US20140033306A1 - Method and Apparatus of Identifying User Risk - Google Patents

Method and Apparatus of Identifying User Risk

Info

Publication number
US20140033306A1
Authority
US
United States
Prior art keywords
routing
user
information
login
characteristic information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US13/948,838
Inventor
Mian Huang
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Assigned to ALIBABA GROUP HOLDING LIMITED. Assignment of assignors interest (see document for details). Assignors: HUANG, Mian
Publication of US20140033306A1
Priority to US15/084,379 (US9781134B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/26 Route discovery packet
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/52 Network services specially adapted for the location of the user terminal

Definitions

  • the present disclosure relates to online security and, more specifically, to identifying risk associated with user identities.
  • Online identity theft has become a serious problem for Internet services. It causes not only monetary losses to users but also other harmful consequences (e.g., illegal conduct by a third party). Accordingly, service providers want an efficient way to identify user accounts at risk (i.e., suspicious user accounts) while still allowing legitimate user activities.
  • a service provider determines whether a login is a non-local login by selecting a geographic position corresponding to an IP address used when the user logs in.
  • a network operator may change its own IP address pool. For example, a change in IP address allocation among cities may lead to a legitimate user being identified as an illegal user. Thus, the identification error rate is relatively high.
  • the geographic position identified by this technique is relatively rough and generally is accurate only when logins are conducted in different cities. For example, if a third party steals a user's identity and logs in from the same city in which the user usually logs in (e.g., using a proxy server), the risk may not be identified.
  • an urgent problem needing resolution involves identifying user risk and reducing the influence of an IP address change associated with identification of the user risk.
  • a technical problem to be solved by embodiments of the present disclosure is to identify user risk and to reduce the influence of an IP address change associated with identification of the user risk.
  • Embodiments of the present disclosure also reduce error rates associated with identifying at-risk users, and identify geographic positions more accurately.
  • Embodiments of the present disclosure also relate to methods for identifying that a user login is suspicious.
  • the methods may include acquiring, by a server, a routing path logged in by a user based on login information of the user. Based on the routing path, the server may extract current routing characteristic information from the routing path logged in by the user, and then identify whether the current login is suspicious based on the current routing characteristic information.
  • the login information of the user includes a user identity, information of a client terminal where the user initiates a login request and information of a server that receives the login request.
  • the acquiring a routing path logged in by a user based on login information of the user includes sending a routing discovery message to the client terminal by the server, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the server to generate a currently logged-in routing path corresponding to the user identity.
  • the login information of the user includes information of a client terminal where the user initiates a login request and information of a server that receives the login request.
  • the acquiring a routing path logged in by a user based on login information of the user includes sending a routing discovery message to the server by the client terminal, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the client terminal to generate a currently logged-in routing path corresponding to the user identity.
  • the extracting current routing characteristic information from the routing path logged in by the user includes extracting information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with a traffic greater than a preset threshold, and organizing the information of the key router to form current routing characteristic information.
  • the identifying whether the current user logs in non-locally based on the current routing characteristic information includes querying historical routing characteristic information corresponding to the user identity, and comparing whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
  • the login information of the user also includes a machine identity.
  • the identifying whether the current user logs in non-locally based on the current routing characteristic information includes presetting a legal correspondence table of a machine identity and a user class, and determining whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class.
  • the user class is a cluster of the user identity with the same path characteristic information. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
  • Embodiments of the present disclosure also relate to devices for identifying that a user is suspicious.
  • the device may include a routing path acquisition module, a current path extraction module, and a risk judgment module.
  • the routing path acquisition module is configured to acquire a routing path logged in by a user based on login information of the user.
  • the current path extraction module is configured to extract current routing characteristic information from the routing path logged in by the user.
  • the risk judgment module is configured to identify whether the current login is suspicious based on the current routing characteristic information.
  • the login information of the user may include a user identity, information of a client terminal where the user initiates a login request, and information of a server which receives the login request.
  • the routing path acquisition module may include a routing discovery message sending sub-module configured to send a routing discovery message to the client terminal, a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity.
  • the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request.
  • the routing path acquisition module may include a routing discovery message sending sub-module configured to send a routing discovery message to the server, a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity.
  • the current path extraction module may include a user login routing path extraction sub-module configured to extract information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with traffic greater than a preset threshold, and a key router information formation sub-module configured to organize the information of the key router to form current routing characteristic information.
  • the risk judgment module may include a user identity query sub-module configured to query historical routing characteristic information corresponding to the user identity, and a routing characteristic information comparison sub-module configured to compare whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
  • the login information of the user may also include a machine identity.
  • the risk judgment module may include a user identity clustering sub-module configured to preset a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information, and a user identity and machine identity judgment sub-module configured to determine whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
  • Embodiments of the present disclosure acquire a routing path from a user to a server when the user logs in to the server.
  • the server also extracts routing characteristic information of a corresponding user from the routing path.
  • a currently logged-in critical path may be obtained based on routing characteristic information of current login of a user, and the current critical path is compared with a critical path that is previously frequently logged in by a corresponding user based on server records.
  • the server may be able to identify whether the current login of the user is a non-local login. This may be an auxiliary mechanism for user identity confirmation based on path reputation between a user machine and a login server.
  • the mechanism allows the login server to identify whether the current login account is suspected of being stolen and is capable of providing a relatively accurate risk control means.
  • embodiments of the present disclosure may obtain traffic information of a router between a user and a server, and may determine the true position of the user more accurately. Accordingly, the present disclosure may reduce the influence of an IP address change on user risk identification, reduce the error rate of identifying at-risk users, and identify geographic position more accurately.
  • FIG. 1 is a flow chart of an illustrative process for determining credibility of online identities.
  • FIG. 2 is a schematic diagram of an illustrative computing architecture that enables user risk identification.
  • Embodiments of the present disclosure include acquiring a routing path from a user to a server when the user logs in to the server, and extracting routing characteristic information of a corresponding user from the routing path.
  • a currently logged-in critical path may be obtained based on routing characteristic information of a current login of a user, and the current critical path is compared with a critical path that is previously frequently logged in by a corresponding user in server records to identify whether the current login of the user is a non-local login.
  • FIG. 1 is a flow chart of an illustrative process for determining credibility of online identities.
  • a server may acquire a routing path logged in by a user based on login information of the user.
  • the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request.
  • a message may be transferred from a client terminal to a server via a multistage router, and a message channel connected by various stages of routers may form a routing path logged in by a user.
  • the server may acquire the routing path by sending a routing discovery message to the client terminal by the server, receiving routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the server to form a routing path that is currently logged in by the user.
  • a path collection application program may be deployed at a server.
  • the path collection application program may be initiated and connected to a network to send an Internet Control Message Protocol (ICMP) routing discovery message to the client terminal.
  • a router receiving the message may feed back routing node information hop-by-hop.
  • the routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
  • the server may acquire the routing path by sending a routing discovery message to the server by the client terminal, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the client terminal to form a routing path that is currently logged in by the user.
  • a path collection application program may be deployed at a client terminal; when a user submits a login request, the path collection application program is initiated and connected to a network to send an ICMP routing discovery message to the server.
  • a router receiving the message may feed back routing node information hop-by-hop.
  • the routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
  • the server may extract routing characteristic information from the routing path logged in by the user.
  • the server may extract the routing characteristic information by extracting information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with traffic greater than a preset threshold, and organizing the information of the key router to form routing characteristic information.
  • the server may identify whether the current login is suspicious based on the routing characteristic information. In some embodiments, the server may identify by querying historical routing characteristic information corresponding to the user identity, and comparing whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
  • the routing characteristic information of the current login of a user may be compared with preceding historical routing characteristic information of a corresponding user to view whether a critical path therein is consistent with a critical path in trusted routing characteristic information that is frequently used by the user. If there is a consistent critical path, the server may determine that no non-local login occurs and the login is not at risk. But if there is no consistent critical path, the server may determine that non-local login occurs and the login is suspicious.
  • the trusted routing characteristic information may be generated in various ways.
  • the trusted routing characteristic information may include a routing path used when an account is registered, and a routing path certified by strong identity authentication.
  • the strong identity authentication may include answering of an authentication question, confirmation of a client via telephone communication, and so on.
  • there may be more than one routing path frequently used by a user.
  • the user may access the Internet at an office, at home, via a mobile phone, etc. Accordingly, there may be multiple critical paths in the trusted routing characteristic information to make the identification more reliable and user friendly.
  • the login information of the user also may include a machine identity.
  • the server may identify whether the current login is suspicious based on the routing characteristic information by presetting a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information. Then, the server may determine whether the user identity and the machine identity are present in the correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
  • a legal correspondence table of a machine identity and a user class may be set at a server.
  • identity of a login client terminal and/or identity of a login server (machine identity) and user identity of current login may be compared with the legal correspondence table of the machine identity and the user class. If the corresponding relationship between the machine identity and the user identity of the current login is present in the legal correspondence table, the server may determine that the user does not log in non-locally and therefore the login is not at risk. Otherwise, the server may determine that the user logs in non-locally and therefore the login is suspicious.
  • the process of building a network router is sometimes complicated and also relatively expensive.
  • a common network operator may not easily change a critical routing path.
  • a network operator changes its own IP address pool, and especially IP address allocation among cities.
  • the technologies in the present disclosure for determining whether an account is logged in non-locally based on a critical routing path may more accurately determine that a login is suspicious.
  • a determination of an account login address via a user identity may be inaccurate among cities.
  • a third party using a stolen account may use a network proxy server in the same city that the legitimate user used to log in.
  • the conventional technologies may not detect that the account is logged in non-locally.
  • an auxiliary mechanism described in this disclosure confirms user identities based on path reputation between a user machine and a login server. This allows the login server to effectively identify whether the current login account is at risk (e.g., stolen), and therefore provides more accurate risk control.
  • a user with a user identity may send a login request to a server of a website A via a client terminal of the website A.
  • the server of the website A may complete login of the user in response to the request and generate login information of the user based on Cookies returned by the client terminal of the website A.
  • the server of the website A may initiate a path collection application program to send an ICMP routing discovery message to a login server.
  • the path collection application program may directly return hop-by-hop router information passed by the discovery message to the server after receiving the information.
  • the hop-by-hop router information may be analyzed, and the user identity 2012 may be marked to acquire a routing path logged in by the user and to return the routing path to the server.
  • the server of the website A may analyze routing information of each routing node in the routing path logged in by the user to extract a router whose traffic reaches a preset traffic value as a key router.
  • a critical path may be generated based on the key router and marked with the user identity 2012 to generate path characteristic information of current login of the user.
  • Historical routing characteristic information of the last login of the user 2012 may be extracted from records of the server of the website A, and a comparison may be made as to whether a key router of the historical routing characteristic information is the same as that of the path characteristic information of the current login.
  • if the key routers are not the same, the server may determine that a corresponding account of the user 2012 is at risk of non-local login.
  • FIG. 2 is a schematic diagram of an illustrative computing architecture that enables user risk identification.
  • the computing device 200 may be a user device or a server for a multiple location login control.
  • the computing device 200 may include one or more processors 202 , input/output interfaces 204 , network interface 206 , and memory 208 .
  • the memory 208 may include computer-readable media in the form of volatile memory, such as random-access memory (RAM) and/or non-volatile memory, such as read only memory (ROM) or flash RAM.
  • Computer-readable media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random-access memory (SRAM), dynamic random-access memory (DRAM), other types of random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that may be used to store information for access by a computing device.
  • computer-readable media does not include transitory media such as modulated data signals and carrier waves.
  • the memory 208 may include a routing path acquisition module 210 configured to acquire a routing path logged in by a user based on login information of the user, a current path extraction module 212 configured to extract current routing characteristic information from the routing path logged in by the user, and a risk judgment module 214 configured to identify whether the current login is suspicious based on the current routing characteristic information.
  • the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request.
  • information may be transferred from a client terminal to a server via a multistage router, and a message channel connected by various stages of routers may form a routing path logged in by a user.
  • the routing path acquisition module 210 may include a routing discovery message sending sub-module at the server configured to send a routing discovery message to the client terminal, and a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity. These sub-modules may be located on the server.
  • a path collection application program may be deployed at a server.
  • the path collection application program may be initiated and connected to a network to send an ICMP routing discovery message to the client terminal.
  • a router receiving the message may feed back routing node information hop-by-hop.
  • the routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
  • the routing path acquisition module 210 may include a routing discovery message sending sub-module configured to send a routing discovery message to the server.
  • the routing path acquisition module 210 may also include a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity. These sub-modules may be located in the client terminal.
  • a path collection application program may be deployed at a client terminal; when a user submits a login request, the path collection application program may be initiated and connected to a network to send an ICMP routing discovery message to the server.
  • a router receiving the message may feed back routing node information hop-by-hop.
  • the routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
  • the current path extraction module 212 may include a user login routing path extraction sub-module configured to extract information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with a traffic greater than a preset threshold, a key router information formation sub-module configured to organize the information of the key router to form current routing characteristic information, and a risk judgment module configured to identify whether the current login is suspicious based on the current routing characteristic information.
  • the risk judgment module 214 may include a user identity query sub-module configured to query historical routing characteristic information corresponding to the user identity, and a routing characteristic information comparison module configured to compare whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the user login is suspicious.
  • routing characteristic information of the current login of a user may be compared with preceding historical routing characteristic information of a corresponding user to view whether a critical path therein is consistent with a critical path in trusted routing characteristic information that is frequently used by the user. If a critical path therein is consistent with a critical path in the trusted routing characteristic information that is frequently used by the user, the server may determine that no non-local login occurs and the user is not at risk. Otherwise, the server may determine that non-local login occurs, and therefore the user login is suspicious.
  • the trusted routing characteristic information may be generated in various ways.
  • the trusted routing characteristic information may include a routing path used when an account is registered, and a routing path certified by identity authentication.
  • the strong identity authentication may include answering of an authentication question, confirmation of a client via telephone communication, and so on.
  • there may be more than one routing path frequently used by a user (e.g., at an office, at home, via a mobile phone, etc.).
  • the login information of the user may also include a machine identity; and the risk judgment module 214 may include a user identity clustering sub-module configured to preset a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information, and a user identity and machine identity judgment sub-module configured to determine whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the user login is suspicious.
  • an authorized correspondence table of a machine identity and a user class may be set at a server.
  • identity of a login client terminal and/or identity of a login server e.g., machine identity
  • a user identity of a current login may be compared with the authorized correspondence table of the machine identity and the user class. If the corresponding relation between the machine identity and the user identity of the current login is present in the legal correspondence table of the machine identity and the user class, the server may determine that the user does not log in non-locally and is not suspicious. Otherwise, the user is considered to log in non-locally, and thus the login is suspicious.
  • The embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may employ an entirely hardware embodiment, an entirely software embodiment, or a form of an embodiment combining software and hardware aspects. Moreover, the present disclosure may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to a disk memory, a CD-ROM, an optical memory, etc.) which comprise computer-usable program codes.
  • These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine such that the instructions executed by a processor of a computer or other programmable data processing equipment may produce a device for realizing functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
  • These computer program instructions also may be stored in a computer-readable memory that may guide a computer or other programmable data processing equipment to work in an ad hoc fashion such that the instructions stored in the computer-readable memory may produce a manufactured product including an instruction device, wherein the instruction device may realize functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
  • These computer program instructions also may be loaded onto a computer or other programmable data processing equipment such that a series of operation steps may be executed on a computer or other programmable equipment to produce processing realized by a computer, thereby the instructions executed on a computer or other programmable equipment may provide steps for realizing functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.

Abstract

The present disclosure provides techniques to identify suspicious user logins. These techniques may include acquiring, by a computing device, a routing path associated with a user login based on login information. The computing device may extract current routing characteristic information from the routing path, and identify whether the current user login is suspicious based on the current routing characteristic information. These techniques reduce the influence of IP address changes on user identification as well as errors associated with user identification, and identify geographic positions more accurately.

Description

    CROSS REFERENCE TO RELATED PATENT APPLICATIONS
  • This application claims priority to Chinese Patent Application No. 201210258816.5, filed on Jul. 24, 2012, entitled “Method and Apparatus of Identifying User Risk,” which is hereby incorporated by reference in its entirety.
    TECHNICAL FIELD
  • The present disclosure relates to online security and, more specifically, to identifying risk associated with user identities.
    BACKGROUND
  • Online identity theft has become a serious problem for Internet services. It causes not only monetary losses to users but also other harmful consequences (e.g., illegal conduct by a third party). Accordingly, service providers want an efficient way to identify user accounts at risk (i.e., suspicious user accounts) while still allowing legitimate user activities.
  • In general, it's difficult for service providers to confirm the credibility of users who currently log in. To accurately identify whether a user account is suspicious, the service providers may determine whether the user account is logged in non-locally. Under traditional technologies, a service provider determines whether a login is a non-local login by selecting a geographic position corresponding to an IP address used when the user logs in.
  • This technique, however, has various defects. First, a network operator may change its own IP address pool. For example, reallocating IP addresses among cities may cause a legitimate user to be identified as an illegal user. Thus, the identification error rate is relatively high. Second, a geographic position identified by this technique is relatively rough and generally is accurate only when logins are conducted in different cities. For example, if a third party steals an identity of a user and logs in from the same city that the user used to log in (e.g., using a proxy server), the risk may not be identified.
  • Accordingly, an urgent problem needing resolution involves identifying user risk and reducing the influence of an IP address change associated with identification of the user risk. There is also a need to reduce error rates associated with the risk user identification, and identify geographic positions more accurately.
    SUMMARY
  • A technical problem to be solved by embodiments of the present disclosure is to identify user risk and to reduce the influence of an IP address change associated with identification of the user risk. Embodiments of the present disclosure also reduce error rates associated with the risk user identification, and identify geographic positions more accurately.
  • Embodiments of the present disclosure also relate to methods for identifying that a user login is suspicious. The methods may include acquiring, by a server, a routing path logged in by a user based on login information of the user. Based on the routing path, the server may extract current routing characteristic information from the routing path logged in by the user, and then identify whether the current login is suspicious based on the current routing characteristic information.
  • In some embodiments, the login information of the user includes a user identity, information of a client terminal where the user initiates a login request and information of a server that receives the login request. The acquiring a routing path logged in by a user based on login information of the user includes sending a routing discovery message to the client terminal by the server, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the server to generate a currently logged-in routing path corresponding to the user identity.
  • In some embodiments, the login information of the user includes information of a client terminal where the user initiates a login request and information of a server that receives the login request. The acquiring a routing path logged in by a user based on login information of the user includes sending a routing discovery message to the server by the client terminal, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the client terminal to generate a currently logged-in routing path corresponding to the user identity.
  • In some embodiments, the extracting current routing characteristic information from the routing path logged in by the user includes extracting information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with a traffic greater than a preset threshold, and organizing the information of the key router to form current routing characteristic information.
  • In some embodiments, the identifying whether the current user logs in non-locally based on the current routing characteristic information includes querying historical routing characteristic information corresponding to the user identity, and comparing whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
  • In some embodiments, the login information of the user also includes a machine identity. The identifying whether the current user logs in non-locally based on the current routing characteristic information includes presetting a legal correspondence table of a machine identity and a user class, and determining whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class. In these instances, the user class is a cluster of the user identity with the same path characteristic information. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
  • Embodiments of the present disclosure also relate to devices for identifying that a user is suspicious. The device may include a routing path acquisition module, a current path extraction module, and a risk judgment module. The routing path acquisition module is configured to acquire a routing path logged in by a user based on login information of the user. The current path extraction module is configured to extract current routing characteristic information from the routing path logged in by the user. The risk judgment module is configured to identify whether the current login is suspicious based on the current routing characteristic information.
  • In some embodiments, the login information of the user may include a user identity, information of a client terminal where the user initiates a login request, and information of a server which receives the login request. The routing path acquisition module may include a routing discovery message sending sub-module configured to send a routing discovery message to the client terminal, a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity.
  • In some embodiments, the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request. The routing path acquisition module may include a routing discovery message sending sub-module configured to send a routing discovery message to the server, a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity.
  • In some embodiments, the current path extraction module may include a user login routing path extraction sub-module configured to extract information of a key router from the routing path logged in by the user. In some instances, the information of the key router is information of a router with traffic greater than a preset threshold, and a key router information formation sub-module configured to organize the information of the key router to form current routing characteristic information.
  • In some embodiments, the risk judgment module may include a user identity query sub-module configured to query historical routing characteristic information corresponding to the user identity, and a routing characteristic information comparison sub-module configured to compare whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
  • In some embodiments, the login information of the user may also include a machine identity. The risk judgment module may include a user identity clustering sub-module configured to preset a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information, and a user identity and machine identity judgment sub-module configured to determine whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
  • Compared with conventional techniques, embodiments of the present disclosure have various advantages. Embodiments of the present disclosure acquire a routing path from a user to a server when the user logs in to the server. The server also extracts routing characteristic information of a corresponding user from the routing path. A currently logged-in critical path may be obtained based on routing characteristic information of the current login of a user, and the current critical path is compared with a critical path that the corresponding user has frequently used for previous logins according to server records. Thus, the server may be able to identify whether the current login of the user is a non-local login. This may be an auxiliary mechanism for user identity confirmation based on path reputation between a user machine and a login server. The mechanism allows the login server to identify whether the currently logged-in account is suspected of being stolen and is capable of providing a relatively accurate risk control means. Meanwhile, embodiments of the present disclosure may obtain traffic information of a router between a user and a server, and may determine the true position of the user more precisely. Accordingly, the present disclosure may reduce the influence of an IP address change on user risk identification, reduce the error rate of risk user identification, and identify geographic position more accurately.
  • This Summary is not intended to identify all key features or essential features of the claimed subject matter, nor is it intended to be used alone as an aid in determining the scope of the claimed subject matter.
    BRIEF DESCRIPTION OF THE DRAWINGS
  • The Detailed Description is described with reference to the accompanying figures. The use of the same reference numbers in different figures indicates similar or identical items.
  • FIG. 1 is a flow chart of an illustrative process for determining credibility of online identities.
  • FIG. 2 is a schematic diagram of an illustrative computing architecture that enables user risk identification.
    DETAILED DESCRIPTION
  • The present disclosure is further described below in detail with reference to the drawings and embodiments.
  • Embodiments of the present disclosure include acquiring a routing path from a user to a server when the user logs in to the server, and extracting routing characteristic information of a corresponding user from the routing path. A currently logged-in critical path may be obtained based on routing characteristic information of a current login of a user, and the current critical path is compared with a critical path that the corresponding user has frequently used for previous logins according to server records, to identify whether the current login of the user is a non-local login.
  • FIG. 1 is a flow chart of an illustrative process for determining credibility of online identities. At 102, a server may acquire a routing path logged in by a user based on login information of the user. In some embodiments, the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request. In some instances, a message may be transferred from a client terminal to a server via a multistage router, and a message channel connected by various stages of routers may form a routing path logged in by a user.
  • In some embodiments, the server may acquire the routing path by sending a routing discovery message to the client terminal, receiving routing node information fed back hop-by-hop by each router that receives the routing discovery message, and collecting the routing node information to form a routing path that is currently logged in by the user.
  • In some embodiments, a path collection application program may be deployed at a server. When a login request that is submitted from a client terminal by a user is received, the path collection application program may be initiated and connected to a network to send an Internet Control Message Protocol (ICMP) routing discovery message to the client terminal. A router receiving the message may provide feedback routing node information hop-by-hop. The routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
  • In some embodiments, the server may acquire the routing path by sending a routing discovery message to the server by the client terminal, feeding back routing node information hop-by-hop by a router receiving the routing discovery message, and collecting the routing node information by the client terminal to form a routing path that is currently logged in by the user.
  • In some embodiments, a path collection application program may be deployed at a client terminal; when a user submits a login request, the path collection application program is initiated and connected to a network to send an ICMP routing discovery message to the server. A router receiving the message may provide feedback routing node information hop-by-hop. The routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
  • At 104, the server may extract routing characteristic information from the routing path logged in by the user. The server may extract the routing characteristic information by extracting information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with traffic greater than a preset threshold, and organizing the information of the key router to form routing characteristic information.
  • At 106, the server may identify whether the current login is suspicious based on the routing characteristic information. In some embodiments, the server may identify by querying historical routing characteristic information corresponding to the user identity, and comparing whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the login is suspicious.
  • In some embodiments, the routing characteristic information of the current login of a user may be compared with preceding historical routing characteristic information of the corresponding user to see whether a critical path therein is consistent with a critical path in trusted routing characteristic information that is frequently used by the user. If it is consistent, the server may determine that no non-local login occurs and the login is not at risk. If it is not, the server may determine that non-local login occurs and the login is suspicious.
  • The trusted routing characteristic information may be generated by various ways. For example, the trusted routing characteristic information may include a routing path used when an account is registered, and a routing path certified by strong identity authentication. In these instances, the strong identity authentication may include answering of an authentication question, confirmation of a client via telephone communication, and so on.
  • There may be more than one routing path frequently used by a user. For example, the user may access the Internet at an office, at home, via a mobile phone, etc. Accordingly, there may be multiple critical paths in the trusted routing characteristic information to make the judgment more reliable and user-friendly.
  • In some embodiments, the login information of the user also may include a machine identity. In these instances, the server may identify whether the current login is suspicious based on the routing characteristic information by presetting a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information. Then, the server may determine whether the user identity and the machine identity are present in the correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the login is suspicious.
  • In some embodiments, a legal correspondence table of a machine identity and a user class (e.g., a group of the user identity with the same routing characteristic information) may be set at a server. When a login request of a user is received, the identity of a login client terminal and/or the identity of a login server (machine identity) and the user identity of the current login may be compared with the legal correspondence table of the machine identity and the user class. If the corresponding relationship between the machine identity and the user identity of the current login is present in the legal correspondence table, the server may determine that the user does not log in non-locally and therefore the login is not at risk. Otherwise, the server may determine that the user logs in non-locally and therefore the login is suspicious.
  • The process of building a network router is sometimes complicated and also relatively expensive, so a common network operator may not easily change a critical routing path. By contrast, a network operator may change its own IP address pool, especially IP address allocation among cities, which affects the conventional technologies. Compared with the conventional technologies, the technologies in the present disclosure, which determine whether an account is logged in non-locally based on a critical routing path, may more accurately determine that a login is suspicious.
  • In addition, under the conventional technologies, a determination of an account login address via a user identity may be inaccurate among cities. For example, a third party using a stolen account may use a network proxy server in the same city that the legitimate user used to log in. In this instance, the conventional technologies may not detect that the account is logged in non-locally. But an auxiliary mechanism described in this disclosure confirms user identities based on path reputation between a user machine and a login server. This allows the login server to effectively identify whether the current login account is at risk (e.g., stolen), and therefore provides more accurate risk control.
  • To help those skilled in the art better understand the present disclosure, it is further described using some embodiments below. In one embodiment, a user with a user identity (e.g., 2012) may send a login request to a server of a website A via a client terminal of the website A. The server of the website A may complete login of the user in response to the request and generate login information of the user based on Cookies returned by the client terminal of the website A.
  • The server of the website A may initiate a path collection application program to send an ICMP routing discovery message to a login server. The path collection application program may directly return hop-by-hop router information passed by the discovery message to the server after receiving the information. The hop-by-hop router information may be analyzed, and the user identity 2012 may be marked to acquire a routing path logged in by the user and to return the routing path to the server.
  • The server of the website A may analyze routing information of each routing node in the routing path logged in by the user to extract a router whose traffic reaches a preset traffic value as a key router. A critical path may be generated based on the key router and marked with the user identity 2012 to generate path characteristic information of the current login of the user. Historical routing characteristic information of the last login of 2012 may be extracted from records of the server of the website A and compared to determine whether a key router of the historical routing characteristic information is the same as that of the path characteristic information of the current login.
  • If multiple key routers are found to be different in the historical routing characteristic information and the path characteristic information of the current login of the user 2012, the server may determine that a corresponding account of the user 2012 is at risk of non-local login.
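The comparison walked through for user 2012 above, together with the machine identity and user class table described earlier, as an added Python example that is not code from the patent. The router names, traffic figures, threshold value, handling of silent hops and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

TRAFFIC_THRESHOLD = 10_000  # assumption: constructed value and units


@dataclass(frozen=True)
class Hop:
    router_id: Optional[str]  # None: hop gave no reply to the discovery probe
    traffic: int = 0          # assumption: supplied by a separate traffic feed


def routing_characteristic(path, threshold=TRAFFIC_THRESHOLD):
    """Step 104: keep only key routers (traffic > threshold), in path order."""
    return tuple(h.router_id for h in path
                 if h.router_id is not None and h.traffic > threshold)


def assess_login(user_id, path, history, threshold=TRAFFIC_THRESHOLD):
    """Step 106: suspicious unless the current characteristic equals one of
    the user's trusted characteristics (registration path, office, home)."""
    current = routing_characteristic(path, threshold)
    trusted = history.get(user_id, set())
    # Key routers that differ from the closest trusted characteristic.
    differing = min((len(set(current) ^ set(t)) for t in trusted),
                    default=len(current))
    # Assumption: a path with no key router at all cannot vouch for a login.
    suspicious = (not current) or (current not in trusted)
    return {"fingerprint": current, "suspicious": suspicious,
            "differing_key_routers": differing}


def build_user_classes(history):
    """User class: user identities sharing the same path characteristic."""
    classes = {}
    for user, fingerprints in history.items():
        for fp in fingerprints:
            classes.setdefault(fp, set()).add(user)
    return classes


def machine_pair_suspicious(user_id, machine_id, legal_table, classes):
    """legal_table holds (machine identity, user class key) pairs."""
    for machine, class_key in legal_table:
        if machine == machine_id and user_id in classes.get(class_key, ()):
            return False
    return True


# Constructed sample paths; access-hop addresses are documentation ranges.
HOME_PATH = [Hop("192.0.2.1", 120), Hop("metro-east-1", 45_000), Hop(None),
             Hop("core-bb-7", 900_000), Hop("dc-edge-2", 300_000)]
# Same location after the operator renumbers its address pool.
RENUMBERED_PATH = [Hop("198.51.100.9", 150), Hop("metro-east-1", 47_000),
                   Hop("core-bb-7", 880_000), Hop("dc-edge-2", 310_000)]
OFFICE_PATH = [Hop("192.0.2.200", 300), Hop("metro-north-2", 60_000),
               Hop("core-bb-7", 900_000), Hop("dc-edge-2", 300_000)]
# Login relayed through a proxy in the same city as the legitimate user.
PROXY_PATH = [Hop("203.0.113.5", 80), Hop("metro-west-4", 52_000),
              Hop("core-bb-7", 900_000), Hop("dc-edge-2", 300_000)]

HISTORY = {
    "2012": {routing_characteristic(HOME_PATH),
             routing_characteristic(OFFICE_PATH)},
    "2013": {routing_characteristic(HOME_PATH)},
}
USER_CLASSES = build_user_classes(HISTORY)
LEGAL_TABLE = {("machine-A", routing_characteristic(HOME_PATH))}

if __name__ == "__main__":
    for name, path in [("renumbered", RENUMBERED_PATH), ("office", OFFICE_PATH),
                       ("same-city proxy", PROXY_PATH)]:
        print(name, assess_login("2012", path, HISTORY))
    print(machine_pair_suspicious("2012", "machine-Z", LEGAL_TABLE, USER_CLASSES))
```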
  • It should be noted that, for simplicity, some embodiments are expressed as a combination of a series of actions, but those skilled in the art should know that the present disclosure is not limited by the described action sequence. Some steps may be performed in other sequences or simultaneously based on the present disclosure.
  • FIG. 2 is a schematic diagram of an illustrative computing architecture that enables user risk identification. The computing device 200 may be a user device or a server for a multiple location login control. In one exemplary configuration, the computing device 200 may include one or more processors 202, input/output interfaces 204, network interface 206, and memory 208.
  • The memory 208 may include computer-readable media in the form of volatile memory, such as random-access memory (RAM) and/or non-volatile memory, such as read only memory (ROM) or flash RAM. The memory 208 is an example of computer-readable media.
  • Computer-readable media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random-access memory (SRAM), dynamic random-access memory (DRAM), other types of random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that may be used to store information for access by a computing device. As defined herein, computer-readable media does not include transitory media such as modulated data signals and carrier waves.
  • Turning to the memory 208 in more detail, the memory 208 may include a routing path acquisition module 210 configured to acquire a routing path logged in by a user based on login information of the user, a current path extraction module 212 configured to extract current routing characteristic information from the routing path logged in by the user, and a risk judgment module 214 configured to identify whether the current login is suspicious based on the current routing characteristic information.
  • In some embodiments, the login information of the user may include information of a client terminal where the user initiates a login request and information of a server which receives the login request. In some embodiments, information may be transferred from a client terminal to a server via a multistage router, and a message channel connected by various stages of routers may form a routing path logged in by a user.
  • In some embodiments, the routing path acquisition module 210 may include a routing discovery message sending sub-module at the server configured to send a routing discovery message to the client terminal, and a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity. These sub-modules may be located on the server.
  • In some embodiments, a path collection application program may be deployed at a server. When a login request that is submitted from a client terminal by a user is received, the path collection application program may be initiated and connected to a network to send an ICMP routing discovery message to the client terminal. A router receiving the message may provide feedback routing node information hop-by-hop. The routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
  • In some embodiments, the routing path acquisition module 210 may include a routing discovery message sending sub-module configured to send a routing discovery message to the server. The routing path acquisition module 210 may also include a collection sub-module configured to collect routing node information fed back hop-by-hop by a router receiving the routing discovery message, and a path generation sub-module configured to generate a currently logged-in routing path corresponding to the user identity. These sub-modules may be located in the client terminal.
  • In some embodiments, a path collection application program may be deployed at a client terminal. When a user submits a login request, the path collection application program may be initiated and connected to a network to send an ICMP routing discovery message to the server. A router receiving the message may provide feedback routing node information hop-by-hop. The routing path that is currently logged in by the user may be formed immediately after the path collection application program collects the hop-by-hop routing node information.
  • In some embodiments, the current path extraction module 212 may include a user login routing path extraction sub-module configured to extract information of a key router from the routing path logged in by the user, wherein the information of the key router is information of a router with a traffic greater than a preset threshold, a key router information formation sub-module configured to organize the information of the key router to form current routing characteristic information, and a risk judgment module configured to identify whether the current login is suspicious based on the current routing characteristic information.
  • In some embodiments, the risk judgment module 214 may include a user identity query sub-module configured to query historical routing characteristic information corresponding to the user identity, and a routing characteristic information comparison module configured to compare whether the historical routing characteristic information and the current routing characteristic information are the same. If the historical routing characteristic information and the current routing characteristic information are not the same, the server may determine that the user login is suspicious.
  • In some embodiments, routing characteristic information of the current login of a user may be compared with preceding historical routing characteristic information of the corresponding user to check whether a critical path therein is consistent with a critical path in the trusted routing characteristic information that is frequently used by the user. If it is consistent, the server may determine that no non-local login occurs and the user is not at risk. Otherwise, the server may determine that non-local login occurs, and therefore the user login is suspicious.
  • The trusted routing characteristic information may be generated in various ways. In some embodiments, it may be based on a routing path used when an account is registered, and on a routing path certified by identity authentication. In these instances, the strong identity authentication may include answering an authentication question, confirmation of a client via telephone communication, and so on.
  • There may be more than one routing path frequently used by a user (e.g., office, home, mobile phone, etc.). Thus, there may also be multiple critical paths in the trusted routing characteristic information, to ensure more reliable and humane judgment results.
  • In some embodiments, the login information of the user may also include a machine identity; and the risk judgment module 214 may include a user identity clustering sub-module configured to preset a legal correspondence table of a machine identity and a user class, wherein the user class is a cluster of the user identity with the same path characteristic information, and a user identity and machine identity judgment sub-module configured to determine whether the user identity and the machine identity are present in the legal correspondence table of the machine identity and the user class. If the user identity and the machine identity are not present, the server may determine that the user login is suspicious.
  • In some embodiments, an authorized correspondence table of a machine identity and a user class (e.g., a cluster of the user identity with the same routing characteristic information) may be set at a server. When a login request of a user is received, identity of a login client terminal and/or identity of a login server (e.g., machine identity) and a user identity of a current login may be compared with the authorized correspondence table of the machine identity and the user class. If the corresponding relation between the machine identity and the user identity of the current login is present in the legal correspondence table of the machine identity and the user class, the server may determine that the user does not log in non-locally and is not suspicious. Otherwise, the user is considered to log in non-locally, and thus the login is suspicious.
  • Reference may be made to relevant descriptions of the above-described embodiments; details are not repeated herein. Those skilled in the art should understand that the embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may employ an entirely hardware embodiment, an entirely software embodiment, or a form of an embodiment combining software and hardware aspects. Moreover, the present disclosure may be a form of a computer program product implemented on one or more computer available storage media (including but not limited to a disk memory, a CD-ROM, an optical memory, etc.) which comprise computer available program codes.
  • The present disclosure is described with reference to a flow chart and/or a block diagram of a method, an apparatus (system) and a computer program product based on an embodiment of the present disclosure. It should be understood that each process and/or box in a flow chart and/or a block diagram and a combination of processes and/or boxes in a flow chart and/or a block diagram may be realized by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine such that the instructions executed by a processor of a computer or other programmable data processing equipment may produce a device for realizing functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
  • These computer program instructions also may be stored in a computer-readable memory that may guide a computer or other programmable data processing equipment to work in an ad hoc fashion such that the instructions stored in the computer-readable memory may produce a manufactured product including an instruction device, wherein the instruction device may realize functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
  • These computer program instructions also may be loaded onto a computer or other programmable data processing equipment such that a series of operation steps may be executed on a computer or other programmable equipment to produce processing realized by a computer, thereby the instructions executed on a computer or other programmable equipment may provide steps for realizing functions designated in one or more processes in a flow chart and/or one or more boxes in a block diagram.
  • Although the embodiments of the present disclosure have been described, once those skilled in the art know the basic creative concept, additional variations and modifications may be made to these embodiments. Accordingly, the appended claims are intended to be construed as including the embodiments as well as all variations and modifications that fall within the scope of the present disclosure.
  • A detailed introduction has been made above to methods and devices for identifying risk of a user login as provided by the present disclosure. Examples are applied herein to explain the principles and embodiments of the present disclosure, and the description of the above embodiments is only used for the purpose of assisting in understanding the method of the present disclosure and its core ideas; meanwhile, those of ordinary skill in the art may make changes in terms of particular embodiments and application scopes based on the ideas of the present disclosure. In summary, the contents of the specification shall not be interpreted as limiting the present disclosure.
  • The embodiments are merely for illustrating the present disclosure and are not intended to limit the scope of the present disclosure. It should be understood for persons in the technical field that certain modifications and improvements may be made and should be considered under the protection of the present disclosure without departing from the principles of the present disclosure.
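The risk judgment described in the embodiments above (key-router extraction, comparison against several trusted paths, and the machine identity / user class correspondence table), sketched as an added example that is not code from the patent or its assignee. The threshold value, the names `Hop`, `routing_characteristic`, `build_user_classes` and `judge_login`, and all addresses and traffic figures are constructed assumptions; flagging an empty path is also an assumption, since the description does not say how to treat it.

```python
from dataclasses import dataclass

TRAFFIC_THRESHOLD = 1000  # assumption: the "preset threshold", arbitrary units


@dataclass(frozen=True)
class Hop:
    address: str  # routing node reported hop-by-hop by route discovery
    traffic: int  # traffic attributed to that router (source is an assumption)


def routing_characteristic(path, threshold=TRAFFIC_THRESHOLD):
    """Keep only key routers (traffic above threshold), preserving path order."""
    return tuple(h.address for h in path if h.traffic > threshold)


def build_user_classes(trusted):
    """Cluster user identities that share the same routing characteristic."""
    classes = {}
    for user, characteristics in trusted.items():
        for characteristic in characteristics:
            classes.setdefault(characteristic, set()).add(user)
    return classes


def judge_login(user, machine_id, path, trusted, machine_table):
    """Return a verdict dict for one login attempt.

    trusted:       user identity -> set of trusted routing characteristics
    machine_table: machine identity -> routing characteristic naming a user class
    """
    current = routing_characteristic(path)
    reasons = []
    if not current:
        # Route discovery can return nothing useful (for example filtered ICMP).
        # Assumption: treat that as suspicious instead of silently passing.
        reasons.append("no key routers observed")
    elif current not in trusted.get(user, set()):
        reasons.append("routing characteristic differs from trusted history")
    allowed_class = machine_table.get(machine_id)
    members = build_user_classes(trusted).get(allowed_class, set())
    if allowed_class is None or user not in members:
        reasons.append("machine identity not in correspondence table for user")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "characteristic": current}


# Constructed sample paths (documentation address ranges, invented traffic).
HOME = [Hop("192.0.2.1", 40), Hop("198.51.100.10", 5200),
        Hop("198.51.100.20", 8100)]
HOME_NEW_CPE = [Hop("192.0.2.9", 35), Hop("198.51.100.10", 5300),
                Hop("198.51.100.20", 8000)]
OFFICE = [Hop("192.0.2.77", 15), Hop("203.0.113.5", 9000),
          Hop("198.51.100.20", 8100)]
UNKNOWN = [Hop("192.0.2.200", 10), Hop("203.0.113.99", 7000),
           Hop("198.51.100.20", 8100)]

# A user may have several trusted paths (home and office here).
TRUSTED = {
    "alice": {routing_characteristic(HOME), routing_characteristic(OFFICE)},
    "bob": {routing_characteristic(OFFICE)},
}
MACHINE_TABLE = {
    "laptop-01": routing_characteristic(HOME),
    "desk-17": routing_characteristic(OFFICE),
}

if __name__ == "__main__":
    attempts = [
        ("alice", "laptop-01", HOME),
        ("alice", "laptop-01", HOME_NEW_CPE),
        ("alice", "laptop-01", UNKNOWN),
        ("bob", "laptop-01", OFFICE),
        ("alice", "kiosk-9", HOME),
        ("alice", "laptop-01", []),
    ]
    for user, machine, path in attempts:
        verdict = judge_login(user, machine, path, TRUSTED, MACHINE_TABLE)
        print(user, machine, verdict["suspicious"], verdict["reasons"])
```

Because only routers above the threshold enter the characteristic, a changed low-traffic first hop (`HOME_NEW_CPE`) still matches the trusted home path, while a different upstream key router does not.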

Claims (20)

What is claimed is:
1. A method comprising:
receiving, by a server, login information of a user;
acquiring a routing path based on the login information of the user;
extracting routing characteristic information from the routing path; and
determining a risk associated with the user based on the routing characteristic information.
2. The method of claim 1, wherein the login information of the user includes a user identity, information of a client terminal on which the user initiates a login request, and information of the server.
3. The method of claim 2, wherein the acquiring the routing path based on the login information of the user comprises:
sending, by the server, a routing discovery message to the client terminal;
determining routing node information using hop-by-hop routing corresponding to the routing discovery message; and
generating the routing path based on the routing node information.
4. The method of claim 3, wherein the acquiring the routing path based on the login information of the user comprises:
receiving, by the server, the routing discovery message from a client terminal;
determining routing node information using hop-by-hop routing corresponding to the routing discovery message; and
generating the routing path based on the routing node information.
5. The method of claim 1, wherein the extracting routing characteristic information from the routing path comprises:
extracting information of a key router from the routing path; and
generating the routing characteristic information based on the information of the key router.
6. The method of claim 5, wherein the information of the key router includes information of a router having an amount of traffic greater than a preset threshold.
7. The method of claim 1, wherein the determining the risk associated with the user based on the routing characteristic information comprises:
retrieving historical routing characteristic information corresponding to the user; and
determining the risk by comparing the historical routing characteristic information with the routing characteristic information.
8. The method of claim 1, wherein the login information of the user includes a machine identity, and the determining the degree of risk associated with the user based on the routing characteristic information comprises:
presetting one or more correspondences between a machine identity and a user class that includes multiple users each having the path characteristic information; and
determining the risk associated with the user based on the one or more correspondences.
9. A system comprising:
one or more processors; and
memory to maintain a plurality of components executable by the one or more processors, the plurality of components comprising:
a routing path acquisition module configured to:
receive login information of a user, and
acquire a routing path based on the login information of the user,
a current path extraction module configured to extract routing characteristic information from the routing path, and
a risk judgment module configured to determining a risk associated with the user based on the routing characteristic information.
10. The system of claim 9, wherein the login information of the user includes a user identity, information of a client terminal on which the user initiates a login request, and information of a server associated with the system, and the acquiring the routing path based on the login information of the user comprises:
sending a routing discovery message to the client terminal;
determining routing node information using hop-by-hop routing corresponding to the routing discovery message; and
generating the routing path based on the routing node information.
11. The system of claim 10, wherein the acquiring the routing path based on the login information of the user comprises:
receiving the routing discovery message from a client terminal;
determining routing node information using hop-by-hop routing corresponding to the routing discovery message; and
generating the routing path based on the routing node information.
12. The system of claim 9, wherein the extracting routing characteristic information from the routing path comprises:
extracting information of a key router from the routing path; and
generating the routing characteristic information based on the information of the key router.
13. The system of claim 12, wherein the information of the key router includes information of a router having an amount of traffic greater than a preset threshold.
14. The system of claim 9, wherein the determining the risk associated with the user based on the routing characteristic information comprises:
retrieving historical routing characteristic information corresponding to the user; and
determining the risk by comparing the historical routing characteristic information with the routing characteristic information.
15. The system of claim 9, wherein the login information of the user includes a machine identity, and the determining the degree of risk associated with the user based on the routing characteristic information comprises:
presetting one or more correspondences between a machine identity and a user class that includes multiple users each having the path characteristic information; and
determining the risk associated with the user based on the one or more correspondences.
16. One or more computer-readable media storing computer-executable instructions that, when executed by one or more processors, instruct the one or more processors to perform acts comprising:
receiving login information of a user;
acquiring a routing path based on the login information of the user;
extracting routing characteristic information from the routing path; and
determining a risk associated with the user based on the routing characteristic information.
17. The one or more computer-readable media of claim 16, wherein the login information of the user includes a user identity, information of a client terminal on which the user initiates a login request, and information of a server, and the acquiring the routing path based on the login information of the user comprises:
sending, by the server, a routing discovery message to the client terminal;
determining routing node information using hop-by-hop routing corresponding to the routing discovery message; and
generating the routing path based on the routing node information.
18. The one or more computer-readable media of claim 17, wherein the routing discovery message is an Internet Control Message Protocol (ICMP) discovery message.
19. The one or more computer-readable media of claim 18, wherein the routing node information is associated with one or more nodes, and traffic of an individual node of the one or more nodes is greater than a predetermined value.
20. The one or more computer-readable media of claim 16, wherein the determining the degree of risk comprising determining the degree of risk by comparing the routing node information and particular routing node information that is recorded within a predetermined time period.
US13/948,838 2012-07-24 2013-07-23 Method and Apparatus of Identifying User Risk Abandoned US20140033306A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/084,379 US9781134B2 (en) 2012-07-24 2016-03-29 Method and apparatus of identifying user risk

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210258816.5 2012-07-24
CN201210258816.5A CN103581120B (en) 2012-07-24 2012-07-24 A kind of method and apparatus for identifying consumer's risk

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/084,379 Continuation US9781134B2 (en) 2012-07-24 2016-03-29 Method and apparatus of identifying user risk

Publications (1)

Publication Number Publication Date
US20140033306A1 true US20140033306A1 (en) 2014-01-30

Family

ID=48953442

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/948,838 Abandoned US20140033306A1 (en) 2012-07-24 2013-07-23 Method and Apparatus of Identifying User Risk
US15/084,379 Active US9781134B2 (en) 2012-07-24 2016-03-29 Method and apparatus of identifying user risk

Country Status (6)

Country Link
US (2) US20140033306A1 (en)
JP (1) JP6215935B2 (en)
KR (1) KR102124665B1 (en)
CN (1) CN103581120B (en)
TW (1) TWI584148B (en)
WO (1) WO2014018527A1 (en)

Also Published As

Publication number Publication date
CN103581120A (en) 2014-02-12
KR20150036153A (en) 2015-04-07
US20160212152A1 (en) 2016-07-21
TWI584148B (en) 2017-05-21
JP2015530783A (en) 2015-10-15
TW201405354A (en) 2014-02-01
CN103581120B (en) 2018-04-20
US9781134B2 (en) 2017-10-03
JP6215935B2 (en) 2017-10-18
WO2014018527A1 (en) 2014-01-30
KR102124665B1 (en) 2020-06-19

Legal Events

Date Code Title Description
AS Assignment

Owner name: ALIBABA GROUP HOLDING LIMITED, CAYMAN ISLANDS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HUANG, MIAN;REEL/FRAME:031259/0504

Effective date: 20130723

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION