CN112434894A - Real-time risk control method, computer equipment and readable storage medium - Google Patents

Info

Publication number: CN112434894A
Authority: CN (China)
Prior art keywords: abnormal; monitoring period; user; risk score; key
Legal status: Pending
Application number: CN201910783934.XA
Other languages: Chinese (zh)
Inventor: 沈中皓
Current Assignee: Shanghai Bilibili Technology Co Ltd
Original Assignee: Shanghai Bilibili Technology Co Ltd
Application filed by Shanghai Bilibili Technology Co Ltd
Priority to CN201910783934.XA
Publication of CN112434894A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/018 Certifying business or products

Abstract

The invention discloses a real-time risk control method comprising generating an IP threat intelligence library and calculating an IP risk score through the IP threat intelligence library, wherein generating the IP threat intelligence library comprises the following steps: collecting behavior logs of a plurality of users within a preset monitoring period during a live broadcast; extracting key data from the behavior logs; obtaining a key value of the key data in a single request interface; comparing the key value with a preset threshold, and acquiring the IP corresponding to a key value exceeding the preset threshold as an abnormal IP; and storing the abnormal IP in the IP threat intelligence library. By obtaining the key value of the key data in a single request interface to find abnormal IPs, and by generating a self-built IP threat intelligence library, the method reduces the probability of misjudgment.

Description

Real-time risk control method, computer equipment and readable storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a real-time risk control method, a computer device, and a readable storage medium.
Background
The network black industry ("black industry" for short) refers to an industrial system in which profit-driven groups with a clear division of labor and close ties use network technology to obtain illegal benefits, for example by intruding into computer information systems and illegally stealing their data, including personal information. To enlarge its profit margins, the black industry spreads as widely as possible, so it is increasingly evolving towards mass production and automation, which presents new challenges to risk control. For example, in marketing, a service platform often runs promotions such as discounts or cash back; the black industry flocks to them, and the resulting large-scale arbitrage is known in the industry as "wool pulling". The most common means is to register a large number of new users to obtain the platform's activity rewards.
In the risk control process, after the IP address information of the user is obtained, the user is queried in the basic IP monitoring library. If the query result indicates that the IP of the user exists, this implies that no risk exists under the scoring rule for the IP address; if the query result indicates that the IP of the user does not exist, this implies that a risk exists under the scoring rule for the IP address, and the risk score is calculated according to the risk scoring rule.
Exploiting these characteristics, users with abnormal behavior evade the tracing of their historical behavior by using newly registered accounts and a small IP proxy pool.
Disclosure of Invention
In view of the above problems, a real-time risk control method, a computer device, and a readable storage medium are provided, in which abnormal IPs are found by obtaining a key value of key data in a single request interface and a self-built IP threat intelligence library is generated, thereby reducing the probability of misjudgment.
The invention provides a real-time risk control method comprising generating an IP threat intelligence library and calculating an IP risk score through the IP threat intelligence library, wherein generating the IP threat intelligence library comprises the following steps:
collecting behavior logs of a plurality of users in a preset monitoring period in a live broadcast process;
extracting key data of the behavior log;
obtaining a key value of the key data in a single request interface;
comparing the key value with a preset threshold value, and acquiring an IP corresponding to the key value exceeding the preset threshold value as an abnormal IP;
and storing the abnormal IP to an IP threat intelligence library.
Preferably, the key data includes the total number of times of requesting to enter a room page and the number of rooms requested to enter.
Preferably, the preset threshold includes a first preset threshold and a second preset threshold, the key value of the total number of times of requesting to enter the room page is compared with the first preset threshold to determine whether the first key point is abnormal, the key value of the number of the room numbers requested to enter is compared with the second preset threshold to determine whether the second key point is abnormal, and an IP that satisfies that the first key point is abnormal and the second key point is also abnormal at the same time is obtained as an abnormal IP.
Preferably, the step of collecting the behavior logs of the plurality of users in a preset monitoring period in the live broadcast process includes collecting the behavior logs of a first monitoring period and a second monitoring period respectively, where the first monitoring period is smaller than the second monitoring period.
Preferably, after storing the abnormal IP to an IP threat intelligence repository, the method further comprises:
monitoring whether the abnormal IP exceeds a monitoring period;
if yes, deleting the expired abnormal IP from the IP threat information library.
Preferably, the step of calculating an IP risk score by the IP threat intelligence repository comprises: acquiring a user IP;
judging whether the user IP exists in an IP threat information library or not;
if yes, judging whether the user IP in the IP threat information library is updated in the monitoring period;
if not, recording the IP risk score of the user as zero score and storing;
if the user IP is updated in the monitoring period, calculating and storing the IP risk score of the user according to a first scoring rule;
and if the user IP is not updated in the monitoring period, calculating and storing the IP risk score of the user according to the second scoring rule.
Preferably, the first scoring rule increases the risk score on the basis of the second scoring rule.
Preferably, increasing the risk score refers to increasing the risk score in a convergent manner.
The invention also provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the real-time risk control method when executing the computer program.
The invention also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the real-time risk control method.
The beneficial effects of the above technical scheme are that:
By obtaining the key value of the key data in a single request interface to find abnormal IPs, and by generating a self-built IP threat intelligence library, the method reduces the probability of misjudgment. The invention selects different risk scoring rules according to how the user IP has been updated in the IP threat intelligence library, and applies a stricter risk evaluation rule that increases the IP risk score of an abnormal IP that appears repeatedly in different calculation periods, so that users with abnormal IPs are effectively controlled and banned.
Drawings
FIG. 1 is a system framework diagram corresponding to the real-time risk control method of the present invention;
FIG. 2 is a main flow chart of the generation of an IP threat intelligence library in the real-time risk control method of the present invention;
FIG. 3 is a flow chart of another embodiment of generating an IP threat intelligence repository in the real-time risk control method of the present invention;
FIG. 4 is a flow chart of calculating an IP risk score in the real-time risk control method of the present invention;
FIG. 5 is a schematic diagram of computing an IP risk score for a user based on a first scoring rule and a second scoring rule;
FIG. 6 is a schematic diagram of the real-time risk control method of the present invention obtaining IP risk scores through a company-level big data platform;
FIG. 7 is a block diagram of the real-time risk control system of the present invention;
FIG. 8 is a schematic diagram of a hardware structure of a computer device of the real-time risk control method according to the present invention.
Detailed Description
The advantages of the invention are further illustrated in the following description of specific embodiments in conjunction with the accompanying drawings.
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. The word "if" as used herein may be interpreted as "at the time of ..." or "when ..." or "in response to a determination", depending on the context.
In the description of the present invention, it should be understood that the numerical references before the steps do not identify the order of performing the steps, but merely serve to facilitate the description of the present invention and to distinguish each step, and thus should not be construed as limiting the present invention.
Referring to fig. 1, in the embodiment of the present application, during the live broadcast, users participate in the live broadcast and lottery activities using terminal devices A, B, C, D and E. The terminal devices A, B, C, D and E transmit the users' behavior data to the server W, and the server W receives and processes the users' event-tracking data and calculates the risk score. To reduce the misjudgment rate, the server W finds abnormal IPs by obtaining key values of the key data in a single request interface and generates a self-built IP threat intelligence library; when the server W scores the IP address item for a user, the risk score is calculated according to the abnormal IP list of the IP threat intelligence library. The server W can select different risk scoring rules according to the risk scores and the monitoring during the blocking period, and applies a stricter risk evaluation rule to users for whom abnormal records are observed, so as to prevent abnormal users from being unblocked quickly and to carry out risk control effectively. Only the case of a single server W is given here; the application scenario may also include a plurality of servers in communication with each other. The server W may be a cloud server or a local server. In the embodiment of the present application, the server W is placed in the cloud.
Referring to fig. 2, the present invention provides a real-time risk control method, including generating an IP threat intelligence library, and calculating an IP risk score through the IP threat intelligence library, where the generating an IP threat intelligence library includes the following steps:
S10: collecting behavior logs of a plurality of users in a preset monitoring period in a live broadcast process;
Behavior logs are a very broad concept in computer systems and an essential component of security audits. Behavior log data is the basis for many enterprise applications, such as troubleshooting, debugging, monitoring, security, anti-fraud, compliance, and electronic forensics. To keep the system running and protect the security of legitimate users, the server W generally keeps a behavior log that records the date and time and the various behavior attributes of the information system's daily events, malfunctions, alarms and errors, and of the users' daily operations.
In this embodiment, the step of collecting the behavior logs of the plurality of users in the preset monitoring period in the live broadcast process includes collecting the behavior logs of a first monitoring period and a second monitoring period respectively, where the first monitoring period is shorter than the second monitoring period. For example, the real-time behavior log of the preceding 20 minutes is computed every 10 minutes, and the real-time behavior log of the preceding 60 minutes is computed every 30 minutes. The first monitoring period is 20 minutes and the second monitoring period is 60 minutes. The data collected in the first monitoring period is more recent, which guarantees timeliness; the data volume collected in the second monitoring period is larger, which guarantees the accuracy of the statistical analysis. Using several monitoring periods at the same time improves both timeliness and accuracy and effectively reduces the probability of misjudgment.
S20: extracting key data of the behavior log;
In this embodiment, the key data in S20 includes the total number of times of requesting to enter the room page and the number of rooms requested to enter.
S30: obtaining a key value of the key data in a single request interface;
The key values in the request interface are illustrated as follows: the URL (Uniform Resource Locator) of an HTTP (Hypertext Transfer Protocol) request generally consists of the protocol (i.e., HTTP), the domain name, the path, and the Query. Valuable information is mostly found in the cookies and in the Query field of the URL, expressed as key-value pairs. The key-value pairs include the ID of the user participating in the network activity, which may be a social network ID, such as a WeChat ID, microblog ID or QQ; an identification code of the user's internet device; the ID of a user browsing an e-commerce website, such as a Taobao ID or Jingdong ID; or personal private information of the user, such as a mobile phone number or identity card. On the one hand, this identity information can be used to describe the user's behavior from multiple angles and to fuse the various IDs, so that every behavior of every person is identified by a uniform ID, a real-world natural person can be depicted more completely and accurately, and more accurate marketing can be performed. On the other hand, the identity information can be encrypted and de-identified, so that a network operator can flexibly use the desensitized internet access behavior data to obtain higher commercial value while fully protecting the user's information privacy.
S40: comparing the key value with a preset threshold value, and acquiring an IP corresponding to the key value exceeding the preset threshold value as an abnormal IP;
In this embodiment, the preset threshold in S40 includes a first preset threshold and a second preset threshold. The key value of the total number of times of requesting to enter the room page is compared with the first preset threshold to determine whether the first key point is abnormal, and the key value of the number of rooms requested to enter is compared with the second preset threshold to determine whether the second key point is abnormal. An IP for which the first key point and the second key point are both abnormal is acquired as an abnormal IP.
For example, the total number of times that the first user requests to enter a room page is 10000, and the number of rooms that the first user requests to enter is 3000 (this can be understood as the first user staying only briefly in a large number of rooms without taking part in the interaction with the live content, and being suspected of artificially inflating certain data). The first user therefore shows suspicious behavior, and the IP1 corresponding to the first user's terminal device is acquired as an abnormal IP. The total number of times the second user requests to enter a room page is also 10000, but the number of rooms the second user requests to enter is 3 (this can be understood as full participation in the interaction in a few rooms of interest), so the second user shows no suspicious behavior.
S50: and storing the abnormal IP to an IP threat intelligence library.
In this embodiment, the monitoring period of S50 is related to the activity rule in the service scenario, so that the IP threat intelligence library can be dynamically adjusted to meet the real-time judgment requirement.
Referring to fig. 3, fig. 3 is a flowchart illustrating another embodiment of generating an IP threat intelligence library in the real-time risk control method according to the present invention, wherein the real-time risk control method includes the following steps:
S10: collecting behavior logs of a plurality of users in a preset monitoring period in a live broadcast process;
S20: extracting key data of the behavior log;
S30: obtaining a key value of the key data in a single request interface;
S40: comparing the key value with a preset threshold value, and acquiring an IP corresponding to the key value exceeding the preset threshold value as an abnormal IP;
S50: storing the abnormal IP to the IP threat intelligence library;
S60: monitoring whether the abnormal IP exceeds a monitoring period; if so, executing step S70; otherwise, continuing to execute step S60;
S70: deleting the expired abnormal IP from the IP threat intelligence library.
For example, in some activity and business scenarios the monitoring period is only one day or a few hours. In this case, even if an offline calculation produces an accurate result some time later, blocking at that point is meaningless from the user dimension. The statistical rules and risk control features must therefore be calculated at the minute or hour level in the business scenario, so that abnormal behavior is identified and blocked in time within the monitoring period. To keep the IP threat intelligence library suitable for the current business scenario, its data needs to be updated in time according to the monitoring requirement, and expired abnormal IPs need to be deleted.
The period in which abnormal IPs are obtained through S10-S50 is the calculation period t, the period after which an expired abnormal IP is deleted is the monitoring period T, and the monitoring period T is greater than the calculation period t. Time is divided in chronological order into a plurality of consecutive scoring cycles t1, t2, t3, ...
Embodiment one: the abnormal IP is deleted after being stored
In a calculation period t1, if the abnormal IPs acquired through S10-S50 include IP1 and the IP threat intelligence library does not yet store IP1, IP1 is stored in the IP threat intelligence library and the countdown of the monitoring period T starts. If the abnormal IPs acquired through S10-S50 in the other calculation periods (calculation period t2, ...) within the monitoring period T do not include IP1, IP1 is deleted from the IP threat intelligence library once the monitoring period T has elapsed.
Embodiment two: the abnormal IP is not deleted after being stored
In a calculation period t1, if the abnormal IPs acquired through S10-S50 include IP1 and the IP threat intelligence library does not yet store IP1, IP1 is stored in the IP threat intelligence library and the countdown of the monitoring period T starts. If the abnormal IPs acquired through S10-S50 in another calculation period (calculation period t2, ...) within the monitoring period T include IP1, the IP threat intelligence library is updated and the countdown of the monitoring period T restarts from the most recent time the abnormal IP was acquired. Because IP1 appears repeatedly in different calculation periods, it is continuously updated in the library and therefore remains stored.
Referring to figs. 4 and 5, in each calculation period a risk score is calculated for the behavior of the user, and the risk score includes an IP risk score. In the real-time risk control method, the step of calculating the IP risk score through the IP threat intelligence library includes:
S510: acquiring a user IP;
S520: judging whether the user IP exists in the IP threat intelligence library; if yes, executing S540; if not, executing S530;
S530: recording and storing the IP risk score of the user as a zero score;
S540: judging whether the user IP in the IP threat intelligence library has been updated within the monitoring period; if yes, executing S550; if not, executing S560;
S550: calculating and saving the IP risk score of the user according to a first scoring rule (such as the IP risk score in the big circle black dot state of FIG. 5);
S560: calculating and saving the IP risk score of the user according to a second scoring rule (such as the IP risk score in the rectangular stripe state of FIG. 5).
In this embodiment, the first scoring rule increases the IP risk score on the basis of the second scoring rule, and the increase is applied in a convergent manner.
Embodiment three: calculating the IP risk score of the user
In a calculation period t1, if the abnormal IPs acquired through S10-S50 include IP1 and the IP threat intelligence library does not yet store IP1, IP1 is stored in the IP threat intelligence library. In the calculation period t1 the risk score of IP1 is calculated as 20 points according to the second scoring rule. Assuming the user's other risk scores total 60 points, the user's total risk score is 80 points; the preset threshold is 100 points, and since 80 points is less than 100 points, the user is not banned.
If, within the monitoring period T, the abnormal IPs acquired through S10-S50 in the calculation period t2 include IP1, the IP threat intelligence library is updated and the countdown of the monitoring period T restarts from the most recent time the abnormal IP was acquired; because IP1 appears repeatedly in different calculation periods, IP1 is updated in the library. In the calculation period t2 the risk score of IP1 is calculated as 50 points according to the first scoring rule. Assuming the user's other risk scores total 60 points, the user's total risk score is 110 points; the preset threshold is 100 points, and since 110 points is greater than 100 points, the user is banned. After the ban, the behavior data generated by the user no longer flows to the real-time computing data source.
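The library generation steps (S10-S70) and the scoring steps (S510-S560) described above, as an added Python example that is not code from the patent. The thresholds, the monitoring period, `SCORE_CAP`, the halving formula used as one reading of "convergent", all function and class names, and the sample events are assumptions or constructed data; only the 20-point and 50-point scores and the 100-point ban threshold come from the text.

```python
from collections import defaultdict
from dataclasses import dataclass

# All constants are assumed for illustration; the text fixes none of them
# except the 20-point and 50-point scores and the 100-point ban threshold.
ENTER_THRESHOLD = 1000    # first preset threshold: room-page entry requests
ROOM_THRESHOLD = 100      # second preset threshold: distinct rooms requested
MONITORING_PERIOD = 3600  # T in seconds; an entry expires T after last update
BASE_SCORE = 20           # second scoring rule (IP flagged once)
SCORE_CAP = 80            # assumed limit the first rule converges towards
BAN_THRESHOLD = 100


def find_abnormal_ips(events, start, end):
    """S10-S40 over one window; events are (timestamp, ip, room_id) tuples."""
    totals, rooms = defaultdict(int), defaultdict(set)
    for ts, ip, room in events:
        if start <= ts < end:
            totals[ip] += 1
            rooms[ip].add(room)
    # Both key points must be abnormal for the IP to be flagged.
    return {ip for ip, n in totals.items()
            if n > ENTER_THRESHOLD and len(rooms[ip]) > ROOM_THRESHOLD}


@dataclass
class Entry:
    last_update: float
    hits: int = 1  # calculation periods in which this IP was flagged


class IPThreatLibrary:
    def __init__(self, monitoring_period=MONITORING_PERIOD):
        self.monitoring_period = monitoring_period
        self.entries = {}

    def expire(self, now):
        """S60-S70: drop IPs not re-flagged within the monitoring period."""
        stale = [ip for ip, e in self.entries.items()
                 if now - e.last_update > self.monitoring_period]
        for ip in stale:
            del self.entries[ip]

    def store(self, abnormal_ips, now):
        """S50: add new IPs; a repeat restarts the countdown (embodiment two)."""
        self.expire(now)
        for ip in abnormal_ips:
            entry = self.entries.get(ip)
            if entry is None:
                self.entries[ip] = Entry(last_update=now)
            else:
                entry.last_update = now
                entry.hits += 1

    def ip_risk_score(self, ip, now):
        """S510-S560: zero, second rule, or first rule."""
        self.expire(now)
        entry = self.entries.get(ip)
        if entry is None:
            return 0           # S530: IP not in the library
        if entry.hits == 1:
            return BASE_SCORE  # S560: second scoring rule
        # S550: first scoring rule. Each repeat closes half of the remaining
        # gap to SCORE_CAP, so the score rises but stays bounded (an assumed
        # reading of "convergent").
        gap = SCORE_CAP - BASE_SCORE
        return SCORE_CAP - gap * 0.5 ** (entry.hits - 1)


def is_banned(ip_score, other_score):
    """Ban when the total risk score exceeds the preset threshold."""
    return ip_score + other_score > BAN_THRESHOLD


def sample_events(start):
    """Constructed data: two IPs, 1200 requests each in a 10-minute window."""
    events = []
    for i in range(1200):
        ts = start + i * 0.5
        events.append((ts, "203.0.113.7", f"room-{i % 300}"))  # 300 rooms
        events.append((ts, "198.51.100.9", f"room-{i % 3}"))   # 3 rooms
    return events
```

Running `find_abnormal_ips` over two consecutive windows of `sample_events` and storing each result reproduces the 20-point, then 50-point progression of embodiment three for the IP that sweeps many rooms, while the IP that stays in three rooms is never flagged.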
Referring to fig. 6, a business party can be configured in the data integration of the company-level big data platform so that the calculated data is output to Kafka. Spark Streaming then reads the data from Kafka, processes it, and outputs it to a Kafka consumer; the Kafka consumer serves the data to the risk control system and stores the risk scores in a Redis database in a defined structure. Spark Streaming is a tool for real-time computation built on Spark.
Referring to fig. 7, the present invention provides a real-time risk control system 1, which calculates a risk score through an IP threat intelligence library, wherein the real-time risk control system 1 includes:
an acquisition module 101, configured to collect behavior logs of a plurality of users in a preset monitoring period in a live broadcast process, and to acquire the user IP;
a feature module 102, configured to extract key data of the behavior log;
a statistical module 103, configured to obtain a key value of the key data in a single request interface;
an IP identification module 104, configured to compare the key value with a preset threshold, and to acquire the IP corresponding to a key value exceeding the preset threshold as an abnormal IP;
a first storage module 105, configured to store the abnormal IP to the IP threat intelligence library;
a threshold obtaining module 106, configured to obtain the preset threshold;
a monitoring module 107, configured to monitor whether the abnormal IP exceeds a monitoring period, and to judge whether the user IP exists in the IP threat intelligence library;
an adjusting module 108, configured to delete the expired abnormal IP;
a calculation module 109, configured to select the first scoring rule or the second scoring rule to calculate the IP risk score of the user according to the update result of the user IP in the IP threat intelligence library within the monitoring period; and
a second storage module 110, configured to store the IP risk score of the user.
In this embodiment, the key data extracted by the feature module 102 includes the total number of times of requesting to enter the room page and the number of rooms requested to enter.
In this embodiment, the acquisition module 101 collects behavior logs of a plurality of users in a preset monitoring period in a live broadcast process, including collecting behavior logs of a first monitoring period and a second monitoring period respectively, where the first monitoring period is shorter than the second monitoring period.
In this embodiment, the first scoring rule increases the risk score on the basis of the second scoring rule, and the increase is applied in a convergent manner.
Referring to fig. 8, the present invention further provides a computer device 2, where the computer device 2 includes:
a memory 21 for storing executable program code; and
a processor 22 for calling said executable program code in said memory 21, the execution steps including the above-mentioned real-time risk control method.
In fig. 8, one processor 22 is taken as an example.
The memory 21 is a non-volatile computer-readable storage medium, and can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as the program instructions/modules corresponding to the real-time risk control method in the embodiment of the present application. The processor 22 executes the various functional applications and data processing of the computer device 2 by running the non-volatile software programs, instructions and modules stored in the memory 21, that is, it implements the real-time risk control method of the above method embodiments.
The memory 21 may include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store the user's event-tracking data on the computer device 2. Further, the memory 21 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some embodiments, the memory 21 optionally includes memory located remotely from the processor 22, and such remote memory may be connected to the real-time risk control system 1 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 21 and, when executed by the one or more processors 22, perform the real-time risk control method in any of the method embodiments described above, e.g., the programs of fig. 2-4 described above.
The product can execute the method provided by the embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method. For technical details that are not described in detail in this embodiment, reference may be made to the methods provided in the embodiments of the present application.
The computer device 2 of the embodiment of the present application exists in various forms, including but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communications. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones, and low-end phones, among others.
(2) An ultra-mobile personal computer device: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as iPads.
(3) A portable entertainment device: such devices can display and play multimedia content. They include audio and video players (e.g., iPods), handheld game consoles, electronic books, smart toys, and portable car navigation devices.
(4) A server: a device that provides computing services, comprising a processor, a hard disk, a memory, a system bus and the like. A server is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has higher requirements for processing capacity, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with data interaction functions.
Still another embodiment of the present application provides a non-transitory computer-readable storage medium storing computer-executable instructions for execution by one or more processors, such as one of the processors 22 in fig. 8, to cause the one or more processors 22 to perform the real-time risk control method in any of the method embodiments described above, such as executing the programs of fig. 2-4 described above.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on at least two network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the embodiments of the present application. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a general hardware platform, and certainly can also be implemented by hardware. It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware related to instructions of a computer program, which can be stored in a computer readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-only memory (ROM), a Random Access Memory (RAM), or the like.
The beneficial effects of the above technical solution are as follows:
Abnormal IPs are identified by obtaining the key values of the key data in a single request interface, and a self-built IP threat intelligence library is generated, which reduces the probability of misjudgment.
The invention selects different risk scoring rules according to whether the user IP has been updated in the IP threat intelligence library, and, for an abnormal IP that appears repeatedly in different calculation periods, applies a stricter risk evaluation rule that increases the IP risk score of that abnormal IP, thereby effectively controlling users with abnormal IPs and achieving banning.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A real-time risk control method, characterized by comprising generating an IP threat intelligence library and calculating an IP risk score through the IP threat intelligence library, wherein generating the IP threat intelligence library comprises the following steps:
collecting behavior logs of a plurality of users in a preset monitoring period in a live broadcast process;
extracting key data of the behavior log;
obtaining a key value of the key data in a single request interface;
comparing the key value with a preset threshold value, and acquiring an IP corresponding to the key value exceeding the preset threshold value as an abnormal IP;
and storing the abnormal IP in the IP threat intelligence library.
2. The method of claim 1, wherein: the key data includes the total number of times of requesting to enter a room page and the number of rooms requested to enter.
3. The method of claim 2, wherein: the preset threshold comprises a first preset threshold and a second preset threshold; the key value of the total number of times of requesting to enter the room page is compared with the first preset threshold to judge whether the first key point is abnormal; the key value of the number of rooms requested to enter is compared with the second preset threshold to judge whether the second key point is abnormal; and an IP for which the first key point and the second key point are both abnormal is obtained as the abnormal IP.
4. The method of claim 1, wherein: the step of collecting the behavior logs of a plurality of users in a preset monitoring period in the live broadcast process comprises the following steps:
respectively collecting behavior logs of a first monitoring period and a second monitoring period, wherein the first monitoring period is shorter than the second monitoring period.
5. The method of claim 1, wherein the step of storing the abnormal IP in the IP threat intelligence library further comprises:
monitoring whether the abnormal IP has exceeded a monitoring period;
if yes, deleting the expired abnormal IP from the IP threat intelligence library.
6. The method of claim 1, wherein the step of calculating an IP risk score through the IP threat intelligence library comprises:
acquiring a user IP;
judging whether the user IP exists in the IP threat intelligence library;
if yes, judging whether the user IP in the IP threat intelligence library has been updated in the monitoring period;
if the user IP does not exist in the IP threat intelligence library, recording the IP risk score of the user as zero and storing it;
if the user IP has been updated in the monitoring period, calculating and storing the IP risk score of the user according to a first scoring rule;
and if the user IP has not been updated in the monitoring period, calculating and storing the IP risk score of the user according to a second scoring rule.
7. The method of claim 6, wherein: the first scoring rule adjusts the risk score upward on the basis of the second scoring rule.
8. The method of claim 7, wherein: adjusting the risk score means adjusting the risk score in a convergent manner.
9. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that: the processor, when executing the computer program, realizes the steps of the method of any one of claims 1 to 8.
10. A computer-readable storage medium having stored thereon a computer program, characterized in that: the computer program when executed by a processor implements the steps of the method of any one of claims 1 to 8.
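The flow of claims 1 to 8, written out as an added Python example that is not code from the patent: per-IP key values are checked against two thresholds, flagged IPs are stored with a timestamp and expired, and the score follows the three branches of claim 6. The threshold and period values, the use of the shorter period as the "updated" window and the longer one as the entry lifetime, the scoring formulas, and all names are assumptions, since the claims do not specify them.

```python
from collections import defaultdict

# Assumed numbers: the claims name these parameters but give no values.
MAX_REQUESTS = 5          # first preset threshold: total room-page requests
MAX_ROOMS = 3             # second preset threshold: distinct rooms requested
SHORT_PERIOD = 60         # first monitoring period (s): window for "updated"
LONG_PERIOD = 600         # second monitoring period (s): entry lifetime
BASE, CAP = 50.0, 100.0   # second-rule score; limit the first rule approaches

def abnormal_ips(events):
    """events: (ip, room_id) pairs seen on one request interface in one period."""
    total, rooms = defaultdict(int), defaultdict(set)
    for ip, room in events:
        total[ip] += 1
        rooms[ip].add(room)
    # Claim 3: abnormal only when BOTH key values exceed their thresholds.
    return {ip for ip in total
            if total[ip] > MAX_REQUESTS and len(rooms[ip]) > MAX_ROOMS}

class ThreatLibrary:
    def __init__(self):
        self.entries = {}  # ip -> [last_updated, detections]

    def ingest(self, events, now):
        for ip in abnormal_ips(events):
            entry = self.entries.setdefault(ip, [now, 0])
            entry[0], entry[1] = now, entry[1] + 1

    def expire(self, now):
        # Claim 5: delete abnormal IPs that have outlived the monitoring period.
        self.entries = {ip: e for ip, e in self.entries.items()
                        if now - e[0] <= LONG_PERIOD}

    def score(self, ip, now):
        self.expire(now)
        entry = self.entries.get(ip)
        if entry is None:
            return 0.0  # claim 6: IP not in the library
        repeats = entry[1] - 1
        if repeats > 0 and now - entry[0] <= SHORT_PERIOD:
            # First rule (assumed form): start from the second-rule score and
            # close half of the remaining gap to CAP per repeat, so it converges.
            return BASE + (CAP - BASE) * (1 - 0.5 ** repeats)
        return BASE  # second rule (assumed constant)

def sample_events():
    """Constructed data: one IP hopping across 8 rooms, one viewer in one room."""
    return ([("203.0.113.7", f"room{i}") for i in range(8)]
            + [("198.51.100.2", "room1")] * 7)
```

The viewer that sends seven requests to a single room exceeds only the first threshold and is never stored, which is the misjudgment case the two-threshold test of claim 3 avoids.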
CN201910783934.XA 2019-08-23 2019-08-23 Real-time risk control method, computer equipment and readable storage medium Pending CN112434894A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910783934.XA CN112434894A (en) 2019-08-23 2019-08-23 Real-time risk control method, computer equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN112434894A true CN112434894A (en) 2021-03-02

Family

ID=74689741

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910783934.XA Pending CN112434894A (en) 2019-08-23 2019-08-23 Real-time risk control method, computer equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN112434894A (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110084007A (en) * 2014-10-13 2019-08-02 阿里巴巴集团控股有限公司 Construction method, device and the terminal of risk control model
CN104702623A (en) * 2015-03-27 2015-06-10 携程计算机技术(上海)有限公司 IP lockout method and system
CN107679897A (en) * 2017-09-25 2018-02-09 北京京东尚科信息技术有限公司 A kind of security risk control method and device
CN108460278A (en) * 2018-02-13 2018-08-28 北京奇安信科技有限公司 A kind of threat information processing method and device
CN109120626A (en) * 2018-08-28 2019-01-01 深信服科技股份有限公司 Security threat processing method, system, safety perception server and storage medium
CN109862003A (en) * 2019-01-24 2019-06-07 深信服科技股份有限公司 Local generation method, device, system and the storage medium for threatening information bank
CN109962927A (en) * 2019-04-17 2019-07-02 杭州安恒信息技术股份有限公司 Based on the anti-attack method for threatening information

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113181637A (en) * 2021-05-10 2021-07-30 上海幻电信息科技有限公司 Game playback method and system
CN113181637B (en) * 2021-05-10 2024-04-16 上海幻电信息科技有限公司 Game playback method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination