CN114465977A - Method, device, equipment and storage medium for detecting mailbox login abnormity - Google Patents


Info

Publication number: CN114465977A
Application number: CN202210013302.7A
Authority: CN (China)
Prior art keywords: login, records, list, mailbox, record
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 林延中, 潘庆峰
Current assignee: Guangdong Yingshi Computer Technology Co ltd
Original assignee: Guangdong Yingshi Computer Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a method, device, equipment and storage medium for detecting mailbox login abnormality. The method comprises the following steps: acquiring all login records of a user mailbox, and establishing a trusted IP list and a standard user portrait from preset normal mails in that mailbox; acquiring the longitude and latitude of the region corresponding to each login record from a preset geographic information base of login IPs, where each login record comprises a login IP and a login time; sequentially calculating, in login-time order, the switching speed between the regions of each two adjacent login records, and screening out suspicious login records against a preset speed threshold; and removing, according to the trusted IP list and the standard user portrait, the suspicious login records that match them, and taking the suspicious login records remaining after removal as abnormal records. The invention solves the prior-art problem of low accuracy of login anomaly detection when the login region switches.

Description

Method, device, equipment and storage medium for detecting mailbox login abnormity
Technical Field
The invention relates to the field of network information security, and in particular to a method, device, equipment and storage medium for detecting mailbox login abnormality.
Background
Detecting unauthorized logins to electronic mailboxes is an important application in the field of mail security. Electronic mail is used very widely, and the security of enterprise mailboxes bears directly on the interests of companies and other organizations: most enterprises, government departments and research institutions use enterprise mail to transmit, revise and approve documents, many of which contain highly confidential data. Because an e-mail is forwarded through several mail servers in transit, an attacker has opportunities along the way. Mailbox passwords leak in many ways, including but not limited to: phishing mails (the user is tricked into clicking an unknown link in a mail that leads to an illegitimate login page, where the account password is stolen); brute-force cracking (a large number of IPs rapidly try a large number of passwords against a large number of accounts, and accounts with simple passwords are cracked with some probability); trojans (a trojan installed on the client machine steals the account password and sends it out by mail or another channel); and credential stuffing, or "library collision" (the user reuses the same password across several websites, so once one site's back end is breached and the password obtained, the same password can be used to log in to other systems, including the corresponding mail system). Since attack methods are unlimited, one can only assume that a user's mailbox password will be stolen for some reason, and a method is therefore needed to judge whether the user themself or some other unauthorized user is currently logging in.
At present, most security detection for mailbox login risk control targets one specific leakage path. For example, the attacker's IPs are obtained by methods such as clustering, and the common login IPs of suspicious mailboxes are finally used to identify the attacker; but against attackers who have a large number of proxies and can log in to stolen accounts from different IPs, or against low-frequency, sustained monitoring of a small number of high-value accounts, a method based on common login IPs cannot always capture the abnormal login. For brute-force cracking, a threshold is set on the same IP trying a large number of different accounts and a large number of different passwords. For risk control of remote logins, two-factor authentication must additionally be performed on the logged-in user; but when the user uses a proxy such as a VPN (virtual private network) to switch geographic position, or when different IP geolocation databases return the wrong location for an IP with some probability, the login process becomes cumbersome and may even fail.
Therefore, a policy for detecting login abnormality of enterprise mailboxes is needed to solve the prior-art problem that a user's use of a proxy causes a login region switch, which in turn causes false alarms and inaccurate detection.
Disclosure of Invention
The invention provides a method, device, equipment and storage medium for detecting mailbox login abnormality, aiming to solve the prior-art problem of low accuracy of login abnormality detection when the login region switches.
To solve the above technical problem, an embodiment of the present invention provides a method for detecting mailbox login abnormality, comprising:
acquiring all login records of a user mailbox, and establishing a trusted IP list and a standard user portrait from preset normal mails in the user mailbox;
acquiring the longitude and latitude of the region corresponding to each login record from a preset geographic information base of login IPs, wherein each login record comprises a login IP and a login time;
sequentially calculating, in login-time order, the switching speed between the longitude and latitude of the regions of each two adjacent login records, and screening out suspicious login records against a preset speed threshold;
and removing, according to the trusted IP list and the standard user portrait, the suspicious login records that match them, and taking the suspicious login records remaining after removal as abnormal records.
Preferably, after taking the suspicious login records remaining after removal as abnormal records, the method further includes:
in response to a mailbox login operation of the current user, generating a first login record and judging whether the first login record is normal according to the trusted IP list and the standard user portrait;
if the first login record is normal, saving the login record;
and if the first login record is abnormal, triggering two-factor authentication so that the current user confirms the login.
Preferably, after generating the first login record in response to the mailbox login operation of the current user and judging whether it is normal according to the trusted IP list and the standard user portrait, the method further includes:
recording the number of login records generated within a first preset time period and, if that number is larger than a preset first threshold, blocking the mailbox of the current user.
As a preferred scheme, after acquiring the longitude and latitude of the region corresponding to each login record from the preset geographic information base of login IPs, the method further comprises:
acquiring the login records of all failed logins within a second preset time period, and classifying them according to a preset brute-force cracking rule into brute-force cracking records and non-brute-force cracking records;
if the number of brute-force cracking records exceeds a preset second threshold, marking all login IPs in those records as a brute-force cracking IP list;
and updating the abnormal records with the login records whose login IP matches the brute-force cracking IP list.
As a preferred scheme, acquiring all login records of the user mailbox and establishing the trusted IP list and the standard user portrait from preset normal mails in the user mailbox specifically comprises:
acquiring the number of unique senders corresponding to the IP of each preset normal mail in the user mailbox, taking the IPs whose number is greater than a third threshold as trusted IP seeds, and taking the client IDs of all mails sent from the trusted IPs as a trusted ID list, wherein each login record also comprises a client ID;
constructing a reputation propagation graph from the trusted IP seeds and the trusted ID list, with each trusted IP seed as a vertex whose weight is the number of unique senders corresponding to that seed; iteratively growing and propagating reputation over the graph until the number of iterations reaches a preset value; obtaining the weight of each vertex after iteration; and obtaining the trusted IP list from those weights;
and calculating the standard user portrait from the trusted IP list.
Preferably, calculating the standard user portrait from the trusted IP list specifically includes:
acquiring all login records of the user mailbox, and screening out the login records whose IP matches the trusted IP list;
and calculating a feature vector of the user from the login records matching the trusted IP list, and taking that feature vector as the standard user portrait.
As a preferred scheme, sequentially calculating the switching speed between the regions of each two adjacent login records in login-time order and screening out suspicious login records against a preset speed threshold specifically comprises:
sorting all login records by login time, sequentially calculating the switching speed between the longitude and latitude of the regions of each two adjacent login records, and screening out, as suspicious login records, each pair of adjacent login records whose switching speed is greater than the preset speed threshold.
Correspondingly, the invention also provides a device for detecting mailbox login abnormality, comprising a list portrait module, a region position module, a suspicious login module and an abnormal record module;
the list portrait module is configured to acquire all login records of a user mailbox and establish a trusted IP list and a standard user portrait from preset normal mails in the user mailbox;
the region position module is configured to acquire the longitude and latitude of the region corresponding to each login record from a preset geographic information base of login IPs, wherein each login record comprises a login IP and a login time;
the suspicious login module is configured to sequentially calculate, in login-time order, the switching speed between the regions of each two adjacent login records and to screen out suspicious login records against a preset speed threshold;
and the abnormal record module is configured to remove, according to the trusted IP list and the standard user portrait, the matching suspicious login records and to take the suspicious login records remaining after removal as abnormal records.
Accordingly, the present invention further provides a terminal device comprising a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, wherein the processor implements the method for detecting mailbox login abnormality according to any one of the above when executing the computer program.
Accordingly, the present invention also provides a computer-readable storage medium storing a computer program which, when run, controls the device on which the storage medium is located to execute the method for detecting mailbox login abnormality according to any one of the above.
Compared with the prior art, the embodiments of the invention have the following beneficial effects:
In the technical scheme, all login records of a user mailbox are acquired and a trusted IP list and a standard user portrait are established from preset normal mails in that mailbox, so that mailbox login abnormality is detected according to the user's own habits of using the mailbox, which improves detection accuracy. Suspicious login records are screened out by the switching speed between the regions of two adjacent login records, which improves the accuracy of screening those records. The suspicious login records are then filtered according to the trusted IP list and the standard user portrait, which avoids the prior-art false alarms caused by a login region switch after the user starts using a proxy, improves the user's experience of the mailbox, and improves the accuracy of detecting mailbox login abnormality.
Drawings
FIG. 1: flow chart of the steps of the method for detecting mailbox login abnormality provided by an embodiment of the invention;
FIG. 2: the IP reputation propagation graph in its initial state, in the method for detecting mailbox login abnormality provided by an embodiment of the invention;
FIG. 3: the reputation propagation graph for IP1 in the method for detecting mailbox login abnormality provided by an embodiment of the invention;
FIG. 4: the reputation propagation graph for IP2 in the method for detecting mailbox login abnormality provided by an embodiment of the invention;
FIG. 5: the reputation propagation graph for IP3 in the method for detecting mailbox login abnormality provided by an embodiment of the invention;
FIG. 6: structural schematic diagram of the mailbox login abnormality detection device provided by an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only a part of the embodiments of the invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the invention.
Example one
Referring to fig. 1, a method for detecting mailbox login abnormality provided in an embodiment of the invention includes the following steps:
S101: acquiring all login records of a user mailbox, and establishing a trusted IP list and a standard user portrait from preset normal mails in the user mailbox.
Specifically, the number of unique senders corresponding to the IP of each preset normal mail in the user mailbox is obtained; the IPs whose number of unique senders exceeds a third threshold are taken as trusted IP seeds, and the client IDs of all mails sent from the trusted IPs are taken as a trusted ID list (each login record also comprises a client ID). From the trusted IP seeds and the trusted ID list, a reputation propagation graph is constructed with each trusted IP seed as a vertex whose weight is the number of unique senders corresponding to that seed; reputation is iteratively grown and propagated over the graph until the number of iterations reaches a preset value; the weight of each vertex after iteration is obtained, and the trusted IP list is derived from those weights. Finally, the standard user portrait is calculated from the trusted IP list.
It should be noted that the preset normal mails are mails in the outbox whose receiver and sender have exchanged mail with each other several times. Using the preset normal mails ensures that the IP from which a normal mail was sent is the IP from which the user actually operated, so that an accurate trusted IP list with reputation values and an accurate user portrait can be generated. The number of unique senders corresponding to the IP of each preset normal mail is obtained, and the IPs whose number of unique senders exceeds the third threshold are taken as trusted IP seeds; in practice, for enterprise mailboxes, these IPs are generally found to be the common egress IPs of company offices. The number of unique senders corresponding to an IP is understood as follows: each normal mail has one sending IP, and the number of distinct senders is counted for each distinct IP.
In this embodiment, after the number of unique senders corresponding to the IP of each normal mail in the user's mailbox is acquired, the IPs whose number exceeds the third threshold are taken as trusted IP seeds (IPs with too few senders are eliminated), and the client IDs of all mails sent from the trusted IPs are taken as the trusted ID list. The trusted IP seeds are the vertices, the weight of each vertex is the number of unique senders of the corresponding IP (that is, its reputation), and the trusted ID list provides the edges between vertices, which yields the initial reputation propagation graph. Reputation is then iteratively grown and propagated over the graph until the number of iterations reaches the preset value; the weight of each vertex after iteration is obtained, and the trusted IP list is derived from those weights.
As a preferred solution of this embodiment, refer to fig. 2, which shows the reputation propagation graph in its initial state. In this preferred embodiment four IPs are obtained in total: IP1, IP2, IP3 and IP4. IP1 has 100 unique senders, so its initial reputation is 100, and it has 100 trusted IDs, that is, 100 edges; 7 of these edges connect to IP2 (7 client IDs in common with IP2) and 3 connect to IP3 (3 client IDs in common with IP3). IP2 has 10 unique senders, so its initial reputation is 10, and it has 10 trusted IDs, that is, 10 edges; 7 connect to IP1 and the remaining 3 connect to other, external IPs. IP3 has 0 unique senders, so its initial reputation is 0, and it has 3 edges, all connecting to IP1. IP4 has no unique senders, an initial reputation of 0, and no common client with IP1, IP2 or IP3, so no reputation propagates through IP4. Reputation propagation is carried out for IP1, IP2 and IP3 in turn; the amount propagated along each edge is the propagating IP's reputation divided in proportion to its edge counts, and one propagation by every IP constitutes one iteration. Refer to fig. 3, which shows the reputation propagation from IP1 to IP2 and IP3: IP2 obtains 100 × (7/100) = 7 reputation from IP1, so the current reputation of IP2 is 17, and IP3 obtains 100 × (3/100) = 3 reputation from IP1, so the current reputation of IP3 is 3. Refer to fig. 4, which shows the reputation propagation from IP2 to IP1: IP1 obtains 17 × (7/10) = 11.9 reputation from IP2, so the current reputation of IP1 is 111.9. Refer to fig. 5, which shows the reputation propagation from IP3 to IP1: IP1 obtains 3 × (3/3) = 3 reputation from IP3, so the current reputation of IP1 is 114.9. At this point every IP has propagated once, that is, one iteration of the reputation computation has been performed.
Preferably, after 4 iterations the ranking of the IPs by reputation value is essentially stable and converged, and the top 80% of IPs by reputation value are kept as the trusted IP list.
Through this reputation propagation, the reputation of a trusted IP is passed on to other trusted IPs, covering among other cases a user who changes IP by using a network proxy, so that a relatively trustworthy IP list is obtained. To guard against potential gaming, such as subjective factors, only the IPs ranked highest by reputation after propagation are kept and the lower-reputation IPs are removed; the proportion kept is determined by the requirements of the actual situation.
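The reputation propagation walked through above, as an added Python example that is not the patent's own code. The vertices, initial reputations and client-ID sets are constructed to reproduce the IP1 to IP4 figures (100, 10, 0 and 0 unique senders; 7 and 3 shared IDs); the sequential update order, the definition of an edge as a client ID shared by two seed IPs, and the denominator being the size of the propagating IP's trusted ID list are assumptions drawn from the walk-through.

```python
"""Reputation propagation over trusted IP seeds (added example, not the patent's code).

Assumptions (not stated in the patent): an edge between two seed IPs exists for every
client ID that sent mail from both IPs; a vertex's total edge count is the size of its
trusted ID list (so IDs shared only with external, non-seed IPs still count in the
denominator); vertices propagate one after another, each using its already-updated
reputation, matching the walk-through for FIG. 3 to FIG. 5.
"""

# Constructed seed data reproducing the patent's example: IP -> unique-sender count
SEED_REPUTATION = {"IP1": 100, "IP2": 10, "IP3": 0, "IP4": 0}

# Constructed trusted ID lists per seed IP (client IDs of mails sent from that IP).
# IP1 has 100 IDs, of which 7 are shared with IP2 and 3 with IP3. IP2 has 10 IDs,
# 7 shared with IP1 and 3 ("ext*") seen only at external IPs. IP3's 3 IDs are all
# shared with IP1. IP4 has none.
CLIENT_IDS = {
    "IP1": {f"c{i}" for i in range(100)},
    "IP2": {f"c{i}" for i in range(7)} | {"ext0", "ext1", "ext2"},
    "IP3": {"c7", "c8", "c9"},
    "IP4": set(),
}


def build_edges(client_ids):
    """Edge multiplicity between two seed IPs = number of client IDs they share."""
    edges = {}
    for v, ids_v in client_ids.items():
        edges[v] = {}
        for u, ids_u in client_ids.items():
            if u == v:
                continue
            shared = len(ids_v & ids_u)
            if shared:
                edges[v][u] = shared
    return edges


def propagate_once(reputation, client_ids, edges):
    """One iteration: every vertex, in order, passes a share of its current reputation
    to each neighbour equal to (edges to that neighbour) / (its total edge count)."""
    rep = dict(reputation)
    for v in rep:
        total_edges = len(client_ids[v])
        if total_edges == 0:  # IP4: no trusted IDs, nothing to propagate
            continue
        for u, shared in edges[v].items():
            rep[u] += rep[v] * shared / total_edges
    return rep


def trusted_ip_list(seed_reputation, client_ids, iterations=4, keep_ratio=0.8):
    """Run the preset number of iterations, rank IPs by reputation and keep the top share."""
    edges = build_edges(client_ids)
    rep = dict(seed_reputation)
    for _ in range(iterations):
        rep = propagate_once(rep, client_ids, edges)
    ranked = sorted(rep, key=lambda ip: rep[ip], reverse=True)
    keep = max(1, int(len(ranked) * keep_ratio))
    return ranked[:keep], rep


if __name__ == "__main__":
    first = propagate_once(SEED_REPUTATION, CLIENT_IDS, build_edges(CLIENT_IDS))
    print("after one iteration:", {ip: round(r, 1) for ip, r in first.items()})
    trusted, final = trusted_ip_list(SEED_REPUTATION, CLIENT_IDS)
    print("trusted IP list:", trusted)
```

After one iteration the reputations are IP1 = 114.9, IP2 = 17, IP3 = 3 and IP4 = 0, as in the figures; after four iterations IP4 is the one IP dropped by the 80% cut.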
Specifically, all login records of the user's mailbox are obtained, and the login records whose IP matches the trusted IP list are screened out; a feature vector of the user is calculated from those login records and taken as the standard user portrait.
Each login record further includes the login time, login country, login city, the C segment of the login IP and the login client ID. From the login records matching the trusted IP list, the feature vector of the user is calculated, preferably by means of item2vec, and used as the standard user portrait.
S102: acquiring the longitude and latitude of the region corresponding to each login record from a preset geographic information base of login IPs, wherein each login record comprises a login IP and a login time.
As a preferred solution of this embodiment, after obtaining the longitude and latitude of the region corresponding to each login record from the preset geographic information base of login IPs, the method further includes: acquiring the login records of all failed logins within a second preset time period, and classifying them according to a preset brute-force cracking rule into brute-force cracking records and non-brute-force cracking records; if the number of brute-force cracking records exceeds a preset second threshold, marking all login IPs in those records as a brute-force cracking IP list; and updating the abnormal records with the login records whose login IP matches the brute-force cracking IP list.
Preferably, the preset brute-force cracking rule classifies all failed login records into four cases. First case a: an attacker uses a small number of IPs to try a large number of different passwords against the same account, producing a large number of failure records. Second case b: a small number of IPs try the same password against a large number of different accounts, producing a large number of failure records. Third case c: a small number of IPs try a large number of different passwords against a large number of different accounts, producing a large number of failure records. Fourth case d: a normal user changes the mailbox password but forgets to update the password stored in the mail client, so a single IP repeatedly tries the same account with the same password and some failure records exist. The preset brute-force cracking rule classifies a, b and c as brute-force cracking records and d as non-brute-force cracking records. When the brute-force cracking records of case a, b or c exceed the second threshold, the IPs corresponding to those records are marked as the brute-force cracking IP list; all login IPs are then checked against that list, and the login records of the matching IPs are added as new abnormal records to the abnormal records obtained in step S104.
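The four-case brute-force rule above, as an added Python example that is not the patent's own code. The failed-login records, the "large number" cut-off (MANY) and the second threshold are constructed; grouping the records per source IP and representing passwords by a keyed-hash fingerprint rather than the plaintext are assumptions about how the rule would be applied in a real deployment.

```python
"""Brute-force classification of failed logins (added example, not the patent's code).

Implements cases a, b, c and d of the preset brute-force cracking rule per source IP over
a window of failed-login records. MANY and SECOND_THRESHOLD are constructed values, and
a password fingerprint (for example a keyed hash) stands in for the password itself.
"""
from collections import defaultdict

MANY = 20              # constructed: distinct accounts/passwords that count as "a large number"
SECOND_THRESHOLD = 10  # constructed: more brute-force records than this yields an IP list

# Constructed failed-login records for the second preset time period:
# (login_ip, account, password_fingerprint)
FAILED_LOGINS = (
    # case a: one IP, one account, 25 different passwords
    [("198.51.100.7", "alice", f"fp-{i:03d}") for i in range(25)]
    # case b: one IP, the same password against 25 different accounts
    + [("198.51.100.8", f"user{i:02d}", "fp-common") for i in range(25)]
    # case d: the user's own client retrying a stale password three times
    + [("203.0.113.10", "bob", "fp-old")] * 3
)


def classify_failures(records, many=MANY):
    """Return {case: [records]} for cases a, b, c, d as defined in the patent, plus
    'other' for patterns the rule does not name (assumption: records grouped per IP)."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[0]].append(rec)
    cases = defaultdict(list)
    for group in by_ip.values():
        accounts = {rec[1] for rec in group}
        passwords = {rec[2] for rec in group}
        if len(accounts) == 1 and len(passwords) == 1:
            case = "d"  # single IP, same account, same password: stale client config
        elif len(accounts) == 1 and len(passwords) >= many:
            case = "a"  # many passwords against one account
        elif len(passwords) == 1 and len(accounts) >= many:
            case = "b"  # one password against many accounts
        elif len(accounts) >= many and len(passwords) >= many:
            case = "c"  # many passwords against many accounts
        else:
            case = "other"
        cases[case].extend(group)
    return dict(cases)


def brute_force_ip_list(records, second_threshold=SECOND_THRESHOLD, many=MANY):
    """Mark every IP of the brute-force records (a, b, c) once their count exceeds the threshold."""
    cases = classify_failures(records, many)
    brute = cases.get("a", []) + cases.get("b", []) + cases.get("c", [])
    if len(brute) <= second_threshold:
        return set()
    return {rec[0] for rec in brute}


def update_abnormal(abnormal, all_logins, bf_ips):
    """Add each login record whose IP is on the brute-force IP list to the abnormal records."""
    extra = [rec for rec in all_logins if rec["ip"] in bf_ips and rec not in abnormal]
    return abnormal + extra


if __name__ == "__main__":
    for case, group in sorted(classify_failures(FAILED_LOGINS).items()):
        print(f"case {case}: {len(group)} failed logins")
    print("brute-force IP list:", sorted(brute_force_ip_list(FAILED_LOGINS)))
```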
S103: sequentially calculating, in login-time order, the switching speed between the longitude and latitude of the regions of each two adjacent login records, and screening out suspicious login records against a preset speed threshold.
Specifically, all login records are sorted by login time, the switching speed between the regions of each two adjacent login records is calculated in sequence, and each pair of adjacent login records whose switching speed is greater than the preset speed threshold is screened out as suspicious login records.
It should be noted that the preset speed threshold is the maximum reasonable moving speed; preferably it is 800 km/h, roughly the average speed of an aircraft. If the switching speed between the regions of two adjacent login records is greater than the threshold, both login records are taken as suspicious login records. The switching speed is the geographic distance between the two regions, computed from their longitude and latitude, divided by the difference between the two login times.
S104: removing, according to the trusted IP list and the standard user portrait, the suspicious login records that match them, and taking the suspicious login records remaining after removal as abnormal records.
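Steps S102 to S104 as an added Python example, not the patent's own code: geolocate each login IP, sort by login time, compute the switching speed between adjacent records with the haversine great-circle distance, flag both records of any pair faster than 800 km/h, then drop flagged records whose IP is on the trusted IP list. The IPs, coordinates, timestamps and trusted list are constructed, the haversine formula is an assumption about how the geographic distance is computed, and the standard-user-portrait comparison of S104 is not shown.

```python
"""Impossible-travel screening of mailbox logins (added example, not the patent's code).

Covers S102 (geolocate), S103 (adjacent-record switching speed against the threshold) and
the trusted-IP part of S104 (remove flagged records from trusted IPs). Haversine distance
on a spherical Earth is assumed; the user-portrait check of S104 is omitted.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
SPEED_THRESHOLD_KMH = 800.0  # the patent's preferred threshold, about airliner speed

# Constructed stand-in for the "preset geographic information base": IP -> (lat, lon)
GEO_DB = {
    "203.0.113.10": (23.1291, 113.2644),  # Guangzhou, constructed corporate egress IP
    "198.51.100.7": (39.9042, 116.4074),  # Beijing
    "192.0.2.44": (31.2304, 121.4737),    # Shanghai
}
TRUSTED_IPS = {"203.0.113.10"}  # constructed output of step S101

# Constructed login records, deliberately not in time order
LOGIN_RECORDS = [
    {"ip": "198.51.100.7", "time": "2022-01-05T09:30:00"},
    {"ip": "203.0.113.10", "time": "2022-01-05T09:00:00"},
    {"ip": "198.51.100.7", "time": "2022-01-05T12:00:00"},
    {"ip": "192.0.2.44", "time": "2022-01-05T18:00:00"},
]


def haversine_km(point_a, point_b):
    """Great-circle distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(radians, point_a)
    lat2, lon2 = map(radians, point_b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def locate(records, geo_db):
    """S102: attach the region's longitude/latitude (and a parsed time) to each record."""
    located = []
    for rec in records:
        lat, lon = geo_db[rec["ip"]]
        located.append({**rec, "lat": lat, "lon": lon, "t": datetime.fromisoformat(rec["time"])})
    return located


def switching_speed_kmh(earlier, later):
    """Distance between the two regions divided by the login-time difference."""
    distance = haversine_km((earlier["lat"], earlier["lon"]), (later["lat"], later["lon"]))
    hours = (later["t"] - earlier["t"]).total_seconds() / 3600.0
    if hours <= 0:  # identical timestamps: any displacement is an infinite speed
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def screen_suspicious(located, threshold=SPEED_THRESHOLD_KMH):
    """S103: sort by login time and flag both records of each adjacent pair over the threshold."""
    ordered = sorted(located, key=lambda rec: rec["t"])
    suspicious = []
    for earlier, later in zip(ordered, ordered[1:]):
        if switching_speed_kmh(earlier, later) > threshold:
            for rec in (earlier, later):
                if rec not in suspicious:
                    suspicious.append(rec)
    return suspicious


def abnormal_records(suspicious, trusted_ips):
    """S104 (trusted-IP part): drop suspicious records whose login IP is on the trusted list."""
    return [rec for rec in suspicious if rec["ip"] not in trusted_ips]


if __name__ == "__main__":
    located = locate(LOGIN_RECORDS, GEO_DB)
    for rec in abnormal_records(screen_suspicious(located), TRUSTED_IPS):
        print("abnormal login:", rec["ip"], rec["time"])
```

Guangzhou to Beijing in 30 minutes is well over 800 km/h, so both records are flagged; the Guangzhou record comes from the trusted egress IP and is removed, leaving the 09:30 Beijing login as the abnormal record.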
As a preferred solution of this embodiment, after taking the suspicious login records remaining after removal as abnormal records, the method further includes: in response to a mailbox login operation of the current user, generating a first login record and judging whether it is normal according to the trusted IP list and the standard user portrait; if the first login record is normal, saving the login record; and if the first login record is abnormal, triggering two-factor authentication so that the current user confirms the login.
It should be noted that the first login record generated in response to the current user's mailbox login operation is the login record of that login. During the login, whether the first login record is normal is judged against the trusted IP list and the standard user portrait of the current user; if it is not, two-factor authentication is triggered, by means including but not limited to a mobile-phone verification code or a telephone voice verification.
As a preferred solution of this embodiment, after generating the first login record in response to the mailbox login operation of the current user and judging whether it is normal according to the trusted IP list and the standard user portrait, the method further includes: recording the number of login records generated within a first preset time period and, if that number is larger than a preset first threshold, blocking the mailbox of the current user.
It should be noted that after each login operation the number of login records generated within the first preset time period is recorded and checked; both the first preset time period and the first threshold are set according to actual requirements. If the number of login records generated in that period is greater than the first threshold, that is, multiple login records exist in the period, the current user's mailbox is blocked until the user recovers and changes the password through two-factor authentication, after which the mailbox may be used again.
The embodiment of the invention has the following effects:
The method and device for detecting mailbox login abnormality acquire all login records of a user mailbox and establish a trusted IP list and a standard user portrait from preset normal mails in that mailbox; the trusted IP list is computed iteratively by means of a reputation propagation graph, which improves its accuracy and reliability, and mailbox login abnormality is detected according to the user's own habits of using the mailbox, which improves detection accuracy. Suspicious login records are screened out by the switching speed between the regions of two adjacent login records and then filtered, which improves the user's experience of the mailbox and the accuracy of detecting mailbox login abnormality.
Example two
Accordingly, please refer to fig. 6, which shows a device for detecting mailbox login anomalies according to the present invention, comprising a list portrait module 201, a region location module 202, a suspicious login module 203 and an abnormal record module 204.
The list portrait module 201 is configured to obtain all login records of a user mailbox and to establish a trusted IP list and a standard user portrait according to the mails preset as normal in the user mailbox.
As a preferred scheme of this embodiment, obtaining all login records of the user mailbox and establishing the trusted IP list and the standard user portrait according to the mails preset as normal in the user mailbox specifically includes:
acquiring, for each IP from which the preset normal mails in the user mailbox were sent, the number of unique senders corresponding to that IP, taking the IPs whose number is greater than a third threshold as trusted IP seeds, and taking the client IDs of all mails sent from the trusted IPs as a trusted ID list, where each login record also includes a client ID; according to the trusted IP seeds and the trusted ID list, taking each trusted IP seed as a vertex whose weight is the number of unique senders corresponding to that seed, so as to construct a credit propagation graph; iteratively growing and propagating the credit propagation graph until the number of iterations reaches a preset value, obtaining the weight of each vertex after iteration, and obtaining the trusted IP list according to the weights of the vertices after iteration; and computing the standard user portrait according to the trusted IP list.
As a preferable solution of this embodiment, computing the standard user portrait according to the trusted IP list specifically includes:
acquiring all login records of the user mailbox and screening out, according to the trusted IP list, the login records whose login IP is on the trusted IP list; and computing a feature vector of the user from those login records and taking the feature vector as the standard user portrait.
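As an added example (not code from the patent or its applicant), the following Python sketch implements the trusted-IP seed selection, the credit propagation graph and the standard user portrait described above over constructed sample mails and login records. The patent does not define the graph's edges, the propagation rule or the feature vector; here two IPs are assumed to be adjacent when the same trusted client ID was seen on both, credit is assumed to spread to neighbours with a damping factor over a fixed number of iterations, and the portrait is assumed to be an hour-of-day distribution plus client-ID frequencies. The threshold values, IP addresses, sender addresses and client IDs are made up.

```python
from collections import defaultdict

# Constructed sample data (not from the patent): (sender, source IP, client ID)
# of the mails preset as normal, and the mailbox's login records.
NORMAL_MAILS = [
    ("alice@example.com", "203.0.113.10", "client-A"),
    ("bob@example.com", "203.0.113.10", "client-A"),
    ("carol@example.com", "203.0.113.10", "client-B"),
    ("dave@example.com", "198.51.100.7", "client-B"),
    ("erin@example.com", "198.51.100.7", "client-C"),
    ("alice@example.com", "198.51.100.7", "client-C"),
    ("frank@example.com", "192.0.2.55", "client-A"),    # one sender: not a seed
    ("mallory@example.com", "192.0.2.99", "client-Z"),  # never linked to a seed
]
LOGIN_RECORDS = [
    {"ip": "203.0.113.10", "client_id": "client-A", "hour": 9},
    {"ip": "203.0.113.10", "client_id": "client-A", "hour": 10},
    {"ip": "198.51.100.7", "client_id": "client-C", "hour": 14},
    {"ip": "192.0.2.55", "client_id": "client-A", "hour": 9},
    {"ip": "192.0.2.99", "client_id": "client-Z", "hour": 3},
]


def trusted_seeds(mails, third_threshold):
    """IPs with more than third_threshold unique senders become seeds (weight =
    that count); the client IDs of mails sent from seeds form the trusted ID list."""
    senders = defaultdict(set)
    for sender, ip, _client in mails:
        senders[ip].add(sender)
    seeds = {ip: float(len(s)) for ip, s in senders.items() if len(s) > third_threshold}
    trusted_ids = {client for _s, ip, client in mails if ip in seeds}
    return seeds, trusted_ids


def build_adjacency(mails, logins, trusted_ids):
    """Assumed edge rule: two IPs are adjacent when the same trusted client ID
    was seen on both (in a normal mail or in a login record)."""
    ips_by_client = defaultdict(set)
    for _s, ip, client in mails:
        ips_by_client[client].add(ip)
    for rec in logins:
        ips_by_client[rec["client_id"]].add(rec["ip"])
    adj = defaultdict(set)
    for client, ips in ips_by_client.items():
        if client in trusted_ids:
            for ip in ips:
                adj[ip] |= ips - {ip}
    return adj


def propagate_credit(seeds, adj, iterations, damping=0.5):
    """Grow the graph from the seeds and re-weight vertices for a fixed number
    of iterations (assumed rule): weight(v) = seed weight of v + damping *
    sum over neighbours u of weight(u) / degree(u)."""
    weight = dict(seeds)
    for _ in range(iterations):
        vertices = set(weight) | {v for u in weight for v in adj[u]}  # growth step
        weight = {
            v: seeds.get(v, 0.0)
            + damping * sum(weight[u] / len(adj[u]) for u in adj[v] if u in weight)
            for v in vertices
        }
    return weight


def trusted_ip_list(mails, logins, third_threshold, iterations, min_weight):
    """Seeds -> propagation -> every vertex whose final weight reaches min_weight."""
    seeds, trusted_ids = trusted_seeds(mails, third_threshold)
    weight = propagate_credit(seeds, build_adjacency(mails, logins, trusted_ids), iterations)
    return {ip for ip, w in weight.items() if w >= min_weight}


def standard_user_portrait(logins, trusted_ips):
    """Assumed feature vector: hour-of-day distribution and client-ID frequencies,
    computed only from logins whose IP is on the trusted IP list."""
    matching = [r for r in logins if r["ip"] in trusted_ips]
    n = len(matching) or 1
    hours = [0.0] * 24
    clients = defaultdict(float)
    for r in matching:
        hours[r["hour"]] += 1.0 / n
        clients[r["client_id"]] += 1.0 / n
    return {"hours": hours, "clients": dict(clients)}


if __name__ == "__main__":
    trusted = trusted_ip_list(NORMAL_MAILS, LOGIN_RECORDS, third_threshold=2, iterations=3, min_weight=1.0)
    print("trusted IP list:", sorted(trusted))
    print("standard user portrait:", standard_user_portrait(LOGIN_RECORDS, trusted))
```

With one iteration only the two seeds reach the weight floor; after three iterations 192.0.2.55, which shares client-A with a seed, has accumulated enough credit to join the list, while 192.0.2.99 never enters the graph because its client ID is not on the trusted ID list.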
The region location module 202 is configured to obtain the longitude and latitude of the region corresponding to each login record according to a preset geographic information base of login IPs, where each login record includes a login IP and a login time.
As a preferred embodiment of this embodiment, after obtaining the longitude and latitude of the region corresponding to each login record according to the preset geographic information base of login IPs, the method further includes:
acquiring all failed login records within a second preset time period and classifying them according to a preset brute-force rule into brute-force records and non-brute-force records; if the number of brute-force records exceeds a preset second threshold, marking all login IPs in the brute-force records as a brute-force IP list; and updating the abnormal records with the login records whose login IP is on the brute-force IP list.
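As an added example (not the patent's code), the following Python sketch applies the failed-login classification just described to constructed records. The patent does not state the brute-force rule; here an IP with at least `min_failures` failed attempts inside the second preset time period is assumed to be brute forcing. The record fields, IP addresses, thresholds and timestamps are made up for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

T0 = datetime(2022, 1, 5, 8, 0, 0)

# Constructed failed-login records for one mailbox (not from the patent).
FAILED_LOGINS = [
    {"ip": "192.0.2.77", "time": T0 + timedelta(seconds=10 * i)} for i in range(6)
] + [
    {"ip": "203.0.113.10", "time": T0 + timedelta(minutes=2)},  # one mistyped password
    {"ip": "198.51.100.9", "time": T0 - timedelta(hours=2)},    # outside the period
]
# Constructed successful login records already collected for the mailbox.
LOGIN_RECORDS = [
    {"ip": "203.0.113.10", "time": T0 + timedelta(minutes=3)},
    {"ip": "192.0.2.77", "time": T0 + timedelta(minutes=5)},    # guessed password
]


def classify_failures(failed, period_start, period_end, min_failures):
    """Split the failed logins inside [period_start, period_end) into brute-force
    and non-brute-force records. Assumed rule: an IP with at least min_failures
    failures in the period is brute forcing, so all its failures are brute-force
    records; everything else is a non-brute-force record."""
    in_period = [r for r in failed if period_start <= r["time"] < period_end]
    per_ip = Counter(r["ip"] for r in in_period)
    brute = [r for r in in_period if per_ip[r["ip"]] >= min_failures]
    non_brute = [r for r in in_period if per_ip[r["ip"]] < min_failures]
    return brute, non_brute


def brute_force_ip_list(brute_records, second_threshold):
    """Mark every login IP in the brute-force records once their number exceeds
    the second threshold; below it the list stays empty."""
    if len(brute_records) <= second_threshold:
        return set()
    return {r["ip"] for r in brute_records}


def update_abnormal_records(abnormal, login_records, brute_force_ips):
    """Append the login records whose login IP is on the brute-force IP list."""
    extra = [r for r in login_records if r["ip"] in brute_force_ips and r not in abnormal]
    return abnormal + extra


def run(failed=FAILED_LOGINS, logins=LOGIN_RECORDS, abnormal=(),
        period_start=T0, period_end=T0 + timedelta(minutes=10),
        min_failures=5, second_threshold=3):
    """Whole step: classify, derive the brute-force IP list, update abnormal records."""
    brute, non_brute = classify_failures(failed, period_start, period_end, min_failures)
    ips = brute_force_ip_list(brute, second_threshold)
    return brute, non_brute, ips, update_abnormal_records(list(abnormal), logins, ips)


if __name__ == "__main__":
    brute, non_brute, ips, abnormal = run()
    print(len(brute), "brute-force records,", len(non_brute), "non-brute-force records")
    print("brute-force IP list:", ips)
    print("abnormal records:", [(r["ip"], r["time"].isoformat()) for r in abnormal])
```

The successful login from 192.0.2.77 at T0+5 min is the interesting case: it passed authentication, so the speed check and the profile check alone might accept it, but because its source IP is on the brute-force IP list it is added to the abnormal records.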
The suspicious login module 203 is configured to sequentially compute, in order of login time, the switching speed between the longitude and latitude of the regions corresponding to each two adjacent login records, and to screen out suspicious login records according to a preset speed threshold.
As a preferred scheme of this embodiment, sequentially computing, in order of login time, the switching speed between the longitude and latitude of the regions corresponding to each two adjacent login records, and screening out suspicious login records according to the preset speed threshold specifically includes:
sorting all login records by login time, computing in turn the switching speed between the longitude and latitude of the regions corresponding to each two adjacent login records (the distance between the two regions divided by the time elapsed between the two logins), and taking as suspicious login records the two adjacent login records whose switching speed is greater than the preset speed threshold.
The abnormal record module 204 is configured to remove, according to the trusted IP list and the standard user portrait, those suspicious login records that are explained by them, and to take the suspicious login records remaining after the removal as abnormal records.
As a preferable solution of this embodiment, after taking the suspicious login records remaining after the removal as abnormal records, the method further includes:
generating a first login record in response to a mailbox login operation of the current user and judging whether the first login record is normal according to the trusted IP list and the standard user portrait; if the first login record is normal, saving the login record; and if the first login record is abnormal, triggering two-factor authentication so that the current user confirms the login.
As a preferable solution of this embodiment, after generating the first login record in response to the mailbox login operation of the current user and judging whether the first login record is normal according to the trusted IP list and the standard user portrait, the method further includes:
recording the number of login records generated within a first preset time period, and if that number is greater than a preset first threshold, blocking the mailbox of the current user.
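As an added example (not the patent's code), the following Python sketch chains the steps described for modules 202 to 204 and the login-time check above: it orders constructed login records by login time, computes the switching speed between adjacent records as the great-circle distance between their regions divided by the elapsed time, screens out the pairs above the speed threshold, removes the suspicious records explained by the trusted IP list or the standard user portrait, and then handles each new login by saving it, requesting two-factor authentication, or blocking the mailbox once more than the first threshold of records are generated within the first preset time period. The geographic information base, the trusted IP list, the portrait (assumed here to be a set of usual client IDs and login hours), the thresholds and all records are constructed for the example.

```python
import math
from datetime import datetime, timedelta

# Constructed geographic information base: login IP -> (latitude, longitude).
GEO_DB = {
    "203.0.113.10": (23.13, 113.26),   # Guangzhou
    "198.51.100.7": (31.23, 121.47),   # Shanghai
    "192.0.2.55": (40.71, -74.01),     # New York
}
TRUSTED_IPS = {"203.0.113.10", "198.51.100.7"}                     # assumed trusted IP list
PROFILE = {"clients": {"client-A"}, "hours": set(range(8, 20))}    # assumed user portrait
SPEED_THRESHOLD_KMH = 1000.0                                       # assumed speed threshold

T0 = datetime(2022, 1, 5, 9, 0, 0)
# Constructed login records: login IP, login time, client ID.
LOGIN_RECORDS = [
    {"ip": "203.0.113.10", "time": T0, "client_id": "client-A"},
    {"ip": "198.51.100.7", "time": T0 + timedelta(hours=3), "client_id": "client-A"},
    {"ip": "192.0.2.55", "time": T0 + timedelta(hours=4), "client_id": "client-X"},
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def switching_speeds(records, geo_db):
    """Sort by login time and yield (previous, current, km/h) for adjacent pairs.
    Records whose IP is absent from the geo base cannot be located and are skipped."""
    located = sorted((r for r in records if r["ip"] in geo_db), key=lambda r: r["time"])
    for prev, cur in zip(located, located[1:]):
        dist = haversine_km(geo_db[prev["ip"]], geo_db[cur["ip"]])
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
        # two logins at the same instant from different regions: treat as infinite speed
        speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
        yield prev, cur, speed


def screen_suspicious(records, geo_db, threshold):
    """Both records of every pair faster than the threshold are suspicious."""
    suspicious = []
    for prev, cur, speed in switching_speeds(records, geo_db):
        if speed > threshold:
            for r in (prev, cur):
                if r not in suspicious:
                    suspicious.append(r)
    return suspicious


def is_normal(rec, trusted_ips, profile):
    """A record is explained by the trusted IP list or by the user's habits."""
    return rec["ip"] in trusted_ips or (
        rec["client_id"] in profile["clients"] and rec["time"].hour in profile["hours"])


def abnormal_records(records, geo_db, trusted_ips, profile, threshold):
    """Suspicious records minus those removed by the trusted IP list and the portrait."""
    return [r for r in screen_suspicious(records, geo_db, threshold)
            if not is_normal(r, trusted_ips, profile)]


class LoginMonitor:
    """Decides on each new login record: 'saved', '2fa' or 'blocked'."""

    def __init__(self, trusted_ips, profile, first_period, first_threshold):
        self.trusted_ips, self.profile = trusted_ips, profile
        self.first_period, self.first_threshold = first_period, first_threshold
        self.saved, self.recent, self.blocked = [], [], False

    def handle_login(self, rec):
        if self.blocked:              # stays blocked until the password is reset via 2FA
            return "blocked"
        # every login attempt generates a record; count those inside the first period
        self.recent = [r for r in self.recent if rec["time"] - r["time"] < self.first_period] + [rec]
        if len(self.recent) > self.first_threshold:
            self.blocked = True
            return "blocked"
        if is_normal(rec, self.trusted_ips, self.profile):
            self.saved.append(rec)
            return "saved"
        return "2fa"                  # caller must obtain two-factor confirmation


def simulate_logins(attempts, first_period_minutes=10, first_threshold=3):
    """Feed constructed (ip, minutes after T0, client ID) attempts to a monitor."""
    monitor = LoginMonitor(TRUSTED_IPS, PROFILE, timedelta(minutes=first_period_minutes), first_threshold)
    return [monitor.handle_login({"ip": ip, "time": T0 + timedelta(minutes=m), "client_id": c})
            for ip, m, c in attempts]


if __name__ == "__main__":
    for r in abnormal_records(LOGIN_RECORDS, GEO_DB, TRUSTED_IPS, PROFILE, SPEED_THRESHOLD_KMH):
        print("abnormal:", r["ip"], r["time"].isoformat())
    print(simulate_logins([("203.0.113.10", 0, "client-A"), ("192.0.2.55", 1, "client-X"),
                           ("203.0.113.10", 2, "client-A"), ("203.0.113.10", 3, "client-A")]))
```

On the sample records the Guangzhou to Shanghai hop (about 1,200 km in 3 hours) stays below the threshold, while the Shanghai to New York hop (about 11,850 km in 1 hour) flags both records of the pair; the Shanghai record is then removed because its IP is trusted, leaving only the New York login as abnormal. In the online part, a record from an unknown IP and client triggers two-factor authentication without blocking, and the fourth record inside the ten-minute period blocks the mailbox regardless of where it came from.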
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the device described above may refer to the corresponding process in the foregoing method embodiment, and is not described again here.
The above embodiment, when implemented, has the following effects:
The embodiment of the invention acquires all login records of the user mailbox and establishes a trusted IP list and a standard user portrait from the mails preset as normal in the mailbox. The trusted IP list is refined by iterative computation on a credit propagation graph, which improves its accuracy and reliability, and mailbox login anomalies are detected according to the user's habits of using the mailbox, which improves detection accuracy. Suspicious login records are screened out by computing the switching speed between the longitude and latitude of the regions corresponding to two adjacent login records, and those explained by the trusted IP list and the standard user portrait are removed. The login operation of the current user is then checked, and two-factor authentication is triggered only when a suspicious login record appears, which avoids the poor user experience of the prior art, in which two-factor authentication is required at every login.
EXAMPLE III
The embodiment of the present invention further provides a terminal device, which includes a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, where the processor implements the method for detecting mailbox login anomalies according to any one of the above embodiments when executing the computer program.
Preferably, the computer program may be divided into one or more modules/units that are stored in the memory and executed by the processor to implement the invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which describe the execution process of the computer program in the terminal device.
The processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The processor is the control center of the terminal device and connects the various parts of the terminal device through various interfaces and lines.
The memory mainly includes a program storage area and a data storage area. The program storage area may store an operating system and the application programs required for at least one function, and the data storage area may store related data. The memory may be a high-speed random access memory, a non-volatile memory such as a plug-in hard disk, a SmartMedia Card (SMC), a Secure Digital (SD) card or a flash card, or another volatile solid-state memory device.
It should be noted that the terminal device may include, but is not limited to, a processor and a memory. Those skilled in the art will understand that this is only an example and does not limit the terminal device, which may include more or fewer components, combine some components, or use different components.
Example four
An embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium includes a stored computer program; when running, the computer program controls the device on which the computer-readable storage medium is located to execute the method for detecting mailbox login anomalies according to any one of the above embodiments.
The above-mentioned embodiments are provided to further explain the objects, technical solutions and advantages of the present invention in detail, and it should be understood that the above-mentioned embodiments are only examples of the present invention and are not intended to limit the scope of the present invention. It should be understood that any modifications, equivalents, improvements and the like, which come within the spirit and principle of the invention, may occur to those skilled in the art and are intended to be included within the scope of the invention.

Claims (10)

1. A method for detecting mailbox login anomalies, characterized by comprising the following steps:
acquiring all login records of a user mailbox, and establishing a trusted IP list and a standard user portrait according to mails preset as normal in the user mailbox;
acquiring the longitude and latitude of the region corresponding to each login record according to a preset geographic information base of login IPs; wherein each login record comprises a login IP and a login time;
sequentially calculating, in order of login time, the switching speed between the longitude and latitude of the regions corresponding to each two adjacent login records, and screening out suspicious login records according to a preset speed threshold;
and removing suspicious login records according to the trusted IP list and the standard user portrait, and taking the suspicious login records remaining after the removal as abnormal records.
2. The method according to claim 1, wherein after taking the suspicious login records remaining after the removal as abnormal records, the method further comprises:
generating a first login record in response to a mailbox login operation of a current user, and judging whether the first login record is normal according to the trusted IP list and the standard user portrait;
if the first login record is normal, saving the login record;
and if the first login record is abnormal, triggering two-factor authentication so that the current user confirms the login.
3. The method according to claim 2, wherein after generating the first login record in response to the mailbox login operation of the current user and judging whether the first login record is normal according to the trusted IP list and the standard user portrait, the method further comprises:
recording the number of login records generated within a first preset time period, and if that number is greater than a preset first threshold, blocking the mailbox of the current user.
4. The method according to claim 1, wherein after acquiring the longitude and latitude of the region corresponding to each login record according to the preset geographic information base of login IPs, the method further comprises:
acquiring all failed login records within a second preset time period, and classifying the failed login records according to a preset brute-force rule into brute-force records and non-brute-force records;
if the number of brute-force records exceeds a preset second threshold, marking all login IPs in the brute-force records as a brute-force IP list;
and updating the abnormal records according to the login records whose login IP is on the brute-force IP list.
5. The method according to claim 1, wherein acquiring all login records of a user mailbox and establishing a trusted IP list and a standard user portrait according to mails preset as normal in the user mailbox specifically comprises:
acquiring, for each IP from which the preset normal mails in the user mailbox were sent, the number of unique senders corresponding to that IP, taking the IPs whose number is greater than a third threshold as trusted IP seeds, and taking the client IDs of all mails sent from the trusted IPs as a trusted ID list; wherein each login record also comprises a client ID;
according to the trusted IP seeds and the trusted ID list, taking each trusted IP seed as a vertex whose weight is the number of unique senders corresponding to that seed, so as to construct a credit propagation graph, iteratively growing and propagating the credit propagation graph until the number of iterations reaches a preset value, obtaining the weight of each vertex after iteration, and obtaining the trusted IP list according to the weights of the vertices after iteration;
and calculating the standard user portrait according to the trusted IP list.
6. The method according to claim 5, wherein calculating the standard user portrait according to the trusted IP list specifically comprises:
acquiring all login records of the user mailbox, and screening out, according to the trusted IP list, the login records whose login IP is on the trusted IP list;
and calculating a feature vector of the user from the login records whose login IP is on the trusted IP list, and taking the feature vector as the standard user portrait.
7. The method according to claim 1, wherein sequentially calculating, in order of login time, the switching speed between the longitude and latitude of the regions corresponding to each two adjacent login records, and screening out suspicious login records according to a preset speed threshold specifically comprises:
sorting all login records by login time, sequentially calculating the switching speed between the longitude and latitude of the regions corresponding to each two adjacent login records, and taking as suspicious login records the two adjacent login records whose switching speed is greater than the preset speed threshold.
8. A device for detecting mailbox login anomalies, characterized by comprising a list portrait module, a region location module, a suspicious login module and an abnormal record module;
the list portrait module is used for acquiring all login records of a user mailbox, and establishing a trusted IP list and a standard user portrait according to mails preset as normal in the user mailbox;
the region location module is used for acquiring the longitude and latitude of the region corresponding to each login record according to a preset geographic information base of login IPs; wherein each login record comprises a login IP and a login time;
the suspicious login module is used for sequentially calculating, in order of login time, the switching speed between the longitude and latitude of the regions corresponding to each two adjacent login records, and screening out suspicious login records according to a preset speed threshold;
and the abnormal record module is used for removing suspicious login records according to the trusted IP list and the standard user portrait, and taking the suspicious login records remaining after the removal as abnormal records.
9. A terminal device comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the method for detecting mailbox login anomalies as claimed in any one of claims 1-7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a stored computer program; wherein the computer program, when running, controls the device on which the computer-readable storage medium is located to perform the method for detecting mailbox login anomalies as claimed in any one of claims 1-7.
Application CN202210013302.7A, priority date 2022-01-05, filing date 2022-01-05: Method, device, equipment and storage medium for detecting mailbox login abnormity (pending), published as CN114465977A (en)

Publications (1)

Publication Number Publication Date
CN114465977A 2022-05-10

Family

ID=81409958

Country Status (1)

Country Link
CN (1) CN114465977A (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102325062A (en) * 2011-09-20 2012-01-18 北京神州绿盟信息安全科技股份有限公司 Abnormal login detecting method and device
CN102664877A (en) * 2012-03-30 2012-09-12 北京千橡网景科技发展有限公司 Method and device for exception handling in the login process
CN103457923A (en) * 2012-06-05 2013-12-18 阿里巴巴集团控股有限公司 Method, device and system for controlling login from a different location
WO2014082484A1 (en) * 2012-11-29 2014-06-05 北京奇虎科技有限公司 User login monitoring device and method
CN107172104A (en) * 2017-07-17 2017-09-15 顺丰科技有限公司 Login anomaly detection method, system and device
CN108768943A (en) * 2018-04-26 2018-11-06 腾讯科技(深圳)有限公司 Method, apparatus and server for detecting abnormal accounts
CN109067802A (en) * 2018-10-08 2018-12-21 安徽艾可信网络科技有限公司 Identity authentication system for e-commerce platform accounts
CN109862029A (en) * 2019-03-01 2019-06-07 论客科技(广州)有限公司 Method and system for countering brute-force attacks using big data analysis
CN111400357A (en) * 2020-02-21 2020-07-10 中国建设银行股份有限公司 Method and device for identifying abnormal logins
CN111988278A (en) * 2020-07-23 2020-11-24 微梦创科网络科技(中国)有限公司 Abnormal user determination method and device based on user geographical location logs
CN113378127A (en) * 2021-06-09 2021-09-10 中国工商银行股份有限公司 Abnormal login identification method, abnormal login identification device and electronic equipment


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination