WO2015018314A1 - Method, device and system for detecting whether account is stolen - Google Patents

Method, device and system for detecting whether account is stolen

Info

Publication number
WO2015018314A1
Authority
WO
WIPO (PCT)
Prior art keywords
stolen
user
data
user account
accounts
Prior art date
Application number
PCT/CN2014/083706
Other languages
French (fr)
Inventor
Jie Zhang
Chang Liu
Haisheng LIU
Original Assignee
Tencent Technology (Shenzhen) Company Limited
Priority date
Filing date
Publication date
Application filed by Tencent Technology (Shenzhen) Company Limited
Publication of WO2015018314A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • the disclosure relates to the field of Internet technology, particularly to the information security, and specifically to the detection of whether an account is stolen.
  • a method for detecting whether an account is stolen including: detecting, by a server, data operated by user terminals through user accounts;
  • the server judges, by the server, whether the probability that the at least one user account is stolen is greater than a preset threshold, determining the at least one user account to be stolen in the case of positive judgment, and storing the at least one user account in a stolen account database.
  • a method for detecting whether an account is stolen including: detecting, by a detecting server, data operated by user terminals through user accounts, where the user accounts-related data are of a plurality of types, each of which corresponds to a type identifier;
  • the computing server judges, by the computing server, whether the probability that the at least one user account is stolen is greater than a preset threshold, determining the at least one user account to be stolen in the case of positive judgment, and sending the at least one user account to a storage server.
  • a device for detecting whether an account is stolen including: a detecting and determining module, configured to detect data operated by user terminals through user accounts, determine whether abnormality occurs to the user accounts-related data based on a preset rule, where the user accounts-related data are of a plurality of types, each of which corresponds to a type identifier;
  • a collecting module configured to collect at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data
  • a computing module configured to compute a probability that the at least one user account is stolen based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers;
  • a judging and storing module configured to determine whether the probability that the at least one user account is stolen is greater than a preset threshold, determine that the at least one user account is stolen in the case of positive judgment and stores the at least one user account into a stolen account database.
  • a system for detecting whether an account is stolen including: a detecting server, a computing server, and a storage server, where: the detecting server is configured to detect a plurality of types of data operated by user terminals through user accounts, where each type corresponds to a type identifier, determine whether abnormality occurs to the user accounts-related data based on a preset rule, and transmit at least two type identifiers corresponding to the types of abnormal data and at least one user account with data abnormality to the computing server in the case of positive determination;
  • the computing server is configured to collect the at least one user account with data abnormality and the at least two type identifiers corresponding to the abnormal data, compute a probability that the collected at least one user account is stolen based on the at least two type identifiers corresponding to the collected at least one user account and stolen probabilities corresponding to individual preserved type identifiers, judge whether the probability that the at least one user account is stolen is greater than a preset threshold, determine that the at least one user account is stolen in the case of positive judgment, and transmit the at least one user account to the storage server for storage.
  • a non-transitory computer storage medium having stored therein a program when executed causing a computer to execute the afore-mentioned methods.
  • Fig.1 is an operating environment diagram of a method for detecting whether an account is stolen according to an embodiment of the invention
  • Fig.2 is a flowchart of a method for detecting whether an account is stolen according to an embodiment of the invention
  • Fig.3 is a flowchart of a method for computing a stolen probability corresponding to individual type identifiers in Fig.2;
  • Fig.4 is a flowchart of a method for detecting whether an account is stolen according to another embodiment of the invention;
  • FIG.5 is a structural diagram of a device for detecting whether an account is stolen according to an embodiment of the invention.
  • Fig.6 is a structural diagram of a computing module in Fig.5;
  • Fig.7 is another structural diagram of a computing module in Fig.5;
  • Fig.8 is a structural diagram of a system for detecting whether an account is stolen according to an embodiment of the invention.
  • a method for detecting whether an account is stolen and a device thereof according to the embodiments of the invention may be applied in one server, or more servers as shown in Fig.1.
  • the one or more servers may be connected directly through a communication network.
  • the one or more servers are connected with an application server which provides applications (including an interface server and a service server).
  • the one or more servers are an application server.
  • the user account refers to an account used by a user to log onto a browser or an application at a terminal, such as an account used by a user to log onto an instant communication application.
  • account information of the account and basic information of the terminal are communicated by the terminal to an application server and are recorded by the application server in an account list.
  • the account list keeps a record of all the basic information of a terminal corresponding to each piece of account information.
  • the basic information of a terminal may include an identifier and a type of a terminal.
  • the stolen account in the embodiments of the invention refers to an account whose password is stolen.
  • the terminal may include a PC, a tablet, a cell phone, an electronic reading device, a laptop, an intelligent TV set, a set-top box and a vehicle portable terminal.
  • Fig.2 illustrates a flowchart of a method for detecting whether an account is stolen according to an embodiment of the invention.
  • the method includes steps S11 to S14.
  • a server detects data operated by user terminals through user accounts, and determines whether abnormality occurs to the user accounts-related data based on a preset rule, where the user accounts-related data are of multiple types, each of which corresponds to a type identifier.
  • the data operated by the user terminals through the user accounts is stored in an application server which provides applications. These data may be categorized into multiple independent types. Each type corresponds to a unique type identifier, such as a serial number. It may also be understood that, each type represents an independent dimension, and the server detects whether abnormality occurs to the data of the user accounts in individual dimensions.
  • the user accounts-related data includes at least one of the following types: login data (including login time, login password, login place and user terminal used for login) of the user accounts, virtual property consumption data (including consumption amount and consumption frequency) of the user accounts, text data that the user accounts transmit to other user accounts, and image data that the user accounts transmit to other user accounts.
  • login data including login time, login password, login place and user terminal used for login
  • virtual property consumption data including consumption amount and consumption frequency
  • the preset rule includes: determining as an abnormality in the case that any one of the login data of a user account, including a login time, a login password, a login place and a user terminal used for login, changes;
  • step S12 the server collects at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data.
  • the server collects the at least one user account and L1 in the case that the server detects that the login password of the login data of the at least one user account changes or that the user terminal used for login changes; the server collects the at least one user account and L2 in the case that the server detects that the consumption amount of the virtual property consumption data of the at least one user account exceeds the preset amount or that the consumption frequency of the virtual property consumption data of the at least one user account exceeds the preset frequency; the server collects the at least one user account and L3 in the case that the server detects that the text data that the at least one user account transmits to other user accounts includes advertisement information; and the server collects the at least one user account and L4 in the case that the server detects that the image data that the at least one user account transmits to other user accounts includes an erotic image.
  • step S13 the server computes a probability that the at least one user account is stolen based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers.
  • the stolen probabilities corresponding to the individual preserved type identifiers may be obtained by the process as shown in Fig.3.
  • the process includes steps S131 to S133.
  • step S131 multiple samples of stolen accounts and multiple samples of normal accounts are collected.
  • step S132 the amount of abnormal samples corresponding to the individual type identifiers among the multiple samples of stolen accounts and the amount of abnormal samples corresponding to the individual type identifiers among the multiple samples of normal accounts are counted.
  • step S133 stolen probabilities corresponding to the individual type identifiers are computed.
  • step S131 50000 samples of stolen accounts (hereinafter referred to as S) and 50000 samples of normal accounts (hereinafter referred to as S') are collected.
  • S 50000 samples of stolen accounts
  • S' 50000 samples of normal accounts
  • step S132 upon counting, abnormality occurs to 8900 pieces of data with the type identifier L1 among the samples of stolen accounts, and abnormality occurs to 2790 pieces of data with the type identifier L1 among the samples of normal accounts.
  • step S133 the stolen probability corresponding to the type identifier L1 is given by the following formula, i.e., 76%, based on the Bayes algorithm:
  • the stolen probability corresponding to the type identifier L2 is computed as 60%
  • the stolen probability corresponding to the type identifier L3 is computed as 70%
  • the stolen probability corresponding to the type identifier L4 is computed as 50%.
  • the probability that the user account is stolen may be alternatively obtained by any other algorithm (such as accumulation).
  • step S14 the server judges whether the probability that the at least one user account is stolen is greater than a preset threshold, determines that the at least one user account is stolen in the case of positive judgment, and stores the at least one user account in a stolen account database.
  • the preset threshold may be set based on an empirical value, e.g., 80%.
  • the at least one user account in the stolen account database is further submitted to an account protection system for protection or restriction.
  • an announcement of abnormality is delivered to a client device corresponding to the at least one user account, where the announcement of abnormality includes existing risks and password change suggestion.
  • the account may be directly restricted.
  • it is detected whether a user account is stolen based on the abnormality of multiple types of data, which is of high precision and is convenient for a system to protect the user account.
  • Fig.4 illustrates a flowchart of a method for detecting whether an account is stolen according to another embodiment of the invention.
  • the steps of the method in this embodiment are substantively the same as the steps illustrated in Fig.1 (which shall be omitted herein).
  • the executing element of the steps in Fig.4 is different from that in Fig.1.
  • this embodiment includes steps S21-S24.
  • Step S21 is executed by a detecting server, which sends at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data to a computing server.
  • Steps S22 and S23 are executed by the computing server, and the storage of a stolen user account in a storage server instead of the stolen account database is executed and determined by the computing server.
  • the number of detecting servers may be one or more. In the case of more than one detecting server, each detecting server detects one type of data.
  • Another embodiment of the invention provides a non-transitory computer storage medium, having stored therein a program when executed causing a computer to execute a part or all of the steps of methods as illustrated in any one of embodiments in Fig.2-Fig.4.
  • Fig.5 illustrates a structural view of a device for detecting whether an account is stolen according to an embodiment of the invention.
  • the device 10 includes: a detecting and determining module 11, a collecting module 12, a computing module 13, and a determining and storing module 14.
  • the detecting and determining module 11 detects data operated by user terminals through user accounts, determines whether abnormality occurs to the user accounts-related data based on a preset rule, where the user accounts-related data are of multiple types, each of which corresponds to a type identifier.
  • the collecting module 12 collects at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data.
  • the computing module 13 computes a probability that the at least one user account is stolen based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers.
  • the judging and storing module 14 judges whether the probability that the at least one user account is stolen is greater than a preset threshold, determines that the at least one user account is stolen in the case of positive judgment and stores the at least one user account into a stolen account database.
  • the user accounts-related data includes at least one of the following types: virtual property consumption data of the user accounts, text data that the user accounts transmit to other user accounts and image data that the user accounts transmit to other user accounts.
  • the preset rule may include: determining as an abnormality in the case that a consumption amount of virtual property consumption data of a user account exceeds a preset amount or that a consumption frequency exceeds a preset frequency;
  • the computing module 13 includes:
  • a sample collecting unit 131 configured to collect multiple samples of stolen accounts and multiple samples of normal accounts
  • a counting unit 132 configured to count the amount of abnormal samples corresponding to the individual type identifiers among the multiple samples of stolen accounts and the amount of abnormal samples corresponding to the individual type identifiers among the multiple samples of normal accounts;
  • a first computing unit 133 configured to compute stolen probabilities corresponding to the individual type identifiers.
  • Fig.7 is another structural diagram of a computing module in Fig.5. Compared with Fig.6, the computing module as illustrated in Fig.7 further includes: a second computing unit 134, configured to compute the probability that the collected at least one user account is stolen.
  • the probability that the collected at least one user account is stolen may be computed by Bayes algorithm.
  • modules are classified based on logic functions. In practice, a function of one module may also be achieved by multiple modules, or a function of multiple modules may be achieved by one module.
  • the system 20 includes: a detecting server 21, a computing server 22, and a storage server 23.
  • the detecting server 21 is configured to detect multiple types of data operated by user terminals through user accounts, where each type corresponds to a type identifier, determine whether abnormality occurs to the user accounts-related data based on a preset rule, and transmit at least two type identifiers corresponding to the types of abnormal data and at least one user account with data abnormality to the computing server 22 in the case of a positive determination.
  • the computing server 22 is configured to collect the at least one user account with data abnormality and the at least two type identifiers corresponding to the abnormal data, compute a probability that the collected at least one user account is stolen based on the at least two type identifiers corresponding to the collected at least one user account and stolen probabilities corresponding to individual preserved type identifiers, judge whether the probability that the at least one user account is stolen is greater than a preset threshold, determine that the at least one user account is stolen in the case of positive judgment, and transmit the at least one user account to the storage server 23 for storage.
  • first and second are used only to distinguish one entity/operation from another entity/operation, and do not require or indicate any relationship or order between these entities/operations.
  • the term “include” or any other variant is intended to cover other non-exclusive inclusion, making the process, method, article or device which contains a series of elements not only contain those elements but also contain other elements which are not specifically listed, or further contain elements that are inherently contained in the process, method, article or device. Under the condition that there is no further restriction, an element defined by a sentence "including one " shall not exclude that other same elements may exist in the process, method, article or device which contains these elements.
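The scoring procedure of steps S131 to S133 and S13 to S14, as an added example that is not code from the patent: it reproduces the 76% figure for L1 from the quoted sample counts, combines the per-type probabilities of an account, and applies the 80% threshold. The prior (share of stolen accounts in the sample set), the naive-Bayes combination formula, the function names and the account events are assumptions, because the page does not show its formulas.

```python
from math import prod

THRESHOLD = 0.80  # preset threshold; the page gives 80% as an empirical value


def type_stolen_probability(abnormal_in_stolen, abnormal_in_normal,
                            n_stolen=50000, n_normal=50000):
    """P(stolen | anomaly of one type) by Bayes' rule (step S133).

    Assumption: the prior P(stolen) is the share of stolen accounts in the
    labelled sample set, i.e. 0.5 for the page's 50000 / 50000 split.
    """
    p_abn_given_stolen = abnormal_in_stolen / n_stolen
    p_abn_given_normal = abnormal_in_normal / n_normal
    prior = n_stolen / (n_stolen + n_normal)
    numerator = p_abn_given_stolen * prior
    return numerator / (numerator + p_abn_given_normal * (1 - prior))


# L1 is derived from the counts on the page (8900 abnormal among stolen
# samples, 2790 among normal samples); L2-L4 are the values the page states.
TYPE_PROB = {
    "L1": type_stolen_probability(8900, 2790),
    "L2": 0.60,
    "L3": 0.70,
    "L4": 0.50,
}


def combine(type_ids, type_prob=TYPE_PROB):
    """Account-level stolen probability from its anomaly type identifiers.

    Assumption: naive-Bayes combination, treating the types as independent
    dimensions with an equal prior: prod(p) / (prod(p) + prod(1 - p)).
    Returns None for fewer than two distinct identifiers, because the method
    only scores accounts with at least two abnormal data types.
    """
    ids = set(type_ids)
    unknown = ids - type_prob.keys()
    if unknown:
        raise KeyError(f"no preserved stolen probability for {sorted(unknown)}")
    if len(ids) < 2:
        return None
    p = prod(type_prob[i] for i in ids)
    q = prod(1 - type_prob[i] for i in ids)
    if p + q == 0:
        raise ValueError("contradictory certainties (0 and 1) cannot be combined")
    return p / (p + q)


def collect(events):
    """Step S12: group (account, type identifier) anomaly events by account."""
    flagged = {}
    for account, type_id in events:
        flagged.setdefault(account, set()).add(type_id)
    return flagged


def detect_stolen(events, threshold=THRESHOLD):
    """Steps S13-S14: return {account: probability} for accounts over threshold."""
    stolen = {}
    for account, ids in collect(events).items():
        score = combine(ids)
        if score is not None and score > threshold:
            stolen[account] = round(score, 4)
    return stolen


# Constructed sample input: anomaly events as the detecting step would emit them.
EVENTS = [
    ("acct-1001", "L1"), ("acct-1001", "L2"),   # new terminal + heavy spending
    ("acct-1002", "L1"), ("acct-1002", "L4"),   # L4 at 50% adds no evidence
    ("acct-1003", "L3"),                        # single type: not scored
    ("acct-1004", "L1"), ("acct-1004", "L2"), ("acct-1004", "L3"),
    ("acct-1001", "L1"),                        # repeated event, counted once
]

if __name__ == "__main__":
    print(f"P(stolen | L1) = {TYPE_PROB['L1']:.2%}")
    print(detect_stolen(EVENTS))
```

A type whose stolen probability is 50%, such as L4 here, leaves the combined score unchanged, so an account flagged only for L1 and L4 stays at the L1 value and below the threshold.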

Abstract

A method for detecting whether an account is stolen is provided. In the method, a server detects data operated by user terminals through user accounts and determines whether abnormality occurs to user accounts-related data based on a preset rule, wherein the user accounts-related data are of a plurality of types, each of which corresponds to a type identifier. The server collects at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data, computes a probability that the at least one user account is stolen based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers, judges whether the probability that the at least one user account is stolen is greater than a preset threshold, determines the at least one user account to be stolen in the case of positive judgment, and stores the at least one user account in a stolen account database.

Description

METHOD, DEVICE AND SYSTEM FOR DETECTING WHETHER ACCOUNT IS STOLEN
CROSS REFERENCE TO RELATED APPLICATION
[0001] This application claims the priority to Chinese Patent Application No. 201310337072.0, entitled "METHOD, DEVICE AND SYSTEM FOR DETECTING WHETHER ACCOUNT IS STOLEN", filed August 5, 2013 with the State Intellectual Property Office of People's Republic of China, which is incorporated herein by reference in its entirety.
FIELD
[0002] The disclosure relates to the field of Internet technology, particularly to the information security, and specifically to the detection of whether an account is stolen.
BACKGROUND
[0003] Nowadays, the leakage of user accounts on the Internet is becoming increasingly severe. On the one hand, it happens because a password of the user account is simple and easy to break; and on the other hand, the user account and the password are stolen as a result of a phishing website or an intrusion of a Trojan virus. The leakage of a user account results in the leakage of personal information, the unintended transmission of illegal information to others and the loss of personal property. Therefore, a technical solution is required to detect whether a user account is stolen.
SUMMARY
[0004] In an aspect, it is provided a method for detecting whether an account is stolen, including: detecting, by a server, data operated by user terminals through user accounts;
determining, by the server, whether abnormality occurs to the user accounts-related data based on a preset rule, where the user accounts-related data are of a plurality of types, each of which corresponds to a type identifier; collecting, by the server, at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data;
computing, by the server, a probability that the at least one user account is stolen based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers; and
judging, by the server, whether the probability that the at least one user account is stolen is greater than a preset threshold, determining the at least one user account to be stolen in the case of positive judgment, and storing the at least one user account in a stolen account database.
[0005] In another aspect, it is provided a method for detecting whether an account is stolen, including: detecting, by a detecting server, data operated by user terminals through user accounts, where the user accounts-related data are of a plurality of types, each of which corresponds to a type identifier;
determining, by the detecting server, whether abnormality occurs to the user accounts-related data based on a preset rule;
sending, by the detecting server, at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data to a computing server in the case of abnormality;
collecting, by the computing server, the at least one user account with data abnormality and the at least two type identifiers corresponding to the abnormal data;
computing, by the computing server, a probability that the collected at least one user account is stolen, based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers; and
judging, by the computing server, whether the probability that the at least one user account is stolen is greater than a preset threshold, determining the at least one user account to be stolen in the case of positive judgment, and sending the at least one user account to a storage server.
[0006] In another aspect, it is provided a device for detecting whether an account is stolen, including: a detecting and determining module, configured to detect data operated by user terminals through user accounts, determine whether abnormality occurs to the user accounts-related data based on a preset rule, where the user accounts-related data are of a plurality of types, each of which corresponds to a type identifier;
a collecting module, configured to collect at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data;
a computing module, configured to compute a probability that the at least one user account is stolen based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers; and
a judging and storing module, configured to determine whether the probability that the at least one user account is stolen is greater than a preset threshold, determine that the at least one user account is stolen in the case of positive judgment and stores the at least one user account into a stolen account database.
[0007] In another aspect, it is provided a system for detecting whether an account is stolen, including: a detecting server, a computing server, and a storage server, where: the detecting server is configured to detect a plurality of types of data operated by user terminals through user accounts, where each type corresponds to a type identifier, determine whether abnormality occurs to the user accounts-related data based on a preset rule, and transmit at least two type identifiers corresponding to the types of abnormal data and at least one user account with data abnormality to the computing server in the case of positive determination;
the computing server is configured to collect the at least one user account with data abnormality and the at least two type identifiers corresponding to the abnormal data, compute a probability that the collected at least one user account is stolen based on the at least two type identifiers corresponding to the collected at least one user account and stolen probabilities corresponding to individual preserved type identifiers, judge whether the probability that the at least one user account is stolen is greater than a preset threshold, determine that the at least one user account is stolen in the case of positive judgment, and transmit the at least one user account to the storage server for storage.
[0008] In a further aspect, it is provided a non-transitory computer storage medium, having stored therein a program when executed causing a computer to execute the afore-mentioned methods.
[0009] According to the embodiments of the invention, it is detected whether a user account is stolen based on the abnormality of various types of data, which brings a high accuracy and convenience to protect the user accounts in the communications network.
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] Fig.1 is an operating environment diagram of a method for detecting whether an account is stolen according to an embodiment of the invention;
[0011] Fig.2 is a flowchart of a method for detecting whether an account is stolen according to an embodiment of the invention;
[0012] Fig.3 is a flowchart of a method for computing a stolen probability corresponding to individual type identifiers in Fig.2;
[0013] Fig.4 is a flowchart of a method for detecting whether an account is stolen according to another embodiment of the invention;
[0014] Fig.5 is a structural diagram of a device for detecting whether an account is stolen according to an embodiment of the invention;
[0015] Fig.6 is a structural diagram of a computing module in Fig.5;
[0016] Fig.7 is another structural diagram of a computing module in Fig.5; and
[0017] Fig.8 is a structural diagram of a system for detecting whether an account is stolen according to an embodiment of the invention.
DETAILED DESCRIPTION
[0018] Technical solutions provided in the embodiments of the disclosure are described hereinafter in conjunction with drawings.
[0019] A method for detecting whether an account is stolen and a device thereof according to the embodiments of the invention may be applied in one server, or more servers as shown in Fig.1. The one or more servers may be connected directly through a communication network. Alternatively, the one or more servers are connected with an application server which provides applications (including an interface server and a service server). Alternatively, the one or more servers are an application server.
[0020] In the embodiments of the invention, the user account refers to an account used by a user to log onto a browser or an application at a terminal, such as an account used by a user to log onto an instant communication application. In the case that the account is used for the first time, account information of the account and basic information of the terminal are communicated by the terminal to an application server and are recorded by the application server in an account list. The account list keeps a record of all the basic information of a terminal corresponding to each piece of account information. The basic information of a terminal may include an identifier and a type of a terminal. The stolen account in the embodiments of the invention refers to an account whose password is stolen. And the terminal may include a PC, a tablet, a cell phone, an electronic reading device, a laptop, an intelligent TV set, a set-top box and a vehicle portable terminal.
[0021] A detailed description of a method for detecting whether an account is stolen according to the embodiments of the invention is given hereinafter in conjunction with Fig.l to Fig.4.
[0022] Fig.2 illustrates a flowchart of a method for detecting whether an account is stolen according to an embodiment of the invention. The method includes steps SI 1 to SI 4.
[0023] In step SI 1, a server detects data operated by user terminals through user accounts, and determines whether abnormality occurs to the user accounts-related data based on a preset rule, where the user accounts-related data are of multiple types, each of which corresponds to a type identifier. [0024] In the embodiment, the data operated by the user terminals through the user accounts is stored in an application server which provides applications. These data may be categorized into multiple independent types. Each type corresponds to a unique type identifier, such as a serial number. It may also be understood that, each type represents an independent dimension, and the server detects whether abnormality occurs to the data of the user accounts in individual dimensions.
[0025] In the embodiment, the user accounts-related data includes at least one of the following types: login data (including login time, login password, login place and user terminal used for login) of the user accounts, virtual property consumption data (including consumption amount and consumption frequency) of the user accounts, text data that the user accounts transmit to other user accounts, and image data that the user accounts transmit to other user accounts.
[0026] For example, the type identifier corresponding to the login data of the user account is defined as L1, the type identifier corresponding to the virtual property consumption data of the user account is defined as L2, the type identifier corresponding to the text data that the user account transmits to other user accounts is defined as L3, and the type identifier corresponding to the image data that the user account transmits to other user accounts is defined as L4.
[0027] In the embodiment, the preset rule includes:
determining as an abnormality in the case that any one of the login data of a user account, including a login time, a login password, a login place and a user terminal used for login, changes;
determining as an abnormality in the case that the consumption amount of the virtual property consumption data of a user account exceeds a preset amount or the consumption frequency exceeds a preset frequency;
determining as an abnormality in the case that the text data that a user account transmits to other user accounts includes advertisement information; or
determining as an abnormality in the case that the image data that a user account transmits to other user accounts includes an erotic image.
[0028] It should be understood that the types of user account related data and the preset rule may be set according to practice. Correspondingly, in the case of one more new type, there would be one more type identifier for uniquely identifying the type.
[0029] In step S12, the server collects at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data.
[0030] For example, the server collects the at least one user account and the L1 in the case that the server detects that the login password of the login data of the at least one user account changes or that the user terminal used for login changes; the server collects the at least one user account and the L2 in the case that the server detects that the consumption amount of the virtual property consumption data of the at least one user account exceeds the preset amount or that the consumption frequency of the virtual property consumption data of the at least one user account exceeds the preset frequency; the server collects the at least one user account and the L3 in the case that the server detects that the text data that the at least one user account transmits to other user accounts includes advertisement information; and the server collects the at least one user account and the L4 in the case that the server detects that the image data that the at least one user account transmits to other user accounts includes an erotic image.
[0031] In step S13, the server computes a probability that the at least one user account is stolen based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers.
[0032] The stolen probabilities corresponding to the individual preserved type identifiers may be obtained by the process as shown in Fig.3. The process includes steps S131 to S133.
[0033] In step S131, multiple samples of stolen accounts and multiple samples of normal accounts are collected.
[0034] In step S132, the amount of abnormal samples corresponding to the individual type identifiers among the multiple samples of stolen accounts and the amount of abnormal samples corresponding to the individual type identifiers among the multiple samples of normal accounts are counted.
[0035] In step S133, stolen probabilities corresponding to the individual type identifiers are computed.
[0036] For example, in step S131, 50000 samples of stolen accounts (hereinafter referred to as S) and 50000 samples of normal accounts (hereinafter referred to as S') are collected.
[0037] In step S132, upon counting, abnormality occurs to 8900 pieces of data with the type identifier L1 among the samples of stolen accounts, and abnormality occurs to 2790 pieces of data with the type identifier L1 among the samples of normal accounts. In this case, the probability that abnormality occurs to the data with the type identifier L1 among the samples of stolen accounts is computed, i.e., P(L1/S)=8900/50000=17.8%, and the probability that abnormality occurs to the data with the type identifier L1 among the samples of normal accounts is computed, i.e., P(L1/S')=2790/50000=5.58%.
[0038] In step S133, the stolen probability corresponding to the type identifier L1 is given by the following formula, i.e., 76%, based on the Bayes algorithm:
$$P(S/L1) = \frac{P(L1/S) \cdot P(S)}{P(L1/S) \cdot P(S) + P(L1/S') \cdot P(S')} = \frac{P(L1/S)}{P(L1/S) + P(L1/S')}$$
where P(S)=P(S').
Likewise, the stolen probability corresponding to the type identifier L2 is computed as 60%, the stolen probability corresponding to the type identifier L3 is computed as 70%, and the stolen probability corresponding to the type identifier L4 is computed as 50%.
[0039] Supposing that type identifiers corresponding to abnormal data of a certain user account, as collected by the server, are L1, L2 and L3, the probability that the user account is stolen P can be given by the following formula based on the Bayes algorithm, i.e., P=92%:
$$P = \frac{P(S/L1) \cdot P(S/L2) \cdot P(S/L3)}{P(S/L1) \cdot P(S/L2) \cdot P(S/L3) + (1 - P(S/L1)) \cdot (1 - P(S/L2)) \cdot (1 - P(S/L3))}$$
[0040] It may be understood that the probability that the user account is stolen may be alternatively obtained by any other algorithm (such as accumulation).
[0041] In step S14, the server judges whether the probability that the at least one user account is stolen is greater than a preset threshold, determines that the at least one user account is stolen in the case of positive judgment, and stores the at least one user account in a stolen account database.
[0042] The preset threshold may be set based on an empirical value, e.g., 80%.
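As an added illustration (not code from the patent), the following Python example carries steps S131 to S133, S13 and S14 through with the numbers above. The function names, the `prior_stolen` parameter and the rejection of fewer than two type identifiers are assumptions of this example; the L1 counts and the L2 to L4 probabilities are the ones given in paragraphs [0037] and [0038].

```python
"""Added illustration of steps S131-S133, S13 and S14; not code from the patent."""
from math import prod

THRESHOLD = 0.80  # example preset threshold from paragraph [0042]


def type_stolen_probability(stolen_abnormal, stolen_total,
                            normal_abnormal, normal_total, prior_stolen=0.5):
    """Return P(S/Li) by Bayes' rule from labelled sample counts (S132-S133).

    prior_stolen is P(S) (name is an assumption of this example). The
    simplified form of the formula in [0038] corresponds to
    P(S) = P(S') = 0.5, which is the default here.
    """
    if stolen_total <= 0 or normal_total <= 0:
        raise ValueError("both sample sets must be non-empty")
    if not 0.0 < prior_stolen < 1.0:
        raise ValueError("prior_stolen must lie strictly between 0 and 1")
    p_abn_given_stolen = stolen_abnormal / stolen_total   # P(Li/S)
    p_abn_given_normal = normal_abnormal / normal_total   # P(Li/S')
    numerator = p_abn_given_stolen * prior_stolen
    denominator = numerator + p_abn_given_normal * (1.0 - prior_stolen)
    if denominator == 0:
        raise ValueError("type was never abnormal in either sample set")
    return numerator / denominator


def combined_stolen_probability(type_ids, table):
    """Combine the per-type probabilities of one account (step S13).

    Implements the product formula of [0039]; it treats the abnormality
    types as independent pieces of evidence.
    """
    ids = sorted(set(type_ids))  # a type counts once, however often it fired
    unknown = [t for t in ids if t not in table]
    if unknown:
        raise KeyError(f"no stored stolen probability for {unknown}")
    if len(ids) < 2:
        # Step S12 collects at least two type identifiers per account.
        raise ValueError("at least two distinct type identifiers are required")
    hit = prod(table[t] for t in ids)
    miss = prod(1.0 - table[t] for t in ids)
    if hit + miss == 0:
        raise ValueError("contradictory certain evidence (0 and 1 combined)")
    return hit / (hit + miss)


def is_stolen(type_ids, table, threshold=THRESHOLD):
    """Step S14: flag the account when the probability exceeds the threshold."""
    return combined_stolen_probability(type_ids, table) > threshold


# L1 is derived from the counts in [0037]; L2-L4 are the values stated in
# [0038] (the page gives no sample counts for them).
STOLEN_PROBABILITY = {
    "L1": type_stolen_probability(8900, 50000, 2790, 50000),
    "L2": 0.60,
    "L3": 0.70,
    "L4": 0.50,
}

if __name__ == "__main__":
    print(f"P(S/L1) = {STOLEN_PROBABILITY['L1']:.2%}")
    for ids in (["L1", "L2", "L3"], ["L1", "L2"], ["L2", "L3"], ["L1", "L4"]):
        p = combined_stolen_probability(ids, STOLEN_PROBABILITY)
        verdict = "stolen" if is_stolen(ids, STOLEN_PROBABILITY) else "not flagged"
        print(f"{'+'.join(ids):<10} P = {p:.2%}  {verdict}")
    # Same L1 counts with a 1% prior instead of the equal-prior assumption.
    rare = type_stolen_probability(8900, 50000, 2790, 50000, prior_stolen=0.01)
    print(f"P(S/L1) with P(S) = 1%: {rare:.2%}")
```

A 50% signal such as L4 leaves the combined value unchanged, so L1 with L4 stays at the L1 probability and below the 80% threshold. Lowering `prior_stolen` to a realistic base rate shows how strongly the equal-prior assumption P(S)=P(S') drives the 76% figure.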
[0043] In another embodiment of the method for detecting a user account, the at least one user account in the stolen account database is further submitted to an account protection system for protection or restriction. For example, an announcement of abnormality is delivered to a client device corresponding to the at least one user account, where the announcement of abnormality includes existing risks and password change suggestion. For another example, the account may be directly restricted.
[0044] In the embodiments of the invention, it is detected whether a user account is stolen based on the abnormality of multiple types of data, which is of high precision and is convenient for a system to protect the user account.
[0045] Reference is made to Fig.4, which illustrates a flowchart of a method for detecting whether an account is stolen according to another embodiment of the invention. The steps of the method in this embodiment are substantively the same as the steps illustrated in Fig.1 (which shall be omitted herein). However, the executing element of the steps in Fig.4 is different from that in Fig.1. As shown in Fig.4, this embodiment includes steps S21-S24. Step S21 is executed by a detecting server, which sends at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data to a computing server. Steps S22 and S23 are executed by the computing server, and the storage of a stolen user account in a storage server instead of the stolen account database is executed and determined by the computing server.
[0046] There may be one or more detecting servers. In the case of more than one detecting server, each detecting server detects one type of data.
[0047] Another embodiment of the invention provides a non-transitory computer storage medium, having stored therein a program when executed causing a computer to execute a part or all of the steps of methods as illustrated in any one of embodiments in Fig.2-Fig.4.
[0048] Reference is made to Fig.5, which illustrates a structural view of a device for detecting whether an account is stolen according to an embodiment of the invention. The device 10 includes: a detecting and determining module 11, a collecting module 12, a computing module 13, and a determining and storing module 14.
[0049] The detecting and determining module 11 detects data operated by user terminals through user accounts, determines whether abnormality occurs to the user accounts-related data based on a preset rule, where the user accounts-related data are of multiple types, each of which corresponds to a type identifier.
[0050] The collecting module 12 collects at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data.
[0051] The computing module 13 computes a probability that the at least one user account is stolen based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers.
[0052] The judging and storing module 14 judges whether the probability that the at least one user account is stolen is greater than a preset threshold, determines that the at least one user account is stolen in the case of positive judgment and stores the at least one user account into a stolen account database.
[0053] In this embodiment, the user accounts-related data includes at least one of the following types: virtual property consumption data of the user accounts, text data that the user accounts transmit to other user accounts and image data that the user accounts transmit to other user accounts.
[0054] The preset rule may include:
determining as an abnormality in the case that a consumption amount of virtual property consumption data of a user account exceeds a preset amount or that a consumption frequency exceeds a preset frequency;
determining as an abnormality in the case that text data that a user account transmits to other user accounts includes advertisement information; and
determining as an abnormality in the case that image data that a user account transmits to other user accounts includes an erotic image.
[0055] As shown in Fig.6, the computing module 13 includes:
a sample collecting unit 131, configured to collect multiple samples of stolen accounts and multiple samples of normal accounts;
a counting unit 132, configured to count the amount of abnormal samples corresponding to the individual type identifiers among the multiple samples of stolen accounts and the amount of abnormal samples corresponding to the individual type identifiers among the multiple samples of normal accounts; and
a first computing unit 133, configured to compute stolen probabilities corresponding to the individual type identifiers.
[0056] Fig.7 is another structural diagram of a computing module in Fig.5. Compared with Fig.6, the computing module as illustrated in Fig.7 further includes: a second computing unit 134, configured to compute the probability that the collected at least one user account is stolen.
[0057] The probability that the collected at least one user account is stolen may be computed by Bayes algorithm.
[0058] It shall be stated that functions of individual functional modules of a detecting device of the stolen accounts in the embodiments of the invention may be achieved according to the method in the aforementioned embodiments of methods, the implementing process of which may be referred to the description of the aforementioned embodiments of methods, which shall be omitted herein.
[0059] It shall be stated that the above modules are classified based on logic functions. In practice, a function of one module may also be achieved by multiple modules, or a function of multiple modules may be achieved by one module.
[0060] Reference is made to Fig.8, which illustrates a structural view of a system for detecting whether an account is stolen according to an embodiment of the invention. The system 20 includes: a detecting server 21, a computing server 22, and a storage server 23.
[0061] The detecting server 21 is configured to detect multiple types of data operated by user terminals through user accounts, where each type corresponds to a type identifier, determine whether abnormality occurs to the user accounts-related data based on a preset rule, and transmit at least two type identifiers corresponding to the types of abnormal data and at least one user account with data abnormality to the computing server 22 in the case of a positive determination.
[0062] The computing server 22 is configured to collect the at least one user account with data abnormality and the at least two type identifiers corresponding to the abnormal data, compute a probability that the collected at least one user account is stolen based on the at least two type identifiers corresponding to the collected at least one user account and stolen probabilities corresponding to individual preserved type identifiers, judge whether the probability that the at least one user account is stolen is greater than a preset threshold, determine that the at least one user account is stolen in the case of positive judgment, and transmit the at least one user account to the storage server 23 for storage.
[0063] It shall be stated that the functions of individual servers of the system for testing whether an account is stolen according to the present embodiment of the disclosure may be achieved according to the methods in the aforementioned embodiments for methods, the implementing process of which may be referred to the description in the aforementioned embodiments for methods and shall be omitted herein.
[0064] In the present disclosure, the terms "first" and "second" are used only to distinguish one entity/operation from another entity/operation, and do not require or indicate any relationship or order between these entities/operations. Also, the term "include" or any other variant is intended to cover non-exclusive inclusion, so that a process, method, article or device which contains a series of elements contains not only those elements but also other elements which are not specifically listed, or further contains elements that are inherent to the process, method, article or device. Under the condition that there is no further restriction, an element defined by a sentence "including one " shall not exclude that other same elements may exist in the process, method, article or device which contains these elements.
[0065] It shall be understood by those with ordinary skills in the art that all or part of the steps in the above embodiments can be completed through hardware, or be completed through a program instructing a relevant hardware (such as a processor). The program can be stored in a computer readable storage medium, where the aforementioned storage medium may be a ROM (Read-Only Memory), a magnetic disk or an optical disk.
[0066] The foregoing description is merely embodiments of the invention. The protection scope sought for in the present application is defined in the appended claims.

Claims

1. A method for detecting whether an account is stolen, comprising:
detecting, by a server, data operated by user terminals through user accounts;
determining, by the server, whether abnormality occurs to the user accounts-related data based on a preset rule, wherein the user accounts-related data are of a plurality of types, each of which corresponds to a type identifier;
collecting, by the server, at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data;
computing, by the server, a probability that the at least one user account is stolen based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers; and
judging, by the server, whether the probability that the at least one user account is stolen is greater than a preset threshold, determining the at least one user account to be stolen in the case of positive judgment, and storing the at least one user account in a stolen account database.
2. The method according to claim 1, wherein the user accounts-related data comprises at least one of the following types: login data of the user accounts, virtual property consumption data of the user accounts, text data that the user accounts transmit to other user accounts, and image data that the user accounts transmit to other user accounts.
3. The method according to claim 2, wherein the preset rule comprises:
determining as an abnormality in the case that any one of the login data of a user account, including a login time, a login password, a login place and a user terminal used for login, changes;
determining as an abnormality in the case that the consumption amount of the virtual property consumption data of a user account exceeds a preset amount or the consumption frequency exceeds a preset frequency;
determining as an abnormality in the case that the text data that a user account transmits to other user accounts includes advertisement information; or
determining as an abnormality in the case that the image data that a user account transmits to other user accounts includes an erotic image.
4. The method according to claim 1, wherein the stolen probabilities corresponding to the individual preserved type identifiers may be obtained by a process comprising:
collecting a plurality of samples of stolen accounts and a plurality of samples of normal accounts;
counting the amount of abnormal samples corresponding to the individual type identifiers among the plurality of samples of stolen accounts and the amount of abnormal samples corresponding to the individual type identifiers among the plurality of samples of normal accounts; and
computing stolen probabilities corresponding to the individual type identifiers.
5. The method according to claim 1, wherein the probability that the collected at least one user account is computed based on the Bayes algorithm.
6. A method for detecting whether an account is stolen, comprising:
detecting, by a detecting server, data operated by user terminals through user accounts, wherein the user accounts-related data are of a plurality of types, each of which corresponds to a type identifier;
determining, by the detecting server, whether abnormality occurs to the user accounts-related data based on a preset rule;
sending, by the detecting server, at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data to a computing server in the case of abnormality;
collecting, by the computing server, the at least one user account with data abnormality and the at least two type identifiers corresponding to the abnormal data;
computing, by the computing server, a probability that the collected at least one user account is stolen, based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers; and
judging, by the computing server, whether the probability that the at least one user account is stolen is greater than a preset threshold, determining the at least one user account to be stolen in the case of positive judgment, and sending the at least one user account to a storage server.
7. A device for detecting whether an account is stolen, comprising:
a detecting and determining module, configured to detect data operated by user terminals through user accounts, determine whether abnormality occurs to the user accounts-related data based on a preset rule, wherein the user accounts-related data are of a plurality of types, each of which corresponds to a type identifier;
a collecting module, configured to collect at least one user account with data abnormality and at least two type identifiers corresponding to the abnormal data;
a computing module, configured to compute a probability that the at least one user account is stolen based on the collected at least two type identifiers and stolen probabilities corresponding to individual preserved type identifiers; and
a judging and storing module, configured to determine whether the probability that the at least one user account is stolen is greater than a preset threshold, determine that the at least one user account is stolen in the case of positive judgment and stores the at least one user account into a stolen account database.
8. The device according to claim 7, wherein the user accounts-related data includes at least one of the following types: virtual property consumption data of the user accounts, text data that the user accounts transmit to other user accounts, and image data that the user accounts transmit to other user accounts.
9. The device according to claim 8, wherein the preset rule comprises:
determining as an abnormality in the case that a consumption amount of virtual property consumption data of a user account exceeds a preset amount or that a consumption frequency exceeds a preset frequency;
determining as an abnormality in the case that text data that a user account transmits to other user accounts includes advertisement information; or
determining as an abnormality in the case that image data that a user account transmits to other user accounts includes an erotic image.
10. The device according to claim 7, wherein the computing module comprises: a sample collecting unit, configured to collect multiple samples of stolen accounts and multiple samples of normal samples;
a counting unit, configured to count the amount of abnormal samples corresponding to the individual type identifiers among the multiple samples of stolen accounts and the amount of abnormal samples corresponding to the individual type identifiers among the multiple samples of normal accounts; and
a first computing unit, configured to compute stolen probabilities corresponding to the individual type identifiers.
11. The device according to claim 7, wherein the computing module comprises: a second computing unit, configured to compute the probability that the collected at least one user account is stolen.
12. A system for detecting whether an account is stolen, comprising: a detecting server, a computing server, and a storage server, wherein:
the detecting server is configured to detect a plurality of types of data operated by user terminals through user accounts, wherein each type corresponds to a type identifier, determine whether abnormality occurs to the user accounts-related data based on a preset rule, and transmit at least two type identifiers corresponding to the types of abnormal data and at least one user account with data abnormality to the computing server in the case of positive determination;
the computing server is configured to collect the at least one user account with data abnormality and the at least two type identifiers corresponding to the abnormal data, compute a probability that the collected at least one user account is stolen based on the at least two type identifiers corresponding to the collected at least one user account and stolen probabilities corresponding to individual preserved type identifiers, judge whether the probability that the at least one user account is stolen is greater than a preset threshold, determine that the at least one user account is stolen in the case of positive judgment, and transmit the at least one user account to the storage server for storage.
13. A non-transitory computer storage medium, having stored therein a program when executed causing a computer to execute the method of any one of claims 1-5.
PCT/CN2014/083706 2013-08-05 2014-08-05 Method, device and system for detecting whether account is stolen WO2015018314A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310337072.0 2013-08-05
CN201310337072.0A CN104348810B (en) 2013-08-05 2013-08-05 The detection method of stolen account number, apparatus and system

Publications (1)

Publication Number Publication Date
WO2015018314A1 true WO2015018314A1 (en) 2015-02-12

Family

ID=52460652

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/083706 WO2015018314A1 (en) 2013-08-05 2014-08-05 Method, device and system for detecting whether account is stolen

Country Status (2)

Country Link
CN (1) CN104348810B (en)
WO (1) WO2015018314A1 (en)

Also Published As

Publication number Publication date
CN104348810A (en) 2015-02-11
CN104348810B (en) 2019-02-22


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14834036

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC ( EPO FORM 1205A DATED (13/07/2016)

122 Ep: pct application non-entry in european phase

Ref document number: 14834036

Country of ref document: EP

Kind code of ref document: A1