CN112347457A - Abnormal account detection method and device, computer equipment and storage medium - Google Patents
Abnormal account detection method and device, computer equipment and storage medium Download PDFInfo
- Publication number
- CN112347457A CN112347457A CN201910721718.2A CN201910721718A CN112347457A CN 112347457 A CN112347457 A CN 112347457A CN 201910721718 A CN201910721718 A CN 201910721718A CN 112347457 A CN112347457 A CN 112347457A
- Authority
- CN
- China
- Prior art keywords
- account
- abnormal
- detected
- link
- detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 294
- 238000001514 detection method Methods 0.000 title claims abstract description 156
- 238000000034 method Methods 0.000 claims abstract description 25
- 230000002547 anomalous effect Effects 0.000 claims description 3
- 238000010276 construction Methods 0.000 claims description 2
- 238000004590 computer program Methods 0.000 claims 4
- 230000001680 brushing effect Effects 0.000 abstract description 6
- 238000012549 training Methods 0.000 description 14
- 238000004458 analytical method Methods 0.000 description 7
- 230000006399 behavior Effects 0.000 description 5
- 238000004364 calculation method Methods 0.000 description 5
- 230000005856 abnormality Effects 0.000 description 4
- 238000011835 investigation Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 239000000284 extract Substances 0.000 description 3
- 230000002265 prevention Effects 0.000 description 3
- 230000009193 crawling Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 206010000117 Abnormal behaviour Diseases 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 235000014510 cooky Nutrition 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000003384 imaging method Methods 0.000 description 1
- 238000012417 linear regression Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Abstract
An abnormal account detection method, an abnormal account detection device, computer equipment and a storage medium are provided, wherein the abnormal account detection method comprises the following steps: acquiring account information of an account to be detected; acquiring a historical operation record according to the account information of the account to be detected, and establishing an operation link of the account to be detected according to the historical record; acquiring a trained abnormal operation detection model, and detecting whether an operation link of the account to be detected is normal or not according to the abnormal operation detection model; and when the operation link of the account to be detected is abnormal, marking the account to be detected as an abnormal account. The method effectively identifies the abnormal account of malicious score and order brushing.
Description
Technical Field
The invention relates to the technical field of computers, in particular to an abnormal account detection method, an abnormal account detection device, computer equipment and a storage medium.
Background
With the internet stepping into the big data era, many companies use data-management platform (DMP) systems to manage mass business data, perform intelligent marketing, and improve company profits. As is well known, DMP system access data includes not only advertisement placement data, business order data, membership data, but also log data of game applications or wechat applets. For example, a company has developed a member registration cookie to obtain new users; the game applet helps the member to obtain the credit value; the lottery applet may allow members to draw a lottery using points. However, some illegal persons may use a program plug-in, a physical plug-in, etc. to perform fraudulent operations (e.g., swiping points) to try for illegal use. If the lottery drawing is not processed, the probability of winning the lottery by the group of the malicious points brushing is increased, and the normal lottery drawing order is influenced; meanwhile, malicious point brushing crowds can enter the DMP system along with log data, so that the data accuracy of the company in user imaging is reduced, and the accurate marketing quality is influenced. Therefore, how to find the list-refreshing crowd in time and eliminate the abnormal data is an urgent problem to be solved in the DMP system.
At present, the main direction of wind control brushing prevention in the Internet industry is brushing prevention electronic commerce orders, and no mature scheme for brushing prevention game small program points exists. A general e-commerce company constructs a transaction risk system according to the modes of IP source analysis of order logs, binding of real-name customer bank cards, customer consumption map analysis, user shopping habit models and the like, so that the probability of order swiping is reduced. These approaches are not fully applicable to anti-swipe gaming applications or scenarios where a WeChat applet accumulates credits. Firstly, no real-name system information exists in the log and data of the game application or the WeChat applet, the function of binding a real-name system bank card does not exist, and the actual consumption record of a client does not exist, so that a consumption map cannot be constructed; therefore, in the prior art, under the scenes of non-real-name system and no relation to the actual consumption record of a client, the abnormal account with malicious points and orders can not be effectively identified.
Disclosure of Invention
The technical problem solved by the invention is that the abnormal account for carrying out the deceptive abnormal operation cannot be identified under the scenes of non-real name system and not related to the actual consumption record of the client.
In order to solve the above technical problem, an embodiment of the present invention provides an abnormal account detection method, including: acquiring account information of an account to be detected; acquiring a historical operation record according to the account information of the account to be detected, and establishing an operation link of the account to be detected according to the historical operation record; acquiring a trained abnormal operation detection model, and detecting whether an operation link of the account to be detected is normal or not according to the abnormal operation detection model; and when the operation link of the account to be detected is abnormal, marking the account to be detected as an abnormal account.
Optionally, after the account information of the account to be detected is acquired, the method further includes: acquiring a preset account detection rule, and detecting whether the account information of the account to be detected contains abnormal data according to the account detection rule; and when the account information of the account to be detected does not contain abnormal data, continuing to acquire a historical operation record according to the account information of the account to be detected.
Optionally, the obtaining a preset account detection rule, and detecting whether the account information of the account to be detected contains abnormal data according to the account detection rule includes: acquiring abnormal data from a preset website; and detecting whether the account information of the account to be detected contains the abnormal data.
Optionally, after detecting whether the account information includes abnormal data according to the account detection rule, the method further includes: and when the account information contains abnormal data, skipping to the step of marking the account to be detected as an abnormal account.
Optionally, the generation manner of the abnormal operation detection model includes: acquiring a historical operation record of an abnormal account sample, and establishing an operation link of the abnormal account sample according to the historical operation record of the abnormal account sample; marking the operation link of the abnormal account sample as an abnormal link; and generating the abnormal operation detection model according to the abnormal link.
Optionally, the abnormal operation model includes an abnormal feature in the abnormal link; the acquiring of the trained abnormal operation detection model and detecting whether the operation link of the account to be detected is normal according to the abnormal operation detection model comprise: inputting the operation link of the account to be detected into the abnormal operation detection model; identifying whether the operation link of the account to be detected contains the abnormal features or not; and when the operation link of the account to be detected contains the abnormal characteristic, the operation link of the account to be detected is abnormal.
Optionally, the detecting of the abnormal account further includes: acquiring a current operation record of a non-abnormal account; and correspondingly storing the current operation record and the account information of the non-abnormal account.
An embodiment of the present invention further provides an abnormal account detection apparatus, including: the detection starting module is used for acquiring account information of the account to be detected; the operation link construction module is used for acquiring a historical operation record according to the account information of the account to be detected and establishing an operation link of the account to be detected according to the historical operation record; the abnormal detection module is used for acquiring a trained abnormal operation detection model and detecting whether the operation link of the account to be detected is normal or not according to the abnormal operation detection model; and the abnormal account marking module is used for marking the account to be detected as the abnormal account when the operation link of the account to be detected is abnormal.
The embodiment of the invention also provides a storage medium, wherein computer instructions are stored on the storage medium, and the computer instructions execute the steps of the method when running.
The embodiment of the present invention further provides a terminal, which includes a memory and a processor, where the memory stores computer instructions capable of running on the processor, and the processor executes the steps of the method when executing the computer instructions.
Compared with the prior art, the technical scheme of the embodiment of the invention has the following beneficial effects:
the embodiment of the invention provides an abnormal account detection method, which comprises the following steps: acquiring account information of an account to be detected; acquiring a historical operation record according to the account information of the account to be detected, and establishing an operation link of the account to be detected according to the historical operation record; acquiring a trained abnormal operation detection model, and detecting whether an operation link of the account to be detected is normal or not according to the abnormal operation detection model; and when the operation link of the account to be detected is abnormal, marking the account to be detected as an abnormal account.
Compared with the prior art, the embodiment of the invention can identify the abnormity represented in the operation link established by the historical operation record of the account to be detected according to the abnormal operation detection model obtained by big data training, thereby identifying the abnormal account; under the scenes of non-real-name system and no relation to the actual consumption record of the client, whether the account has risks or not can be identified according to the difference between the abnormal account and other accounts in an operation link, so that the abnormal account which performs fraudulent operation, such as an account which is maliciously swiped for points and is swiped for orders, can be effectively identified.
Further, before obtaining the historical operation record of the account to be detected and constructing the operation link of the account to be detected, the account information of the account to be detected can be subjected to one-time pre-detection operation, and only the next operation is performed on the account information which passes the detection; because the historical operation record data volume of one account is large, the server analyzes the data and needs to consume large calculation amount for constructing an operation link, a part of accounts which do not meet the requirements can be filtered out by pre-detection operation, the calculation amount is saved, and the detection efficiency of the server on abnormal accounts is improved.
Furthermore, the training sample data of the abnormal operation detection model is an abnormal account sample collected in the same application scene with the account to be detected, so that the abnormal operation detection model capable of accurately identifying whether the account to be detected is the abnormal account can be trained. The detection basis of the abnormal operation detection model can be to summarize and extract abnormal features from the abnormal link. Further, the current operation record after each login of the non-abnormal account can be uploaded and stored as a data source for detecting the abnormality of the account or training the model.
Drawings
Fig. 1 is a schematic diagram illustrating an application of an abnormal account detection method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method of detecting an abnormal account according to an embodiment of the present invention;
FIG. 3 is a flow chart of another abnormal account detection method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an abnormal account detection apparatus according to an embodiment of the present invention.
Detailed Description
As a background art, in the prior art, under a non-real-name system and a scene that does not involve actual consumption records of a client, an abnormal account with malicious points and orders can not be effectively identified.
In order to solve the above technical problem, an embodiment of the present invention provides an abnormal account detection method. In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
The abnormal account detection method provided by the application can be applied to the application environment shown in fig. 1. The user terminal 102 communicates with the server 104 through a network, the user terminal 102 can be connected to the server 104 through a login mode of an account number and a password, the server 104 performs abnormality detection operation on an account represented by the user terminal according to information such as the account number after obtaining account connection, and if the server 104 detects that the login account of the user terminal is an abnormal account, the user terminal is refused to obtain data of the server side or part of access authority of the user terminal is limited. The user terminal 102 may be, but is not limited to, various personal computers, notebook computers, smart phones, and tablet computers, and the workflow server 104 may be implemented by an independent server or a server cluster composed of a plurality of servers.
In one embodiment, as shown in fig. 2, an abnormal account detection method is provided, which is described by taking the method as an example applied to the server in fig. 1, and includes the following steps:
step S202, account information of the account to be detected is obtained.
The account to be detected is a detection object in the abnormal account detection operation, and can be an account of a program or page authority provided by a user terminal access server, and the user terminal can register in the page or the program provided by the server to establish the account; when an account logs in a program or a page, the server takes the account as an account to be detected, and starts an abnormal account detection step; or when the detection terminal connected with the sending server sends the operation needing to detect whether the operation of a certain account is abnormal to the server, the detection terminal can send a detection request to the server and provide the account information of the account to be detected to the server, so that the server starts the step of carrying out abnormal detection on the account to be detected. The account information of the account to be detected is information representing the account, and can be information such as an account name and a bound mobile phone number.
And step S204, acquiring a historical operation record according to the account information of the account to be detected, and establishing an operation link of the account to be detected according to the historical operation record.
The historical operation records are stored operation records after all the accounts to be detected are accessed into the server; for example, when a user performs operations such as clicking, accessing, and virtual purchasing on a terminal through a wechat applet or APP, the terminal may upload and store the operations to a server to form a history operation record. The server detects that a new account is registered, namely a storage position corresponding to the new account is established for storing an operation record of the account, and the operation record executed after a user logs in the account each time is recorded and stored according to the operation time as a historical operation record of the account; when the server needs to acquire the historical operation record of the account to be detected, the server can acquire the stored historical operation record from the storage position corresponding to the account to be detected. The server can store the historical operation records of all accounts in a key-value database, and takes the user names of the accounts and the bound mobile phone numbers as keys for acquiring the historical operation records corresponding to the accounts from the database.
The operation link of the account is link information which is established according to the historical operation record of the account to be detected and can reflect the evolution situation of the operation behavior (such as purchasing behavior, access behavior and the like) of the account to be detected after self-registration. The operation link of the account comprises a plurality of link nodes arranged according to a time sequence, and the content of each link node is determined according to the operation behavior of the account in the time period corresponding to the link node. More specifically, the operation link of the account may be obtained by starting from account registration of the account to be detected, dividing the operation performed by the account to be detected at the user terminal into a plurality of stages as link nodes, classifying and counting the operation behavior performed by the account in each stage as node content, and finally concatenating the plurality of link nodes. For example, after a user registers in a certain WeChat applet, a game may be played in the applet to obtain a credit value, and a lottery may be performed through the obtained credit value, and the historical operation records of an account A are as follows: 10/2010, 20/18: 00, the account is registered, the game is operated for 5 times through the small program on the day of 10 months and 20 days in 2010, the points are earned for 100 points, the five operation times are XXX to 10 months and 25 days in 2010 respectively, the game is operated for 10 times through the small program, the points are earned for 150 points, the 10 operation times are XXX to 30 days in 10 months in 2010, the points are consumed for 200 points through the small program respectively, and the consumption time is XXX. The server can establish an operation link of the account A according to the historical operation record as follows: registration phase-game phase-points consumption phase; in the registration stage, the information verification frequency of the user A is 1 successful verification; in the game stage, the login frequency of the user A is login once every 5 days, and the average game frequency of each time is 7.5 times; and in the point consumption stage, the user A normally consumes 200 points.
And step S206, acquiring the trained abnormal operation detection model, and detecting whether the operation link of the account to be detected is normal or not according to the abnormal operation detection model.
The abnormal operation detection model is obtained by taking an operation link established by historical operation records of a large number of abnormal accounts as a data sample and performing multiple regression training, and can identify whether the input operation link is normal or not. For example, in the above game and lottery applet, the server collects the historical operation records of 1000 abnormal accounts, constructs the operation links of the abnormal accounts as training samples, and trains an abnormal operation detection model capable of reflecting the common characteristics of the training samples. The model can comprise a plurality of rules for judging whether the input operation link of the account to be detected is normal or not; for example, in the account registration phase, when the account information is verified more than five times, the verified account is passed, and the possibility of being an abnormal account is high; in the game stage, when the login frequency exceeds 50 times per day, the account is more likely to be an abnormal account; in the point consumption stage, if the point donation action frequently occurs, the possibility that the account is an abnormal account is high; if a certain account is frequently switched between the game stage and the point consumption stage, the account is more likely to be an abnormal account, and the like. The abnormal operation detection model can comprehensively judge whether an account is an abnormal account according to the information contained in each node in the operation link of the account to be detected and the relevance among the nodes. And step S208, when the operation link of the account to be detected is abnormal, marking the account to be detected as an abnormal account.
Specifically, when the detection result of the operation link of the account to be detected by the abnormal operation detection model is that the operation link is judged to be abnormal, the server marks the detected account as an abnormal account, and rejects the operation of accessing the abnormal account to the server or limits the partial access authority of the abnormal account.
According to the abnormal account detection method, the abnormal operation detection model obtained by big data training is used for identifying the abnormality expressed in the operation link established by the historical operation record of the account to be detected, so that the abnormal account is identified; under the scenes of non-real-name system and no relation to the actual consumption record of a client, whether the account has risks or not can be identified according to the difference between the abnormal account and other accounts in an operation link, and therefore the abnormal account with malicious points and orders can be effectively identified.
In an embodiment, referring to fig. 3, after the step S202 obtains the account information of the account to be detected, a pre-detection step may be further included, which specifically includes:
step S203, acquiring a preset account detection rule, and detecting whether the account information of the account to be detected contains abnormal data according to the account detection rule; and when the account information of the account to be detected does not contain abnormal data, continuously acquiring the historical operation record according to the account information of the account to be detected.
The account detection rule is a rule according to which a pre-detection step is performed on an account to be detected before model analysis, and the server can identify abnormal data contained in account information according to the account detection rule. For example, the account detection rule may be to detect whether a contact phone bound to the account to be detected is a domestic number, and if the phone is not the domestic number, the contact phone is considered as abnormal data; or the server can acquire the IP address accessed by the account to be detected and determine whether the IP address is a plurality of marked abnormal IP addresses, and the like.
When the server detects that the account information of the account to be detected does not contain abnormal data in the pre-detection step, the server continues to execute the steps of model analysis, namely step S204 to step S208.
In the embodiment, before the historical operation record of the account to be detected is obtained, a pre-detection operation is firstly carried out on the account information of the account to be detected, and only the next operation is carried out on the account information passing the detection; because the historical operation record data volume of one account is large, the server analyzes the data and needs to consume large calculation amount for constructing an operation link, a part of accounts which do not meet the requirements can be filtered out by pre-detection operation, the calculation amount is saved, and the detection efficiency of the server on abnormal accounts is improved.
Preferably, the obtaining of the preset account detection rule and detecting whether the account information of the account to be detected contains abnormal data according to the account detection rule may include: acquiring abnormal data from a preset website; and detecting whether the account information of the account to be detected contains abnormal data.
The preset website refers to a website recorded with abnormal data, such as some websites publishing illegal IP addresses, fraudulent calls, and the like, and may be an agent IP website or a credit investigation website. The abnormal data in the embodiment is data which is acquired by the server from a preset website and is used for pre-detecting the account to be detected; when the preset website is a geographic IP website, the abnormal data is an illegal IP address published by the IP website; when the preset website is a credit investigation website, the abnormal data may be the telephone number of the credit loss person published in the credit investigation website, and the like.
The method comprises the steps that the server detects account information of an account to be detected, and the detection is carried out according to abnormal data published on some preset websites, so that some agent IPs and abnormal data published in credit investigation websites are accessed to be used as abnormal data for judging whether the account to be detected meets the pre-detection requirement or not; the server can crawl abnormal data from a preset website in real time through a crawler technology of a script framework (an application framework for crawling website data), namely installing the script framework on a server segment, and then compiling crawler rules to select target data crawled by the server from the preset website and crawl frequency; preferably, the crawling frequency can be set to crawl each time data update of the preset website is detected.
In the embodiment, the server is accessed to the preset websites of other data providers, and the abnormal data for detection is acquired from the preset websites, so that the data sources of the accounts to be detected and the detection steps of the server can be increased, the accuracy of the pre-detection operation is improved, more abnormal accounts can be removed in the pre-detection step, the calculation amount of the subsequent operation is effectively reduced, and the detection efficiency is improved.
Further, please continue to refer to fig. 3, after the step of detecting whether the account information includes abnormal data according to the account detection rule, the method may further include: and when the account information contains abnormal data, skipping to the step of marking the account to be detected as the abnormal account.
When the server is subjected to pre-detection and detects that the account information of the account to be detected contains abnormal data, the steps from step S204 to step S208 are skipped, the account to be detected is directly marked as an abnormal account, and the steps of constructing the operation link of the account to be detected and the subsequent model analysis in the steps from step S204 to step S208 are not executed.
In an embodiment, the generation manner of the abnormal operation detection model may include: acquiring a historical operation record of the abnormal account sample, and establishing an operation link of the abnormal account sample according to the historical operation record of the abnormal account sample; marking the operation link of the abnormal account sample as an abnormal link; and generating an abnormal operation detection model according to the abnormal link.
The abnormal account sample is a sample collected by the server and used for training an abnormal operation detection model, and can be an account number which is collected by an application program or a WeChat applet and is proved to be maliciously brushed and ordered by using the abnormal account detection method in the invention. The server collects historical operation records of the abnormal accounts identified in the past as data samples, and establishes operation links corresponding to the historical operation records of the abnormal account samples as abnormal links of the training model according to rules for establishing the operation links.
The abnormal operation detection model is used for analyzing an abnormal link and constructing the abnormal operation detection model capable of reflecting the connectivity of the abnormal link through methods such as big data training and linear regression. When the server wants to judge whether the operation link of a certain account to be detected is normal, the operation link of the account to be detected is input into the abnormal operation detection model, and the abnormal operation detection model can directly output a detection result of whether the operation link is normal or not.
In this embodiment, a sample data source and a training mode for training the abnormal operation detection model are supplemented, and the abnormal operation detection model capable of accurately identifying whether the account to be detected is an abnormal account is trained through the abnormal account sample collected in the same application scene as the account to be detected.
In one embodiment, the abnormal operation model in the abnormal account detection method includes abnormal features in an abnormal link; acquiring a trained abnormal operation detection model, and detecting whether an operation link of an account to be detected is normal according to the abnormal operation detection model, wherein the method comprises the following steps: inputting an operation link of an account to be detected into an abnormal operation detection model; identifying whether an operation link of the account to be detected contains abnormal features or not; and when the operation link of the account to be detected contains the abnormal characteristic, the operation link of the account to be detected is abnormal.
The abnormal features are feature points reflecting the characteristics of the abnormal links; the abnormal operation detection model can summarize and extract the universality of a plurality of abnormal links when analyzing the abnormal links to obtain abnormal characteristics; for example, the characteristics as they occur in multiple exceptional links are: the account can access the server through a plurality of different IP addresses, and the server can take the characteristic as an abnormal characteristic; in addition, some abnormal account operation links occur in the short time of account registration, and the point acquisition operation is frequently performed, and the characteristic can be used as an abnormal characteristic. The abnormal operation detection model is used for detecting whether the input operation link of the account to be detected is normal or not, and substantially detecting whether the input operation link of the account to be detected contains the abnormal characteristics or not, and if so, determining that the operation link of the account to be detected is abnormal; and if not, the operation link of the account to be detected is considered to be normal.
In addition, the abnormal features stored in the abnormal operation detection model can be obtained by generalizing and extracting the abnormal link in a general way through the abnormal link, and can also be obtained according to the difference between the abnormal link and the non-abnormal link, namely when the abnormal operation detection model is trained, the historical operation record of the non-abnormal account needs to be acquired to construct the corresponding operation link as a negative sample; and taking the abnormal link as a positive sample, and obtaining abnormal characteristics through comparison of the positive sample and the negative sample.
In this embodiment, the abnormal operation detection model summarizes and extracts the abnormal features from the abnormal link, and the abnormal features are used as a basis for the model to determine whether the input operation link of the account to be detected is normal, so as to further explain the working principle of the abnormal operation detection model.
Further, the abnormal account detection method may further include: acquiring a current operation record of a non-abnormal account; and correspondingly storing the current operation record and the account information of the non-abnormal account.
Specifically, non-anomalous accounts, i.e., accounts that are not flagged as anomalous accounts; the current operation record is an operation record executed by the current non-abnormal account in the application program or the WeChat applet, the application program or the WeChat applet can continuously send the current operation to the server, and the server acquires the current operation record of the non-abnormal account and stores the current operation record according to the corresponding account information.
In this embodiment, the application program or the wechat applet allows access to the non-abnormal account, but uploads the current operation record of the non-abnormal account after each login to the server for storage, and the current operation record is used as a data source for the server to detect abnormality of the account or perform model training.
In one application example, a user is provided with a WeChat game applet which can obtain credits, the user can access an applet page through WeChat, the user can operate a game in the applet page to obtain the game credits, and the user can draw a lottery or consume virtual goods according to the game credits; in the application example, in order to prevent the malicious credit swiping of the user, when the user logs in the applet on the mobile phone, the mobile phone is used as a user terminal to use the account as an account to be detected, and a management server of the applet requests the abnormal detection of the account to be detected; the server acquires information such as an IP address, an account name, an equipment name and the like of the account accessed to the applet from a user terminal side as account information, and performs pre-detection on the account information according to a preset account detection rule, namely whether the IP address of a detector is an illegal IP or whether a mobile phone number of the equipment is an authorized number or not; if the server passes the pre-detection of the account information, reading the historical operation record of the account from the storage position for storing the historical operation record according to the account information of the account, constructing an operation link of the account to be detected, analyzing whether the operation link of the account to be detected is normal according to a trained abnormal operation detection model, if the model also judges that the operation link of the account to be detected is normal, the server sends an operation instruction allowing access to the user terminal, the user can continue to operate the game at the mobile phone end, the user terminal records the operation of the user in the applet at this time as the current operation record, and the current operation record is returned to the server end for storage. If the server detects the account to be detected, the account to be detected does not pass the pre-detection step, or the abnormal operation detection model detects that the operation link of the account to be detected is abnormal, the server sends a restriction instruction to the user terminal, the user terminal restricts the account from accessing the applet, and displays a description for restricting access on a related interface of the applet, for example, the description can prompt that the account is illegal to be blocked, and the applet can be continuously accessed after the user unlocks by providing information such as certificates.
And the server updates the proxy IP of the known proxy IP website every day by using a crawler technology, constructs a local proxy IP monitoring pool, and judges that the account to be detected does not pass the pre-detection step when the IP of the account accessing the applet is consistent with the proxy IP when the account to be detected is subjected to pre-detection. In addition, the server may also monitor the mobile phone number, for example, the number of times of occurrence of the mobile phone number in the game applet log in a unit time (for example, 1 day) is monitored to determine whether the mobile phone number represents a malicious credit card, it is generally considered that the number of times of game in 1 day exceeding 300 times is a malicious credit card, and the server may record the account coordinate bound to the mobile phone number corresponding to the number of times of game in 1 day exceeding 300 times as an abnormal account.
When the server detects an operation link of an account to be detected, the server can aggregate three log data of an account registration applet and a game log of the applet to each account according to a mobile phone number or an account name, construct the operation link of the account to be detected according to timeline data of each event, game and lottery frequency analysis and the like, and identify abnormal behaviors of the account to be detected according to an abnormal operation detection model obtained by training historical abnormal accounts, so as to judge whether the account to be detected is abnormal.
The server stores the abnormal account in a blacklist. And the account or the related mobile phone number in the blacklist can not be subjected to lottery drawing, and a lottery drawing page is displayed to 'pause lottery drawing due to the existence of the risk of ticket swiping'. If the management end constructs the user portrait, the data of the account in the blacklist can not access the user portrait, and the influence on the accuracy of the user portrait is avoided.
Fig. 4 is a schematic structural diagram of an abnormal account detection apparatus according to an embodiment of the present invention. Those skilled in the art understand that the abnormal account detection apparatus of the present embodiment may be used to implement the method technical solutions in the embodiments shown in fig. 2 to fig. 3.
Specifically, in this embodiment, the abnormal account detection apparatus may include:
the detection starting module 100 is configured to obtain account information of an account to be detected.
The operation link establishing module 200 is configured to obtain a historical operation record according to the account information of the account to be detected, and establish an operation link of the account to be detected according to the historical operation record.
And the abnormal detection module 300 is configured to obtain the trained abnormal operation detection model, and detect whether the operation link of the account to be detected is normal according to the abnormal operation detection model.
The abnormal account marking module 400 is configured to mark the account to be detected as an abnormal account when the operation link of the account to be detected is abnormal.
In one embodiment, the above abnormal account detection apparatus may further include:
and the abnormal data detection module is used for acquiring a preset account detection rule and detecting whether the account information of the account to be detected contains abnormal data or not according to the account detection rule.
And the continuous execution module is used for continuously acquiring the historical operation record according to the account information of the account to be detected when the account information of the account to be detected does not contain abnormal data.
In one embodiment, the abnormal data detection module may include:
the abnormal data acquisition unit is used for acquiring abnormal data from a preset website;
and the abnormal data detection unit is used for detecting whether the account information of the account to be detected contains the abnormal data. In one embodiment, the above abnormal account detection apparatus may further include:
and the skipping module is used for skipping to the step of marking the account to be detected as the abnormal account when the account information contains abnormal data.
In one embodiment, the above abnormal account detection apparatus may further include:
and the sample analysis module is used for acquiring the historical operation records of the abnormal account samples and establishing the operation link of the abnormal account samples according to the historical operation records of the abnormal account samples.
And the abnormal link marking module is used for marking the operation link of the abnormal account sample as an abnormal link.
And the model generation module is used for generating an abnormal operation detection model according to the abnormal link.
Preferably, the abnormal operation model includes abnormal features in the abnormal link; the anomaly detection module may include:
and the data input unit is used for inputting the operation link of the account to be detected into the abnormal operation detection model.
And the characteristic identification unit is used for identifying whether the operation link of the account to be detected contains abnormal characteristics.
And the model judging unit is used for judging that the operation link of the account to be detected is abnormal when the operation link of the account to be detected contains abnormal characteristics. In one embodiment, the above abnormal account detection apparatus may further include:
and the operation record acquisition module is used for acquiring the current operation record of the non-abnormal account.
And the record storage module is used for correspondingly storing the current operation record and the account information of the non-abnormal account.
For more details of the operation principle and the operation mode of the abnormal account detection apparatus, reference may be made to the above description in fig. 2 to 3, and details are not repeated here.
Further, the embodiment of the present invention also discloses a storage medium, on which computer instructions are stored, and when the computer instructions are executed, the method technical solutions in the embodiments shown in fig. 2 to fig. 3 are executed. Preferably, the storage medium may include a computer-readable storage medium such as a non-volatile (non-volatile) memory or a non-transitory (non-transient) memory. The storage medium may include ROM, RAM, magnetic or optical disks, and the like.
Further, the embodiment of the present invention further discloses a computer device, which includes a memory and a processor, where the memory stores computer instructions capable of running on the processor, and the processor executes the technical solutions of the methods in the embodiments shown in fig. 2 to fig. 3 when executing the computer instructions. Preferably, the computer device may be a User Equipment (UE) applied to the abnormal account detection method.
Although the present invention is disclosed above, the present invention is not limited thereto. Various changes and modifications may be effected therein by one skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.
Claims (10)
1. An abnormal account detection method, characterized in that the method comprises:
acquiring account information of an account to be detected;
acquiring a historical operation record according to the account information of the account to be detected, and establishing an operation link of the account to be detected according to the historical operation record;
acquiring a trained abnormal operation detection model, and detecting whether an operation link of the account to be detected is normal or not according to the abnormal operation detection model;
and when the operation link of the account to be detected is abnormal, marking the account to be detected as an abnormal account.
2. The method according to claim 1, wherein after acquiring the account information of the account to be detected, the method further comprises:
acquiring a preset account detection rule, and detecting whether the account information of the account to be detected contains abnormal data according to the account detection rule;
and when the account information of the account to be detected does not contain abnormal data, continuing to acquire a historical operation record according to the account information of the account to be detected.
3. The method according to claim 2, wherein the obtaining of the preset account detection rule and the detecting of whether the account information of the account to be detected contains abnormal data according to the account detection rule comprise:
acquiring abnormal data from a preset website;
and detecting whether the account information of the account to be detected contains the abnormal data.
4. The method of claim 2, wherein after detecting whether the account information contains abnormal data according to the account detection rule, the method further comprises:
and when the account information contains abnormal data, skipping to the step of marking the account to be detected as an abnormal account.
5. The method of claim 1, wherein the abnormal operation detection model is generated in a manner that includes:
acquiring a historical operation record of an abnormal account sample, and establishing an operation link of the abnormal account sample according to the historical operation record of the abnormal account sample;
marking the operation link of the abnormal account sample as an abnormal link;
and generating the abnormal operation detection model according to the abnormal link.
6. The method of claim 5, wherein the abnormal operation model includes abnormal features in the abnormal link; the acquiring of the trained abnormal operation detection model and detecting whether the operation link of the account to be detected is normal according to the abnormal operation detection model comprise:
inputting the operation link of the account to be detected into the abnormal operation detection model;
identifying whether the operation link of the account to be detected contains the abnormal features or not;
and when the operation link of the account to be detected contains the abnormal characteristic, the operation link of the account to be detected is abnormal.
7. The method of any one of claims 1 to 6, further comprising: acquiring a current operation record of a non-abnormal account;
and correspondingly storing the current operation record and the account information of the non-abnormal account.
8. An anomalous account detection device, the device comprising:
the detection starting module is used for acquiring account information of the account to be detected;
the operation link construction module is used for acquiring a historical operation record according to the account information of the account to be detected and establishing an operation link of the account to be detected according to the historical operation record;
the abnormal detection module is used for acquiring a trained abnormal operation detection model and detecting whether the operation link of the account to be detected is normal or not according to the abnormal operation detection model;
and the abnormal account marking module is used for marking the account to be detected as the abnormal account when the operation link of the account to be detected is abnormal.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
10. A storage medium having a computer program stored thereon, the computer program, when being executed by a processor, realizing the steps of the method of any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910721718.2A CN112347457A (en) | 2019-08-06 | 2019-08-06 | Abnormal account detection method and device, computer equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910721718.2A CN112347457A (en) | 2019-08-06 | 2019-08-06 | Abnormal account detection method and device, computer equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112347457A true CN112347457A (en) | 2021-02-09 |
Family
ID=74366524
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910721718.2A Pending CN112347457A (en) | 2019-08-06 | 2019-08-06 | Abnormal account detection method and device, computer equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112347457A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113158152A (en) * | 2021-05-13 | 2021-07-23 | 广西科技师范学院 | Computer intelligent auxiliary system based on behavior analysis |
| CN113742719A (en) * | 2021-08-26 | 2021-12-03 | 深圳依时货拉拉科技有限公司 | Order grabbing and plug-in hanging detection method and computer equipment |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105471819A (en) * | 2014-08-19 | 2016-04-06 | 腾讯科技(深圳)有限公司 | Account abnormity detection method and account abnormity detection device |
| CN107305611A (en) * | 2016-04-22 | 2017-10-31 | 腾讯科技(深圳)有限公司 | The corresponding method for establishing model of malice account and device, the method and apparatus of malice account identification |
| CN109145595A (en) * | 2018-07-31 | 2019-01-04 | 顺丰科技有限公司 | A kind of user's unusual checking system, method, equipment and storage medium |
| CN109345260A (en) * | 2018-10-09 | 2019-02-15 | 北京芯盾时代科技有限公司 | A kind of fraud detection model training method and device and fraud detection method and device |
| CN109818942A (en) * | 2019-01-07 | 2019-05-28 | 微梦创科网络科技(中国)有限公司 | A kind of user account number method for detecting abnormality and device based on temporal aspect |
-
2019
- 2019-08-06 CN CN201910721718.2A patent/CN112347457A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105471819A (en) * | 2014-08-19 | 2016-04-06 | 腾讯科技(深圳)有限公司 | Account abnormity detection method and account abnormity detection device |
| CN107305611A (en) * | 2016-04-22 | 2017-10-31 | 腾讯科技(深圳)有限公司 | The corresponding method for establishing model of malice account and device, the method and apparatus of malice account identification |
| CN109145595A (en) * | 2018-07-31 | 2019-01-04 | 顺丰科技有限公司 | A kind of user's unusual checking system, method, equipment and storage medium |
| CN109345260A (en) * | 2018-10-09 | 2019-02-15 | 北京芯盾时代科技有限公司 | A kind of fraud detection model training method and device and fraud detection method and device |
| CN109818942A (en) * | 2019-01-07 | 2019-05-28 | 微梦创科网络科技(中国)有限公司 | A kind of user account number method for detecting abnormality and device based on temporal aspect |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113158152A (en) * | 2021-05-13 | 2021-07-23 | 广西科技师范学院 | Computer intelligent auxiliary system based on behavior analysis |
| CN113742719A (en) * | 2021-08-26 | 2021-12-03 | 深圳依时货拉拉科技有限公司 | Order grabbing and plug-in hanging detection method and computer equipment |
| CN113742719B (en) * | 2021-08-26 | 2022-04-15 | 深圳依时货拉拉科技有限公司 | Order grabbing and plug-in hanging detection method and computer equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110399925B (en) | Account risk identification method, device and storage medium | |
| CN107818344B (en) | Method and system for classifying and predicting user behaviors | |
| JP5551704B2 (en) | Evaluating online marketing efficiency | |
| EP2691848B1 (en) | Determining machine behavior | |
| EP2748781B1 (en) | Multi-factor identity fingerprinting with user behavior | |
| CN110442712B (en) | Risk determination method, risk determination device, server and text examination system | |
| CN104836781A (en) | Method distinguishing identities of access users, and device | |
| US9934310B2 (en) | Determining repeat website users via browser uniqueness tracking | |
| CN109345417B (en) | Online assessment method and terminal equipment for business personnel based on identity authentication | |
| CN109978033B (en) | Method and device for constructing same-operator recognition model and method and device for identifying same-operator | |
| US11570214B2 (en) | Crowdsourced innovation laboratory and process implementation system | |
| CN108399565A (en) | Financial product recommendation apparatus, method and computer readable storage medium | |
| CN111090807A (en) | Knowledge graph-based user identification method and device | |
| CN104852916A (en) | Social engineering-based webpage verification code recognition method and system | |
| CN112561565A (en) | User demand identification method based on behavior log | |
| CN114693192A (en) | Wind control decision method and device, computer equipment and storage medium | |
| CN112819611A (en) | Fraud identification method, device, electronic equipment and computer-readable storage medium | |
| CN112347457A (en) | Abnormal account detection method and device, computer equipment and storage medium | |
| CN109711849B (en) | Ether house address portrait generation method and device, electronic equipment and storage medium | |
| JP7015927B2 (en) | Learning model application system, learning model application method, and program | |
| CN112330412A (en) | Product recommendation method and device, computer equipment and storage medium | |
| CN112511632A (en) | Object pushing method, device and equipment based on multi-source data and storage medium | |
| CN115689571A (en) | Abnormal user behavior monitoring method, device, equipment and medium | |
| CN113780318B (en) | Method, device, server and medium for generating prompt information | |
| US10755290B1 (en) | Merchant advertisement informed item level data predictions |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |