CN111400357A - Method and device for identifying abnormal login - Google Patents

Publication number: CN111400357A
Authority: CN (China)
Legal status: Pending
Application number: CN202010107808.5A
Other languages: Chinese (zh)
Inventors: 黄鸿铿, 黄建德
Current Assignee: China Construction Bank Corp
Original Assignees: China Construction Bank Corp; CCB Finetech Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2457 Query processing with adaptation to user needs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a method and a device for identifying abnormal login, and relates to the technical field of computers. One embodiment of the method comprises: obtaining historical login information within a period of time, and determining, according to the historical login information, historical portrait data of each user and basic index features of the login dimensions; identifying the historical login information according to the historical portrait data of each user and the threshold of each basic index feature to obtain an identification result; taking the historical login information and the corresponding identification result as training samples and training on them based on a machine learning algorithm to obtain an identification model; and identifying the login information to be detected according to the historical portrait data of each user, the threshold of each basic index feature and the identification model to obtain an identification result. The method and the device can solve the technical problem that the abnormal login identification result is inaccurate.

Description

Method and device for identifying abnormal login
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for identifying abnormal login.
Background
In recent years, security threats have changed greatly: targeted attack events and new threats are increasing, and security risk identification based on existing rules, association analysis and similar technologies finds it increasingly difficult to keep up with future development trends.
At present, the main login mode of large websites is login through a mobile phone APP. In that mode an attacker cannot tamper with the content of the login request message, so abnormal detection can be carried out on user logins through risk media such as device fingerprints and login IP; the overall detection dimension can be single and well defined, and the detection accuracy is high. However, when a website is logged into through a browser, the risk media can be artificially tampered with, for example by forging device information, so abnormal behavior cannot be accurately located from a single dimension and false alarms are easily caused.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for identifying an abnormal login, so as to solve the technical problem that an identification result of the abnormal login is inaccurate.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a method for identifying an abnormal login, including:
obtaining historical login information within a period of time, and determining historical portrait data of each user and basic index features of each dimension according to the historical login information;
identifying the historical login information according to the historical portrait data of each user and the threshold value of the basic index characteristic of each dimension to obtain an identification result;
taking the historical login information and the corresponding recognition result as training samples and training the training samples based on a machine learning algorithm to obtain a recognition model;
and identifying the login information to be detected according to the historical portrait data of each user, the threshold of the basic index characteristic of each dimension and the identification model to obtain an identification result.
Optionally, the historical login information includes login time, login channel, device information, IP address, account information, browser information, and login return code;
the historical portrait data comprises a common IP, a home location of the common IP, common device information and common browser information; and/or
the basic index features of each dimension at least comprise index features of an IP dimension, index features of a device dimension and index features of an account dimension.
Optionally, identifying the historical login information according to the historical portrait data of each user and the threshold of the basic index feature of each dimension to obtain an identification result, including:
combining the basic index features of all dimensions, and obtaining a combined model according to the threshold values of the basic index features of all dimensions;
screening each piece of historical login information based on the combined model to obtain an abnormal list; wherein, the abnormal list comprises at least one piece of historical login information;
and identifying each piece of historical login information in the exception list based on the historical portrait data of each user so as to obtain an identification result.
Optionally, screening each piece of historical login information based on the combined model to obtain an exception list, including:
for each combined model, screening abnormal login information from the basic index features of each dimensionality based on the basic index features in the combined model and corresponding threshold values thereof;
and screening an abnormal list from the historical login information according to the abnormal login information.
Optionally, identifying each piece of historical login information in the exception list based on the historical portrait data of each user, so as to obtain an identification result, includes:
judging whether the historical login information is consistent with the historical portrait data of the user corresponding to the historical login information or not for each piece of historical login information in the abnormal list;
if yes, removing the historical login information from the abnormal list;
if not, identifying that the historical login information is abnormal.
Optionally, training the historical login information and the corresponding recognition result thereof as training samples based on a machine learning algorithm to obtain a recognition model, including:
and taking the historical portrait data of each user corresponding to the historical login information, the basic index features of each dimension and the identification result corresponding to the historical login information as training samples, and performing supervised learning with a gradient boosting decision tree (GBDT) model so as to train an identification model.
Optionally, identifying the login information to be detected according to the historical portrait data of each user, the threshold of each basic index feature and the identification model to obtain an identification result, including:
identifying the login information to be detected according to the historical portrait data of each user and the threshold value of the basic index characteristic of each dimension to obtain a first abnormal identification result;
identifying the login information to be detected based on the identification model to obtain a second abnormal identification result;
and merging the first abnormal identification result and the second abnormal identification result to serve as the identification result of the login information to be detected.
In addition, according to another aspect of the embodiments of the present invention, there is provided an apparatus for identifying an abnormal login, including:
the calculation module is used for acquiring historical login information within a period of time and determining historical portrait data of each user and basic index characteristics of each dimension according to the historical login information;
the first identification module is used for identifying the historical login information according to the historical portrait data of each user and the threshold value of the basic index characteristic of each dimension to obtain an identification result;
the training module is used for taking the historical login information and the corresponding recognition result as training samples and training the training samples based on a machine learning algorithm to obtain a recognition model;
and the second identification module is used for identifying the login information to be detected according to the historical portrait data of each user, the threshold of the basic index features of each dimension and the identification model to obtain an identification result.
Optionally, the historical login information includes login time, login channel, device information, IP address, account information, browser information, and login return code;
the historical portrait data comprises a common IP, a home location of the common IP, common device information and common browser information; and/or
the basic index features of each dimension at least comprise index features of an IP dimension, index features of a device dimension and index features of an account dimension.
Optionally, the first identification module is further configured to:
combining the basic index features of all dimensions, and obtaining a combined model according to the threshold values of the basic index features of all dimensions;
screening each piece of historical login information based on the combined model to obtain an abnormal list; wherein, the abnormal list comprises at least one piece of historical login information;
and identifying each piece of historical login information in the exception list based on the historical portrait data of each user so as to obtain an identification result.
Optionally, the first identification module is further configured to:
for each combined model, screening abnormal login information from the basic index features of each dimensionality based on the basic index features in the combined model and corresponding threshold values thereof;
and screening an abnormal list from the historical login information according to the abnormal login information.
Optionally, the first identification module is further configured to:
judging whether the historical login information is consistent with the historical portrait data of the user corresponding to the historical login information or not for each piece of historical login information in the abnormal list;
if yes, removing the historical login information from the abnormal list;
if not, identifying that the historical login information is abnormal.
Optionally, the training module is further configured to:
and taking the historical portrait data of each user corresponding to the historical login information, the basic index features of each dimension and the identification result corresponding to the historical login information as training samples, and performing supervised learning with a gradient boosting decision tree (GBDT) model so as to train an identification model.
Optionally, the second identification module is further configured to:
identifying the login information to be detected according to the historical portrait data of each user and the threshold value of the basic index characteristic of each dimension to obtain a first abnormal identification result;
identifying the login information to be detected based on the identification model to obtain a second abnormal identification result;
and merging the first abnormal identification result and the second abnormal identification result to serve as the identification result of the login information to be detected.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of the embodiments described above.
According to another aspect of the embodiments of the present invention, there is also provided a computer readable medium, on which a computer program is stored, which when executed by a processor implements the method of any of the above embodiments.
One embodiment of the above invention has the following advantages or benefits: the historical login information is identified according to the historical portrait data of each user and the threshold of the basic index features of each dimension, and the historical login information and the corresponding identification result are used as training samples and trained on the basis of a machine learning algorithm to obtain the identification model; the login information to be detected is then identified by combining the historical portrait data of each user, the threshold of the basic index features of each dimension and the identification model, which solves the technical problem in the prior art that the identification result of abnormal login is inaccurate. The embodiment of the invention identifies abnormal logins to the website by combining the rule model and the supervised machine learning model. On one hand, the identification result of the rule model converts unsupervised learning into supervised learning, and machine learning solves the problems that complex rules and rule thresholds cannot be measured; on the other hand, the stability of the model and its recall over a larger range are ensured, so that attack threats and potential unknown risks can be accurately identified, the cost of manual risk investigation is reduced, and the defense-in-depth capability is improved.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main flow of a method of identifying an abnormal login according to an embodiment of the present invention;
FIG. 2 is a schematic view of a main flow of a method of identifying an abnormal login according to one referential embodiment of the present invention;
FIG. 3 is a schematic view of a main flow of a method of identifying an abnormal login according to another referential embodiment of the present invention;
FIG. 4 is a schematic diagram of the main modules of an apparatus for identifying abnormal logins according to an embodiment of the present invention;
FIG. 5 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 6 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
In the process of implementing the invention, the inventor finds that at least the following problems exist in the prior art:
1) Detection based on the rule model: when there are many business attributes and few strong attributes, it is difficult to summarize rules manually; the coverage of rule-based identification across different login risks is not high enough, and it is difficult to ensure accuracy and recall at the same time.
2) Detecting based on a supervised machine learning model: certain samples are needed for supervised machine learning, and in a risk login identification scene, available samples are possibly few; the supervised model has a good recognition effect on known login risks, and for unknown login risks, the supervised machine learning model alone cannot bring more recall rate.
3) Detection based on an unsupervised machine learning model (such as iForest and other anomaly detection methods): iForest does not take business knowledge into account when finding isolated points, and the interpretability of the learned result is not strong; when some labeled examples exist, unsupervised machine learning does not make full use of them.
In order to solve the technical problems in the prior art, the invention adopts an identification method combining a rule model and a supervised machine learning model in real time, can discover more abnormal login risks based on the rule model, and can effectively identify the known login risks based on the supervised machine learning model, thereby improving the accuracy of the abnormal login identification result.
Fig. 1 is a schematic diagram of a main flow of a method of identifying an abnormal login according to an embodiment of the present invention. As an embodiment of the present invention, as shown in fig. 1, the method for identifying an abnormal login may include:
Step 101: obtaining historical login information within a period of time, and determining historical portrait data of each user and basic index features of each dimension according to the historical login information.
First, historical login information for a past period of time (such as the past 1 month, 2 months, 3 months and the like) is obtained. Each piece of historical login information can include the login time, the login channel (APP login, mobile phone web page login, computer login and the like), device information (device identification, MAC address, BIOS serial number, hard disk serial number and the like), the IP address, account information, browser information (browser name, version number and the like) and the login return code (success, or a failure type such as user does not exist, password error and the like).
Then, the acquired historical login information can be preprocessed through a big data component (such as hdfs, hive and the like); the preprocessing mainly comprises data filtering and data exception handling. Optionally, the data filtering filters out user login information of non-APP login according to the login channel, for example, user login information from non-APP login modes such as mobile phone web page login and computer login. Optionally, the data exception handling mainly sets abnormal information to null according to preset rules. For example: abnormal IP: an abnormal IP is identified according to the format rules of IP addresses, and a value that is not an IP address is set to null; abnormal device: the length of the identification of the general equipment is less than or equal to 5, whether the equipment is abnormal is judged according to its identification, and an abnormal device is set to null; abnormal MAC address: a MAC address whose length is not 12 bits is treated as abnormal and set to null.
And finally, determining historical portrait data of each user and basic index features of each dimension according to the preprocessed historical login information. Optionally, the historical portrait data includes a common IP, a home of the common IP, common device information, and common browser information. Specifically, historical portrait data of each user can be processed through a big data component, and the historical portrait data mainly comprises an IP address commonly used by each user, a home location of the commonly used IP, commonly used equipment information, commonly used browser information and the like, so that the information of the dimensions is generalized into portrait information of each user.
For example, if counting the historical login information shows that a certain user has logged in from the same IP over a long period of time, that IP address is considered to be the user's own IP and is used as historical portrait data of the user. The IP home location is also an important portrait attribute: if a user logs in from a certain area for a long time, the area can be regarded as historical portrait data of the user. The same applies to the device information and the browser information, which are not described again.
Optionally, the basic index features of the respective dimensions at least include an index feature of an IP dimension, an index feature of a device dimension, and an index feature of an account dimension. Specifically, the base index features for each dimension can be processed through a big data component (such as hive's sql). For example:
IP, over windows of 1 minute, 10 minutes, 30 minutes, 60 minutes, 1 day, 3 days and 7 days: the number of logins and the number of accounts whose login return code is "password error";
IP, over windows of 1 minute, 10 minutes, 30 minutes, 60 minutes, 1 day, 3 days and 7 days: the number of logins and the number of accounts whose login return code is "user does not exist";
IP, over windows of 1 minute, 10 minutes, 30 minutes, 60 minutes, 1 day, 3 days and 7 days: the number of accounts logged in, the number of failed accounts, the number of accounts logged in during the sensitive time (in the morning) and the number of failed accounts during the sensitive time;
IP, over windows of 1 minute, 10 minutes, 30 minutes, 60 minutes, 1 day, 3 days and 7 days: the maximum, mean and variance of the interval between consecutive logins from the IP;
device, over windows of 1 minute, 10 minutes, 30 minutes, 60 minutes, 1 day, 3 days and 7 days: the number of logins, the number of failures, the number of logins during the sensitive time (in the morning) and the number of failures during the sensitive time;
device, over windows of 1 minute, 10 minutes, 30 minutes, 60 minutes, 1 day, 3 days and 7 days: the maximum, mean and variance of the interval between consecutive logins from the device;
account, over windows of 1 minute, 10 minutes, 30 minutes, 60 minutes, 1 day, 3 days and 7 days: the number of logins, the number of failures, the number of logins during the sensitive time (in the morning) and the number of failures during the sensitive time;
account, over windows of 1 minute, 10 minutes, 30 minutes, 60 minutes, 1 day, 3 days and 7 days: the number of accounts logged in, the number of failed accounts, the number of accounts logged in during the sensitive time (in the morning) and the number of failed accounts during the sensitive time.
In the embodiment of the invention, the basic index features of each dimension can be constructed according to rule models such as a database-collision number-scanning model (that is, credential stuffing and account scanning), a brute force cracking model, a robot login model, an IP cross-region abnormal-movement model and the like, so that the basic index features of each dimension can be calculated from the historical login information.
For example, the typical behavior of the database-collision number-scanning model is as follows: within a certain period of time, some set of clients/IPs has accessed more than m different accounts using x different passwords, and the login success rate is below a certain threshold n. The basic index features constructed according to the database-collision number-scanning model can include the number of logins of the IP, the number of accounts logged in from the IP, the number of logins of the device, the number of accounts logged in from the device, the login time summary of the accounts corresponding to the IP/device, the login return codes of the accounts corresponding to the IP/device (the number of each distinct return code is counted separately; the return code that mainly corresponds to the database-collision number-scanning model is "account does not exist"), and the like. Time windows of 10 minutes, 60 minutes, 1 day, 3 days and 7 days are used.
The typical behavior of the brute force cracking model is as follows: within a certain period of time, a certain device/IP/account logs in many times, with a large number of failures or a large number of failed accounts. For example: the number of device/account logins in 1 day >= 80; the number of device/IP/account login failures in 10 minutes >= 80; the number of accounts with failed device/IP logins in 10 minutes >= 16. The basic index features constructed according to the brute force cracking model can include the number of logins of the IP in one day, the number of accounts logged in in one day and the number of accounts with failed logins. Time windows of 10 minutes, 60 minutes, 1 day, 3 days and 7 days are used.
A typical behavior of the robot login model is: there may be some regularity in the time sequence (e.g. regular login intervals), while the operation behavior and access path are similar and the login failure rate is high. The basic index features constructed according to the robot login model can therefore include the mean of the time difference between two consecutive logins and the variance of the login interval.
The typical behavior of the IP cross-region abnormal-movement model is: the location of the account/device switches over too large a distance in a short time, and failures may occur. The basic index features constructed according to the IP cross-region abnormal-movement model may include the number of provinces from which the IPs corresponding to the account logged in per unit time, and the cross-region distance between the logins of the IPs corresponding to the account per unit time. Time windows of 10 minutes, 60 minutes, 1 day, 3 days and 7 days are used.
According to the embodiment of the invention, the big data component is used for extracting data from massive data and processing and calculating the data, so that the problem of large data volume performance is solved, key information is effectively extracted from massive data with low value density, the reliability of the data is high, and the identification accuracy is improved.
Step 102: identifying the historical login information according to the historical portrait data of each user and the threshold of the basic index features of each dimension to obtain an identification result.
And identifying each piece of historical login information according to the historical portrait data of each user obtained in the step 101 and the threshold value of the basic index feature of each dimension, and identifying abnormal historical login information.
Optionally, step 102 may comprise: combining the basic index features of all dimensions, and obtaining a combined model according to the threshold values of the basic index features of all dimensions; screening each piece of historical login information based on the combined model to obtain an abnormal list; wherein, the abnormal list comprises at least one piece of historical login information; and identifying each piece of historical login information in the exception list based on the historical portrait data of each user so as to obtain an identification result. In the embodiment of the invention, the basic index features are combined based on the business rules, the dimensionality coverage of various combined models is comprehensive, and the screening accuracy is improved. Alternatively, the base index features and their corresponding thresholds in the combined model may be determined empirically.
Optionally, the combined model may be constructed from the basic index features corresponding to the database-collision number-scanning model, the brute force cracking model, the robot login model, the IP cross-region abnormal-movement model, the non-self login model, and the like. For example, the basic index features corresponding to the database-collision number-scanning model and the basic index features corresponding to the non-self login model are combined to obtain a combined model, and if the combined model is hit, the hit historical login information is written into an exception list. For example, the combined model may be: the login frequency in one day is more than x, the failure rate in one day is more than x, and the current login non-personal common IP probability is less than 5%. For another example, the combined model may be: the login frequency of the equipment in one day is larger than x, the failure rate of the equipment in one day is larger than x, and the probability of logging in the equipment which is not commonly used by the user at present is smaller than 5%.
The typical behavior of the non-self login model is as follows: an account has a commonly used login IP segment, place, time period and the like, whereas a login that is not by the account owner tends to come from an environment the owner does not commonly use and has a high failure rate. The constructed basic index features are: the user's commonly used login IP, commonly used login area and commonly used device, and the area and device of the current login.
Optionally, screening each piece of historical login information based on the combined model to obtain an exception list, including: for each combined model, screening abnormal login information (such as abnormal IP, abnormal equipment and abnormal user account) from the basic index features of each dimension based on the basic index features in the combined model and corresponding threshold values thereof; and screening an abnormal list from the historical login information according to the abnormal login information.
Optionally, identifying each piece of historical login information in the exception list based on the historical portrait data of each user, so as to obtain an identification result, includes: judging whether the historical login information is consistent with the historical portrait data of the user corresponding to the historical login information or not for each piece of historical login information in the abnormal list; if yes, removing the historical login information from the abnormal list; if not, identifying that the historical login information is abnormal. After the abnormal list is screened out according to abnormal risk media such as IP, equipment and user account, the historical login information in the abnormal list needs to be further judged by combining the historical portrait data of the user (because some of the historical login information may belong to normal user behaviors), so that the abnormal login can be accurately identified.
According to the embodiment of the invention, the characteristics of the establishment of several rule models commonly used for abnormal risk login are integrated, and the omnidirectional characteristics of the multi-dimensional multi-time window are established, so that the identification accuracy can be improved, and the reliability of the identification model obtained by training is improved.
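The screening and portrait check of step 102, as an added Python example that is not code from the patent: an IP-dimension combined model produces the abnormal list, and entries that match the user's portrait are removed again. The record fields, the threshold values standing in for "x", the reading of the 5% figure as a share of successful logins, and the sample data are all assumptions.

```python
from collections import Counter, defaultdict

# Assumed thresholds: the text leaves them as "x" and says they are set empirically.
MAX_LOGINS_PER_IP_DAY = 20
MAX_FAIL_RATE_PER_IP_DAY = 0.8
COMMON_SHARE = 0.05  # the 5% figure from the text, read as a share of successful logins


def build_portraits(history):
    """Historical portrait data: per user, share of successful logins per IP and device."""
    seen = defaultdict(lambda: {"ip": Counter(), "device": Counter()})
    for r in history:
        if r["ok"]:
            seen[r["user"]]["ip"][r["ip"]] += 1
            seen[r["user"]]["device"][r["device"]] += 1
    portraits = {}
    for user, dims in seen.items():
        total = sum(dims["ip"].values())
        portraits[user] = {dim: {k: n / total for k, n in c.items()}
                           for dim, c in dims.items()}
    return portraits


def ip_day_features(history):
    """Basic index features of the IP dimension: login count and failure rate per IP per day."""
    total, failed = Counter(), Counter()
    for r in history:
        key = (r["ip"], r["day"])
        total[key] += 1
        if not r["ok"]:
            failed[key] += 1
    return {key: (n, failed[key] / n) for key, n in total.items()}


def screen_abnormal_media(features):
    """Combined model: an (IP, day) is abnormal when both thresholds are exceeded."""
    return {key for key, (n, fail_rate) in features.items()
            if n > MAX_LOGINS_PER_IP_DAY and fail_rate > MAX_FAIL_RATE_PER_IP_DAY}


def matches_portrait(record, portraits):
    """True when both the IP and the device are commonly used by this user."""
    p = portraits.get(record["user"], {"ip": {}, "device": {}})
    return (p["ip"].get(record["ip"], 0.0) >= COMMON_SHARE
            and p["device"].get(record["device"], 0.0) >= COMMON_SHARE)


def identify(history):
    """Return (abnormal_list, confirmed_abnormal, removed_as_normal)."""
    portraits = build_portraits(history)
    media = screen_abnormal_media(ip_day_features(history))
    abnormal_list = [r for r in history if (r["ip"], r["day"]) in media]
    confirmed = [r for r in abnormal_list if not matches_portrait(r, portraits)]
    removed = [r for r in abnormal_list if matches_portrait(r, portraits)]
    return abnormal_list, confirmed, removed


def sample_history():
    """Constructed data: one shared IP carries a legitimate user and a burst of failed logins."""
    def rec(user, ip, device, day, ok):
        return {"user": user, "ip": ip, "device": device, "day": day, "ok": ok}
    history = [rec("alice", "198.51.100.10", "dev-alice", d, True) for d in range(1, 25)]
    history += [rec("bob", "203.0.113.7", "dev-bob", d, True) for d in range(1, 11)]
    # Day 10: 29 failed logins on other accounts, then one success on alice's account.
    history += [rec(f"u{i}", "203.0.113.7", "dev-x", 10, False) for i in range(29)]
    history.append(rec("alice", "203.0.113.7", "dev-x", 10, True))
    return history


if __name__ == "__main__":
    abnormal_list, confirmed, removed = identify(sample_history())
    print(len(abnormal_list), "screened,", len(confirmed), "abnormal,",
          [r["user"] for r in removed], "removed")
```

Bob's login shares the flagged IP and day, so it enters the abnormal list, but it matches his portrait and is removed; the single successful login on alice's account from an unfamiliar IP and device stays abnormal.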
Step 103, taking the historical login information and its corresponding recognition results as training samples, and training based on a machine learning algorithm to obtain a recognition model.
Since the historical login information of the past period has been identified in step 102, the historical login information and its corresponding identification results can be used as training samples and trained based on a machine learning model, so as to obtain the recognition model. Optionally, step 103 may comprise: taking the historical portrait data of each user corresponding to the historical login information, the basic index features of each dimension and the recognition result corresponding to the historical login information as training samples, and performing supervised learning with a gradient boosting decision tree (GBDT) model, so as to train the recognition model. In the embodiment of the invention, the historical portrait data of each user and the basic index features of each dimension obtained in step 101 can be used as training samples, and basic user information such as the registration time of the user account and the user's age can also be used as training samples, which increases the overall generalization capability of the model and improves the identification accuracy.
Step 104, identifying the login information to be detected according to the historical portrait data of each user, the thresholds of the basic index features of each dimension and the recognition model, to obtain an identification result.
Optionally, the login information to be detected may be recent login information, such as the login information of the previous day, the previous two days, the previous three days, and the like; the recent login information is accurately identified by combining the identification process of step 102 with the recognition model trained in step 103. Optionally, the login information to be detected may also be a single current login, which is not limited in this embodiment of the present invention.
Optionally, step 104 may include: identifying the login information to be detected according to the historical portrait data of each user and the thresholds of the basic index features of each dimension to obtain a first abnormal recognition result; identifying the login information to be detected based on the recognition model to obtain a second abnormal recognition result; and taking the union of the first abnormal recognition result and the second abnormal recognition result as the recognition result of the login information to be detected. The embodiment of the invention takes the union of the two abnormal recognition results; the login information in the union set is abnormal login, which yields the user accounts with abnormal logins, and the online operations (such as transfers, orders, payments and the like) triggered under those user accounts can then be recalled.
According to the embodiment of the invention, the recognition results of the rule model and the supervised machine learning model are merged by union, so that an exact threshold does not need to be set for each basic index feature. If only the rule model is used to identify abnormal logins, the thresholds are often strict; accuracy is high but recall is low. The embodiment of the invention therefore further combines the recognition model on top of the rule model and takes the union of the two recognition results, which preserves the identification accuracy while increasing the recall.
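Steps 103 and 104 as an added Python example, not code from the patent: rule hits label a training window, a small gradient-boosted ensemble is fitted to those labels, and detection takes the union of rule hits and model hits. Depth-1 trees with squared-error loss stand in for the GBDT model, labels come from the thresholds alone without the portrait check, and the thresholds, feature pair and data are constructed assumptions.

```python
# Assumed thresholds for the strict rule ("x" in the text); all data below is constructed.
RULE_MIN_LOGINS = 20
RULE_MIN_FAIL_RATE = 0.8


def rule_hit(sample):
    """Rule model on one (logins per IP-day, failure rate) feature vector."""
    logins, fail_rate = sample
    return logins > RULE_MIN_LOGINS and fail_rate > RULE_MIN_FAIL_RATE


def fit_stump(X, residuals):
    """Depth-1 regression tree: the (feature, threshold) split with the least squared error."""
    best = None
    for j in range(len(X[0])):
        values = sorted({row[j] for row in X})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [r for row, r in zip(X, residuals) if row[j] <= t]
            right = [r for row, r in zip(X, residuals) if row[j] > t]
            lv, rv = sum(left) / len(left), sum(right) / len(right)
            sse = sum((r - lv) ** 2 for r in left) + sum((r - rv) ** 2 for r in right)
            if best is None or sse < best[0]:
                best = (sse, j, t, lv, rv)
    return best[1:]


def train(X, y, rounds=20, rate=0.5):
    """Gradient boosting with squared-error loss: each stump fits the current residuals."""
    base = sum(y) / len(y)
    scores, stumps = [base] * len(X), []
    for _ in range(rounds):
        residuals = [yi - s for yi, s in zip(y, scores)]
        j, t, lv, rv = fit_stump(X, residuals)
        stumps.append((j, t, lv, rv))
        scores = [s + rate * (lv if row[j] <= t else rv) for row, s in zip(X, scores)]
    return base, rate, stumps


def model_score(model, sample):
    """Score near 1 means the model considers the sample abnormal."""
    base, rate, stumps = model
    return base + sum(rate * (lv if sample[j] <= t else rv) for j, t, lv, rv in stumps)


def detect(model, to_check, cutoff=0.5):
    """First result from the rule, second from the model, then their union."""
    first = {k for k, v in to_check.items() if rule_hit(v)}
    second = {k for k, v in to_check.items() if model_score(model, v) > cutoff}
    return first, second, first | second


# Constructed training window: per IP-day (logins, failure rate), labelled by the rule.
HISTORY = [(3, 0.0), (5, 0.2), (2, 0.5), (200, 0.05), (150, 0.10), (40, 0.15),
           (31, 0.94), (60, 0.98), (45, 0.90), (120, 0.99)]
LABELS = [1.0 if rule_hit(s) else 0.0 for s in HISTORY]

# Constructed login information to be detected.
TO_CHECK = {
    "ip-a": (35, 0.95),   # over both thresholds
    "ip-b": (15, 0.93),   # high failure rate, but under the login-count threshold
    "ip-c": (180, 0.06),  # busy shared gateway, almost no failures
    "ip-d": (3, 0.33),    # a user mistyping once
}

if __name__ == "__main__":
    first, second, merged = detect(train(HISTORY, LABELS), TO_CHECK)
    print("rule:", sorted(first), "model:", sorted(second), "union:", sorted(merged))
```

In this constructed window the failure rate alone separates the rule's labels, so the model adds the 15-login case that the strict rule misses; what the union adds in practice depends on which negatives the training window contains.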
According to the various embodiments described above, the historical login information is identified according to the historical portrait data of each user and the thresholds of the basic index features of each dimension, the historical login information and its corresponding identification results are used as training samples, and a recognition model is trained based on a machine learning algorithm, so that the login information to be detected is identified by combining the historical portrait data of each user, the thresholds of the basic index features of each dimension and the recognition model; this solves the technical problem in the prior art that the identification result of abnormal login is inaccurate. The embodiment of the invention identifies abnormal logins to a website by combining the rule model with the supervised machine learning model. On the one hand, the identification results of the rule model convert unsupervised learning into supervised learning, and machine learning solves the problem that complex rules and rule thresholds cannot be quantified; on the other hand, the stability of the model and recall over a larger range are ensured, so that attack threats and potential unknown risks can be accurately identified, the cost of manual risk investigation is reduced, and the defense-in-depth capability is improved.
Fig. 2 is a schematic diagram of a main flow of a method of identifying an abnormal login according to a referential embodiment of the present invention. As another embodiment of the present invention, as shown in fig. 2, the method for identifying an abnormal login may include:
Step 201, obtaining historical login information within a period of time.
Optionally, historical login information from the last 1 month, 2 months or 3 months before the current time can be obtained from the database, and each piece of historical login information can comprise login time, login channel (APP login, mobile web login, computer login and the like), device information (device identifier, MAC address, BIOS serial number, hard disk serial number and the like), IP address, account information, browser information (browser name, version number and the like) and login return code (success, or failure type: user does not exist, password error and the like).
Step 202, determining historical portrait data of each user and basic index characteristics of each dimension according to the historical login information.
Optionally, the historical portrait data includes commonly used IPs, the home location of the commonly used IPs, commonly used device information and commonly used browser information. Specifically, the historical portrait data of each user can be computed by a big data component; it mainly comprises the IP addresses commonly used by each user, the home location of those IPs, commonly used device information, commonly used browser information and the like, so that the information of these dimensions is generalized into the portrait of each user. Optionally, the basic index features of each dimension at least include index features of the IP dimension, index features of the device dimension and index features of the account dimension. Specifically, the basic index features of each dimension can be computed by the big data component. The basic index features of each dimension can be constructed according to rule models such as a credential-stuffing and account-scanning model, a brute-force cracking model, a robot login model and an IP cross-region abnormal model, so that they can be calculated from the historical login information.
Step 203, combining the basic index features of each dimension, and obtaining a combined model according to the thresholds of the basic index features of each dimension.
Optionally, a combined model may be constructed from the basic index features corresponding to rule models such as a credential-stuffing and account-scanning model, a brute-force cracking model, a robot login model, an IP cross-region transaction model, a non-owner login model, and the like, and the thresholds of the basic index features may be set empirically.
Step 204, screening each piece of historical login information based on the combined model to obtain an abnormal list.
Specifically, if a piece of historical login information hits the combined model, it is written into the abnormal list.
Step 205, identifying each piece of historical login information in the abnormal list based on the historical portrait data of each user, thereby obtaining an identification result.
And for each piece of historical login information in the abnormal list, further judging whether the information is abnormal or not by combining historical portrait data of the user, thereby improving the identification accuracy.
Step 206, taking the historical portrait data of each user corresponding to the historical login information, the basic index features of each dimension and the recognition result corresponding to the historical login information as training samples, and performing supervised learning with a gradient boosting decision tree (GBDT) model, so as to train the recognition model.
When the model is trained, basic user information such as the registration time of the user account and the user's age can be added and also used as training samples, which increases the overall generalization capability of the model and improves the identification accuracy.
Step 207, identifying the login information to be detected according to the historical portrait data of each user and the thresholds of the basic index features of each dimension to obtain a first abnormal recognition result.
Step 208, identifying the login information to be detected based on the recognition model to obtain a second abnormal recognition result.
Step 209, taking the union of the first abnormal recognition result and the second abnormal recognition result as the recognition result of the login information to be tested.
In addition, in a reference embodiment of the present invention, the detailed implementation of the method for identifying abnormal login is described in detail above, so that the repeated content will not be described herein.
Fig. 3 is a schematic diagram of a main flow of a method of identifying an abnormal login according to another referential embodiment of the present invention. As another embodiment of the present invention, as shown in fig. 3, the method for identifying an abnormal login may include:
Step 301, obtaining historical login information within a period of time, and determining historical portrait data of each user and basic index features of each dimension according to the historical login information.
Step 302, combining the basic index features of each dimension, and obtaining a combined model according to the thresholds of the basic index features of each dimension.
Step 303, for each combination model, based on the basic index features in the combination model and the corresponding threshold thereof, screening abnormal login information (such as abnormal IP, abnormal device, and abnormal user account) from the basic index features of each dimension.
Step 304, screening an abnormal list from the historical login information according to the abnormal login information.
Step 305, for each piece of historical login information in the abnormal list, judging whether the historical login information is consistent with the historical portrait data of the corresponding user; if yes, go to step 306; if not, go to step 307.
Step 306, removing the historical login information from the abnormal list.
Step 307, identifying the historical login information as abnormal.
Step 308, taking the historical login information and its corresponding recognition results as training samples, and training based on a machine learning algorithm to obtain a recognition model.
Step 309, identifying the login information to be detected according to the historical portrait data of each user, the thresholds of the basic index features of each dimension and the recognition model, to obtain an identification result.
In addition, in a reference embodiment of the present invention, the detailed implementation of the method for identifying abnormal login is described in detail above, so that the repeated content will not be described herein.
Fig. 4 is a schematic diagram of main modules of an apparatus for recognizing abnormal login according to an embodiment of the present invention. As shown in fig. 4, the apparatus 400 for recognizing abnormal login includes a calculation module 401, a first recognition module 402, a training module 403, and a second recognition module 404. The calculation module 401 is configured to obtain historical login information within a period of time, and determine historical portrait data of each user and basic index features of each dimension according to the historical login information; the first identification module 402 is configured to identify the historical login information according to the historical portrait data of each user and the threshold of the basic index feature of each dimension, so as to obtain an identification result; the training module 403 is configured to use the historical login information and the corresponding recognition result as training samples and train the training samples based on a machine learning algorithm to obtain a recognition model; the second identification module 404 is configured to identify the login information to be detected according to the historical portrait data of each user, the threshold of the basic index feature of each dimension, and the identification model, so as to obtain an identification result.
Optionally, the historical login information includes login time, login channel, device information, IP address, account information, browser information, and login return code;
the historical portrait data comprises commonly used IPs, the home location of the commonly used IPs, commonly used device information and commonly used browser information; and/or,
the basic index features of each dimension at least comprise index features of an IP dimension, index features of a device dimension and index features of an account dimension.
Optionally, the first identifying module 402 is further configured to:
combining the basic index features of all dimensions, and obtaining a combined model according to the threshold values of the basic index features of all dimensions;
screening each piece of historical login information based on the combined model to obtain an abnormal list; wherein, the abnormal list comprises at least one piece of historical login information;
and identifying each piece of historical login information in the exception list based on the historical portrait data of each user so as to obtain an identification result.
Optionally, the first identifying module 402 is further configured to:
for each combined model, screening abnormal login information from the basic index features of each dimensionality based on the basic index features in the combined model and corresponding threshold values thereof;
and screening an abnormal list from the historical login information according to the abnormal login information.
Optionally, the first identifying module 402 is further configured to:
judging whether the historical login information is consistent with the historical portrait data of the user corresponding to the historical login information or not for each piece of historical login information in the abnormal list;
if yes, removing the historical login information from the abnormal list;
if not, identifying that the historical login information is abnormal.
Optionally, the training module 403 is further configured to:
taking the historical portrait data of each user corresponding to the historical login information, the basic index features of each dimension and the recognition result corresponding to the historical login information as training samples, and performing supervised learning with a gradient boosting decision tree (GBDT) model, so as to train the recognition model.
Optionally, the second identifying module 404 is further configured to:
identifying the login information to be detected according to the historical portrait data of each user and the threshold value of the basic index characteristic of each dimension to obtain a first abnormal identification result;
identifying the login information to be detected based on the identification model to obtain a second abnormal identification result;
and merging the first abnormal recognition result and the second abnormal recognition result to serve as the recognition result of the login information to be tested.
According to the various embodiments described above, the historical login information is identified according to the historical portrait data of each user and the thresholds of the basic index features of each dimension, the historical login information and its corresponding identification results are used as training samples, and a recognition model is trained based on a machine learning algorithm, so that the login information to be detected is identified by combining the historical portrait data of each user, the thresholds of the basic index features of each dimension and the recognition model; this solves the technical problem in the prior art that the identification result of abnormal login is inaccurate. The embodiment of the invention identifies abnormal logins to a website by combining the rule model with the supervised machine learning model. On the one hand, the identification results of the rule model convert unsupervised learning into supervised learning, and machine learning solves the problem that complex rules and rule thresholds cannot be quantified; on the other hand, the stability of the model and recall over a larger range are ensured, so that attack threats and potential unknown risks can be accurately identified, the cost of manual risk investigation is reduced, and the defense-in-depth capability is improved.
It should be noted that, in the implementation of the apparatus for identifying abnormal login of the present invention, the above method for identifying abnormal login has been described in detail, and therefore, the repeated content is not described herein.
Fig. 5 illustrates an exemplary system architecture 500 to which a method of identifying an abnormal login or an apparatus for identifying an abnormal login of embodiments of the present invention may be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504, and a server 505. The network 504 serves to provide a medium for communication links between the terminal devices 501, 502, 503 and the server 505. Network 504 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 501, 502, 503 to interact with a server 505 over a network 504 to receive or send messages or the like. The terminal devices 501, 502, 503 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 501, 502, 503 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 505 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users using the terminal devices 501, 502, 503. The background management server may analyze and otherwise process the received data such as the item information query request, and feed back a processing result (for example, target push information, item information — just an example) to the terminal device.
It should be noted that the method for identifying abnormal login provided by the embodiment of the present invention is generally executed by the server 505, and accordingly, the apparatus for identifying abnormal login is generally disposed in the server 505. The method for identifying abnormal login provided by the embodiment of the present invention may also be executed by the terminal devices 501, 502, 503, and accordingly, the apparatus for identifying abnormal login may be disposed in the terminal devices 501, 502, 503.
It should be understood that the number of terminal devices, networks, and servers in fig. 5 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 6, a block diagram of a computer system 600 suitable for use with a terminal device implementing an embodiment of the invention is shown. The terminal device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU)601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM603, various programs and data necessary for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse, and the like; an output section 607 including a display such as a cathode ray tube (CRT) or a liquid crystal display (LCD), a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, and the like. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as necessary. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, and the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is installed into the storage section 608 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 601.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer programs according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes a calculation module, a first recognition module, a training module, and a second recognition module, where the names of the modules do not in some cases constitute a limitation on the modules themselves.
As another aspect, the present invention also provides a computer-readable medium, which may be contained in the device described in the above embodiments, or may exist separately without being incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform: obtaining historical login information within a period of time, and determining historical portrait data of each user and basic index features of each dimension according to the historical login information; identifying the historical login information according to the historical portrait data of each user and the thresholds of the basic index features of each dimension to obtain an identification result; taking the historical login information and its corresponding recognition results as training samples, and training based on a machine learning algorithm to obtain a recognition model; and identifying the login information to be detected according to the historical portrait data of each user, the thresholds of the basic index features of each dimension and the recognition model, to obtain an identification result.
According to the technical scheme of the embodiment of the invention, the historical login information is identified according to the historical portrait data of each user and the thresholds of the basic index features of each dimension, the historical login information and its corresponding identification results are used as training samples, and a recognition model is trained based on a machine learning algorithm, so that the login information to be detected is identified by combining the historical portrait data of each user, the thresholds of the basic index features of each dimension and the recognition model; this solves the technical problem in the prior art that the identification result of abnormal login is inaccurate. The embodiment of the invention identifies abnormal logins to a website by combining the rule model with the supervised machine learning model. On the one hand, the identification results of the rule model convert unsupervised learning into supervised learning, and machine learning solves the problem that complex rules and rule thresholds cannot be quantified; on the other hand, the stability of the model and recall over a larger range are ensured, so that attack threats and potential unknown risks can be accurately identified, the cost of manual risk investigation is reduced, and the defense-in-depth performance is improved.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (16)

1. A method for identifying an abnormal login, comprising:
obtaining historical login information within a period of time, and determining historical portrait data of each user and basic index features of each dimension according to the historical login information;
identifying the historical login information according to the historical portrait data of each user and the threshold value of the basic index characteristic of each dimension to obtain an identification result;
taking the historical login information and the corresponding recognition result as training samples and training the training samples based on a machine learning algorithm to obtain a recognition model;
and identifying the login information to be detected according to the historical portrait data of each user, the threshold of the basic index characteristic of each dimension and the identification model to obtain an identification result.
2. The method of claim 1, wherein the historical login information includes login time, login channel, device information, IP address, account information, browser information, and login return code;
the historical portrait data comprises a commonly used IP, the home location of the commonly used IP, commonly used device information and commonly used browser information; and/or
the basic index features of each dimension at least comprise index features of an IP dimension, index features of a device dimension and index features of an account dimension.
3. The method of claim 1, wherein identifying the historical login information according to the historical portrait data of each user and the threshold of the basic index feature of each dimension to obtain an identification result comprises:
combining the basic index features of all dimensions, and obtaining a combined model according to the threshold values of the basic index features of all dimensions;
screening each piece of historical login information based on the combined model to obtain an abnormal list; wherein, the abnormal list comprises at least one piece of historical login information;
and identifying each piece of historical login information in the abnormal list based on the historical portrait data of each user so as to obtain an identification result.
4. The method of claim 3, wherein screening each piece of historical login information based on the combined model to obtain an abnormal list comprises:
for each combined model, screening abnormal login information from the basic index features of each dimension based on the basic index features in the combined model and their corresponding thresholds;
and screening an abnormal list from the historical login information according to the abnormal login information.
5. The method of claim 3, wherein identifying each piece of historical login information in the abnormal list based on the historical portrait data of each user to obtain an identification result comprises:
judging whether the historical login information is consistent with the historical portrait data of the user corresponding to the historical login information or not for each piece of historical login information in the abnormal list;
if yes, removing the historical login information from the abnormal list;
if not, identifying that the historical login information is abnormal.
6. The method of claim 1, wherein training the historical login information and the corresponding recognition result as training samples based on a machine learning algorithm to obtain a recognition model comprises:
taking the historical portrait data of each user corresponding to the historical login information, the basic index features of each dimension and the recognition result corresponding to the historical login information as training samples, and performing supervised learning with a gradient boosting decision tree model so as to train a recognition model.
7. The method of claim 1, wherein identifying the login information to be detected according to the historical portrait data of each user, the threshold of the basic index feature of each dimension and the identification model to obtain an identification result comprises:
identifying the login information to be detected according to the historical portrait data of each user and the threshold value of the basic index characteristic of each dimension to obtain a first abnormal identification result;
identifying the login information to be detected based on the identification model to obtain a second abnormal identification result;
and merging the first abnormal recognition result and the second abnormal recognition result to serve as the recognition result of the login information to be detected.
8. An apparatus for identifying an abnormal login, comprising:
the calculation module is used for acquiring historical login information within a period of time and determining historical portrait data of each user and basic index characteristics of each dimension according to the historical login information;
the first identification module is used for identifying the historical login information according to the historical portrait data of each user and the threshold value of the basic index characteristic of each dimension to obtain an identification result;
the training module is used for taking the historical login information and the corresponding recognition result as training samples and training the training samples based on a machine learning algorithm to obtain a recognition model;
and the second identification module is used for identifying the login information to be detected according to the historical portrait data of each user, the threshold of the basic index features of each dimension and the identification model to obtain an identification result.
9. The apparatus of claim 8, wherein the historical login information comprises login time, login channel, device information, IP address, account information, browser information, and login return code;
the historical portrait data comprises a commonly used IP, the home location of the commonly used IP, commonly used device information and commonly used browser information; and/or
the basic index features of each dimension at least comprise index features of an IP dimension, index features of a device dimension and index features of an account dimension.
10. The apparatus of claim 8, wherein the first identification module is further configured to:
combining the basic index features of all dimensions, and obtaining a combined model according to the threshold values of the basic index features of all dimensions;
screening each piece of historical login information based on the combined model to obtain an abnormal list; wherein, the abnormal list comprises at least one piece of historical login information;
and identifying each piece of historical login information in the abnormal list based on the historical portrait data of each user so as to obtain an identification result.
11. The apparatus of claim 10, wherein the first identification module is further configured to:
for each combined model, screening abnormal login information from the basic index features of each dimension based on the basic index features in the combined model and their corresponding thresholds;
and screening an abnormal list from the historical login information according to the abnormal login information.
12. The apparatus of claim 8, wherein the first identification module is further configured to:
judging whether the historical login information is consistent with the historical portrait data of the user corresponding to the historical login information or not for each piece of historical login information in the abnormal list;
if yes, removing the historical login information from the abnormal list;
if not, identifying that the historical login information is abnormal.
13. The apparatus of claim 8, wherein the training module is further configured to:
taking the historical portrait data of each user corresponding to the historical login information, the basic index features of each dimension and the recognition result corresponding to the historical login information as training samples, and performing supervised learning with a gradient boosting decision tree model so as to train a recognition model.
14. The apparatus of claim 8, wherein the second identification module is further configured to:
identifying the login information to be detected according to the historical portrait data of each user and the threshold value of the basic index characteristic of each dimension to obtain a first abnormal identification result;
identifying the login information to be detected based on the identification model to obtain a second abnormal identification result;
and merging the first abnormal recognition result and the second abnormal recognition result to serve as the recognition result of the login information to be detected.
15. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
16. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010107808.5A CN111400357A (en) 2020-02-21 2020-02-21 Method and device for identifying abnormal login

Publications (1)

Publication Number Publication Date
CN111400357A true CN111400357A (en) 2020-07-10

Family

ID=71434272

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010107808.5A Pending CN111400357A (en) 2020-02-21 2020-02-21 Method and device for identifying abnormal login

Country Status (1)

Country Link
CN (1) CN111400357A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220921

Address after: 25 Financial Street, Xicheng District, Beijing 100033

Applicant after: CHINA CONSTRUCTION BANK Corp.

Address before: 25 Financial Street, Xicheng District, Beijing 100033

Applicant before: CHINA CONSTRUCTION BANK Corp.

Applicant before: Jianxin Financial Science and Technology Co.,Ltd.