CN114499966A - Fraud traffic aggregation analysis method and device, electronic equipment and storage medium - Google Patents
- Publication number: CN114499966A (application CN202111612908.4A)
- Authority: CN (China)
- Prior art keywords: fraud, asset information, asset, group, information
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication)
  - H04L63/00 Network architectures or network communication protocols for network security
    - H04L63/14 ... for detecting or protecting against malicious traffic
      - H04L63/1408 ... by monitoring network traffic
        - H04L63/1425 Traffic logging, e.g. anomaly detection
  - H04L67/00 Network arrangements or protocols for supporting network services or applications
    - H04L67/01 Protocols
      - H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- G (Physics) / G06 (Computing; calculating or counting) / G06F (Electric digital data processing)
  - G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    - G06F16/90 Details of database functions independent of the retrieved data types
      - G06F16/903 Querying
        - G06F16/90335 Query processing
          - G06F16/90344 Query processing by using string matching techniques
      - G06F16/906 Clustering; Classification
- G (Physics) / G06 (Computing; calculating or counting) / G06Q (Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes; systems or methods specially adapted for administrative, commercial, financial, managerial or supervisory purposes, not otherwise provided for)
  - G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    - G06Q50/10 Services
      - G06Q50/26 Government or public services
Abstract
The invention provides a fraud traffic aggregation analysis method and device, an electronic device and a storage medium. The method comprises: obtaining a fraud traffic log, that is, the traffic log of visits to the management backend of a fraud website; extracting first asset information from the fraud traffic log and comparing it with pre-stored second asset information; and, where the first asset information and the second asset information intersect, determining that the fraud group corresponding to the fraud traffic log is the first fraud group, associating the first asset information with the second asset information, and saving the first asset information into the asset information set of the first fraud group. The method, device, electronic device and storage medium provided by the embodiments of the invention locate fraud groups accurately and so support effective action against them.
Description
Technical Field
The present invention relates to the field of data monitoring technologies, and in particular, to a fraud traffic aggregation analysis method and apparatus, an electronic device, and a storage medium.
Background
In current cybercrime cases involving online fraud, the number of lone offenders is steadily decreasing and group crime accounts for the vast majority. Current fraud groups share the following characteristics: they manage several fraud websites at the same time; fraud websites are cross-managed within the group; and a technical team maintains the fraud websites with a uniform backend.
Existing anti-fraud systems still record and analyse fraudsters through single-point searches or case reports. In the end only the information of an individual fraudster is learned; the wider asset information used by the whole fraud group cannot be discovered, and the fraud case cannot be broken open efficiently. How to find high-value, actionable fraud groups given the characteristics of current online fraud therefore becomes a problem worth solving.
Disclosure of Invention
The invention provides a fraud traffic aggregation analysis method, a fraud traffic aggregation analysis device, electronic equipment and a storage medium, which are used for solving the technical problems in the prior art.
The invention provides a fraud traffic aggregation analysis method, comprising: obtaining a fraud traffic log, where the fraud traffic log is the traffic log of visits to the management backend of a fraud website;
extracting first asset information from the fraud traffic log, and comparing the first asset information with pre-stored second asset information; wherein the asset information comprises a plurality of asset item information;
determining a fraud group corresponding to said fraud traffic log as a first fraud group, associating said first asset information with said second asset information, and saving said first asset information into a set of asset information of said first fraud group, if there is an intersection of said first asset information and said second asset information; wherein the first fraud group is a fraud group corresponding to the second asset information.
According to the fraud traffic aggregation analysis method provided by the present invention, the method further comprises:
determining that the fraud group corresponding to the fraud traffic log is a newly added second fraud group and saving the first asset information into the asset information set of the second fraud group, where there is no intersection between the first asset information and the second asset information.
According to the fraud traffic aggregation analysis method provided by the invention, the asset item information comprises device asset item information and fraud website asset item information; the device asset item information comprises at least one of an International Mobile Equipment Identity (IMEI) and a mobile phone number, and the fraud website asset item information comprises at least one of a fraud website address, a fraud website domain name and a fraud website IP address.
According to the fraud traffic aggregation analysis method provided by the present invention, the obtaining of the fraud traffic log comprises: acquiring the fraud traffic log from Internet access traffic by means of a website substring template.
According to the fraud traffic aggregation analysis method provided by the present invention, the extracting of first asset information from the fraud traffic log comprises: extracting the first asset information from the fraud traffic log by regular expression matching.
According to the fraud traffic aggregation analysis method provided by the present invention, the method further comprises:
searching, based on third asset information in the asset information set of a third fraud group, for asset information that intersects the third asset information among the asset information sets of a plurality of identified fraud groups, where the third fraud group is any one of the confirmed fraud groups; and, where the third asset information intersects fourth asset information, attributing the fourth fraud group and the third fraud group to the same fraud group, associating the third asset information with the fourth asset information, and merging the asset information set of the fourth fraud group into the asset information set of the third fraud group, where the fourth fraud group is the fraud group corresponding to the fourth asset information.
According to the fraud traffic aggregation analysis method provided by the present invention, the method further comprises:
establishing, from the asset information in the asset information set of a fifth fraud group, a connectivity graph whose nodes are asset item information and whose edges are the relations among asset item information, where the fifth fraud group is any one of the determined fraud groups and the style of each node is determined by the type of its asset item information;
determining, from the connectivity graph, the number of other nodes connected to any given node;
determining the size of that node according to the number of other nodes connected to it;
and displaying, in the connectivity graph, the detailed information of a designated node and of the other nodes connected to it.
The present invention also provides a fraud traffic aggregation analysis apparatus, including:
an obtaining module for obtaining a fraud traffic log, where the fraud traffic log is the traffic log of visits to the management backend of a fraud website;
the comparison module is used for extracting first asset information from the fraud traffic log and comparing the first asset information with pre-stored second asset information; wherein the asset information comprises a plurality of asset item information;
an association module for determining a fraud group corresponding to said fraud traffic log as a first fraud group, associating said first asset information with said second asset information, and saving said first asset information into a set of asset information of said first fraud group, if there is an intersection between said first asset information and said second asset information; wherein the first fraud group is a fraud group corresponding to the second asset information.
The present invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the fraud traffic aggregation analysis method as described in any of the above when executing the program.
The present invention also provides a non-transitory computer readable storage medium, having stored thereon a computer program, which when executed by a processor, implements the steps of the fraud traffic aggregation analysis method as described in any of the above.
According to the fraud traffic aggregation analysis method and device, electronic device and storage medium, the traffic log of the fraud website's management backend is obtained, asset information is extracted from the traffic log and compared with pre-stored asset information, and the fraud group is identified by association based on the comparison result.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is one of the flow diagrams of a fraud traffic aggregation analysis method provided by the present invention;
FIG. 2 is a schematic diagram, provided by the present invention, of fraud groups that share a domain name;
FIG. 3 is a schematic diagram of neighbor sampling processing provided by the present invention;
FIG. 4 is a schematic diagram of the weight amplification process provided by the present invention;
FIG. 5 is a second schematic flow chart of a fraud traffic aggregation analysis method provided by the present invention;
FIG. 6 is a schematic structural diagram of a fraud traffic aggregation analysis apparatus provided by the present invention;
fig. 7 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
Fig. 1 is one of the flow diagrams of the fraud traffic aggregation analysis method provided by the present invention, as shown in fig. 1, the method includes:
S110, obtaining a fraud traffic log, where the fraud traffic log is the traffic log of visits to the management backend of a fraud website;
S120, extracting first asset information from the fraud traffic log, and comparing the first asset information with pre-stored second asset information; wherein the asset information comprises a plurality of asset item information;
S130, determining a fraud group corresponding to said fraud traffic log as a first fraud group, associating said first asset information with said second asset information, and saving said first asset information into a set of asset information of said first fraud group, if there is an intersection between said first asset information and said second asset information; wherein the first fraud group is a fraud group corresponding to the second asset information.
It should be noted that the criminals in a fraud group must operate the management backend of each fraud website in order to run it, and every visit to that backend generates a fraud traffic log. The log contains the device information of the visitor and the information of the managed website, that is: which website is being managed from which device.
Based on this operating pattern, first asset information (the device information and managed-website information above) is extracted from the fraud traffic log and compared with second asset information pre-stored in the system (the pre-stored device information and managed-website information, which belongs to the first fraud group). When the first and second asset information intersect, at least one of the device information and the managed-website information is the same; the first asset information is then associated with the pre-stored second asset information and saved into the first fraud group.
For example, current traffic 1 carries the website (yx.yixingjr.com), device number (867624033939330) and mobile phone number (19147318888); traffic 2 carries the website (yx.yixingjr.com), device number (355411071852693) and mobile phone number (19147317777). Comparison shows that the website in traffic 1 and traffic 2 is the same, so the two are treated as the same group.
According to the fraud traffic aggregation analysis method provided by the invention, the traffic log of the fraud website's management backend is obtained, asset information is extracted from it and compared with the pre-stored asset information, and the fraud group is identified by association based on the comparison result. When the two pieces of asset information intersect, the extracted asset information is placed into the pre-stored fraud group and associated with the pre-stored asset information. This enriches the associations among asset information, fills in the asset information of the first fraud group and improves understanding of it; the fraud group is located accurately, which supports efficient and precise action against it based on that information.
According to the fraud traffic aggregation analysis method provided by the present invention, the method further comprises: determining that the fraud group corresponding to the fraud traffic log is a newly added second fraud group and saving the first asset information into the asset information set of the second fraud group, where there is no intersection between the first asset information and the second asset information.
When there is no intersection between the first asset information acquired in real time and the pre-stored second asset information, the device information and the managed-website information are all different and the two pieces of asset information belong to different fraud groups. A new fraud group is then added to the system and the acquired first asset information is stored in it.
For example, current traffic 1 carries the website (xyz.yixingjr.com), device number (355411071852693) and mobile phone number (19147316666); traffic 2 carries the website (yx.yixingjr.com), device number (866708042094780) and mobile phone number (19147315555). Comparison shows that the website, device number and mobile phone number all differ between traffic 1 and traffic 2, so they are treated as different groups.
According to the fraud traffic aggregation analysis method provided by the invention, the extracted asset information is compared with the pre-stored asset information and, when the two do not intersect, stored in a newly added fraud group. In this way the boundaries between criminal groups are drawn clearly, which supports targeted action against each group, precise control and efficient handling.
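The S120/S130 comparison and the new-group case above, written out as an added example (this is editor-supplied code, not the patent's implementation). Asset items are stored as typed (type, value) pairs so that an IMEI and a phone number can never collide on digits alone. The sample records reuse the values from the patent's two examples; the bridging record at the end is constructed. One point goes beyond the text: a record can intersect several previously separate groups at once, and by the patent's "any shared item" rule they then belong together, so the store merges them rather than picking one.

```python
from typing import Dict, List, Set, Tuple

AssetItem = Tuple[str, str]   # (item type, value), e.g. ("website", "yx.yixingjr.com")
AssetSet = Set[AssetItem]


def to_asset_set(record: Dict[str, str]) -> AssetSet:
    """Typed items: ("imei", "1234...") and ("phone", "1234...") stay distinct."""
    return {(item_type, value) for item_type, value in record.items()}


class FraudGroupStore:
    """Pre-stored ("second") asset information, one asset set per fraud group."""

    def __init__(self) -> None:
        self.groups: Dict[int, AssetSet] = {}
        self._next_id = 1

    def find_intersecting(self, first: AssetSet) -> List[int]:
        """Ids of every stored group whose asset set shares at least one item."""
        return sorted(gid for gid, second in self.groups.items() if first & second)

    def ingest(self, record: Dict[str, str]) -> int:
        """S120/S130: join the intersecting group, or open a new one (second fraud group).
        Returns the id of the group the first asset information was saved into."""
        first = to_asset_set(record)
        hits = self.find_intersecting(first)
        if not hits:
            gid = self._next_id
            self._next_id += 1
            self.groups[gid] = set(first)
            return gid
        # A record bridging several groups makes them one group (editor's extension).
        target, *others = hits
        for gid in others:
            self.groups[target] |= self.groups.pop(gid)
        self.groups[target] |= first
        return target


# Records from the patent's own examples (same-group pair, then different-group pair).
TRAFFIC_1 = {"website": "yx.yixingjr.com", "imei": "867624033939330", "phone": "19147318888"}
TRAFFIC_2 = {"website": "yx.yixingjr.com", "imei": "355411071852693", "phone": "19147317777"}
TRAFFIC_3 = {"website": "xyz.yixingjr.com", "imei": "355411071852693", "phone": "19147316666"}
TRAFFIC_4 = {"website": "yx.yixingjr.com", "imei": "866708042094780", "phone": "19147315555"}
# Constructed record that shares one item with each of TRAFFIC_3 and TRAFFIC_4.
BRIDGE = {"website": "xyz.yixingjr.com", "imei": "866708042094780"}


def demo_same_group() -> FraudGroupStore:
    store = FraudGroupStore()
    store.ingest(TRAFFIC_1)
    store.ingest(TRAFFIC_2)          # shares the website -> group 1
    return store


def demo_new_group_then_merge() -> FraudGroupStore:
    store = FraudGroupStore()
    store.ingest(TRAFFIC_3)          # group 1
    store.ingest(TRAFFIC_4)          # nothing shared -> new group 2
    store.ingest(BRIDGE)             # touches both -> groups 1 and 2 become one
    return store


if __name__ == "__main__":
    for store in (demo_same_group(), demo_new_group_then_merge()):
        for gid, assets in store.groups.items():
            print(gid, sorted(assets))
```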
According to the fraud traffic aggregation analysis method provided by the invention, the asset item information comprises device asset item information and fraud website information, where the device asset item information comprises at least one of an IMEI and a mobile phone number.
It should be noted that the website address in the network relationship is the equivalent of a website's identity card: it uniquely identifies which website is meant. The International Mobile Equipment Identity (IMEI) and the mobile phone number are bound to each other (the IMEI identifies the handset and the phone number the SIM card in it, so the binding only holds while that SIM stays in that handset) and can be regarded as one entity, and the mobile phone number and the website are in an access relationship; consequently several records are regarded as related as long as any one factor is the same.
According to the fraud traffic aggregation analysis method provided by the invention, the device is pinned down through the IMEI and the mobile phone number, the fraud website through the website address, and the fraud group through the associations among these parameters.
According to the fraud traffic aggregation analysis method provided by the invention, the fraud traffic log is obtained from Internet access traffic by means of a website substring template.
It should be noted that the website substring template is a character string common to a batch of website links. The template is matched directly against the traffic logs, and every log whose link contains it is a fraud traffic log; in this way fraud traffic logs are picked out of a large volume of Internet access logs.
According to the fraud traffic aggregation analysis method provided by the invention, fraud traffic logs are acquired quickly and accurately through the website substring template.
According to the fraud traffic aggregation analysis method provided by the present invention, extracting the first asset information from the fraud traffic log comprises: extracting the first asset information from the fraud traffic log by regular expression matching.
It should be noted that regular expression matching is a string matching pattern used to check whether a string contains a certain substring, to replace a matched substring, or to extract a substring satisfying a certain condition from a string. Regular expressions are written to pull each asset item out of the fraud traffic log; together with the substring template filtering above, this yields structured asset information from a large volume of Internet access logs.
According to the fraud traffic aggregation analysis method provided by the invention, the target asset information is acquired efficiently and accurately from the fraud traffic log by regular expression matching.
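The two extraction steps just described (substring-template filtering of raw access logs, then regular-expression extraction of asset items), as an added example that is not part of the patent. The log line layout, the `imei=` / `msisdn=` fields and the template value `yixingjr.com/admin` are assumptions made for this example; the IMEI and phone values are taken from the patent's own examples, and the log lines themselves are constructed. One check the patent does not mention is included: the 15th IMEI digit is a Luhn check digit, so a device number that fails it is treated as corrupted and dropped rather than stored as an asset item.

```python
import re
from typing import Dict, List

# Constructed raw Internet-access log lines (not from the patent).
# Assumed layout: "<timestamp> <client> GET <url> [imei=<15 digits>] [msisdn=<11 digits>]"
RAW_ACCESS_LOG = """\
2021-12-01T10:00:01Z 10.0.0.5 GET http://yx.yixingjr.com/admin/login imei=867624033939330 msisdn=19147318888
2021-12-01T10:00:02Z 10.0.0.6 GET http://news.example.org/index.html imei=355411071852693 msisdn=19147317777
2021-12-01T10:00:03Z 10.0.0.7 GET http://xyz.yixingjr.com/admin/orders imei=355411071852693 msisdn=19147316666
2021-12-01T10:00:04Z 10.0.0.8 GET http://xyz.yixingjr.com/admin/orders imei=867624033939331 msisdn=19147315555
2021-12-01T10:00:05Z 10.0.0.9 GET http://yx.yixingjr.com/admin/users
"""

# Website substring template: the string shared by a batch of known fraud backend
# links. The value is an assumption for this example.
WEBSITE_SUBSTRING_TEMPLATE = "yixingjr.com/admin"

URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)")
IMEI_RE = re.compile(r"\bimei=(?P<imei>\d{15})\b")
PHONE_RE = re.compile(r"\bmsisdn=(?P<phone>\d{11})\b")


def filter_fraud_traffic(raw_log: str, template: str) -> List[str]:
    """Substring-template match: a line containing the template is a fraud traffic log."""
    return [line for line in raw_log.splitlines() if template in line]


def luhn_ok(digits: str) -> bool:
    """IMEI check digit (Luhn); rejects corrupted or mistyped device numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_asset_info(line: str) -> Dict[str, str]:
    """Regular-expression extraction of the asset items present in one log line.
    Missing items are simply absent; an IMEI failing its check digit is dropped."""
    assets: Dict[str, str] = {}
    if m := URL_RE.search(line):
        assets["website"] = m.group("host")
    if m := IMEI_RE.search(line):
        if luhn_ok(m.group("imei")):
            assets["imei"] = m.group("imei")
    if m := PHONE_RE.search(line):
        assets["phone"] = m.group("phone")
    return assets


def structure_log(raw_log: str, template: str = WEBSITE_SUBSTRING_TEMPLATE) -> List[Dict[str, str]]:
    """Step 3 of the flow: fraud traffic log -> structured asset information records."""
    return [extract_asset_info(line) for line in filter_fraud_traffic(raw_log, template)]


if __name__ == "__main__":
    for record in structure_log(RAW_ACCESS_LOG):
        print(record)
```

The records this produces are the "first asset information" that the comparison step consumes; a line with only a website still yields a record, because a shared website alone is enough for the patent's intersection test.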
According to the fraud traffic aggregation analysis method provided by the present invention, in the present invention, the method further comprises:
searching, based on third asset information in the asset information set of a third fraud group, for asset information that intersects the third asset information among the asset information sets of a plurality of identified fraud groups, where the third fraud group is any one of the confirmed fraud groups;
where the third asset information intersects fourth asset information, attributing the fourth fraud group and the third fraud group to the same fraud group, associating the third asset information with the fourth asset information, and merging the asset information set of the fourth fraud group into the asset information set of the third fraud group, where the fourth fraud group is the fraud group corresponding to the fourth asset information.
It should be noted that the third asset information comprises the domain name and the IP address of the fraud website. In the embodiment of the invention the domain name and IP address are used in a "summoning" operation: the aggregation analysis above relies on the associations among IMEI, mobile phone number and fraud website, and in a network environment a website sits under an IP address and a domain name at a higher layer, so when two fraud groups contain the same IP address or domain name they can be associated into one. This widens the range of elements in a fraud group, improves the completeness of the whole group and gives customers more grounds for judgement.
FIG. 2 is a schematic diagram, provided by the present invention, of fraud groups that share a domain name. As shown in FIG. 2, a group's domain name or IP address is used to "summon" other groups with the same domain name or IP into view. For example, current traffic 1 carries the website (yx.yixingjr.com), domain name (yixingjr.com) and IP (47.244.25.119); traffic 2 carries the website (xyz.yixingjr.com), domain name (yixingjr.com) and IP (47.244.25.120). Comparison shows that traffic 1 and traffic 2 share the domain name but were not in the same group; through the domain name each can "summon" the other into the group display, which widens the scope of the investigation.
According to the fraud traffic aggregation analysis method provided by the invention, the domain name and IP address of the fraud website are used to aggregate the fraud groups further, raising the degree of association among them and helping to uncover and detect larger fraud groups.
According to the fraud traffic aggregation analysis method provided by the present invention, in the present invention, the method further comprises:
establishing, from the asset information in the asset information set of a fifth fraud group, a connectivity graph whose nodes are asset item information and whose edges are the relations among asset item information, where the fifth fraud group is any one of the determined fraud groups and the style of each node is determined by the type of its asset item information;
determining, from the connectivity graph, the number of other nodes connected to any given node;
determining the size of that node according to the number of other nodes connected to it;
and displaying, in the connectivity graph, the detailed information of a designated node and of the other nodes connected to it.
It should be noted that building a connectivity graph with asset item information as nodes and the associations among asset item information as edges is an application of neighbor sampling. FIG. 3 is a schematic diagram of the neighbor sampling process provided by the present invention; as shown in FIG. 3, one element is taken as the centre and the related elements around it are displayed. Determining the size of a node from the number of other nodes connected to it is an application of weight amplification. FIG. 4 is a schematic diagram of the weight amplification process provided by the present invention; as shown in FIG. 4, the more peripheral elements an element is connected to, the greater its weight and the larger its point. Through neighbor sampling and weight amplification the associations among asset item information can be seen more intuitively and clearly, and the weight of each asset item within the connectivity graph can be determined.
The fraud traffic aggregation analysis method provided by the invention grasps the associations among asset item information accurately through neighbor sampling and weight amplification, determines the weight of each asset item in the connectivity graph, and gives direction to the subsequent detection of fraud groups.
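The connectivity graph, neighbor sampling and weight amplification just described, as an added example (editor-supplied, not the patent's code). Every asset item of one log record is joined to every other item of that record, so a website seen from two devices becomes the hub between them. Node size grows linearly with the number of directly connected nodes (weight amplification); `neighbor_sample` returns the centre node with its style, size and direct neighbours (neighbor sampling); `connected` additionally walks the whole component, since the text's "other nodes connected to a node" can be read either way. The node-style mapping and the size formula are assumptions for this example; the two records are the patent's same-group example.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

AssetItem = Tuple[str, str]   # (item type, value)

# Node style per asset item type: an assumed mapping for this example.
NODE_STYLE = {"website": "square", "imei": "circle", "phone": "triangle"}


class AssetGraph:
    """Undirected graph: nodes are asset items, edges are co-occurrence in one log record."""

    def __init__(self) -> None:
        self.adj: Dict[AssetItem, Set[AssetItem]] = {}

    def add_record(self, record: Dict[str, str]) -> None:
        items: List[AssetItem] = list(record.items())
        for item in items:
            self.adj.setdefault(item, set())
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                self.adj[a].add(b)
                self.adj[b].add(a)

    def degree(self, node: AssetItem) -> int:
        """Number of other nodes directly connected to node."""
        return len(self.adj[node])

    def connected(self, node: AssetItem) -> Set[AssetItem]:
        """All other nodes reachable from node (breadth-first over its component)."""
        seen = {node}
        queue = deque([node])
        while queue:
            cur = queue.popleft()
            for nxt in self.adj[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        seen.discard(node)
        return seen

    def node_size(self, node: AssetItem, base: int = 10, step: int = 5) -> int:
        """Weight amplification: more connected neighbours -> larger point (assumed formula)."""
        return base + step * self.degree(node)

    def style(self, node: AssetItem) -> str:
        return NODE_STYLE.get(node[0], "circle")

    def neighbor_sample(self, node: AssetItem) -> Dict[str, object]:
        """Neighbor sampling: the designated node plus the items directly around it."""
        return {
            "node": node,
            "style": self.style(node),
            "size": self.node_size(node),
            "neighbors": sorted(self.adj[node]),
        }


# The patent's same-group example: one website managed from two devices.
RECORDS = [
    {"website": "yx.yixingjr.com", "imei": "867624033939330", "phone": "19147318888"},
    {"website": "yx.yixingjr.com", "imei": "355411071852693", "phone": "19147317777"},
]


def build_graph(records: List[Dict[str, str]]) -> AssetGraph:
    graph = AssetGraph()
    for record in records:
        graph.add_record(record)
    return graph


if __name__ == "__main__":
    g = build_graph(RECORDS)
    for node in sorted(g.adj):
        print(node, "style=%s size=%d" % (g.style(node), g.node_size(node)))
    print(g.neighbor_sample(("website", "yx.yixingjr.com")))
```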
FIG. 5 is the second flow chart of the fraud traffic aggregation analysis method provided by the present invention; as shown in FIG. 5, the method includes:
Step 1, input traffic, namely traffic that accesses the management backend of a fraud website;
Step 2, management backend traffic, namely acquiring the traffic log of the fraud website's management backend;
Step 3, structuring the traffic data, namely extracting the asset information from the backend traffic log of the fraud website;
Step 4, association analysis across each dimension, namely comparing the asset information of the historical traffic with that of the input traffic, where both comprise website addresses, mobile phone numbers and device identification numbers;
Step 5, when the comparison shows an association, associating and storing the asset information of the input traffic with that of the historical traffic; when it shows no association, adding a new management relation to the system, that is, a new fraud group, and storing the asset information of the input traffic in the new fraud group.
According to the fraud traffic aggregation analysis method provided by the invention, the traffic log of the fraud website's management backend is obtained, asset information is extracted from it and compared with the pre-stored asset information, and the fraud group is identified by association based on the comparison result.
Fig. 6 is a schematic structural diagram of a fraud traffic aggregation analysis apparatus provided by the present invention, as shown in fig. 6, the apparatus includes:
an obtaining module 610, configured to obtain a fraud traffic log, where the fraud traffic log is the traffic log of visits to the management backend of a fraud website;
a comparing module 620, configured to extract first asset information from the fraud traffic log, and compare the first asset information with pre-stored second asset information; wherein the asset information comprises a plurality of asset item information;
an associating module 630, for determining a fraud group corresponding to said fraud traffic log as a first fraud group, associating said first asset information with said second asset information, and saving said first asset information into a set of asset information of said first fraud group, in case there is an intersection between said first asset information and said second asset information; wherein the first fraud group is a fraud group corresponding to the second asset information.
According to the fraud traffic aggregation analysis device provided by the invention, the traffic log of the background of the fraud website is obtained, the asset information is extracted from the traffic log and compared with the prestored asset information, the fraud group is subjected to association identification based on the comparison result, when the two asset information are intersected, the extracted asset information is classified into the prestored fraud group, and the association between the asset information and the prestored asset information is realized, so that the association relationship between the asset information is improved, the asset information content in the first fraud group is filled, and the understanding degree of the first fraud group is improved; the method and the device realize accurate positioning of the fraud partners and are beneficial to realizing efficient and accurate striking of the fraud partners based on the positioning information.
According to the fraud traffic aggregation analysis apparatus provided by the present invention, in the present invention, the apparatus further includes: a newly-adding module for determining a fraud group corresponding to said fraud traffic log as a newly-added second fraud group if there is no intersection between said first asset information and said second asset information, and saving the first asset information into the asset information set of said second fraud group.
According to the fraud traffic aggregation analysis apparatus provided by the invention, the extracted asset information is compared with the pre-stored asset information, and when the extracted asset information has no intersection with the pre-stored asset information, the extracted asset information is stored in a newly added fraud group. The boundaries between the individual crime groups are thus drawn clearly, which helps to crack down on each crime group in a targeted manner and achieves accurate control and efficient processing.
According to the fraud traffic aggregation analysis device provided by the invention, in the invention, the asset item information comprises equipment asset item information and fraud website information; wherein the equipment asset item information comprises at least one of an international mobile equipment identity and a cell phone number.
According to the fraud traffic aggregation analysis apparatus provided by the invention, a device is pinned down through its international mobile equipment identity (IMEI) and mobile phone number, a fraud website is pinned down through its website address, and the fraud group is then pinned down through the association relationships among these parameters; the fraud group is thus located accurately, and an efficient and accurate crackdown on the fraud group is achieved based on the location information.
According to the fraud traffic aggregation analysis apparatus provided by the present invention, in the present invention, the obtaining module 610, when used for obtaining the fraud traffic log, is specifically configured to: acquire the fraud traffic log from Internet access traffic through a website substring template.
According to the fraud traffic aggregation analysis apparatus provided by the invention, the fraud traffic logs are quickly and accurately acquired through the website substring template.
According to the fraud traffic aggregation analysis apparatus provided by the present invention, in the present invention, the comparison module 620, when used for extracting the first asset information from the fraud traffic log, is specifically configured to: extract the first asset information from the fraud traffic log based on a regular match.
According to the fraud traffic aggregation analysis apparatus provided by the invention, the target asset information is efficiently and accurately acquired from the fraud traffic log by regular matching.
According to the fraud traffic aggregation analysis apparatus provided by the present invention, in the present invention, the apparatus further includes: a merging module, configured to search, based on third asset information in the asset information set of a third fraud group, the asset information sets of a plurality of confirmed fraud groups for asset information that intersects with the third asset information; wherein the third fraud group is any one of the confirmed fraud groups; and, in case the third asset information intersects with fourth asset information, to attribute the fourth fraud group and the third fraud group to the same fraud group, associate the third asset information with the fourth asset information, and merge the asset information set of the fourth fraud group with the asset information set of the third fraud group; wherein the fourth fraud group is the fraud group corresponding to the fourth asset information.
The fraud traffic aggregation analysis apparatus provided by the invention further aggregates the fraud groups using the domain name and IP address of the fraud website, thereby increasing the degree of association among the fraud groups and helping to mine and detect larger fraud groups.
According to the fraud traffic aggregation analysis apparatus provided by the present invention, in the present invention, the apparatus further includes: a graph display module, configured to establish, based on the asset information in the asset information set of a fifth fraud group, a connectivity relation graph with asset item information as nodes and the associations between asset item information as edges; wherein the fifth fraud group is any one of the determined fraud groups, and the node style of each node is determined according to the type of its asset item information;
determining, according to the connectivity relation graph, the number of other nodes connected to any one node;
determining the size of that node according to the number of other nodes connected to it; and
displaying the detailed information of a designated node and of the other nodes connected to it in the connectivity relation graph.
The fraud traffic aggregation analysis apparatus provided by the invention grasps the association relationships among asset item information accurately through neighbor sampling processing and weight amplification processing, thereby determines the weight of each item of asset item information in the connectivity relation graph, and provides a direction for the subsequent detection of fraud groups.
Fig. 7 illustrates a physical structure diagram of an electronic device. As shown in Fig. 7, the electronic device may include: a processor 710, a communications interface 720, a memory 730, and a communication bus 740, wherein the processor 710, the communications interface 720, and the memory 730 communicate with each other via the communication bus 740. The processor 710 may invoke logic instructions in the memory 730 to perform a fraud traffic aggregation analysis method, the method comprising: obtaining a fraud traffic log; wherein the fraud traffic log is a traffic log of visiting a background of a fraud website; extracting first asset information from the fraud traffic log, and comparing the first asset information with pre-stored second asset information; wherein the asset information comprises a plurality of asset item information; determining a fraud group corresponding to said fraud traffic log as a first fraud group, associating said first asset information with said second asset information, and saving said first asset information into a set of asset information of said first fraud group, if there is an intersection of said first asset information and said second asset information; wherein the first fraud group is a fraud group corresponding to the second asset information.
In addition, the logic instructions in the memory 730 can be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, including a computer program stored on a non-transitory computer readable storage medium, the computer program including program instructions, which when executed by a computer, the computer is capable of executing the fraud traffic aggregation analysis method provided by the above methods, the method including: obtaining a fraud traffic log; wherein the fraud traffic log is a traffic log of visiting a background of a fraud website; extracting first asset information from the fraud traffic log, and comparing the first asset information with pre-stored second asset information; wherein the asset information comprises a plurality of asset item information; determining a fraud group corresponding to said fraud traffic log as a first fraud group, associating said first asset information with said second asset information, and saving said first asset information into a set of asset information of said first fraud group, if there is an intersection of said first asset information and said second asset information; wherein the first fraud group is a fraud group corresponding to the second asset information.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the fraud traffic aggregation analysis method provided above, the method comprising: obtaining a fraud traffic log; wherein the fraud traffic log is a traffic log of visiting a background of a fraud website; extracting first asset information from the fraud traffic log, and comparing the first asset information with pre-stored second asset information; wherein the asset information comprises a plurality of asset item information; determining a fraud group corresponding to said fraud traffic log as a first fraud group, associating said first asset information with said second asset information, and saving said first asset information into a set of asset information of said first fraud group, if there is an intersection of said first asset information and said second asset information; wherein the first fraud group is a fraud group corresponding to the second asset information.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (11)
1. A fraud traffic aggregation analysis method is characterized by comprising the following steps:
obtaining a fraud traffic log; wherein the fraud traffic log is a traffic log of visiting a background of a fraud website;
extracting first asset information from the fraud traffic log, and comparing the first asset information with pre-stored second asset information; wherein the asset information comprises a plurality of asset item information;
determining a fraud group corresponding to said fraud traffic log as a first fraud group, associating said first asset information with said second asset information, and saving said first asset information into a set of asset information of said first fraud group, if there is an intersection of said first asset information and said second asset information; wherein the first fraud group is a fraud group corresponding to the second asset information.
2. The fraud traffic aggregation analysis method of claim 1, wherein the method further comprises:
determining a fraud group corresponding to said fraud traffic log as a newly added second fraud group, and saving the first asset information into the set of asset information of said second fraud group, in case there is no intersection between said first asset information and said second asset information.
3. The fraud traffic aggregation analysis method according to claim 1 or 2, wherein said asset item information comprises equipment asset item information and fraud website address information; wherein the equipment asset item information comprises at least one of an international mobile equipment identity and a cell phone number.
4. The fraud traffic aggregation analysis method according to claim 1 or 2, wherein said obtaining a fraud traffic log comprises:
acquiring the fraud traffic log from Internet access traffic through a website substring template.
5. The fraud traffic aggregation analysis method according to claim 1 or 2, wherein said extracting first asset information from said fraud traffic log comprises:
first asset information is extracted from the fraud traffic log based on a regular match.
6. The fraud traffic aggregation analysis method according to claim 1 or 2, wherein the method further comprises:
searching, based on third asset information in the asset information set of a third fraud group, the asset information sets of a plurality of identified fraud groups for asset information that intersects with the third asset information; wherein said third fraud group is any one identified fraud group;
in case of intersection of the third asset information and the fourth asset information, attributing the fourth fraud group and the third fraud group to the same fraud group, associating the third asset information with the fourth asset information, merging the asset information set of the fourth fraud group with the asset information set of the third fraud group; wherein the fourth fraud group is a fraud group corresponding to the fourth asset information.
7. The fraud traffic aggregation analysis method according to claim 1 or 2, wherein the method further comprises:
establishing, based on the asset information in the asset information set of a fifth fraud group, a connectivity relation graph with the asset item information as nodes and the associations among the asset item information as edges; wherein the fifth fraud group is any one of the determined fraud groups, and the node style of each node is determined according to the type of its asset item information;
determining, according to the connectivity relation graph, the number of other nodes connected to any one node;
determining the size of that node according to the number of other nodes connected to it; and
displaying the detailed information of a designated node and of the other nodes connected to it in the connectivity relation graph.
8. A fraud traffic aggregation analysis apparatus, comprising:
an obtaining module, configured to obtain a fraud traffic log; wherein the fraud traffic log is a traffic log of visiting a background of a fraud website;
the comparison module is used for extracting first asset information from the fraud traffic log and comparing the first asset information with pre-stored second asset information; wherein the asset information comprises a plurality of asset item information;
an association module for determining a fraud group corresponding to said fraud traffic log as a first fraud group, associating said first asset information with said second asset information, and saving said first asset information into a set of asset information of said first fraud group, if there is an intersection between said first asset information and said second asset information; wherein the first fraud group is a fraud group corresponding to the second asset information.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the steps of the fraud traffic aggregation analysis method according to any one of claims 1 to 7.
10. A non-transitory computer readable storage medium, having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the fraud traffic aggregation analysis method according to any one of claims 1 to 7.
11. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the steps of the fraud traffic aggregation analysis method according to any one of claims 1 to 7.
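As an added worked example, not the patent's own code, the following Python sketch implements claims 1 to 7 over constructed log lines: the website substring template filter, regular-match extraction of the website address, IMEI and phone number, incremental group assignment with merging of groups that share an asset, and degree-based node sizes for the connectivity relation graph. The log line format, the `/admin/` template and the regular expressions are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# An asset item is (asset item type, value), e.g. ("imei", "355000000000001").
Asset = Tuple[str, str]

# Constructed sample log lines in an assumed format (hypothetical, not the
# patent's format): "<timestamp> src=<ip> url=<url> imei=<imei> phone=<phone>".
SAMPLE_LOGS = [
    "2021-12-27T10:00:01 src=203.0.113.5 url=http://site-a.example/admin/login imei=355000000000001 phone=13800000001",
    "2021-12-27T10:00:02 src=203.0.113.9 url=http://site-b.example/admin/login imei=355000000000002 phone=13800000002",
    "2021-12-27T10:00:03 src=203.0.113.5 url=http://news.example/index.html imei=355000000000005 phone=13800000005",
    "2021-12-27T10:00:04 src=203.0.113.6 url=http://site-a.example/admin/stats imei=355000000000003 phone=13800000001",
    "2021-12-27T10:00:05 src=198.51.100.7 url=http://site-c.example/admin/login imei=355000000000002 phone=13800000009",
    "2021-12-27T10:00:06 src=198.51.100.8 url=http://site-c.example/admin/login imei=355000000000001 phone=13800000007",
]

# Website substring template (claim 4): a line counts as fraud traffic only when
# its URL contains one of these backend path fragments (assumed value).
BACKEND_SUBSTRINGS = ("/admin/",)

# Regular matches (claim 5) for the asset item types of claim 3: website
# address (host part), IMEI and mobile phone number. The patterns are assumptions.
ASSET_PATTERNS = {
    "website": re.compile(r"url=https?://([^/\s]+)"),
    "imei": re.compile(r"\bimei=(\d{15})\b"),
    "phone": re.compile(r"\bphone=(\d{11})\b"),
}


def filter_fraud_logs(lines: List[str]) -> List[str]:
    """Keep only the lines that hit the website substring template."""
    return [ln for ln in lines if any(s in ln for s in BACKEND_SUBSTRINGS)]


def extract_assets(line: str) -> Set[Asset]:
    """Extract the asset information (a set of asset items) from one log line."""
    found: Set[Asset] = set()
    for kind, pattern in ASSET_PATTERNS.items():
        match = pattern.search(line)
        if match:
            found.add((kind, match.group(1)))
    return found


def aggregate(lines: List[str]) -> List[Set[Asset]]:
    """Claims 1, 2 and 6: compare each log's assets with the stored groups.

    Intersection with a stored group: the log belongs to that group and its
    assets are added (claim 1). No intersection: a new group is created
    (claim 2). Intersection with several groups: those groups are merged
    into one (claim 6).
    """
    groups: List[Set[Asset]] = []
    for line in filter_fraud_logs(lines):
        first = extract_assets(line)
        hits = [i for i, g in enumerate(groups) if g & first]
        if not hits:
            groups.append(first)
            continue
        merged = first.union(*(groups[i] for i in hits))
        groups = [g for i, g in enumerate(groups) if i not in hits] + [merged]
    return groups


def connectivity_graph(group: Set[Asset], lines: List[str]) -> Dict[Asset, Set[Asset]]:
    """Claim 7: nodes are asset items, edges join items seen in the same log line."""
    adjacency: Dict[Asset, Set[Asset]] = {a: set() for a in group}
    for line in filter_fraud_logs(lines):
        items = extract_assets(line) & group
        for item in items:
            adjacency[item] |= items - {item}
    return adjacency


def node_sizes(adjacency: Dict[Asset, Set[Asset]]) -> Dict[Asset, int]:
    """Node size follows the number of other nodes connected to the node."""
    return {node: len(neighbours) for node, neighbours in adjacency.items()}


if __name__ == "__main__":
    for group in aggregate(SAMPLE_LOGS):
        sizes = node_sizes(connectivity_graph(group, SAMPLE_LOGS))
        for node, size in sorted(sizes.items(), key=lambda kv: -kv[1]):
            print(f"{node[0]:8s} {node[1]:20s} connected nodes: {size}")
```

On the sample above, the first five lines yield two separate groups; the sixth line shares an IMEI with one group and a website with the other, so the two groups are merged into a single group of ten asset items.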
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111612908.4A CN114499966A (en) | 2021-12-27 | 2021-12-27 | Fraud traffic aggregation analysis method and device, electronic equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111612908.4A CN114499966A (en) | 2021-12-27 | 2021-12-27 | Fraud traffic aggregation analysis method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114499966A true CN114499966A (en) | 2022-05-13 |
Family
ID=81495266
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111612908.4A Pending CN114499966A (en) | 2021-12-27 | 2021-12-27 | Fraud traffic aggregation analysis method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114499966A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108133061A (en) * | 2018-02-01 | 2018-06-08 | 天津市国瑞数码安全系统股份有限公司 | A kind of swindle Stock discrimination system |
CN108764917A (en) * | 2018-05-04 | 2018-11-06 | 阿里巴巴集团控股有限公司 | It is a kind of fraud clique recognition methods and device |
CN110248322A (en) * | 2019-06-28 | 2019-09-17 | 国家计算机网络与信息安全管理中心 | A kind of swindling gang identifying system and recognition methods based on fraud text message |
US20200242615A1 (en) * | 2019-01-28 | 2020-07-30 | Fair Isaac Corporation | First party fraud detection |
CN111865925A (en) * | 2020-06-24 | 2020-10-30 | 国家计算机网络与信息安全管理中心 | Network traffic based fraud group identification method, controller and medium |
US20210099477A1 (en) * | 2019-10-01 | 2021-04-01 | RiskIQ, Inc. | Identifying Similar Assets Across A Digital Attack Surface |
CN113098870A (en) * | 2021-04-01 | 2021-07-09 | 恒安嘉新(北京)科技股份公司 | Phishing detection method and device, electronic equipment and storage medium |
WO2021169631A1 (en) * | 2020-02-29 | 2021-09-02 | 深圳壹账通智能科技有限公司 | Fraudster identification method, apparatus and device, and storage medium |
CN113641827A (en) * | 2021-06-29 | 2021-11-12 | 武汉众智数字技术有限公司 | Phishing network identification method and system based on knowledge graph |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||