CN114629693B - Suspicious broadband account identification method and device - Google Patents


Info

Publication number: CN114629693B (granted patent; earlier publication CN114629693A)
Application number: CN202210187561.1A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active (as listed by Google Patents, not a legal conclusion)
Prior art keywords: account, identified, dangerous, list, suspicious
Inventors: 刘紫千, 常力元, 顾庆崴, 余启明, 孙福兴, 王大伟, 陈林, 刘长波
Original and current assignee: Tianyi Safety Technology Co Ltd

Classifications

    • H04L (Transmission of digital information) > H04L63/00 Network security > H04L63/30 Supporting lawful interception, monitoring or retaining of communications or communication-related information
    • H04L > H04L61/00 Addressing or naming > H04L61/09 Mapping addresses > H04L61/25 Mapping addresses of the same type > H04L61/2503 Translation of Internet Protocol [IP] addresses > H04L61/2517 Translation of IP addresses using port numbers
    • H04L > H04L63/00 Network security > H04L63/08 Authentication of entities > H04L63/0876 Authentication based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L > H04L63/00 Network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1408 By monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The application relates to the field of network security, and in particular to a method and device for identifying suspicious broadband accounts. It addresses the problem that an attacker who changes public IP address by frequently going online and offline cannot be traced or tracked. The method comprises: after an access record (the record generated when a broadband account goes online or offline) is received, if the account to be identified contained in the record is in neither the dangerous account list nor the suspicious account list, analyzing the account's online/offline behavior on the basis of the online state information in the record and the account's historical behavior features to obtain its real-time behavior features; after the real-time behavior features are determined to match the abnormal behavior feature set, and on the basis of the identification result returned by the service server, monitoring the account to be identified and continuously synchronizing its public IP address and port allocation information to the security device. In this way a user posing a potential risk is discovered promptly and effectively, and the user's trail is synchronized accurately to the security device.

Description

Suspicious broadband account identification method and device
Technical Field
The application relates to the field of network security, and in particular to a method and device for identifying suspicious broadband accounts.
Background
At present, operators' broadband services still expose users to the Internet through a global public Internet Protocol (IP) address assigned after Network Address Translation (NAT). This externally visible address changes dynamically as the user goes online and offline, and one public IP address is shared by several users, so a public IP address on its own does not identify a subscriber; the port range allocated to the account at login is needed as well.
In Internet anti-fraud, attack tracing and security protection scenarios it has been found that attackers change their public IP address by going online and offline frequently, so that their network trail changes and tracking is evaded. An identification method is therefore needed that can capture an attacker's network trail promptly and effectively, opening a new direction for subsequent tracing and protection technology.
Disclosure of Invention
Embodiments of the application provide a method and device for identifying suspicious broadband accounts, to solve the problem that an attacker who goes online and offline frequently cannot be traced or tracked.
The specific technical solutions provided by the embodiments of the application are as follows:
In a first aspect, an embodiment of the present application provides a method for identifying suspicious broadband accounts, comprising:
after an access record is received, if it is determined that the account to be identified contained in the access record is in neither the dangerous account list nor the suspicious account list, analyzing the online/offline behavior of the account to be identified on the basis of the access record and the historical behavior features of the account to be identified, to obtain the real-time behavior features of the account to be identified;
after it is determined that the real-time behavior features match the abnormal behavior feature set, sending the account to be identified to an associated service server, wherein the abnormal behavior feature set is derived from a decision tree analysis model, and the decision tree analysis model is obtained by training on the abnormal behavior features of each dangerous account in the dangerous account list;
after the account to be identified is determined to be a dangerous account on the basis of the identification result returned by the service server, monitoring the account to be identified and continuously synchronizing its public IP address and port allocation information to the security device, so that the security device can trace and/or track the account to be identified.
In this method, a decision tree analysis model is introduced to analyze and mine the abnormal behavior features in the online/offline data of every dangerous account among the operator's broadband users, and a large abnormal behavior feature set is built from them. When the account contained in a received access record is in neither the dangerous account list nor the suspicious account list, whether it shows abnormal online behavior can then be decided by matching its real-time behavior features against that set. Once abnormal online behavior is found, the account is sent to the associated service server, which is triggered to analyze the account's online behavior; an account thereby confirmed as dangerous is monitored promptly and efficiently, and its trail is synchronized continuously and accurately to the security device, so that the security device holds an up-to-date online trail of the potentially risky user and tracing and/or tracking of that user can proceed.
In some possible embodiments, determining whether the account to be identified contained in the access record is in the dangerous account list or the suspicious account list comprises:
searching for the account to be identified in the dangerous account list using an Apache Flink distributed stream-processing cluster;
when the account to be identified is not found in the dangerous account list, searching for it in the suspicious account list using the Flink cluster;
and when the account to be identified is not found in the suspicious account list either, determining that the account to be identified contained in the access record is in neither the dangerous account list nor the suspicious account list.
Using the Flink distributed stream-processing framework, the dangerous account list can be searched in real time as records arrive, so that potentially risky users among all users of the network are found promptly and efficiently, their subsequent tracking and monitoring is made easier, and their trail can be reported accurately.
In some possible embodiments, after the access record is received, the method comprises:
if the account to be identified contained in the access record is determined to be in the suspicious account list, sending the account to be identified to the associated service server;
after the account to be identified is determined to be a dangerous account on the basis of the identification result returned by the service server, monitoring the account to be identified and continuously synchronizing its public IP address and port allocation information to the security device.
With the Flink distributed stream-processing framework, once the account to be identified is found in the suspicious account list, that is, it is already a suspicious account, it is sent directly to the associated service server, which is triggered to analyze its online behavior. Whether the account is a dangerous account can thus be determined promptly and efficiently; an account confirmed as dangerous is then monitored, and its trail is synchronized continuously and accurately to the security device, so that the security device holds an up-to-date online trail of the potentially risky user.
In some possible embodiments, the decision tree analysis model is trained as follows:
performing multiple rounds of iterative training on the decision tree analysis model to be trained on the basis of a training sample set until a preset convergence condition is met, and taking the decision tree analysis model output by the last round as the trained decision tree analysis model, wherein each round of iterative training performs the following operations:
inputting the sample behavior features of each dangerous account obtained from the training sample set into the decision tree analysis model to be trained, to obtain an abnormal behavior feature analysis result for each dangerous account;
determining a loss value on the basis of a comparison of the abnormal behavior feature analysis result for each dangerous account with the corresponding sample label;
and adjusting the model parameters of the decision tree analysis model to be trained on the basis of the loss value; wherein the sample behavior features of each dangerous account in the training sample set are obtained by analyzing the online/offline behavior in the access records of that dangerous account.
By training the decision tree analysis model on the sample behavior features of each dangerous account, a trained model is obtained and a large abnormal behavior feature set is built from it, so that broadband accounts with abnormal online behavior can be screened out effectively from all users of the network.
In some possible embodiments, after the account to be identified is determined to be a dangerous account, the method further comprises:
inputting the real-time behavior features into the decision tree analysis model to obtain the abnormal behavior features of the account to be identified;
and updating the abnormal behavior feature set on the basis of those abnormal behavior features.
Using the real-time behavior features of accounts determined to be dangerous in real time, the parameters of the pre-trained decision tree analysis model are optimized and adjusted and the abnormal behavior feature set is updated, so that the set stays broadly applicable and matches accurately, and a larger share of the potentially risky users among all users of the network can be screened out.
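The two steps above (training the decision tree and deriving the abnormal behavior feature set from it, then updating that set once the service server has confirmed a new dangerous account) as an added example in Python. This is not the patent's or Tianyi's code: the patent does not name its training algorithm, so a standard greedy CART-style build on Gini impurity stands in for its loss-driven iteration, the "abnormal behavior feature set" is taken to be the conjunction of conditions on every root-to-leaf path that ends in a "dangerous" leaf, and the three feature names, the sample values and the "dangerous"/"normal" labels are all constructed for the example. The training set includes normal accounts on purpose: a tree trained only on dangerous accounts, as the text literally says, has no boundary to learn.

```python
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

Sample = Dict[str, float]
Condition = Tuple[str, str, float]  # (feature, "<=" or ">", threshold)
Rule = Tuple[Condition, ...]        # conjunction of conditions: one entry of the abnormal behavior feature set

FEATURES = ("offline_events", "distinct_public_ips", "mean_session_seconds")

# Constructed training set (invented values; labels assumed). Dangerous accounts go offline often, collect
# several public IPs and keep sessions short. The normal rows deliberately include a flaky line (5 reconnects
# on one public IP, short sessions) and a router that reconnected once, so no single feature separates the classes.
TRAINING: List[Tuple[Sample, str]] = [
    ({"offline_events": 6, "distinct_public_ips": 5, "mean_session_seconds": 40}, "dangerous"),
    ({"offline_events": 4, "distinct_public_ips": 4, "mean_session_seconds": 90}, "dangerous"),
    ({"offline_events": 5, "distinct_public_ips": 3, "mean_session_seconds": 60}, "dangerous"),
    ({"offline_events": 8, "distinct_public_ips": 7, "mean_session_seconds": 20}, "dangerous"),
    ({"offline_events": 7, "distinct_public_ips": 2, "mean_session_seconds": 30}, "dangerous"),
    ({"offline_events": 1, "distinct_public_ips": 1, "mean_session_seconds": 7200}, "normal"),
    ({"offline_events": 0, "distinct_public_ips": 1, "mean_session_seconds": 36000}, "normal"),
    ({"offline_events": 2, "distinct_public_ips": 1, "mean_session_seconds": 1800}, "normal"),
    ({"offline_events": 3, "distinct_public_ips": 2, "mean_session_seconds": 900}, "normal"),
    ({"offline_events": 5, "distinct_public_ips": 1, "mean_session_seconds": 80}, "normal"),
    ({"offline_events": 1, "distinct_public_ips": 1, "mean_session_seconds": 60}, "normal"),
    ({"offline_events": 2, "distinct_public_ips": 2, "mean_session_seconds": 3600}, "normal"),
]


class Node:
    def __init__(self, label: Optional[str] = None, feature: Optional[str] = None, threshold: float = 0.0,
                 left: "Optional[Node]" = None, right: "Optional[Node]" = None):
        self.label, self.feature, self.threshold, self.left, self.right = label, feature, threshold, left, right


def gini(labels: Sequence[str]) -> float:
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(X: List[Sample], y: List[str]) -> Optional[Tuple[float, str, float]]:
    """Greedy CART-style split: the (feature, threshold) with the lowest weighted Gini impurity."""
    best = None
    for f in FEATURES:
        values = sorted({x[f] for x in X})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [lab for x, lab in zip(X, y) if x[f] <= t]
            right = [lab for x, lab in zip(X, y) if x[f] > t]
            impurity = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if best is None or impurity < best[0]:
                best = (impurity, f, t)
    return best


def build(X: List[Sample], y: List[str], depth: int = 0, max_depth: int = 3) -> Node:
    majority = Counter(y).most_common(1)[0][0]
    if len(set(y)) == 1 or depth == max_depth:
        return Node(label=majority)
    split = best_split(X, y)
    if split is None or split[0] >= gini(y):  # no split reduces impurity: stop here
        return Node(label=majority)
    _, f, t = split
    li = [i for i, x in enumerate(X) if x[f] <= t]
    ri = [i for i, x in enumerate(X) if x[f] > t]
    return Node(feature=f, threshold=t,
                left=build([X[i] for i in li], [y[i] for i in li], depth + 1, max_depth),
                right=build([X[i] for i in ri], [y[i] for i in ri], depth + 1, max_depth))


def walk(node: Node, sample: Sample) -> Tuple[str, Rule]:
    """Classify one sample and return the conjunction of conditions on its root-to-leaf path."""
    path: List[Condition] = []
    while node.label is None:
        if sample[node.feature] <= node.threshold:
            path.append((node.feature, "<=", node.threshold))
            node = node.left
        else:
            path.append((node.feature, ">", node.threshold))
            node = node.right
    return node.label, tuple(path)


def abnormal_feature_set(node: Node, path: Rule = ()) -> List[Rule]:
    """The feature set mined from the tree: every path that ends in a 'dangerous' leaf."""
    if node.label is not None:
        return [path] if node.label == "dangerous" else []
    return (abnormal_feature_set(node.left, path + ((node.feature, "<=", node.threshold),))
            + abnormal_feature_set(node.right, path + ((node.feature, ">", node.threshold),)))


def update_feature_set(tree: Node, feature_set: List[Rule], confirmed: Sample) -> Tuple[List[Rule], bool]:
    """Update step after the service server confirms an account as dangerous: its path rule joins the set.
    The second value is True when the tree still lands the account in a 'normal' leaf, i.e. retraining is needed."""
    label, rule = walk(tree, confirmed)
    if label != "dangerous":
        return feature_set, True
    return (feature_set if rule in feature_set else feature_set + [rule]), False


def train() -> Tuple[Node, List[Rule]]:
    X, y = [s for s, _ in TRAINING], [lab for _, lab in TRAINING]
    tree = build(X, y)
    return tree, abnormal_feature_set(tree)
```

On this data the tree first splits on offline_events at 3.5 and then, for the churning accounts, on distinct_public_ips at 1.5, so the single mined rule reads "more than 3 offline events and more than 1 public IP": the flaky line that reconnects on the same address stays normal. That is the practitioner's caveat for the whole scheme: a rule set mined from confirmed attackers only flags what those attackers did, and an account the tree cannot explain (confirmed dangerous but landing in a normal leaf) must go back into the training set rather than being bolted on as a rule.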
In some possible embodiments, if the identification result returned by the service server indicates that the account to be identified is a dangerous account, the account to be identified is determined to be a dangerous account; or,
if the identification result returned by the service server indicates that the account to be identified is a normal account, the account to be identified is determined not to be a dangerous account.
Handling the account to be identified differently according to the account nature indicated by the service server's identification result improves the efficiency with which the whole user base of the network is managed.
In some possible embodiments, after the real-time behavior features are determined to match the abnormal behavior feature set, the method further comprises:
adding the account to be identified to the suspicious account list;
after the account to be identified is determined to be a dangerous account, the method further comprises:
adding the account to be identified to the dangerous account list and deleting it from the suspicious account list;
and after the account to be identified is determined not to be a dangerous account, the method further comprises:
deleting the account to be identified from the suspicious account list.
Updating the dangerous account list and the suspicious account list according to the real-time state of the network allows the risk posed by each broadband account among the network's users to be identified efficiently and the online trail of a dangerous account to be pushed efficiently and accurately, which benefits the tracing of subsequent attacks and protection against them and improves network security.
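The identification flow described in the first aspect (the two list lookups, the real-time feature computation from the record plus the account's history, the match against the abnormal behavior feature set, the service-server verdict, and the list updates just described) as an added example in Python. It is not the patent's or Tianyi's code and it stands in for the Flink job with a single in-process class. Assumptions not in the patent: the record field names (taken from the field list later on the page), a 10-minute sliding window, three concrete features (event count, offline count, distinct public IPs), one threshold rule standing in for the decision-tree-derived feature set, and a hypothetical service-server callback that may also answer "no verdict yet". All records are constructed.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple

WINDOW_SECONDS = 600  # assumption: real-time features cover the last 10 minutes of an account's history

Record = Dict[str, object]
Rule = Dict[str, float]  # feature name -> minimum value; a rule matches when every threshold is reached
# Hypothetical service-server callback: True = dangerous, False = normal, None = no verdict yet.
ServiceServer = Callable[[str], Optional[bool]]


class SuspiciousAccountIdentifier:
    def __init__(self, abnormal_feature_set: List[Rule], service_server: ServiceServer):
        self.dangerous: Set[str] = set()
        self.suspicious: Set[str] = set()
        self.abnormal_feature_set = abnormal_feature_set
        self.service_server = service_server
        self.history: Dict[str, Deque[Tuple[int, str, str]]] = defaultdict(deque)
        self.synced: List[Record] = []  # messages pushed to the security device (tracing system)

    def real_time_features(self, rec: Record) -> Dict[str, int]:
        """Combine the new record with the account's recent history (its 'historical behavior')."""
        q = self.history[rec["account"]]
        q.append((rec["ts"], rec["state"], rec["public_ip"]))
        while rec["ts"] - q[0][0] > WINDOW_SECONDS:  # never empties: the newest entry always stays
            q.popleft()
        return {
            "events": len(q),
            "offline_events": sum(1 for _, state, _ in q if state == "offline"),
            "distinct_public_ips": len({ip for _, _, ip in q}),
        }

    def matches_abnormal(self, feats: Dict[str, int]) -> bool:
        return any(all(feats.get(name, 0) >= minimum for name, minimum in rule.items())
                   for rule in self.abnormal_feature_set)

    def sync_to_security_device(self, rec: Record) -> None:
        """The trail the security device needs: the public IP and the port block the account holds now."""
        self.synced.append({k: rec[k] for k in ("ts", "account", "public_ip", "ports", "state")})

    def consult_service_server(self, rec: Record) -> str:
        acct = rec["account"]
        verdict = self.service_server(acct)
        if verdict is None:  # no verdict yet: the account stays on the suspicious list
            return "suspicious"
        self.suspicious.discard(acct)  # a verdict either way removes it from the suspicious list
        if not verdict:
            return "normal"
        self.dangerous.add(acct)
        self.sync_to_security_device(rec)
        return "dangerous"

    def handle(self, rec: Record) -> str:
        acct = rec["account"]
        if acct in self.dangerous:  # known dangerous: keep monitoring and syncing its trail
            self.sync_to_security_device(rec)
            return "dangerous"
        if acct in self.suspicious:  # known suspicious: straight to the service server
            return self.consult_service_server(rec)
        if not self.matches_abnormal(self.real_time_features(rec)):
            return "normal"
        self.suspicious.add(acct)  # matched the abnormal set: becomes suspicious and is checked
        return self.consult_service_server(rec)


def constructed_records() -> List[Record]:
    """Constructed sample records (invented values). bb-0001 behaves normally; bb-0002 and bb-0003 log on
    and off every two minutes and are handed a different public IP each time (the Background's evasion)."""
    recs: List[Record] = [
        {"ts": 0, "account": "bb-0001", "public_ip": "203.0.113.10", "private_ip": "100.64.1.10",
         "ports": "1024-2047", "state": "online"},
        {"ts": 500, "account": "bb-0001", "public_ip": "203.0.113.10", "private_ip": "100.64.1.10",
         "ports": "1024-2047", "state": "offline"},
    ]
    for acct, base_ts, private_ip, ip_base in (("bb-0002", 10, "100.64.2.7", 20), ("bb-0003", 15, "100.64.3.9", 40)):
        for i in range(4):
            common = {"account": acct, "public_ip": f"203.0.113.{ip_base + i}",
                      "private_ip": private_ip, "ports": "4096-5119"}
            recs.append({"ts": base_ts + 120 * i, "state": "online", **common})
            recs.append({"ts": base_ts + 60 + 120 * i, "state": "offline", **common})
    return sorted(recs, key=lambda r: r["ts"])


def run() -> Tuple[SuspiciousAccountIdentifier, List[Tuple[str, str]], List[str]]:
    # Assumption: one threshold rule stands in for the decision-tree-derived abnormal behavior feature set.
    abnormal_feature_set: List[Rule] = [{"offline_events": 3, "distinct_public_ips": 2}]
    calls: List[str] = []

    def service_server(acct: str) -> Optional[bool]:
        """Hypothetical: bb-0002's service data confirms it; bb-0003 gets no verdict on the first query
        and is cleared on later ones."""
        calls.append(acct)
        if acct == "bb-0002":
            return True
        return None if calls.count(acct) == 1 else False

    ident = SuspiciousAccountIdentifier(abnormal_feature_set, service_server)
    outcomes = [(rec["account"], ident.handle(rec)) for rec in constructed_records()]
    return ident, outcomes, calls


if __name__ == "__main__":
    identifier, results, _ = run()
    print(results)
    print("synced to security device:", identifier.synced)
```

Two things stand out when this runs. bb-0002 is flagged on its third offline event, confirmed, and every later record is pushed to the security device with the public IP and port block it holds at that moment, which is what the tracing system needs because the address alone is shared under NAT. bb-0003 shows the cost of the list logic: it stays suspicious while the service server has no verdict, is cleared, and is flagged again on its very next record because its history still matches the rule set, so the service server is queried three times for one account. A production deployment needs a cool-down or a cached verdict in front of the service server, and the verdict is asynchronous in practice, which is exactly why the "already on the suspicious list" branch exists.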
In some possible embodiments, after the access record is received, the method comprises:
if the account to be identified contained in the access record is determined to be in the dangerous account list, monitoring the account to be identified and continuously synchronizing its public IP address and port allocation information to the security device.
With the distributed stream-processing framework, once the account to be identified is found in the dangerous account list, that is, it is already a dangerous account, it is monitored and its trail is synchronized continuously and accurately to the security device, so that the security device holds an up-to-date online trail of the potentially risky user.
In a second aspect, an embodiment of the present application provides a device for identifying suspicious broadband accounts, comprising:
a first determining unit, configured to, after an access record is received, if the account to be identified contained in the access record is determined to be in neither the dangerous account list nor the suspicious account list, analyze the online/offline behavior of the account to be identified on the basis of the online state information contained in the access record and the historical behavior features of the account to be identified, to obtain the real-time behavior features of the account to be identified;
a second determining unit, configured to send the account to be identified to an associated service server after the real-time behavior features are determined to match an abnormal behavior feature set, wherein the abnormal behavior feature set is derived from a decision tree analysis model, and the decision tree analysis model is obtained by training on the abnormal behavior features of each dangerous account in the dangerous account list;
and a monitoring unit, configured to monitor the account to be identified after it is determined to be a dangerous account on the basis of the identification result returned by the service server, and to continuously synchronize its public IP address and port allocation information to the security device so that the security device can trace and/or track the account to be identified.
In some possible embodiments, determining whether the account to be identified contained in the access record is in the dangerous account list or the suspicious account list comprises:
searching for the account to be identified in the dangerous account list using an Apache Flink distributed stream-processing cluster;
when the account to be identified is not found in the dangerous account list, searching for it in the suspicious account list using the Flink cluster;
and when the account to be identified is not found in the suspicious account list either, determining that the account to be identified contained in the access record is in neither the dangerous account list nor the suspicious account list.
In some possible embodiments, after the access record is received, the second determining unit is configured to:
if the account to be identified contained in the access record is determined to be in the suspicious account list, send the account to be identified to the associated service server;
and the monitoring unit is configured to:
after the account to be identified is determined to be a dangerous account on the basis of the identification result returned by the service server, monitor the account to be identified and continuously synchronize its public IP address and port allocation information to the security device.
In some possible embodiments, the decision tree analysis model is trained as follows:
performing multiple rounds of iterative training on the decision tree analysis model to be trained on the basis of a training sample set until a preset convergence condition is met, and taking the decision tree analysis model output by the last round as the trained decision tree analysis model, wherein each round of iterative training performs the following operations:
inputting the sample behavior features of each dangerous account obtained from the training sample set into the decision tree analysis model to be trained, to obtain an abnormal behavior feature analysis result for each dangerous account;
determining a loss value on the basis of a comparison of the abnormal behavior feature analysis result for each dangerous account with the corresponding sample label;
and adjusting the model parameters of the decision tree analysis model to be trained on the basis of the loss value; wherein the sample behavior features of each dangerous account in the training sample set are obtained by analyzing the online/offline behavior in the access records of that dangerous account.
In some possible embodiments, after the account to be identified is determined to be a dangerous account, the monitoring unit is further configured to:
input the real-time behavior features into the decision tree analysis model to obtain the abnormal behavior features of the account to be identified;
and update the abnormal behavior feature set on the basis of those abnormal behavior features.
In some possible embodiments, if the identification result returned by the service server indicates that the account to be identified is a dangerous account, the account to be identified is determined to be a dangerous account; or,
if the identification result returned by the service server indicates that the account to be identified is a normal account, the account to be identified is determined not to be a dangerous account.
In some possible embodiments, after the real-time behavior features are determined to match the abnormal behavior feature set, the second determining unit is further configured to:
add the account to be identified to the suspicious account list;
after the account to be identified is determined to be a dangerous account, the second determining unit is further configured to:
add the account to be identified to the dangerous account list and delete it from the suspicious account list;
and after the account to be identified is determined not to be a dangerous account, the second determining unit is further configured to:
delete the account to be identified from the suspicious account list.
In some possible embodiments, after the access record is received, the monitoring unit is configured to:
if the account to be identified contained in the access record is determined to be in the dangerous account list, monitor the account to be identified and continuously synchronize its public IP address and port allocation information to the security device.
In a third aspect, embodiments of the present application provide an electronic device, the electronic device including a processor and a memory,
the memory is used for storing a computer program or instructions;
the processor being configured to execute the computer program or instructions in the memory so that the method of any one of the first aspects above is performed.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium on which computer program instructions are stored which, when executed by a processor, implement the steps of the method of any one of the first aspects above.
The technical effects of any implementation of the second to fourth aspects correspond to those of the respective implementations of the first aspect and are not repeated here.
Drawings
Fig. 1 is a schematic diagram of an application scenario in an embodiment of the present application;
Fig. 2 is a schematic architecture diagram of a suspicious broadband account identification system according to an embodiment of the present application;
Fig. 3 is a schematic diagram of another suspicious broadband account identification system according to an embodiment of the present application;
Fig. 4A is a schematic flowchart of a first method for identifying suspicious broadband accounts according to an embodiment of the present application;
Fig. 4B is a schematic flowchart of a second method for identifying suspicious broadband accounts according to an embodiment of the present application;
Fig. 4C is a schematic flowchart of a third method for identifying suspicious broadband accounts according to an embodiment of the present application;
Fig. 5 is a flowchart of updating the abnormal behavior feature set according to an embodiment of the present application;
Fig. 6 is an interaction flow diagram of a method for identifying suspicious broadband accounts according to an embodiment of the present application;
Fig. 7 is a schematic diagram of the logical architecture of a suspicious broadband account identification device according to an embodiment of the present application;
Fig. 8 is a schematic diagram of the physical architecture of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that the terms "first," "second," "third," and the like in the description and the claims of the present application and in the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be capable of operation in sequences other than those illustrated or otherwise described.
To solve the problem that the online behavior of an account cannot be traced or tracked because of frequent online/offline activity, in the embodiment of the application, after an access record is received, it is determined whether the account to be identified contained in the record is in the dangerous account list or the suspicious account list. If it is in neither list, the online behavior of the account is analyzed on the basis of the online state information in the record and the account's historical behavior features to obtain its real-time behavior features; after those features are determined to match the abnormal behavior feature set, the account is sent to the associated service server; and after the account is determined to be a dangerous account on the basis of the identification result returned by the service server, the account is monitored and its public IP address and port allocation information are continuously synchronized to the security device. A user posing a potential risk is thus found promptly and accurately, the user's trail is synchronized to the security device, and tracing and/or tracking of the user's online behavior can proceed.
The preferred embodiments of the present application are described in further detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the application and do not limit it, and that the embodiments of the application and the features of the embodiments may be combined with each other where there is no conflict.
Fig. 1 is a schematic diagram of an application scenario according to an embodiment of the present application. Referring to Fig. 1, the application scenario comprises an Authentication, Authorization and Accounting (AAA) server, a Deep Packet Inspection (DPI)-AAA server, a suspicious broadband account identification system, a security device (for example a tracing system) and a service server, wherein:
the AAA server manages user access to the network and provides service to users that hold access rights; in the embodiment of the application, after a user passes authentication, the AAA server sends the user's online/offline messages to the associated server;
the DPI-AAA server collects the egress traffic of the AAA server (that is, the online/offline messages) by traffic splitting or mirroring, parses the collected traffic with DPI to produce access records in a preset format, and sends the access records to the suspicious broadband account identification system;
the suspicious broadband account identification system receives the access records sent by the DPI-AAA server and determines whether the account to be identified contained in each record is in the dangerous account list or the suspicious account list;
if the account to be identified is in neither list, it analyzes the online/offline behavior of the account on the basis of the online state information contained in the record and the account's historical behavior features to obtain the account's real-time behavior features, and after those features are determined to match the abnormal behavior feature set, sends the account to be identified to the associated service server;
it further monitors the account to be identified after it is determined to be a dangerous account on the basis of the identification result returned by the service server, and continuously synchronizes the account's public IP address and port allocation information to the security device;
the security device (for example a tracing system) continuously receives the public IP address and port allocation information of the account to be identified synchronized by the suspicious broadband account identification system, and traces and/or tracks the account on that basis;
the service server receives the account to be identified from the suspicious broadband account identification system, determines the identification result for that account on the basis of the account's service data, and returns the identification result to the identification system; the identification result indicates whether the account to be identified is a dangerous account or a normal account.
In the embodiment of the present application, the above-mentioned internet access record information includes, but is not limited to, the following fields:
1. the account to be identified (i.e., the broadband account requesting to go online/offline);
2. the public network IP address;
3. the private network IP address;
4. the port allocation information allocated by the AAA server to the account to be identified;
5. the internet access state information, etc.
Fig. 2 shows a schematic architecture diagram of a suspicious broadband account identification system according to an embodiment of the present application. Referring to fig. 2, in an embodiment of the present application, the suspicious broadband account identification system includes a data processing server and an application server, where:
the data processing server is used for determining, after receiving the internet access record information, whether the account to be identified is contained in the dangerous account list or the suspicious account list; if it is contained in neither, it analyzes the online and offline behaviors of the account based on the internet access state information of the account and its historical behavior characteristics to obtain real-time behavior characteristics; after the real-time behavior characteristics are determined to match the abnormal behavior feature set, it sends the account to be identified to the application server, and after receiving from the application server a message that the account to be identified is a dangerous account, it monitors the account and continuously synchronizes the public network IP address and port allocation information of the account to the application server;
the application server is used for receiving the account to be identified sent by the data processing server and forwarding it to the associated service server; it is also used for returning a corresponding message to the data processing server based on the identification result returned by the service server: if the application server determines from the identification result that the account to be identified is a dangerous account, it sends a message that the account is a dangerous account to the data processing server, so that the data processing server monitors the account on the strength of that message and continuously sends the public network IP address and port allocation information of the account to the application server.
In practical applications, in order to ensure the reliability, scalability and so on of the data processing server, its functional components are typically deployed on different servers, i.e., as a distributed system. Referring to fig. 3, in an embodiment of the present application, the data processing server includes a data processing platform, a data storage server and a feature library server, where:
the data processing platform is used for storing the internet access record information in the data storage server after receiving it; it is also used for pulling the dangerous account list, the suspicious account list and the abnormal behavior feature set through the feature library server, and for receiving the messages returned by the application server;
it is further used for determining, based on the dangerous account list, the suspicious account list and the abnormal behavior feature set, whether the account to be identified is a dangerous account, for interacting with the application server and receiving the messages it returns, and, after determining that the account to be identified is a dangerous account, for monitoring the account and continuously synchronizing its public network IP address and port allocation information to the security device;
the data storage server is used for storing the internet access record information received by the data processing platform;
the feature library server is used for storing the dangerous account list, the suspicious account list and the abnormal behavior feature set; it is also used, when the application server returns that the account to be identified is a dangerous account, for pulling the internet access record information and/or the real-time behavior characteristics of that account from the data processing platform, performing deep feature mining on the internet access behavior of the account to obtain its abnormal behavior characteristics, and updating the stored abnormal behavior feature set with those characteristics.
It should be noted that, in the embodiment of the present application, the data processing server may pull the dangerous account list, the suspicious account list and the abnormal behavior feature set stored by the feature library server through a microservice established between the data processing server and the feature library server.
In the embodiment of the application, the data processing platform deploys a cluster of the distributed stream processing engine Flink. Through the Flink cluster it determines in real time whether the account in each received internet access record is contained in the dangerous account list or the suspicious account list, analyzes in real time the real-time behavior characteristics of the online and offline behaviors of the broadband accounts contained in neither list, matches those real-time behavior characteristics against the abnormal behavior feature set, and, when the identification result returned by the service server associated with the internet access record information determines that the account to be identified is a dangerous account, monitors the account and continuously synchronizes its public network IP address and port allocation information to the security device.
In practical application, before identification is performed, a decision tree analysis model to be trained is constructed and trained, and the abnormal behavior feature set is obtained based on the output of the trained decision tree analysis model.
In the embodiment of the application, a decision tree algorithm is applied to the internet access record information of each dangerous account in the dangerous account list to perform deep behavior feature mining, so that the abnormal behavior characteristics of each dangerous account are obtained.
First, a brief description of the decision tree algorithm: a decision tree is a tree structure (binary or not) in which each internal node represents a test on a feature, each branch represents one outcome of that test for a value of the feature attribute, and each leaf node represents a class. Decision making with a decision tree usually starts from the root node: the corresponding feature attribute of the item to be classified is tested, the outgoing branch is chosen according to its value, and this is repeated until a leaf node is reached, whose stored class is taken as the decision result, namely the abnormal behavior characteristic in the embodiment of the application. The core idea of the decision tree algorithm is to build different branches at a node according to different partitions of a feature attribute, with the aim of making each split subset as "pure" as possible, i.e., of having the items in one split subset belong to the same class as far as possible.
The C4.5 algorithm is taken below as an example of a decision tree algorithm.
In the embodiment of the application, the analysis principle of the decision tree analysis model is as follows:
Assume that D is the training sample set to be partitioned (e.g., a certain behavior characteristic of each of the above dangerous accounts); the entropy Info(D) of D is calculated by the following formula:
Further, assume that attribute A is the partitioning index.
Then, the expected information entropy Info_A(D) after partitioning D by attribute A is calculated by the following formula:
Then, the difference between the information entropy of D before and after partitioning, that is, the information gain (IG), is calculated by the following formula:
$\mathrm{Gain}(D,A)=\mathrm{Info}(D)-\mathrm{Info}_A(D)$
According to the principle of the decision tree algorithm, the larger the information gain, the greater the purity improvement obtained by partitioning on attribute A.
Further, the split information (IV), namely the intrinsic value of attribute A, can be expressed by the following formula:
Correspondingly, the information gain ratio (IGR) is:
In this way, by the analysis principle of the decision tree analysis model, the abnormal behavior characteristics of each dangerous account in the dangerous account list can be obtained, and from them the abnormal behavior feature set.
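The C4.5 quantities named above, carried through on a small constructed sample, as an added example that is not code from the patent. The formulas in the comments are the standard C4.5 definitions: Info(D) is the class entropy of D, Info_A(D) the size-weighted entropy of the subsets D_j induced by attribute A, Gain(D, A) their difference, IV(A) the entropy of the subset sizes themselves, and the gain ratio is Gain divided by IV. The sample rows, the attribute names `offon_1h`, `night_share` and `region`, and the 1/0 label encoding are assumptions. The example also shows why C4.5 divides by IV: an attribute with one distinct value per account (`region` here) attains the same gain as the informative on/off feature but a much lower gain ratio, so it is not chosen as the split.

```python
"""C4.5 split evaluation: entropy, information gain, split information and gain
ratio, as an added example on constructed data (not the patent's code)."""
from collections import Counter
from math import log2

# Constructed training sample D: one row per broadband account. 'offon_1h' buckets
# the number of online/offline operations within one hour, 'night_share' the share
# of operations at night, 'region' is a per-account identifier-like attribute;
# 'label' is the sample label (1 = dangerous account, 0 = normal account).
SAMPLE_D = [
    {"offon_1h": "high", "night_share": "high", "region": "r1", "label": 1},
    {"offon_1h": "high", "night_share": "high", "region": "r2", "label": 1},
    {"offon_1h": "high", "night_share": "high", "region": "r3", "label": 1},
    {"offon_1h": "high", "night_share": "low",  "region": "r4", "label": 1},
    {"offon_1h": "low",  "night_share": "high", "region": "r5", "label": 0},
    {"offon_1h": "low",  "night_share": "low",  "region": "r6", "label": 0},
    {"offon_1h": "low",  "night_share": "low",  "region": "r7", "label": 0},
    {"offon_1h": "low",  "night_share": "low",  "region": "r8", "label": 0},
]


def info(rows, label="label"):
    """Info(D) = -sum_i p_i * log2(p_i) over the class proportions p_i of D."""
    n = len(rows)
    return -sum((c / n) * log2(c / n) for c in Counter(r[label] for r in rows).values())


def partition(rows, attr):
    """Split D into the subsets D_j, one per distinct value of attribute A."""
    parts = {}
    for r in rows:
        parts.setdefault(r[attr], []).append(r)
    return parts


def info_a(rows, attr):
    """Info_A(D) = sum_j |D_j|/|D| * Info(D_j): expected entropy after splitting on A."""
    n = len(rows)
    return sum(len(dj) / n * info(dj) for dj in partition(rows, attr).values())


def gain(rows, attr):
    """Gain(D, A) = Info(D) - Info_A(D), the information gain of attribute A."""
    return info(rows) - info_a(rows, attr)


def split_info(rows, attr):
    """IV(A) = -sum_j |D_j|/|D| * log2(|D_j|/|D|), the intrinsic value of A."""
    n = len(rows)
    return -sum(len(dj) / n * log2(len(dj) / n) for dj in partition(rows, attr).values())


def gain_ratio(rows, attr):
    """IGR(D, A) = Gain(D, A) / IV(A); zero when A does not split D at all."""
    iv = split_info(rows, attr)
    return gain(rows, attr) / iv if iv > 0 else 0.0


def best_attribute(rows, attrs, criterion=gain_ratio):
    """Attribute chosen for the next internal node under the given criterion."""
    return max(attrs, key=lambda a: criterion(rows, a))


if __name__ == "__main__":
    attrs = ["region", "offon_1h", "night_share"]
    for a in attrs:
        print(f"{a:12s} gain={gain(SAMPLE_D, a):.4f} IV={split_info(SAMPLE_D, a):.4f} "
              f"ratio={gain_ratio(SAMPLE_D, a):.4f}")
    print("by gain:      ", best_attribute(SAMPLE_D, attrs, gain))
    print("by gain ratio:", best_attribute(SAMPLE_D, attrs))
```

On this sample Info(D) is exactly 1 bit (four dangerous, four normal accounts). `offon_1h` and `region` both reach a gain of 1.0, but `region` splits the eight accounts into eight singletons and pays IV = 3 bits for it, so its gain ratio drops to 1/3 while `offon_1h` keeps a ratio of 1.0; `night_share` separates the classes only partly and scores about 0.19 on both measures.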
In the embodiment of the application, after the abnormal behavior characteristics of each dangerous account in the dangerous account list are obtained, these abnormal behavior characteristics, together with the other behavior characteristics obtained by analyzing the online and offline behaviors in the internet access record information of each dangerous account, are taken as the training sample set for training the decision tree analysis model to be trained, where the abnormal behavior characteristics and the other behavior characteristics are distinguished by sample labels.
Then, in the embodiment of the present application, after the training sample set is obtained, the trained decision tree analysis model is obtained by performing the following operations:
First, multiple rounds of iterative training are performed on the decision tree analysis model to be trained based on the training sample set until a preset convergence condition is met, and the decision tree analysis model output in the last round is taken as the trained decision tree analysis model, where in each round of the iterative training the following operations are executed:
1. the sample behavior characteristics of each dangerous account in the training sample set are input into the decision tree analysis model to be trained, to obtain an abnormal behavior characteristic analysis result for each dangerous account;
2. a loss value is determined based on the comparison of the abnormal behavior characteristic analysis result of each dangerous account with the corresponding sample label;
3. the model parameters of the decision tree analysis model to be trained are adjusted based on the loss value; the sample behavior characteristics of each dangerous account in the training sample set are obtained by analyzing the online and offline behaviors in the internet access record information of the corresponding dangerous account.
Second, when the preset convergence condition is determined to be met, the trained decision tree analysis model is obtained.
Referring to fig. 4A, a schematic implementation flow diagram of a suspicious broadband account identification method according to an embodiment of the present application is shown; the method is implemented based on DPI-AAA data and is divided into three cases.
Referring to fig. 4A, the implementation flow of the identification method in the first case is as follows:
Step 400A: after the internet access record information is received, if the account to be identified included in it is determined to be contained in the dangerous account list, the account is monitored, and its public network IP address and port allocation information are continuously synchronized to the security device, so that the security device can trace and/or track the account.
In the embodiment of the application, after the internet access record information is received, a Flink cluster is used to look up the account to be identified in the dangerous account list; if it is found there, the account is monitored, its public network IP address and port allocation information are continuously obtained, and the obtained public network IP address and port allocation information are continuously synchronized to the security device, so that the security device performs tracing and/or tracking of the account.
Referring to fig. 4B, the implementation flow of the method in the second case is as follows:
Step 400B: after the internet access record information is received, if the account to be identified included in it is determined to be contained in the suspicious account list, the account is sent to the associated service server.
In the embodiment of the application, after the internet access record information is received, a Flink cluster is used to look up the account to be identified in the dangerous account list; if it is not found there, it is looked up in the suspicious account list, and if it is found there, the account is sent to the associated service server for further identification.
In the embodiment of the application, after the real-time behavior characteristics are determined to match the abnormal behavior feature set, the account to be identified can be added to the suspicious account list, so as to facilitate the subsequent identification of that account when it appears in later internet access record information.
In the embodiment of the application, analyzing the online and offline behaviors recorded in the internet access record information of the account to be identified and matching the resulting real-time behavior characteristics against the abnormal behavior feature set can only establish that the online behavior of the account is abnormal; it cannot accurately establish that the account is a dangerous account, because special services can also cause a user to go online and offline frequently. The online behavior of the account therefore needs further analysis. However, online behavior data is usually huge in volume and strongly tied to the service, so the account found to have abnormal online behavior is sent to the associated service server, which is triggered to analyze the online behavior of that account. In this way, whether the account is a dangerous account can be determined in a timely and efficient manner, the account determined to be dangerous is monitored, and its trace is accurately and continuously synchronized to the security device, so that the security device grasps the online trace of the potentially risky user in time and the tracing and/or tracking of that user proceeds smoothly.
Step 410B: after the account to be identified is determined to be a dangerous account based on the identification result returned by the service server, the account is monitored, and its public network IP address and port allocation information are continuously synchronized to the security device.
In the embodiment of the application, determining whether the account to be identified is a dangerous account based on the identification result returned by the service server includes, but is not limited to, the following two cases:
In the first case, if the received identification result returned by the service server indicates that the account to be identified is a dangerous account, the account is determined to be a dangerous account.
In the second case, if the received identification result returned by the service server indicates that the account to be identified is a normal account, the account is determined not to be a dangerous account.
In the embodiment of the present application, when step 410B is executed, after the account to be identified is determined to be a dangerous account based on the identification result returned by the service server, a Flink cluster is used to monitor the account, continuously obtain its public network IP address and port allocation information, and continuously synchronize the obtained information to the security device, so that the security device performs tracing and/or tracking of the account.
In the embodiment of the application, if the account to be identified is determined to be a dangerous account based on the identification result returned by the service server, it is added to the dangerous account list and deleted from the suspicious account list, so as to mark it as a dangerous account for subsequent identification and use; if it is determined not to be a dangerous account based on that identification result, it is deleted from the suspicious account list and marked as a normal account for subsequent identification and use.
Referring to fig. 4C, the implementation flow of the method in the third case is as follows:
Step 400C: after the internet access record information is received, if the account to be identified included in it is contained in neither the dangerous account list nor the suspicious account list, the online and offline behaviors of the account are analyzed based on the internet access state information in the record and the historical behavior characteristics of the account, so as to obtain the real-time behavior characteristics of the account.
In the embodiment of the present application, when step 400C is executed, after the internet access record information is received, the following operations are performed to determine whether the account to be identified included in it is contained in the dangerous account list or the suspicious account list:
Operation 1: the account to be identified is looked up in the dangerous account list using the Flink cluster.
Operation 2: when the account to be identified is not found in the dangerous account list, it is looked up in the suspicious account list using the Flink cluster.
Operation 3: when the account to be identified is not found in the suspicious account list either, the account included in the internet access record information is determined to be contained in neither the dangerous account list nor the suspicious account list.
In the embodiment of the present application, when step 400C is executed, if the account to be identified included in the internet access record information is determined to be contained in neither the dangerous account list nor the suspicious account list, a Flink cluster is used to analyze the online and offline behaviors of the account in real time, based on the internet access state information in the record and the historical behavior characteristics of the account, so as to obtain its real-time behavior characteristics; here the online and offline behaviors are the networking and off-network operations performed by the user through the account to be identified, together with the time period information of each such operation.
Step 410C: after the real-time behavior characteristics are determined to match the abnormal behavior feature set, the account to be identified is sent to the associated service server, where the abnormal behavior feature set is determined based on a decision tree analysis model, and the decision tree analysis model is obtained by training based on the abnormal behavior characteristics of each dangerous account in the dangerous account list.
In the embodiment of the present application, before step 410C is executed, the real-time behavior characteristics of the account to be identified are matched against the abnormal behavior feature set; when they are determined to match, step 410C is executed and the account is sent to the associated service server for further identification.
In the embodiment of the application, after the real-time behavior characteristics are determined to match the abnormal behavior feature set, the account to be identified can be added to the suspicious account list, so as to facilitate the subsequent identification of that account when it appears in later internet access record information.
Optionally, in the embodiment of the present application, after the real-time behavior characteristics are determined not to match the abnormal behavior feature set, the account to be identified is released as a normal account.
In the embodiment of the application, analyzing the online and offline behaviors recorded in the internet access record information of the account to be identified and matching the resulting real-time behavior characteristics against the abnormal behavior feature set can only establish that the online behavior of the account is abnormal; it cannot accurately establish that the account is a dangerous account, because special services can also cause a user to go online and offline frequently. The online behavior of the account therefore needs further analysis. However, online behavior data is usually huge in volume and strongly tied to the service, so the account found to have abnormal online behavior is sent to the associated service server, which is triggered to analyze the online behavior of that account. In this way, whether the account is a dangerous account can be determined in a timely and efficient manner, the account determined to be dangerous is monitored, and its trace is accurately and continuously synchronized to the security device, so that the security device grasps the online trace of the potentially risky user in time and the tracing and/or tracking of that user proceeds smoothly.
Step 420C: after the account to be identified is determined to be a dangerous account based on the identification result returned by the service server, the account is monitored, and its public network IP address and port allocation information are continuously synchronized to the security device, so that the security device can trace and/or track the account.
In the embodiment of the present application, when step 420C is executed, after the account to be identified is determined to be a dangerous account based on the identification result returned by the service server, a Flink cluster is used to monitor the account, continuously obtain its public network IP address and port allocation information, and continuously synchronize the obtained information to the security device, so that the security device performs tracing and/or tracking of the account.
In the embodiment of the application, determining whether the account to be identified is a dangerous account based on the identification result returned by the service server includes, but is not limited to, the following two cases:
In the first case, if the received identification result returned by the service server indicates that the account to be identified is a dangerous account, the account is determined to be a dangerous account.
In the second case, if the received identification result returned by the service server indicates that the account to be identified is a normal account, the account is determined not to be a dangerous account.
Then, in the embodiment of the application, if the account to be identified is determined to be a dangerous account based on the identification result returned by the service server, it is added to the dangerous account list and deleted from the suspicious account list, so as to mark it as a dangerous account for subsequent identification and use; if it is determined not to be a dangerous account based on that identification result, it is deleted from the suspicious account list and marked as a normal account for subsequent identification and use.
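The three cases of figs. 4A to 4C end to end, as an added example that is not the patent's own code: the dangerous-list and suspicious-list lookups, a sliding one-hour counter of online/offline operations standing in for the real-time behavior characteristics (the page's own example of such a characteristic is the number of on/off events within 1 hour), the match against the abnormal behavior feature set, and the list maintenance performed on the service server's verdict. Assumptions: the abnormal behavior feature set is encoded as (feature, bucket) pairs, the bucket thresholds, the record field names and the epoch-second timestamps are mine, and every account name and address is constructed. A real deployment would run this logic in the Flink cluster and publish the synchronized records to the security device over a message queue rather than append them to a list.

```python
"""Three-case identification flow of the suspicious broadband account method,
as an added example on constructed data (not the patent's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 3600  # the page's example characteristic: on/off count within 1 hour
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 10, 4  # assumed bucket thresholds for that count


@dataclass
class AccessRecord:
    """One internet access record with the fields listed in the description."""
    account: str
    public_ip: str
    private_ip: str
    port_alloc: str   # port allocation information from the AAA server
    state: str        # "online" or "offline"
    ts: int           # event time in epoch seconds (assumed; the page fixes no format)


@dataclass
class Identifier:
    dangerous: set = field(default_factory=set)      # dangerous account list
    suspicious: set = field(default_factory=set)     # suspicious account list
    # Assumed encoding of the abnormal behavior feature set: (feature, bucket) pairs.
    abnormal_features: set = field(default_factory=set)
    normal_marks: set = field(default_factory=set)   # accounts the service server cleared
    events: dict = field(default_factory=lambda: defaultdict(deque))  # per-account history
    synced: list = field(default_factory=list)       # records pushed to the security device

    def real_time_features(self, rec):
        """Real-time behavior characteristics from the current record plus the account's
        history: here the number of on/off operations within the last hour."""
        q = self.events[rec.account]
        q.append(rec.ts)
        while q and rec.ts - q[0] >= WINDOW_SECONDS:   # drop operations older than the window
            q.popleft()
        n = len(q)
        bucket = "high" if n >= HIGH_THRESHOLD else "medium" if n >= MEDIUM_THRESHOLD else "low"
        return {("offon_1h", bucket)}

    def sync_to_security_device(self, rec):
        """Continuous synchronization of public IP and port allocation (steps 400A/410B/420C)."""
        self.synced.append((rec.account, rec.public_ip, rec.port_alloc))

    def identify(self, rec):
        """Return the action taken for one record; mirrors steps 400A, 400B and 400C/410C."""
        if rec.account in self.dangerous:                 # case 1: already dangerous
            self.sync_to_security_device(rec)
            return "monitor_and_sync"
        if rec.account in self.suspicious:                # case 2: already suspicious
            return "send_to_service_server"
        feats = self.real_time_features(rec)              # case 3: analyze the behavior
        if feats & self.abnormal_features:                # matches the abnormal feature set
            self.suspicious.add(rec.account)
            return "send_to_service_server"
        return "release_normal"

    def apply_service_result(self, account, result):
        """List maintenance on the service server's verdict (steps 410B/420C).
        Returns True when the account is now on the dangerous account list."""
        self.suspicious.discard(account)
        if result == "dangerous":
            self.dangerous.add(account)
        else:
            self.normal_marks.add(account)
        return account in self.dangerous


def run_demo():
    """Constructed scenario: bb-0001 is already dangerous, bb-0002 goes on/off ten times
    in 45 minutes, bb-0003 logs in once. Returns the identifier and the actions taken."""
    idf = Identifier(dangerous={"bb-0001"}, abnormal_features={("offon_1h", "high")})
    t0 = 1_700_000_000
    actions = []
    for i in range(10):
        state = "online" if i % 2 == 0 else "offline"
        actions.append(idf.identify(AccessRecord(
            "bb-0002", "203.0.113.10", "10.0.0.2", "1024-2047", state, t0 + 300 * i)))
    actions.append(idf.identify(AccessRecord(
        "bb-0001", "203.0.113.11", "10.0.0.3", "2048-3071", "online", t0)))
    actions.append(idf.identify(AccessRecord(
        "bb-0003", "203.0.113.12", "10.0.0.4", "3072-4095", "online", t0)))
    return idf, actions


if __name__ == "__main__":
    idf, actions = run_demo()
    print(actions)
    print("bb-0002 now dangerous:", idf.apply_service_result("bb-0002", "dangerous"))
```

The tenth on/off operation of `bb-0002` within the hour pushes its count into the `high` bucket, which is the only pair in the abnormal feature set, so that record is the first one handed to the service server and the account enters the suspicious list; the earlier nine records are released, `bb-0001` is synchronized immediately because it is already on the dangerous list, and once the service server returns "dangerous" for `bb-0002` the account moves from the suspicious list to the dangerous list and its next record is synchronized as well.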
In the embodiment of the present application, referring to fig. 5, after the account to be identified is determined to be a dangerous account, the following steps are further performed:
Step 500: the real-time behavior characteristics are input into the decision tree analysis model to obtain the abnormal behavior characteristics of the account to be identified.
Step 510: the abnormal behavior feature set is updated based on those abnormal behavior characteristics.
The above embodiments are described in further detail below using a specific example.
For example, referring to fig. 6, take the case in which the account to be identified is determined to be a dangerous account based on the identification result of the service server.
The suspicious broadband account identification system comprises a data processing platform, a data storage server, a feature library server and an application server.
Referring to fig. 6, in an embodiment of the present application, the interaction flow between the servers in the suspicious broadband account identification method is as follows:
step 600: the AAA server sends the outlet network traffic obtained by the traffic splitting/copying technology to the DPI-AAA server.
Step 601: the DPI-AAA server analyzes the received outlet network flow of the AAA server to obtain internet surfing record information, wherein the internet surfing record information comprises an account to be identified, a public network IP address, a private network IP address, port allocation information and internet surfing state information.
In the embodiment of the present application, when executing step 601, the DPI-AAA server uses DPI technology to analyze the received egress network traffic, thereby obtaining the above-mentioned internet surfing record information.
Step 602: the DPI-AAA server sends the Internet surfing record information to the data processing platform.
Step 603: the data processing platform stores the received internet surfing record information in a data storage server.
In the embodiment of the application, the data processing platform can store the Internet surfing record information in the database clickhouse.
Step 604: the data processing platform pulls the dangerous account list, the suspicious account list and the abnormal behavior feature set from the feature library server.
Step 605: and the data processing platform identifies the received internet surfing record information based on the dangerous account list, the suspicious account list and the abnormal behavior feature set, and determines whether the account to be identified is a dangerous account.
Step 606-1: after the data processing platform determines that the account to be identified is contained in the dangerous account list, it monitors the account to be identified and continuously sends the public network IP address and port allocation information of the account to be identified to the traceability system.
In the embodiment of the application, the data processing platform uses the Flink cluster to search for the account to be identified in the dangerous account list; once the account is found, it monitors the account to be identified and continuously sends the public network IP address and port allocation information of the account to be identified to the traceability system through Kafka.
Step 606-2: after the data processing platform determines that the account to be identified is contained in the suspicious account list, it sends the account to be identified to an application server so that the account can be further identified.
In the embodiment of the application, after the data processing platform determines that the account to be identified is not contained in the dangerous account list, it uses the Flink cluster to search for the account to be identified in the suspicious account list; once the account is found, it sends the account to be identified to the application server for further identification.
Step 606-3: the data processing platform analyzes the online and offline behavior of the account to be identified to obtain real-time behavior characteristics.
In the embodiment of the application, after the data processing platform determines that the account to be identified is contained in neither the dangerous account list nor the suspicious account list, it uses the Flink cluster to analyze the online and offline behavior of the account to be identified in real time, based on the internet surfing information contained in the internet surfing record information and the historical behavior characteristics of the account to be identified, and thereby obtains the real-time behavior characteristics.
For example, the real-time analysis of the online and offline behavior of the account to be identified may be a real-time count of how many times the account to be identified goes online and offline within 1 hour.
Step 606-4: after the data processing platform determines that the real-time behavior characteristics match the abnormal behavior characteristic set, it sends the account to be identified to an application server so that the account can be further identified.
In the embodiment of the application, the data processing platform uses the Flink cluster to compare the real-time behavior characteristics with the abnormal behavior characteristic set; after determining that they match, it sends the account to be identified to the application server for further identification.
Optionally, in the embodiment of the present application, after determining that the real-time behavior characteristics do not match the abnormal behavior characteristic set, the data processing platform releases the account to be identified as a normal account.
Step 607: the application server sends the account to be identified to the associated service server.
Step 608: the service server returns the identification result to the application server.
In the embodiment of the application, the service server obtains the identification result by acquiring the associated service data for the received account to be identified and performing identification based on that service data.
Step 609: the application server sends the data processing platform a message indicating whether the account to be identified is a dangerous account.
In the embodiment of the application, if the identification result returned by the service server indicates that the account to be identified is a dangerous account, the application server sends the data processing platform a message that the account to be identified has been determined, based on the identification result, to be a dangerous account; if the identification result returned by the service server indicates that the account to be identified is a normal account, the application server sends the data processing platform a message that the account to be identified has been determined, based on the identification result, not to be a dangerous account.
Step 610: if the account to be identified is a dangerous account, the application server sends a message that the account to be identified is a dangerous account to the feature library server.
In the embodiment of the application, if the identification result returned by the service server indicates that the account to be identified is a dangerous account, the application server at the same time sends the feature library server a message that the account to be identified has been determined, based on the identification result, to be a dangerous account, so that the feature library server updates the abnormal behavior feature set based on the real-time analysis result of the account to be identified.
Step 611: after the data processing platform determines that the account to be identified is a dangerous account, it monitors the account to be identified and continuously sends the public network IP address and port allocation information of the account to be identified to the tracing system.
In the embodiment of the application, the data processing platform uses the Flink cluster to monitor the account to be identified and continuously sends the public network IP address and port allocation information of the account to be identified to the traceability system through Kafka.
Step 612: the feature library server pulls the internet surfing record information and/or the real-time behavior features from the data processing platform.
Step 613: the feature library server updates the abnormal behavior feature set based on the real-time behavior features.
In the embodiment of the application, the real-time behavior features are input into the decision tree analysis model to obtain target behavior features, and the abnormal behavior feature set is updated based on the target behavior features.
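The triage flow of steps 606-1 to 611, as an added example that is not the patent's own code: the embodiment runs this on a Flink cluster and forwards monitoring output to the tracing system through Kafka, whereas here a Python class with in-memory lists and a `trace_sink` list stand in for both. The class and function names (`AccountTriage`, `run_sample`), the feature names `toggles_1h` and `toggle_ratio`, the use of an hourly baseline as the historical behavior characteristic, the `service_server` stub, the thresholds and the 203.0.113.0/24 sample addresses are all constructed for this example. The list updates (an account enters the suspicious list when its real-time features match, moves to the dangerous list when the service server confirms it, and leaves the suspicious list either way) follow the device embodiment of this application.

```python
"""Tiered triage for one internet-access record (added example, not the patent's code).

Steps 606-1..611 in Python: dangerous-list lookup, suspicious-list lookup,
real-time online/offline analysis over a 1-hour window combined with the
account's historical behaviour characteristic, matching against the abnormal
behaviour feature set, referral to the service server, list updates, and
monitoring. An in-memory list stands in for the Kafka topic to the tracing
system; all names, thresholds and sample data are constructed here.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Verdict:
    account: str
    action: str            # "monitor" or "release"
    reason: str
    forwarded: tuple = ()  # (public IP, port allocation) sent to the tracing system


class AccountTriage:
    def __init__(self, dangerous, suspicious, abnormal_feature_set, window_s=3600):
        self.dangerous = set(dangerous)
        self.suspicious = set(suspicious)
        # abnormal behaviour feature set: feature name -> value at or above which it matches
        self.abnormal = dict(abnormal_feature_set)
        self.window_s = window_s
        self.events = defaultdict(deque)  # account -> timestamps of on/offline events
        self.trace_sink = []              # stand-in for the Kafka topic to the tracing system

    def _real_time_features(self, account, ts, history):
        """Step 606-3: count on/offline events in the last window and compare to history."""
        q = self.events[account]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        toggles = len(q)
        # historical behaviour characteristic (assumed form): the account's usual hourly rate
        baseline = max(history.get("avg_toggles_per_hour", 1.0), 1.0)
        return {"toggles_1h": toggles, "toggle_ratio": toggles / baseline}

    def _matched_features(self, feats):
        """Step 606-4: which features of the abnormal set the real-time features reach."""
        return [f for f, thr in self.abnormal.items() if feats.get(f, 0) >= thr]

    def _monitor(self, record, reason):
        """Steps 606-1 / 611: forward public IP and port allocation to the tracing system."""
        forwarded = (record["public_ip"], record["port_range"])
        self.trace_sink.append((record["account"],) + forwarded)
        return Verdict(record["account"], "monitor", reason, forwarded)

    def _refer(self, record, reason, service_server):
        """Steps 607-610: service server verdict, then list maintenance."""
        acct = record["account"]
        is_dangerous = service_server(acct)
        self.suspicious.discard(acct)      # leaves the suspicious list either way
        if is_dangerous:
            self.dangerous.add(acct)
            return self._monitor(record, "service server confirmed; " + reason)
        return Verdict(acct, "release", "service server: normal; " + reason)

    def process(self, record, history, service_server):
        acct = record["account"]
        if acct in self.dangerous:                       # step 606-1
            return self._monitor(record, "on dangerous list")
        if acct in self.suspicious:                      # step 606-2
            return self._refer(record, "on suspicious list", service_server)
        feats = self._real_time_features(acct, record["ts"], history)
        hits = self._matched_features(feats)
        if not hits:                                     # no match: released as normal
            return Verdict(acct, "release", "no abnormal feature matched")
        self.suspicious.add(acct)                        # matched: enters suspicious list
        return self._refer(record, "matched " + ",".join(hits), service_server)


def run_sample():
    """Constructed sample: one listed account, one account that goes on/offline 12
    times in 10 minutes, one quiet account. 203.0.113.0/24 is a documentation range."""
    triage = AccountTriage(dangerous={"bb-0001"}, suspicious=set(),
                           abnormal_feature_set={"toggles_1h": 10, "toggle_ratio": 8.0})
    # stand-in for the service server: only bb-0002 is confirmed dangerous
    service_server = lambda acct: acct == "bb-0002"
    history = {"bb-0002": {"avg_toggles_per_hour": 2.0},
               "bb-0003": {"avg_toggles_per_hour": 1.0}}

    def rec(acct, ts, ip, ports):
        return {"account": acct, "ts": ts, "public_ip": ip, "port_range": ports}

    results = [triage.process(rec("bb-0001", 0, "203.0.113.10", "10000-11023"), {}, service_server)]
    for i in range(12):
        results.append(triage.process(rec("bb-0002", i * 50, "203.0.113.11", "20000-21023"),
                                      history["bb-0002"], service_server))
    results.append(triage.process(rec("bb-0003", 700, "203.0.113.12", "30000-31023"),
                                  history["bb-0003"], service_server))
    return triage, results


if __name__ == "__main__":
    t, rs = run_sample()
    for v in rs:
        print(v.account, v.action, v.reason)
    print("forwarded to tracing system:", t.trace_sink)
```

In the sample run the listed account is forwarded immediately, the flapping account is released nine times, is referred on its tenth on/offline event when `toggles_1h` reaches the threshold, is confirmed by the service server and then hits the dangerous-list branch on every later record, and the quiet account is released.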
In the embodiment of the application, by adopting the suspicious broadband account identification method, a broadband account with abnormal internet surfing behavior can be found in a timely manner for the purpose of internet anti-fraud. After the broadband account with abnormal internet surfing behavior is determined to be a dangerous account, the broadband account is monitored and its internet surfing trace is continuously reported to the relevant departments. During attack tracing, the attacking party can be traced back from the IP address and port allocation information of the attack source. Security protection is also facilitated: the public network IP address and port allocation information obtained by monitoring are continuously provided to the security device, so that the security device can apply protection accurately and efficiently.
Based on the same inventive concept, referring to fig. 7, an embodiment of the present application provides a suspicious broadband account identification device, including:
the first determining unit 710 is configured to, after receiving the internet surfing record information and determining that the account to be identified included in the internet surfing record information is included in neither the dangerous account list nor the suspicious account list, analyze the online and offline behavior of the account to be identified based on the internet surfing state information included in the internet surfing record information and the historical behavior characteristics of the account to be identified, and obtain the real-time behavior characteristics of the account to be identified;
the second determining unit 720 is configured to send the account to be identified to an associated service server after determining that the real-time behavior characteristics match an abnormal behavior feature set, where the abnormal behavior feature set is determined based on a decision tree analysis model, and the decision tree analysis model is obtained by training on the abnormal behavior features of each dangerous account in the dangerous account list;
the monitoring unit 730 is configured to monitor the account to be identified after determining that the account to be identified is a dangerous account based on the identification result returned by the service server, and to continuously synchronize the public network IP address and port allocation information of the account to be identified to the security device, so that the security device performs tracing and/or tracking of the account to be identified.
In some possible embodiments, determining whether the account to be identified included in the internet surfing record information is included in the dangerous account list and the suspicious account list comprises the following operations:
searching for the account to be identified in the dangerous account list using a distributed stream-processing engine Flink cluster;
when the account to be identified is not found in the dangerous account list, searching for the account to be identified in the suspicious account list using the Flink cluster;
when the account to be identified is not found in the suspicious account list either, determining that the account to be identified included in the internet surfing record information is included in neither the dangerous account list nor the suspicious account list.
In some possible embodiments, after receiving the internet log information, the second determining unit 720 is configured to:
if the account to be identified included in the internet surfing record information is determined to be included in the suspicious account list, the account to be identified is sent to an associated service server;
the monitoring unit 730 is configured to:
after the account to be identified is determined to be a dangerous account based on the identification result returned by the service server, monitoring the account to be identified, and continuously synchronizing the public network IP address and port allocation information of the account to be identified to the security device.
In some possible embodiments, the decision tree analysis model is trained as follows:
performing multiple rounds of iterative training on the decision tree analysis model to be trained based on the training sample set until a preset convergence condition is met, and taking the decision tree analysis model output in the last round as the trained decision tree analysis model, where in each round of the iterative training the following operations are executed:
inputting the sample behavior characteristics of each dangerous account obtained from the training sample set, one account at a time, into the decision tree analysis model to be trained to obtain the abnormal behavior characteristic analysis result for each dangerous account;
determining a loss value based on the comparison between the abnormal behavior characteristic analysis result of each dangerous account and the corresponding sample label;
adjusting the model parameters of the decision tree analysis model to be trained based on the loss value; the sample behavior characteristics of each dangerous account included in the training sample set are obtained by analyzing the online and offline behavior recorded in the internet surfing record information of the corresponding dangerous account.
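The training loop above, as an added example rather than the patent's own model: a Gini-impurity threshold tree trained round by round (each round fits one more level, computes a loss from the per-account analysis result against the sample label, and stops when the loss no longer decreases), followed by reading the target behavior features off the paths that end at a dangerous leaf, which is one concrete way of deriving the abnormal behavior feature set from the model. The feature names, the sample set and the assumption that normal accounts are present as negative samples are constructed for this example and are not from the application.

```python
"""Decision tree training for the abnormal behaviour feature set (added example).

Not the patent's model: a plain Gini-impurity threshold tree stands in for the
decision tree analysis model. Round t fits a tree of depth t, the loss is the
fraction of accounts whose analysis result disagrees with the sample label, and
training stops when the loss no longer decreases. The "target behaviour
features" are then read off the paths that end in a dangerous leaf. Sample set,
feature names and the presence of normal accounts as negatives are assumptions.
"""
from collections import Counter

# Constructed training sample set: per-account behaviour features and label
# (1 = dangerous account, 0 = normal account).
SAMPLE_ROWS = [
    {"toggles_1h": 1, "distinct_ips_24h": 1},
    {"toggles_1h": 2, "distinct_ips_24h": 1},
    {"toggles_1h": 1, "distinct_ips_24h": 2},
    {"toggles_1h": 3, "distinct_ips_24h": 1},
    {"toggles_1h": 2, "distinct_ips_24h": 2},
    {"toggles_1h": 12, "distinct_ips_24h": 1},
    {"toggles_1h": 15, "distinct_ips_24h": 2},
    {"toggles_1h": 2, "distinct_ips_24h": 9},
    {"toggles_1h": 3, "distinct_ips_24h": 11},
    {"toggles_1h": 20, "distinct_ips_24h": 14},
]
SAMPLE_LABELS = [0, 0, 0, 0, 0, 1, 1, 1, 1, 1]


def gini(labels):
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(rows, labels):
    """Return (feature, threshold, weighted gini) of the best 'feature >= threshold' split."""
    best = (None, None, gini(labels))
    for feat in rows[0]:
        for thr in sorted({r[feat] for r in rows}):
            left = [l for r, l in zip(rows, labels) if r[feat] < thr]
            right = [l for r, l in zip(rows, labels) if r[feat] >= thr]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(labels)
            if score < best[2]:
                best = (feat, thr, score)
    return best


def build_tree(rows, labels, depth):
    majority = Counter(labels).most_common(1)[0][0]
    if depth == 0 or gini(labels) == 0.0:
        return {"leaf": majority}
    feat, thr, _ = best_split(rows, labels)
    if feat is None:
        return {"leaf": majority}
    left = [(r, l) for r, l in zip(rows, labels) if r[feat] < thr]
    right = [(r, l) for r, l in zip(rows, labels) if r[feat] >= thr]
    return {
        "feature": feat, "threshold": thr,
        "left": build_tree([r for r, _ in left], [l for _, l in left], depth - 1),
        "right": build_tree([r for r, _ in right], [l for _, l in right], depth - 1),
    }


def predict(tree, row):
    """Analysis result for one account's behaviour features."""
    while "leaf" not in tree:
        tree = tree["right"] if row[tree["feature"]] >= tree["threshold"] else tree["left"]
    return tree["leaf"]


def misclassification(tree, rows, labels):
    """Loss value: fraction of accounts whose analysis result disagrees with the label."""
    wrong = sum(predict(tree, r) != l for r, l in zip(rows, labels))
    return wrong / len(labels)


def train(rows, labels, max_depth=6):
    """Iterative rounds; the convergence condition is 'loss stopped decreasing'."""
    best_tree = {"leaf": Counter(labels).most_common(1)[0][0]}
    best_loss = float("inf")
    for depth in range(1, max_depth + 1):
        tree = build_tree(rows, labels, depth)       # adjust the model for this round
        loss = misclassification(tree, rows, labels)
        if loss >= best_loss:
            break
        best_tree, best_loss = tree, loss
    return best_tree


def dangerous_rules(tree, path=()):
    """Conditions along every root-to-leaf path that ends in the dangerous class."""
    if "leaf" in tree:
        return [path] if tree["leaf"] == 1 else []
    f, t = tree["feature"], tree["threshold"]
    return (dangerous_rules(tree["left"], path + ((f, "<", t),))
            + dangerous_rules(tree["right"], path + ((f, ">=", t),)))


def abnormal_feature_set(tree):
    """Target behaviour features: per feature, the lowest '>=' threshold on a dangerous path."""
    out = {}
    for rule in dangerous_rules(tree):
        for f, op, t in rule:
            if op == ">=":
                out[f] = min(out.get(f, t), t)
    return out


if __name__ == "__main__":
    model = train(SAMPLE_ROWS, SAMPLE_LABELS)
    print("loss:", misclassification(model, SAMPLE_ROWS, SAMPLE_LABELS))
    print("abnormal behaviour feature set:", abnormal_feature_set(model))
```

On the constructed sample the first round splits on `toggles_1h >= 12`, the second round separates the remaining dangerous accounts on `distinct_ips_24h >= 9` and reaches zero loss, and the third round brings no improvement, so training stops; the resulting feature set is the dictionary of per-feature thresholds that the matching step of the method compares real-time features against.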
In some possible embodiments, after the determining that the account to be identified is a dangerous account, the monitoring unit 730 is further configured to:
inputting the real-time behavior characteristics into the decision tree analysis model to obtain abnormal behavior characteristics of the account to be identified;
updating the abnormal behavior feature set based on the abnormal behavior feature.
In some possible embodiments, if the received identification result returned by the service server indicates that the account to be identified is a dangerous account, it is determined that the account to be identified is a dangerous account; or,
if the received identification result returned by the service server indicates that the account to be identified is a normal account, it is determined that the account to be identified is not a dangerous account.
In some possible embodiments, after the determining that the real-time behavior feature matches the abnormal behavior feature set, the second determining unit 720 is further configured to:
adding the account to be identified to the suspicious account list;
after the determining that the account to be identified is a dangerous account, the second determining unit 720 is further configured to:
adding the account to be identified to the dangerous account list, and deleting the account to be identified from the suspicious account list;
after the determining that the account to be identified is not a dangerous account, the second determining unit 720 is further configured to:
deleting the account to be identified from the suspicious account list.
In some possible embodiments, after receiving the internet log information, the monitoring unit 730 is configured to:
if the account to be identified included in the internet surfing record information is determined to be included in the dangerous account list, monitoring the account to be identified, and continuously synchronizing the public network IP address and port allocation information of the account to be identified to the security device.
Referring to fig. 8, an embodiment of the present application provides an electronic device comprising a processor 801 and a memory 802;
the memory 802 is configured to store a computer program to be executed by the processor 801. The memory 802 may be a volatile memory, such as a random-access memory (RAM); the memory 802 may also be a non-volatile memory, such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid state drive (SSD); or the memory 802 may be any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited thereto. The memory 802 may also be a combination of the memories described above.
The processor 801 may include one or more central processing units (CPU), graphics processing units (GPU), digital processing units, or the like.
The specific connection medium between the memory 802 and the processor 801 is not limited in the embodiments of the present application. In fig. 8 the memory 802 and the processor 801 are connected through a bus 803, drawn as a thick line; the bus 803 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration only one thick line is shown in fig. 8, but this does not mean that there is only one bus or only one type of bus.
The memory stores program code that, when executed by the processor 801, causes the processor 801 to perform any one of the methods performed by the suspicious broadband account identification apparatus in the various embodiments described above.
Since the electronic device executes the method in the embodiment of the present application, and the principle by which it solves the problem is similar to that of the method, its implementation may refer to that of the method and is not repeated here.
Based on the same inventive concept, an embodiment of the present application provides a computer readable storage medium, on which computer program instructions are stored, which when executed by a processor implement any one of the methods performed by the suspicious broadband account identification apparatus in the above embodiments.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart block or blocks and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (11)

1. A method for identifying a suspicious broadband account, characterized by comprising the following steps:
after the internet surfing record information is received, if the account to be identified included in the internet surfing record information is determined to be included in neither the dangerous account list nor the suspicious account list, analyzing the online and offline behavior of the account to be identified based on the internet surfing record information and the historical behavior characteristics of the account to be identified, and obtaining the real-time behavior characteristics of the account to be identified;
after the real-time behavior characteristics are determined to match the abnormal behavior feature set, sending the account to be identified to an associated service server, where the abnormal behavior feature set is determined based on a decision tree analysis model, and the decision tree analysis model is obtained by training on the abnormal behavior features of each dangerous account in the dangerous account list;
after the account to be identified is determined to be a dangerous account based on the identification result returned by the service server, monitoring the account to be identified, and continuously synchronizing the public network IP address and port allocation information of the account to be identified to the security device so that the security device can trace and/or track the account to be identified.
2. The method of claim 1, wherein determining whether the account to be identified included in the internet surfing record information is included in the dangerous account list and the suspicious account list is performed by:
searching for the account to be identified in the dangerous account list using a distributed stream-processing engine Flink cluster;
when the account to be identified is not found in the dangerous account list, searching for the account to be identified in the suspicious account list using the Flink cluster;
when the account to be identified is not found in the suspicious account list either, determining that the account to be identified included in the internet surfing record information is included in neither the dangerous account list nor the suspicious account list.
3. The method of claim 1, wherein after receiving the internet log information, the method comprises:
if the account to be identified included in the internet surfing record information is determined to be included in the suspicious account list, the account to be identified is sent to an associated service server;
after the account to be identified is determined to be a dangerous account based on the identification result returned by the service server, monitoring the account to be identified, and continuously synchronizing the public network IP address and port allocation information of the account to be identified to the security device.
4. The method of claim 1, wherein the decision tree analysis model is trained by:
performing multiple rounds of iterative training on the decision tree analysis model to be trained based on the training sample set until a preset convergence condition is met, and taking the decision tree analysis model output in the last round as a trained decision tree analysis model, wherein in the iterative training process, the following operations are executed:
Respectively inputting sample behavior characteristics of each dangerous account obtained from the training sample set into a decision tree analysis model to be trained to obtain an abnormal behavior characteristic analysis result corresponding to each dangerous account;
determining a loss value based on the analysis result of the abnormal behavior characteristics corresponding to each dangerous account and the comparison result of the corresponding sample labels;
based on the loss value, adjusting model parameters of the decision tree analysis model to be trained; the sample behavior characteristics of each dangerous account included in the training sample set are obtained by analyzing the online and offline behaviors of the online record information of the corresponding dangerous account.
5. The method of any of claims 1-4, further comprising, after the determining that the account to be identified is a dangerous account:
inputting the real-time behavior characteristics into the decision tree analysis model to obtain abnormal behavior characteristics of the account to be identified;
updating the abnormal behavior feature set based on the abnormal behavior feature.
6. The method of claim 5, wherein if the received identification result returned by the service server indicates that the account to be identified is a dangerous account, it is determined that the account to be identified is a dangerous account; or,
if the received identification result returned by the service server indicates that the account to be identified is a normal account, it is determined that the account to be identified is not a dangerous account.
7. The method of claim 6, further comprising, after said determining that said real-time behavioral characteristics match a set of abnormal behavioral characteristics:
adding the account to be identified to the suspicious account list;
after the account to be identified is determined to be a dangerous account, the method further comprises:
adding the account to be identified to the dangerous account list, and deleting the account to be identified from the suspicious account list;
after the account to be identified is determined not to be a dangerous account, the method further comprises:
deleting the account to be identified from the suspicious account list.
8. The method of claim 1, wherein after receiving the internet log information, the method comprises:
if the account to be identified included in the internet surfing record information is determined to be included in the dangerous account list, monitoring the account to be identified, and continuously synchronizing the public network IP address and port allocation information of the account to be identified to the security device.
9. An identification device for a suspicious broadband account, comprising:
a first determining unit, configured to, after receiving the internet surfing record information and determining that the account to be identified included in the internet surfing record information is included in neither the dangerous account list nor the suspicious account list, analyze the online and offline behavior of the account to be identified based on the internet surfing state information included in the internet surfing record information and the historical behavior characteristics of the account to be identified, and obtain the real-time behavior characteristics of the account to be identified;
a second determining unit, configured to send the account to be identified to an associated service server after determining that the real-time behavior characteristics match an abnormal behavior feature set, where the abnormal behavior feature set is determined based on a decision tree analysis model, and the decision tree analysis model is obtained by training on the abnormal behavior features of each dangerous account in the dangerous account list;
a monitoring unit, configured to monitor the account to be identified after determining that the account to be identified is a dangerous account based on the identification result returned by the service server, and to continuously synchronize the public network IP address and port allocation information of the account to be identified to the security device so that the security device can trace and/or track the account to be identified.
10. An electronic device comprising a processor and a memory,
the memory is used for storing a computer program or instructions;
the processor is configured to execute the computer program or instructions in the memory, so that the method of any of claims 1-8 is performed.
11. A computer readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the steps of the method of any of claims 1-8.
CN202210187561.1A 2022-02-28 2022-02-28 Suspicious broadband account identification method and device Active CN114629693B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210187561.1A CN114629693B (en) 2022-02-28 2022-02-28 Suspicious broadband account identification method and device

Publications (2)

Publication Number Publication Date
CN114629693A CN114629693A (en) 2022-06-14
CN114629693B true CN114629693B (en) 2023-10-31

Family

ID=81900438

Country Status (1)

Country Link
CN (1) CN114629693B (en)

Also Published As

Publication number Publication date
CN114629693A (en) 2022-06-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant