CN111526110B - Method, device, equipment and medium for detecting unauthorized login of email account - Google Patents


Info

Publication number
CN111526110B
Authority
CN
China
Prior art keywords
log
detected
login
classification
email account
Prior art date
Legal status
Active
Application number
CN201910105743.8A
Other languages
Chinese (zh)
Other versions
CN111526110A (en)
Inventor
雷君
黄蒙
温森浩
姚力
朱芸茜
王小群
陈阳
徐剑
王适文
肖崇惠
贾子骁
张帅
吕志泉
韩志辉
马莉雅
周彧
高川
贾世琳
文静
楼书逸
吕卓航
Current Assignee
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date
Filing date
Publication date
Application filed by National Computer Network and Information Security Management Center
Priority to CN201910105743.8A
Publication of CN111526110A
Application granted
Publication of CN111526110B
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection
    • H04L 51/00: User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L 51/42: Mailbox-related aspects, e.g. synchronisation of mailboxes


Abstract

An embodiment of the invention provides a method, a device, equipment and a medium for detecting unauthorized login of an email account. The method comprises the following steps: collecting a login log to be detected and the login log preceding it, the two being consecutive logins of the email account, together with the historical login logs of the email account within a predetermined period of time; classifying the login log to be detected based on it and the login log preceding it; determining login behavior pattern information of the email account according to the historical login logs, the login log to be detected and its classification result; matching the login log to be detected, its classification result and the login behavior pattern information against a predetermined alert rule; and, if they match, determining the login behavior under detection to be the login behavior of an unauthorized user. The embodiment solves the technical problem of how to identify unauthorized login of an email account, and does so without depending on analysis of the email content.

Description

Method, device, equipment and medium for detecting unauthorized login of email account
Technical Field
The present invention relates to the field of information transfer technology, and in particular to a method, an apparatus, a device and a medium for detecting unauthorized login of an email account.
Background
Electronic mailboxes are an important way of delivering information over the internet. As network applications grow more complex, many higher-level applications use electronic mailboxes as infrastructure for their business flows, such as user registration, authentication and messaging. Protecting email security is therefore an important component of network information security.
Identifying unauthorized user logins is an important technical problem in email security.
Providing a method for identifying unauthorized login of an email account is therefore a technical problem to be solved.
Disclosure of Invention
The embodiment of the invention aims to provide a method, a device, equipment and a medium for detecting unauthorized login of an email account, so as to solve the technical problem of how to identify the unauthorized login of the email account.
In order to achieve the above object, according to a first aspect of the present invention, the following technical solutions are provided:
A method for detecting unauthorized login of an email account, comprising:
collecting a login log to be detected and the login log preceding it, the two being consecutive logins of the email account, together with the historical login logs of the email account within a predetermined period of time, the login log to be detected identifying the user login behavior under detection;
classifying the login log to be detected according to a predetermined classification rule, based on the login log to be detected and the login log preceding it;
determining login behavior pattern information of the email account according to the historical login logs, the login log to be detected and its classification result;
matching the login log to be detected, its classification result and the login behavior pattern information against a predetermined alert rule;
and, if they match, determining the user login behavior under detection to be the login behavior of an unauthorized user.
Preferably, the email account is served by a server that comprises a cache;
classifying the login log to be detected according to the predetermined classification rule, based on the login log to be detected and the login log preceding it, specifically comprises:
obtaining the two login logs of consecutive logins held in the cache;
comparing the login log to be detected, the login log preceding it and the two login logs in the cache with each other;
determining, from the comparison result, the login log with the latest login time as the login log to be detected;
and classifying the login log to be detected according to the predetermined classification rule.
Preferably, the predetermined classification rule is constructed by at least one of the following methods: an a priori rule method, and training decision-tree rules with a machine learning algorithm.
Preferably, the predetermined classification rule is constructed by:
acquiring two historical login logs adjacent in time, together with user feedback information;
comparing the differences between the two login logs;
and determining the classification rule by training decision-tree rules with a machine learning algorithm, based on the user feedback information, the email account and the differences between the two login logs.
Preferably, after the step of determining, on a match, the user login behavior under detection to be the login behavior of an unauthorized user, the method further comprises:
generating alert information and presenting it to the user in the form of a pop-up box or a floating page.
In order to achieve the above object, the second aspect of the present invention further provides the following technical solutions:
An apparatus for detecting unauthorized login of an email account, comprising:
an acquisition module, used to collect a login log to be detected and the login log preceding it, the two being consecutive logins of the email account, together with the historical login logs of the email account within a predetermined period of time, the login log to be detected identifying the user login behavior under detection;
a classification module, used to classify the login log to be detected according to a predetermined classification rule, based on the login log to be detected and the login log preceding it;
a first determining module, used to determine login behavior pattern information of the email account according to the historical login logs, the login log to be detected and its classification result;
a matching module, used to match the login log to be detected, its classification result and the login behavior pattern information against a predetermined alert rule;
and a second determining module, used to determine, on a match, the user login behavior under detection to be the login behavior of an unauthorized user.
Preferably, the email account is served by a server that comprises a cache;
the classification module is specifically configured to:
obtain the two login logs of consecutive logins held in the cache;
compare the login log to be detected, the login log preceding it and the two login logs in the cache with each other;
determine, from the comparison result, the login log with the latest login time as the login log to be detected;
and classify the login log to be detected according to the predetermined classification rule.
Preferably, the classification module is further configured to:
acquire two historical login logs adjacent in time, together with user feedback information;
compare the differences between the two login logs;
and determine the classification rule by training decision-tree rules with a machine learning algorithm, based on the user feedback information, the email account and the differences between the two login logs.
Preferably, the apparatus further comprises:
an alert module, used to generate alert information and present it to the user in the form of a pop-up box or a floating page.
In order to achieve the above object, a third aspect of the present invention further provides the following technical solutions:
An electronic device comprising a processor and a memory, wherein:
the memory is used to store a computer program;
and the processor is configured to carry out the method steps above when executing the program stored in the memory.
In order to achieve the above object, a fourth aspect of the present invention further provides the following technical solution:
a computer-readable storage medium storing a computer program which, when executed by a processor, carries out the method steps above.
Compared with the prior art, the invention has at least the following beneficial effects:
The embodiment of the invention provides a method, a device, equipment and a medium for detecting unauthorized login of an email account. The method comprises: collecting a login log to be detected and the login log preceding it, the two being consecutive logins of the email account, together with the historical login logs of the email account within a predetermined period of time, the login log to be detected identifying the user login behavior under detection; classifying the login log to be detected according to a predetermined classification rule, based on the login log to be detected and the login log preceding it; determining login behavior pattern information of the email account according to the historical login logs, the login log to be detected and its classification result; matching the login log to be detected, its classification result and the login behavior pattern information against a predetermined alert rule; and, if they match, determining the login behavior under detection to be the login behavior of an unauthorized user.
According to the embodiment of the invention, login logs are collected and classified, login behavior pattern information is determined, the login logs are matched against the predetermined rule, and whether an unauthorized user has logged in to the email account is judged from the matching result. The technical solution does not inspect the content of the email but only the login logs, so an unauthorized user's login to an email account can be identified at the login stage. It does not depend on analysis of email content, which protects the user's private information in that content, and it does not depend on the network topology, so it is widely applicable and suits various mail access scenarios (clients, browsers, applications and so on).
In order to make the technical means of the present invention more clearly understood, the present invention can be implemented according to the content of the specification, and in order to make the above and other objects, features and advantages of the present invention more comprehensible, preferred embodiments accompanied with the accompanying drawings are described in detail below. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings. Of course, it is not necessary for any one product or method of practicing the invention to achieve all of the advantages set forth above at the same time.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. Wherein:
FIG. 1 is a flow chart of a method for detecting unauthorized entry of an email account according to an embodiment of the invention;
FIG. 2 is a schematic diagram of classification rules according to an embodiment of the invention;
FIG. 3 is a flow chart of determining classification rules according to an embodiment of the invention;
fig. 4 is a schematic structural diagram of an apparatus for detecting unauthorized login of an email account according to an embodiment of the present invention.
Detailed Description
Other advantages and effects of the present invention will become apparent to those skilled in the art from the following disclosure, which describes the embodiments of the present invention with reference to specific examples. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. The invention may be practiced or carried out in other embodiments that depart from the specific details, and the details of the present description may be modified or varied from the spirit and scope of the present invention. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments merely illustrate the basic concept of the present invention by way of illustration, and only the components related to the present invention are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
Document CN201110152417.6 discloses a system and method for detecting spam robots by detecting data transmissions, and document CN200610033978.3 discloses a system and method for handling exception features of e-mail. These prior-art techniques mainly adopt blacklist blocking and cannot identify the login behavior of unauthorized users.
Document CN201210294945.X discloses a malicious code capture method and system whose technical solution is based on identifying the content of sent mail. This helps trace the source after a security event has occurred, but cannot identify the event in advance.
As can be seen, the prior art still lacks an effective solution for identifying unauthorized login of an email account.
In view of this, to solve the technical problem of how to identify unauthorized login of an email account, an embodiment of the present invention provides a method for detecting login of an unauthorized user to an email account. As shown in Fig. 1, the method mainly comprises steps S100 to S140:
S100: collecting a login log to be detected and the login log preceding it, the two being consecutive logins of the email account, together with the historical login logs of the email account within a predetermined period of time; the login log to be detected identifies the user login behavior under detection.
A login log entry includes, but is not limited to: account name, account domain name, login time, source IP (Internet Protocol) address, destination IP address, login protocol and/or login mode. The login log to be detected may be the current login log, a historical login log, and so on.
A log system connected to the mail server can be used to collect the login log to be detected and the login log preceding it.
Collection in this step may be offline batch collection or online streaming collection; the invention is not limited in this respect. In practice, login logs may be collected in the order in which the logins occurred.
Specifically, collection modes include, but are not limited to, pull mode and subscription mode. Pull mode suits a small mail server without an independent log system: new login logs are pulled to the local server by continually scanning the log database or log files of the small mail server. Subscription mode suits a large mail server cluster with an independent log system that aggregates the login logs of many servers and publishes them to subscribers.
After collection, login logs can be deduplicated and stored. For example, login logs may be cached in a relational or key-value data structure, such as an array, linked list, tree, heap or stack. When a login log is received, a data structure object keyed by the email account can be created, so that when the current login log is collected, the login log preceding it can be queried from the cache.
In practice, a correspondence can be established between the data structure object and the ordering used during sorting, so that consecutive (adjacent-in-time) login logs can be queried as fast as possible. For example, the data structure object may hold the login logs in reverse order of login time, so that a query can start from the head without sorting, improving query efficiency.
The predetermined period of time may be in units of weeks, months and so on, for example one week or one month. If the unit is weeks, the login logs from 10 December 2018 to 16 December 2018 may be used as the historical login logs of a predetermined period.
In this step, accumulated historical data can be used to obtain the historical login logs of the predetermined period as the login features of the email account.
S110: classifying the login log to be detected according to a predetermined classification rule, based on the login log to be detected and the login log preceding it.
Specifically, this step may comprise the following steps S111 to S114:
S111: obtaining the two login logs of consecutive logins held in the cache.
Two login logs of consecutive logins are two login logs adjacent in time.
S112: comparing the login log to be detected, the login log preceding it and the two login logs in the cache with each other.
For example, the login log to be detected, the one preceding it and the two login logs in the cache may be ordered by time and their login times compared. The login time may be represented as a UTC (Coordinated Universal Time) timestamp.
S113: determining, from the comparison result, the login log with the latest login time as the login log to be detected.
For ease of understanding, the process of determining the login log to be detected is described below by way of example.
Assume that the login logs collected for the email account are A_n and A_{n-1}, where A_n is the current login log and A_{n-1} is the login log preceding A_n.
Assume further that the login logs in the cache are A_c and A_{c-1}, where A_c is the latest login log in the cache and A_{c-1} is the login log preceding A_c.
In time order there are then three cases (the condition stated for each case is the one implied by the action that case takes):
(1) A_n is later than A_c.
A_{n-1} and A_n are tagged as the consecutive pair, A_c in the cache is replaced by A_n and A_{c-1} by A_{n-1}, and A_n is determined to be the login log to be detected.
(2) A_n is the same as A_c, and A_{n-1} is later than A_{c-1}, so that A_{c-1} and A_{n-1} are the latest two consecutive login logs.
A_{c-1} and A_{n-1} are tagged as the consecutive pair, A_{c-1} in the cache is replaced by A_{n-1}, and A_{n-1} is determined to be the login log to be detected.
(3) A_n is the same as A_c, and A_{n-1} is earlier than A_{c-1}, so that A_{n-1} and A_{c-1} are the latest two consecutive login logs.
A_{n-1} and A_{c-1} are tagged as the consecutive pair, the cache is left unchanged, and A_{c-1} is determined to be the login log to be detected.
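The three cases above, as an added example that is not code from the patent: a function that takes the freshly collected pair (A_{n-1}, A_n) and the per-account cache (A_{c-1}, A_c) and returns the login log to be detected, its predecessor and the updated cache. Login time is a UTC millisecond timestamp as S112 suggests. The `id` field, the empty-cache start, and the treatment of a duplicate or late-arriving pair (neither is covered by the three cases) are assumptions made here; the sample logs are constructed, not real data.

```python
# Added example, not code from the patent: choosing the login log to be
# detected from the collected pair (A_{n-1}, A_n) and the cached pair
# (A_{c-1}, A_c), following the three cases of S113.

def pick_login_to_detect(a_n_1, a_n, cache):
    """Return (log_to_detect, its_predecessor, new_cache).

    cache is (A_{c-1}, A_c), or None when nothing has been seen for the account.
    A None log_to_detect means the collected pair yields nothing new to classify.
    """
    if cache is None:                                   # first pair seen for this account (assumption)
        return a_n, a_n_1, (a_n_1, a_n)
    a_c_1, a_c = cache
    if (a_n_1, a_n) == (a_c_1, a_c):                    # duplicate delivery: deduplicate (S100)
        return None, None, cache
    if a_n["login_time"] > a_c["login_time"]:           # case (1): A_n is later than A_c
        return a_n, a_n_1, (a_n_1, a_n)
    if a_n == a_c:
        if a_n_1["login_time"] > a_c_1["login_time"]:   # case (2): A_{c-1} < A_{n-1} < A_n = A_c
            return a_n_1, a_c_1, (a_n_1, a_c)
        return a_c_1, a_n_1, cache                      # case (3): A_{n-1} < A_{c-1} < A_n = A_c
    # A_n is older than A_c and differs from it: a late-arriving log that the
    # three cases do not cover (assumption: skip it and keep the cache).
    return None, None, cache


def replay(pairs, cache=None):
    """Feed collected pairs through the cache in arrival order; return
    [(detected id, predecessor id) or None, ...] and the final cache."""
    out = []
    for a_n_1, a_n in pairs:
        detect, prev, cache = pick_login_to_detect(a_n_1, a_n, cache)
        out.append((detect["id"], prev["id"]) if detect is not None else None)
    return out, cache


# Constructed sample login logs for one account (not real data).
def login(log_id, login_time_ms, src_ip):
    return {"id": log_id, "account": "alice@example.com",
            "login_time": login_time_ms, "src_ip": src_ip, "protocol": "IMAP"}

L0 = login("L0", 50, "203.0.113.10")
L1 = login("L1", 100, "203.0.113.10")
L2 = login("L2", 200, "203.0.113.10")
L3 = login("L3", 300, "198.51.100.77")
L4 = login("L4", 250, "203.0.113.11")   # collected after L3 although it happened before it

ARRIVALS = [
    (L1, L2),   # empty cache: L2 is detected, cache = (L1, L2)
    (L2, L3),   # case (1): L3 detected, cache = (L2, L3)
    (L4, L3),   # case (2): L4 slots between L2 and L3, cache = (L4, L3)
    (L0, L3),   # case (3): L0 is older than L4; L4 is detected with L0 as predecessor
    (L4, L3),   # exact duplicate of the cached pair: nothing to classify
    (L1, L2),   # late copy of an already processed pair: skipped (assumption)
]

if __name__ == "__main__":
    for arrival, result in zip(ARRIVALS, replay(ARRIVALS)[0]):
        print([a["id"] for a in arrival], "->", result)
```

The practical caveat this shows is that case (3) re-selects A_{c-1} every time an older log arrives, so a detector built this way must tolerate classifying the same login more than once, and a log older than the whole cache is silently dropped unless the collector guarantees time-ordered delivery.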
S114: classifying the login log to be detected according to the predetermined classification rule.
The classification rule can be obtained by an a priori rule method, by training decision-tree rules with a machine learning algorithm, and so on. The predetermined classification rule may be a predetermined set of classification rules.
The classification result may be expressed, for example, as an integer from 1 to 5, each integer denoting one class. Boolean values, probability values, categorical variables and so on may also be used.
For example, when the (n-1)th and nth login logs are received consecutively in time order, the nth login log is classified as the login log to be detected according to the classification rule set.
Fig. 2 shows an example hierarchical rule diagram of a classification rule. In it, a reasonable time means: the interval between logins from different provinces of the same country recorded in the two login logs is more than 2 hours, and the interval between logins from different countries is more than 6 hours.
A login log (recording the source IP country, source IP province, login time, source IP, login mode and so on) can be classified according to the classification rule shown in Fig. 2. For example, if the two login logs agree on country, province and IP, the classification result is marked 1 (as indicated by the numbers in the circles in Fig. 2); the other classes follow in the same way and are not described in detail here.
As an alternative embodiment, the classification rule may also be implemented in, but not limited to, the following way: constructing the classification rule by a decision tree, using a data set of login logs within a predetermined period; the data set includes user feedback information (for example, whether a login was abnormal or normal).
Specifically, as shown in Fig. 3, this embodiment may comprise the following steps Sa1 to Sa3:
Sa1: acquiring two historical login logs adjacent in time, together with user feedback information.
The login logs may include: login time, source IP location, destination IP, login mode and so on.
Sa2: comparing the differences between the two login logs.
For example, when the (n-1)th and nth login logs are received consecutively in time order, the (n-1)th login log is compared with the nth. A login log includes, but is not limited to, account domain name, source IP, destination IP, login time, login protocol or login mode.
The login time may be represented as a UTC (Coordinated Universal Time) timestamp in milliseconds. Differences in account domain name, source IP or destination IP may be represented as differences between integer values (for IPs, the integer value of the address). Login mode differences may be represented by an enumeration set. User feedback information may be represented by a Boolean value.
Preferably, if detection is performed over several email accounts, the login logs may further include the domain name information of the email account, and the difference in domain name may be represented as the difference between integer encodings of the domain names.
By taking user feedback information into account, this embodiment obtains more accurate classification rules and hence improves the precision of alerts.
Sa3: determining the classification rule by training decision-tree rules with a machine learning algorithm, based on the user feedback information, the email account and the differences between the two login logs.
Each root-to-leaf path of the decision tree can serve as one classification rule.
In implementation, the user feedback information is used as the dependent variable, the email account and the differences between the two login logs as the independent variables, and the decision-tree rules are trained with a machine learning algorithm to obtain the classification rule.
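Steps Sa1 to Sa3 carried through end to end, as an added example that is not code from the patent: the difference features of Sa2 (UTC millisecond delta, integer IP differences, login-mode change from an enumeration) are computed for adjacent login pairs, a decision tree is induced on them with the user feedback as the dependent variable, and each root-to-leaf path is emitted as a classification rule. The greedy Gini-split learner stands in for the unspecified "machine learning algorithm"; the single-account data set, the login-mode enumeration, the feature names and the sample pairs with their feedback are all assumptions made for illustration, not real data.

```python
# Added example, not code from the patent: Sa2 difference features plus a
# minimal decision-tree induction for Sa3, with root-to-leaf paths as rules.
import ipaddress
from collections import Counter
from datetime import datetime, timezone

LOGIN_MODES = {"webmail": 0, "imap": 1, "pop3": 2}      # assumed enumeration set

def utc_ms(iso):
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp() * 1000)

def ip_int(ip):
    return int(ipaddress.ip_address(ip))

def diff_features(prev, cur):
    """Differences between two adjacent login logs, in the representation the
    description suggests (feature names are assumptions)."""
    return {
        "dt_ms": utc_ms(cur["time"]) - utc_ms(prev["time"]),
        "src_ip_diff": abs(ip_int(cur["src_ip"]) - ip_int(prev["src_ip"])),
        "dst_ip_diff": abs(ip_int(cur["dst_ip"]) - ip_int(prev["dst_ip"])),
        "mode_changed": int(LOGIN_MODES[cur["mode"]] != LOGIN_MODES[prev["mode"]]),
    }

def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def best_split(rows, labels):
    """Lowest weighted Gini impurity over all (feature, midpoint threshold) pairs."""
    best = None
    for feat in rows[0]:
        values = sorted({r[feat] for r in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [y for r, y in zip(rows, labels) if r[feat] <= thr]
            right = [y for r, y in zip(rows, labels) if r[feat] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(labels)
            if best is None or score < best[0]:
                best = (score, feat, thr)
    return best

def build_tree(rows, labels, depth=0, max_depth=3):
    majority = Counter(labels).most_common(1)[0][0]
    split = best_split(rows, labels) if len(set(labels)) > 1 and depth < max_depth else None
    if split is None or split[0] >= gini(labels):      # no impurity reduction: stop
        return {"leaf": majority}
    _, feat, thr = split
    go_left = [r[feat] <= thr for r in rows]
    side = lambda keep: ([r for r, k in zip(rows, go_left) if k == keep],
                         [y for y, k in zip(labels, go_left) if k == keep])
    return {"feature": feat, "thr": thr,
            "left": build_tree(*side(True), depth + 1, max_depth),
            "right": build_tree(*side(False), depth + 1, max_depth)}

def rules(tree, path=()):
    """Each root-to-leaf path is one classification rule: ([(feature, op, thr), ...], abnormal?)."""
    if "leaf" in tree:
        return [(list(path), tree["leaf"])]
    feat, thr = tree["feature"], tree["thr"]
    return (rules(tree["left"], path + ((feat, "<=", thr),))
            + rules(tree["right"], path + ((feat, ">", thr),)))

def classify(tree, prev, cur):
    feats, node = diff_features(prev, cur), tree
    while "leaf" not in node:
        node = node["left"] if feats[node["feature"]] <= node["thr"] else node["right"]
    return node["leaf"]

HOME, HOME2, ABROAD, MAIL = "203.0.113.10", "203.0.113.11", "198.51.100.77", "192.0.2.25"

def log(time, src_ip, mode="webmail"):
    return {"time": time, "src_ip": src_ip, "dst_ip": MAIL, "mode": mode}

# Constructed data set: (previous login, login in question, user feedback: True = reported abnormal)
SAMPLES = [
    (log("2018-12-10T08:00:00", HOME), log("2018-12-10T08:10:00", HOME), False),
    (log("2018-12-10T09:00:00", HOME), log("2018-12-10T17:00:00", HOME), False),
    (log("2018-12-11T09:00:00", HOME), log("2018-12-13T09:00:00", HOME2), False),
    (log("2018-12-13T10:00:00", HOME), log("2018-12-13T10:20:00", ABROAD, "imap"), True),
    (log("2018-12-14T10:00:00", HOME), log("2018-12-14T10:30:00", ABROAD), True),
    (log("2018-12-15T10:00:00", HOME), log("2018-12-18T10:00:00", ABROAD), False),
    (log("2018-12-19T10:00:00", HOME), log("2018-12-19T10:05:00", HOME), False),
]

def train():
    rows = [diff_features(p, c) for p, c, _ in SAMPLES]   # independent variables
    feedback = [fb for _, _, fb in SAMPLES]               # dependent variable
    tree = build_tree(rows, feedback)
    return tree, rules(tree)

if __name__ == "__main__":
    tree, learned = train()
    for conditions, abnormal in learned:
        print(" and ".join(f"{f} {op} {t:g}" for f, op, t in conditions), "->", abnormal)
```

On this data the learned tree splits first on the source-IP difference and then on the time delta, so the three rules it prints reproduce the "impossible travel" idea of Fig. 2 from feedback alone. The design point for a real deployment is the feature representation: an integer IP difference is cheap but carries no geography, so two neighbouring /24s in different countries look "near" while two addresses of one provider look "far"; a production version would substitute a geolocation-derived distance for `src_ip_diff`.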
S120: determining login behavior pattern information of the email account according to the historical login logs, the login log to be detected and its classification result.
In this step, descriptive statistics, classifiers and so on may be used to represent the determined login behavior pattern information of the email account, and the pattern information may be updated as new login logs arrive.
S130: matching the login log to be detected, its classification result and the login behavior pattern information against a predetermined alert rule.
The predetermined alert rule can be obtained by prior knowledge, statistical samples, machine learning and so on.
The alert rule may be a series of conditions, each condition being a feature of the login log content together with its classification flag.
For example, an alert rule may be "alert if the classification result of the login log is level 5", or "the source IP recorded in the login log is overseas, the classification result is level 4, and the login frequency percentage of level 4 is 0%".
To ease understanding of this step, a detailed description follows with a specific example.
Assume that the login log to be detected for the email account includes at least: account name, login time, source IP address, source IP location, destination IP address and login protocol, and that its classification result is 4. The login behavior pattern information of the email account is: level 1: 60%, level 2: 30%, level 3: 10%, level 4: 0%, level 5: 0%, where 0% denotes a login frequency percentage of 0.
Assume further that the alert rule includes at least: if the classification flag is greater than or equal to level 4 and the login frequency percentages of levels 4 and 5 in the login behavior pattern information are both 0, raise an alert.
In this embodiment, "account name, login time, source IP address, source IP location, destination IP address, login protocol, classification result 4" and "level 1: 60%, level 2: 30%, level 3: 10%, level 4: 0%, level 5: 0%" are matched against "if the classification flag is greater than or equal to level 4 and the login frequency percentages of levels 4 and 5 in the login behavior pattern information are both 0, raise an alert".
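The S114 classification with the "reasonable time" thresholds of Fig. 2, the S120 pattern information and the S130 alert rule of the example above, run together over a week of sample logins, as an added example that is not code from the patent. Level 1 is as the page states it; the order of levels 2 to 5 is an assumption, since Fig. 2 itself is not reproduced here, and the pattern is computed from the historical window before the login under detection so that the example's 60/30/10/0/0 distribution is obtained. The sample logs are constructed, not real data.

```python
# Added example, not code from the patent: rule-based classification (S114),
# login behavior pattern information (S120) and the example alert rule (S130).
from collections import Counter
from datetime import datetime

REASONABLE_HOURS = {"same_country": 2, "different_country": 6}   # from the Fig. 2 description

def hours_between(prev, cur):
    delta = datetime.fromisoformat(cur["login_time"]) - datetime.fromisoformat(prev["login_time"])
    return delta.total_seconds() / 3600

def classify_pair(prev, cur):
    """Classification result (1..5) of cur given the login log prev before it.
    1: same country, province and IP (as stated on the page)
    2: same province, different IP                      (assumed order)
    3: same country, different province, reasonable time (assumed order)
    4: different country, reasonable time                (assumed order)
    5: location changed within an unreasonable time      (assumed order)"""
    same_country = prev["country"] == cur["country"]
    same_province = same_country and prev["province"] == cur["province"]
    gap = hours_between(prev, cur)
    if same_province:
        return 1 if prev["src_ip"] == cur["src_ip"] else 2
    if same_country:
        return 3 if gap > REASONABLE_HOURS["same_country"] else 5
    return 4 if gap > REASONABLE_HOURS["different_country"] else 5

def behavior_pattern(history):
    """Login behavior pattern information: percentage of each level over the
    consecutive pairs in the historical window, e.g. {1: 60.0, 2: 30.0, ...}."""
    levels = [classify_pair(a, b) for a, b in zip(history, history[1:])]
    counts = Counter(levels)
    return {lvl: 100.0 * counts.get(lvl, 0) / len(levels) for lvl in range(1, 6)}

def alert_rule(level, pattern):
    """The example rule: classification >= 4 and the level-4 and level-5
    percentages in the pattern are both 0."""
    return level >= 4 and pattern[4] == 0 and pattern[5] == 0

def detect(history, cur):
    """Classify cur against the last historical login, build the pattern from
    the history, and return (level, pattern, unauthorized?)."""
    pattern = behavior_pattern(history)
    level = classify_pair(history[-1], cur)
    return level, pattern, alert_rule(level, pattern)

def login(time, province, src_ip, country="CN"):
    return {"account": "alice@example.com", "login_time": time, "country": country,
            "province": province, "src_ip": src_ip, "dst_ip": "192.0.2.25", "protocol": "IMAP"}

# Constructed week of history: ten consecutive pairs, six level 1, three level 2, one level 3.
HISTORY = [
    login("2018-12-10T08:00:00", "Beijing", "203.0.113.10"),
    login("2018-12-10T12:00:00", "Beijing", "203.0.113.10"),
    login("2018-12-10T18:00:00", "Beijing", "203.0.113.20"),
    login("2018-12-11T08:00:00", "Beijing", "203.0.113.20"),
    login("2018-12-11T12:00:00", "Beijing", "203.0.113.20"),
    login("2018-12-12T09:00:00", "Shanghai", "203.0.113.50"),
    login("2018-12-12T15:00:00", "Shanghai", "203.0.113.50"),
    login("2018-12-13T09:00:00", "Shanghai", "203.0.113.51"),
    login("2018-12-13T15:00:00", "Shanghai", "203.0.113.51"),
    login("2018-12-14T09:00:00", "Shanghai", "203.0.113.52"),
    login("2018-12-14T15:00:00", "Shanghai", "203.0.113.52"),
]
OVERSEAS_NEXT_DAY = login("2018-12-15T10:00:00", "California", "198.51.100.77", country="US")
OVERSEAS_ONE_HOUR = login("2018-12-14T16:00:00", "California", "198.51.100.77", country="US")
USUAL_PLACE = login("2018-12-14T18:00:00", "Shanghai", "203.0.113.52")

if __name__ == "__main__":
    for candidate in (OVERSEAS_NEXT_DAY, OVERSEAS_ONE_HOUR, USUAL_PLACE):
        level, pattern, unauthorized = detect(HISTORY, candidate)
        print(candidate["login_time"], "level", level, "alert" if unauthorized else "ok")
```

Note what the example rule does and does not catch: the overseas login 19 hours after the last one is level 4 and alerts only because this account has never had a level-4 login in the window; for an account that travels routinely the same rule stays silent, which is the intended effect of matching against the account's own pattern rather than a global threshold.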
S140: if they match, determining the login behavior under detection to be the login behavior of an unauthorized user.
In this step, if the matching result indicates that the login log to be detected, its classification result and the login behavior pattern information of the email account match the predetermined alert rule, the user login behavior under detection is determined to be unauthorized user login behavior.
If there is no match, the user login behavior under detection is not determined to be unauthorized user login behavior.
In a preferred embodiment, after step S140, the method for detecting unauthorized login of an email account may further comprise:
S150: generating alert information and presenting it to the user in the form of a pop-up box or a floating page.
In this embodiment, the pop-up box or floating page may present text, video and/or animation.
With this embodiment, an unauthorized user's login to the email account can be alerted at the login stage, achieving early warning of unauthorized email logins.
In summary, the embodiment of the invention collects login logs, classifies them, determines login behavior pattern information, matches the login logs against the predetermined rule, and judges from the matching result whether an unauthorized user has logged in to the email account. The technical solution does not inspect the content of the email but only the login logs, so an unauthorized user's login to the email account can be identified at the login stage; it does not depend on analysis of email content, which protects the user's private information in that content, and it does not depend on the network topology, so it is widely applicable and suits various mail access scenarios (clients, browsers, applications and so on).
In the foregoing, although the steps of the method embodiment for detecting unauthorized login of an email account are described in the above order, it should be clear to those skilled in the art that the steps in the embodiment of the present invention are not necessarily performed in the above order, but may be performed in reverse order, parallel, cross, etc., and other steps may be added to those skilled in the art on the basis of the above steps, and these obvious modifications or equivalent alternatives are also included in the protection scope of the present invention and are not repeated herein.
The following is an embodiment of the apparatus, which is used to execute steps implemented by the embodiment of the method, for convenience of explanation, only the relevant parts of the embodiment of the invention are shown, and specific technical details are not disclosed, and please refer to the embodiment of the method. The functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The embodiment of the invention provides a device for detecting unauthorized login of an email account. The device mainly comprises: an acquisition module 41, a classification module 42, a first determination module 43, a matching module 44 and a second determination module 45. The acquisition module 41 is configured to collect the login log to be detected and the login log immediately preceding it, i.e. two consecutive logins to the email account, together with the historical login logs of the email account over a predetermined period of time; the log to be detected identifies the user login behavior to be detected. The classification module 42 is configured to classify the log to be detected according to a predetermined classification rule, based on the log to be detected and the log preceding it. The first determination module 43 is configured to determine login behavior pattern information of the email account from the historical login logs, the log to be detected and its classification result. The matching module 44 is configured to match the log to be detected, its classification result and the login behavior pattern information against a predetermined alarm rule. The second determination module 45 is configured to determine, in case of a match, the user login behavior to be detected as an unauthorized user login behavior.
These log entries include, but are not limited to: account name, account domain name, login time, source IP address, destination IP address, login protocol and/or login mode. The log to be detected may be a current log, a historical log, etc.
The acquisition module 41 may collect logs in a pull mode, a subscription mode, or the like. The pull mode suits a small mail server without an independent log system: new logs are pulled back to the local server by continually scanning the log database or log file of the small mail server. The subscription mode suits a large mail server cluster with an independent log system: the cluster maintains an independent log system that aggregates the logs of multiple servers, and that log system publishes the login logs.
The predetermined period of time may be measured in units of weeks, months, etc., and may be, for example, one week or one month. For example, if the unit is a week, the log entries from December 10, 2018 to December 16, 2018 may be used as the historical log entries for the predetermined period of time.
In a preferred embodiment, the email account is hosted on a server, and the server comprises a cache;
the classification module 42 is specifically configured to: obtain the two consecutively logged-in login logs held in the cache; compare the differences between the log to be detected, the log preceding it and the two logs in the cache; according to the comparison result, take the login log with the latest login time as the log to be detected; and classify the log to be detected according to the predetermined classification rule.
The classification rules can be obtained according to a priori rule method, a method for training decision tree rules by a machine learning algorithm, and the like. The predetermined classification rule may be a predetermined set of classification rules, etc.
The classification result may be expressed by an integer of 1 to 5, for example. Here, the integers 1 to 5 represent a classification. Of course, boolean data, probability values, category variables, etc. may also be employed to represent classification results.
In a preferred embodiment, the classification module 42 is further configured to: acquire two historical login logs adjacent in time, together with user feedback information; compare the difference between the two logs; and, based on the user feedback information, the email account and the difference between the two login logs, determine the classification rule by training decision tree rules with a machine learning algorithm.
Wherein each path from root to leaf on the decision tree can be used as a classification rule.
In a preferred embodiment, the device for detecting unauthorized login of an email account further comprises an alarm module. The alarm module is used to generate alarm information and present it to the user in the form of a popup box or a floating page.
The predetermined alarm rule can be obtained through methods such as prior knowledge, statistical samples or machine learning.
The alarm rule may be a series of conditions; each condition may be a log content feature combined with a classification flag.
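The pipeline that modules 41 to 45 describe (collect two consecutive logins plus a history window, classify the difference, derive the behavior pattern, match alarm conditions, decide), as an added Python example that is not part of the patent. The classification table, the alarm conditions, the account name, addresses and the one-week history are all constructed assumptions; the patent specifies none of them.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Set, Tuple

# Fields the patent lists for a login log entry.
@dataclass(frozen=True)
class LoginLog:
    account: str
    domain: str
    login_time: datetime
    src_ip: str
    dst_ip: str
    protocol: str   # e.g. "IMAP", "POP3", "WEB"
    mode: str       # e.g. "password", "app_token"

COMPARED_FIELDS = ("src_ip", "dst_ip", "protocol", "mode")

def select_consecutive_pair(candidate: LoginLog, previous: LoginLog,
                            cached_pair: Tuple[LoginLog, LoginLog]) -> Tuple[LoginLog, LoginLog]:
    """Merge the collected log, its predecessor and the two cached consecutive logins,
    drop duplicates, and keep the two most recent: the newest is the log to be
    detected, the next one is its predecessor."""
    merged = sorted({candidate, previous, *cached_pair}, key=lambda l: l.login_time, reverse=True)
    if len(merged) < 2:
        raise ValueError("need at least two distinct login logs")
    return merged[0], merged[1]

def changed_fields(log: LoginLog, prev: LoginLog) -> Set[str]:
    return {f for f in COMPARED_FIELDS if getattr(log, f) != getattr(prev, f)}

def classify(log: LoginLog, prev: LoginLog) -> int:
    """Constructed stand-in for the predetermined classification rule: maps the
    difference between two consecutive logins to an integer class 1..5."""
    changed = changed_fields(log, prev)
    gap = log.login_time - prev.login_time
    if not changed:
        return 1
    if len(changed) == 1:
        # one field changed; a change within an hour of the previous login is rated higher
        return 2 if gap >= timedelta(hours=1) else 3
    return 4 if len(changed) == 2 else 5

@dataclass
class BehaviorPattern:
    known_src_ips: Set[str]
    known_protocols: Set[str]
    active_hours: Set[int]
    usual_class: int   # most common class over the history window

def behavior_pattern(history: List[LoginLog], log_class: int) -> BehaviorPattern:
    """Login behavior pattern information from the historical logs of the
    predetermined period plus the classification of the log to be detected."""
    ordered = sorted(history, key=lambda l: l.login_time)
    classes = [classify(b, a) for a, b in zip(ordered, ordered[1:])] + [log_class]
    return BehaviorPattern(
        known_src_ips={l.src_ip for l in ordered},
        known_protocols={l.protocol for l in ordered},
        active_hours={l.login_time.hour for l in ordered},
        usual_class=Counter(classes).most_common(1)[0][0])

Condition = Callable[[LoginLog, int, BehaviorPattern], bool]
# Alarm rule as a series of conditions: a log content feature plus a class flag (constructed).
ALARM_RULES: List[Tuple[str, Condition]] = [
    ("unknown_ip_with_context_change", lambda l, c, p: c >= 3 and l.src_ip not in p.known_src_ips),
    ("new_protocol_off_hours", lambda l, c, p: c >= 2 and l.protocol not in p.known_protocols
                                               and l.login_time.hour not in p.active_hours),
    ("class_far_above_usual", lambda l, c, p: c - p.usual_class >= 3),
]

def match_alarm_rules(log: LoginLog, log_class: int, pattern: BehaviorPattern) -> List[str]:
    return [name for name, cond in ALARM_RULES if cond(log, log_class, pattern)]

def detect(candidate, previous, cached_pair, history) -> Tuple[bool, List[str], int]:
    """Steps S110-S140 end to end; returns (is_unauthorized, matched rule names, class)."""
    log, prev = select_consecutive_pair(candidate, previous, cached_pair)
    log_class = classify(log, prev)
    matched = match_alarm_rules(log, log_class, behavior_pattern(history, log_class))
    return bool(matched), matched, log_class

def alarm_text(log: LoginLog, matched: List[str]) -> str:
    """Alarm information for the popup box or floating page (step S150)."""
    return (f"Possible unauthorized login to {log.account}@{log.domain} at "
            f"{log.login_time:%Y-%m-%d %H:%M} from {log.src_ip} via {log.protocol}: " + ", ".join(matched))

# Constructed sample data: the patent's example week (2018-12-10 to 2018-12-16) of
# office-hours IMAP logins from one documentation-range address.
def _log(day, hour, src="203.0.113.10", proto="IMAP", mode="password"):
    return LoginLog("alice", "example.com", datetime(2018, 12, day, hour, 0), src, "192.0.2.25", proto, mode)

HISTORY = [_log(d, h) for d in range(10, 17) for h in (8, 13, 17)]
PREVIOUS = _log(16, 17)                     # last login of the week
CACHED_PAIR = (_log(16, 13), _log(16, 17))  # two consecutive logins still in the server cache
SUSPECT = _log(17, 3, src="198.51.100.77", proto="WEB", mode="app_token")  # 03:00 webmail from a new address
NORMAL = _log(17, 9)                        # next morning, same address and protocol

if __name__ == "__main__":
    flagged, rules, cls = detect(SUSPECT, PREVIOUS, CACHED_PAIR, HISTORY)
    print(cls, rules, alarm_text(SUSPECT, rules) if flagged else "no alarm")
```

A real deployment would replace the constructed `classify` table with the patent's prior rule or trained decision tree and tune the conditions per account population.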
In summary, the embodiment of the present invention uses the acquisition module 41, the classification module 42, the first determination module 43, the matching module 44 and the second determination module 45 to collect the login logs, classify the log to be detected and determine the login behavior pattern information, then match them against the predetermined rule, and finally judge from the matching result whether the email account has an unauthorized user login. The technical scheme provided by the embodiment of the invention does not inspect the content of the email but analyzes the login logs, so an unauthorized user's login to the email account can be identified at the user login stage. Because it does not depend on analysis of email content, it protects the user's private information in that content; because it does not depend on a network topology structure, it has wide applicability and suits various mail access scenarios (such as clients, browsers, applications and the like).
For details of the device for detecting unauthorized login of an email account, reference may be made to the description related to the foregoing embodiment of the method for detecting unauthorized login of an email account, which is not repeated herein.
In addition, the embodiment of the invention also provides electronic equipment which comprises a processor and a memory. Wherein the memory is used for storing a computer program. The processor is configured to implement method steps for detecting unauthorized entry of an email account when executing a program stored on the memory.
The electronic device may be, for example, a computer, a smart phone, a tablet computer, etc.
When the processor executes the program stored in the memory, the electronic device can identify unauthorized login behavior on the email account without relying on analysis of email content, which protects the user's private information in that content; the method is independent of network topology, has wide applicability, and may be applied to a variety of mail access scenarios (e.g., clients, browsers, applications, etc.).
For detailed descriptions of the technical problems to be solved by the electronic device, the obtained technical effects and the like can refer to the related descriptions in the foregoing method embodiment for detecting unauthorized login of an email account, and are not repeated herein.
The processor may include one or more processing cores, such as a 4-core processor, an 8-core processor, or the like. The processor may be implemented in at least one hardware form of DSP (Digital Signal Processor), FPGA (Field Programmable Gate Array) or PLA (Programmable Logic Array). The processor may also include a main processor, which processes data in the awake state and is also called a CPU (Central Processing Unit), and a coprocessor, a low-power processor that processes data in the standby state. In some embodiments, the processor may incorporate a GPU (Graphics Processing Unit) responsible for rendering the content to be shown on the display screen. In some embodiments, the processor may also include an AI (Artificial Intelligence) processor for computing operations related to machine learning.
The memory may include one or more computer-readable storage media, which may be non-transitory. The memory may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory is used to store at least one instruction for execution by a processor.
In some embodiments, the electronic device further optionally includes: a peripheral interface and at least one peripheral. The processor, memory, and peripheral interfaces may be connected by buses or signal lines. The individual peripheral devices may be connected to the peripheral device interface via buses, signal lines or circuit boards.
Furthermore, the embodiment of the invention also provides a computer readable storage medium. The computer readable storage medium has stored therein a computer program which, when executed by a processor, performs method steps for detecting unauthorized entry of an email account.
The above-described computer-readable storage medium may be applied to a terminal, and stores at least one instruction, at least one program, a code set, or an instruction set, which is loaded and executed by a processor to implement the method described above.
The computer-readable storage medium described above may include, but is not limited to, Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Erasable Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory (e.g., NOR-type or NAND-type flash memory), Content Addressable Memory (CAM), polymer memory (e.g., ferroelectric polymer memory), phase change memory, bidirectional switching semiconductor memory, Silicon-Oxide-Nitride-Oxide-Silicon (SONOS) memory, magnetic or optical cards, or any other suitable type of computer-readable storage medium.
When the computer program is executed by the processor, the computer-readable storage medium can identify unauthorized login behavior on the email account without relying on analysis of email content, which protects the user's private information in that content; the method is independent of network topology, has wide applicability, and may be applied to a variety of mail access scenarios (e.g., clients, browsers, applications, etc.).
For details on the computer-readable storage medium, reference may be made to the description related to the foregoing embodiment of the method for detecting unauthorized login of an email account, which is not repeated herein.
The basic principles of the present disclosure have been described above in connection with specific embodiments, however, it should be noted that the advantages, benefits, effects, etc. mentioned in the present disclosure are merely examples and not limiting, and these advantages, benefits, effects, etc. are not to be considered as necessarily possessed by the various embodiments of the present disclosure. Furthermore, the specific details disclosed herein are for purposes of illustration and understanding only, and are not intended to be limiting, since the disclosure is not necessarily limited to practice with the specific details described.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
It is also noted that in the systems and methods of the present disclosure, components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered equivalent to the present disclosure.
In this specification, each embodiment is described in a related manner, and each embodiment is mainly described in a different manner from other embodiments, so that identical and similar parts between the embodiments are referred to each other. Various changes, substitutions, and alterations are possible to the techniques described herein without departing from the teachings of the techniques defined by the appended claims. Furthermore, the scope of the claims of the present disclosure is not limited to the particular aspects of the process, machine, manufacture, composition of matter, means, methods and acts described above. The processes, machines, manufacture, compositions of matter, means, methods, or acts, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein may be utilized. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or acts.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (8)

1. A method for detecting unauthorized entry of an electronic mailbox account, comprising:
collecting a log to be detected and a log before the log which are continuously logged in the email account and a historical log of the email account in a preset time period; the log to be detected is used for identifying the log-in behavior of the user to be detected;
classifying the log to be detected according to a preset classification rule based on the log to be detected and the log before the log to be detected;
comprising the following steps: the email account is hosted on a server; the server comprises a cache;
obtaining the two consecutively logged-in login logs in the cache;
comparing the differences between the log to be detected, the log before the log to be detected and the two logs in the cache;
determining the login log with the latest login time as the log to be detected according to the comparison result;
classifying the log to be detected according to the preset classification rule;
the preset classification rule comprises a predetermined classification rule, a predetermined classification rule set, and classification rules obtained by a prior rule method and by a method of training decision tree rules with a machine learning algorithm;
Determining login behavior mode information of the email account according to the historical login log, the log to be detected and the classification result thereof;
matching the log to be detected, the classification result and the log behavior mode information with a preset alarm rule;
and if matched, determining the user login behavior to be detected as an unauthorized user login behavior.
2. The method of claim 1, wherein the predetermined classification rule is further constructed by:
acquiring two historical login logs adjacent in time and user feedback information;
comparing the difference between the two log entries;
based on the user feedback information, the email account and the difference between the two log-in logs, determining the classification rule by a method of training a decision tree rule by a machine learning algorithm.
3. The method according to claim 1, wherein after the step of determining the user login behavior to be detected as an unauthorized user login behavior if there is a match, the method further comprises:
and generating alarm information and prompting the alarm information to a user in the form of a popup frame or a floating page.
4. An apparatus for detecting unauthorized entry of an electronic mailbox account, comprising:
the acquisition module is used for acquiring a log to be detected and a log before the log which are continuously logged in the email account and a historical log of the email account in a preset time period; the log to be detected is used for identifying the log-in behavior of the user to be detected;
the classification module is used for classifying the log to be detected according to a preset classification rule based on the log to be detected and the log before the log to be detected;
comprising the following steps: the email account is hosted on a server; the server comprises a cache;
the classification module is specifically configured to:
obtain the two consecutively logged-in login logs in the cache; wherein the two consecutively logged-in login logs refer to two login logs adjacent in time;
compare the differences between the log to be detected, the log before the log to be detected and the two logs in the cache;
determine the login log with the latest login time as the log to be detected according to the comparison result;
classify the log to be detected according to the preset classification rule;
the preset classification rule comprises a predetermined classification rule, a predetermined classification rule set, and classification rules obtained by a prior rule method and by a method of training decision tree rules with a machine learning algorithm;
the first determining module is used for determining login behavior mode information of the email account according to the historical login log, the log to be detected and the classification result thereof;
the matching module is used for matching the log to be detected, the classification result thereof and the login behavior mode information with a preset alarm rule;
and the second determining module is used for determining the login behavior of the user to be detected as the login behavior of the unauthorized user under the condition of matching.
5. The apparatus of claim 4, wherein the classification module is further to:
acquiring two historical login logs adjacent in time and user feedback information;
comparing the difference between the two log entries;
based on the user feedback information, the email account and the difference between the two log-in logs, determining the classification rule in a mode of training a decision tree rule by a machine learning algorithm.
6. The apparatus of claim 4, wherein the apparatus further comprises:
and the alarm module is used for generating alarm information and prompting the alarm information to a user in a form of a popup frame or a suspension page.
7. An electronic device comprising a processor and a memory; wherein:
the memory is used for storing a computer program;
the processor is configured to implement the method steps of any one of claims 1-3 when executing a program stored on the memory.
8. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored therein a computer program which, when executed by a processor, implements the method steps of any of claims 1-3.
CN201910105743.8A 2019-02-01 2019-02-01 Method, device, equipment and medium for detecting unauthorized login of email account Active CN111526110B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910105743.8A CN111526110B (en) 2019-02-01 2019-02-01 Method, device, equipment and medium for detecting unauthorized login of email account

Publications (2)

Publication Number Publication Date
CN111526110A CN111526110A (en) 2020-08-11
CN111526110B true CN111526110B (en) 2024-02-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant