CN117708806B - Security authentication risk detection method, system, electronic equipment and storage medium - Google Patents


Info

Publication number
CN117708806B
Authority
CN
China
Prior art keywords
address
verification
user
verification information
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311723906.1A
Other languages
Chinese (zh)
Other versions
CN117708806A (en
Inventor
王雪松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antai Weiao Information Technology Co ltd
Original Assignee
Beijing Antai Weiao Information Technology Co ltd
Application filed by Beijing Antai Weiao Information Technology Co ltd
Priority to CN202311723906.1A
Publication of CN117708806A
Application granted
Publication of CN117708806B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a security authentication risk detection method, system, electronic equipment and storage medium, and relates to the technical field of security authentication. The security authentication risk detection method comprises the following steps: acquiring a plurality of historical verification information of a user for security authentication; analyzing the plurality of historical verification information of the user, and marking common ips of the user based on the analysis result; establishing an ip data detection method and a verification information detection method based on the common ips of the user; and performing risk early warning on the security authentication of the user based on the ip data detection method and the verification information detection method. The invention addresses the problem that, where a user performs security authentication by acquiring verification information, the prior art lacks an effective method for performing risk early warning on the user's security authentication based on the multiple ip addresses involved when the user acquires the verification information.

Description

Security authentication risk detection method, system, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of security authentication, in particular to a security authentication risk detection method, a security authentication risk detection system, electronic equipment and a storage medium.
Background
Security authentication refers to the process of evaluating and verifying that a system, product or service meets certain security standards or requirements. It is intended to ensure that the system, product or service is able to provide appropriate security to protect the user's data, property and privacy from potential threats.
Existing improvements to security authentication usually concern its processing efficiency; for example, the Chinese patent with application publication number CN111814132A discloses a security authentication method and device, a security authentication chip and a storage medium.
Disclosure of Invention
The invention aims to solve, at least to a certain extent, one of the technical problems in the prior art, and provides a security authentication risk detection method, system, electronic device and storage medium. They address the problem that, where a user performs security authentication by acquiring verification information, the prior art lacks an effective method for performing risk early warning on the user's security authentication based on the multiple ip addresses involved when the user acquires the verification information; as a result, when the verification information acquired by the user is stolen, no risk early warning can be raised for the user's security authentication on the basis of the change in ip addresses.
To achieve the above object, in a first aspect, the present invention provides a security authentication risk detection method, including:
Acquiring a plurality of history verification information used for safety authentication of a user, wherein the history verification information comprises an ip address of the user receiving the verification information, an ip address of a verification request sent by the user, the verification information and an ip address of successful login;
Analyzing a plurality of historical verification information of the user, and marking common ips of the user based on analysis results;
establishing an ip data detection method and a verification information detection method based on a common ip of a user;
And carrying out risk early warning on the security authentication of the user based on the ip data detection method and the verification information detection method.
Further, analyzing the plurality of historical verification information of the user, and marking the common ips of the user based on the analysis result comprises:
Sequentially marking the plurality of history verification information as history verification information 1 to history verification information N, analyzing all the history verification information using a verification analysis method, and sequentially marking the second common addresses obtained from all the history verification information as tags ip1 to ipN;
When any one tag ipNX among the tags ip1 to ipN is equal to any one pending use address KX in any one of the history verification information, the pending use address KX is marked as a tag use address;
all tags ip and all tag use addresses are uniformly marked as common ips of the user.
Further, the verification analysis method includes:
For any one history verification information N1 among history verification information 1 to history verification information N, the ip address of the mobile phone number used by the user in the history verification information N1 is obtained and marked as the mobile phone address, and the ip address from which the user sent the verification request in the history verification information N1 is obtained and marked as the request address; when the request address is equal to the mobile phone address, the mobile phone address is marked as the first common address of the user;
Acquiring, in the history verification information N1, the time at which the verification information was sent to the user's mobile phone and the time at which the verification information became invalid, and marking them in turn as the verification sending time and the verification invalidation time; acquiring the time, after the verification sending time, at which the verification information was sent again to another mobile phone, and marking it as the verification repetition time; when the verification repetition time is earlier than the verification invalidation time, replacing the time point corresponding to the verification invalidation time with the verification repetition time; acquiring the ip addresses at which the verification information was used between the verification sending time and the verification invalidation time, and marking them in turn as verification use address 1 to verification use address K, wherein the verification information is a verification code consisting of digits only, letters only, a combination of digits and letters, or a combination of digits, letters and symbols;
When any one verification use address K1 is equal to a first common address, recording historical verification information N1 as first-level trust information, and recording the first common address as a second common address;
The verification use addresses other than the verification use address K1 among verification use address 1 to verification use address K are marked as pending use addresses.
Further, establishing the ip data detection method and the verification information detection method based on the common ips of the user comprises:
Establishing an ip data detection method based on all commonly used ips of users;
and establishing a verification information detection method based on all commonly used ips of the user.
Further, the ip data detection method includes:
When a user sends a verification request, the ip address from which the user sends the verification request is recorded as the sending address, and a virtual ip address is established;
After the server generates the verification information, the address to which the verification information is to be sent is marked as the receiving address, and when the receiving address is equal to the sending address, the verification is marked as ip correct verification;
When the receiving address is not equal to the sending address, the verification information is sent first to the virtual ip address and then to the receiving address;
When the virtual ip address receives the verification information, the verification information is used to log in to the user's account, and the user's account data is recorded as standard user data;
When the receiving address receives the verification information, the address from which the user logs in to the account is obtained, and when that login address is the sending address or the receiving address, the verification is recorded as ip correct verification;
When the address from which the user logs in to the account is neither the sending address nor the receiving address, the user's account data after the standard login time is acquired and recorded as undetermined user data; a data difference value is obtained using a difference algorithm, the difference algorithm comprising:
Wherein B is the data difference value, α1 is the first difference coefficient, α2 is the second difference coefficient, α3 is the third difference coefficient, J is the total number of property-related data items in the user's account data, G is the total number of file-related data items in the user's account data, H is the total number of authority-related data items in the user's account data, Ji is the difference value of any one item of property data between the two sets of data being analyzed, Gi is the difference value of any one item of file data between the two sets of data being analyzed, and Hi is the difference value of any one item of authority data between the two sets of data being analyzed;
when the data difference value between the undetermined user data and the standard user data is larger than the standard difference value, the address of the user for account login is recorded as a suspicious address Y, and the verification is recorded as ip dangerous verification;
And when the data difference value between the undetermined user data and the standard user data is smaller than or equal to the standard difference value, marking the verification as ip low-risk verification.
Further, the verification information detection method includes:
After a user sends a verification request, the verification information generated by the server is marked as real-time verification information; the ip addresses at which the real-time verification information is used for login are acquired and marked in turn as real-time login address 1 to real-time login address A; when real-time login address 1 to real-time login address A contain only the virtual ip address and the sending address, the verification is marked as verification information correct verification;
When the sending address and the receiving address in the ip data detection method are unequal and the real-time login address 1 to the real-time login address A comprise a virtual ip address, a sending address and a receiving address, marking the verification as verification information low-risk verification;
When the real-time login address 1 to the real-time login address a include an address X other than the virtual ip address, the transmission address, and the reception address, the address X is marked as a suspicious address X and the present verification is marked as verification information dangerous verification.
Further, performing risk early warning on security authentication of the user based on the ip data detection method and the verification information detection method includes:
When the user performs security authentication and sends a verification request, an ip data detection method and a verification information detection method are used for analysis, and when ip dangerous verification occurs in an analysis result, a high risk signal is sent to the user and a suspicious address Y is sent to the user for verification; when the analysis result shows that verification information dangerous verification occurs, a high risk signal is sent to a user, and a suspicious address X is sent to the user for verification;
When the analysis result is that the ip is correctly verified and the verification information is correctly verified, the security authentication is recorded as risk-free authentication;
when the analysis result shows that ip low-risk verification occurs, the security authentication is recorded as low-risk authentication, and an ip abnormal signal is sent to a user;
and when the analysis result shows low-risk verification of the verification information, the security authentication is recorded as low-risk authentication, and a verification and reception abnormal signal is sent to the user.
In a second aspect, the invention also provides a security authentication risk detection system, which comprises an information acquisition module, a verification analysis module, a method establishment module and a risk early warning module;
The information acquisition module is used for acquiring a plurality of pieces of history verification information used for safety authentication by a user, wherein the history verification information comprises an ip address of the user receiving the verification information, an ip address of a verification request sent by the user, the verification information and an ip address of successful login;
the verification analysis module is used for analyzing a plurality of historical verification information of the user and marking common ips of the user based on analysis results;
the method establishment module is used for establishing an ip data detection method and a verification information detection method based on the common ip of the user;
the risk early warning module is used for carrying out risk early warning on the security authentication of the user based on the ip data detection method and the verification information detection method.
In a third aspect, the invention provides a storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method as claimed in any of the preceding claims.
In a fourth aspect, the invention provides an electronic device comprising a processor and a memory storing computer readable instructions which, when executed by the processor, perform the steps of the method as claimed in any preceding claim.
The invention has the following beneficial effects: the invention acquires a plurality of historical verification information used by a user for security authentication, then analyzes the plurality of historical verification information of the user and marks the common ips of the user based on the analysis result. The advantage is that, by acquiring and analyzing the plurality of historical verification information of the user, the multiple ip addresses commonly used by the user can be obtained, which facilitates the analysis, in subsequent steps, of the addresses at which the user obtains verification information, so that the analysis result is more accurate;
The invention also establishes the ip data detection method and the verification information detection method based on the common ip of the user, and finally carries out risk early warning on the security authentication of the user based on the ip data detection method and the verification information detection method.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, given with reference to the accompanying drawings in which:
FIG. 1 is a schematic block diagram of a system of the present invention;
FIG. 2 is a flow chart of the steps of the method of the present invention;
FIG. 3 is a schematic diagram of an ip data detection method according to the present invention;
FIG. 4 is a schematic diagram of an electronic device of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
Referring to fig. 1, in a first aspect, the present application provides a security authentication risk detection system, including an information acquisition module, a verification analysis module, a method establishment module, and a risk early warning module;
The information acquisition module is used for acquiring a plurality of pieces of history verification information used for safety authentication by a user, wherein the history verification information comprises an ip address of the user receiving the verification information, an ip address of a verification request sent by the user, the verification information and an ip address of successful login;
the verification analysis module is used for analyzing a plurality of historical verification information of the user and marking common ips of the user based on analysis results;
The verification analysis module is configured with a verification analysis policy comprising:
Sequentially marking the plurality of history verification information as history verification information 1 to history verification information N, analyzing all the history verification information using a verification analysis method, and sequentially marking the second common addresses obtained from all the history verification information as tags ip1 to ipN;
When any one tag ipNX among the tags ip1 to ipN is equal to any one pending use address KX in any one of the history verification information, the pending use address KX is marked as a tag use address;
In the specific implementation process, different history verification information contains different pending use addresses, so when a pending use address KX in any one history verification information is equal to a tag ipNX from another history verification information, this indicates that the pending use address KX also belongs to the tags ip, and the pending use address KX should be marked as a tag use address;
uniformly marking all tags ip and all tag use addresses as common ips of the user;
The verification analysis method comprises the following steps:
For any one history verification information N1 among history verification information 1 to history verification information N, the ip address of the mobile phone number used by the user in the history verification information N1 is obtained and marked as the mobile phone address, and the ip address from which the user sent the verification request in the history verification information N1 is obtained and marked as the request address; when the request address is equal to the mobile phone address, the mobile phone address is marked as the first common address of the user;
Acquiring, in the history verification information N1, the time at which the verification information was sent to the user's mobile phone and the time at which the verification information became invalid, and marking them in turn as the verification sending time and the verification invalidation time; acquiring the time, after the verification sending time, at which the verification information was sent again to another mobile phone, and marking it as the verification repetition time; when the verification repetition time is earlier than the verification invalidation time, replacing the time point corresponding to the verification invalidation time with the verification repetition time; acquiring the ip addresses at which the verification information was used between the verification sending time and the verification invalidation time, and marking them in turn as verification use address 1 to verification use address K, wherein the verification information is a verification code consisting of digits only, letters only, a combination of digits and letters, or a combination of digits, letters and symbols;
In the implementation process, because the same verification information, some time after it was first sent, may be sent again to another mobile phone for verification, at which point the earlier verification is invalid, the ip addresses obtained are inaccurate when the verification repetition time is earlier than the verification invalidation time, and the verification invalidation time therefore needs to be adjusted. For example, in one data acquisition the verification sending time of the verification information is 12:10, the verification repetition time is 13:10 and the verification invalidation time is 13:30; the verification invalidation time is adjusted to 13:10, and the ip addresses at which the verification information was used between 12:10 and 13:10 are recorded as verification use addresses 1 to K;
When any one verification use address K1 is equal to a first common address, recording historical verification information N1 as first-level trust information, and recording the first common address as a second common address;
In the implementation process, the first common address is the address obtained when the request address is equal to the mobile phone address, and the second common address is the address obtained when the request address is equal to the mobile phone address and the verification information is also used at that address;
marking the verification use addresses except the verification use address K1 from the verification use address 1 to the verification use address K as pending use addresses;
In the implementation process, because one history verification information contains only one verification information, one history verification information contains at most one second common address and one first common address;
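The verification analysis method and the tag marking step above, as an added Python example (not code from the patent). The record layout, function names and sample addresses are constructed for illustration; treating both ends of the time window as inclusive, and leaving every use address pending when no first common address matches, are assumptions the text does not settle.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


def at(hhmm: str) -> datetime:
    """Constructed sample times all fall on one arbitrary day."""
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")


@dataclass
class HistoryRecord:
    phone_ip: str      # mobile phone address (where the code was received)
    request_ip: str    # request address (where the verification request came from)
    sent: datetime     # verification sending time
    invalid: datetime  # verification invalidation time
    repeat: Optional[datetime] = None  # code re-sent to another phone, if any
    uses: List[Tuple[datetime, str]] = field(default_factory=list)  # (time, ip) per use


def analyse(rec: HistoryRecord) -> Tuple[Optional[str], List[str]]:
    """Verification analysis for one record.

    Returns (second common address or None, pending use addresses).
    """
    # First common address: the request address equals the mobile phone address.
    first_common = rec.phone_ip if rec.request_ip == rec.phone_ip else None

    # A re-send before expiry closes the window early (12:10-13:30 becomes 12:10-13:10).
    window_end = rec.invalid
    if rec.repeat is not None and rec.repeat < rec.invalid:
        window_end = rec.repeat

    # Verification use addresses 1..K: distinct ips that used the code in the window.
    # Assumption: both ends of the window are inclusive.
    use_addrs: List[str] = []
    for when, ip in rec.uses:
        if rec.sent <= when <= window_end and ip not in use_addrs:
            use_addrs.append(ip)

    if first_common is not None and first_common in use_addrs:
        # First-level trust: the first common address becomes the second common address.
        return first_common, [ip for ip in use_addrs if ip != first_common]
    # Assumption: with no match, every use address stays pending.
    return None, use_addrs


def common_ips(history: List[HistoryRecord]) -> Tuple[Set[str], Dict[int, List[str]]]:
    """Return (common ips, {record number: tag use addresses found in that record})."""
    results = [analyse(rec) for rec in history]
    tags = {tag for tag, _ in results if tag is not None}  # tags ip1..ipN
    tag_use: Dict[int, List[str]] = {}
    for number, (_, pending) in enumerate(results, start=1):
        hits = [ip for ip in pending if ip in tags]
        if hits:
            tag_use[number] = hits
    # A tag use address always equals some tag, so the union adds no new address;
    # tag_use records in which histories a trusted address appeared as a co-user.
    common = set(tags)
    for hits in tag_use.values():
        common.update(hits)
    return common, tag_use


# Constructed sample history (documentation-range addresses).
HISTORY = [
    HistoryRecord("203.0.113.10", "203.0.113.10", at("12:10"), at("13:30"), at("13:10"),
                  [(at("12:12"), "203.0.113.10"), (at("12:40"), "198.51.100.7"),
                   (at("13:20"), "192.0.2.99")]),  # 13:20 is after the re-send: ignored
    HistoryRecord("198.51.100.7", "198.51.100.7", at("09:00"), at("09:05"), None,
                  [(at("09:01"), "198.51.100.7"), (at("09:02"), "203.0.113.10")]),
    HistoryRecord("203.0.113.10", "192.0.2.50", at("15:00"), at("15:05"), None,
                  [(at("15:01"), "192.0.2.50")]),  # request ip != phone ip: no tag
]

if __name__ == "__main__":
    ips, marks = common_ips(HISTORY)
    print(sorted(ips), marks)
```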
the method establishment module is used for establishing an ip data detection method and a verification information detection method based on the common ip of the user;
The method establishment module is configured with an ip method establishment policy and a verification method establishment policy;
The ip method establishing strategy is used for establishing an ip data detection method, and the ip data detection method comprises the following steps:
When a user sends a verification request, the ip address of the user sending the verification request is recorded as a sending address, and a virtual ip address is established;
In the specific implementation process, the virtual ip address is an address set up through the network; the verification information can be used at the virtual ip address, the user's account can be logged in to with the verification information and the data in the user's account can be extracted, but the virtual ip address does not modify the user's account information, and use of the verification information through the virtual ip does not invalidate the verification information;
After the server generates the verification information, the address to which the verification information is to be sent is marked as the receiving address, and when the receiving address is equal to the sending address, the verification is marked as ip correct verification;
In the specific implementation process, when the address from which the user sends the verification request is the same as the receiving address of the verification information, the user sending the request and the user receiving the verification information are at the same ip, so the verification can be recorded as ip correct verification;
When the receiving address is not equal to the sending address, the verification information is sent first to the virtual ip address and then to the receiving address;
In the implementation process, when the receiving address is not equal to the sending address, this indicates that two or more users are requesting and receiving the verification information, so the verification information should be sent to the virtual ip address first, processed there, and then sent to the receiving address;
When the virtual ip address receives the verification information, logging in the account of the user by using the verification information and recording the account data of the user as standard user data;
When the receiving address receives the verification information, the address from which the user logs in to the account is obtained, and when that login address is the sending address or the receiving address, the verification is recorded as ip correct verification;
In the specific implementation process, when the address from which the user logs in to the account is the sending address or the receiving address, this indicates that the user who sent the verification request and the user who logged in to the account are the same person, or that the user who received the verification information and the user who logged in to the account are the same person, so the verification can be recorded as ip correct verification;
When the address from which the user logs in to the account is neither the sending address nor the receiving address, the user's account data after the standard login time is acquired and recorded as undetermined user data; a data difference value is obtained using a difference algorithm, the difference algorithm comprising:
Wherein B is the data difference value, α1 is the first difference coefficient, α2 is the second difference coefficient, α3 is the third difference coefficient, J is the total number of property-related data items in the user's account data, G is the total number of file-related data items in the user's account data, H is the total number of authority-related data items in the user's account data, Ji is the difference value of any one item of property data between the two sets of data being analyzed, Gi is the difference value of any one item of file data between the two sets of data being analyzed, and Hi is the difference value of any one item of authority data between the two sets of data being analyzed;
In the specific implementation process, the standard login time can be set according to the software corresponding to the specific user account; in this embodiment, the standard login time is set to 1 h;
In a specific implementation process, the first difference coefficient, the second difference coefficient and the third difference coefficient can be adjusted according to the relative weights of property, file and authority in the specific user account; in this embodiment, the first difference coefficient is set to 0.6, the second difference coefficient is set to 0.3, and the third difference coefficient is set to 0.1;
In the specific implementation process, for example, the property data between the two data corresponding to J10 and J7 is traffic property data; the amount corresponding to the traffic property data in the standard user data is 1000 and the amount corresponding to the traffic property data in the undetermined user data is 800, so the value corresponding to J7 is 200. For example, the file data between the two data corresponding to G3 is traffic file data; a data similarity comparison is carried out between the traffic file data in the standard user data and the traffic file data in the undetermined user data, and the comparison result obtained is 80%, that is, 80% of the traffic file data in the standard user data is equal to the traffic file data in the undetermined user data; the value corresponding to G3 is the difference between the two, namely the unequal part, so the value corresponding to G3 is 20%. For example, if H is 3 and the authority data between the two data corresponding to H2 is traffic authority data, the total number of authorities of the traffic authority data in the standard user data is 10, with authorities 1 to 8 in an open state and authorities 9 and 10 in a closed state, while in the undetermined user data authorities 1 to 7 are in an open state and authorities 8 to 10 are in a closed state; the traffic authority data in the standard user data and in the undetermined user data then differ only in authority 8, and authority 8 accounts for 1/10 of all the traffic authority data, so the value of H2 is 0.1;
In the specific implementation process, the difference values of all property data detected in one detection are 0, 15 and 0, the difference values of all authority data are 0, 0 and 0, and the difference values of all file data are 0.3, 0 and 0; the data difference value obtained by calculation is 3.03;
when the data difference value between the undetermined user data and the standard user data is larger than the standard difference value, the address of the user for account login is recorded as a suspicious address Y, and the verification is recorded as ip dangerous verification;
when the data difference value between the undetermined user data and the standard user data is smaller than or equal to the standard difference value, marking the verification as ip low-risk verification;
In the implementation process, the standard difference value can be set according to the specific proportions of property data, file data and authority data in each account; in this embodiment the standard difference value is set to 5, and when the data difference value obtained by calculation in one detection is 3.03, the verification is recorded as ip low-risk verification;
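The ip data detection decision and the per-item difference values above, as an added Python example (not code from the patent). The formula for B does not appear on this page, so `data_difference` uses an assumed weighted-mean form, B = α1·mean(Ji) + α2·mean(Gi) + α3·mean(Hi), which reproduces the embodiment's 3.03; function names and sample addresses are constructed.

```python
from typing import Optional, Sequence, Tuple

# Values from the embodiment: coefficients 0.6 / 0.3 / 0.1, standard difference value 5.
ALPHA = (0.6, 0.3, 0.1)
STANDARD_DIFFERENCE = 5.0

IP_CORRECT = "ip correct verification"
IP_LOW_RISK = "ip low-risk verification"
IP_DANGEROUS = "ip dangerous verification"


def property_diff(standard_amount: float, undetermined_amount: float) -> float:
    """Ji: absolute change of one property amount (1000 vs 800 gives 200)."""
    return abs(standard_amount - undetermined_amount)


def file_diff(similarity: float) -> float:
    """Gi: the unequal share of one file data item (80% similar gives 20%)."""
    return 1.0 - similarity


def authority_diff(standard: Sequence[bool], undetermined: Sequence[bool]) -> float:
    """Hi: share of authority switches whose open/closed state changed."""
    if not standard or len(standard) != len(undetermined):
        raise ValueError("authority lists must be non-empty and of equal length")
    changed = sum(1 for a, b in zip(standard, undetermined) if a != b)
    return changed / len(standard)


def data_difference(j: Sequence[float], g: Sequence[float], h: Sequence[float],
                    alpha: Tuple[float, float, float] = ALPHA) -> float:
    """B under the ASSUMED weighted-mean form (the formula itself is not on the page)."""
    def mean(values: Sequence[float]) -> float:
        return sum(values) / len(values) if values else 0.0
    return alpha[0] * mean(j) + alpha[1] * mean(g) + alpha[2] * mean(h)


def ip_data_detection(sending: str, receiving: str, login: str,
                      diffs: Optional[Tuple[Sequence[float], ...]] = None,
                      standard: float = STANDARD_DIFFERENCE):
    """Return (verdict, suspicious address Y or None, B or None).

    diffs = (Ji list, Gi list, Hi list) comparing the standard user data captured
    by the virtual ip with the undetermined user data taken after the standard
    login time. It is only needed when the login address is unknown.
    """
    if receiving == sending:
        return IP_CORRECT, None, None
    # receiving != sending: the code went to the virtual ip first, then onward.
    if login in (sending, receiving):
        return IP_CORRECT, None, None
    if diffs is None:
        raise ValueError("difference values are required for an unknown login address")
    b = data_difference(*diffs)
    if b > standard:
        return IP_DANGEROUS, login, b  # login address becomes suspicious address Y
    return IP_LOW_RISK, None, b


# Difference values quoted in the embodiment (property, file, authority).
EMBODIMENT_DIFFS = ([0, 15, 0], [0.3, 0, 0], [0, 0, 0])
# Constructed case: one property amount dropped by 200.
DRAINED_DIFFS = ([200, 0, 0], [0.2, 0, 0], [0.1, 0, 0])

if __name__ == "__main__":
    for diffs in (EMBODIMENT_DIFFS, DRAINED_DIFFS):
        print(ip_data_detection("203.0.113.10", "198.51.100.7", "192.0.2.50", diffs))
```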
The verification method establishment strategy is used for establishing a verification information detection method, and the verification information detection method comprises the following steps:
After a user sends a verification request, the verification information generated by the server is marked as real-time verification information; the ip addresses at which the real-time verification information is used for login are acquired and marked in turn as real-time login address 1 to real-time login address A; when real-time login address 1 to real-time login address A contain only the virtual ip address and the sending address, the verification is marked as verification information correct verification;
When the sending address and the receiving address in the ip data detection method are unequal and the real-time login address 1 to the real-time login address A comprise a virtual ip address, a sending address and a receiving address, marking the verification as verification information low-risk verification;
When the real-time login address 1 to the real-time login address A comprise an address X except a virtual ip address, a sending address and a receiving address, marking the address X as a suspicious address X and marking the verification as verification information dangerous verification;
In the specific implementation process, when an unrecorded address X appears in the login address, the verification information of the user is possibly used by other people and logged in the account of the user, so that the address X should be saved and the verification should be recorded as dangerous verification of the verification information;
The risk early warning module is used for performing risk early warning on the user's security authentication based on the IP data detection method and the verification information detection method;
The risk early warning module is configured with a risk early warning strategy, and the risk early warning strategy comprises:
When the user performs security authentication and sends a verification request, the IP data detection method and the verification information detection method are used for analysis. When IP dangerous verification appears in the analysis result, a high-risk signal is sent to the user and suspicious address Y is sent to the user for verification; when verification information dangerous verification appears in the analysis result, a high-risk signal is sent to the user and suspicious address X is sent to the user for verification;
When the analysis result is IP correct verification and verification information correct verification, the security authentication is recorded as risk-free authentication;
When IP low-risk verification appears in the analysis result, the security authentication is recorded as low-risk authentication, and an IP abnormal signal is sent to the user;
In a specific implementation, when the result obtained from the IP data detection method and the verification information detection method in one verification is IP dangerous verification and verification information low-risk verification, a high-risk signal and suspicious address X are sent to the user for verification, and a verification reception abnormal signal is sent to the user;
When verification information low-risk verification appears in the analysis result, the security authentication is recorded as low-risk authentication, and a verification reception abnormal signal is sent to the user.
Example 2
Referring to FIG. 2, in a second aspect, the present invention provides a security authentication risk detection method, including:
Step S1, acquiring a plurality of pieces of history verification information used by a user for security authentication, wherein the history verification information comprises the IP address at which the user receives the verification information, the IP address from which the user sends the verification request, the verification information, and the IP address of the successful login;
Step S2, analyzing the plurality of pieces of history verification information of the user, and marking the user's common IPs based on the analysis results;
Step S2 comprises the following sub-steps:
Step S201, marking the plurality of pieces of history verification information in sequence as history verification information 1 to history verification information N, analyzing all the history verification information using a verification analysis method, and marking the second common addresses obtained from all the history verification information in sequence as labels ip1 to ipN;
Step S202, when any label ipNX among labels ip1 to ipN is equal to any pending use address KX in any piece of history verification information, marking the pending use address KX as a label use address;
Step S203, uniformly marking all labels ip and all label use addresses as the user's common IPs;
The verification analysis method comprises the following steps:
For any history verification information N1 among history verification information 1 to history verification information N, acquiring the IP address of the mobile phone number used by the user in history verification information N1 and marking it as the mobile phone address, acquiring the IP address from which the user sent the verification request in history verification information N1 and marking it as the request address, and when the request address is equal to the mobile phone address, marking the mobile phone address as a first common address of the user;
Acquiring, in history verification information N1, the time at which the verification information was sent to the user's mobile phone and the time at which the verification information became invalid, and marking them in sequence as the verification sending time and the verification invalidation time; acquiring the time at which verification information was sent again to the other mobile phone after the verification sending time, and marking it as the verification repeat time; when the verification repeat time is earlier than the verification invalidation time, replacing the time point of the verification invalidation time with the verification repeat time; acquiring the IP addresses at which the verification information was used between the verification sending time and the verification invalidation time, and marking them in sequence as verification use address 1 to verification use address K, wherein the verification information is a verification code consisting of digits only, letters only, a combination of digits and letters, or a combination of digits, letters and symbols;
When any verification use address K1 is equal to the first common address, recording history verification information N1 as first-level trust information, and recording the first common address as a second common address;
Marking the verification use addresses other than verification use address K1 among verification use address 1 to verification use address K as pending use addresses;
Step S3, establishing an IP data detection method and a verification information detection method based on the user's common IPs;
Step S3 comprises the following sub-steps:
Step S301, establishing the IP data detection method based on all of the user's common IPs;
Step S302, establishing the verification information detection method based on all of the user's common IPs;
The IP data detection method comprises the following steps:
When the user sends a verification request, the IP address from which the user sends the verification request is recorded as the sending address, and a virtual IP address is established;
After the server generates the verification information, the address to which the verification information is to be sent is marked as the receiving address, and when the receiving address is equal to the sending address, the verification is marked as IP correct verification;
When the receiving address is not equal to the sending address, the verification information is sent first to the virtual IP address and then to the receiving address;
When the virtual IP address receives the verification information, the verification information is used to log in to the user's account, and the user's account data is recorded as standard user data;
When the receiving address receives the verification information, the address from which the user logs in to the account is acquired, and when that login address is the sending address or the receiving address, the verification is recorded as IP correct verification;
When the address from which the user logs in to the account is neither the sending address nor the receiving address, the user's account data after the standard login time is acquired and recorded as pending user data; a data difference value is obtained using a difference algorithm, the difference algorithm comprising:
where B is the data difference value, α1 is the first difference coefficient, α2 is the second difference coefficient, α3 is the third difference coefficient, J is the total number of property-related data items in the user's account data, G is the total number of file-related data items in the user's account data, H is the total number of authority-related data items in the user's account data, Ji is the difference value of any property data item between the two analyzed data sets, Gi is the difference value of any file data item between the two analyzed data sets, and Hi is the difference value of any authority data item between the two analyzed data sets;
When the data difference value between the pending user data and the standard user data is greater than the standard difference value, the address from which the user logged in to the account is recorded as suspicious address Y, and the verification is recorded as IP dangerous verification;
When the data difference value between the pending user data and the standard user data is less than or equal to the standard difference value, the verification is marked as IP low-risk verification.
The verification information detection method comprises the following steps:
After the user sends a verification request, the verification information generated by the server is marked as real-time verification information, and the IP addresses from which the real-time verification information is used to log in are acquired and marked in sequence as real-time login address 1 to real-time login address A; when real-time login address 1 to real-time login address A contain only the virtual IP address and the sending address, the verification is marked as verification information correct verification;
When the sending address and the receiving address in the IP data detection method are not equal, and real-time login address 1 to real-time login address A comprise the virtual IP address, the sending address and the receiving address, the verification is marked as verification information low-risk verification;
When real-time login address 1 to real-time login address A include an address X other than the virtual IP address, the sending address and the receiving address, address X is marked as suspicious address X and the verification is marked as verification information dangerous verification;
Step S4, performing risk early warning on the user's security authentication based on the IP data detection method and the verification information detection method.
Step S4 includes:
When the user performs security authentication and sends a verification request, the IP data detection method and the verification information detection method are used for analysis. When IP dangerous verification appears in the analysis result, a high-risk signal is sent to the user and suspicious address Y is sent to the user for verification; when verification information dangerous verification appears in the analysis result, a high-risk signal is sent to the user and suspicious address X is sent to the user for verification;
When the analysis result is IP correct verification and verification information correct verification, the security authentication is recorded as risk-free authentication;
When IP low-risk verification appears in the analysis result, the security authentication is recorded as low-risk authentication, and an IP abnormal signal is sent to the user;
When verification information low-risk verification appears in the analysis result, the security authentication is recorded as low-risk authentication, and a verification reception abnormal signal is sent to the user.
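The IP data detection method, the verification information detection method and the step S4 warning strategy can be combined into one decision routine. The Python below is an added illustration, not code from the patent: the field names, label strings, the "high_risk" level name and the sample addresses are assumptions, and because the difference formula is not reproduced on this page, the data difference value B is passed in as an input.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

STANDARD_DIFFERENCE = 5.0  # standard difference value set in the embodiment


@dataclass
class Verification:
    sending: str             # IP address that sent the verification request
    receiving: str           # IP address the verification information is sent to
    virtual: str             # virtual IP address established for this request
    account_login: str       # address of the user's account login (IP data detection)
    code_logins: List[str]   # real-time login addresses 1..A (where the code was used)
    data_difference: Optional[float] = None  # B: pending vs. standard user data


def ip_data_verdict(v: Verification, standard: float = STANDARD_DIFFERENCE
                    ) -> Tuple[str, Optional[str]]:
    """IP data detection: returns (label, suspicious address Y or None)."""
    if v.receiving == v.sending:
        return "ip_correct", None
    if v.account_login in (v.sending, v.receiving):
        return "ip_correct", None
    # Login came from a third address: compare account data against the
    # baseline recorded through the virtual IP login.
    if v.data_difference is None:
        raise ValueError("data difference B is required for a third-address login")
    if v.data_difference > standard:
        return "ip_dangerous", v.account_login
    return "ip_low_risk", None  # B <= standard difference value


def verification_info_verdict(v: Verification) -> Tuple[str, List[str]]:
    """Verification information detection: returns (label, suspicious addresses X)."""
    known = {v.virtual, v.sending, v.receiving}
    suspects: List[str] = []
    for addr in v.code_logins:
        if addr not in known and addr not in suspects:
            suspects.append(addr)
    if suspects:
        return "info_dangerous", suspects
    # Assumption: a use of the code from a receiving address that differs from
    # the sending address is enough to make the verification low-risk.
    if v.receiving != v.sending and v.receiving in v.code_logins:
        return "info_low_risk", []
    return "info_correct", []


def risk_warning(v: Verification) -> Tuple[str, List[Tuple[str, Optional[str]]]]:
    """Step S4: returns (authentication level, signals sent to the user)."""
    ip_label, suspect_y = ip_data_verdict(v)
    info_label, suspects_x = verification_info_verdict(v)
    signals: List[Tuple[str, Optional[str]]] = []
    if ip_label == "ip_dangerous":
        signals.append(("high_risk_signal", suspect_y))
    if info_label == "info_dangerous":
        for x in suspects_x:
            if ("high_risk_signal", x) not in signals:
                signals.append(("high_risk_signal", x))
    if ip_label == "ip_low_risk":
        signals.append(("ip_abnormal_signal", None))
    if info_label == "info_low_risk":
        signals.append(("verification_reception_abnormal_signal", None))
    # Assumption: the most severe signal decides the recorded level.
    if any(name == "high_risk_signal" for name, _ in signals):
        level = "high_risk"
    elif signals:
        level = "low_risk"
    else:
        level = "risk_free"
    return level, signals


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not from the patent.
    SEND, RECV, VIRT, OTHER = "192.0.2.10", "198.51.100.20", "10.255.0.1", "203.0.113.77"
    cases = {
        "same address": Verification(SEND, SEND, VIRT, SEND, [SEND]),
        "embodiment, B=3.03": Verification(SEND, RECV, VIRT, OTHER, [VIRT, SEND], 3.03),
        "B above standard": Verification(SEND, RECV, VIRT, OTHER, [VIRT, SEND, RECV], 7.2),
        "code used elsewhere": Verification(SEND, RECV, VIRT, RECV, [VIRT, RECV, OTHER]),
    }
    for name, case in cases.items():
        print(name, "->", risk_warning(case))
```

The two detectors take separate inputs (`account_login` and `code_logins`) because the page describes them as separate observations; a deployment that derives one from the other would need to decide how the labels interact.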
Example 3
In a third aspect, the application provides an electronic device 50 comprising a processor 501 and a memory 502, the memory 502 storing computer-readable instructions which, when executed by the processor 501, perform the steps of any of the methods described above. In this technical solution, the processor 501 and the memory 502 are interconnected and communicate with each other through a communication bus and/or another form of connection mechanism (not shown); the memory 502 stores a computer program executable by the processor 501, and when the electronic device 50 runs, the processor 501 executes the computer program to perform the method in any of the alternative implementations of the foregoing embodiments, so as to implement the following functions: first, acquiring a plurality of pieces of history verification information used by a user for security authentication; then analyzing the plurality of pieces of history verification information of the user, marking the user's common IPs based on the analysis results, and establishing an IP data detection method and a verification information detection method based on the user's common IPs; and finally performing risk early warning on the user's security authentication based on the IP data detection method and the verification information detection method.
Example 4
In a fourth aspect, the present application provides a storage medium having stored thereon a computer program which, when executed by a processor 501, performs the steps of any of the methods described above. In this technical solution, the computer program, when executed by the processor 501, performs the method in any alternative implementation of the above embodiments, so as to implement the following functions: first, acquiring a plurality of pieces of history verification information used by a user for security authentication; then analyzing the plurality of pieces of history verification information of the user, marking the user's common IPs based on the analysis results, and establishing an IP data detection method and a verification information detection method based on the user's common IPs; and finally performing risk early warning on the user's security authentication based on the IP data detection method and the verification information detection method.
In the foregoing embodiments of the present application, each embodiment is described with its own emphasis; for a part that is not described in detail in one embodiment, reference is made to the related descriptions of the other embodiments.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied therein. The storage medium may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative; for example, the division into units is merely a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interface, device or unit, and may be electrical, mechanical or in another form.

Claims (8)

1. A security authentication risk detection method, comprising:
Acquiring a plurality of pieces of history verification information used by a user for security authentication, wherein the history verification information comprises the IP address at which the user receives the verification information, the IP address from which the user sends the verification request, the verification information, and the IP address of the successful login;
Analyzing the plurality of pieces of history verification information of the user, and marking the user's common IPs based on the analysis results;
Establishing an IP data detection method and a verification information detection method based on the user's common IPs;
Performing risk early warning on the user's security authentication based on the IP data detection method and the verification information detection method; the IP data detection method comprises the following steps:
When the user sends a verification request, the IP address from which the user sends the verification request is recorded as the sending address, and a virtual IP address is established;
After the server generates the verification information, the address to which the verification information is to be sent is marked as the receiving address, and when the receiving address is equal to the sending address, the verification is marked as IP correct verification;
When the receiving address is not equal to the sending address, the verification information is sent first to the virtual IP address and then to the receiving address;
When the virtual IP address receives the verification information, the verification information is used to log in to the user's account, and the user's account data is recorded as standard user data;
When the receiving address receives the verification information, the address from which the user logs in to the account is acquired, and when that login address is the sending address or the receiving address, the verification is recorded as IP correct verification;
When the address from which the user logs in to the account is neither the sending address nor the receiving address, the user's account data after the standard login time is acquired and recorded as pending user data; a data difference value is obtained using a difference algorithm, the difference algorithm comprising:
where B is the data difference value, α1 is the first difference coefficient, α2 is the second difference coefficient, α3 is the third difference coefficient, J is the total number of property-related data items in the user's account data, G is the total number of file-related data items in the user's account data, H is the total number of authority-related data items in the user's account data, Ji is the difference value of any property data item between the two analyzed data sets, Gi is the difference value of any file data item between the two analyzed data sets, and Hi is the difference value of any authority data item between the two analyzed data sets;
When the data difference value between the pending user data and the standard user data is greater than the standard difference value, the address from which the user logged in to the account is recorded as suspicious address Y, and the verification is recorded as IP dangerous verification;
When the data difference value between the pending user data and the standard user data is less than or equal to the standard difference value, the verification is marked as IP low-risk verification;
The verification information detection method comprises the following steps:
After the user sends a verification request, the verification information generated by the server is marked as real-time verification information, and the IP addresses from which the real-time verification information is used to log in are acquired and marked in sequence as real-time login address 1 to real-time login address A; when real-time login address 1 to real-time login address A contain only the virtual IP address and the sending address, the verification is marked as verification information correct verification;
When the sending address and the receiving address in the IP data detection method are not equal, and real-time login address 1 to real-time login address A comprise the virtual IP address, the sending address and the receiving address, the verification is marked as verification information low-risk verification;
When real-time login address 1 to real-time login address A include an address X other than the virtual IP address, the sending address and the receiving address, address X is marked as suspicious address X and the verification is marked as verification information dangerous verification.
2. The security authentication risk detection method according to claim 1, wherein analyzing the plurality of pieces of history verification information of the user and marking the user's common IPs based on the analysis results comprises:
Marking the plurality of pieces of history verification information in sequence as history verification information 1 to history verification information N, analyzing all the history verification information using a verification analysis method, and marking the second common addresses obtained from all the history verification information in sequence as labels ip1 to ipN;
When any label ipNX among labels ip1 to ipN is equal to any pending use address KX in any piece of history verification information, marking the pending use address KX as a label use address;
Uniformly marking all labels ip and all label use addresses as the user's common IPs.
3. The security authentication risk detection method according to claim 2, wherein the verification analysis method comprises:
For any history verification information N1 among history verification information 1 to history verification information N, acquiring the IP address of the mobile phone number used by the user in history verification information N1 and marking it as the mobile phone address, acquiring the IP address from which the user sent the verification request in history verification information N1 and marking it as the request address, and when the request address is equal to the mobile phone address, marking the mobile phone address as a first common address of the user;
Acquiring, in history verification information N1, the time at which the verification information was sent to the user's mobile phone and the time at which the verification information became invalid, and marking them in sequence as the verification sending time and the verification invalidation time; acquiring the time at which verification information was sent again to the other mobile phone after the verification sending time, and marking it as the verification repeat time; when the verification repeat time is earlier than the verification invalidation time, replacing the time point of the verification invalidation time with the verification repeat time; acquiring the IP addresses at which the verification information was used between the verification sending time and the verification invalidation time, and marking them in sequence as verification use address 1 to verification use address K, wherein the verification information is a verification code consisting of digits only, letters only, a combination of digits and letters, or a combination of digits, letters and symbols;
When any verification use address K1 is equal to the first common address, recording history verification information N1 as first-level trust information, and recording the first common address as a second common address;
Marking the verification use addresses other than verification use address K1 among verification use address 1 to verification use address K as pending use addresses.
4. The security authentication risk detection method according to claim 3, wherein establishing the IP data detection method and the verification information detection method based on the user's common IPs comprises:
Establishing the IP data detection method based on all of the user's common IPs;
Establishing the verification information detection method based on all of the user's common IPs.
5. The security authentication risk detection method according to claim 4, wherein performing risk early warning on the user's security authentication based on the IP data detection method and the verification information detection method comprises:
When the user performs security authentication and sends a verification request, the IP data detection method and the verification information detection method are used for analysis. When IP dangerous verification appears in the analysis result, a high-risk signal is sent to the user and suspicious address Y is sent to the user for verification; when verification information dangerous verification appears in the analysis result, a high-risk signal is sent to the user and suspicious address X is sent to the user for verification;
When the analysis result is IP correct verification and verification information correct verification, the security authentication is recorded as risk-free authentication;
When IP low-risk verification appears in the analysis result, the security authentication is recorded as low-risk authentication, and an IP abnormal signal is sent to the user;
When verification information low-risk verification appears in the analysis result, the security authentication is recorded as low-risk authentication, and a verification reception abnormal signal is sent to the user.
6. A system suitable for the security authentication risk detection method according to any one of claims 1 to 5, comprising an information acquisition module, a verification analysis module, a method establishment module and a risk early warning module;
The information acquisition module is used for acquiring a plurality of pieces of history verification information used by a user for security authentication, wherein the history verification information comprises the IP address at which the user receives the verification information, the IP address from which the user sends the verification request, the verification information, and the IP address of the successful login;
The verification analysis module is used for analyzing the plurality of pieces of history verification information of the user and marking the user's common IPs based on the analysis results;
The method establishment module is used for establishing an IP data detection method and a verification information detection method based on the user's common IPs;
The risk early warning module is used for performing risk early warning on the user's security authentication based on the IP data detection method and the verification information detection method.
7. An electronic device comprising a processor and a memory storing computer readable instructions that, when executed by the processor, perform the steps in the method of any of claims 1-5.
8. A storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method according to any of claims 1-5.
CN202311723906.1A 2023-12-14 2023-12-14 Security authentication risk detection method, system, electronic equipment and storage medium Active CN117708806B (en)


Publications (2)

Publication Number Publication Date
CN117708806A (en) 2024-03-15
CN117708806B (en) 2024-05-07

Family

ID=90161877


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant