CN112825519B - Method and device for identifying abnormal login - Google Patents
Method and device for identifying abnormal login Download PDFInfo
- Publication number
- CN112825519B CN112825519B CN201911148031.0A CN201911148031A CN112825519B CN 112825519 B CN112825519 B CN 112825519B CN 201911148031 A CN201911148031 A CN 201911148031A CN 112825519 B CN112825519 B CN 112825519B
- Authority
- CN
- China
- Prior art keywords
- login
- request
- history
- determining
- initiator
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 79
- 238000000034 method Methods 0.000 title claims abstract description 36
- 239000003999 initiator Substances 0.000 claims abstract description 117
- 238000004590 computer program Methods 0.000 claims description 9
- 230000006399 behavior Effects 0.000 description 11
- 238000010586 diagram Methods 0.000 description 11
- 238000004891 communication Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 6
- 238000012545 processing Methods 0.000 description 6
- 230000003287 optical effect Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 239000000835 fiber Substances 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 239000003795 chemical substances by application Substances 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000010408 sweeping Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
Abstract
The invention discloses a method and a device for identifying abnormal login, and relates to the technical field of computers. One embodiment of the method comprises the following steps: determining a history request record of a login request initiator; determining the login failure condition of the login request initiator according to the history request record and the current login state of the login request initiator; and when the login failure condition meets an abnormal login judgment condition, determining that the login request initiator performs abnormal login. According to the embodiment, under the condition that normal user login passes, abnormal login users can be effectively identified, the identification accuracy is improved, the number scanning behavior can be rapidly and accurately detected, and account safety is guaranteed.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and apparatus for identifying abnormal login.
Background
With the continuous development of the internet industry, black attack events are continuously occurring. An attacker acquires a large number of usernames and passwords through the modes of vulnerability attack on a third-party website or purchase and the like, tries to log in other websites in batches by the acquired usernames and passwords, and acquires the login passwords of the user if the login is successful. At present, the identification of abnormal login behavior is mainly identified through IP request frequency (counting the number of single IP requests in a period of time), request characteristics (characteristic information of http requests, such as user agent, website route reference) and the like.
In the process of implementing the present invention, the inventor finds that at least the following problems exist in the prior art: an attacker uses a large number of hijacked devices to initiate requests, the frequency of a single IP request is very low, the frequency of the single IP request is not very different from that of the IP request of a normal user, and the attacker can dynamically change the request characteristics through a program so as to bypass the identification rule.
Disclosure of Invention
Therefore, the embodiment of the invention provides the method for identifying the abnormal login, which can effectively identify the user with the abnormal login under the condition of ensuring the normal user login passing, and improves the identification accuracy, so that the number scanning behavior can be rapidly and accurately detected, and the account safety is ensured.
To achieve the above object, according to one aspect of the embodiments of the present invention, there is provided a method for identifying an abnormal login, including:
determining a history request record of a login request initiator;
determining the login failure condition of the login request initiator according to the history request record and the current login state of the login request initiator;
and when the login failure condition meets an abnormal login judgment condition, determining that the login request initiator performs abnormal login.
In an alternative embodiment, determining the history request record of the login request originator includes:
determining the IP address of a login request initiator;
and acquiring a history request record of the login request initiator according to the IP address.
In an alternative embodiment, the history request record includes a sweep number identifier and a first request time of the login request initiator;
before determining the login failure condition of the login request initiator, the method further comprises:
determining whether the number scanning mark is out of date according to the first request time;
judging the value of the number scanning mark under the condition that the number scanning mark is not expired;
and if the value of the sign of the scanning number is a preset value, determining that the login request initiator logs in abnormally.
In an alternative embodiment, the login failure condition meeting the abnormal login determination condition includes: the login failure rate is greater than the failure rate threshold.
To achieve the above object, according to another aspect of the embodiments of the present invention, there is provided an apparatus for identifying an abnormal login, including:
the history record determining module is used for determining a history request record of a login request initiator;
the login condition determining module is used for determining the login failure condition of the login request initiator according to the history request record and the current login state of the login request initiator;
and the abnormal login judging module is used for determining that the login request initiator performs abnormal login when the login failure condition meets the abnormal login judging condition.
In an alternative embodiment, the history determination module is further configured to: determining the IP address of a login request initiator; and acquiring a history request record of the login request initiator according to the IP address.
In an alternative embodiment, the history request record includes a sweep number identifier and a first request time of the login request initiator;
the abnormal login judging module is further used for:
determining whether the number scanning mark is out of date according to the first request time;
judging the value of the number scanning mark under the condition that the number scanning mark is not expired;
and if the value of the sign of the scanning number is a preset value, determining that the login request initiator logs in abnormally.
In an alternative embodiment, the login failure condition meeting the abnormal login determination condition includes: the login failure rate is greater than the failure rate threshold.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided an electronic device including: one or more processors; and the storage device is used for storing one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors are enabled to realize the method for identifying abnormal login.
To achieve the above object, according to one aspect of the embodiments of the present invention, there is provided a computer-readable medium having stored thereon a computer program which, when executed by a processor, implements a method of identifying an abnormal login of an embodiment of the present invention.
One embodiment of the above invention has the following advantages or benefits: according to the history request record of the login request initiator and the current login state of the login request initiator, the login failure condition of the login request initiator is determined, when the login failure condition meets the abnormal login judgment condition, the abnormal login means of the login request initiator is determined, the abnormal login user can be effectively identified under the condition that the normal user login passes, the identification accuracy is improved, the number scanning behavior can be rapidly and accurately detected, and the account safety is ensured.
Further effects of the above-described non-conventional alternatives are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of a main flow of a method for identifying an abnormal login according to an embodiment of the present invention;
FIG. 2 is a schematic diagram showing the main flow of a method for identifying an abnormal login according to another embodiment of the present invention
FIG. 3 is a schematic diagram of main modules of an apparatus for identifying an abnormal login according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of an apparatus for identifying an abnormal login according to an embodiment of the present invention;
FIG. 5 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;
fig. 6 is a schematic diagram of a computer system suitable for use in implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a main flow chart of a method for identifying abnormal login according to an embodiment of the present invention, as shown in fig. 1, the method includes:
step S101: a history of the login request originator is determined.
In this embodiment, the history request record includes the history request number and the history login failure number, that is, the total request number and login failure number that the login request originator initiated before the login request.
In an alternative embodiment, the history request record of the login request originator may be obtained according to the following procedure:
determining the IP address of a login request initiator;
and acquiring a history request record of the login request initiator according to the IP address.
In this embodiment, the history request record of the login request initiator corresponding to each IP address may be recorded in the cache. When a new login request is received, a corresponding history request record can be read from the cache according to the current IP address.
Step S102: and determining the login failure condition of the login request initiator according to the history request record and the current login state of the login request initiator.
Wherein the login failure condition includes a login failure rate, which is=login failure number/total request number.
If the current login state of the login request initiator comprises failure and success. If the current login status is failed, the current login failure rate of the login request initiator= (historical login failure times+1)/(total request times+1). If the current login status is successful, the current login failure rate of the login request initiator=the historical login failure times/(the total request times+1).
Step S103: and when the login failure condition meets an abnormal login judgment condition, determining that the login request initiator performs abnormal login.
In this step, the satisfaction of the abnormal login determination condition in the login failure condition includes: the login failure rate is greater than the failure rate threshold. That is, when the current login failure rate of the login request initiator is greater than the failure rate threshold, it is determined that the login request initiator is abnormally logged in. Wherein the failure rate threshold is not limiting in the present invention. As an example, the login failure rate of the normal IP and the login failure rate of the abnormal IP may be obtained through statistics of historical data, and the login failure rate threshold may be determined through a distribution map of the login failure rates.
According to the method for identifying abnormal login, disclosed by the embodiment of the invention, the login failure condition of the login request initiator is determined according to the history request record of the login request initiator and the current login state of the login request initiator, and when the login failure condition meets the abnormal login judgment condition, the means for determining the abnormal login of the login request initiator can effectively identify the user with abnormal login under the condition of ensuring normal user login passing, so that the identification accuracy is improved, the number scanning behavior can be rapidly and accurately detected, and the account safety is ensured.
FIG. 2 is a schematic flow chart of a method for identifying abnormal login according to another embodiment of the present invention, as shown in FIG. 2, the method includes:
step S201: determining the IP address of a login request initiator;
step S202: and acquiring a history request record of the login request initiator according to the IP address, wherein the history request record comprises a scanning number identification (sc), a first request time (ft), a history request time (rc) and a history login failure time (fc) of the login request initiator.
Step S203: determining whether the scan number identification (sc) has expired according to the first request time (ft);
step S204: judging the value of the number scanning mark under the condition that the number scanning mark is not expired;
step S205: if the value of the sign of the scanning number is a preset value, determining that the login request initiator logs in abnormally;
step S206: judging whether the user name and the password of the login request initiator are correct or not under the condition that the value of the number scanning identifier is not a preset value or the number scanning identifier is out of date;
step S207: if the login request is correct, the current login failure rate of the login request initiator=historical login failure times/(total request times+1);
step S208: if not, the current login failure rate of the login request initiator= (historical login failure times+1)/(total request times+1);
step S209: judging whether the current login failure rate of the login request initiator is larger than a failure rate threshold value or not;
step S210: if yes, determining that the login request initiator logs in abnormally;
step S211: if not, determining that the login request initiator logs in normally.
For step S203, the scan number identifier is used to mark whether there is a scan number behavior before a certain IP, if there is a scan number behavior, the value of the scan number identifier corresponding to the IP is marked as a preset value, for example, true; if no number scanning behavior exists, the value of the number scanning identification mark corresponding to the IP is marked as false. Whether the sweep number identification is expired is judged according to the difference between the current time and the first request time (ft) and the preset valid period. The sweep flag is valid if the difference between the current time and the first request time (ft) is less than or equal to a preset valid period, and invalid if the difference between the current time and the first request time (ft) is greater than the preset valid period.
For step S207, the present embodiment determines the login failure condition of the login request initiator according to the history request record and the current login status of the login request initiator, where the login status includes login success and login failure. The current login state of the login request initiator is judged by judging whether the login account and the login password filled by the login request initiator are correct or not. If the current login account number and the login password are correct, the current login state of the login request initiator is successful login. If one of the current login account number and the login password is incorrect, the current login state of the login request initiator is login failure.
According to the method for identifying abnormal login, disclosed by the embodiment of the invention, the login failure condition of the login request initiator is determined according to the history request record of the login request initiator and the current login state of the login request initiator, and when the login failure condition meets the abnormal login judgment condition, the means for determining the abnormal login of the login request initiator can effectively identify the user with abnormal login under the condition of ensuring normal user login passing, so that the identification accuracy is improved, the number scanning behavior can be rapidly and accurately detected, and the account safety is ensured.
Fig. 3 is a schematic diagram of main modules of an apparatus 300 for identifying abnormal login according to an embodiment of the present invention, and as shown in fig. 3, the apparatus 300 includes:
a history determining module 301, configured to determine a history request record of a login request initiator;
a login condition determining module 302, configured to determine a login failure condition of the login request initiator according to the history request record and a current login state of the login request initiator;
an abnormal login determination module 303, configured to determine that the login request initiator performs abnormal login when the login failure condition meets an abnormal login determination condition.
In an alternative embodiment, the history determination module 301 is further configured to:
determining the IP address of a login request initiator;
and acquiring a history request record of the login request initiator according to the IP address.
In an alternative embodiment, the history request record includes a sweep number identifier and a first request time of the login request initiator;
the abnormal login determination module 303 is further configured to: determining whether the number scanning mark is out of date according to the first request time; judging the value of the number scanning mark under the condition that the number scanning mark is not expired; and if the value of the sign of the scanning number is a preset value, determining that the login request initiator logs in abnormally.
In an alternative embodiment, the login failure condition meeting the abnormal login determination condition includes: the login failure rate is greater than the failure rate threshold.
According to the device for identifying abnormal login, disclosed by the embodiment of the invention, the login failure condition of the login request initiator is determined according to the history request record of the login request initiator and the current login state of the login request initiator, and when the login failure condition meets the abnormal login judgment condition, the means for determining the abnormal login of the login request initiator can effectively identify the user with abnormal login under the condition of ensuring normal user login passing, so that the identification accuracy is improved, the number scanning behavior can be rapidly and accurately detected, and the account safety is ensured.
The device can execute the method provided by the embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method. Technical details not described in detail in this embodiment may be found in the methods provided in the embodiments of the present invention.
Fig. 4 is a schematic flow chart of identifying abnormal login of the device identifying abnormal login according to an embodiment of the present invention, and as shown in fig. 4, the process includes:
the client initiates a login request to the service system, and the service system acquires the history request information of the login request initiator according to the IP address of the login request and sends the acquired history request information to a device for identifying abnormal login so as to identify whether the login requester is normally logged in. The device for identifying abnormal login judges whether the login failure rate of the login request initiator is greater than a failure rate threshold value according to the received historical request information and the current login state of the login request initiator so as to judge whether the login request initiator is normally logged in. Specifically, firstly, determining whether the scan number identifier (sc) is out of date according to the first request time; judging the value of the number scanning mark under the condition that the number scanning mark is not expired; if the value of the sign of the scanning number is a preset value, determining that the login request initiator logs in abnormally; if the value of the sign of sweeping number is not the preset value, judging whether the user name and the password of the login request initiator are correct; judging whether the user name and the password of the login request initiator are correct or not under the condition that the number scanning mark is out of date; if the login request is correct, the current login failure rate of the login request initiator=historical login failure times/(total request times+1); if not, the current login failure rate of the login request initiator= (historical login failure times+1)/(total request times+1); judging whether the current login failure rate of the login request initiator is larger than a failure rate threshold value, if so, determining that the login request initiator logs in abnormally, and if not, determining that the login request initiator logs in normally.
According to the device for identifying abnormal login, disclosed by the embodiment of the invention, the login failure condition of the login request initiator is determined according to the history request record of the login request initiator and the current login state of the login request initiator, and when the login failure condition meets the abnormal login judgment condition, the means for determining the abnormal login of the login request initiator can effectively identify the user with abnormal login under the condition of ensuring normal user login passing, so that the identification accuracy is improved, the number scanning behavior can be rapidly and accurately detected, and the account safety is ensured.
Fig. 5 illustrates an exemplary system architecture 500 to which the method of identifying an abnormal login or the apparatus of identifying an abnormal login of an embodiment of the present invention may be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504, and a server 505. The network 504 is used as a medium to provide communication links between the terminal devices 501, 502, 503 and the server 505. The network 504 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 505 via the network 504 using the terminal devices 501, 502, 503 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc., may be installed on the terminal devices 501, 502, 503.
The terminal devices 501, 502, 503 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 505 may be a server providing various services, such as a background management server providing support for shopping-type websites browsed by the user using the terminal devices 501, 502, 503. The background management server can analyze and other processing on the received data such as the product information inquiry request and the like, and feed back processing results (such as target push information and product information) to the terminal equipment.
It should be noted that, the method for identifying abnormal login provided in the embodiment of the present invention is generally executed by the server 505, and accordingly, the device for identifying abnormal login is generally disposed in the server 505.
It should be understood that the number of terminal devices, networks and servers in fig. 5 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 6, there is illustrated a schematic diagram of a computer system 600 suitable for use in implementing an embodiment of the present invention. The terminal device shown in fig. 6 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 601.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be provided in a processor, for example, as: a processor includes a sending module, an obtaining module, a determining module, and a first processing module. The names of these modules do not constitute a limitation on the unit itself in some cases, and for example, the transmitting module may also be described as "a module that transmits a picture acquisition request to a connected server".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be present alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to include:
determining a history request record of a login request initiator;
determining the login failure condition of the login request initiator according to the history request record and the current login state of the login request initiator;
and when the login failure condition meets an abnormal login judgment condition, determining that the login request initiator performs abnormal login.
According to the technical scheme of the embodiment of the invention, the login failure condition of the login request initiator is determined according to the history request record of the login request initiator and the current login state of the login request initiator, and when the login failure condition meets the abnormal login judgment condition, the abnormal login means of the login request initiator is determined, so that the abnormal login user can be effectively identified under the condition that the normal user login passes, the identification accuracy is improved, the number scanning behavior can be rapidly and accurately detected, and the account safety is ensured.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Claims (8)
1. A method of identifying an abnormal login, comprising:
determining a history request record of a login request initiator, wherein the history request record comprises a number scanning identifier, a first request time, history request times and history login failure times of the login request initiator;
determining a login failure condition of the login request initiator according to the history request record and the current login state of the login request initiator, including: identifying the current login state of the login request initiator as success or failure, and calculating a corresponding login failure rate according to the history request record and the current login state;
when the login failure condition meets an abnormal login judgment condition, determining that the login request initiator performs abnormal login;
the history request record comprises a number scanning identifier of the login request initiator and first request time; before determining the login failure condition of the login request initiator, the method further comprises: determining whether the scanning number identification is out of date or not according to the first request time, the difference value between the current time and the first request time and a preset effective time period; judging the value of the number scanning mark under the condition that the number scanning mark is not expired, wherein the value of the number scanning mark is determined through the number scanning behavior; and if the value of the sign of the scanning number is a preset value, determining that the login request initiator logs in abnormally.
2. The method of claim 1, wherein determining a history request record for a login request originator comprises:
determining the IP address of a login request initiator;
and acquiring a history request record of the login request initiator according to the IP address.
3. The method of claim 1, wherein the login failure condition meeting an abnormal login determination condition comprises: the login failure rate is greater than the failure rate threshold.
4. An apparatus for identifying an abnormal login, comprising:
the history record determining module is used for determining a history request record of a login request initiator, wherein the history request record comprises a number scanning identifier, a first request time, a history request time and a history login failure time of the login request initiator;
the login condition determining module is configured to determine a login failure condition of the login request initiator according to the history request record and a current login state of the login request initiator, and includes: identifying the current login state of the login request initiator as success or failure, and calculating a corresponding login failure rate according to the history request record and the current login state;
the abnormal login judging module is used for determining that the login request initiator logs in abnormally when the login failure condition meets the abnormal login judging condition;
the history request record comprises a number scanning identifier of the login request initiator and first request time; the abnormal login judging module is further used for: determining whether the scanning number identification is out of date or not according to the first request time, the difference value between the current time and the first request time and a preset effective time period; judging the value of the number scanning mark under the condition that the number scanning mark is not expired, wherein the value of the number scanning mark is determined through the number scanning behavior; and if the value of the sign of the scanning number is a preset value, determining that the login request initiator logs in abnormally.
5. The apparatus of claim 4, wherein the history determination module is further configured to:
determining the IP address of a login request initiator;
and acquiring a history request record of the login request initiator according to the IP address.
6. The apparatus of claim 4, wherein the login failure condition satisfying an abnormal login determination condition comprises: the login failure rate is greater than the failure rate threshold.
7. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
when executed by the one or more processors, causes the one or more processors to implement the method of any of claims 1-3.
8. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-3.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911148031.0A CN112825519B (en) | 2019-11-21 | 2019-11-21 | Method and device for identifying abnormal login |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911148031.0A CN112825519B (en) | 2019-11-21 | 2019-11-21 | Method and device for identifying abnormal login |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112825519A CN112825519A (en) | 2021-05-21 |
| CN112825519B true CN112825519B (en) | 2024-04-09 |
Family
ID=75907451
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911148031.0A Active CN112825519B (en) | 2019-11-21 | 2019-11-21 | Method and device for identifying abnormal login |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112825519B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113296982A (en) * | 2021-05-27 | 2021-08-24 | 北京京东振世信息技术有限公司 | Interface calling method and device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106027520A (en) * | 2016-05-19 | 2016-10-12 | 微梦创科网络科技(中国)有限公司 | Method and device for detecting and processing stealing of website accounts |
| CN106209862A (en) * | 2016-07-14 | 2016-12-07 | 微梦创科网络科技(中国)有限公司 | A kind of steal-number defence implementation method and device |
| CN108092975A (en) * | 2017-12-07 | 2018-05-29 | 上海携程商务有限公司 | Recognition methods, system, storage medium and the electronic equipment of abnormal login |
| CN110213199A (en) * | 2018-02-28 | 2019-09-06 | 中国移动通信集团有限公司 | Method, device and system for monitoring database collision attack and computer storage medium |
-
2019
- 2019-11-21 CN CN201911148031.0A patent/CN112825519B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106027520A (en) * | 2016-05-19 | 2016-10-12 | 微梦创科网络科技(中国)有限公司 | Method and device for detecting and processing stealing of website accounts |
| CN106209862A (en) * | 2016-07-14 | 2016-12-07 | 微梦创科网络科技(中国)有限公司 | A kind of steal-number defence implementation method and device |
| CN108092975A (en) * | 2017-12-07 | 2018-05-29 | 上海携程商务有限公司 | Recognition methods, system, storage medium and the electronic equipment of abnormal login |
| CN110213199A (en) * | 2018-02-28 | 2019-09-06 | 中国移动通信集团有限公司 | Method, device and system for monitoring database collision attack and computer storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112825519A (en) | 2021-05-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109981647B (en) | Method and apparatus for detecting brute force cracking | |
| CN108989369B (en) | Method and system for limiting current of user request | |
| CN113271296B (en) | Login authority management method and device | |
| CN111104675A (en) | Method and device for detecting system security vulnerability | |
| CN110445632B (en) | Method and device for preventing client from crashing | |
| CN109150790B (en) | Web page crawler identification method and device | |
| CN110704820A (en) | Login processing method and device, electronic equipment and computer readable storage medium | |
| CN112825519B (en) | Method and device for identifying abnormal login | |
| CN107634942B (en) | Method and device for identifying malicious request | |
| CN116566739B (en) | Security detection system, electronic equipment and storage medium | |
| CN112702229A (en) | Data transmission method, device, electronic equipment and storage medium | |
| CN113114611B (en) | Blacklist management method and device | |
| CN113722193A (en) | Method and device for detecting page abnormity | |
| CN114238928A (en) | Method and device for remote server management | |
| CN110875831B (en) | Method and device for monitoring network quality | |
| CN111259369B (en) | Man-machine identity verification method and system | |
| CN108471635B (en) | Method and apparatus for connecting wireless access points | |
| CN109087097B (en) | Method and device for updating same identifier of chain code | |
| CN111786936A (en) | Method and device for authentication | |
| CN110610365A (en) | Method and device for identifying transaction request | |
| CN111178696A (en) | Service processing time overtime early warning method and device | |
| CN112448931B (en) | Network hijacking monitoring method and device | |
| US11086990B2 (en) | Security module for mobile devices | |
| CN112866179B (en) | Current limiting method and current limiting device | |
| CN107729482B (en) | Method and device for collecting logs |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant |