US20140033306A1 - Method and Apparatus of Identifying User Risk - Google Patents
Method and Apparatus of Identifying User Risk Download PDFInfo
- Publication number
- US20140033306A1 US20140033306A1 US13/948,838 US201313948838A US2014033306A1 US 20140033306 A1 US20140033306 A1 US 20140033306A1 US 201313948838 A US201313948838 A US 201313948838A US 2014033306 A1 US2014033306 A1 US 2014033306A1
- Authority
- US
- United States
- Prior art keywords
- routing
- user
- information
- login
- characteristic information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/107—Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/26—Route discovery packet
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/52—Network services specially adapted for the location of the user terminal
Definitions
- the present disclosure relates to online security and, more specifically, to identifying risk associate with user identities.
- Online identity theft has become a serious problem for the Internet services. Online identity theft causes not only monetary losses to users but also harmful consequences to users (e.g., illegal conduct by a third party). Accordingly, service providers desire to find an efficient way to identify a user account at risk (i.e., suspicious user accounts) but also to allow legitimate user activities.
- a service provider determines whether a login is a non-local login by selecting a geographic position corresponding to an IP address used when the user logs in.
- a network operator may change its own IP address pool. For example, IP address allocation among cities may lead to identify a legitimate user as an illegal user. Thus, the identification error rate is relatively high.
- a geographic position identified by the method of the technique is relatively rough and generally only may be accurate when logins are conducted in different cities. For example, if a third party steals an identity of a user, and logs in in the same city that the user used to log in (e.g., using a proxy server), the risk may not be identified.
- an urgent problem needing resolution involves identifying user risk and reducing the influence of an IP address change associated with identification of the user risk.
- a technical problem to be solved by embodiments of the present disclosure is to identify user risk and to reduce the influence of an IP address change associated with identification of the user risk.
- Embodiments of the present disclosure also reduce error rates associated with the risk user identification, and identify geographic positions more accurately.
- Embodiments of the present disclosure also relate to methods for identifying that a user login is suspicious.
- the methods may include acquiring, by a server, a routing path logged in by a user based on login information of the user. Based on the routing path, the server may extract current routing characteristic information from the routing path logged in by the user, and then identify whether the current login is suspicious based on the current routing characteristic information.
- the login information of the user includes a user identity, information of a client terminal where the user initiates a login request and information of a server that receives the login request.
- the acquiring a routing path logged in by a user based on login information of the user includes sending a routing discovery message to the client terminal by the server, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the server to generate a currently logged-in routing path corresponding to the user identity.
- the login information of the user includes information of a client terminal where the user initiates a login request and information of a server that receives the login request.
- the acquiring a routing path logged in by a user based on login information of the user includes sending a routing discovery message to the server by the client terminal, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the client terminal to generate a currently logged-in routing path corresponding to the user identity.
- the extracting current routing characteristic information from the routing path logged in by the user includes extracting information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with a traffic greater than a preset threshold, and organizing the information of the key router to form current routing characteristic information.
- the identifying whether the current user logs in non-locally based on the current routing characteristic information includes querying historical routing characteristic information corresponding to the user identity, and comparing whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
- the login information of the user also includes a machine identity.
- the identifying whether the current user logs in non-locally based on the current routing characteristic information includes presetting a legal correspondence table of a machine identity and a user class, and determining whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class.
- the user class is a cluster of the user identity with the same path characteristic information. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
- Embodiments of the present disclosure also relate to devices for identifying that a user is suspicious.
- the device may include a routing path acquisition module, a current path extraction module, and a risk judgment module.
- the routing path acquisition module is configured to acquire a routing path logged in by a user based on login information of the user.
- the current path extraction module is configured to extract current routing characteristic information from the routing path logged in by the user.
- the risk judgment module is configured to identify whether the current login is suspicious based on the current routing characteristic information.
- the login information of the user may include a user identity, information of a client terminal where the user initiates a login request, and information of a server which receives the login request.
- the routing path acquisition module may include a routing discovery message sending sub-module configured to send a routing discovery message to the client terminal, a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity.
- the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request.
- the routing path acquisition module may include a routing discovery message sending sub-module configured to send a routing discovery message to the server, a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity.
- the current path extraction module may include a user login routing path extraction sub-module configured to extract information of a key router from the routing path logged in by the user.
- the information of the key router is information of a router with traffic greater than a preset threshold, and a key router information formation sub-module configured to organize the information of the key router to form current routing characteristic information.
- the risk judgment module may include a user identity query sub-module configured to query historical routing characteristic information corresponding to the user identity, and a routing characteristic information comparison sub-module configured to compare whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
- the login information of the user may also include a machine identity.
- the risk judgment module may include a user identity clustering sub-module configured to preset a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information, and a user identity and machine identity judgment sub-module configured to determine whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
- Embodiments of the present disclosure acquire a routing path from a user to a server when the user logs in the server.
- the server also extracts routing characteristic information of a corresponding user from the routing path.
- a currently logged-in critical path may be obtained based on routing characteristic information of current login of a user, and the current critical path is compared with a critical path that is previously frequently logged in by a corresponding user based on server records.
- the server may be able to identify whether the current login of the user is a non-local login. This may be an auxiliary mechanism for user identity confirmation based on path reputation between a user machine and a login server.
- the mechanism allows the login server to identify whether the current login account is suspicious of theft and is capable of providing a relatively accurate risk control means.
- embodiments of the present disclosure may obtain traffic information of a router between a user and a server, and may provide a true position of the user more carefully. Accordingly, the present disclosure may reduce influence of an IP address change on user risk identification, reduce the error rate of risk user identification, and identify geographic position more accurately.
- FIG. 1 is a flow chart of an illustrative process for determining credibility of online identities.
- FIG. 2 is a schematic diagram of an illustrative computing architecture that enables user risk identification.
- Embodiments of this present disclosure include acquiring a routing path from a user to a server when the user logs in the server, and extract routing characteristic information of a corresponding user from the routing path.
- a currently logged-in critical path may be obtained based on routing characteristic information of a current login of a user, and the current critical path is compared with a critical path that is previously frequently logged in by a corresponding user in server records to identify whether the current login of the user is non-local login.
- FIG. 1 is a flow chart of an illustrative process for determining credibility of online identities.
- a server may acquire a routing path logged in by a user based on login information of the user.
- the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request.
- a message may be transferred from a client terminal to a server via a multistage router, and a message channel connected by various stages of routers may form a routing path logged in by a user.
- the server may acquire the routing path by sending a routing discovery message to the client terminal by the server, receiving routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the server to form a routing path that is currently logged in by the user.
- a path collection application program may be deployed at a server.
- the path collection application program may be initiated and connected to a network to send an Internet Control Message Protocol (ICMP) routing discovery message to the client terminal.
- ICMP Internet Control Message Protocol
- a router receiving the message may provide feedback routing node information hop-by-hop.
- the routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
- the server may acquire the routing path by sending a routing discovery message to the server by the client terminal, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the client terminal to form a routing path that is currently logged in by the user.
- a path collection application program may be deployed at a client terminal; when a user submits a login request, the path collection application program is initiated and connected to a network to send an ICMP routing discovery message to the server.
- a router receiving the message may provide feedback routing node information hop-by-hop.
- the routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
- the server may extract routing characteristic information from the routing path logged in by the user.
- the server may extract the routing characteristic information by extracting information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with traffic greater than a preset threshold, and organizing the information of the key router to form routing characteristic information.
- the server may identify whether the current login is suspicious based on the routing characteristic information. In some embodiments, the server may identify by querying historical routing characteristic information corresponding to the user identity, and comparing whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
- the routing characteristic information of current login of a user may be compared with preceding historical routing characteristic information of a corresponding user to view whether a critical path therein is consistent with a critical path in trusted routing characteristic information that is frequently used by the user. If there is a critical path, the server may determine that no non-local login occurs and the login is not at risk. But if there is no critical path, the server may determine that non-local login occurs and the login is suspicious.
- the trusted routing characteristic information may be generated by various ways.
- the trusted routing characteristic information may include a routing path used when an account is registered, and a routing path certified by strong identity authentication.
- the strong identity authentication may include answering of an authentication question, confirmation of a client via telephone communication, and so on.
- routing path There may be more than one routing path frequently used by a user.
- the user may access the Internet at an office, at home, via a mobile phone, and etc. Accordingly, there may be multiple critical paths in the trusted routing characteristic information to ensure more reliable and user friendly.
- the login information of the user also may include a machine identity.
- the server may identify whether the current login is suspicious based on the routing characteristic information by presetting a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information. Then, the server may determine whether the user identity and the machine identity are present in the correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
- a legal correspondence table of a machine identity and a user class may be set at a server.
- identity of a login client terminal and/or identity of a login server (machine identity) and user identity of current login may be compared with the legal correspondence table of the machine identity and the user class. If the corresponding relationship between the machine identity and the user identity of the current login is present in the legal correspondence table, the server may determine that the user does not log in non-locally and therefore the login is not at risk. Otherwise, the server may determine that the user logs is non-locally and therefore is suspicious.
- the process to build a network router is sometime complicated and also has relatively expensive.
- a common network operator may not easily change a critical routing path.
- a network operator changes its own IP address pool, and especially IP address allocation among cities.
- the technologies in the present disclosure for determining whether an account is logged in non-locally based on a critical routing path may more accurately determine that a login is suspicious.
- a determination of an account login address via a user identity may be inaccurate among cities.
- a third party using a stolen account may use a network proxy server in the same city that the legitimate user used to log in.
- the conventional technologies may not detect that the account is logged in non-locally.
- an auxiliary mechanism described in this disclosure confirms user identities based on path reputation between a user machine and a login server. This allows the login server to effectively identify whether the current login account is at risk (e.g., stolen), and therefore provides more accurate risk control.
- a user with a user identity may send a login request to a server of a website A via a client terminal of the website A.
- the server of the website A may complete login of the user in response to the request and generate login information of the user based on Cookies returned by the client terminal of the website A.
- the server of the website A may initiate a path collection application program to send an ICMP routing discovery message to a login server.
- the path collection application program may directly return hop-by-hop router information passed by the discovery message to the server after receiving the information.
- the hop-by-hop router information may be analyzed, and the user identity 2012 may be marked to acquire a routing path logged in by the user and to return the routing path to the server.
- the server of the website A may analyze routing information of each routing node in the routing path logged in by the user to extract a router with a traffic reaching a traffic preset value as a key router.
- a critical path may be generated based on the key router and marked with the user identity 2012 to generate path characteristic information of current login of the user.
- Historical routing characteristic information of last login of 2012 may be extracted from records of the server of the website A, and comparison may be made whether a key router of the historical routing characteristic information is the same as that of the path characteristic information of the current login.
- the server may determine that a corresponding account of the user 2012 is at the risk of non-local login.
- FIG. 2 is a schematic diagram of an illustrative computing architecture that enables user risk identification.
- the computing device 200 may be a user device or a server for a multiple location login control.
- the computing device 200 may include one or more processors 202 , input/output interfaces 204 , network interface 206 , and memory 208 .
- the memory 208 may include computer-readable media in the form of volatile memory, such as random-access memory (RAM) and/or non-volatile memory, such as read only memory (ROM) or flash RAM.
- RAM random-access memory
- ROM read only memory
- flash RAM flash random-access memory
- Computer-readable media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or other data.
- Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random-access memory (SRAM), dynamic random-access memory (DRAM), other types of random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that may be used to store information for access by a computing device.
- computer-readable media does not include transitory media such as modulated data signals and carrier waves.
- the memory 208 may include a routing path acquisition module 210 configured to acquire a routing path logged in by a user based on login information of the user, a current path extraction module 212 configured to extract current routing characteristic information from the routing path logged in by the user, and a risk judgment module 214 configured to identify whether the current login is suspicious based on the current routing characteristic information.
- a routing path acquisition module 210 configured to acquire a routing path logged in by a user based on login information of the user
- a current path extraction module 212 configured to extract current routing characteristic information from the routing path logged in by the user
- a risk judgment module 214 configured to identify whether the current login is suspicious based on the current routing characteristic information.
- the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request.
- information may be transferred from a client terminal to a server via a multistage router, and a message channel connected by various stages of routers may form a routing path logged in by a user.
- the routing path acquisition module 210 may include a routing discovery message sending sub-module at the server configured to send a routing discovery message to the client terminal, and a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity. These sub-modules may be located on the server.
- a path collection application program may be deployed at a server.
- the path collection application program may be initiated and connected to a network to send an ICMP routing discovery message to the client terminal.
- a router receiving the message may provide feedback routing node information hop-by-hop.
- the routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
- the routing path acquisition module 210 may include a routing discovery message sending sub-module configured to send a routing discovery message to the server.
- the routing path acquisition module 210 may also include a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity. These sub-modules may be located in the client terminal.
- a path collection application program may be deployed at a client terminal; when a user submits a login request.
- the path collection application program may be initiated and connected to a network to send an ICMP routing discovery message to the server.
- a router receiving the message may provide feedback routing node information hop-by-hop.
- the routing path that may be currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
- the current path extraction module 212 may include a user login routing path extraction sub-module configured to extract information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with a traffic greater than a preset threshold, a key router information formation sub-module configured to organize the information of the key router to form current routing characteristic information, and a risk judgment module configured to identify whether the current login is suspicious based on the current routing characteristic information.
- a user login routing path extraction sub-module configured to extract information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with a traffic greater than a preset threshold
- a key router information formation sub-module configured to organize the information of the key router to form current routing characteristic information
- a risk judgment module configured to identify whether the current login is suspicious based on the current routing characteristic information.
- the risk judgment module 214 may include a user identity query sub-module configured to query historical routing characteristic information corresponding to the user identity, and a routing characteristic information comparison module configured to compare whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the user login is suspicious.
- routing characteristic information of current login of a user may be compared with preceding historical routing characteristic information of a corresponding user to view whether a critical path therein is consistent with a critical path in a trusted routing characteristic information that is frequently used by the user. If a critical path therein is consistent with a critical path in a trusted routing characteristic information that is frequently used by the user, the server may determine that no non-local login occurs and the user is not at risk. Otherwise, the server may determine that non-local login occurs, and therefore the user login is suspicious.
- the trusted routing characteristic information may be generated by various ways.
- a routing path may be used when an account is registered, and a routing path may be certified by identity authentication.
- the strong identity authentication may include answering of an authentication question, confirmation of a client via telephone communication, and so on.
- routing path frequently used by a user e.g., an office, home, mobile phone, and etc.
- a user e.g., an office, home, mobile phone, and etc.
- the login information of the user may also include a machine identity; and the risk judgment module 214 may include a user identity clustering sub-module configured to preset a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information, and a user identity and machine identity judgment sub-module configured to determine whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the user login is suspicious.
- an authorized correspondence table of a machine identity and a user class may be set at a server.
- identity of a login client terminal and/or identity of a login server e.g., machine identity
- a user identity of a current login may be compared with the authorized correspondence table of the machine identity and the user class. If the corresponding relation between the machine identity and the user identity of the current login is present in the legal correspondence table of the machine identity and the user class, the server may determine that the user does not log in non-locally and is not suspicious. Otherwise, the user is considered to log in non-locally, and thus the login is suspicious.
- the embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may employ an entirely hardware embodiment, an entirely software embodiment, or a form of an embodiment combining software and hardware aspects. Moreover, the present disclosure may be a form of a computer program product implemented on one or more computer available storage media (including but not limited to a disk memory, a CD-ROM, an optical memory, etc.) which comprise computer available program codes.
- These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine such that the instructions executed by a processor of a computer or other programmable data processing equipment may produce a device for realizing functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
- These computer program instructions also may be stored in a computer-readable memory that may guide a computer or other programmable data processing equipment to work in an ad hoc fashion such that the instructions stored in the computer-readable memory may produce a manufactured product including an instruction device, wherein the instruction device may realize functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
- These computer program instructions also may be loaded onto a computer or other programmable data processing equipment such that a series of operation steps may be executed on a computer or other programmable equipment to produce processing realized by a computer, thereby the instructions executed on a computer or other programmable equipment may provide steps for realizing functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
Abstract
The present disclosure provides techniques to identify suspicious user logins. These techniques may include acquiring, by a computing device, a routing path associated with a user login based on login information. The computing device may extract current routing characteristic information from the routing path, and identify whether the current user login is suspicious based on the current routing characteristic information. These techniques reduce the influence of IP address changes on user identification as well as errors associated with user identification, and identify geographic positions more accurately.
Description
- This application claims priority to Chinese Patent Application No. 201210258816.5, filed on Jul. 24, 2012, entitled “Method and Apparatus of Identifying User Risk,” which is hereby incorporated by reference in its entirety.
- The present disclosure relates to online security and, more specifically, to identifying risk associate with user identities.
- Online identity theft has become a serious problem for the Internet services. Online identity theft causes not only monetary losses to users but also harmful consequences to users (e.g., illegal conduct by a third party). Accordingly, service providers desire to find an efficient way to identify a user account at risk (i.e., suspicious user accounts) but also to allow legitimate user activities.
- In general, it's difficult for service providers to confirm the credibility of users who currently log in. To accurately identify whether a user account is suspicious, the service providers may determine whether the user account is logged in non-locally. Under traditional technologies, a service provider determines whether a login is a non-local login by selecting a geographic position corresponding to an IP address used when the user logs in.
- This techniques, however, has various defects. First, a network operator may change its own IP address pool. For example, IP address allocation among cities may lead to identify a legitimate user as an illegal user. Thus, the identification error rate is relatively high. Second, a geographic position identified by the method of the technique is relatively rough and generally only may be accurate when logins are conducted in different cities. For example, if a third party steals an identity of a user, and logs in in the same city that the user used to log in (e.g., using a proxy server), the risk may not be identified.
- Accordingly, an urgent problem needing resolution involves identifying user risk and reducing the influence of an IP address change associated with identification of the user risk. There is also a need to reduce error rates associated with the risk user identification, and identify geographic positions more accurately.
- A technical problem to be solved by embodiments of the present disclosure is to identify user risk and to reduce the influence of an IP address change associated with identification of the user risk. Embodiments of the present disclosure also reduce error rates associated with the risk user identification, and identify geographic positions more accurately.
- Embodiments of the present disclosure also relate to methods for identifying that a user login is suspicious. The methods may include acquiring, by a server, a routing path logged in by a user based on login information of the user. Based on the routing path, the server may extract current routing characteristic information from the routing path logged in by the user, and then identify whether the current login is suspicious based on the current routing characteristic information.
- In some embodiments, the login information of the user includes a user identity, information of a client terminal where the user initiates a login request and information of a server that receives the login request. The acquiring a routing path logged in by a user based on login information of the user includes sending a routing discovery message to the client terminal by the server, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the server to generate a currently logged-in routing path corresponding to the user identity.
- In some embodiments, the login information of the user includes information of a client terminal where the user initiates a login request and information of a server that receives the login request. The acquiring a routing path logged in by a user based on login information of the user includes sending a routing discovery message to the server by the client terminal, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the client terminal to generate a currently logged-in routing path corresponding to the user identity.
- In some embodiments, the extracting current routing characteristic information from the routing path logged in by the user includes extracting information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with a traffic greater than a preset threshold, and organizing the information of the key router to form current routing characteristic information.
- In some embodiments, the identifying whether the current user logs in non-locally based on the current routing characteristic information includes querying historical routing characteristic information corresponding to the user identity, and comparing whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
- In some embodiments, the login information of the user also includes a machine identity. The identifying whether the current user logs in non-locally based on the current routing characteristic information includes presetting a legal correspondence table of a machine identity and a user class, and determining whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class. In these instances, the user class is a cluster of the user identity with the same path characteristic information. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
- Embodiments of the present disclosure also relate to devices for identifying that a user is suspicious. The device may include a routing path acquisition module, a current path extraction module, and a risk judgment module. The routing path acquisition module is configured to acquire a routing path logged in by a user based on login information of the user. The current path extraction module is configured to extract current routing characteristic information from the routing path logged in by the user. The risk judgment module is configured to identify whether the current login is suspicious based on the current routing characteristic information.
- In some embodiments, the login information of the user may include a user identity, information of a client terminal where the user initiates a login request, and information of a server which receives the login request. The routing path acquisition module may include a routing discovery message sending sub-module configured to send a routing discovery message to the client terminal, a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity.
- In some embodiments, the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request. The routing path acquisition module may include a routing discovery message sending sub-module configured to send a routing discovery message to the server, a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity.
- In some embodiments, the current path extraction module may include a user login routing path extraction sub-module configured to extract information of a key router from the routing path logged in by the user. In some instances, the information of the key router is information of a router with traffic greater than a preset threshold, and a key router information formation sub-module configured to organize the information of the key router to form current routing characteristic information.
- In some embodiments, the risk judgment module may include a user identity query sub-module configured to query historical routing characteristic information corresponding to the user identity, and a routing characteristic information comparison sub-module configured to compare whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
- In some embodiments, the login information of the user may also include a machine identity. The risk judgment module may include a user identity clustering sub-module configured to preset a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information, and a user identity and machine identity judgment sub-module configured to determine whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
- Compared with conventional techniques, embodiments of the present disclosure have various advantages. Embodiments of the present disclosure acquire a routing path from a user to a server when the user logs in the server. The server also extracts routing characteristic information of a corresponding user from the routing path. A currently logged-in critical path may be obtained based on routing characteristic information of current login of a user, and the current critical path is compared with a critical path that is previously frequently logged in by a corresponding user based on server records. Thus, the server may be able to identify whether the current login of the user is a non-local login. This may be an auxiliary mechanism for user identity confirmation based on path reputation between a user machine and a login server. The mechanism allows the login server to identify whether the current login account is suspicious of theft and is capable of providing a relatively accurate risk control means. Meanwhile, embodiments of the present disclosure may obtain traffic information of a router between a user and a server, and may provide a true position of the user more carefully. Accordingly, the present disclosure may reduce influence of an IP address change on user risk identification, reduce the error rate of risk user identification, and identify geographic position more accurately.
- This Summary is not intended to identify all key features or essential features of the claimed subject matter, nor is it intended to be used alone as an aid in determining the scope of the claimed subject matter.
- The Detailed Description is described with reference to the accompanying figures. The use of the same reference numbers in different figures indicates similar or identical items.
-
FIG. 1 is a flow chart of an illustrative process for determining credibility of online identities. -
FIG. 2 is a schematic diagram of an illustrative computing architecture that enables user risk identification. - The present disclosure is further described below in detail with reference to the drawings and embodiments.
- Embodiments of this present disclosure include acquiring a routing path from a user to a server when the user logs in the server, and extract routing characteristic information of a corresponding user from the routing path. A currently logged-in critical path may be obtained based on routing characteristic information of a current login of a user, and the current critical path is compared with a critical path that is previously frequently logged in by a corresponding user in server records to identify whether the current login of the user is non-local login.
-
FIG. 1 is a flow chart of an illustrative process for determining credibility of online identities. At 102, a server may acquire a routing path logged in by a user based on login information of the user. In some embodiments, the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request. In some instances, a message may be transferred from a client terminal to a server via a multistage router, and a message channel connected by various stages of routers may form a routing path logged in by a user. - In some embodiments, the server may acquire the routing path by sending a routing discovery message to the client terminal by the server, receiving routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the server to form a routing path that is currently logged in by the user.
- In some embodiments, a path collection application program may be deployed at a server. When a login request that is submitted from a client terminal by a user is received, the path collection application program may be initiated and connected to a network to send an Internet Control Message Protocol (ICMP) routing discovery message to the client terminal. A router receiving the message may provide feedback routing node information hop-by-hop. The routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
- In some embodiments, the server may acquire the routing path by sending a routing discovery message to the server by the client terminal, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the client terminal to form a routing path that is currently logged in by the user.
- In some embodiments, a path collection application program may be deployed at a client terminal; when a user submits a login request, the path collection application program is initiated and connected to a network to send an ICMP routing discovery message to the server. A router receiving the message may provide feedback routing node information hop-by-hop. The routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
- At 104, the server may extract routing characteristic information from the routing path logged in by the user. The server may extract the routing characteristic information by extracting information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with traffic greater than a preset threshold, and organizing the information of the key router to form routing characteristic information.
- At 106, the server may identify whether the current login is suspicious based on the routing characteristic information. In some embodiments, the server may identify by querying historical routing characteristic information corresponding to the user identity, and comparing whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
- In some embodiments, the routing characteristic information of current login of a user may be compared with preceding historical routing characteristic information of a corresponding user to view whether a critical path therein is consistent with a critical path in trusted routing characteristic information that is frequently used by the user. If there is a critical path, the server may determine that no non-local login occurs and the login is not at risk. But if there is no critical path, the server may determine that non-local login occurs and the login is suspicious.
- The trusted routing characteristic information may be generated by various ways. For example, the trusted routing characteristic information may include a routing path used when an account is registered, and a routing path certified by strong identity authentication. In these instances, the strong identity authentication may include answering of an authentication question, confirmation of a client via telephone communication, and so on.
- There may be more than one routing path frequently used by a user. For example, the user may access the Internet at an office, at home, via a mobile phone, and etc. Accordingly, there may be multiple critical paths in the trusted routing characteristic information to ensure more reliable and user friendly.
- In some embodiments, the login information of the user also may include a machine identity. In these instances, the server may identify whether the current login is suspicious based on the routing characteristic information by presetting a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information. Then, the server may determine whether the user identity and the machine identity are present in the correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
- In some embodiments, a legal correspondence table of a machine identity and a user class (e.g., a group of the user identity with the same routing characteristic information) may be set at a server. When a login request of a user is received, identity of a login client terminal and/or identity of a login server (machine identity) and user identity of current login may be compared with the legal correspondence table of the machine identity and the user class. If the corresponding relationship between the machine identity and the user identity of the current login is present in the legal correspondence table, the server may determine that the user does not log in non-locally and therefore the login is not at risk. Otherwise, the server may determine that the user logs is non-locally and therefore is suspicious.
- The process to build a network router is sometime complicated and also has relatively expensive. A common network operator may not easily change a critical routing path. Under conventional technologies, a network operator changes its own IP address pool, and especially IP address allocation among cities. Compared with the conventional technologies, the technologies in the present disclosure for determining whether an account is logged in non-locally based on a critical routing path may more accurately determine that a login is suspicious.
- In addition, under the conventional technologies, a determination of an account login address via a user identity may be inaccurate among cities. For example, a third party using a stolen account may use a network proxy server in the same city that the legitimate user used to log in. In this instance, the conventional technologies may not detect that the account is logged in non-locally. But an auxiliary mechanism described in this disclosure confirms user identities based on path reputation between a user machine and a login server. This allows the login server to effectively identify whether the current login account is at risk (e.g., stolen), and therefore provides more accurate risk control.
- In order to facilitate those skilled in the art to better understand the present disclosure, the present disclosure is further described using some embodiments below. In some embodiment, a user with a user identity (e.g., 2012) may send a login request to a server of a website A via a client terminal of the website A. The server of the website A may complete login of the user in response to the request and generate login information of the user based on Cookies returned by the client terminal of the website A.
- The server of the website A may initiate a path collection application program to send an ICMP routing discovery message to a login server. The path collection application program may directly return hop-by-hop router information passed by the discovery message to the server after receiving the information. The hop-by-hop router information may be analyzed, and the user identity 2012 may be marked to acquire a routing path logged in by the user and to return the routing path to the server.
- The server of the website A may analyze routing information of each routing node in the routing path logged in by the user to extract a router with a traffic reaching a traffic preset value as a key router. A critical path may be generated based on the key router and marked with the user identity 2012 to generate path characteristic information of current login of the user. Historical routing characteristic information of last login of 2012 may be extracted from records of the server of the website A, and comparison may be made whether a key router of the historical routing characteristic information is the same as that of the path characteristic information of the current login.
- If multiple key routers are found to be different in the historical routing characteristic information and the path characteristic information of the current login of the user 2012, the server may determine that a corresponding account of the user 2012 is at the risk of non-local login.
- It should be noted that, for simplicity, some embodiments are expressed as a combination of a series of actions, but those skilled in the art should know that the present disclosure is not limited by the described action sequence. Some steps may be performed in other sequences or simultaneously based on the present disclosure.
-
FIG. 2 is a schematic diagram of an illustrative computing architecture that enables user risk identification. Thecomputing device 200 may be a user device or a server for a multiple location login control. In one exemplary configuration, thecomputing device 200 may include one ormore processors 202, input/output interfaces 204,network interface 206, andmemory 208. - The
memory 208 may include computer-readable media in the form of volatile memory, such as random-access memory (RAM) and/or non-volatile memory, such as read only memory (ROM) or flash RAM. Thememory 208 is an example of computer-readable media. - Computer-readable media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random-access memory (SRAM), dynamic random-access memory (DRAM), other types of random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that may be used to store information for access by a computing device. As defined herein, computer-readable media does not include transitory media such as modulated data signals and carrier waves.
- Turning to the
memory 208 in more detail, thememory 208 may include a routingpath acquisition module 210 configured to acquire a routing path logged in by a user based on login information of the user, a currentpath extraction module 212 configured to extract current routing characteristic information from the routing path logged in by the user, and arisk judgment module 214 configured to identify whether the current login is suspicious based on the current routing characteristic information. - In some embodiments, the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request. In some embodiments, information may be transferred from a client terminal to a server via a multistage router, and a message channel connected by various stages of routers may form a routing path logged in by a user.
- In some embodiments, the routing
path acquisition module 210 may include a routing discovery message sending sub-module at the server configured to send a routing discovery message to the client terminal, and a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity. These sub-modules may be located on the server. - In some embodiments, a path collection application program may be deployed at a server. When a login request that is submitted from a client terminal by a user is received, the path collection application program may be initiated and connected to a network to send an ICMP routing discovery message to the client terminal. A router receiving the message may provide feedback routing node information hop-by-hop. The routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
- In some embodiments, the routing
path acquisition module 210 may include a routing discovery message sending sub-module configured to send a routing discovery message to the server. The routingpath acquisition module 210 may also include a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity. These sub-modules may be located in the client terminal. - In some embodiments, a path collection application program may be deployed at a client terminal; when a user submits a login request. The path collection application program may be initiated and connected to a network to send an ICMP routing discovery message to the server. A router receiving the message may provide feedback routing node information hop-by-hop. The routing path that may be currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
- In some embodiments, the current
path extraction module 212 may include a user login routing path extraction sub-module configured to extract information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with a traffic greater than a preset threshold, a key router information formation sub-module configured to organize the information of the key router to form current routing characteristic information, and a risk judgment module configured to identify whether the current login is suspicious based on the current routing characteristic information. - In some embodiments, the
risk judgment module 214 may include a user identity query sub-module configured to query historical routing characteristic information corresponding to the user identity, and a routing characteristic information comparison module configured to compare whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the user login is suspicious. - In some embodiments, routing characteristic information of current login of a user may be compared with preceding historical routing characteristic information of a corresponding user to view whether a critical path therein is consistent with a critical path in a trusted routing characteristic information that is frequently used by the user. If a critical path therein is consistent with a critical path in a trusted routing characteristic information that is frequently used by the user, the server may determine that no non-local login occurs and the user is not at risk. Otherwise, the server may determine that non-local login occurs, and therefore the user login is suspicious.
- The trusted routing characteristic information may be generated by various ways. In some embodiments, a routing path may be used when an account is registered, and a routing path may be certified by identity authentication. In these instances, the strong identity authentication may include answering of an authentication question, confirmation of a client via telephone communication, and so on.
- There may be more than one routing path frequently used by a user (e.g., an office, home, mobile phone, and etc). Thus, there also may be multiple critical paths in the trusted routing characteristic information to ensure more reliable and humane judged results.
- In some embodiments, the login information of the user may also include a machine identity; and the
risk judgment module 214 may include a user identity clustering sub-module configured to preset a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information, and a user identity and machine identity judgment sub-module configured to determine whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the user login is suspicious. - In some embodiments, an authorized correspondence table of a machine identity and a user class (e.g., a cluster of the user identity with the same routing characteristic information) may be set at a server. When a login request of a user is received, identity of a login client terminal and/or identity of a login server (e.g., machine identity) and a user identity of a current login may be compared with the authorized correspondence table of the machine identity and the user class. If the corresponding relation between the machine identity and the user identity of the current login is present in the legal correspondence table of the machine identity and the user class, the server may determine that the user does not log in non-locally and is not suspicious. Otherwise, the user is considered to log in non-locally, and thus the login is suspicious.
- Reference may be made to relevant descriptions of the above-described embodiments; details are not repeated herein. Those skilled in the art should understand that the embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may employ an entirely hardware embodiment, an entirely software embodiment, or a form of an embodiment combining software and hardware aspects. Moreover, the present disclosure may be a form of a computer program product implemented on one or more computer available storage media (including but not limited to a disk memory, a CD-ROM, an optical memory, etc.) which comprise computer available program codes.
- The present disclosure is described with reference to a flow chart and/or a block diagram of a method, an apparatus (system) and a computer program product based on an embodiment of the present disclosure. It should be understood that each process and/or box in a flow chart and/or a block diagram and a combination of processes and/or boxes in a flow chart and/or a block diagram may be realized by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine such that the instructions executed by a processor of a computer or other programmable data processing equipment may produce a device for realizing functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
- These computer program instructions also may be stored in a computer-readable memory that may guide a computer or other programmable data processing equipment to work in an ad hoc fashion such that the instructions stored in the computer-readable memory may produce a manufactured product including an instruction device, wherein the instruction device may realize functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
- These computer program instructions also may be loaded onto a computer or other programmable data processing equipment such that a series of operation steps may be executed on a computer or other programmable equipment to produce processing realized by a computer, thereby the instructions executed on a computer or other programmable equipment may provide steps for realizing functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
- Although the embodiments of the present disclosure have been described, once those skilled in the art know the basic creative concept, additional variations and modifications may be made to these embodiments. Accordingly, the appended claims are intended to be construed as including the embodiments as well as all variations and modifications that fall within the scope of the present disclosure.
- A detailed introduction has been made above to methods and devices for identifying risk of a user login as provided by the present disclosure. Examples are applied herein to explain the principles and embodiments of the present disclosure, and the description of the above embodiments is only used for the purpose of assisting in understanding the method of the present disclosure and its core ideas; meanwhile, those of ordinary skill in the art may make changes in terms of particular embodiments and application scopes based on the ideas of the present disclosure. In summary, the contents of the specification shall not be interpreted as limiting the present disclosure.
- The embodiments are merely for illustrating the present disclosure and are not intended to limit the scope of the present disclosure. It should be understood for persons in the technical field that certain modifications and improvements may be made and should be considered under the protection of the present disclosure without departing from the principles of the present disclosure.
Claims (20)
1. A method comprising:
receiving, by a server, login information of a user;
acquiring a routing path based on the login information of the user;
extracting routing characteristic information from the routing path; and
determining a risk associated with the user based on the routing characteristic information.
2. The method of claim 1 , wherein the login information of the user includes a user identity, information of a client terminal on which the user initiates a login request, and information of the server.
3. The method of claim 2 , wherein the acquiring the routing path based on the login information of the user comprises:
sending, by the server, a routing discovery message to the client terminal;
determining routing node information using hop-by-hop routing corresponding to the routing discovery message; and
generating the routing path based on the routing node information.
4. The method of claim 3 , wherein the acquiring the routing path based on the login information of the user comprises:
receiving, by the server, the routing discovery message from a client terminal;
determining routing node information using hop-by-hop routing corresponding to the routing discovery message; and
generating the routing path based on the routing node information.
5. The method of claim 1 , wherein the extracting routing characteristic information from the routing path comprises:
extracting information of a key router from the routing path; and
generating the routing characteristic information based on the information of the key router.
6. The method of claim 5 , wherein the information of the key router includes information of a router having an amount of traffic greater than a preset threshold.
7. The method of claim 1 , wherein the determining the risk associated with the user based on the routing characteristic information comprises:
retrieving historical routing characteristic information corresponding to the user; and
determining the risk by comparing the historical routing characteristic information with the routing characteristic information.
8. The method of claim 1 , wherein the login information of the user includes a machine identity, and the determining the degree of risk associated with the user based on the routing characteristic information comprises:
presetting one or more correspondences between a machine identity and a user class that includes multiple users each having the path characteristic information; and
determining the risk associated with the user based on the one or more correspondences.
9. A system comprising:
one or more processors; and
memory to maintain a plurality of components executable by the one or more processors, the plurality of components comprising:
a routing path acquisition module configured to:
receive login information of a user, and
acquire a routing path based on the login information of the user,
a current path extraction module configured to extract routing characteristic information from the routing path, and
a risk judgment module configured to determining a risk associated with the user based on the routing characteristic information.
10. The system of claim 9 , wherein the login information of the user includes a user identity, information of a client terminal on which the user initiates a login request, and information of a server associated with the system, and the acquiring the routing path based on the login information of the user comprises:
sending a routing discovery message to the client terminal;
determining routing node information using hop-by-hop routing corresponding to the routing discovery message; and
generating the routing path based on the routing node information.
11. The system of claim 10 , wherein the acquiring the routing path based on the login information of the user comprises:
receiving the routing discovery message from a client terminal;
determining routing node information using hop-by-hop routing corresponding to the routing discovery message; and
generating the routing path based on the routing node information.
12. The system of claim 9 , wherein the extracting routing characteristic information from the routing path comprises:
extracting information of a key router from the routing path; and
generating the routing characteristic information based on the information of the key router.
13. The system of claim 12 , wherein the information of the key router includes information of a router having an amount of traffic greater than a preset threshold.
14. The system of claim 9 , wherein the determining the risk associated with the user based on the routing characteristic information comprises:
retrieving historical routing characteristic information corresponding to the user; and
determining the risk by comparing the historical routing characteristic information with the routing characteristic information.
15. The system of claim 9 , wherein the login information of the user includes a machine identity, and the determining the degree of risk associated with the user based on the routing characteristic information comprises:
presetting one or more correspondences between a machine identity and a user class that includes multiple users each having the path characteristic information; and
determining the risk associated with the user based on the one or more correspondences.
16. One or more computer-readable media storing computer-executable instructions that, when executed by one or more processors, instruct the one or more processors to perform acts comprising:
receiving login information of a user;
acquiring a routing path based on the login information of the user;
extracting routing characteristic information from the routing path; and
determining a risk associated with the user based on the routing characteristic information.
17. The one or more computer-readable media of claim 16 , wherein the login information of the user includes a user identity, information of a client terminal on which the user initiates a login request, and information of a server, and the acquiring the routing path based on the login information of the user comprises:
sending, by the server, a routing discovery message to the client terminal;
determining routing node information using hop-by-hop routing corresponding to the routing discovery message; and
generating the routing path based on the routing node information.
18. The one or more computer-readable media of claim 17 , wherein the routing discovery message is an Internet Control Message Protocol (ICMP) discovery message.
19. The one or more computer-readable media of claim 18 , wherein the routing node information is associated with one or more nodes, and traffic of an individual node of the one or more nodes is greater than a predetermined value.
20. The one or more computer-readable media of claim 16 , wherein the determining the degree of risk comprising determining the degree of risk by comparing the routing node information and particular routing node information that is recorded within a predetermined time period.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/084,379 US9781134B2 (en) | 2012-07-24 | 2016-03-29 | Method and apparatus of identifying user risk |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210258816.5 | 2012-07-24 | ||
CN201210258816.5A CN103581120B (en) | 2012-07-24 | 2012-07-24 | A kind of method and apparatus for identifying consumer's risk |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/084,379 Continuation US9781134B2 (en) | 2012-07-24 | 2016-03-29 | Method and apparatus of identifying user risk |
Publications (1)
Publication Number | Publication Date |
---|---|
US20140033306A1 true US20140033306A1 (en) | 2014-01-30 |
Family
ID=48953442
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/948,838 Abandoned US20140033306A1 (en) | 2012-07-24 | 2013-07-23 | Method and Apparatus of Identifying User Risk |
US15/084,379 Active US9781134B2 (en) | 2012-07-24 | 2016-03-29 | Method and apparatus of identifying user risk |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/084,379 Active US9781134B2 (en) | 2012-07-24 | 2016-03-29 | Method and apparatus of identifying user risk |
Country Status (6)
Country | Link |
---|---|
US (2) | US20140033306A1 (en) |
JP (1) | JP6215935B2 (en) |
KR (1) | KR102124665B1 (en) |
CN (1) | CN103581120B (en) |
TW (1) | TWI584148B (en) |
WO (1) | WO2014018527A1 (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105991600A (en) * | 2015-02-25 | 2016-10-05 | 阿里巴巴集团控股有限公司 | Identity authentication and apparatus, server and terminal |
US9781134B2 (en) | 2012-07-24 | 2017-10-03 | Alibaba Group Holding Limited | Method and apparatus of identifying user risk |
CN109859030A (en) * | 2019-01-16 | 2019-06-07 | 深圳壹账通智能科技有限公司 | Methods of risk assessment, device, storage medium and server based on user behavior |
TWI691957B (en) * | 2015-06-26 | 2020-04-21 | 美商英特爾股份有限公司 | Memory apparatus having magnetic storage cells and computing system |
CN111784375A (en) * | 2019-04-04 | 2020-10-16 | 北京嘀嘀无限科技发展有限公司 | User type identification method and device, electronic equipment and storage medium |
CN112738030A (en) * | 2020-12-16 | 2021-04-30 | 重庆扬成大数据科技有限公司 | Data acquisition and sharing working method for agricultural technicians through big data analysis |
CN116594870A (en) * | 2023-04-26 | 2023-08-15 | 南通大学 | Error positioning method based on suspicious sentence variation |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104902033B (en) * | 2014-03-05 | 2019-08-13 | 腾讯科技(深圳)有限公司 | Log in address recording method and device |
CN105306425B (en) * | 2014-07-15 | 2020-01-10 | 腾讯科技(深圳)有限公司 | Method and device for authenticating account number attribution |
CN105991609B (en) * | 2015-03-02 | 2019-08-23 | 阿里巴巴集团控股有限公司 | A kind of risk case determines method and device |
CN106295351B (en) * | 2015-06-24 | 2019-03-19 | 阿里巴巴集团控股有限公司 | A kind of Risk Identification Method and device |
US20170116584A1 (en) * | 2015-10-21 | 2017-04-27 | Mastercard International Incorporated | Systems and Methods for Identifying Payment Accounts to Segments |
CN107239680B (en) * | 2017-05-22 | 2019-09-06 | 微梦创科网络科技(中国)有限公司 | A kind of couple of user logs in the method and device for carrying out risk assessment |
CN107222489B (en) * | 2017-06-19 | 2019-11-01 | 微梦创科网络科技(中国)有限公司 | A kind of method and device for excavating abnormal process in security information modification log |
US11012413B2 (en) * | 2018-01-17 | 2021-05-18 | Byos Inc. | Device and method for securing a network connection |
CN109302346B (en) * | 2018-10-25 | 2020-09-18 | 网宿科技股份有限公司 | Method and device for transmitting data flow |
CN109495493A (en) * | 2018-12-06 | 2019-03-19 | 安徽云探索网络科技有限公司 | A kind of network link method for building up and device based on network communication |
KR102538540B1 (en) * | 2021-08-31 | 2023-06-01 | 국방과학연구소 | Cyber attack detection method of electronic apparatus |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7051367B1 (en) * | 2001-05-14 | 2006-05-23 | Juniper Networks, Inc. | Dynamically controlling packet processing |
US20070074272A1 (en) * | 2005-09-29 | 2007-03-29 | Fujitsu Limited | Network security apparatus, network security control method and network security system |
US20120060178A1 (en) * | 2010-09-08 | 2012-03-08 | Fujitsu Limited | Continuable communication management apparatus and continuable communication managing method |
Family Cites Families (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
SE9700871L (en) * | 1997-03-11 | 1998-09-12 | Ericsson Telefon Ab L M | Registration protocol |
ATE370458T1 (en) * | 2000-11-09 | 2007-09-15 | Ibm | METHOD AND SYSTEM FOR WEB-BASED CROSS-DOMAIN AUTHORIZATION WITH A SINGLE REGISTRATION |
JP4112284B2 (en) * | 2002-05-29 | 2008-07-02 | 富士通株式会社 | Database access control method and database access control program |
DE10247139A1 (en) | 2002-10-09 | 2004-04-22 | Siemens Ag | Authentification control device for telecommunication network esp. for automatic log-on/log-off, uses control device for monitoring data traffic on external data transmission interface |
US7200658B2 (en) * | 2002-11-12 | 2007-04-03 | Movielink, Llc | Network geo-location system |
US7788722B1 (en) * | 2002-12-02 | 2010-08-31 | Arcsight, Inc. | Modular agent for network security intrusion detection system |
US8572391B2 (en) * | 2003-09-12 | 2013-10-29 | Emc Corporation | System and method for risk based authentication |
US7412718B2 (en) | 2003-11-20 | 2008-08-12 | International Business Machines Corporation | Method for bidirectional data transfer |
US20050188222A1 (en) * | 2004-02-24 | 2005-08-25 | Covelight Systems, Inc. | Methods, systems and computer program products for monitoring user login activity for a server application |
JP2006139747A (en) * | 2004-08-30 | 2006-06-01 | Kddi Corp | Communication system, and security assurance device |
US8171303B2 (en) | 2004-11-03 | 2012-05-01 | Astav, Inc. | Authenticating a login |
US20080022004A1 (en) | 2004-12-04 | 2008-01-24 | Electronics And Telecommunications Research Institute | Method And System For Providing Resources By Using Virtual Path |
US8590007B2 (en) * | 2005-08-25 | 2013-11-19 | Guy Heffez | Method and system for authenticating internet user identity |
CN101375546B (en) * | 2005-04-29 | 2012-09-26 | 甲骨文国际公司 | System and method for fraud monitoring, detection, and tiered user authentication |
US8739278B2 (en) * | 2006-04-28 | 2014-05-27 | Oracle International Corporation | Techniques for fraud monitoring and detection using application fingerprinting |
US8364120B2 (en) * | 2006-08-02 | 2013-01-29 | Motorola Mobility Llc | Identity verification using location over time information |
US8341702B2 (en) | 2007-11-01 | 2012-12-25 | Bridgewater Systems Corp. | Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol |
US8315951B2 (en) | 2007-11-01 | 2012-11-20 | Alcatel Lucent | Identity verification for secure e-commerce transactions |
US20090307744A1 (en) | 2008-06-09 | 2009-12-10 | Microsoft Corporation | Automating trust establishment and trust management for identity federation |
CN101355504B (en) * | 2008-08-14 | 2012-08-08 | 成都市华为赛门铁克科技有限公司 | Method and apparatus for confirming user behavior |
GB2464552B (en) | 2008-10-22 | 2012-11-21 | Skype | Authentication system and method for authenticating a user terminal with an access node providing restricted access to a communication network |
CN101404614B (en) * | 2008-11-05 | 2011-01-26 | 中国移动通信集团江苏有限公司 | Routing oscillation detection method |
EP2359290B8 (en) | 2008-11-10 | 2017-08-09 | CensorNet A/S | Method and system protecting against identity theft or replication abuse |
US8751794B2 (en) | 2011-12-28 | 2014-06-10 | Pitney Bowes Inc. | System and method for secure nework login |
CN103581120B (en) | 2012-07-24 | 2018-04-20 | 阿里巴巴集团控股有限公司 | A kind of method and apparatus for identifying consumer's risk |
-
2012
- 2012-07-24 CN CN201210258816.5A patent/CN103581120B/en active Active
- 2012-12-12 TW TW101146906A patent/TWI584148B/en active
-
2013
- 2013-07-23 US US13/948,838 patent/US20140033306A1/en not_active Abandoned
- 2013-07-23 JP JP2015524389A patent/JP6215935B2/en active Active
- 2013-07-23 WO PCT/US2013/051673 patent/WO2014018527A1/en active Application Filing
- 2013-07-23 KR KR1020157001699A patent/KR102124665B1/en active IP Right Grant
-
2016
- 2016-03-29 US US15/084,379 patent/US9781134B2/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7051367B1 (en) * | 2001-05-14 | 2006-05-23 | Juniper Networks, Inc. | Dynamically controlling packet processing |
US20070074272A1 (en) * | 2005-09-29 | 2007-03-29 | Fujitsu Limited | Network security apparatus, network security control method and network security system |
US20120060178A1 (en) * | 2010-09-08 | 2012-03-08 | Fujitsu Limited | Continuable communication management apparatus and continuable communication managing method |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9781134B2 (en) | 2012-07-24 | 2017-10-03 | Alibaba Group Holding Limited | Method and apparatus of identifying user risk |
CN105991600A (en) * | 2015-02-25 | 2016-10-05 | 阿里巴巴集团控股有限公司 | Identity authentication and apparatus, server and terminal |
EP3262552A4 (en) * | 2015-02-25 | 2018-03-21 | Alibaba Group Holding Limited | Methods, apparatus, and systems for identity authentication |
US10237272B2 (en) | 2015-02-25 | 2019-03-19 | Alibaba Group Holding Limited | Methods, apparatus, and systems for identity authentication |
US10757102B2 (en) * | 2015-02-25 | 2020-08-25 | Alibaba Group Holding Limited | Methods, apparatus, and systems for identity authentication |
TWI691957B (en) * | 2015-06-26 | 2020-04-21 | 美商英特爾股份有限公司 | Memory apparatus having magnetic storage cells and computing system |
CN109859030A (en) * | 2019-01-16 | 2019-06-07 | 深圳壹账通智能科技有限公司 | Methods of risk assessment, device, storage medium and server based on user behavior |
CN111784375A (en) * | 2019-04-04 | 2020-10-16 | 北京嘀嘀无限科技发展有限公司 | User type identification method and device, electronic equipment and storage medium |
CN112738030A (en) * | 2020-12-16 | 2021-04-30 | 重庆扬成大数据科技有限公司 | Data acquisition and sharing working method for agricultural technicians through big data analysis |
CN116594870A (en) * | 2023-04-26 | 2023-08-15 | 南通大学 | Error positioning method based on suspicious sentence variation |
Also Published As
Publication number | Publication date |
---|---|
CN103581120A (en) | 2014-02-12 |
KR20150036153A (en) | 2015-04-07 |
US20160212152A1 (en) | 2016-07-21 |
TWI584148B (en) | 2017-05-21 |
JP2015530783A (en) | 2015-10-15 |
TW201405354A (en) | 2014-02-01 |
CN103581120B (en) | 2018-04-20 |
US9781134B2 (en) | 2017-10-03 |
JP6215935B2 (en) | 2017-10-18 |
WO2014018527A1 (en) | 2014-01-30 |
KR102124665B1 (en) | 2020-06-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9781134B2 (en) | Method and apparatus of identifying user risk | |
US20190354964A1 (en) | Private Blockchain Services | |
EP3319293B1 (en) | Cross-terminal login-free method and device | |
EP3092749B1 (en) | Method and apparatus of identifying proxy ip address | |
EP3164793B1 (en) | Dual channel identity authentication | |
CN105141594B (en) | Password retrieving method and device | |
US20210342438A1 (en) | Platform for generation of passwords and/or email addresses | |
JP2017534964A (en) | Password protection question setting method and apparatus | |
US20150065089A1 (en) | Network application function authorisation in a generic bootstrapping architecture | |
CN112733001B (en) | Method and device for acquiring subscription information and electronic equipment | |
CN109561172B (en) | DNS transparent proxy method, device, equipment and storage medium | |
US20160189160A1 (en) | System and method for deanonymization of digital currency users | |
CN108696509B (en) | Access processing method and device for terminal | |
CN106921628B (en) | Method and device for identifying network access source based on network address | |
US20220103680A1 (en) | System and method for classifying and handling voice over ip traffic | |
US20220231837A1 (en) | Intelligent and secure packet captures for cloud solutions | |
CN104639321B (en) | A kind of identity identifying method, equipment and system | |
CN108768987B (en) | Data interaction method, device and system | |
CN111224918A (en) | Real-time networking security control platform and access authentication method | |
CN111404940B (en) | Data packet identification method and device, electronic equipment and storage medium | |
CN115189901B (en) | Method and device for identifying abnormal request, server and storage medium | |
CN113300867B (en) | CDN system, information processing method and device, and CDN node | |
CN114422140A (en) | Message time verification method, device, equipment and medium | |
GB2596306A (en) | Gateway server and method and DNS server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: ALIBABA GROUP HOLDING LIMITED, CAYMAN ISLANDS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HUANG, MIAN;REEL/FRAME:031259/0504 Effective date: 20130723 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |