CN112437034A - False terminal detection method and device, storage medium and electronic device - Google Patents


Publication number
CN112437034A
Authority
CN
China
Prior art keywords
terminal
detected
data
value
account
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910791889.2A
Other languages
Chinese (zh)
Other versions
CN112437034B (en)
Inventor
范小龙
李文
杨正朋
张谋辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201910791889.2A priority Critical patent/CN112437034B/en
Publication of CN112437034A publication Critical patent/CN112437034A/en
Application granted granted Critical
Publication of CN112437034B publication Critical patent/CN112437034B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a false terminal detection method and device, a storage medium and an electronic device. The method comprises the following steps: acquiring data to be detected of a terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account logged in on the terminal to be detected; performing integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected; and determining the terminal to be detected to be a false terminal when the target abnormal value is greater than a preset threshold. The invention solves the technical problem of low accuracy of false terminal detection in the related art.

Description

False terminal detection method and device, storage medium and electronic device
Technical Field
The invention relates to the field of computers, in particular to a false terminal detection method and device, a storage medium and an electronic device.
Background
In the related art, false terminals are detected mainly through front-end instrumentation (tracking points), protocol verification and the like, for example by adding various verification status bits to the communication protocol or by using an encrypted ID.
However, under the frequent daily attack requests from the black-market (underground) industry, these protocols are quickly cracked, and protocol instrumentation falls into an endless cycle of countermeasures, so the cost of confrontation is very high.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a false terminal detection method and device, a storage medium and an electronic device, which are used for at least solving the technical problem of low false terminal detection accuracy in the related technology.
According to an aspect of the embodiments of the present invention, there is provided a false terminal detection method, including: acquiring data to be detected of a terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account logged in on the terminal to be detected; performing integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected; and determining the terminal to be detected to be a false terminal when the target abnormal value is greater than a preset threshold.
According to another aspect of the embodiments of the present invention, there is also provided a false terminal detection apparatus, including: an acquisition unit, configured to acquire data to be detected of a terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account logged in on the terminal to be detected; an analysis unit, configured to perform integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected; and a determining unit, configured to determine the terminal to be detected to be a false terminal when the target abnormal value is greater than a preset threshold.
As an optional implementation, the analysis unit includes: the first acquisition module is used for acquiring a first abnormal value matched with the hardware data; the second acquisition module is used for acquiring a second abnormal value matched with the network environment data; the third acquisition module is used for acquiring a third abnormal value matched with the account behavior data; the fourth acquisition module is used for acquiring a fourth abnormal value matched with the associated account data; and the calculation module is used for performing weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain the target abnormal value.
As an optional implementation manner, the first obtaining module includes: the first obtaining sub-module is used for obtaining a white list corresponding to the hardware data of the terminal to be detected, wherein the white list comprises the hardware data of the entity terminal; the first determining submodule is used for determining the first abnormal value as a first target value under the condition that the white list is detected not to include the hardware data of the terminal to be detected.
As an optional implementation manner, the network environment data of the terminal to be detected includes: the protocol version number used by the terminal to be detected, the number of terminals under the IP where the terminal to be detected is located, the reported data of the terminal to be detected, and the number of requests of the terminal to be detected; and the second acquisition module includes: a second determining submodule, configured to determine the first abnormal sub-value as a second target value when the protocol version number is different from the standard version number; a third determining submodule, configured to determine the second abnormal sub-value as a third target value when the number of terminals under the IP where the terminal to be detected is located is greater than the first threshold; a fourth determining submodule, configured to determine the third abnormal sub-value as a fourth target value when the reported data is abnormal; a fifth determining submodule, configured to determine the fourth abnormal sub-value as a fifth target value when the number of requests of the terminal to be detected is greater than the second threshold; and a first calculation submodule, configured to fuse the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain the second abnormal value.
As an optional implementation manner, the account behavior data includes a login time period, a login position, and an operation scenario of the account that logs in the terminal to be detected, and the third obtaining module includes: a sixth determining submodule, configured to determine, when the login time period is not within a range of a common login time period, a fifth abnormal sub-value as a sixth target value; a seventh determining submodule, configured to determine a sixth abnormal sub-value as a seventh target value when the login position is different from the common login position; an eighth determining submodule, configured to determine a seventh exception sub-value as an eighth target value when the operation scenario is different from a common operation scenario; and the second calculation submodule is used for fusing the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
As an optional implementation manner, the associated account data includes an account associated with an account logged in the terminal to be detected, and the fourth obtaining module includes: and the ninth determining submodule is used for determining the fourth abnormal value as a ninth target value under the condition that the terminal logged by the account related to the account logged in the terminal to be detected is a false terminal.
According to still another aspect of the embodiments of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is configured to execute the above-mentioned false terminal detection method when running.
According to another aspect of the embodiments of the present invention, there is also provided an electronic apparatus, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the above-mentioned false terminal detection method through the computer program.
In the embodiment of the present invention, data to be detected of a terminal to be detected is acquired, where the data to be detected includes at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account logged in on the terminal to be detected. Integrated analysis is performed on the data to be detected to obtain a target abnormal value of the terminal to be detected, and the terminal to be detected is determined to be a false terminal when the target abnormal value is greater than a preset threshold. Because any of these four kinds of data is acquired and then analyzed to obtain the result of whether the terminal to be detected is a false terminal, the accuracy of detecting the terminal to be detected is improved, which solves the technical problem of low accuracy of false terminal detection in the related art.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of an application environment of an alternative false terminal detection method according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating an alternative false terminal detection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an alternative false terminal detection method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an alternative false terminal detection apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an aspect of the embodiments of the present invention, a false terminal detection method is provided, and optionally, as an optional implementation manner, the false terminal detection method may be applied to, but is not limited to, the environment shown in fig. 1.
User device 102 in fig. 1 may interact with server 106 via network 104. The server 106 comprises a database 108 for storing interaction data and a processing engine 110 for processing the interaction data.
The server 106 may obtain data to be detected of the user device 102, where the data to be detected includes at least one of: account behavior data of the account logged in on the user device 102, hardware data of the user device 102, network environment data of the user device 102, and associated account data of the account logged in on the user device 102. After acquiring the data to be detected, the server may analyze it to obtain a result that determines whether the user device 102 is a false device.
According to the scheme, any one of the account behavior data of the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of the account of the terminal to be detected is acquired, and then the data to be detected is analyzed to obtain a result of whether the terminal to be detected is a false terminal, so that the accuracy of detection of the terminal to be detected is improved.
Alternatively, the network may include, but is not limited to, a wireless network or a wired network. Wherein, this wireless network includes: bluetooth, WIFI, and other networks that enable wireless communication. Such wired networks may include, but are not limited to: wide area networks, metropolitan area networks, and local area networks. The server may include, but is not limited to, any hardware device capable of performing computations.
Optionally, as an optional implementation manner, as shown in fig. 2, the false terminal detection method includes:
S202, acquiring data to be detected of the terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account logged in on the terminal to be detected;
S204, performing integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected;
S206, determining the terminal to be detected to be a false terminal when the target abnormal value is greater than the preset threshold.
Optionally, the terminal to be detected in this scheme may be, but is not limited to, an automaton. If multiple different accounts of the same type are logged in on the automaton, behaviors such as inflating likes and posting comments can be carried out through those accounts. In this way, a small number of devices operating in large-scale batches can produce a large amount of false traffic for the relevant Internet platforms.
Optionally, the above false terminal detection method can be applied to, but is not limited to, the field of false traffic detection. For example, for an account that logs in to a client application, to detect whether the terminal the account is logged in on is an automaton, that terminal is taken as the terminal to be detected and its data to be detected is acquired, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account logged in on the terminal to be detected; integrated analysis is performed on the data to be detected to obtain a target abnormal value of the terminal to be detected; and the terminal to be detected is determined to be a false terminal when the target abnormal value is greater than a preset threshold. The false terminal may be an automaton.
According to the scheme, any one of account behavior data of the terminal to be detected, which is used for logging in the account of the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected and associated account data of the account of the terminal to be detected is acquired, and then the data to be detected is analyzed to obtain a result of whether the terminal to be detected is a false terminal, so that the accuracy of detection of the terminal to be detected is improved.
Optionally, in this scheme, when analyzing and detecting the terminal to be detected, the terminal may be analyzed according to one kind, or a combination of several kinds, of the data to be detected, so as to determine whether it is a false terminal. For example, whether the terminal to be detected is a false terminal is determined using the account behavior data of the account logged in on the terminal to be detected and the hardware data of the terminal to be detected. Alternatively, it is determined according to the account behavior data of the account logged in on the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of that account.
Optionally, it may be determined whether the terminal to be detected is a false terminal by using account behavior data for logging in an account of the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected. In the process of determining whether the terminal to be detected is a false terminal by using the four data to be detected, the data to be detected can be integrated and analyzed to obtain a target abnormal value of the terminal to be detected.
Optionally, each of the four types of data to be detected corresponds to an abnormal value. Acquiring a first abnormal value matched with the hardware data; acquiring a second abnormal value matched with the network environment data; acquiring a third abnormal value matched with the account behavior data; acquiring a fourth abnormal value matched with the associated account data; and carrying out weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain a target abnormal value.
Optionally, the obtaining the first outlier matching the hardware data comprises: acquiring a white list corresponding to hardware data of a terminal to be detected, wherein the white list comprises the hardware data of an entity terminal; and under the condition that the white list is detected not to include the hardware data of the terminal to be detected, determining the first abnormal value as a first target value.
For example, a white list is preset, and the hardware data of normal terminal devices is stored in the white list. The hardware data may include the type of the terminal device. After the hardware data of the terminal to be detected is obtained, the white list is searched to check whether it contains that hardware data. If it does not, the first abnormal value is determined to be the first target value. The first abnormal value may initially be zero, and the first target value is a value greater than that initial value. The first target value may be any value.
Optionally, the network environment data of the terminal to be detected includes: the protocol version number used by the terminal to be detected, the number of terminals under the IP where the terminal to be detected is located, the reported data of the terminal to be detected, and the number of requests of the terminal to be detected. Acquiring a second abnormal value matched with the network environment data includes: determining the first abnormal sub-value as a second target value when the protocol version number is different from the standard version number; determining the second abnormal sub-value as a third target value when the number of terminals under the IP where the terminal to be detected is located is greater than the first threshold; determining the third abnormal sub-value as a fourth target value when the reported data is abnormal; determining the fourth abnormal sub-value as a fifth target value when the number of requests of the terminal to be detected is greater than a second threshold; and fusing the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain the second abnormal value.
Alternatively, the second abnormal value may be the sum of the first through fourth abnormal sub-values. For example, when the first abnormal sub-value is determined, it is checked whether the protocol version number of the terminal to be detected is the standard version number. If it is not, the first abnormal sub-value is determined to be the second target value. The second target value is greater than the initial first abnormal sub-value. When the second abnormal sub-value is determined, the number of terminals under the IP where the terminal to be detected is located can be checked. If that number is too large, the probability that the terminal to be detected is a false terminal is high, and the second abnormal sub-value is determined to be the third target value. The third target value may be a value greater than the initial second abnormal sub-value.
Optionally, after the first abnormal sub-value to the fourth abnormal sub-value are determined, the first abnormal sub-value to the fourth abnormal sub-value are subjected to weighted summation to obtain a second abnormal value.
Optionally, the account behavior data includes the login time period, the login location and the operation scenario of the account logged in on the terminal to be detected, and calculating the third abnormal value of the terminal to be detected from the account behavior data includes: determining the fifth abnormal sub-value as a sixth target value when the login time period is not within the range of the common login time period; determining the sixth abnormal sub-value as a seventh target value when the login location is different from the common login location; determining the seventh abnormal sub-value as an eighth target value when the operation scenario is different from the common operation scenario; and fusing the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
For example, take a first account on the client to be detected, which usually logs in to the first application client between 7 pm and 9 pm every day. If the account logs in to the first application client at 8 am on a certain day, the login is determined to be outside the common login time period. If the account normally logs in from one place and at some point logs in from a different place, the account is considered not to have logged in at the common login location. If an account usually watches videos after logging in, and on a certain day publishes videos after logging in, the account is considered not to be in its common operation scenario.
Optionally, after the fifth to seventh exception sub-values are determined, weighted summation may be performed on the fifth to seventh exception sub-values to obtain a third exception value.
Optionally, the associated account data includes an account associated with an account logged in the terminal to be detected, and calculating a fourth abnormal value of the terminal to be detected according to the associated account data includes: and determining the fourth abnormal value as a ninth target value under the condition that the terminal logged by the account related to the account logged in the terminal to be detected is a false terminal.
For example, if a friend who logs in the account of the terminal to be detected or a terminal logged in by another account in the address book is a false terminal, the fourth abnormal value of the terminal to be detected is the ninth target value. The ninth target value is greater than the fourth outlier.
Optionally, the data to be detected used to determine the first through fourth abnormal values can be flexibly combined in this scheme. For example, the first and second abnormal values may be determined by the methods described above, while the third abnormal value may be determined according to the operations performed by the terminal to be detected. In this case, the terminal to be detected may perform actions without logging in an account, such as registering, viewing videos or browsing web pages; further examples are registration, video or traffic generation, and login, click, like, forward and browsing duration in different scenarios. The third abnormal value of the terminal to be detected is determined from these behaviors. For example, the behaviors include normal behavior and abnormal behavior. An abnormal behavior may be an excessive number of operations within a predetermined period, for example a huge number of logins, clicks or likes in that period; in that case the third abnormal value needs to be set to a higher value. If the behaviors of the terminal to be detected are normal, the third abnormal value may be a lower value or zero. The fourth abnormal value may be determined according to the attributes of the account logged in on the terminal to be detected, for example the user age of the account, the account level, whether a mobile phone is bound or real-name authentication has been completed, the registration length, whether there have been multiple violation operations, and the like. If the account's data meets the requirements and no abnormal operation has been performed, the fourth abnormal value is small or zero. If the attributes of the account do not meet the predetermined requirements and the account has performed violation operations multiple times, the fourth abnormal value grows with the number of violation operations and the amount of abnormal data.
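The scoring flow described above (four abnormal values, fused sub-values, weighted summation, threshold test) can be sketched as follows. This is an added example, not code from the patent: the class and function names are hypothetical, and every target value, weight and threshold is an assumed number, since the text leaves them open.

```python
from dataclasses import dataclass, field

# Every constant here is an assumption; the patent leaves target values,
# weights and thresholds unspecified.
STANDARD_PROTOCOL_VERSION = "3.2"   # assumed standard version number
FIRST_THRESHOLD = 50                # assumed max terminals under one IP
SECOND_THRESHOLD = 1000             # assumed max requests per terminal
PRESET_THRESHOLD = 0.5              # assumed cut-off for the target abnormal value
WEIGHTS = {"hardware": 0.3, "network": 0.3, "behavior": 0.2, "associated": 0.2}


@dataclass
class Terminal:
    hardware_model: str
    protocol_version: str
    terminals_on_ip: int
    report_ok: bool
    request_count: int
    login_hour: int
    login_location: str
    scenario: str
    associated_accounts: list = field(default_factory=list)


@dataclass
class Profile:
    """Common (historical) behavior of the account logged in on the terminal."""
    usual_hours: range
    usual_location: str
    usual_scenario: str


def fuse(flags):
    """Fuse abnormal sub-values. Each raised flag counts as a target value of 1;
    fusion is an equal-weight average, one possible form of weighted summation."""
    return sum(flags) / len(flags)


def first_abnormal_value(t, whitelist):
    # Zero by default; raised to the first target value when not whitelisted.
    return 0.0 if t.hardware_model in whitelist else 1.0


def second_abnormal_value(t):
    return fuse([
        t.protocol_version != STANDARD_PROTOCOL_VERSION,  # first sub-value
        t.terminals_on_ip > FIRST_THRESHOLD,              # second sub-value
        not t.report_ok,                                  # third sub-value
        t.request_count > SECOND_THRESHOLD,               # fourth sub-value
    ])


def third_abnormal_value(t, p):
    return fuse([
        t.login_hour not in p.usual_hours,     # fifth sub-value
        t.login_location != p.usual_location,  # sixth sub-value
        t.scenario != p.usual_scenario,        # seventh sub-value
    ])


def fourth_abnormal_value(t, false_terminal_accounts):
    # Raised when any associated account was seen on a known false terminal.
    hit = any(a in false_terminal_accounts for a in t.associated_accounts)
    return 1.0 if hit else 0.0


def target_abnormal_value(t, p, whitelist, false_terminal_accounts):
    parts = {
        "hardware": first_abnormal_value(t, whitelist),
        "network": second_abnormal_value(t),
        "behavior": third_abnormal_value(t, p),
        "associated": fourth_abnormal_value(t, false_terminal_accounts),
    }
    return sum(WEIGHTS[k] * v for k, v in parts.items())


def is_false_terminal(t, p, whitelist, false_terminal_accounts):
    score = target_abnormal_value(t, p, whitelist, false_terminal_accounts)
    return score > PRESET_THRESHOLD


# Constructed sample data (not from the patent).
WHITELIST = {"vendor-phone-x1", "vendor-phone-x2"}
FALSE_TERMINAL_ACCOUNTS = {"acct-9001"}
PROFILE = Profile(range(19, 21), "city-1", "watch_video")  # logs in 7 pm to 9 pm
REAL = Terminal("vendor-phone-x1", "3.2", 3, True, 40, 20,
                "city-1", "watch_video", ["acct-1002"])
ODD_HOUR = Terminal("vendor-phone-x1", "3.2", 3, True, 40, 8,
                    "city-1", "watch_video", ["acct-1002"])
BOT = Terminal("emulator-generic", "2.9", 200, True, 5000, 8,
               "city-1", "publish_video", ["acct-9001"])

if __name__ == "__main__":
    for name, t in [("REAL", REAL), ("ODD_HOUR", ODD_HOUR), ("BOT", BOT)]:
        score = target_abnormal_value(t, PROFILE, WHITELIST, FALSE_TERMINAL_ACCOUNTS)
        print(name, round(score, 3), score > PRESET_THRESHOLD)
```

With these assumed weights, a single deviation such as an unusual login hour stays well under the threshold, while several independent signals together push the terminal over it.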
The following description is made with reference to a specific example. As shown in fig. 3, fig. 3 is a diagram illustrating that after data to be detected of a terminal to be detected is acquired, the data to be detected is analyzed item by item to obtain corresponding abnormal values, and finally, the target abnormal values are judged to determine whether the terminal to be detected is a false terminal.
The process in this embodiment mainly comprises three modules: basic data, feature mining and false-device recognition. The basic data module collects basic device attribute features and device operation behavior data. The basic device data includes software and hardware attribute data; the environment operation data includes the operating IP, time, associated account, protocol version and so on; the behavior data includes trajectory data such as operation time and business scenario, historical behavior in the scenario, common behavior and so on. The feature mining module cleans and digitizes the collected data, builds a complete device portrait, and provides basic features for the subsequent analyses. Cleaning removes erroneous collected data: for example, records in which the IP or the core device ID was not collected are removed, and records with insufficient behavior data are also removed. Digitizing converts the original raw behavior logs into numerical features, for example by taking the differences between the timestamps of a sequence of click operations to obtain difference features, and by converting software version, hardware ID, network card and the like into category-value features. The device portrait (established from historical data) records the binding relationships between the device ID and IP, region, time and user, the device's common login region, common IP, common behavior habits (such as daily login and usage frequency), common usage time period, common users and so on; this establishes the historical portrait features of the device.
The false-device recognition is built on massive device data and related scenario behavior data. The overall data volume is billions of records per day or more, the model is updated regularly every day, and the detection results for false malicious devices can be recalculated regularly and dynamically to cope with changes in device attributes.
When the basic data module collects data to be detected, the basic data module mainly collects related equipment behavior data recorded by a front end and a background, and can be specifically divided into 4 categories of original basic data: direct behavior class: the operation behavior track of the associated user on the device comprises service scene ID records of registration, login, message sending, praise refreshing and the like, and violation operation records in a plurality of scenes, wherein the commonly used behavior records are as follows: including common time/IP/region/software version, etc.; the software information class: the method mainly comprises the steps of system information, virtual machine identification, special process ID identification and the like on a current terminal; hardware information class: CPU, memory ID, network card ID, etc.; the acquisition method is different from platform to platform, but the data is uniform in category. The environmental information class: client IP, client version, client protocol, etc.; in the acquisition process, desensitization treatment is carried out on relevant sensitive information, and numeralization and redundant data filtering treatment are carried out on part of detection data.
During feature mining, the method mainly integrates mass data such as equipment attributes, application program materials, registration and login of equipment, social behaviors and the like, and deeply extracts multi-dimensional effective features including core basic features such as active days, black birth and bad time, common APP rate, social activity, use days, login days and the like, wherein the feature number is 200-dimensional +, and can be continuously expanded according to scenes. The feature mining module is used for preprocessing the data, mainly performing feature conversion extraction on the data and performing filtering and completion processing on the noise data. Such as: and performing version time, new and old version and other feature conversion on the client version, performing time sequence difference feature extraction and modeling on the keyboard timestamp, and performing filtering processing on the repeated interference data.
The false terminal identification part is mainly used for establishing a multi-latitude false hypothesis comprehensive discrimination model aiming at various extracted data, and the false terminal identification part can be mainly divided into four categories. And (3) abnormal detection of the terminal: and detecting equipment attribute tampering/root/hook/simulator through detection data reported by the multi-platform terminal program, and outputting a first abnormal value. Checking an environmental protocol: the method mainly detects the abnormality of the network and the protocol environment used by the equipment, and counts the number of users/equipment/clients under the same IP, the number of users/requests under the same equipment and the like to obtain a second abnormal value according to the protocol version number, the equipment aggregation degree on the IP and whether the network reported data is normal. Analyzing a behavior track: the method mainly aims at analyzing the track of the common behaviors used by the equipment, establishes a common use time period, a common use place, a common use service scene and other characteristic images, finally outputs a third abnormal value, and identifies whether the equipment has multiple illegal abnormal operations. And (3) social behavior association checking: the method is characterized in that a batch group operation equipment group is analyzed and a highly malicious equipment group is excavated by utilizing the historical operation behaviors of equipment-associated users and the direct association relationship of the users, such as a social network formed by IP login/address list/friend attributes and the like, and the fourth abnormal value of the equipment is comprehensively output. And finally, comprehensively weighting the first abnormal value to the fourth abnormal value to obtain a final target abnormal value. 
And judging the target abnormal value so as to judge whether the terminal to be detected is a false terminal.
For the malicious and normal sample mining part of the abnormal classification model, unsupervised and semi-supervised algorithms are mainly performed offline for analysis, for example, a plurality of category groups are distinguished through a clustering algorithm, a malicious virtual hypothesis group is extracted through related abnormal features to serve as a false malicious sample, and then a normal sample is sampled from other categories. Non- (semi-) supervised analysis algorithms include kmeans, PCA, LPA, etc.
The supervised classification model method used by the abnormal classification model is not limited to the traditional machine learning method, but also can be realized by using logistic regression, random forests, gradient lifting trees and the like, or a deep learning model, a convolutional neural network and the like, and each sub-model can be realized by adopting one or more methods for combined weighting.
According to this embodiment, any one of the account behavior data of the account logged in on the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected, and the associated account data of the account of the terminal to be detected is acquired, and the data to be detected is then analyzed to determine whether the terminal to be detected is a false terminal, which improves the accuracy of detecting the terminal to be detected.
As an optional implementation scheme, performing integration analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected includes:
S1, acquiring a first abnormal value matched with the hardware data;
S2, acquiring a second abnormal value matched with the network environment data;
S3, acquiring a third abnormal value matched with the account behavior data;
S4, acquiring a fourth abnormal value matched with the associated account data;
S5, performing weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain the target abnormal value.
Optionally, in the present scheme, in the process of determining whether the terminal to be detected is a false terminal, whether the terminal to be detected is a false terminal is determined by using a combination of four data, namely account behavior data for logging in an account of the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected, so that the effect of improving the detection accuracy of the terminal to be detected is achieved.
As an optional embodiment, acquiring the first abnormal value matched with the hardware data includes:
S1, acquiring a white list corresponding to the hardware data of the terminal to be detected, wherein the white list includes the hardware data of entity terminals;
S2, determining the first abnormal value as a first target value when it is detected that the white list does not include the hardware data of the terminal to be detected.
Optionally, in this scheme, it is detected whether the hardware data of the terminal to be detected is in the white list. If the terminal to be detected is an automaton or other such terminal, the white list does not include its hardware data, so the first abnormal value of the terminal to be detected is acquired accurately.
As an optional implementation, the network environment data of the terminal to be detected includes: the protocol version number used by the terminal to be detected, the number of terminals under the IP of the terminal to be detected, the reported data of the terminal to be detected, and the number of requests of the terminal to be detected; acquiring a second abnormal value matched with the network environment data includes:
S1, determining the first abnormal sub-value as a second target value when the protocol version number is different from the standard version number;
S2, determining the second abnormal sub-value as a third target value when the number of terminals under the IP of the terminal to be detected is greater than the first threshold;
S3, determining the third abnormal sub-value as a fourth target value when the network-reported data is abnormal;
S4, determining the fourth abnormal sub-value as a fifth target value when the number of requests of the terminal to be detected is greater than the second threshold;
S5, fusing the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain the second abnormal value.
Optionally, in this scheme, the terminal to be detected may be a false terminal when its protocol version number is not the standard version number. There may be multiple terminals under the IP of the terminal to be detected; if the number of terminals is large, the terminal to be detected is probably a false terminal. If the data reported by the terminal to be detected is abnormal, the terminal to be detected may be a false terminal. If the number of requests of the terminal to be detected within the preset time is large, the terminal to be detected is probably a false terminal.
The second abnormal value is determined by determining the first abnormal sub-value to the fourth abnormal sub-value, so that the accuracy of determining the second abnormal value is improved.
As an optional implementation, the account behavior data includes the login time period, the login position, and the operation scene of the account logged in on the terminal to be detected, and calculating a third abnormal value of the terminal to be detected according to the account behavior data includes:
S1, determining the fifth abnormal sub-value as a sixth target value when the login time period is not within the range of the common login time period;
S2, determining the sixth abnormal sub-value as a seventh target value when the login position is different from the common login position;
S3, determining the seventh abnormal sub-value as an eighth target value when the operation scene is different from the common operation scene;
S4, fusing the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
According to this embodiment, determining the third abnormal value in this way increases the third abnormal value of an account that does not log in at its common place and common time or does not operate in its common operation scene, which improves the accuracy of determining the third abnormal value.
As an optional implementation scheme, the associated account data includes an account associated with an account logged in the terminal to be detected, and calculating a fourth abnormal value of the terminal to be detected according to the associated account data includes:
S1, determining the fourth abnormal value as a ninth target value when the terminal logged in by an account associated with the account logged in on the terminal to be detected is a false terminal.
According to this embodiment, the fourth abnormal value is determined according to whether an account associated with the account logged in on the terminal to be detected is logged in on a false terminal, which improves the accuracy of determining the fourth abnormal value.
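The scoring procedure described in the steps above (whitelist check, four network sub-values, three behavior sub-values, associated-account check, weighted summation, threshold), as an added Python example that is not part of the patent. All weights, target values, thresholds, field names and sample terminals are constructed assumptions; the patent leaves the target values and thresholds open.

```python
from dataclasses import dataclass, field

# Every constant here is an assumption for illustration: the patent leaves
# target values, weights and thresholds open.
HARDWARE_WHITELIST = {"vendorA-phone-x1", "vendorB-tab-7"}  # constructed entries
STANDARD_PROTOCOL_VERSION = "3.2"
MAX_TERMINALS_PER_IP = 20        # the "first threshold"
MAX_REQUESTS_PER_WINDOW = 500    # the "second threshold"
WEIGHTS = {"hardware": 0.35, "network": 0.25, "behavior": 0.20, "associated": 0.20}
FALSE_TERMINAL_THRESHOLD = 0.5   # the "predetermined threshold"
TARGET = 1.0                     # value a (sub-)score takes when its check fires


@dataclass
class Profile:
    """Historical portrait of the account/device: its usual habits."""
    usual_hours: range
    usual_locations: frozenset
    usual_scenes: frozenset


@dataclass
class Terminal:
    """Data to be detected for one terminal (hypothetical field names)."""
    hardware_model: str
    protocol_version: str
    terminals_on_ip: int
    report_ok: bool
    request_count: int
    login_hour: int
    login_location: str
    scene: str
    associated_on_false_terminal: list = field(default_factory=list)


def fuse(flags):
    """Fuse sub-values by equal-weight summation so the result stays in [0, 1]."""
    return sum(TARGET if f else 0.0 for f in flags) / len(flags)


def hardware_score(t):
    # First abnormal value: hardware data absent from the whitelist.
    return 0.0 if t.hardware_model in HARDWARE_WHITELIST else TARGET


def network_score(t):
    # Second abnormal value: four sub-values, then fusion.
    return fuse([
        t.protocol_version != STANDARD_PROTOCOL_VERSION,
        t.terminals_on_ip > MAX_TERMINALS_PER_IP,
        not t.report_ok,
        t.request_count > MAX_REQUESTS_PER_WINDOW,
    ])


def behavior_score(t, p):
    # Third abnormal value: deviation from the usual time, place and scene.
    return fuse([
        t.login_hour not in p.usual_hours,
        t.login_location not in p.usual_locations,
        t.scene not in p.usual_scenes,
    ])


def associated_score(t):
    # Fourth abnormal value: any associated account seen on a false terminal.
    return TARGET if any(t.associated_on_false_terminal) else 0.0


def assess(t, p):
    """Return (target abnormal value, is_false_terminal, per-dimension scores)."""
    scores = {
        "hardware": hardware_score(t),
        "network": network_score(t),
        "behavior": behavior_score(t, p),
        "associated": associated_score(t),
    }
    target = sum(WEIGHTS[k] * v for k, v in scores.items())
    return target, target > FALSE_TERMINAL_THRESHOLD, scores


# Constructed sample data.
PROFILE = Profile(range(19, 21), frozenset({"city-A"}), frozenset({"watch_video"}))
GENUINE = Terminal("vendorA-phone-x1", "3.2", 3, True, 40, 20, "city-A", "watch_video")
TRAVELLER = Terminal("vendorA-phone-x1", "3.2", 3, True, 40, 8, "city-B", "publish_video")
EMULATOR = Terminal("generic-x86-emulator", "2.9", 150, True, 2000, 8, "city-A",
                    "publish_video", [False, True])

if __name__ == "__main__":
    for name, term in [("genuine", GENUINE), ("traveller", TRAVELLER), ("emulator", EMULATOR)]:
        target, is_false, scores = assess(term, PROFILE)
        print(f"{name:10s} target={target:.3f} false_terminal={is_false} {scores}")
```

The traveller case shows why the four dimensions are fused: a deviation in behavior alone contributes at most its weight and stays under the threshold, while the emulator trips several dimensions at once.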
As an optional implementation, after acquiring the data to be detected of the terminal to be detected, the method further includes:
S1, deleting sensitive data in the data to be detected, wherein the sensitive data is private data of the account of the terminal to be detected.
According to the embodiment, the privacy and the safety of the user are protected by deleting the sensitive data in the data to be detected.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
According to another aspect of the embodiments of the present invention, there is also provided a false terminal detection apparatus for implementing the above false terminal detection method. As shown in fig. 4, the apparatus includes:
(1) an obtaining unit 402, configured to obtain data to be detected of a terminal to be detected, where the data to be detected includes at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected;
(2) the analysis unit 404 is configured to perform integration analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected;
(3) a determining unit 406, configured to determine that the terminal to be detected is a false terminal if the target abnormal value is greater than the predetermined threshold.
Optionally, the device to be detected in this scheme may be, but is not limited to, an automaton. If multiple different accounts of the same type are logged in on the automaton, behaviors such as inflating likes and posting comments can be carried out through the different accounts. By setting up a small number of devices to perform large-scale batch operations, a large amount of false traffic can be produced for the related Internet platforms.
Optionally, the above false terminal detection method can be applied to, but is not limited to, the field of false traffic detection. For example, for an account logged in to a client application, it is detected whether the terminal on which the account is logged in is an automaton. The terminal on which the account is logged in is taken as the terminal to be detected, and data to be detected of the terminal to be detected is obtained, wherein the data to be detected includes at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected. Integration analysis is performed on the data to be detected to obtain a target abnormal value of the terminal to be detected, and the terminal to be detected is determined to be a false terminal when the target abnormal value is greater than a predetermined threshold. The false terminal may be an automaton.
According to this scheme, any one of the account behavior data of the account logged in on the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected, and the associated account data of the account of the terminal to be detected is acquired, and the data to be detected is then analyzed to determine whether the terminal to be detected is a false terminal, which improves the accuracy of detecting the terminal to be detected.
Optionally, in this scheme, when analyzing and detecting the terminal to be detected, the terminal may be analyzed according to one kind, or a combination of several kinds, of the above data to be detected, to determine whether it is a false terminal. For example, whether the terminal to be detected is a false terminal is determined by using the account behavior data of the account logged in on the terminal to be detected and the hardware data of the terminal to be detected. Or, whether the terminal to be detected is a false terminal is determined according to the account behavior data of the account of the terminal to be detected, the network environment data of the terminal to be detected, and the associated account data of the account of the terminal to be detected.
Optionally, it may be determined whether the terminal to be detected is a false terminal by using account behavior data for logging in an account of the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected. In the process of determining whether the terminal to be detected is a false terminal by using the four data to be detected, the data to be detected can be integrated and analyzed to obtain a target abnormal value of the terminal to be detected.
Optionally, each of the four types of data to be detected corresponds to an abnormal value. Acquiring a first abnormal value matched with the hardware data; acquiring a second abnormal value matched with the network environment data; acquiring a third abnormal value matched with the account behavior data; acquiring a fourth abnormal value matched with the associated account data; and carrying out weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain a target abnormal value.
Optionally, acquiring the first abnormal value matched with the hardware data includes: acquiring a white list corresponding to the hardware data of the terminal to be detected, wherein the white list includes the hardware data of entity terminals; and determining the first abnormal value as a first target value when it is detected that the white list does not include the hardware data of the terminal to be detected.
For example, a white list is preset, and the hardware data of normal terminal devices is stored in the white list. The hardware data may include the type of the terminal device. After the hardware data of the terminal to be detected is obtained, the white list is searched to determine whether it contains that hardware data. If the hardware data is not included in the white list, the first abnormal value is determined as a first target value. The first abnormal value may be zero, and the first target value is a value greater than the first abnormal value. The first target value may be any value.
Optionally, the network environment data of the terminal to be detected includes: the protocol version number used by the terminal to be detected, the number of terminals under the IP of the terminal to be detected, the reported data of the terminal to be detected, and the number of requests of the terminal to be detected; acquiring a second abnormal value matched with the network environment data includes: determining the first abnormal sub-value as a second target value when the protocol version number is different from the standard version number; determining the second abnormal sub-value as a third target value when the number of terminals under the IP of the terminal to be detected is greater than the first threshold; determining the third abnormal sub-value as a fourth target value when the network-reported data is abnormal; determining the fourth abnormal sub-value as a fifth target value when the number of requests of the terminal to be detected is greater than the second threshold; and fusing the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain the second abnormal value.
Optionally, the second abnormal value may be the sum of the first abnormal sub-value through the fourth abnormal sub-value. For example, when the first abnormal sub-value is determined, it is determined whether the protocol version number of the terminal to be detected is the standard version number. If it is not, the first abnormal sub-value is determined as a second target value. The second target value is greater than the first abnormal sub-value. When the second abnormal sub-value is determined, the number of terminals under the IP where the terminal to be detected is located can be detected. If the number is too large, the probability that the terminal to be detected is a false terminal is high, and the second abnormal sub-value is determined as the third target value. The third target value may be a value greater than the second abnormal sub-value.
Optionally, after the first abnormal sub-value to the fourth abnormal sub-value are determined, the first abnormal sub-value to the fourth abnormal sub-value are subjected to weighted summation to obtain a second abnormal value.
Optionally, the account behavior data includes the login time period, the login position, and the operation scene of the account logged in on the terminal to be detected, and calculating the third abnormal value of the terminal to be detected according to the account behavior data includes: determining the fifth abnormal sub-value as a sixth target value when the login time period is not within the range of the common login time period; determining the sixth abnormal sub-value as a seventh target value when the login position is different from the common login position; determining the seventh abnormal sub-value as an eighth target value when the operation scene is different from the common operation scene; and fusing the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
For example, taking the first account of the client to be detected as an example, the first account usually logs in to the first application client between 7 pm and 9 pm every day. If the account logs in to the first application client at 8 am on some day, it is determined that the account logged in outside the common login time period. If the account normally logs in at one location and on some day logs in at a different location, the account is considered not to have logged in at the common login location. If an account usually watches videos after logging in and on some day publishes a video after logging in, the account is considered not to be in its common operation scene.
Optionally, after the fifth to seventh abnormal sub-values are determined, weighted summation may be performed on the fifth to seventh abnormal sub-values to obtain the third abnormal value.
Optionally, the associated account data includes an account associated with an account logged in the terminal to be detected, and calculating a fourth abnormal value of the terminal to be detected according to the associated account data includes: and determining the fourth abnormal value as a ninth target value under the condition that the terminal logged by the account related to the account logged in the terminal to be detected is a false terminal.
For example, if the terminal logged in by a friend of the account logged in on the terminal to be detected, or by another account in its address book, is a false terminal, the fourth abnormal value of the terminal to be detected is the ninth target value. The ninth target value is greater than the fourth abnormal value.
According to this embodiment, any one of the account behavior data of the account logged in on the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected, and the associated account data of the account of the terminal to be detected is acquired, and the data to be detected is then analyzed to determine whether the terminal to be detected is a false terminal, which improves the accuracy of detecting the terminal to be detected.
As an alternative embodiment, the analysis unit comprises:
(1) a first acquisition module, configured to acquire a first abnormal value matched with the hardware data;
(2) a second acquisition module, configured to acquire a second abnormal value matched with the network environment data;
(3) a third acquisition module, configured to acquire a third abnormal value matched with the account behavior data;
(4) a fourth acquisition module, configured to acquire a fourth abnormal value matched with the associated account data;
(5) a calculation module, configured to perform weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain the target abnormal value.
Optionally, in the present scheme, in the process of determining whether the terminal to be detected is a false terminal, whether the terminal to be detected is a false terminal is determined by using a combination of four data, namely account behavior data for logging in an account of the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected, so that the effect of improving the detection accuracy of the terminal to be detected is achieved.
As an optional implementation, the first acquisition module includes:
(1) a first acquisition submodule, configured to acquire a white list corresponding to the hardware data of the terminal to be detected, wherein the white list includes the hardware data of entity terminals;
(2) a first determining submodule, configured to determine the first abnormal value as the first target value when it is detected that the white list does not include the hardware data of the terminal to be detected.
Optionally, in this scheme, it is detected whether the hardware data of the terminal to be detected is in the white list. If the terminal to be detected is an automaton or other such terminal, the white list does not include its hardware data, so the first abnormal value of the terminal to be detected is acquired accurately.
As an optional implementation, the network environment data of the terminal to be detected includes: the protocol version number used by the terminal to be detected, the number of terminals under the IP of the terminal to be detected, the reported data of the terminal to be detected, and the number of requests of the terminal to be detected; the second acquisition module includes:
(1) a second determining submodule, configured to determine the first abnormal sub-value as a second target value when the protocol version number is different from the standard version number;
(2) a third determining submodule, configured to determine the second abnormal sub-value as a third target value when the number of terminals under the IP where the terminal to be detected is located is greater than the first threshold;
(3) a fourth determining submodule, configured to determine the third abnormal sub-value as a fourth target value when the network-reported data is abnormal;
(4) a fifth determining submodule, configured to determine the fourth abnormal sub-value as a fifth target value when the number of requests of the terminal to be detected is greater than the second threshold;
(5) a first calculation submodule, configured to fuse the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain the second abnormal value.
Optionally, in this scheme, the terminal to be detected may be a false terminal when its protocol version number is not the standard version number. There may be multiple terminals under the IP of the terminal to be detected; if the number of terminals is large, the terminal to be detected is probably a false terminal. If the data reported by the terminal to be detected is abnormal, the terminal to be detected may be a false terminal. If the number of requests of the terminal to be detected within the preset time is large, the terminal to be detected is probably a false terminal.
The second abnormal value is determined by determining the first abnormal sub-value to the fourth abnormal sub-value, so that the accuracy of determining the second abnormal value is improved.
As an optional implementation, the account behavior data includes the login time period, the login position, and the operation scene of the account logged in on the terminal to be detected, and the third acquisition module includes:
(1) a sixth determining submodule, configured to determine the fifth abnormal sub-value as the sixth target value when the login time period is not within the range of the common login time period;
(2) a seventh determining submodule, configured to determine the sixth abnormal sub-value as a seventh target value when the login position is different from the common login position;
(3) an eighth determining submodule, configured to determine the seventh abnormal sub-value as an eighth target value when the operation scene is different from the common operation scene;
(4) a second calculation submodule, configured to fuse the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
According to this embodiment, determining the third abnormal value in this way increases the third abnormal value of an account that does not log in at its common place and common time or does not operate in its common operation scene, which improves the accuracy of determining the third abnormal value.
As an optional implementation, the associated account data includes an account associated with an account logged in the terminal to be detected, and the fourth obtaining module includes:
(1) a ninth determining submodule, configured to determine the fourth abnormal value as the ninth target value when the terminal logged in by an account associated with the account logged in on the terminal to be detected is a false terminal.
According to this embodiment, the fourth abnormal value is determined according to whether an account associated with the account logged in on the terminal to be detected is logged in on a false terminal, which improves the accuracy of determining the fourth abnormal value.
As an alternative embodiment, the above apparatus further comprises:
(1) a deleting unit, configured to delete sensitive data in the data to be detected after the data to be detected of the terminal to be detected is acquired, wherein the sensitive data is private data of the account of the terminal to be detected.
According to the embodiment, the privacy and the safety of the user are protected by deleting the sensitive data in the data to be detected.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device for implementing the above-mentioned false terminal detection method, as shown in fig. 5, the electronic device includes a memory 502 and a processor 504, the memory 502 stores a computer program therein, and the processor 504 is configured to execute the steps in any one of the above-mentioned method embodiments through the computer program.
Optionally, in this embodiment, the electronic apparatus may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, acquiring data to be detected of the terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected;
S2, performing integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected;
S3, determining the terminal to be detected as a false terminal when the target abnormal value is greater than the preset threshold value.
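The steps S1 to S3, combined with the weighted summation, sub-value fusion and sensitive-data deletion described for the method, can be sketched as follows. This is an added example, not code from the patent: the field names, weights, thresholds, the target values (fixed at 1.0) and the use of a mean for "fusing" are all assumptions, since the page leaves them open, and the sample records are constructed.

```python
"""Added illustration of steps S1-S3; every constant and field name is an assumption."""

# Assumed tuning values: the patent leaves target values, weights and thresholds open.
WEIGHTS = {"hardware": 0.3, "network": 0.3, "behavior": 0.2, "associated": 0.2}
PRESET_THRESHOLD = 0.5
STANDARD_PROTOCOL_VERSION = "2.1"   # constructed standard version number
MAX_TERMINALS_PER_IP = 20           # the "first threshold"
MAX_REQUESTS = 1000                 # the "second threshold"
SENSITIVE_FIELDS = {"phone_number", "real_name"}  # hypothetical privacy fields

def strip_sensitive(record):
    """Delete the account's privacy data right after acquisition."""
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}

def fuse(sub_values):
    """'Fusing' is not defined on the page; the mean of the sub-values is assumed."""
    return sum(sub_values) / len(sub_values)

def hardware_value(rec, whitelist):
    # First abnormal value: hardware data absent from the whitelist of physical terminals.
    return 0.0 if rec["hardware_model"] in whitelist else 1.0

def network_value(rec):
    # Second abnormal value: four sub-values, each set to an assumed target value of 1.0.
    return fuse([
        1.0 if rec["protocol_version"] != STANDARD_PROTOCOL_VERSION else 0.0,
        1.0 if rec["terminals_on_ip"] > MAX_TERMINALS_PER_IP else 0.0,
        1.0 if rec["reported_data_abnormal"] else 0.0,
        1.0 if rec["request_count"] > MAX_REQUESTS else 0.0,
    ])

def behavior_value(rec, profile):
    # Third abnormal value: login period, login position and operation scene vs. the usual ones.
    start, end = profile["usual_hours"]
    return fuse([
        0.0 if start <= rec["login_hour"] < end else 1.0,
        0.0 if rec["login_city"] == profile["usual_city"] else 1.0,
        0.0 if rec["scene"] in profile["usual_scenes"] else 1.0,
    ])

def associated_value(rec, false_terminals):
    # Fourth abnormal value: an associated account has logged in on a known false terminal.
    return 1.0 if set(rec["associated_terminals"]) & false_terminals else 0.0

def detect(record, whitelist, profile, false_terminals):
    """Return (target abnormal value, is_false_terminal) for one terminal record."""
    rec = strip_sensitive(record)                            # S1 plus privacy deletion
    values = {
        "hardware": hardware_value(rec, whitelist),
        "network": network_value(rec),
        "behavior": behavior_value(rec, profile),
        "associated": associated_value(rec, false_terminals),
    }
    target = sum(WEIGHTS[k] * v for k, v in values.items())  # S2: weighted summation
    return target, target > PRESET_THRESHOLD                 # S3: threshold decision

# Constructed sample inputs.
WHITELIST = {"Pixel 3", "iPhone 8"}
PROFILE = {"usual_hours": (8, 23), "usual_city": "Shenzhen", "usual_scenes": {"chat", "feed"}}
FALSE_TERMINALS = {"dev-0451"}
EMULATED = {"hardware_model": "generic_x86", "protocol_version": "1.0", "terminals_on_ip": 150,
            "reported_data_abnormal": True, "request_count": 5000, "login_hour": 3,
            "login_city": "Unknown", "scene": "bulk_follow",
            "associated_terminals": ["dev-0451"], "phone_number": "000-0000"}
SHARED_NAT = {"hardware_model": "Pixel 3", "protocol_version": "2.1", "terminals_on_ip": 150,
              "reported_data_abnormal": False, "request_count": 40, "login_hour": 20,
              "login_city": "Shenzhen", "scene": "chat",
              "associated_terminals": ["dev-0007"], "phone_number": "000-0001"}

if __name__ == "__main__":
    for name, rec in (("emulated", EMULATED), ("shared NAT", SHARED_NAT)):
        print(name, detect(rec, WHITELIST, PROFILE, FALSE_TERMINALS))
```

The second record shows why the signals are combined before thresholding: a whitelisted phone behind a busy shared IP trips only one network sub-value and stays well under the threshold.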
Alternatively, it can be understood by those skilled in the art that the structure shown in fig. 5 is only an illustration, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 5 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, etc.) than shown in FIG. 5, or have a different configuration than shown in FIG. 5.
The memory 502 may be used to store software programs and modules, such as program instructions/modules corresponding to the false terminal detection method and apparatus in the embodiments of the present invention, and the processor 504 executes various functional applications and data processing by running the software programs and modules stored in the memory 502, that is, the false terminal detection method described above is implemented. The memory 502 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 502 may further include memory located remotely from the processor 504, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 502 may be, but is not limited to, used for storing information such as data to be detected. As an example, as shown in fig. 5, the memory 502 may include, but is not limited to, the acquiring unit 402, the analyzing unit 404, and the determining unit 406 of the false terminal detecting device. In addition, other module units in the above false terminal detection device may also be included, but are not limited to this, and are not described in detail in this example.
Optionally, the transmission device 506 is used for receiving or sending data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 506 includes a Network adapter (NIC) that can be connected to a router via a Network cable and other Network devices to communicate with the internet or a local area Network. In one example, the transmission device 506 is a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In addition, the electronic device further includes: a display 508 for displaying the determination result; and a connection bus 510 for connecting the respective module parts in the above-described electronic apparatus.
According to a further aspect of embodiments of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above-mentioned method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, acquiring data to be detected of the terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected;
S2, performing integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected;
S3, determining the terminal to be detected as a false terminal when the target abnormal value is greater than the preset threshold value.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A false terminal detection method is characterized by comprising the following steps:
acquiring data to be detected of a terminal to be detected, wherein the data to be detected comprises at least one of the following data: account behavior data of an account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected and associated account data of the account of the terminal to be detected;
performing integration analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected;
and determining the terminal to be detected as a false terminal under the condition that the target abnormal value is greater than a preset threshold value.
2. The method according to claim 1, wherein the performing the integrated analysis on the data to be detected to obtain the target abnormal value of the terminal to be detected comprises:
acquiring a first abnormal value matched with the hardware data;
acquiring a second abnormal value matched with the network environment data;
acquiring a third abnormal value matched with the account behavior data;
acquiring a fourth abnormal value matched with the associated account data;
and performing weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain the target abnormal value.
3. The method of claim 2, wherein obtaining the first outlier that matches the hardware data comprises:
acquiring a white list corresponding to the hardware data of the terminal to be detected, wherein the white list comprises the hardware data of the entity terminal;
and under the condition that the white list is detected not to include the hardware data of the terminal to be detected, determining the first abnormal value as a first target value.
4. The method according to claim 2, wherein the network environment data of the terminal to be detected comprises: the protocol version number used by the terminal to be detected, the number of terminals under the IP where the terminal to be detected is located, the reported data of the terminal to be detected, and the number of requests of the terminal to be detected, and the acquiring of the second abnormal value matched with the network environment data includes:
when the protocol version number is different from the standard version number, determining a first abnormal sub-value as a second target value;
determining a second abnormal sub-value as a third target value under the condition that the number of the terminals under the IP of the terminal to be detected is greater than a first threshold value;
determining a third abnormal sub-value as a fourth target value under the condition that the reported data is abnormal;
determining a fourth abnormal sub-value as a fifth target value under the condition that the request number of the terminal to be detected is greater than a second threshold value;
and fusing the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain the second abnormal value.
5. The method according to claim 2, wherein the account behavior data includes a login time period, a login position, and an operation scene of the account logged in on the terminal to be detected, and the calculating the third abnormal value of the terminal to be detected according to the account behavior data includes:
determining a fifth abnormal sub-value as a sixth target value when the login time period is not within the range of the common login time period;
determining a sixth abnormal sub-value as a seventh target value under the condition that the login position is different from the common login position;
determining a seventh abnormal sub-value as an eighth target value under the condition that the operation scene is different from the common operation scene;
and fusing the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
6. The method according to claim 2, wherein the associated account data includes an account associated with an account logged in on the terminal to be detected, and the calculating a fourth abnormal value of the terminal to be detected according to the associated account data includes:
and determining the fourth abnormal value as a ninth target value under the condition that the terminal logged by the account related to the account logged in the terminal to be detected is a false terminal.
7. The method according to claim 1, further comprising, after acquiring the data to be detected of the terminal to be detected:
and deleting sensitive data in the data to be detected, wherein the sensitive data is privacy data of an account number of the terminal to be detected.
8. A false terminal detection apparatus, comprising:
an acquisition unit, configured to acquire data to be detected of a terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of an account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected and associated account data of the account of the terminal to be detected;
an analysis unit, configured to perform integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected;
and a determining unit, configured to determine the terminal to be detected as a false terminal under the condition that the target abnormal value is greater than a preset threshold value.
9. A storage medium storing a computer program, characterized in that the computer program executes the method of any of claims 1 to 7 when running.
10. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 7 by means of the computer program.
CN201910791889.2A 2019-08-26 2019-08-26 False terminal detection method and device, storage medium and electronic device Active CN112437034B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910791889.2A CN112437034B (en) 2019-08-26 2019-08-26 False terminal detection method and device, storage medium and electronic device


Publications (2)

Publication Number Publication Date
CN112437034A (en) 2021-03-02
CN112437034B (en) 2022-11-22

Family

ID=74689856


Country Status (1)

Country Link
CN (1) CN112437034B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant