CN112073258A - Method for identifying user, electronic equipment and storage medium - Google Patents

Method for identifying user, electronic equipment and storage medium Download PDF

Info

Publication number
CN112073258A
CN112073258A CN202010784920.2A CN202010784920A CN112073258A CN 112073258 A CN112073258 A CN 112073258A CN 202010784920 A CN202010784920 A CN 202010784920A CN 112073258 A CN112073258 A CN 112073258A
Authority
CN
China
Prior art keywords
login
information data
data group
log
login information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010784920.2A
Other languages
Chinese (zh)
Other versions
CN112073258B (en
Inventor
李运凯
蔡家坡
柏志云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN202010784920.2A priority Critical patent/CN112073258B/en
Publication of CN112073258A publication Critical patent/CN112073258A/en
Application granted granted Critical
Publication of CN112073258B publication Critical patent/CN112073258B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application discloses a method for identifying a user, electronic equipment and a storage medium. The method for identifying the user applied to the first electronic equipment comprises the following steps: under the condition that the network access data is monitored to contain a login page of an application program of a set type, determining a corresponding first login information data group based on the login page, and writing the first login information data group into a first log in a set format; wherein, at least one first login information data group is written in the first log; the first log is used for the second electronic equipment to store or display the corresponding relation between each second login information data group and the user Internet Protocol (IP) address in at least one second login information data group; the at least one second login information data group corresponds to the at least one first login information data group one by one; the second login information data group comprises the corresponding first login information data group.

Description

Method for identifying user, electronic equipment and storage medium
Technical Field
The present application relates to the field of network technologies, and in particular, to a method for identifying a user, an electronic device, and a storage medium.
Background
When a user enters a network without real-name authentication, if some network security events occur, such as account sharing leakage is detected, related users need to be checked out.
Currently, users are typically located using an IP address that identifies the relevant client. With the introduction of dynamic IP addresses and Virtual Private Networks (VPN), this approach has no longer been effective.
Disclosure of Invention
The embodiment of the invention provides a method for identifying a user, electronic equipment and a storage medium, which are used for at least solving the problem of determining the identity of a user using an IP address in the related art.
The technical scheme of the embodiment of the application is realized as follows:
in a first aspect, an embodiment of the present application provides a method for identifying a user, where the method is applied to a first electronic device, and the method includes:
under the condition that the network access data is monitored to contain a login page of an application program of a set type, determining a corresponding first login information data group based on the login page, and writing the first login information data group into a first log in a set format;
wherein, at least one first login information data group is written in the first log; the first log is used for the second electronic equipment to store or display the corresponding relation between each second login information data group and the user Internet Protocol (IP) address in at least one second login information data group; the at least one second login information data group corresponds to the at least one first login information data group one by one; the second login information data group comprises the corresponding first login information data group.
In a second aspect, an embodiment of the present application provides a method for identifying a user, which is applied to a second electronic device, and the method includes:
monitoring a sending port of first electronic equipment to obtain all or part of a first log; at least one first login information data group is written in all or part of the first log; each first login information data group in the at least one first login information data group is determined by the first electronic device based on a login page of an application program of a set category and is written into the first log in a set format under the condition that the login page is monitored to contain the application program of the set category in network access data;
extracting the at least one first log information data set based on all or part of the first log;
determining at least one second login information data group corresponding to the at least one first login information data group one to one, and storing or displaying the corresponding relation between each second login information data group in the at least one second login information data group and the user IP address; and the second login information data group comprises the corresponding first login information data group.
In a third aspect, an embodiment of the present application provides an electronic device, including:
the determining unit is used for determining a corresponding first login information data group based on a login page when the login page of the application program of a set type is contained in the network access data under monitoring, and writing the first login information data group into a first log in a set format;
wherein, at least one first login information data group is written in the first log; the first log is used for the second electronic equipment to store or display the corresponding relation between each second login information data group and the user IP address in at least one second login information data group; the at least one second login information data group corresponds to the at least one first login information data group one by one; the second login information data group comprises the corresponding first login information data group.
In a fourth aspect, an embodiment of the present application provides an electronic device, including:
the monitoring unit is used for monitoring a sending port of the first electronic equipment to obtain all or part of the first log; at least one first login information data group is written in all or part of the first log; each first login information data group in the at least one first login information data group is determined by the first electronic device based on a login page of an application program of a set category and is written into the first log in a set format under the condition that the login page is monitored to contain the application program of the set category in network access data;
an extracting unit configured to extract the at least one first login information data group based on all or part of the first log;
the determining unit is used for determining at least one second login information data group corresponding to the at least one first login information data group one by one, and storing or displaying the corresponding relation between each second login information data group in the at least one second login information data group and the IP address of the user; and the second login information data group comprises the corresponding first login information data group.
In a fifth aspect, an embodiment of the present application provides an electronic device, including: a processor and a memory for storing a computer program operable on the processor, wherein the processor is configured to perform the above-described respective user identifying methods when executing the computer program.
In a sixth aspect, the present application provides a storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the above-mentioned methods for identifying a user.
In the embodiment of the application, because the first electronic device determines the corresponding first login information data group based on the set application program login page, and writes the first login information data group into the first log in the set format, the first log can be used for the second electronic device to determine the second login information data group related to the first login information data group, the first login information data group and the second login information data group can provide the virtual account number of the user to assist in identifying the user, and the second electronic device stores or displays the corresponding relationship between each second login information data group in at least one second login information data group and the user IP address, the problem of error identification of the user due to the fact that no other auxiliary identification information exists when the same IP address under dynamic IP is allocated to different users can be avoided. Therefore, the identity of the user using the IP address can be determined in network environments such as dynamic IP addresses and VPNs, the quick identification effect of the user using the IP address is achieved in response to handling situations such as intranet risks, and the accuracy of user identification is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a flowchart illustrating a method for identifying a user applied to a first electronic device according to an embodiment of the present application;
FIG. 2 is a schematic view of an audit cycle applied to a first electronic device according to an embodiment of the present disclosure;
fig. 3 is a flowchart illustrating a method for identifying a user applied to a second electronic device according to an embodiment of the present application;
fig. 4 is a schematic view of a listening process based on a selection function according to an embodiment of the present application;
fig. 5 is a schematic flowchart of acquiring all or part of a first log according to an embodiment of the present disclosure;
fig. 6 is a schematic flowchart of determining a second login information data set according to an embodiment of the present application;
fig. 7 is a schematic flowchart of a process of storing or displaying a corresponding relationship between a second login information data set and an IP address according to an embodiment of the present application;
fig. 8 is a schematic structural component diagram of an electronic device according to an embodiment of the present disclosure;
fig. 9 is a schematic structural component diagram of another electronic device provided in the embodiment of the present application;
fig. 10 is a schematic diagram of a hardware component structure of an electronic device according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
In order to facilitate understanding of the technical solutions of the embodiments of the present application, the following description will be made of related technologies related to the embodiments of the present application.
Dynamic Host Configuration Protocol (DHCP), which is a network Protocol for a local area network. The method is characterized in that a server controls a range of IP addresses, and a client can automatically obtain the IP address and the subnet mask allocated by the server when logging in the server.
Virtual Private Network (VPN): the method is used for representing that a private network is established on a public network to carry out encrypted communication. VPN is widely used in enterprise networks, and VPN gateways implement remote access by encrypting data packets and converting destination addresses of the data packets.
In the related art, in a scenario of a network security event, a specific user related to the network security event is mostly located by using an IP address location method, but in a DHCP or VPN environment, even if the IP address of the user is finally located, the specific user related to the network security event may not be determined or erroneous judgment may be caused due to the fact that the IP address is reallocated, so that accuracy of identifying the user is affected.
Based on this, the following technical solution of the embodiment of the present application is provided, where a first electronic device determines a corresponding first login information data set based on a set application login page, and writes the first login information data set into a first log in a set format, where the first log may be used by a second electronic device to determine a second login information data set related to the first login information data set, the first and second login information data sets may provide a virtual account number of a user to assist in identifying the user, and the second electronic device stores or displays a corresponding relationship between each second login information data set in at least one second login information data set and an IP address of the user, so as to avoid a problem of erroneous identification of the user due to the absence of other auxiliary identification information when the same IP address under a dynamic IP is allocated to different users. Therefore, the identity of the user using the IP address can be determined in network environments such as dynamic IP addresses and VPNs, the quick identification effect of the user using the IP address is achieved in response to handling situations such as intranet risks, and the accuracy of user identification is improved.
Describing the execution steps of the method for identifying a user, fig. 1 is a schematic flowchart of a method for identifying a user applied to a first electronic device according to an embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps:
step 101: under the condition that the network access data is monitored to contain a login page of an application program of a set type, determining a corresponding first login information data group based on the login page, and writing the first login information data group into a first log in a set format;
wherein, at least one first login information data group is written in the first log; the first log is used for the second electronic equipment to store or display the corresponding relation between each second login information data group and the user Internet Protocol (IP) address in at least one second login information data group; the at least one second login information data group corresponds to the at least one first login information data group one by one; the second login information data group comprises the corresponding first login information data group.
Here, the main body of execution of step 101 is the first electronic device, and the first electronic device may be implemented in various forms, for example, the first electronic device may be a gateway device or a terminal.
In step 101, when monitoring that the network access data includes a login page of an application program of a set type, the first electronic device identifies a corresponding first login information data set at least including login account information from the login page based on the monitored login page, and writes the first login information data set into a first log in a set format. Here, the first login information data group may include login account information, and may further include other auxiliary information such as a name of a logged-in application.
In practical applications, the first log may refer to a gateway log stored by the first electronic device. It should be understood that when the second electronic device acquires the first log by listening or the like, the virtual identity of the user of the IP address corresponding to the first login information group may be determined based on the first login information group in the first log. Here, the virtual identity refers to data that can be used to assist in determining the identity of another person, such as a virtual account number.
In some possible embodiments, before the monitoring the login page of the application program with the set category included in the network access data, the method for identifying the user further includes the following steps:
and for the login pages of the application programs with set categories, storing a first field which represents login account information in each login page into a first configuration file.
It should be noted that, as to how to determine the first field in the above steps, one possible implementation is to analyze a Uniform Resource Locator (URL) of a login page of a set category of applications, for example, in some browsers, by clicking the function key F12, a development and debugging tool of the browser may be accessed, and in the development and debugging tool of the browser, it may be specifically determined which field in the login page URL is the first field for characterizing the login account information of the user.
It should be understood that in other possible embodiments, the first configuration file is already pre-stored on the first electronic device.
In practical applications, the determining the corresponding first login information data set based on the login page in step 101 may include the following steps:
and determining corresponding login account information based on the login page and the first configuration file.
It is easy to understand that, in the case where the login page URL and the first configuration file have been acquired, the first electronic device may extract login account information corresponding to a first field for the login page URL stored in the first configuration file.
Before monitoring that the network access data contains the login page of the application program of the set category, the method for identifying the user according to the embodiment of the application may further include the following steps:
registering a corresponding callback function for a login page of an application program of a set type; the callback function is to:
and determining corresponding login account information based on the login page and the first configuration file, and writing the login account information into the first log in a set format.
It should be noted that the login account information belongs to the first login information data group. Here, in some embodiments, the following process in step 101 may be specifically executed by registering a callback function in an audit module of the first electronic device: and determining a corresponding first login information data group based on the login page, and writing the first login information data group into a first log in a set format.
How the first electronic device performs step 101 is further illustrated in conjunction with fig. 2. Fig. 2 is a schematic view of an audit cycle applied to a first electronic device according to an embodiment of the present application. As shown in fig. 2, when the first electronic device includes an audit function, the first electronic device may sequentially or simultaneously perform flows 1, 2, and 3, specifically, flow 1 includes the following steps:
for the login page of the application program with the set type, a callback function is registered.
And calling a callback function under the condition that the corresponding login page is audited.
And capturing login account information by using a callback function, and writing the login account information into a first log in a set format.
In the flow 2, the first log is stored in the hard disk at regular time.
And the flow 3 is to send the first log stored in the hard disk to other gateway devices or log analysis devices at regular time.
It should be understood that the first electronic device should complete the write operation of the corresponding first login information data group in the first log for all the set login pages included in the first log before the first log is transmitted to the other devices.
With respect to step 101, in some possible embodiments, the writing the first login information data group into the first log in a set format may include:
writing login account information into the first log by using a first identifier;
and writing the name of the login application program into the first log by using a second identifier.
In other possible embodiments, the writing the first log information data group into the first log in the set format may include:
and writing the login account information into the first log by using a first identifier.
In practical application, the login account information is written in the first log with the first identifier, and the login account information may be marked with the following characters: account, i.e. in the first log, writes a specific login account character in a new line headed by the account character. The second identifier may be the following character tag: app name. It will be appreciated that the use of the identification will facilitate the extraction of the relevant first login information data set by the subsequent second electronic device.
The following describes the steps performed by the method for identifying a user applied to a second electronic device, and as shown in fig. 3, the flow includes the following steps:
step 301: monitoring a sending port of first electronic equipment to obtain all or part of a first log; at least one first login information data group is written in all or part of the first log; and each first login information data group in the at least one first login information data group is determined by the first electronic equipment based on the login page and written into the first log in a set format under the condition that the login page of the application program of a set category is contained in the network access data.
Step 302: extracting the at least one first login information data set based on all or part of the first log.
Step 303: determining at least one second login information data group corresponding to the at least one first login information data group one to one, and storing or displaying the corresponding relation between each second login information data group in the at least one second login information data group and the user IP address; and the second login information data group comprises the corresponding first login information data group.
It should be noted that, for the steps 301-303, the execution main body is the second electronic device. In practical applications, the second electronic device may be integrated with the first electronic device as a same device. The second electronic device may also be a device that exists independently of the first electronic device, in which case it will be appreciated that the first log of the first electronic device may not be transmitted to the second electronic device, e.g. the first electronic device transmits the first log to another gateway device. Here, the second electronic device is an electronic device that listens to the transmission port of the first electronic device.
In step 301, the second electronic device monitors the transmitting port of the first electronic device, and obtains all or part of the first log according to the set monitoring configuration. Here, the first log is gateway log data transmitted from the first electronic device to a device such as another gateway. All or part of the first log is written with at least one first log information data group.
It should be noted that, in some possible embodiments, the second electronic device needs to initialize the listening module first. It is easy to understand that, in order to obtain as many first logs as possible by listening, the second electronic device may set the portal responsible for listening to a promiscuous mode to grab all the first logs sent by the first electronic device to other devices.
In step 301, in some possible embodiments, the monitoring a transmission port of the first electronic device to obtain all or part of the first log includes the following steps:
at least one socket handle is created.
A selection function is used to listen for changes to the at least one socket handle.
Under the condition that the return value of the selection function is larger than zero, grabbing all or part of the corresponding first logs; and the return value of the selection function represents the number of socket handles which are ready for data transmission in the at least one socket handle.
Here, a possible implementation manner of the foregoing listening step is further described with reference to fig. 4, and fig. 4 is a schematic view of a listening process based on a selection function according to an embodiment of the present application. As shown in fig. 4, in the case where the second electronic device has created at least one socket handle, the second electronic device monitors for a change in the socket. In some possible embodiments, the second electronic device listens for changes to the at least one socket handle using a select function. If the return value of the select function is-1, it indicates that the snoop flow has an error, in which case the snoop flow should be exited and the error is handled first. In particular, it may be provided that the second electronic device automatically terminates the listening process. If the return value of the select function is 0, it indicates that the second electronic device has not listened to the data that can be transmitted. And if the return value of the select function is more than zero, the return value of the select function represents the number of handles ready for transmission. In this case 1, the second electronic device will read the first log through the first electronic device transmission port.
The following further describes a process of acquiring the first log by the second electronic device with reference to fig. 5, and fig. 5 is a schematic view of a process of acquiring all or part of the first log according to an embodiment of the present application. As shown in fig. 5, the process of fetching the first log includes the following steps:
and setting the internet access of the second electronic equipment to be in a promiscuous mode, and starting to capture all or part of the first logs sent to other equipment by the first electronic equipment.
If the return value of the select function is larger than zero, representing that the second electronic equipment catches the corresponding log data, otherwise, continuing to monitor the sending port of the first electronic equipment.
And performing preliminary filtering on the captured log data according to set filtering conditions. And if the captured log data does not meet the requirements, continuing monitoring the sending port of the first electronic equipment. Here, the filtering condition may be to determine whether a port, a protocol, a log type, and the like of the captured log data meet a set requirement. For example, it may be configured to discard both the non-login log and the non-chat log, and only the login log and the chat log are sent to the subsequent analysis module through socket communication to perform the analysis process.
In some possible embodiments, the extracting the at least one first login information data set based on all or part of the first log in step 302 includes the following steps:
filtering all or part of the first logs according to set filtering conditions to obtain second logs;
and extracting all first login information data groups contained in the second log.
Here, the extracting all the first login information data groups included in the second log may be specifically implemented in the following manner:
extracting all login account information contained in the second log based on the first identification; wherein the first identification is written to the first log by the first electronic device.
It should be noted that the first identifier may be a specific character identifier or a specific logic identifier.
In a possible embodiment, the first login information data set includes login account information, the second login information data set includes the login account information and a login application name, and the determining 303 at least one second login information data set corresponding to the at least one first login information data set in a one-to-one manner may include:
determining a login page of an application program corresponding to each login account information in all login account information based on all the extracted login account information;
and determining the name of the login application program corresponding to each login account information in all login account information based on the login page of the application program corresponding to each login account information in all login account information.
Here, it should be understood that, in the case where only the login account information is included in the first log, the second electronic device may reversely deduce the login application name corresponding to the login account information through the login page corresponding to the login account information. Because in the login page of an application, a character with a set length is usually used to characterize the name of the application. The operation can be specifically completed according to a preset configuration file.
It should be noted that, in step 303, the second login information data set may include information such as login account information, a login application name, a login time period, and the number of login times within a set time. In practical application, some keyword reviews may be set according to the network security requirements of the application scenario, and the second login information data set includes the usage records of the keywords related to the login account.
The following describes a process of determining the second login information data set by way of example with reference to fig. 6. Fig. 6 is a schematic flowchart of determining a second login information data set according to an embodiment of the present application. As shown in fig. 6, the process includes the following steps:
a connection is established with a Remote Dictionary service (Remote Dictionary Server) Server.
Establishing a thread loop: and performing further filtering on the received log data subjected to the preliminary filtering, for example, determining that the format of the log data meets the set requirement, and obtaining a second log. And if the log data is not received or does not meet the set filtering requirement, continuing the circulation.
And when the second login information data group contains more login information data than the corresponding first login information data group, further determining the second login information data group and the user IP address corresponding to the second login information data group based on the second log. And storing the second login information data group and the corresponding IP address into a Redis database.
Here, the IP address and the second login information data set may be stored in the Redis database in the form of a key-value pair using the IP address as a key. In some other embodiments, the database may be in other forms as well.
It is easy to understand that the corresponding relation between the IP address in the database and the second login information data set can assist in judging the identity of the IP address user. The method is favorable for improving the accuracy of user identity judgment.
A possible implementation of storing or displaying the corresponding relationship between each second login information data set and the user IP address in the at least one second login information data set in step 303 is further described below with reference to fig. 7. Fig. 7 is a schematic flowchart of a process for storing or displaying a corresponding relationship between a second login information data set and an IP address according to an embodiment of the present application, and as shown in fig. 7, the process may include the following steps:
and reading the corresponding relation between the second login information data group stored in the database and the IP address at regular time.
And updating and displaying the content of the second login information data group corresponding to the IP address on the front-end page.
In another possible implementation manner, the corresponding second login information data group may be displayed on the front-end display interface based on the selected IP address in the user list.
In order to implement the method for identifying a user according to the embodiment of the present application, an embodiment of the present application further provides an electronic device, as shown in fig. 8, where the electronic device is a sending end of a first log and is characterized by a first electronic device, and the electronic device includes:
a determining unit 801, configured to, when monitoring that a login page of an application program of a set category is included in network access data, determine a corresponding first login information data group based on the login page, and write the first login information data group into a first log in a set format;
wherein, at least one first login information data group is written in the first log; the first log is used for the second electronic equipment to store or display the corresponding relation between each second login information data group and the user Internet Protocol (IP) address in at least one second login information data group; the at least one second login information data group corresponds to the at least one first login information data group one by one; the second login information data group comprises the corresponding first login information data group.
In one embodiment, the electronic device further comprises:
and the storing unit is used for storing a first field representing login account information in each login page into a first configuration file for the login page of the application program with the set type before the login page of the application program with the set type is contained in the monitored network access data.
The determination unit 801, when determining the corresponding first login information data group based on the login page, is configured to:
and determining corresponding login account information based on the login page and the first configuration file.
In one embodiment, before monitoring a login page of an application program with a set category included in network access data, the electronic device further includes:
the registration unit is used for registering a corresponding callback function for a login page of an application program with a set category; wherein the callback function is to:
and determining corresponding login account information based on the login page and the first configuration file, and writing the login account information into the first log in a set format.
In an embodiment, the determining unit 801, when writing the first login information data group into the first log in the set format, is configured to:
writing login account information into the first log by using a first identifier;
and writing the name of the login application program into the first log by using a second identifier.
In practical applications, the determining unit 801, the storing unit and the registering unit may be implemented by a processor in the first electronic device, and of course, the processor needs to run a program stored in the memory to implement the functions of the above program modules.
In order to implement the method for identifying a user according to the embodiment of the present application, an embodiment of the present application further provides an electronic device, as shown in fig. 9, where the electronic device is a log capture and analysis device and is characterized by a second electronic device, and the electronic device includes:
a monitoring unit 901, configured to monitor a sending port of a first electronic device to obtain all or part of a first log; at least one first login information data group is written in all or part of the first log; each first login information data group in the at least one first login information data group is determined by the first electronic device based on a login page of an application program of a set category and is written into the first log in a set format under the condition that the login page is monitored to contain the application program of the set category in network access data;
an extracting unit 902, configured to extract the at least one first login information data set based on all or part of the first log;
a determining unit 903, configured to determine at least one second login information data group corresponding to the at least one first login information data group one to one, and store or display a corresponding relationship between each second login information data group in the at least one second login information data group and a user IP address; and the second login information data group comprises the corresponding first login information data group.
In an embodiment, when monitoring the sending port of the first electronic device to obtain all or part of the first log, the monitoring unit 901 is specifically configured to:
creating at least one socket handle;
listening for changes to the at least one socket handle using a selection function;
under the condition that the return value of the selection function is larger than zero, grabbing all or part of the corresponding first logs; wherein the return value of the selection function represents the number of socket handles ready for data transmission in the at least one socket handle
In an embodiment, when extracting the at least one first login information data set based on all or part of the first log, the extracting unit 902 is specifically configured to:
filtering all or part of the first logs according to set filtering conditions to obtain second logs;
and extracting all first login information data groups contained in the second log.
In an embodiment, when extracting all the first login information data sets included in the second log, the extracting unit 902 is specifically configured to:
extracting all login account information contained in the second log based on the first identification; wherein the first identification is written to the first log by the first electronic device.
In an embodiment, the first login information data group includes login account information, the second login information data group includes login account information and a login application name, and when at least one second login information data group corresponding to the at least one first login information data group in a one-to-one manner is determined, the determining unit 903 is configured to:
determining a login page of an application program corresponding to each login account information in all login account information based on all the extracted login account information;
and determining the name of the login application program corresponding to each login account information in all login account information based on the login page of the application program corresponding to each login account information in all login account information.
In practical applications, the monitoring unit 901, the extracting unit 902, and the determining unit 903 may be implemented by a processor in the second electronic device, and of course, the processor needs to run a program stored in the memory to implement the functions of the above program modules.
It should be noted that, in the above-mentioned fig. 8 and fig. 9, the electronic device provided in the embodiment is only exemplified by the division of the above-mentioned program modules, and in practical applications, the above-mentioned processing distribution may be completed by different program modules according to needs, that is, the internal structure of the electronic device is divided into different program modules to complete all or part of the above-mentioned processing. In addition, the electronic device provided by the above embodiment and the transmission method embodiment for identifying the user belong to the same concept, and specific implementation processes thereof are detailed in the method embodiment and are not described herein again.
Based on the hardware implementation of the program module, in order to implement the method of the embodiment of the present application, an embodiment of the present application further provides an electronic device. Fig. 10 is a schematic diagram of a hardware component structure of an electronic device 1000 according to an embodiment of the present application. The electronic device 1000 shown in fig. 10 includes a processor 1010, and the processor 1010 may call and execute a computer program from a memory to implement the method in the embodiment of the present application.
Optionally, as shown in fig. 10, the electronic device 1000 may further include a memory 1020. From the memory 1020, the processor 1010 may call and execute a computer program to implement the method in the embodiment of the present application.
The memory 1020 may be a separate device from the processor 1010 or may be integrated into the processor 1010.
Optionally, as shown in fig. 10, the electronic device 1000 may further include a transceiver 1030, and the processor 1010 may control the transceiver 1030 to communicate with other devices, and specifically, may transmit information or data to the other devices or receive information or data transmitted by the other devices.
The transceiver 1030 may include a transmitter and a receiver, among others. The transceiver 1030 may further include an antenna, and the number of antennas may be one or more.
Optionally, the electronic device 1000 may implement corresponding processes of the methods for identifying a user in the embodiments of the present application, and for brevity, details are not described here again.
The memory in the embodiments of the present application is used to store various types of data to support operations in an electronic device. Examples of such data include: any computer program for operating on an associated device.
It will be appreciated that the memory can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. Among them, the nonvolatile Memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a magnetic random access Memory (FRAM), a Flash Memory (Flash Memory), a magnetic surface Memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface storage may be disk storage or tape storage. Volatile Memory can be Random Access Memory (RAM), which acts as external cache Memory. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), Enhanced Synchronous Dynamic Random Access Memory (Enhanced DRAM), Synchronous Dynamic Random Access Memory (SLDRAM), Direct Memory (DRmb Access), and Random Access Memory (DRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the embodiments of the present application may be applied to a processor, or may be implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The processor described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in a memory where a processor reads the programs in the memory and in combination with its hardware performs the steps of the method as previously described.
When the processor executes the program, corresponding processes in the methods of the embodiments of the present application are implemented, and for brevity, are not described herein again.
In an exemplary embodiment, the present application further provides a storage medium, i.e., a computer storage medium, specifically a computer readable storage medium, for example, including a memory storing a computer program, which is executable by a processor to perform the steps of the foregoing method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof that contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling an electronic device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (13)

1. A method for identifying a user, applied to a first electronic device, the method comprising:
under the condition that the network access data is monitored to contain a login page of an application program of a set type, determining a corresponding first login information data group based on the login page, and writing the first login information data group into a first log in a set format;
wherein, at least one first login information data group is written in the first log; the first log is used for the second electronic equipment to store or display the corresponding relation between each second login information data group and the user Internet Protocol (IP) address in at least one second login information data group; the at least one second login information data group corresponds to the at least one first login information data group one by one; the second login information data group comprises the corresponding first login information data group.
2. The method of claim 1, wherein prior to the monitoring the network access data for a landing page containing a set category of applications, the method further comprises:
for login pages of application programs with set categories, storing a first field representing login account information in each login page into a first configuration file;
the determining a corresponding first login information data set based on the login page comprises:
and determining corresponding login account information based on the login page and the first configuration file.
3. The method of claim 2, wherein prior to monitoring the network access data for a landing page containing a set category of applications, the method further comprises:
registering a corresponding callback function for a login page of an application program of a set type;
wherein the callback function is to:
and determining corresponding login account information based on the login page and the first configuration file, and writing the login account information into the first log in a set format.
4. The method of claim 1, wherein writing the first log information data set to the first log in a set format comprises:
writing login account information into the first log by using a first identifier;
and writing the name of the login application program into the first log by using a second identifier.
5. A method for identifying a user, applied to a second electronic device, the method comprising:
monitoring a sending port of first electronic equipment to obtain all or part of a first log; at least one first login information data group is written in all or part of the first log; each first login information data group in the at least one first login information data group is determined by the first electronic device based on a login page of an application program of a set category and is written into the first log in a set format under the condition that the login page is monitored to contain the application program of the set category in network access data;
extracting the at least one first log information data set based on all or part of the first log;
determining at least one second login information data group corresponding to the at least one first login information data group one to one, and storing or displaying the corresponding relation between each second login information data group in the at least one second login information data group and the user IP address; and the second login information data group comprises the corresponding first login information data group.
6. The method of claim 5, wherein listening to a transmission port of the first electronic device to obtain all or part of the first log comprises:
creating at least one socket handle;
listening for changes to the at least one socket handle using a selection function;
under the condition that the return value of the selection function is larger than zero, grabbing all or part of the corresponding first logs; and the return value of the selection function represents the number of socket handles which are ready for data transmission in the at least one socket handle.
7. The method of claim 5, wherein said extracting said at least one first log information data set based on said all or part of said first log comprises:
filtering all or part of the first logs according to set filtering conditions to obtain second logs;
and extracting all first login information data groups contained in the second log.
8. The method of claim 7, wherein said extracting all first log information data sets contained in said second log comprises:
extracting all login account information contained in the second log based on the first identification; wherein the first identification is written to the first log by the first electronic device.
9. The method according to any one of claims 5 to 7, wherein the first login information data group includes login account information, the second login information data group includes the login account information and a login application name, and the determining at least one second login information data group corresponding to the at least one first login information data group in a one-to-one manner includes:
determining a login page of an application program corresponding to each login account information in all login account information based on all the extracted login account information;
and determining the name of the login application program corresponding to each login account information in all login account information based on the login page of the application program corresponding to each login account information in all login account information.
10. An electronic device, comprising:
the determining unit is used for determining a corresponding first login information data group based on a login page when the login page of the application program of a set type is contained in the network access data under monitoring, and writing the first login information data group into a first log in a set format;
wherein, at least one first login information data group is written in the first log; the first log is used for the second electronic equipment to store or display the corresponding relation between each second login information data group and the user IP address in at least one second login information data group; the at least one second login information data group corresponds to the at least one first login information data group one by one; the second login information data group comprises the corresponding first login information data group.
11. An electronic device, comprising:
the monitoring unit is used for monitoring a sending port of the first electronic equipment to obtain all or part of the first log; at least one first login information data group is written in all or part of the first log; each first login information data group in the at least one first login information data group is determined by the first electronic device based on a login page of an application program of a set category and is written into the first log in a set format under the condition that the login page is monitored to contain the application program of the set category in network access data;
an extracting unit configured to extract the at least one first login information data group based on all or part of the first log;
the determining unit is used for determining at least one second login information data group corresponding to the at least one first login information data group one by one, and storing or displaying the corresponding relation between each second login information data group in the at least one second login information data group and the IP address of the user; and the second login information data group comprises the corresponding first login information data group.
12. An electronic device, comprising: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to perform the steps of the method of any one of claims 1 to 4 or any one of claims 5 to 9 when running the computer program.
13. A storage medium having stored thereon a computer program for implementing the steps of the method of any one of claims 1 to 4 or of any one of claims 5 to 9 when executed by a processor.
CN202010784920.2A 2020-08-06 2020-08-06 Method for identifying user, electronic equipment and storage medium Active CN112073258B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010784920.2A CN112073258B (en) 2020-08-06 2020-08-06 Method for identifying user, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010784920.2A CN112073258B (en) 2020-08-06 2020-08-06 Method for identifying user, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112073258A true CN112073258A (en) 2020-12-11
CN112073258B CN112073258B (en) 2022-09-30

Family

ID=73660804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010784920.2A Active CN112073258B (en) 2020-08-06 2020-08-06 Method for identifying user, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112073258B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001014989A1 (en) * 1999-08-23 2001-03-01 3Com Corporation Architecture for a network management service which identifies and locates users and/or devices within an enterprise network
CN102065147A (en) * 2011-01-07 2011-05-18 深圳市易聆科信息技术有限公司 Method and device for obtaining user login information based on enterprise application system
CN105827522A (en) * 2015-11-10 2016-08-03 广东亿迅科技有限公司 Gateway equipment for processing log files
CN107948148A (en) * 2017-11-21 2018-04-20 北京天融信网络安全技术有限公司 It is a kind of to simulate for the method and device filled out
CN110035087A (en) * 2019-04-24 2019-07-19 全知科技(杭州)有限责任公司 A kind of method, apparatus, equipment and storage medium from flow reduction account information
CN110390043A (en) * 2019-06-17 2019-10-29 深圳壹账通智能科技有限公司 Crawling method, device, terminal and the storage medium of webpage mailbox data
US20190340388A1 (en) * 2018-05-03 2019-11-07 Salesforce.Com, Inc. Method and system for enabling log record consumers to comply with regulations and requirements regarding privacy and the handling of personal data
CN111200665A (en) * 2018-11-19 2020-05-26 中国移动通信集团吉林有限公司 User source tracing method and device and computer readable storage medium

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001014989A1 (en) * 1999-08-23 2001-03-01 3Com Corporation Architecture for a network management service which identifies and locates users and/or devices within an enterprise network
CN102065147A (en) * 2011-01-07 2011-05-18 深圳市易聆科信息技术有限公司 Method and device for obtaining user login information based on enterprise application system
CN105827522A (en) * 2015-11-10 2016-08-03 广东亿迅科技有限公司 Gateway equipment for processing log files
CN107948148A (en) * 2017-11-21 2018-04-20 北京天融信网络安全技术有限公司 It is a kind of to simulate for the method and device filled out
US20190340388A1 (en) * 2018-05-03 2019-11-07 Salesforce.Com, Inc. Method and system for enabling log record consumers to comply with regulations and requirements regarding privacy and the handling of personal data
CN111200665A (en) * 2018-11-19 2020-05-26 中国移动通信集团吉林有限公司 User source tracing method and device and computer readable storage medium
CN110035087A (en) * 2019-04-24 2019-07-19 全知科技(杭州)有限责任公司 A kind of method, apparatus, equipment and storage medium from flow reduction account information
CN110390043A (en) * 2019-06-17 2019-10-29 深圳壹账通智能科技有限公司 Crawling method, device, terminal and the storage medium of webpage mailbox data

Also Published As

Publication number Publication date
CN112073258B (en) 2022-09-30

Similar Documents

Publication Publication Date Title
CN105808399B (en) Remote debugging method and device
CN108259425A (en) The determining method, apparatus and server of query-attack
CN108063833B (en) HTTP DNS analysis message processing method and device
JP2009017298A (en) Data analysis apparatus
CN107995321A (en) A kind of VPN client acts on behalf of the method and device of DNS
CN111752770A (en) Service request processing method, system, computer device and storage medium
US10142359B1 (en) System and method for identifying security entities in a computing environment
CN113992382B (en) Service data processing method and device, electronic equipment and storage medium
CN106411819A (en) Method and apparatus for recognizing proxy Internet protocol address
CN101599857A (en) Detect method, device and the network measuring system that inserts number of host of sharing
CN111224878A (en) Route forwarding method and device, electronic equipment and storage medium
CN110851334A (en) Flow statistical method, electronic device, system and medium
CN104639387A (en) Users' network behavior tracking method and equipment
CN105207829B (en) Intrusion detection data processing method, device and system
CN113873057A (en) Data processing method and device
CN111859069B (en) Network malicious crawler identification method, system, terminal and storage medium
CN109189652A (en) A kind of acquisition method and system of close network terminal behavior data
CN112073258B (en) Method for identifying user, electronic equipment and storage medium
CN111225038A (en) Server access method and device
CN113395367A (en) HTTPS service identification method and device, storage medium and electronic equipment
CN110737861A (en) webpage data processing method, device, equipment and storage medium
CN110633432A (en) Method, device, terminal equipment and medium for acquiring data
CN111970250B (en) Method for identifying account sharing, electronic device and storage medium
CN114417198A (en) Phishing early warning method, phishing early warning device, phishing early warning system
CN108667769B (en) Domain name tracing method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant