CN115955331A

CN115955331A - Account risk detection method and device, computer equipment and storage medium

Info

Publication number: CN115955331A
Application number: CN202211522694.6A
Authority: CN
Inventors: 臧胜奎; 王犇; 张宇; 李善刚; 杨云祥; 高新; 王旭; 张恩东; 陈世杰; 张佳佳; 甄世航
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2022-11-30
Filing date: 2022-11-30
Publication date: 2023-04-11

Abstract

The application discloses an account risk detection method and device, computer equipment and a storage medium, and belongs to the technical field of computers. The method comprises the following steps: detecting an alarm event associated with an account, wherein the alarm event refers to an event that the login behavior of the account is abnormal; detecting a fragile event related to the account, wherein the fragile event refers to an event with potential safety hazards in a login environment of the account; acquiring value information of an account, wherein the value information represents the value of the account, the value information comprises at least one item of authority information or real-name information, the authority information represents authority of the account, and the real-name information refers to information related to a user and bound to the account; and determining a risk detection result by evaluating the severity of the alarm event, the severity of the fragile event and the importance of the value information. According to the method and the device, the login behavior, the login environment and the value information of the account are considered, the value of the account is evaluated according to the authority and the real-name condition of the account, and the accuracy of risk detection on the account is improved.

Description

Account risk detection method and device, computer equipment and storage medium

Technical Field

The embodiment of the application relates to the technical field of computers, in particular to an account risk detection method, an account risk detection device, computer equipment and a storage medium.

Background

With the development of information technologies such as computer technology and internet technology, the issue of network security is more and more emphasized. In a network environment providing various business services, a user can perform business processing on line by registering an account, but the account is also exposed to the risk of being attacked or stolen, so that it is important to detect whether the account is exposed to the risk.

In the related art, whether an account is in risk or not is determined by detecting whether the account has a login abnormal behavior, and because the considered factors are single, the accuracy of risk detection is not high enough.

Disclosure of Invention

The embodiment of the application provides an account risk detection method and device, computer equipment and a storage medium, and can improve accuracy of risk detection on an account. The technical scheme is as follows:

in one aspect, an account risk detection method is provided, and the method includes:

detecting an alarm event associated with an account, wherein the alarm event refers to an event that the login behavior of the account is abnormal;

detecting a fragile event associated with the account, wherein the fragile event refers to an event with potential safety hazard in a login environment of the account;

acquiring value information of the account, wherein the value information represents the value of the account, the value information comprises at least one of authority information or real-name information, the authority information represents the authority of the account, and the real-name information is information related to a user and bound to the account;

determining a risk detection result of the account by evaluating the severity of the alarm event, the severity of the fragile event and the importance of the value information, wherein the risk detection result represents the risk degree of the account.

In another aspect, an account risk detection apparatus is provided, the apparatus including:

the system comprises an alarm event detection module, a log-in module and a log-in module, wherein the alarm event detection module is used for detecting an alarm event related to an account, and the alarm event refers to an event that the log-in behavior of the account is abnormal;

the system comprises a fragile event detection module, a fragile event detection module and a fragile event processing module, wherein the fragile event detection module is used for detecting a fragile event related to the account, and the fragile event refers to an event with potential safety hazards in a login environment of the account;

the information acquisition module is used for acquiring value information of the account, wherein the value information represents the value of the account, the value information comprises at least one of authority information or real-name information, the authority information represents the authority of the account, and the real-name information is information related to a user and bound to the account;

and the risk detection module is used for determining a risk detection result of the account by evaluating the severity of the alarm event, the severity of the fragile event and the importance of the value information, wherein the risk detection result represents the risk degree of the account.

Optionally, the risk detection module includes:

the alarm parameter determination unit is used for performing parameter conversion on the alarm level to which the alarm event belongs according to an alarm parameter conversion rule to obtain an alarm parameter, wherein the alarm parameter represents the severity of the alarm event, and the alarm parameter conversion rule indicates that the alarm parameter is positively correlated with the alarm level;

a vulnerability parameter determination unit, configured to perform parameter transformation on a vulnerability class to which the vulnerability event belongs according to a vulnerability parameter transformation rule to obtain a vulnerability parameter, where the vulnerability parameter represents a severity of the vulnerability event, and the vulnerability parameter transformation rule indicates that the vulnerability parameter is positively correlated with the vulnerability class;

the value parameter determining unit is used for performing parameter conversion on the value information according to a value parameter conversion rule to obtain a value parameter, and the value parameter represents the importance degree of the account;

and the risk parameter determination unit is used for performing parameter conversion on the alarm parameter, the fragile parameter and the value parameter according to a risk parameter conversion rule to obtain a risk parameter, wherein the risk parameter is the risk detection result, and the risk parameter conversion rule indicates that the risk parameter is positively correlated with the alarm parameter, the fragile parameter and the value parameter.

Optionally, the number of the alarm events is multiple, and the alarm parameter determining unit is configured to:

determining the alarm level corresponding to the event type to which the alarm event belongs as the alarm level to which the alarm event belongs, wherein each alarm level corresponds to at least one event type;

for each alarm level, performing parameter conversion on the level numerical value of the alarm level and the quantity of the alarm events belonging to the alarm level according to the alarm parameter conversion rule to obtain a first influence parameter of the alarm level, wherein the alarm parameter conversion rule indicates that the first influence parameter is positively correlated with the level numerical value and the quantity, and the first influence parameter represents the influence degree of the alarm events belonging to the alarm level;

and performing parameter conversion on the sum of the first influence parameters of the multiple alarm levels according to the alarm parameter conversion rule to obtain the alarm parameter, wherein the alarm parameter conversion rule indicates that the alarm parameter is positively correlated with the sum of the influence parameters of the multiple alarm levels.

Optionally, the number of the fragile events is plural, and the fragile parameter determination unit is configured to:

determining a vulnerability grade corresponding to an event type to which the vulnerability event belongs as a vulnerability grade to which the vulnerability event belongs, wherein each vulnerability grade corresponds to at least one event type;

according to the fragile parameter conversion rule, performing parameter conversion on grade values of the fragile grades to which the plurality of fragile events belong to obtain second influence parameters of the plurality of fragile events, wherein the fragile parameter conversion rule indicates that the second influence parameters are positively correlated with the grade values, and the second influence parameters represent the influence degree of the fragile events;

and according to the fragile parameter conversion rule, performing parameter conversion on second influence parameters of the plurality of fragile events to obtain the fragile parameters, wherein the fragile parameter conversion rule indicates that the fragile parameters are positively correlated with the second influence parameters.

Optionally, the vulnerability parameter determination unit is configured to:

determining a target fragile event and a non-target fragile event in the plurality of fragile events, wherein the target fragile event is the fragile event with the smallest sequence number, the non-target fragile event is the fragile event except the target fragile event, and the sequence number is obtained by arranging the plurality of fragile events according to a second influence parameter from large to small;

for each non-target fragile event, performing parameter conversion on the second influence parameter and the sequence number of the non-target fragile event according to the fragile parameter conversion rule to obtain a third influence parameter, wherein the fragile parameter conversion rule indicates that the third influence parameter is positively correlated with the second influence parameter and negatively correlated with the third influence parameter;

performing parameter transformation on the second influence parameter of the target fragile event and the third influence parameter of each non-target fragile event according to the fragile parameter transformation rule to obtain the fragile parameter, wherein the fragile parameter transformation rule indicates that the fragile parameter is positively correlated with the second influence parameter and the third influence parameter.

Optionally, the value information includes the authority information and the real name information; the value parameter determination unit is configured to:

performing parameter conversion on the first number indicated by the permission information according to the value parameter conversion rule to obtain permission parameters, wherein the value parameter conversion rule indicates that the permission parameters are positively correlated with the first number, and the first number represents the number of permissions of the account;

performing parameter conversion on a second quantity indicated by the real name information according to the value parameter conversion rule to obtain a real name parameter, wherein the value parameter conversion rule indicates that the real name parameter is positively correlated with the second quantity, the second quantity indicates the quantity of real name items of the account, and one real name item indicates information related to a user and bound to the account;

and performing parameter conversion on the authority parameters and the real-name parameters according to the value parameter conversion rules to obtain the value parameters, wherein the value parameter conversion rules indicate that the value parameters are positively correlated with the authority parameters and the real-name parameters.

Optionally, the vulnerability event detection module is to:

determining an event with potential safety hazard in equipment logging in the account in an equipment running log associated with the account, wherein the equipment running log is the running log of the equipment logging in the account; alternatively, the first and second electrodes may be,

and determining an event with potential safety hazard in a client which logs in the account in a client running log associated with the account, wherein the client running log is the running log of the client which logs in the account.

Optionally, the alarm event detecting module is configured to:

detecting a candidate alarm event associated with the account within a preset time period, wherein the preset time period is a time period within a preset time length before the current time point;

determining a current event state of any detected candidate alarm event, wherein the event state comprises a processed state and an unprocessed state;

determining an alarm event in the unprocessed state among the detected candidate alarm events.

Optionally, the vulnerability event detection module is to:

detecting candidate fragile events associated with the account within a preset time period, wherein the preset time period is a time period within a preset time length before the current time point;

determining a current event state of any detected candidate fragile event, wherein the event state comprises a processed state and an unprocessed state;

determining, among the detected candidate fragile events, a fragile event in the unprocessed state.

In another aspect, a computer device is provided, and the computer device includes a processor and a memory, where at least one computer program is stored in the memory, and the at least one computer program is loaded and executed by the processor to implement the operations performed by the account risk detection method according to the above aspect.

In another aspect, a computer-readable storage medium is provided, in which at least one computer program is stored, and the at least one computer program is loaded and executed by a processor to implement the operations performed by the account risk detection method according to the above aspect.

In another aspect, a computer program product is provided, which includes a computer program that is loaded and executed by a processor to implement the operations performed by the account risk detection method according to the above aspect.

According to the scheme provided by the embodiment of the application, when whether the account faces risks or not is detected, the login behavior of the account, the login environment of the account and the value information of the account are comprehensively considered, systematic analysis is carried out by combining information from three angles, influence factors considered when the risk of the account is detected are enriched, and the value of the account is evaluated according to the authority of the account and the real-name condition, so that the information covered by the risk detection of the account is more comprehensive, and the accuracy of the risk detection of the account is improved.

Drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.

FIG. 1 is a schematic illustration of an implementation environment provided by an embodiment of the present application;

fig. 2 is a flowchart of an account risk detection method according to an embodiment of the present disclosure;

fig. 3 is a flowchart of another account risk detection method provided in the embodiment of the present application;

fig. 4 is a flowchart of another account risk detection method provided in the embodiment of the present application;

fig. 5 is a schematic structural diagram of an account risk detection apparatus according to an embodiment of the present disclosure;

fig. 6 is a schematic structural diagram of another account risk detection device provided in the embodiment of the present application;

fig. 7 is a schematic structural diagram of a terminal according to an embodiment of the present application;

fig. 8 is a schematic structural diagram of a server according to an embodiment of the present application.

Detailed Description

To make the objects, technical solutions and advantages of the embodiments of the present application more clear, the embodiments of the present application will be further described in detail with reference to the accompanying drawings.

It will be understood that the terms "first," "second," and the like as used herein may be used herein to describe various concepts, which are not limited by these terms unless otherwise specified. These terms are only used to distinguish one concept from another. For example, a first impact parameter may be referred to as a second impact parameter, and similarly, a second impact parameter may be referred to as a first impact parameter, without departing from the scope of the present application.

For example, the at least one event type may be any integer number of event types greater than or equal to one, such as one event type, two event types, three event types, and the like. The plurality means two or more, for example, the plurality of event types may be any integer number of event types greater than or equal to two, such as two event types, three event types, and the like. Each refers to each of the at least one, for example, each event type refers to each of a plurality of event types, and if the plurality of event types is 3 event types, each event type refers to each of the 3 event types.

It is understood that, in the embodiments of the present application, related data such as user information, when the above embodiments of the present application are applied to specific products or technologies, user permission or consent needs to be obtained, and the collection, use and processing of related data need to comply with relevant laws and regulations and standards of relevant countries and regions.

Fig. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present application. Referring to fig. 1, the implementation environment includes at least one terminal 101 (3 are taken as an example in fig. 1) and a server 102. The terminal 101 and the server 102 are directly or indirectly connected by wired or wireless communication.

In the embodiment of the application, the server 102 detects an alarm event and a fragile event associated with an account logged in by the terminal 101, acquires value information of the account, determines a risk detection result of the account based on the alarm event, the fragile event and the value information, and sends the risk detection result to the terminal 101, so that the terminal 101 determines a risk degree of the account currently facing to take measures.

In one possible implementation, the terminal 101 may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, a smart voice interaction device, a smart home appliance, a vehicle-mounted terminal, an aircraft, and the like. In a possible implementation manner, the server 102 may be an independent physical server, may also be a server cluster or a distributed system formed by a plurality of physical servers, and may also be a cloud server that provides basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), a big data and artificial intelligence platform, and the like.

The account risk detection method provided by the embodiment of the application can be applied to any scene of risk detection of the account.

For example, a wind control system, a device management system, and an information system are built inside an enterprise. The wind control system is used for detecting alarm events related to the account number registered in the enterprise, for example, abnormal login behaviors of the account number exist. The device management system is used for detecting a fragile event associated with the account, such as a security vulnerability existing in a login environment of the account. The information system is used for collecting value information associated with the account, such as authority information and real name information of the account. By adopting the method provided by the embodiment of the application, based on the detected alarm event, the fragile event and the collected value information, the risk detection result of the account can be determined, so that under the condition that the safety risk of the account is detected, the safety risk can be timely processed, and the safety risk of the account can be eliminated.

Fig. 2 is a flowchart of an account risk detection method provided in an embodiment of the present application, where the embodiment of the present application is executed by a computer device, and referring to fig. 2, the method includes:

201. the method comprises the steps that a computer device detects an alarm event related to an account, wherein the alarm event refers to an event that the login behavior of the account is abnormal.

The account is an account bound with information related to the user, and the information related to the user comprises a user name, a contact mode, a mailbox address, an identity card number and the like. The account may be any account, for example, if the computer device is a server, the account is an account registered in the server. For example, if the computer device is a terminal, the account is the account logged in by the terminal. Alternatively, the account may be an account that is notified to the computer device by another device, and the like, which is not limited in this embodiment of the application.

The alarm event associated with the account is an event that the login behavior of the account is abnormal, and under the condition that the login behavior of the account is abnormal, the possibility that the account is attacked is high, for example, the account is stolen. In other words, an alarm event refers to an event that an account is threatened, and the alarm event can be described by various attributes such as a threat agent, a threat motive, a threat path, a threat capability, and a threat frequency. The event of the account being threatened can be a direct or indirect attack on the account, which causes the account to be damaged in terms of confidentiality, integrity, availability and the like, and the event of the account being threatened can also be a sporadic or deliberate event.

202. The computer device detects a fragile event associated with the account, wherein the fragile event refers to an event with potential safety hazards in a login environment of the account.

The vulnerable event associated with the account is an event with potential safety hazard in a login environment of the account, and the existence of the potential safety hazard is a weak link which is not met with safety requirements or possibly threatened, for example, viruses or high-risk bugs exist in the login environment.

203. The method comprises the steps that a computer device obtains value information of an account, wherein the value information represents the value of the account, the value information comprises at least one item of authority information or real-name information, the authority information represents authority of the account, and the real-name information is information related to a user and bound to the account.

The value information includes at least one of authority information or real name information, the higher the authority the account has, the higher the value of the account is, and the lower the authority the account has, the lower the value of the account is. The more information about the user that an account binds, the higher the value of the account, and the less information about the user that an account binds, the lower the value of the account. Therefore, the value information of the account can represent the value of the account, and the value of the account refers to the importance degree of the account, that is, in the embodiment of the present application, the value of the account is measured by the authority information or the real-name information of the account.

204. The computer equipment determines a risk detection result of the account by evaluating the severity of the alarm event, the severity of the fragile event and the importance of the value information, wherein the risk detection result represents the risk degree of the account.

The higher the severity of an alarm event associated with an account, the higher the risk level that the account faces, and the lower the severity of an alarm event associated with an account, the lower the risk level that the account faces. The higher the severity of a fragile event associated with an account, the higher the risk level the account is exposed to, and the lower the severity of a fragile event associated with an account, the lower the risk level the account is exposed to. The higher the importance degree of the value information of the account is, the higher the possibility that the account is attacked is, that is, the higher the risk degree of the account is, the lower the importance degree of the information of the account is, the lower the possibility that the account is attacked is, that is, the lower the risk degree of the account is. Therefore, the risk degree of the account depends on the severity of the alarm event, the severity of the fragile event and the importance degree of the value information, and after the alarm event, the fragile event and the value information are acquired by the computer device, the three factors of the alarm event, the fragile event and the value information are comprehensively considered to determine the risk detection result of the account, that is, the risk degree of the account.

According to the method provided by the embodiment of the application, when whether the account faces risks or not is detected, the login behavior of the account, the login environment of the account and the value information of the account are comprehensively considered, systematic analysis is performed by combining information from three angles, influence factors considered when the risk of the account is detected are enriched, the value of the account is evaluated according to the authority of the account and the real-name condition, the information covered by the risk detection of the account is more comprehensive, and the accuracy of the risk detection of the account is improved.

On the basis of the above-described embodiment shown in fig. 2, the computer device determines an alarm parameter based on the alarm event, determines a vulnerability parameter based on the vulnerability event, determines a value parameter based on the value information, and then determines a risk parameter based on the alarm parameter, the vulnerability parameter, and the value parameter, where the risk parameter is a risk detection result. The specific process is described in detail in the embodiment shown in fig. 3 below. Fig. 3 is a flowchart of an account risk detection method provided in an embodiment of the present application, where the embodiment of the present application is executed by a computer device, referring to fig. 3, the method includes:

301. the method comprises the steps that a computer device detects an alarm event related to an account, wherein the alarm event refers to an event that the login behavior of the account is abnormal.

In the embodiment of the application, the alarm event is a concept provided for an account, and the alarm event associated with the account is determined to be detected under the condition that the login behavior of the account is abnormal. For example, the alarm event includes that the number of times of continuous login of the account exceeds a first preset number of times within a first preset time length. Or the alarm event includes that the account is logged in by the frequently-used device, and the like, optionally, the frequently-used device refers to a device that logs in the account for more than a second preset number of times within a second preset time period, and the frequently-used device refers to other devices except the frequently-used device.

In one possible implementation, a computer device is deployed with a wind control system for detecting alarm events associated with an account. The method comprises the steps that the wind control system can obtain a login log of the account, the login log records login behaviors of the account, and the wind control system detects the login log of the account to determine an alarm event related to the account.

In another possible implementation manner, the computer device presets a plurality of alarm levels, each alarm level corresponds to at least one event type, and the alarm level to which the alarm event belongs can be determined according to the event type to which the alarm event belongs. For example, 10 alarm levels are divided, the greater the level value corresponding to the alarm level, the higher the severity of the alarm event belonging to the alarm level, and the smaller the level value corresponding to the alarm level, the lower the severity of the alarm event belonging to the alarm level.

In another possible implementation manner, the computer device detects a candidate alarm event associated with the account within a preset time period, where the preset time period is a time period within a preset duration before the current time point. The computer device determines a current event state of any one of the detected candidate alarm events, the event state including a processed state and an unprocessed state, and determines an alarm event in the unprocessed state among the detected candidate alarm events.

Wherein the alarm event comprises an alarm event in a processed state and an alarm event in an unprocessed state. The alarm event in the processed state refers to that corresponding measures are taken for the alarm event to reduce the possibility that the account is threatened by the alarm event, for example, if the alarm event is that the account is logged in by an emergency device, the possibility that the account is threatened by the emergency device can be reduced by prohibiting the emergency device from logging in the account, and thus the alarm event is processed. An alarm event in an unprocessed state means that no corresponding measure has been taken with respect to the alarm event, i.e. the account is still likely to be threatened by the alarm event.

In the embodiment of the application, considering that the account is no longer threatened by the alarm event under the condition that the alarm event is processed, the risk degree of the account is no longer influenced by the alarm event, so that only the alarm event which is not processed is considered when the alarm event is determined, and the processed alarm event is not considered, which is beneficial to ensuring the accuracy of the risk detection result determined based on the alarm event subsequently.

302. The computer equipment carries out parameter conversion on the alarm grade to which the alarm event belongs according to the alarm parameter conversion rule to obtain the alarm parameter, wherein the alarm parameter represents the severity of the alarm event, and the alarm parameter conversion rule indicates that the alarm parameter is positively correlated with the alarm grade.

The higher the alert level, the higher the severity of the alert event, and the lower the alert level, the lower the severity of the alert event. The alarm parameter represents the severity of the alarm event, the higher the alarm parameter corresponding to the account is, the higher the possibility that the account is attacked is, and the lower the alarm parameter corresponding to the account is, the lower the possibility that the account is attacked is. Because the alarm parameter conversion rule indicates that the alarm parameter is in positive correlation with the alarm level, after parameter conversion is carried out according to the alarm parameter conversion rule, the higher the alarm level is, the larger the alarm parameter is, the lower the alarm level is, and the smaller the alarm parameter is.

In a possible implementation manner, the number of the alarm events is multiple, the computer device presets multiple alarm levels, each alarm level corresponds to at least one event type, and the computer device determines the alarm level corresponding to the event type to which the alarm event belongs as the alarm level to which the alarm event belongs. For each alarm level, the computer equipment performs parameter conversion on the level numerical value of the alarm level and the quantity of the alarm events belonging to the alarm level according to an alarm parameter conversion rule to obtain a first influence parameter of the alarm level, wherein the alarm parameter conversion rule indicates that the first influence parameter is in positive correlation with the level numerical value and the quantity, and the first influence parameter represents the influence degree of the alarm events belonging to the alarm level. And the computer equipment performs parameter conversion on the sum of the first influence parameters of the multiple alarm levels according to an alarm parameter conversion rule to obtain an alarm parameter, wherein the alarm parameter conversion rule indicates that the alarm parameter is positively correlated with the sum of the influence parameters of the multiple alarm levels.

For each alarm level, the degree of impact of at least one alarm event belonging to the alarm level is related to two factors, one being a level value of the alarm level, which level value is capable of indicating the severity of the alarm level, and the other being the number of alarm events belonging to the alarm level. Therefore, the alarm parameter conversion rule indicates that the first influence parameter of the alarm level is determined according to the level value of the alarm level and the number of the alarm events belonging to the alarm level, and the alarm parameter is positively correlated with the sum of the influence parameters of various alarm levels. That is, the larger the level value of the alarm level is, the larger the first influence parameter is, and the smaller the level value of the alarm level is, the smaller the first influence parameter is. The larger the number of alarm events belonging to an alarm level, the larger the first impact parameter, the smaller the number of alarm events belonging to an alarm level, the smaller the first impact parameter.

After the computer equipment determines the first influence parameter of each alarm level, the influence of the severity of the alarm parameter on various alarm levels is considered, so that the alarm parameter conversion rule indicates that the alarm parameter is determined according to the sum of the first influence parameters of the various alarm levels, and the alarm parameter is positively correlated with the sum of the influence parameters of the various alarm levels. That is, the larger the sum of the first impact parameters of the multiple alarm levels is, the larger the alarm parameter is, the smaller the sum of the first impact parameters of the multiple alarm levels is, and the smaller the alarm parameter is.

In the embodiment of the application, the alarm events are classified, and the alarm parameters are determined according to the alarm levels and the number of the alarm events belonging to each alarm level, so that the possibility of the account being attacked is evaluated, and the precision and the accuracy of the alarm parameters are improved.

In one possible implementation, for each alarm level, the computer device determines a risk index impact cardinality for the alarm level, the risk index impact cardinality being based on a first target value and indexed by the level value for the alarm level. And the computer equipment determines an alarm frequency influence coefficient of the alarm level, wherein the alarm frequency influence coefficient is obtained by calculating a target number by adopting an arc tangent trigonometric function, and the target number refers to the number of the alarm events belonging to the alarm level. And the computer equipment multiplies the adjusting coefficient, the risk index influence base number and the alarm frequency influence coefficient to obtain a first influence parameter of the alarm level. The computer equipment determines the sum of first influence parameters of various alarm levels, and determines the logarithm of a second target value taking the sum of the first influence parameters as a base number as an alarm parameter. In the embodiment of the application, the alarm parameters are determined by adopting the mode, so that the alarm parameters are larger when the alarm level is higher and the number of alarm events is larger, the possibility that the account is attacked can be accurately evaluated, and the precision and the accuracy of the alarm parameters are improved.

Optionally, the alarm levels are divided into 8 levels, and the number of alarm events belonging to these 8 alarm levels is n1, n2, n3, n4, n5, n6, n7 and n8, respectively. The computer device determines the alarm parameters using the following formula.

Wherein t represents an alarm parameter, i represents a level numerical value of an alarm level, i is a positive integer, and ni represents the number of alarm events belonging to the alarm level of i.

As an alarm frequency influence coefficient, 2 ⁱ Cardinality is affected for risk indices. The value range of the alarm parameter obtained by the formula is (0, 10)]The minimum particle size is 0.01.

In one possible implementation, the computer device determines a level value of an alarm level to which the alarm event belongs as the alarm parameter. Or, in the case that the number of the alarm events is multiple, the computer device determines an average value of the level values of the alarm levels to which the multiple alarm events belong as the alarm parameter.

Based on the above possible implementation manners, it can be known that the alarm parameters corresponding to the account are determined by the alarm event, the alarm parameters corresponding to the account can be reduced by processing the alarm event associated with the account, and the alarm event with higher severity has a greater influence on the alarm parameters corresponding to the account.

In addition, it should be noted that, in the embodiment of the present application, only an example that an alarm event associated with an account is detected is described, and when an alarm event associated with an account is not detected, the computer device determines an alarm parameter corresponding to the account as a preset character, where the preset character indicates that an alarm event associated with an account is not detected, and for example, the preset character is N/a. The method comprises the steps that the possibility that the account is threatened by an alarm event is 0 under the condition that the alarm parameter corresponding to the account is 0, and the fact that whether the account is threatened by the alarm event is uncertain under the condition that the alarm parameter corresponding to the account is N/A.

303. The computer device detects a fragile event associated with the account, wherein the fragile event refers to an event with potential safety hazard in a login environment of the account.

In the embodiment of the present application, a fragile event associated with an account refers to an event that a potential safety hazard exists in a login environment of the account, where the login environment of the account refers to a host of the account, for example, a terminal, a server, or a client of the login account. The potential safety hazard existing in the login environment means that the login environment is not met with safety requirements, and the operation environment of the account is fragile, so that the account is possibly attacked. For example, the potential safety hazard of the login environment includes that viruses exist in the login environment, unrepaired bugs exist in the login environment, and verification information is not configured according to the specification in the login environment.

In one possible implementation, a computer device is deployed with a device management system for detecting a fragile event associated with an account. The equipment management system can acquire an operation log of a login environment of the account, the operation log records the operation condition of the login environment, and the equipment management system detects the operation log of the login environment to determine a fragile event associated with the account.

In a possible implementation manner, the operation logs of the login environment include an equipment operation log and a client operation log, the equipment operation log is an operation log of equipment of the login account, the equipment may be a terminal or a server, and the client operation log is an operation log of a client of the login account. The method comprises the steps that computer equipment determines an event with potential safety hazard in equipment logging in an account in an equipment running log associated with the account; or determining an event with potential safety hazard in a client for logging in the account in a client running log associated with the account.

In the embodiment of the application, the operation log in the login environment of the account is collected, and based on the operation log, the fragile event associated with the account is detected, so that the factors considered in risk detection of the account are enriched, sufficient data support is provided for the risk detection, and the accuracy of the risk detection of the account is improved.

In one possible implementation, the computer device detects a candidate fragile event associated with the account within a preset time period, where the preset time period is a time period within a preset duration before the current time point. The computer device determines the current event state of any of the detected candidate fragile events, the event states including a processed state and an unprocessed state, and determines the fragile event in the unprocessed state among the detected candidate fragile events.

Wherein the fragile events comprise a fragile event in a processed state and a fragile event in an unprocessed state. The vulnerable event in the processed state refers to that measures are taken for the vulnerable event to reduce the possibility that the account is threatened by the vulnerable event, for example, if the vulnerable event is a login environment with a bug, the vulnerability of the account can be reduced by repairing the bug, so that the vulnerable event is processed. A vulnerable event in an unprocessed state refers to a situation where no corresponding measures have been taken with respect to the vulnerable event, i.e. the account is still at risk for being threatened by the vulnerable event.

In the embodiment of the application, in consideration that the account is no longer threatened by the fragile event when the fragile event is processed, the risk degree of the account is no longer influenced by the fragile event, so that only the unprocessed fragile event is considered when the fragile event is determined, and the processed fragile event is not considered, which is beneficial to ensuring the accuracy of the risk detection result determined based on the fragile event subsequently.

304. And the computer equipment performs parameter conversion on the vulnerability grade to which the vulnerability event belongs according to a vulnerability parameter conversion rule to obtain a vulnerability parameter, wherein the vulnerability parameter represents the severity of the vulnerability event, and the vulnerability parameter conversion rule indicates that the vulnerability parameter is positively correlated with the vulnerability grade.

Wherein the higher the vulnerability rating, the higher the severity of the vulnerability event, and the lower the vulnerability rating, the lower the severity of the vulnerability event. The vulnerability parameter represents the severity of the vulnerability event, the higher the vulnerability parameter corresponding to the account, the higher the possibility that the account is attacked, and the lower the vulnerability parameter corresponding to the account, the lower the possibility that the account is attacked. Since the vulnerability parameter transformation rule indicates that the vulnerability parameter is in positive correlation with the vulnerability level, after the parameter transformation is performed according to the vulnerability parameter transformation rule, the higher the vulnerability level is, the larger the vulnerability parameter is, and the lower the vulnerability level is, the smaller the vulnerability parameter is.

In one possible implementation manner, the number of the fragile events is multiple, the computer device is preset with multiple fragile levels, each fragile level corresponds to at least one event type, and the computer device determines the fragile level corresponding to the event type to which the fragile event belongs as the fragile level to which the fragile event belongs. The computer equipment carries out parameter conversion on grade values of the vulnerability grades to which the vulnerability events belong according to a vulnerability parameter conversion rule to obtain second influence parameters of the vulnerability events, wherein the vulnerability parameter conversion rule indicates that the second influence parameters are positively correlated with the grade values, and the second influence parameters represent the influence degree of the vulnerability events. And the computer equipment performs parameter conversion on the second influence parameters of the plurality of fragile events according to a fragile parameter conversion rule to obtain the fragile parameters, wherein the fragile parameter conversion rule indicates that the fragile parameters are positively correlated with the second influence parameters.

Wherein, the influence degree of each fragile event is related to the grade value of the fragile grade to which the fragile event belongs, and the grade value can indicate the severity degree of the fragile grade. Therefore, the fragile parameter conversion rule indicates that the second influence parameters of the plurality of fragile events are respectively determined based on the grade values of the fragile grades to which the plurality of fragile events belong. After determining the second impact parameter of each fragile event, the fragile parameter translation rule further indicates that the fragile parameter is determined based on the second impact parameter of the plurality of fragile events, considering that the fragile parameter is affected by the severity of the plurality of fragile events, and that the fragile parameter is positively correlated with the second impact parameter. I.e. the larger the second influencing parameter is, the larger the vulnerability parameter is, and the smaller the second influencing parameter is, the smaller the vulnerability parameter is.

In the embodiment of the application, the fragile events are graded, and the fragile parameters are determined according to the fragile grade so as to evaluate the possibility that the account is attacked, so that the precision and accuracy of the fragile parameters are improved.

Optionally, the computer device determines the vulnerability parameter based on a second impact parameter of the plurality of vulnerability events, including: the computer device determines a target fragile event and a non-target fragile event in the plurality of fragile events, wherein the target fragile event is the fragile event with the smallest sequence number, the non-target fragile event is the fragile event except the target fragile event, and the sequence number is obtained by arranging the plurality of fragile events according to the second influence parameter from big to small. And for each non-target fragile event, performing parameter conversion on the second influence parameter and the sequence number of the non-target fragile event according to a fragile parameter conversion rule to obtain a third influence parameter, wherein the fragile parameter conversion rule indicates that the third influence parameter is positively correlated with the second influence parameter and negatively correlated with the third influence parameter. And the computer equipment performs parameter conversion on the second influence parameter of the target fragile event and the third influence parameter of each non-target fragile event according to a fragile parameter conversion rule to obtain a fragile parameter, wherein the fragile parameter conversion rule indicates that the fragile parameter is positively correlated with the second influence parameter and the third influence parameter.

In the embodiment of the present application, the target fragile event is also the fragile event with the greatest severity, so when determining the fragile parameters based on the target fragile event, the second influence parameter of the target fragile event is directly considered, and the ordering of the target fragile event is not considered. For non-target fragile events, since the severity of the non-target fragile events is relatively small, when determining the fragile parameters based on the non-target fragile events, the computer device determines a third influence parameter based on the second influence parameter and the sequence number of the non-target fragile events, which is equivalent to weighting the second influence parameter of the non-target fragile events by using the sequence numbers of the non-target fragile events, so as to obtain the third influence parameter, and then determines the fragile parameters based on the weighted third influence parameter.

In one possible implementation, for non-target fragile events, the computer device determines a convergence coefficient that is the inverse of a value based on e and exponential with the sequence number of the sequence non-target fragile events. The computer device determines an influence base equal to a ratio of the second influence coefficient to the target value. The computer device determines an adjustment parameter that is a base number based on the number of fragile events and a logarithmic number of influencing bases. The computer device determines a product of the second influence parameter, the convergence coefficient and the adjustment parameter as a third influence parameter. The computer device determines a sum of the second impact parameter of the target fragile event and the third impact parameter of each non-target fragile event as the fragile parameter. In the embodiment of the application, the fragile parameters are determined by adopting the above mode, so that the higher the fragile grade is, the larger the number of fragile events is, the larger the fragile parameters are, the possibility that the account is attacked can be accurately evaluated, and the precision and the accuracy of the fragile parameters are improved.

Optionally, the vulnerability level is divided into 8 levels, the number of the vulnerability events is n, n is a positive integer, and the second influence parameters of the n vulnerability events are arranged from large to small and then are a1, a2, a3 \8230 \ 8230and an.

The computer device determines the vulnerability parameter using the following formula.

Where v denotes the vulnerability parameter, i denotes the sequence number of the vulnerability event, ai denotes the second influence parameter of the vulnerability event with sequence number i, for example, a1 denotes the second influence parameter of the vulnerability event with sequence number 1, that is, the second influence parameter of the target vulnerability event.

The convergence factor is represented, ai/the influence floor. The value range of the fragile parameter obtained by the formula is (0,10)]The minimum particle size is 0.01.e denotes a natural constant.

In one possible implementation, the computer device determines a level value of a vulnerability level to which the vulnerability event belongs as the vulnerability parameter. Alternatively, in a case where the number of the fragile events is plural, the computer device determines an average value of the grade values of the fragile grades to which the plural fragile events belong as the fragile parameter.

Based on the above possible implementation manners, the vulnerability parameters corresponding to the account are determined by the vulnerability event, the vulnerability parameters corresponding to the account can be reduced by processing the vulnerability event associated with the account, and the vulnerability parameters corresponding to the account are more affected by the vulnerability event with higher severity.

In addition, in the embodiment of the application, only the detection of the fragile event associated with the account is taken as an example for description, and in a case that the fragile event associated with the account is not detected, the computer device determines the fragile parameter corresponding to the account as a preset character, where the preset character indicates that the fragile event associated with the account is not detected, and for example, the preset character is N/a. When the vulnerability parameter corresponding to the account is 0, the possibility that the account is threatened by the vulnerability event is 0, and when the vulnerability parameter corresponding to the account is N/A, the possibility that whether the account is threatened by the vulnerability event is uncertain.

305. The method comprises the steps that the computer equipment obtains value information of an account, the value information represents the value of the account, the value information comprises authority information and real-name information, the authority information represents authority of the account, and the real-name information refers to information related to a user and bound to the account.

In the embodiment of the application, the value of the account is measured by the authority information or real name information of the account, and the value of the account refers to the importance degree of the account.

In one possible implementation, the computer device is deployed with an information system for collecting information related to an account, such as authority information, real name information, and the like, and the information system may be a B/S (Browser/Server) system or a C/S (Client/Server) system or the like that owns the account.

306. And the computer equipment performs parameter conversion on the value information according to a value parameter conversion rule to obtain a value parameter, wherein the value parameter represents the importance degree of the account.

The larger the value parameter of the account, the greater the importance of the account, and the smaller the value parameter of the account, the smaller the importance of the account.

In a possible implementation manner, the computer device performs parameter conversion on a first number indicated by the permission information according to a value parameter conversion rule to obtain permission parameters, the value parameter conversion rule indicates that the permission parameters are positively correlated with the first number, and the first number represents the number of permissions of the account. And performing parameter conversion on the second number indicated by the real-name information according to a value parameter conversion rule to obtain the real-name parameter, wherein the value parameter conversion rule indicates that the real-name parameter is positively correlated with the second number, the second number indicates the number of real-name items of the account, and one real-name item indicates information which is bound by the account and is related to the user. And performing parameter conversion on the authority parameters and the real-name parameters according to a value parameter conversion rule to obtain value parameters, wherein the value parameter conversion rule indicates that the value parameters are in positive correlation with the authority parameters and the real-name parameters.

The more the number of the permissions of the account is, the more important the account is, the larger the permission parameter is. The less the number of permissions an account has, the less important the account is, the smaller the permission parameters are. For example, the authority of the account includes three authorities, namely a system management authority, a security confidentiality authority and a security audit authority, if the account has 1 kind of authority, the authority parameter of the account is set to 1, if the account has only 2 kinds of authority, the authority parameter of the account is set to 3, and if the account has only 3 kinds of authority, the authority parameter of the account is set to 10.

The number of real-name items of the account number is larger, the account number is more complete, and the real-name parameter is larger. The less the number of real-name items the account has, the more incomplete the account is, the smaller the real-name parameter is. For example, the real name case of the account is divided into an unreal name, a semi-real name, and a real name. The non-real name means that the account only completes registration and only has virtual information such as a user name and the like which cannot lock the user identity. The semi-real name refers to information with obvious characteristics such as a bound contact way of an account and a mailbox address. The real name means that the account number has already passed through the real name, and the ways of the real name include multiple ways, such as binding the real name and the identification number of the user. If the account is in the non-real name state, the real name parameter of the account is set to 1, and if the account is in the semi-real name state, the real name parameter of the account is set to 3. If the account is in the real name state, the real name parameter of the account is set to 10.

The computer device determines a value parameter based on the permission parameter and the real name parameter. The larger the authority parameter is, the larger the value parameter is, and the smaller the authority parameter is, the smaller the value parameter is. The larger the real name parameter is, the larger the value parameter is, and the smaller the real name parameter is, the smaller the value parameter is.

In one possible implementation manner, the computer device determines a sum of the authority parameter and the real name parameter of the account, and rounds a ratio of the sum to 2 to obtain a value parameter of the account. By adopting the method to determine the value parameters, the value parameters of the account are higher as the authority of the account is more and the real name items are more, and the value parameters of the account can be restricted to specific values, so that the method is convenient for subsequent processing and reduces the calculation amount.

Optionally, the computer device determines a value parameter of the account using the following formula.

Value＝round((e ^impot +e ^Integrity )/2)

Wherein e is ^impot Presentation accountThe authority parameter of the number, for example, the value of the authority parameter is 1, 3 or 10. e.g. of a cylinder ^Integrity The real-name parameter representing the account number, for example, the value of the real-name parameter is 1, 3, or 10.Value represents a Value parameter, for example, the Value of the Value parameter is an integer between 1 and 10.

307. And the computer equipment performs parameter conversion on the alarm parameter, the fragile parameter and the value parameter according to a risk parameter conversion rule to obtain a risk parameter, wherein the risk parameter is a risk detection result, and the risk parameter conversion rule indicates that the risk parameter is positively correlated with the alarm parameter, the fragile parameter and the value parameter.

After determining the alarm parameters, the fragile parameters and the value parameters, the computer equipment performs parameter conversion on the alarm parameters, the fragile parameters and the value parameters according to a risk parameter conversion rule to obtain risk parameters, wherein the risk parameters are risk detection results. The risk parameter is a measure of the degree of risk faced by the account based on the alarm events, the fragile events associated with the account, and the value information of the account. The larger the risk parameter is, the higher the risk degree of the account is, and the smaller the risk parameter is, the lower the risk degree of the account is. The smaller the alarm parameter, the weaker parameter and the value parameter are, the smaller the risk parameter is, and the larger the alarm parameter, the weaker parameter and the value parameter are, the larger the risk parameter is.

In a possible implementation manner, the computer device performs parameter conversion on the alarm parameter and the fragile parameter according to a risk parameter conversion rule to obtain a first risk parameter, where the first risk parameter indicates the possibility of the account being attacked, and the computer device performs parameter conversion on the fragile parameter and the value parameter according to the risk parameter conversion rule to obtain a second risk parameter, where the second risk parameter indicates the severity of the loss after the account being attacked. And the computer equipment performs parameter conversion on the first risk parameter and the second risk parameter according to the risk parameter conversion rule to obtain the risk parameter of the account.

Optionally, the computer device determines the first risk parameter using the formula:

wherein P denotes a first risk parameter, T denotes an alarm parameter, and V denotes a vulnerability parameter. T and V are integers between 0 and 10, and P is (0, 10)]The accuracy was 0.01.

Optionally, the computer device determines the second risk parameter using the formula:

wherein L represents a second risk parameter, V represents a vulnerability parameter, and Value represents a Value parameter. Value and V are integers ranging from 0 to 10, and L is (0, 10)]The accuracy was 0.01.

In one possible implementation, the computer device, upon determining at least one of the alarm parameter, the vulnerability parameter, or the value parameter, determines the risk parameter in the following manner.

(1) Under the condition that the computer equipment obtains the alarm parameters, the fragile parameters and the value parameters, the computer equipment prescribes the product of the alarm parameters and the value parameters to obtain a first numerical value, prescribes the product of the fragile parameters and the value parameters to obtain a second numerical value, and determines the product of the first numerical value and the second numerical value as the risk parameters. Optionally, the computer device determines the risk parameter using the following formula.

Wherein, R represents a risk parameter, T represents an alarm parameter, V represents a fragile parameter, and Value represents a Value parameter.

(2) And under the condition that the computer equipment only acquires the fragile parameter and the value parameter and does not acquire the alarm parameter, determining the product of the fragile parameter and the value parameter as a risk parameter by the computer equipment. Optionally, the computer device determines the risk parameter using the following formula.

R＝V*Value

Wherein, R represents a risk parameter, represents a vulnerability parameter, and Value represents a Value parameter.

(3) And under the condition that the computer equipment only acquires the alarm parameters and the value parameters and does not acquire the fragile parameters, the computer equipment determines the product of the alarm parameters and the value parameters as risk parameters. Optionally, the computer device determines the risk parameter using the following formula.

R＝T*Value

Wherein, R represents a risk parameter, an alarm parameter and Value represents a Value parameter.

(4) And under the condition that the computer equipment does not acquire the alarm parameters and the fragile parameters, the computer equipment determines the risk parameters as preset characters, for example, the preset characters are N/A. When the risk parameter corresponding to the account is 0, it indicates that the account is not exposed to the risk, and when the risk parameter corresponding to the account is N/a, it indicates that the risk degree of the account is uncertain.

Fig. 4 is a flowchart of another account risk detection method provided in the embodiment of the present application, and as shown in fig. 4, the method includes the following steps.

Step 1, acquiring an alarm event from a wind control system, and calculating alarm parameters according to the alarm event. And storing the alarm parameters under the condition of successful calculation, and recording failure information under the condition of unsuccessful calculation. The wind control system is used for detecting alarm events, the computer equipment determines the alarm events related to the account number in the alarm events detected by the wind control system, and performs parameter conversion on the alarm level of the alarm events according to an alarm parameter conversion rule to obtain alarm parameters. Alternatively, in the event that an alarm event associated with the account is not detected, the alarm parameter calculation is determined to be unsuccessful in this case directly due to the lack of data support required to calculate the alarm parameter.

And 2, acquiring the fragile event from the equipment management system, and calculating the fragile parameter according to the fragile event. The fragile parameters are stored in case of successful calculation and failure information is recorded in case of unsuccessful calculation. The device management system is used for detecting fragile events, the computer device determines the fragile events related to the account number in the fragile events detected by the device management system, and performs parameter conversion on the fragile grades of the fragile events according to a fragile parameter conversion rule to obtain fragile parameters. Alternatively, in the event that a fragile event associated with the account is not detected, the fragile parameter calculation is determined to be unsuccessful in this case directly due to lack of data support required to calculate the fragile parameter.

And 3, acquiring the value information from the information system, and calculating the value parameters according to the value information. The value parameter is stored in case of successful calculation and failure information is recorded in case of unsuccessful calculation. The information system is used for collecting value information of the account, the computer equipment obtains the value information of the account in the equipment management system, and parameter conversion is carried out on the value information according to a value parameter conversion rule to obtain a value parameter. Alternatively, in the case where the value information of the account is not acquired, it is directly determined that the value parameter calculation is unsuccessful in this case due to lack of data support required for calculating the value parameter.

And 4, calculating risk parameters according to the alarm parameters, the fragile parameters and the value parameters. And the computer equipment performs parameter conversion on the alarm parameter, the fragile parameter and the value parameter according to a risk parameter conversion rule to obtain a risk parameter.

In the embodiment of the application, the login behavior, the login environment and the value information of the account are analyzed through complex data acquisition, so that risk detection is performed on the account.

Fig. 5 is a schematic structural diagram of an account risk detection apparatus according to an embodiment of the present application. Referring to fig. 5, the apparatus includes:

an alarm event detection module 501, configured to detect an alarm event associated with an account, where the alarm event is an event that a login behavior of the account is abnormal;

a fragile event detection module 502, configured to detect a fragile event associated with the account, where the fragile event is an event that a potential safety hazard exists in a login environment of the account;

an information obtaining module 503, configured to obtain value information of the account, where the value information indicates a value of the account, the value information includes at least one of authority information or real-name information, the authority information indicates authority that the account has, and the real-name information indicates information related to a user that is bound to the account;

the risk detection module 504 is configured to determine a risk detection result of the account by evaluating the severity of the alarm event, the severity of the fragile event, and the importance of the value information, where the risk detection result indicates a risk level of the account.

The account risk detection device provided by the embodiment of the application, whether the detection account faces risks or not, the login behavior of the account, the login environment of the account and the value information of the account are comprehensively considered, systematic analysis is carried out by combining the information from three angles, influence factors considered when the risk detection is carried out on the account are enriched, the value of the account is evaluated according to the authority and the real-name condition of the account, the information covered by the account risk detection is more comprehensive, and the accuracy of the risk detection carried out on the account is improved.

Optionally, referring to fig. 6, the risk detection module 504 includes:

an alarm parameter determining unit 514, configured to perform parameter conversion on the alarm level to which the alarm event belongs according to an alarm parameter conversion rule, to obtain an alarm parameter, where the alarm parameter indicates a severity of the alarm event, and the alarm parameter conversion rule indicates that the alarm parameter is positively correlated with the alarm level;

a vulnerability parameter determination unit 524, configured to perform parameter transformation on a vulnerability class to which the vulnerability event belongs according to a vulnerability parameter transformation rule, so as to obtain a vulnerability parameter, where the vulnerability parameter indicates a severity of the vulnerability event, and the vulnerability parameter transformation rule indicates that the vulnerability parameter is positively correlated with the vulnerability class;

a value parameter determining unit 534, configured to perform parameter conversion on the value information according to a value parameter conversion rule to obtain a value parameter, where the value parameter indicates an importance degree of the account;

a risk parameter determining unit 544, configured to perform parameter conversion on the alarm parameter, the vulnerability parameter, and the value parameter according to a risk parameter conversion rule, so as to obtain a risk parameter, where the risk parameter is the risk detection result, and the risk parameter conversion rule indicates that the risk parameter is positively correlated with the alarm parameter, the vulnerability parameter, and the value parameter.

Optionally, referring to fig. 6, the number of the alarm events is multiple, and the alarm parameter determining unit 514 is configured to:

determining the alarm level corresponding to the event type of the alarm event as the alarm level of the alarm event, wherein each alarm level corresponds to at least one event type;

Optionally, referring to fig. 6, the number of the fragile events is plural, and the fragile parameter determination unit 524 is configured to:

determining the vulnerability grade corresponding to the event type to which the vulnerability event belongs as the vulnerability grade to which the vulnerability event belongs, wherein each vulnerability grade corresponds to at least one event type;

performing parameter conversion on grade values of the grade of vulnerability to which the plurality of vulnerability events belong according to the vulnerability parameter conversion rule to obtain second influence parameters of the plurality of vulnerability events, wherein the vulnerability parameter conversion rule indicates that the second influence parameters are positively correlated with the grade values, and the second influence parameters represent the influence degree of the vulnerability events;

and performing parameter conversion on second influence parameters of the plurality of fragile events according to the fragile parameter conversion rule to obtain the fragile parameters, wherein the fragile parameter conversion rule indicates that the fragile parameters are positively correlated with the second influence parameters.

Optionally, referring to fig. 6, the vulnerability parameter determination unit 524 is configured to:

determining a target fragile event and a non-target fragile event in the plurality of fragile events, wherein the target fragile event is the fragile event with the smallest sequence number, the non-target fragile event is the fragile event except the target fragile event, and the sequence number is obtained by arranging the plurality of fragile events according to the second influence parameter from large to small;

Alternatively, referring to fig. 6, the value information includes the authority information and the real name information; the value parameter determination unit 534 is configured to:

performing parameter conversion on the first quantity indicated by the authority information according to the value parameter conversion rule to obtain an authority parameter, wherein the value parameter conversion rule indicates that the authority parameter is positively correlated with the first quantity, and the first quantity represents the quantity of the authority of the account;

performing parameter conversion on a second number indicated by the real name information according to the value parameter conversion rule to obtain a real name parameter, wherein the value parameter conversion rule indicates that the real name parameter is positively correlated with the second number, the second number indicates the number of real name items of the account, and one real name item indicates information related to a user and bound to the account;

and performing parameter conversion on the authority parameter and the real-name parameter according to the value parameter conversion rule to obtain the value parameter, wherein the value parameter conversion rule indicates that the value parameter is positively correlated with the authority parameter and the real-name parameter.

Optionally, referring to fig. 6, the fragile event detection module 502 is configured to:

determining an event with potential safety hazard in equipment logging in the account in an equipment operation log associated with the account, wherein the equipment operation log is an operation log of the equipment logging in the account; alternatively, the first and second electrodes may be,

and determining an event with potential safety hazard in a client which logs in the account in a client running log associated with the account, wherein the client running log is a running log of the client which logs in the account.

Optionally, referring to fig. 6, the alarm event detecting module 501 is configured to:

determining the current event state of any detected candidate alarm event, wherein the event state comprises a processed state and an unprocessed state;

among the detected candidate alarm events, an alarm event in the unprocessed state is determined.

among the detected candidate fragile events, the fragile event in the unprocessed state is determined.

It should be noted that: the account risk detection apparatus provided in the above embodiment is only illustrated by dividing the functional modules, and in practical applications, the functions may be allocated to different functional modules according to needs, that is, the internal structure of the computer device is divided into different functional modules to complete all or part of the functions described above. In addition, the account risk detection apparatus and the account risk detection method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.

The embodiment of the present application further provides a computer device, where the computer device includes a processor and a memory, where the memory stores at least one computer program, and the at least one computer program is loaded and executed by the processor, so as to implement the operations executed in the account risk detection method according to the foregoing embodiment.

Optionally, the computer device is provided as a terminal. Fig. 7 illustrates a schematic structural diagram of a terminal 700 according to an exemplary embodiment of the present application.

The terminal 700 includes: a processor 701 and a memory 702.

The processor 701 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and so on. The processor 701 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 701 may also include a main processor and a coprocessor, where the main processor is a processor for Processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 701 may be integrated with a GPU (Graphics Processing Unit, image Processing interactor) which is responsible for rendering and drawing the content required to be displayed by the display screen. In some embodiments, the processor 701 may further include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.

Memory 702 may include one or more computer-readable storage media, which may be non-transitory. Memory 702 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in the memory 702 is used to store at least one computer program for being executed by the processor 701 to implement the account risk detection method provided by the method embodiments of the present application.

In some embodiments, the terminal 700 may further optionally include: a peripheral interface 703 and at least one peripheral. The processor 701, the memory 702, and the peripheral interface 703 may be connected by buses or signal lines. Various peripheral devices may be connected to the peripheral interface 703 via a bus, signal line, or circuit board. Optionally, the peripheral device comprises: at least one of radio frequency circuitry 704, display screen 705, camera assembly 706, and audio circuitry 707.

The peripheral interface 703 may be used to connect at least one peripheral related to I/O (Input/Output) to the processor 701 and the memory 702. In some embodiments, processor 701, memory 702, and peripheral interface 703 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 701, the memory 702, and the peripheral interface 703 may be implemented on a separate chip or circuit board, which is not limited in this embodiment.

The Radio Frequency circuit 704 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuitry 704 communicates with a communication network and other communication devices via electromagnetic signals. The rf circuit 704 converts an electrical signal into an electromagnetic signal to transmit, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 704 comprises: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuitry 704 may communicate with other devices via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: metropolitan area networks, various generation mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 704 may further include NFC (Near Field Communication) related circuits, which are not limited in this application.

The display screen 705 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display screen 705 is a touch display screen, the display screen 705 also has the ability to capture touch signals on or over the surface of the display screen 705. The touch signal may be input to the processor 701 as a control signal for processing. At this point, the display 705 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, the display 705 may be one, disposed on a front panel of the terminal 700; in other embodiments, the display 705 can be at least two, respectively disposed on different surfaces of the terminal 700 or in a foldable design; in other embodiments, the display 705 may be a flexible display disposed on a curved surface or on a folded surface of the terminal 700. Even more, the display 705 may be arranged in a non-rectangular irregular pattern, i.e. a shaped screen. The Display 705 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), or other materials.

The camera assembly 706 is used to capture images or video. Optionally, camera assembly 706 includes a front camera and a rear camera. The front camera is disposed at a front panel of the terminal 700, and the rear camera is disposed at a rear surface of the terminal 700. In some embodiments, the number of the rear cameras is at least two, and each rear camera is any one of a main camera, a depth-of-field camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth-of-field camera are fused to realize a background blurring function, the main camera and the wide-angle camera are fused to realize panoramic shooting and a VR (Virtual Reality) shooting function or other fusion shooting functions. In some embodiments, camera assembly 706 may also include a flash. The flash lamp can be a single-color temperature flash lamp or a double-color temperature flash lamp. The double-color-temperature flash lamp is a combination of a warm-light flash lamp and a cold-light flash lamp, and can be used for light compensation at different color temperatures.

The audio circuitry 707 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 701 for processing or inputting the electric signals to the radio frequency circuit 704 to realize voice communication. For the purpose of stereo sound collection or noise reduction, a plurality of microphones may be provided at different portions of the terminal 700. The microphone may also be an array microphone or an omni-directional pick-up microphone. The speaker is used to convert electrical signals from the processor 701 or the radio frequency circuit 704 into sound waves. The loudspeaker can be a traditional film loudspeaker or a piezoelectric ceramic loudspeaker. When the speaker is a piezoelectric ceramic speaker, the speaker can be used for purposes such as converting an electric signal into a sound wave audible to a human being, or converting an electric signal into a sound wave inaudible to a human being to measure a distance. In some embodiments, the audio circuitry 707 may also include a headphone jack.

Those skilled in the art will appreciate that the configuration shown in fig. 7 is not limiting of terminal 700 and may include more or fewer components than shown, or some components may be combined, or a different arrangement of components may be used.

Optionally, the computer device is provided as a server. Fig. 8 is a schematic structural diagram of a server according to an embodiment of the present application, where the server 800 may generate a relatively large difference due to different configurations or performances, and may include one or more processors (CPUs) 801 and one or more memories 802, where the memory 802 stores at least one computer program, and the at least one computer program is loaded and executed by the processors 801 to implement the methods provided by the method embodiments. Of course, the server may also have components such as a wired or wireless network interface, a keyboard, and an input/output interface, so as to perform input/output, and the server may also include other components for implementing the functions of the device, which are not described herein again.

The embodiment of the present application further provides a computer-readable storage medium, where at least one computer program is stored in the computer-readable storage medium, and the at least one computer program is loaded and executed by a processor, so as to implement the operations performed by the account risk detection method in the foregoing embodiment.

The embodiment of the present application further provides a computer program product, which includes a computer program, and the computer program is loaded and executed by a processor to implement the operations performed by the account risk detection method according to the above embodiment. In some embodiments, the computer program according to the embodiments of the present application may be deployed to be executed on one computer device or on multiple computer devices located at one site, or may be executed on multiple computer devices distributed at multiple sites and interconnected by a communication network, and the multiple computer devices distributed at the multiple sites and interconnected by the communication network may constitute a block chain system.

It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.

The above description is only an alternative embodiment of the present application and should not be construed as limiting the present application, and any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims

1. An account risk detection method is characterized by comprising the following steps:

obtaining value information of the account, wherein the value information represents the value of the account, the value information comprises at least one of authority information or real-name information, the authority information represents authority of the account, and the real-name information is information related to a user and bound to the account;

2. The method of claim 1, wherein determining the risk detection result of the account by evaluating the severity of the alarm event, the severity of the fragile event, and the importance of the value information comprises:

performing parameter conversion on an alarm level to which the alarm event belongs according to an alarm parameter conversion rule to obtain an alarm parameter, wherein the alarm parameter represents the severity of the alarm event, and the alarm parameter conversion rule indicates that the alarm parameter is positively correlated with the alarm level;

performing parameter conversion on a vulnerability grade to which the vulnerability event belongs according to a vulnerability parameter conversion rule to obtain a vulnerability parameter, wherein the vulnerability parameter represents the severity of the vulnerability event, and the vulnerability parameter conversion rule indicates that the vulnerability parameter is positively correlated with the vulnerability grade;

performing parameter conversion on the value information according to a value parameter conversion rule to obtain a value parameter, wherein the value parameter represents the importance degree of the account;

and performing parameter conversion on the alarm parameter, the fragile parameter and the value parameter according to a risk parameter conversion rule to obtain a risk parameter, wherein the risk parameter is the risk detection result, and the risk parameter conversion rule indicates that the risk parameter is positively correlated with the alarm parameter, the fragile parameter and the value parameter.

3. The method according to claim 2, wherein the number of the alarm events is plural, and the obtaining the alarm parameter by performing parameter transformation on the alarm level to which the alarm event belongs according to the alarm parameter transformation rule comprises:

4. The method of claim 2, wherein the number of the fragile events is plural, and the performing parameter transformation on the fragile level to which the fragile event belongs according to the fragile parameter transformation rule to obtain the fragile parameter comprises:

5. The method according to claim 4, wherein said performing parameter transformation on second impact parameters of a plurality of said fragile events according to said fragile parameter transformation rule to obtain said fragile parameters comprises:

6. The method of claim 2, wherein the value information includes the rights information and the real name information; the parameter conversion is performed on the value information according to the value parameter conversion rule to obtain the value parameters, and the method comprises the following steps:

performing parameter conversion on the first quantity indicated by the permission information according to the value parameter conversion rule to obtain permission parameters, wherein the value parameter conversion rule indicates that the permission parameters are positively correlated with the first quantity, and the first quantity represents the quantity of the permissions of the account;

performing parameter conversion on a second quantity indicated by the real-name information according to the value parameter conversion rule to obtain real-name parameters, wherein the value parameter conversion rule indicates that the real-name parameters are positively correlated with the second quantity, the second quantity indicates the quantity of real-name items of the account, and one real-name item indicates information related to the user and bound to the account;

7. The method of any one of claims 1-6, wherein the detecting a fragile event associated with the account number comprises at least one of:

8. The method according to any one of claims 1-6, wherein the detecting an alarm event associated with an account number comprises:

9. The method of any one of claims 1-6, wherein the detecting a fragile event associated with the account number comprises:

detecting a candidate fragile event associated with the account within a preset time period, wherein the preset time period is a time period within a preset time length before the current time point;

10. An account risk detection apparatus, the apparatus comprising:

the fragile event detection module is used for detecting a fragile event related to the account, wherein the fragile event refers to an event with potential safety hazard in the login environment of the account;

11. A computer device comprising a processor and a memory, wherein at least one computer program is stored in the memory, and is loaded and executed by the processor to perform the operations of the account risk detection method according to any one of claims 1 to 9.

12. A computer-readable storage medium, wherein at least one computer program is stored in the computer-readable storage medium, and is loaded and executed by a processor to implement the operations performed by the account risk detection method according to any one of claims 1 to 9.

13. A computer program product comprising a computer program that is loaded and executed by a processor to perform the operations performed by the account risk detection method of any of claims 1 to 9.