying out black product behavior in the same place; when a large number of devices execute the preset operation at the same position, the probability that they are black product devices is high. In this embodiment, a preset number is therefore set in advance as the criterion for "a large number", and when the number of suspicious devices at the same position is greater than the preset number, the suspicious devices at that position are regarded as black product devices, namely the first black product devices of this step.
S130, identifying second black product equipment based on the first black product equipment in combination with the network data.
Analysis of actual cases shows that black product devices cluster in network configuration as well as in position; that is, black product devices at the same or nearby positions generally share commonalities in network configuration. The identification of the first black product device is also likely to miss some devices that are probably black product devices, such as devices at the same position as a first black product device that were not identified as suspicious devices. In this embodiment, black product devices are therefore mined further through the network data: other devices having the same network configuration as the first black product device are mined out and taken as second black product devices. The first and second black product devices are both black product devices identified by screening.
This embodiment provides a black product device identification method that can accurately identify the first black product device from the position data, whether black product behavior is carried out by sharing one device or with a plurality of devices, and can further mine out the second black product device by combining the network data on the basis of the first black product device. Its advantage is that position data and network data are difficult for black product devices to forge or bypass by technical means.
Example two
The second embodiment provides a black product device identification method, which is different from the first embodiment in that the process of identifying black product devices according to feature data is explained in further detail, and specifically as shown in fig. 2, the method includes:
s210, acquiring characteristic data of the device for executing the preset operation, wherein the characteristic data comprises position data, network data and sensor data.
The behavior of a device is recorded when the device performs the preset operation, and in some embodiments whether to collect the corresponding feature data is decided according to the number of records. Because it is difficult to judge the specific situation of a device with too few records, it is preferable to delete the related data of the device with the number of records of 3 or more. The details of the data recorded in this embodiment may be as shown in fig. 3 and are obtained from a specific application. The location data is longitude and latitude data with a timestamp; the longitude and latitude data includes longitude, latitude and accuracy, and the corresponding timestamp is createtime (generation time). The network data includes wifiip, wifimac, ssid, and proxype. It should be understood that the above data content is only an example and not a limitation of the recorded data.
The recorded data also needs to be combined with the core features of black product ASO and the actual condition of the data set: the device-related variables have a low acquisition rate and the external-related variables have a high acquisition rate. The required data is obtained by further screening, as follows: data with a missing rate of less than 50% and a relatively uniform overall distribution is extracted as feature data.
S220, preprocessing the feature data, wherein the preprocessing comprises dirty data processing, core data extraction and data type conversion.
The data analysis in fig. 3 shows that the data contains dirty data, so dirty data processing is required: character-type values polluted with stray double quotation marks are processed with cast (regexp_replace (feature, "%", ") as string), createtime is converted into a timestamp with unix_timestamp to facilitate subsequent calculation, and invalid data (NULL, "") is screened out of all data.
Core data extraction for the longitude and latitude data: five decimal places are retained, because at China's latitudes each $10^{-5}$ degree of movement in longitude corresponds to an actual moving distance of 1.1 m, and each $10^{-5}$ degree of movement in latitude corresponds to an actual moving distance of about 0.6-0.75 m. That is, if the latitude and longitude of the device varies below four decimal places, it is considered that the moving distance of the device does not exceed
Figure BDA0002320649330000091
This is a feature that belongs entirely under the same building.
In addition to the above two preprocessing methods, detailed processing such as data type conversion is also required: Boolean variables are converted to character type, and character-type values are selectively converted to integer type.
And S230, according to the position data, confirming the equipment which executes preset operation at a plurality of time nodes at the same position as suspicious equipment.
In this embodiment, the location data is longitude and latitude data with a timestamp. Accordingly, suspicious devices are identified by finding, among the devices performing the preset operation, those whose longitude and latitude variances are smaller than a first threshold and whose corresponding timestamp variance is not equal to zero. Specifically, variance analysis is performed over all records of all devices on the features closely related to location: longitude, latitude and accuracy. The concrete address is digitized and also subjected to variance analysis. When the variance is 0 (or less than a threshold; since latitude and longitude keep 5 decimal places, the threshold should be $(10^{-5+1})^2 = 10^{-8}$), the device is considered to be in the same location. The time dimension createtime is then considered: if the variance of the timestamps corresponding to createtime is not 0, the operations of the device at multiple time nodes correspond to the same location. In this way a batch of suspicious devices can be picked out.
S240, according to the position data, when the number of the suspicious devices at the same position is larger than a preset number, confirming the suspicious devices at the same position as first black-producing devices.
In this embodiment, the position data is longitude and latitude data with a timestamp. To identify the first black product device on the basis of the suspicious devices, a spatial index is established from the longitude and latitude to obtain a plurality of sub-regions, and it is determined whether the number of suspicious devices falling into the same sub-region is greater than a preset number; if so, the suspicious devices falling into that sub-region are determined to be first black product devices. The process is based on the Geohash principle. Geohash is a form of spatial indexing whose basic principle is to treat the earth as a two-dimensional plane and recursively decompose the plane into smaller sub-blocks, each of which has the same code within a certain latitude and longitude range. Establishing the spatial index with GeoHash improves the efficiency of longitude and latitude retrieval over spatial data. A plurality of black product devices are always located at the same longitude and latitude; in other words, if a plurality of devices are located at the same longitude and latitude, the possibility that they are black product devices is greatly increased. The two features longitude and latitude are therefore used to associate the confirmed suspicious devices. The GeoHash geographic aggregation algorithm is applied to convert the longitude and latitude data of the user into 7-character GeoHash codes (representing a rectangular range with an accuracy of 89 m), so that the aggregation risk within that area can be analyzed further and the first black product devices can be determined.
And S250, identifying a second black product device based on the first black product device in combination with the network data.
After the first black product device is identified according to the location data, other black product devices need to be mined further based on the first black product device in combination with the network data, as in the first embodiment. Specifically, a search is made for other devices that, when executing the preset operation, were connected to a network with the same name as the first black product device, had the same IP address as the first black product device, or had the same MAC address as the first black product device; these are taken as second black product devices.
In the network data, wifiip, wifimac, ssid, and proxype are all network data that can be considered for use. Firstly, counting the wifi frequency of the first black production device, and excluding wifi which is similar to TP-LINK and cannot be used as reference. And then combining the wifi and the wifi, firstly collecting all the connected wifi and the wifi of the first black product equipment, and then searching for the same wifi and the wifi in all the recorded data.
Through having the same name wifi, with wifi, connect with wifi etc. can accomplish preliminary radiation, and in fact, network configuration and network connection are the strong correlation characteristic next to the longitude and latitude. All data after secondary association is carried out through different strategies are subjected to statistical discovery, all device feature distributions related by the wifi ip and the wifi mac accord with the characteristics of black-producing devices, and other data are relatively poor in performance, so that only the part of associated data is reserved in the step.
Optionally, in some embodiments, when the first black product device is identified according to the location data in steps S230 to S240, strict limits are also placed on many other data besides the location data, such as appnum (device App number) and batterlyel (device current power). In these embodiments, a further step may be provided after the first black product device is identified: the restrictions on the other data are relaxed to widen the recognition range of the first black product device.
S260, judging the operation postures of the first black product equipment and the second black product equipment according to the sensor data, and further judging whether the identification of the first black product equipment and the identification of the second black product equipment are correct or not according to the operation postures.
After the first and second black product devices are identified, this embodiment also provides a cross-check step. The data used in this step is not decisive for the identification result, because a black product device can forge or bypass it with relatively simple, low-cost techniques, but it can be used to judge further whether the identification of a black product device is correct. Specifically, the operation postures of the first and second black product devices are judged from the sensor data, and whether the identification of the first and second black product devices is correct is then judged from the operation postures. Taking gyro_scope_sensor as an example, the gyroscope sensor is used to analyze the angular velocity to determine whether the device is stationary. The gyroscope records the instantaneous angular velocity of the handset, which is typically resolved into velocities about the x, y, and z axes. (0,0,0) means that the device is stationary; (10,20,-10) means that the current angular velocity of the device per second is a rotation of 10 clockwise about the x-axis, 20 clockwise about the y-axis, and 10 counterclockwise about the z-axis. Angular velocity should be detectable as long as the device is not completely stationary. When shopping-type APPs are used, the rotational speed of the device is only about tens of degrees, and when racing-type game APPs are used, the rotational speed is hundreds of degrees. The principle for judging stillness is as follows: if the standard deviation of the angular velocities recorded in the three dimensions is less than 10, the motion of the device is considered to be very weak (or the device motionless). In this way the identified black product devices can be screened further.
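Steps S230 to S260, as an added Python example that is not code from the patent: it runs the variance test, the 7-character Geohash clustering, the wifiip/wifimac pivot and the gyroscope cross-check over constructed records. The `device_id` and `gyro` field names, the preset number of 2 and every sample value are assumptions.

```python
import statistics
from collections import defaultdict

BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"
VAR_THRESHOLD = 1e-8  # (10^(-5+1))^2, the S230 variance threshold
PRESET_NUMBER = 2     # assumption: the page leaves the "preset number" open
STILL_STD = 10        # S260: per-axis std dev below 10 means (nearly) still


def geohash(lat, lon, precision=7):
    """Standard Geohash: alternate lon/lat bisection bits, 5 bits per character."""
    spans = {True: [-180.0, 180.0], False: [-90.0, 90.0]}  # key True = longitude
    chars, value, nbits, is_lon = [], 0, 0, True
    while len(chars) < precision:
        span, coord = spans[is_lon], (lon if is_lon else lat)
        mid = (span[0] + span[1]) / 2
        bit = int(coord >= mid)
        span[1 - bit] = mid  # keep the half that contains the coordinate
        value, nbits, is_lon = value * 2 + bit, nbits + 1, not is_lon
        if nbits == 5:
            chars.append(BASE32[value])
            value, nbits = 0, 0
    return "".join(chars)


def suspicious(groups):
    """S230: return {device: geohash cell} for devices fixed in place over time."""
    found = {}
    for dev, recs in groups.items():
        if len(recs) < 2:
            continue  # a single record gives no variance to judge
        lats = [round(r["latitude"], 5) for r in recs]
        lons = [round(r["longitude"], 5) for r in recs]
        times = [r["createtime"] for r in recs]
        spread = max(statistics.pvariance(lats), statistics.pvariance(lons))
        if spread < VAR_THRESHOLD and statistics.pvariance(times) != 0:
            found[dev] = geohash(statistics.mean(lats), statistics.mean(lons))
    return found


def is_still(recs):
    """S260: standard deviation of angular velocity on every axis below 10."""
    axes = zip(*(r["gyro"] for r in recs))
    return all(statistics.pstdev(axis) < STILL_STD for axis in axes)


def identify(records):
    groups = defaultdict(list)
    for r in records:
        groups[r["device_id"]].append(r)
    suspects = suspicious(groups)
    cells = defaultdict(set)  # S240: geohash-7 cell -> suspicious devices in it
    for dev, cell in suspects.items():
        cells[cell].add(dev)
    first = {d for devs in cells.values() if len(devs) > PRESET_NUMBER for d in devs}
    # S250: pivot on the Wi-Fi values seen on first devices (same IP or same MAC).
    ips = {r["wifiip"] for d in first for r in groups[d]}
    macs = {r["wifimac"] for d in first for r in groups[d]}
    second = {d for d, recs in groups.items() if d not in first
              and any(r["wifiip"] in ips or r["wifimac"] in macs for r in recs)}
    confirmed = {d for d in first | second if is_still(groups[d])}
    return {"suspicious": set(suspects), "first": first,
            "second": second, "confirmed": confirmed}


def rec(dev, lat, lon, t, ip, mac, gyro):
    return {"device_id": dev, "latitude": lat, "longitude": lon, "createtime": t,
            "wifiip": ip, "wifimac": mac, "gyro": gyro}


# Constructed sample data (documentation IP ranges, locally administered MACs).
FARM = ("203.0.113.7", "02:00:00:aa:bb:01")
T0 = 1576000000
SAMPLE = (
    # A, B, C: same spot, several times, same Wi-Fi, almost no rotation.
    [rec(d, 39.90421 + j, 116.40739, T0 + 3600 * i, *FARM, (0.0, 0.2 * i, 0.0))
     for d, j in (("A", 0.0), ("B", 1e-5), ("C", 0.0)) for i in range(3)]
    # D: one record only, so S230 cannot judge it, but it is on the same Wi-Fi.
    + [rec("D", 39.90421, 116.40739, T0, *FARM, (0.1, 0.0, 0.0))]
    # E: ordinary user moving around on another network.
    + [rec("E", 39.95 + 0.01 * i, 116.30 + 0.01 * i, T0 + 900 * i,
           "192.0.2.44", "02:00:00:ee:ff:03", (25.0 * i, -15.0, 40.0)) for i in range(3)]
    # F: one stationary device alone at another place (for example a home user).
    + [rec("F", 31.23042, 121.47370, T0 + 7200 * i,
           "198.51.100.20", "02:00:00:cc:dd:02", (3.0 * i, -2.0, 1.0)) for i in range(3)]
    # G: shares the Wi-Fi but is moving and being handled.
    + [rec("G", 39.90421 + 0.001 * i, 116.40739, T0 + 600 * i, *FARM,
           (120.0 * (-1) ** i, 80.0, -30.0)) for i in range(2)]
)

if __name__ == "__main__":
    print(identify(SAMPLE))
```

Device F is flagged as suspicious by the variance test but never becomes a first device, because its Geohash cell holds only one suspicious device; device G is pulled in by the network pivot and then dropped by the gyroscope cross-check.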
S270: Determine black product characteristic data from the first black product equipment and the second black product equipment.
To account for black product attacks that may occur in the future, this embodiment provides an updatable defense. After the black product devices (namely, the first black product device and the second black product device) are identified, their feature data is analyzed and the important data is sorted out to obtain black product feature data, which is updated as the set of identified black product devices is updated.
S280: Identify the equipment to be monitored according to the black product characteristic data.
After the black product feature data is determined, devices that may launch black product attacks in the future can be mined from it, and monitoring of those devices needs to be strengthened to defend against the damage caused by such attacks.
The black product equipment identification method of this embodiment further provides a more detailed process for identifying black product equipment from the characteristic data, verifies the identification result with the sensor data, and determines black product characteristic data from the identified black product equipment in order to identify the equipment to be monitored against future black product attacks. This further improves the identification accuracy for black product equipment and strengthens prevention of black product attacks. The method is built on analysis of the full data set, which makes better use of the computing-power advantage.
Example three
Fig. 4 is a schematic structural diagram of a black product device identification apparatus according to a third embodiment of the present invention, and as shown in fig. 3, the apparatus includes:
The data obtaining module 310 is configured to obtain feature data of a device performing a preset operation, where the feature data includes location data and network data.
The first identification module 320 is configured to identify the first black product device according to the location data.
Specifically, the first identification module 320 includes:
The suspicious device identification unit is configured to confirm, according to the location data, devices that perform the preset operation at a plurality of time nodes at the same position as suspicious devices.
In some embodiments, the location data is longitude and latitude data with a timestamp, and the suspicious device identification unit is configured to identify, according to the location data of the devices, any device performing the preset operation whose longitude and latitude variances are smaller than a first threshold and whose corresponding timestamp variance is not equal to zero, and to determine that device to be a suspicious device.
The first black product device identification unit is configured to confirm, according to the location data, the suspicious devices at the same position as first black product devices when the number of suspicious devices at that position is greater than a preset number.
In some embodiments, the location data is longitude and latitude data with a timestamp, and the first black product device identification unit is configured to establish a spatial index based on the longitude and latitude to obtain a plurality of sub-areas, determine whether the number of suspicious devices falling into the same sub-area is greater than the preset number, and, if so, determine the suspicious devices falling into that sub-area to be first black product devices.
The second identification module 330 is configured to identify a second black product device based on the first black product device in combination with the network data.
Specifically, it searches for other devices that, when performing the preset operation, were connected to a network with the same name as the first black product device, or had the same IP address as the first black product device, or had the same MAC address as the first black product device, and takes those other devices as second black product devices.
Optionally, in some embodiments, the black product device identification apparatus further includes:
The defense module is configured to, after the second black product device is identified based on the first black product device and the network data, determine black product characteristic data according to the first black product device and the second black product device, and identify the equipment to be monitored according to the black product characteristic data.
The preprocessing module is configured to preprocess the feature data before the first black product device is identified according to the location data, where the preprocessing comprises dirty data processing, core data extraction and data type conversion.
The verification module is configured to, when the feature data further includes sensor data, determine the operation postures of the first black product device and the second black product device according to the sensor data, and judge from the operation postures whether the identification of the first black product device and the second black product device is correct.
This embodiment provides a black product device identification apparatus that uses position data to accurately identify first black product devices, whether one shared device or a plurality of devices is used for black product behavior, and that can further dig out second black product devices by combining network data on the basis of the first black product devices. Position data and network data are difficult for black product devices to forge or bypass by technical means.
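The three identification steps carried out by the modules above (variance test, spatial index, network pivot), as an added example that is not the patent's own code. The threshold values, the 0.001-degree grid used as the spatial index, the event layout and every record in `EVENTS` are assumptions constructed for illustration; empty network fields are ignored so that missing values never link two devices.

```python
import math
from collections import defaultdict
from statistics import mean, pvariance

FIRST_THRESHOLD = 1e-8  # assumed variance bound, in squared degrees
PRESET_NUMBER = 2       # assumed: more than 2 suspicious devices per sub-area
CELL_DEG = 0.001        # assumed sub-area size of the spatial index

# Constructed events: (device_id, timestamp, lat, lon, ssid, ip, mac)
EVENTS = [
    ("farm-1", 1000, 39.90421, 116.40741, "ap-lab", "203.0.113.10", "02:00:00:00:00:01"),
    ("farm-1", 4600, 39.90422, 116.40741, "ap-lab", "203.0.113.10", "02:00:00:00:00:01"),
    ("farm-2", 1200, 39.90425, 116.40744, "ap-lab", "203.0.113.10", "02:00:00:00:00:01"),
    ("farm-2", 5200, 39.90425, 116.40745, "ap-lab", "203.0.113.10", "02:00:00:00:00:01"),
    ("farm-3", 1300, 39.90428, 116.40748, "ap-lab", "203.0.113.10", "02:00:00:00:00:01"),
    ("farm-3", 7300, 39.90428, 116.40748, "ap-lab", "203.0.113.10", "02:00:00:00:00:01"),
    ("home-1", 2000, 31.23041, 121.47371, "ap-home", "198.51.100.20", "02:00:00:00:00:02"),
    ("home-1", 9000, 31.23041, 121.47372, "ap-home", "198.51.100.20", "02:00:00:00:00:02"),
    ("roam-1", 3000, 39.95000, 116.30000, "", "203.0.113.10", ""),
    ("roam-1", 8000, 39.99000, 116.35000, "", "192.0.2.44", ""),
    ("once-1", 3500, 39.90426, 116.40746, "", "192.0.2.99", ""),
]


def by_device(events):
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev[0]].append(ev)
    return grouped


def suspicious_devices(events, threshold=FIRST_THRESHOLD):
    """Same position at several time nodes: tiny lat/lon variance, non-zero time variance."""
    found = set()
    for dev, evs in by_device(events).items():
        ts, lats, lons = ([e[i] for e in evs] for i in (1, 2, 3))
        # A single event has zero timestamp variance and is never suspicious.
        if pvariance(lats) < threshold and pvariance(lons) < threshold and pvariance(ts) != 0:
            found.add(dev)
    return found


def first_black_devices(events, suspicious, cell=CELL_DEG, preset=PRESET_NUMBER):
    """Bucket suspicious devices into grid sub-areas; keep sub-areas above the preset number."""
    cells = defaultdict(set)
    for dev, evs in by_device(events).items():
        if dev in suspicious:
            key = (math.floor(mean(e[2] for e in evs) / cell),
                   math.floor(mean(e[3] for e in evs) / cell))
            cells[key].add(dev)
    return set().union(*(devs for devs in cells.values() if len(devs) > preset))


def network_keys(ev):
    """Non-empty (kind, value) pairs for network name, IP address and MAC address."""
    return {(k, v) for k, v in zip(("ssid", "ip", "mac"), ev[4:7]) if v}


def second_black_devices(events, first):
    """Other devices sharing a network name, IP or MAC with any first black product device."""
    indicators = set()
    for ev in events:
        if ev[0] in first:
            indicators |= network_keys(ev)
    return {ev[0] for ev in events if ev[0] not in first and network_keys(ev) & indicators}


if __name__ == "__main__":
    sus = suspicious_devices(EVENTS)
    first = first_black_devices(EVENTS, sus)
    print(sorted(sus), sorted(first), sorted(second_black_devices(EVENTS, first)))
```

In the constructed data, `home-1` passes the variance test but is alone in its sub-area, so it stays merely suspicious, while `roam-1` fails the position test and is still caught by the shared IP address.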
Example four
Fig. 5 is a schematic structural diagram of a server 400 according to a sixth embodiment of the present invention, as shown in fig. 5, the server includes a memory 410 and a processor 420, where the number of the processors 420 in the server may be one or more, and one processor 420 is taken as an example in fig. 5; the memory 410 and the processor 420 in the server may be connected by a bus or other means, and fig. 5 illustrates the connection by the bus as an example.
The memory 410 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the black product device identification method in the embodiment of the present invention (for example, the data acquisition module 310, the first identification module 320, and the second identification module 330 in the black product device identification apparatus). The processor 420 executes various functional applications of the server and data processing by executing software programs, instructions, and modules stored in the memory 410, that is, implements the black product device identification method described above.
The processor 420 is configured to run the computer-executable program stored in the memory 410 to implement the following steps: step S110, acquiring characteristic data of a device executing a preset operation, wherein the characteristic data comprises position data and network data; step S120, identifying first black product equipment according to the position data; and step S130, identifying second black product equipment based on the first black product equipment in combination with the network data.
Of course, the server provided in the embodiment of the present invention is not limited to the above method operations, and may also perform related operations in the black product device identification method provided in any embodiment of the present invention.
The memory 410 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 410 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, memory 410 may further include memory located remotely from processor 420, which may be connected to a server over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
This embodiment provides an identification server that uses position data to accurately identify first black product equipment, whether one shared device or a plurality of devices is used for black product behavior, and that can further dig out second black product equipment by combining network data on the basis of the first black product equipment. Position data and network data are difficult for black product equipment to forge or bypass by technical means, so the identification accuracy for black product equipment is high and the identification range is wide.
Example five
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions are executed by a computer processor to perform a black product device identification method, where the black product device identification method includes:
acquiring characteristic data of a device executing preset operation, wherein the characteristic data comprises position data and network data;
identifying a first black product device according to the position data;
identifying a second black product device based on the first black product device in combination with the network data.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the operations of the method described above, and may also perform related operations in the black product device identification method provided by any embodiment of the present invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly can be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a device, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the authorization apparatus, the included units and modules are merely divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. Those skilled in the art will appreciate that the present invention is not limited to the particular embodiments described herein, and that various obvious changes, rearrangements and substitutions will now be apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (8)

1. A black product equipment identification method is characterized by comprising the following steps:
acquiring characteristic data of a device executing preset operation, wherein the characteristic data comprises position data and network data;
identifying a first black product device according to the position data;
identifying a second black product device based on the first black product device in combination with the network data;
wherein the identifying a first black product device according to the position data comprises:
according to the position data, confirming equipment which executes the preset operation at a plurality of time nodes at the same position as suspicious equipment;
according to the position data, when the number of the suspicious devices at the same position is larger than a preset number, confirming the suspicious devices at the same position as first black product devices;
after the identifying a second black product device based on the first black product device in combination with the network data, the method further includes:
determining black product characteristic data according to the first black product equipment and the second black product equipment;
identifying equipment to be monitored according to the black product characteristic data;
after the first black product equipment is identified according to the position data, the limitation on other data is relaxed so as to increase the identification range of the first black product equipment.
2. The method of claim 1, wherein the location data is time-stamped longitude and latitude data, and the confirming, according to the location data, equipment that executes the preset operation at a plurality of time nodes at the same position as suspicious equipment comprises:
identifying, according to the position data of the equipment, the equipment whose longitude and latitude variances are smaller than a first threshold and whose corresponding timestamp variance is not equal to zero among the equipment executing the preset operation, and determining that equipment as suspicious equipment;
and the confirming, according to the position data, the suspicious devices at the same position as first black product devices when the number of the suspicious devices at the same position is greater than the preset number comprises:
establishing a spatial index according to the longitude and latitude to obtain a plurality of sub-areas, judging whether the number of suspicious devices falling into the same sub-area is larger than the preset number, and if so, determining the suspicious devices falling into the same sub-area as first black product devices.
3. The method of claim 1, wherein identifying a second black product device based on the first black product device in combination with the network data comprises:
searching for other equipment which, when executing the preset operation, is connected to a network with the same name as the first black product equipment, or has the same IP address as the first black product equipment, or has the same MAC address as the first black product equipment, and taking the other equipment as second black product equipment.
4. The method of claim 2, wherein before identifying the first black product device based on the location data, the method further comprises:
preprocessing the characteristic data, wherein the preprocessing comprises dirty data processing, core data extraction and data type conversion.
5. The method of claim 4, wherein the characteristic data further comprises sensor data, and after the identifying a second black product device based on the first black product device in combination with the network data, the method further comprises:
judging the operation postures of the first black product equipment and the second black product equipment according to the sensor data, and further judging whether the identification of the first black product equipment and the second black product equipment is correct or not according to the operation postures.
6. A black product device identification apparatus, comprising:
the data acquisition module is used for acquiring characteristic data of equipment executing preset operation, wherein the characteristic data comprises position data and network data;
the first identification module is used for identifying first black product equipment according to the position data;
the second identification module is used for identifying second black product equipment based on the first black product equipment in combination with the network data;
the first identification module comprises:
the suspicious device identification unit is used for confirming the devices which execute preset operations at a plurality of time nodes at the same position as the suspicious devices according to the position data;
the first black product equipment identification unit is used for determining the suspicious equipment at the same position as the first black product equipment when the number of the suspicious equipment at the same position is larger than the preset number according to the position data;
the defense module is used for determining black product characteristic data according to the first black product equipment and the second black product equipment after the identification of the second black product equipment based on the first black product equipment and the network data; identifying equipment to be monitored according to the black product characteristic data;
after the first identification module, the limitation on other data is relaxed to increase the identification range of the first black product device.
7. A server, characterized by comprising a memory and a processor, the memory having stored thereon a computer program executable on the processor, the processor implementing the black product device identification method according to any one of claims 1 to 5 when executing the computer program.
8. A computer-readable storage medium, characterized in that the storage medium stores a computer program comprising program instructions that, when executed, implement the black product device identification method according to any one of claims 1 to 5.
CN201911296336.6A 2019-12-16 2019-12-16 Black product equipment identification method and device, server and storage medium Active CN111049838B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911296336.6A CN111049838B (en) 2019-12-16 2019-12-16 Black product equipment identification method and device, server and storage medium

Publications (2)

Publication Number Publication Date
CN111049838A CN111049838A (en) 2020-04-21
CN111049838B true CN111049838B (en) 2022-05-13

Family

ID=70236815

Country Status (1)

Country Link
CN (1) CN111049838B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111783073A (en) * 2020-07-23 2020-10-16 北京斗米优聘科技发展有限公司 Black product identification method and device and readable storage medium
CN114553598B (en) * 2022-04-22 2022-07-26 北京数业专攻科技有限公司 Heiyuan mobile phone number and Heiyuan user equipment identification method, system and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428189A (en) * 2012-05-25 2013-12-04 阿里巴巴集团控股有限公司 Method, apparatus and system for identifying malicious network equipment
CN108513301A (en) * 2017-02-23 2018-09-07 中国移动通信有限公司研究院 A kind of disabled user's recognition methods and device
CN109194627A (en) * 2018-08-16 2019-01-11 深圳乐信软件技术有限公司 Cheat detection method, device, equipment and medium
CN109688094A (en) * 2018-09-07 2019-04-26 平安科技(深圳)有限公司 Suspicious IP configuration method, device, equipment and storage medium based on network security
CN110070383A (en) * 2018-09-04 2019-07-30 中国平安人寿保险股份有限公司 Abnormal user recognition methods and device based on big data analysis
CN110365634A (en) * 2019-05-23 2019-10-22 中国平安人寿保险股份有限公司 Abnormal data monitoring method, device, medium and electronic equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10193915B2 (en) * 2016-09-30 2019-01-29 Oath Inc. Computerized system and method for automatically determining malicious IP clusters using network activity data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 201-a051, unit 1, building 17, courtyard 3, gaolizhang Road, Haidian District, Beijing 100095

Applicant after: Beijing Xunming Information Technology Co.,Ltd.

Address before: Room 201-a051, unit 1, building 17, courtyard 3, gaolizhang Road, Haidian District, Beijing 100095

Applicant before: Suishou (Beijing) Information Technology Co.,Ltd.

GR01 Patent grant