WO2016192495A1 - 账号被盗的风险识别方法、识别装置及防控系统 - Google Patents

账号被盗的风险识别方法、识别装置及防控系统 Download PDF

Info

Publication number
WO2016192495A1
WO2016192495A1 PCT/CN2016/080446 CN2016080446W WO2016192495A1 WO 2016192495 A1 WO2016192495 A1 WO 2016192495A1 CN 2016080446 W CN2016080446 W CN 2016080446W WO 2016192495 A1 WO2016192495 A1 WO 2016192495A1
Authority
WO
WIPO (PCT)
Prior art keywords
risk
user
information
user identity
operation behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2016/080446
Other languages
English (en)
French (fr)
Chinese (zh)
Inventor
谭纯平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to EP16802418.0A priority Critical patent/EP3306512B1/en
Priority to SG11201709594XA priority patent/SG11201709594XA/en
Priority to ES16802418T priority patent/ES2808974T3/es
Priority to PL16802418T priority patent/PL3306512T3/pl
Priority to JP2017562009A priority patent/JP6732806B2/ja
Priority to KR1020177037102A priority patent/KR102138965B1/ko
Publication of WO2016192495A1 publication Critical patent/WO2016192495A1/zh
Priority to US15/816,207 priority patent/US11233812B2/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/126Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/63Location-dependent; Proximity-dependent

Definitions

  • the present application relates to network security technologies, and in particular, to a method for identifying a risk of an account being stolen, an identification device, and an prevention and control system.
  • One type of solution is to identify the risk of piracy by monitoring whether the transaction request of the transaction user is abnormal. For example, detecting whether the user logs in remotely, and asking the user to perform verification when the remote login occurs; if the verification is unsuccessful, the user account will be frozen.
  • Offsite login is a common form of piracy, so monitoring the remote login request helps identify the risk of piracy in a timely manner.
  • the network operator may change the pool of IP addresses it owns, especially when IP addresses are allocated between cities, normal users will be identified as risky users, which results in a higher error rate for pirate identification.
  • Another type of solution is to identify the risk of piracy by monitoring key equipment. For example, the number of transaction users on the transaction log-in device is counted as an input variable that identifies the stolen risk score model, thereby evaluating the risk level of the stolen account on the device. If there are fewer users trading on one device, the probability of the risk of piracy is relatively low; otherwise, if there are many users trading on the device, the risk of burglary is greatly increased. Therefore, it is important to monitor such devices with more transaction users and to some extent identify the piracy incidents. However, the variable number of transaction users on the device has a poor distinguishing ability and stability. For a normal single-device multi-user transaction, the solution is likely to cause a recognition error.
  • piracy risk identification schemes of other network operation behaviors often have the problems of misjudgment and missed judgment, and their ability to distinguish between piracy risks is not strong enough, resulting in the overall effect of these schemes is not ideal. In view of this, it is necessary to design a new piracy risk identification scheme.
  • the purpose of the present application is to provide a risk identification method, an identification device, and an prevention and control system for the theft of an account, so as to effectively improve the ability to distinguish the risk of piracy.
  • the present application provides a risk identification method for account theft, including:
  • the user identity information includes the certificate information in the user registration information; the step of resolving the user identity of the user identity information in the analysis of the user identity information, and the number of the device user identity resolutions in the time period, specifically: According to the ID type and the ID number in each user registration information, the user identity is obtained and the number of the device user identity is calculated.
  • the step of obtaining the user identity resolution and counting the device user identity resolution according to the document type and the document number in each user registration information includes:
  • the document type is a domestic identity card in China
  • the first six digits of each document number are parsed to obtain the user identity resolution location, and the number of the device user identity is calculated according to this;
  • the type of documents is a non-resident ID card in China or a foreign certificate in China
  • the type of each certificate or Each ID number corresponds to a user identity resolution, and the number of device user IDs is calculated according to this.
  • the step of collecting the device information of the operation behavior carrying device according to the current operation behavior information includes: acquiring the device information corresponding to the device by collecting the device identification code of the device.
  • the step of acquiring the corresponding device information of the device by using the device identification code of the device includes:
  • the collected device information includes MAC, IP, and/or UMID;
  • the collected device information includes a MAC, an IMEI, a TID, and/or a mobile phone number.
  • the step of acquiring the corresponding device information of the device by using the device identification code of the device includes:
  • the unique device When the unique device is identified, the number of the user identity of the device is analyzed and counted;
  • the number of user identity resolutions of each device is analyzed and counted;
  • the device user identity is counted as 0;
  • the obtained device user identity resolution number is used as an input variable of the preset scoring model to evaluate the device's piracy risk level.
  • the step of determining the risk of the account being stolen according to the number of the user's identity in the time period is determined according to the number of all users on the device, and the current operation behavior is bound to the mobile phone number.
  • Number, current user history operation behavior device number, current user history operation behavior IP address number, current user's current operation behavior information and historical operation behavior information difference and/or current operation behavior routing feature information and history The operational behavior routing feature information is the same to assess the user's risk of piracy for the current operational behavior.
  • the determining the current operating behavior according to the number of the device user identity in the time period is The risk step of the account being stolen further includes: calculating the account stolen risk value according to the piracy risk level of the device and the piracy risk level of the current operation behavior user, and identifying that the account is stolen when the risk value is greater than a preset threshold .
  • the application also provides a risk identification device for the theft of an account, comprising:
  • the device information collection module collects device information of the operation behavior login device according to the current operation behavior information
  • the user information obtaining module acquires all user identity information of historical operation behaviors on the device within a preset time period before the operation behavior;
  • the user identity parsing module parses the user identity resolved in the identity information of each user, and counts the number of device user identity resolving points in the time period;
  • the piracy risk assessment module determines the number of the device user identity in the time period to determine whether the current operation behavior has the risk of the account being stolen.
  • the user identity information includes the credential information in the user registration information; the user identity parsing module obtains the user identity resolving point and counts the device user identity parsing according to the ID type and the ID number in each user registration information. number.
  • the user identity parsing module determines the parsing method of the user identity parsing according to the type of the credential type; and parses the first six digits of each credential number to obtain the user identity parsing when the credential type is a Chinese resident ID card Ground, and according to this statistics, the number of users of the device is resolved; when the document type is a non-resident ID card in China or a Chinese overseas ID, it is presumed that each document type or each document number corresponds to a user identity resolution, and accordingly Count the number of user IDs of the device.
  • the device information collection module acquires device information corresponding to the device by collecting the device identification code of the device.
  • the device information collection module determines the collection content of the device information according to the type of the device; when the device is a PC, the collected device information includes MAC, IP, and/or UMID; when the device is a mobile terminal, The collected device information includes MAC, IMEI, TID, and/or mobile phone number.
  • the user identity parsing module determines, according to the number of devices identified by the device information collection module by using the device identification code, a statistical manner of determining the number of the device user identity: when the unique device is identified, the statistical analysis is performed.
  • the number of device user IDs is resolved; when multiple devices are identified, the number of user identity resolutions of each device is analyzed and counted; when the device is not identified, the device user identity is counted as 0; the obtained device user identity is resolved.
  • the number of grounds is used as an input variable of the default scoring model of the piracy risk assessment module, and is used to assess the piracy risk level of the device.
  • the piracy risk assessment module combines the total number of users on the device, the number of mobile phone numbers bound by the current operation behavior, the number of current user history operation behavior devices, the current user history operation behavior IP address number, and the current number.
  • the current operational behavior of the user differs from the historical operational behavior information and/or whether the current operational behavior routing feature information and the historical operational behavior routing feature information are the same, to assess the current operational behavior user's risk of piracy.
  • the piracy risk assessment module calculates the account stolen risk value according to the piracy risk level of the device and the piracy risk level of the current operation behavior user, and identifies that the account is stolen when the risk value is greater than a preset threshold.
  • the present application further provides a risk prevention and control system for the theft of an account, comprising: the above-mentioned risk identification device, the pirate reporting device and the risk processing device, wherein:
  • the risk identification device is configured to calculate an account stolen risk value in the operation behavior platform, and identify that the account is stolen when the risk value is greater than a preset threshold;
  • the hacking and reporting device is configured to report the account theft information to the risk processing device and the user receiving device when the risk identification device identifies that the account is stolen;
  • the risk processing device is configured to freeze the stolen account of the user and intercept the risk data associated with the stolen account when receiving the account stolen message.
  • the system includes: having a case database for storing the risk processing device intercepted
  • the risk data is used by the risk processing device to check the risk data, and the risk identification device performs verification on the scoring model.
  • the present application proposes a solution for identifying the risk of piracy based on the number of device user identities, which analyzes the statistics by logging all user identity information on the device for a period of time before the operation behavior is collected.
  • the user identity of the device is analyzed, and the statistic is used as an input variable of the risk scoring model to assess the risk of piracy, which can effectively improve the ability to distinguish the risk of piracy.
  • the different identity of the user on the login device in the recent period of time is a more effective and stable variable. If the device has multiple different identity resolutions in the most recent period of time, The risk of piracy is high in the operation behavior account.
  • FIG. 1 is a diagram showing the relationship between the number of device user identity resolutions and the risk of piracy in a network platform of a network platform within 7 days before the current operation behavior;
  • FIG. 2 is a flow chart showing a method for identifying a risk of an account being stolen according to an embodiment of the present application
  • FIG. 3 is a block diagram showing a risk identification device for stealing an account in accordance with an embodiment of the present application
  • FIG. 4 is a block diagram showing a risk prevention and control system in which an account is stolen according to an embodiment of the present application.
  • the following embodiments of the present application introduce equipment within a period of time prior to the current operational behavior in the risk scoring model
  • the user identity resolves the number of such input variables to improve the risk differentiation ability of the model variables.
  • This solution requires the establishment of a risk scoring model based on data mining techniques.
  • the main modeling steps include determining research objectives, determining data sources and sample extraction, data exploration, model development, and model validation.
  • the focus of this application is on the scoring model. Build the appropriate input variables. Since the scoring model itself is not the primary focus of this application, other details of the modeling are not being developed. For details, please refer to the prior art.
  • the inventor of the present application collects massive data of user operation behavior on a certain network platform for data analysis and data mining. For example, for the above platform, the device information is collected when each operation behavior of the user occurs, and the number of users of the platform on the device in the latest period of time on the device is also counted, and the user of the platform on the device is used. The number can identify the risk of piracy, but this often leads to misjudgment. Based on the data analysis, the inventor of the present application found that, for the above-mentioned platform operation behavior, the situation of human operation behavior in the same place on the same device is far more common than the situation of human operation behavior in different places.
  • a more effective and stable variable is to calculate different identity resolutions of the number of users of the above-mentioned platform on the device in the recent period of time, and the identity resolution is best resolved to the county (city) granularity; if the operation behavior When the device has a number of different identity resolutions in the most recent period of time, the risk of such operational behavior is very high.
  • the “operational behavior” referred to in this application is a broad concept, which is not limited to the above-mentioned platforms, such as business activities with funds and goods transfer, between users and service platforms in various network applications, and different users.
  • the data exchange between the two is also within the scope of the "operational behavior" of the present application.
  • the login event of the social networking site belongs to the "operational behavior” referred to in the present application.
  • the inventor of the present application regards the number of device user identifications in the preset time period before the operation behavior as a risk.
  • the input variable for the scoring model can eliminate some of the multi-user operation behaviors but have low risk, thus improving the ability and stability of variables to distinguish risks.
  • the inventor of the present application proposes the following basic idea: the number of the user identity of the device user is used as an input variable for a period of time before the current operational behavior, and the risk level of the device is assessed by a predetermined scoring model, so as to be more timely and effective. Identify the risk of a user account being stolen.
  • This technical concept mainly involves three aspects: variable construction, recognition process, and model verification, which are described in further detail below.
  • the operation information (such as the operation behavior of a payment platform) is the device information of the login device.
  • Device information can be obtained through the device identification code of the collection device, such as MAC (Medium Access Control), UMID (Unique Material Identifier), IP (Internet Protocol) address, IMEI (International Mobile) Equipment Identity, mobile device country ID, TID (THREAD Identifier), mobile phone number, etc. to identify.
  • MAC Medium Access Control
  • UMID Unique Material Identifier
  • IP Internet Protocol
  • IMEI International Mobile Equipment Identity
  • mobile device country ID mobile device country ID
  • TID TID
  • mobile phone number etc.
  • a PC Personal Computer
  • the operation behavior is the user identity resolution on the login device.
  • the user identity resolution is usually determined according to the type of the certificate and the ID number.
  • the first six digits of the Chinese resident ID card can be expressed as the county (city), and the first six digits can be identified to know which administrative region the user is from, and thus Get the user identity resolution.
  • Interval The interval between the operation time (such as 30 minutes, 2 hours, 12 hours, 1 day, 3 days, 7 days, etc.). There are large differences in various operational behavior platforms, which may be determined according to factors such as operational behavior requests and operational behaviors, and will not be described again.
  • the number of user identity resolutions on the statistical device In the normal operating behavior environment, the number of user identity resolutions on the device is usually small; if the number of device user resolutions is large, it indicates that the account is stolen. The risk is high, which is a very reliable conclusion based on a large amount of data analysis.
  • the present application determines the specific variable as the number of different identity resolutions of all users of the operation behavior device within a certain time interval before the current operation behavior, and this statistical variable can improve the risk differentiation ability of the model variable.
  • This variable has a strong correlation with the risk of piracy. If there are multiple different identities in the device in the most recent period before the operation, the risk of account hacking on the device is higher.
  • the piracy risk can be identified based on the user identity of different devices.
  • the advantage is that the ability and stability of the variable to distinguish risks can be improved. Specifically, the following process is required to identify the risk of piracy.
  • the user identity here is usually identified as a city.
  • the “city” here refers to the administrative area and cannot be narrowly understood as the concept opposite to the rural area.
  • the device evaluates the risk level according to the number of user identifications. Specifically, after obtaining the number of device user identifications within the preset time period before the current operation behavior, the device is input as a variable into the risk scoring model. After comprehensively considering the weights of the variables in the model, the risk level of the equipment can be obtained. If the score is high, it indicates that the risk of piracy is high. At this time, it is necessary to monitor this equipment.
  • the input variable "the number of device user IDs in the preset time period before the current operation behavior" affects the prediction effect of the risk scoring model and should be verified. If the variable is valid, the user's risk of piracy can be automatically identified according to the process of step 2 above; otherwise, the scoring model and related input variables need to be re-adjusted.
  • the historical operational behavior identification is a case.
  • the historical operation behavior data on the device needs to be associated in order to prove that the introduced such variables are valid. That is to say, whether the variable is valid or not needs to be measured by historical operational behavior data; in other words, historical operational behavior data can distinguish whether or not the piracy is made.
  • the historical operation behavior is stealing, and the flag is "bad”; otherwise the flag is "good”. If the risk of piracy identified by step 2 is “bad” and the historical operational behavior indicator is “bad”; or the result of the piracy risk identified by step 2 is “good”, and the historical operational behavior indicator is also It is "good”; the verification is passed, otherwise the verification does not pass. If the probability of passing the verification is high, it indicates that the number of device user identifications in the preset time period before the current operation behavior is introduced as an input variable into the scoring model, that is, the variable has a high risk distinguishing ability.
  • the risk differentiation ability of the above variables can be further quantified. Specifically, it can be realized by segmentation calculation of the piracy discrimination ability index of the number of device identity resolving points in the preset time period before the current operation behavior.
  • These quantitative indicators mainly include two categories: the degree of lift and the interval IV value (Infofmation Value, Information value).
  • Lifting degree interval stolen account transaction concentration / average stolen account transaction concentration
  • Interval IV WE ⁇ (interval non-stealing account transactions accounted for all non-stealing account transactions ratio-interval stolen account transactions accounted for all stolen account transactions)
  • WOE Weight Of Eividence
  • the risk differentiation ability result of the variable “the number of devices in the pre-set time period before the current operation behavior” is calculated, which can effectively verify the validity of the introduction of the scoring model.
  • the following is an example of the piracy discriminating ability index of the number of parsing device users in the 7 days before the current operating behavior of the MAC device. The calculation results are shown in Table 1:
  • Table 1 The number of device user identity resolutions before the MAC device operation behavior
  • Table 1 can be presented in a graphical manner. Referring to FIG. 1 , the relationship between the number of device user identity resolutions and the risk of piracy in a payment platform MAC device within 7 days before the current operation behavior is shown. It can be seen from Table 1 and FIG. 1 that the lifting degree of the device user identity resolving number is greater than 2, which is 13.82, that is, the ability to identify the risk of piracy by the MAC device within 7 days of the operation behavior of the user identity is improved by 13.82. Double, thus indicating that the ability to distinguish between the piracy of this variable is very effective.
  • each quantitative indicator is also ideal. This indicates that the application introduces input variables such as the number of device user identifications in the risk scoring model for a period of time before the current operational behavior to assess the risk of piracy, which can improve the risk differentiation ability of the model variables. Other piracy risk identification effects are ideal.
  • the present application also binds the number of users on the device and the current operation behavior.
  • the technical concept of identifying the risk of piracy is determined systematically and in principle by using the statistic of the number of device user identifications in the preset time period before the current operation behavior, and the following further concretely The implementation plan is explained. Based on the previous analysis, after determining the risk scoring model and the input variables and verifying the success, as long as the application is deployed in the server segment according to the foregoing step 2, it is not necessary to repeat the modeling and verification.
  • the risk identification method includes the following main steps, such as steps 210 to 240, which are described in detail below.
  • S210 Collect device information of the operation behavior login device according to the current operation behavior information.
  • the device information of the operation behavior login device is collected by the corresponding device on the server side, which is generally obtained by collecting the device identification code of the device.
  • PC devices often have MAC, IP, and/or UMID.
  • Mobile terminals often have MAC, IMEI, TID, and/or mobile phone numbers, etc., so The type to determine the collection content of the device information.
  • the PC collects the MAC, the IP, and/or the UMID, and the mobile terminal can collect the MAC, the TID, and/or the mobile phone number.
  • the specific information collection and identification method please refer to the prior art, and details are not described herein.
  • the current operational behavior referred to in this S210 step may be a login for a user account.
  • the request may also be a preset data operation request for a user account or the like.
  • the preset data operation request for the user account may include: a password modification request for the user account, a balance transfer request for the user account, an item purchase request for the user account, and the like. It can be understood that the preset data operation request may be preset by the server, or may be preset by the user through the client, and is not limited herein.
  • the login information of the user usually includes the user identifier, the information of the client that the user initiates the login request, and the information of the server that receives the login request. Therefore, the routing path of the user is obtained according to the login information of the user, and the current routing feature information is extracted from the routing path of the user login, and the routing information information of the current operation behavior is compared with the historical operation behavior routing feature information. It is also possible to assess the level of risk of piracy for users of current operational behavior.
  • the risk identification for a single account single operation behavior is very complicated and difficult to implement, and it is a very effective method to mine the relationship between multiple account operation behaviors.
  • the present application assesses the risk of piracy of the device by the number of device user resolutions within a preset time period before the current operation behavior, which requires extracting all user identities of historical operation behaviors on the device during the time period. Information, especially the extraction of user identity analysis is particularly important.
  • the time interval (eg, 30 minutes, 2 hours, 12 hours, 1 day, 3 days, 7 days, etc.) of the user on the device may be generally determined according to factors such as an operation behavior platform, an operation behavior request, and an operational behavior.
  • the identity area of each user can be further analyzed, and after counting the number of the device user identity in the time period, it can be used as a variable of the risk score model. score.
  • the operation behavior of the device in the most recent period before the current operation behavior is used by a payment platform.
  • the different identity of the number of households is a very effective and stable variable, so the statistic of the number of device user identities in the time period can be input into the risk scoring model as a variable, and finally the user is identified. Whether the account is stolen.
  • the granularity of the user identity resolution has a large correlation with the output of the scoring model.
  • the application distinguishes the granularity of the city as the user identity, so that the piracy risk recognition effect achieves a satisfactory effect.
  • the step S230 obtains the user identity resolution and counts the number of device user identity resolutions according to the document type and the certificate number in each user registration information, and specifically determines the resolution method of the user identity resolution according to the type of the certificate type. :
  • the document type is a Chinese resident ID card
  • the first six of them are county (city) level administrative areas, so the first six digits of each ID number can be easily parsed to obtain the user identity resolution location, and the device user identity is counted accordingly. Analyze the number of places;
  • the document type is a non-resident ID card in China (such as a military officer's card) or a Chinese overseas certificate (such as a passport)
  • the administrative area where the user's identity is located cannot be directly identified.
  • this situation is relatively small, so it can be simply considered that each document type or each document number corresponds to a user identity resolution, and according to this, the device user identity is calculated.
  • the numbering manner of these document types is obtained during modeling, the user identity can be obtained according to the specific document number, and will not be described again.
  • the device information acquired in step S210 may have different situations: in most cases, multiple device information, such as MAC, IMEI, etc., may be collected at the same time; however, due to technical reasons, certain scenarios or system restrictions The device information when the operation behavior cannot be collected; or the device information collected during the operation behavior is an obvious hot spot and needs to be excluded; and so on. For these situations, it is necessary to adjust the parsing and statistical methods of the number of device user identity parsing accordingly.
  • multiple device information such as MAC, IMEI, etc.
  • steps S220-S230 the number of devices identified by the device identification code is required to determine the device.
  • the statistical method of the number of user identity resolutions specifically:
  • the identity of each user in the unique device is resolved, and the number of the user identity of the device is counted;
  • each user identity resolution field in each device is parsed, and the number of user identity resolutions of each device is counted;
  • the number of the device user identity is determined to be 0;
  • the number of device user identifications obtained in the above manner is used as an input variable of the preset scoring model, and is introduced into the risk scoring model to assess the risk piracy level of the device, so as to measure the variable pair in the scoring model through historical operational behavior data.
  • S240 Determine the number of the device user identity in the time period to determine whether the current operation behavior has the risk of the account being stolen.
  • the number of resolving the device user identity in the time period is an input variable of the preset scoring model, and the piracy risk level of the device is assessed.
  • the piracy risk level indicates the risk of the account being stolen. If the piracy risk level exceeds the set threshold, the account is stolen; otherwise, the account is not stolen.
  • the user After obtaining the statistics of the number of device user identifications in the preset time period before the operation behavior according to the foregoing steps S210-S230, the user may be introduced into the risk score model to obtain the equipment piracy risk level, thereby achieving Identify the risk of account theft so that timely action can be taken to eliminate the risk.
  • the present application further combines the number of all users on the device, the number of mobile phone numbers bound by the current operation behavior, and the current user.
  • the ability of the pirate risk identification of the present application is greatly improved after combining various factors.
  • the application calculates the account stolen risk value according to the piracy risk level of the device and the piracy risk level of the current operation behavior user. When the risk value is greater than the preset threshold, the account is stolen, and the account is stolen when the account is stolen.
  • the piracy reminder information is processed by the operation platform and the user in time to eliminate the security risks of piracy and avoid property damage or other problems.
  • the present application also provides a risk identification device for stealing an account (hereinafter referred to as a device), which will be described in detail below.
  • the device 300 is composed of a device information collection module 310, a user information acquisition module 320, a user identity analysis module 330, and a piracy risk assessment module 340.
  • the following sections describe each part.
  • the device information collection module 310 can collect device information of the operation behavior login device according to the current operation behavior information.
  • the device information collection module 310 obtains the device information corresponding to the device by collecting the device identification code of the device, and determines the content of the device information according to the type of the device, that is, for the PC, collecting the MAC, IP, and/or UMID; for mobile terminals, collect MAC, IMEI, TID and/or mobile number.
  • the user information obtaining module 320 may acquire all user identity information of the historical operation behavior on the device within a preset time period before the operation behavior. After obtaining the user information of the historical operation behavior in the corresponding time period, the user information obtaining module 320 provides the user identity analysis module 330 to analyze the identity region of each user, and counts the number of device user identity resolutions in the time period, and then It can be scored as a variable in the risk scoring model.
  • the user identity parsing module 330 can parse the user identity resolving location represented in each user identity information. Count the number of device user IDs in the time period. Specifically, the user identity parsing module 330 uses the city as the user identity to resolve the granularity, and the user identity information includes the credential information in the user registration information, and obtains the user identity resolution according to the ID type and the ID number in each user registration information. The number of the user identity of the device is counted, and the number of the user's identity is determined according to the type of the certificate. Specifically, if the document type is a Chinese resident ID card, the first six digits of each ID number are parsed.
  • each document type or each document number corresponds to a user identity Analyze the location, and based on this statistics device user identity resolution number.
  • the user identity parsing module 330 can determine the statistical manner of the number of the device user identity resolving according to the number of devices identified by the device information collection module 310, that is, if the unique device is identified, the device is parsed and counted. If the number of user IDs is resolved, if the number of devices is identified, the number of user IDs of each device is analyzed and counted; if the device is not identified, the number of user IDs of the device is counted as 0; The number of parsing grounds is used as an input variable of the scoring model by the piracy risk assessment module 340 to assess the piracy risk level of the device.
  • the piracy risk assessment module 340 can estimate the piracy risk level of the device by inputting the number of the device user identity in the time period as an input variable of the preset scoring model.
  • the piracy risk assessment module 340 further combines the number of all users on the device, the number of mobile phone numbers bound by the current operation behavior, the number of current user history operation behavior devices, the current user history operation behavior IP address number, and the current user's
  • the sub-operation behavior uses the difference between the information and the historical operation behavior information and/or whether the current operation behavior routing characteristic information and the historical operation behavior routing characteristic information are the same, to assess the current operational behavior user's stolen risk level.
  • the piracy risk assessment module 340 calculates the account theft risk value by combining the piracy risk level of the device with the piracy risk level of the current operation behavior user, and identifies the account as the risk value when the risk value is greater than the preset threshold. Pirates.
  • the risk prevention and control system is applicable to operation behavior risk prevention and control of a user (not shown) and an operation behavior platform (not shown), and has a risk identification device 300, a pirate report device 200, a risk processing device 100, and a case. Database 400.
  • the risk identification device 300 calculates the risk value of the account theft in the operation behavior platform, and identifies the account being stolen when the risk value is greater than the preset threshold;
  • the pirate reporting device 200 reports the account theft information to the risk processing device 400 and the user receiving device (such as the mobile phone) 500;
  • the risk processing device 100 receives the account theft message, the user is frozen.
  • the account is stolen and the risk data associated with the stolen account is intercepted; the case database 400 stores the risk data intercepted by the risk processing device 100 for the risk processing device 300 to check the risk data, and the risk identification device 300 verifies the scoring model. .
  • the risk identification device 300 refers to the structure shown in FIG. 3, and other devices can select a known device or application.
  • the risk prevention and control system can identify the risk of theft of the user account in time, and can process the account in time if it is confirmed that the account is stolen, thereby providing a safe network operation behavior environment, and thus having good application value.
  • FIG. 5 an embodiment of the present application is shown.
  • a computing device includes one or more processing modules (CPUs), input/output interfaces, network interfaces, and memory.
  • CPUs processing modules
  • input/output interfaces input/output interfaces
  • network interfaces network interfaces
  • memory volatile and non-volatile memory
  • the memory may include non-persistent storage modules, random access memory modules (RAM), and/or non-volatile memory in a computer readable medium, such as a read only memory module (ROM) or flash memory.
  • RAM random access memory modules
  • ROM read only memory
  • Memory is an example of a computer readable medium.
  • Computer readable media including both permanent and non-persistent, removable and non-removable media may be stored by any system or technology.
  • the information can be computer readable instructions, data structures, modules of programs, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), Read-only memory module (ROM), EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) Or other optical storage, magnetic tape cartridge, magnetic tape storage or other magnetic storage device or any other non-transporting medium that can be used to store information that can be accessed by the computing device.
  • computer readable media does not include non-transitory computer readable media, such as modulated data signals and carrier waves.
  • embodiments of the present application can be provided as a system, system, or computer program product.
  • the present application can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment in combination of software and hardware.
  • the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage modules, CD-ROMs, optical storage modules, etc.) having computer usable program code embodied therein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Telephonic Communication Services (AREA)
  • Alarm Systems (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
PCT/CN2016/080446 2015-05-29 2016-04-28 账号被盗的风险识别方法、识别装置及防控系统 Ceased WO2016192495A1 (zh)

Priority Applications (7)

Application Number Priority Date Filing Date Title
EP16802418.0A EP3306512B1 (en) 2015-05-29 2016-04-28 Account theft risk identification method, identification apparatus, and prevention and control system
SG11201709594XA SG11201709594XA (en) 2015-05-29 2016-04-28 Account theft risk identification method, identification apparatus, and prevention and control system
ES16802418T ES2808974T3 (es) 2015-05-29 2016-04-28 Procedimiento de identificación de riesgo de robo de cuenta, aparato de identificación y sistema de prevención y control
PL16802418T PL3306512T3 (pl) 2015-05-29 2016-04-28 Sposób identyfikacji ryzyka kradzieży konta, urządzenie do identyfikacji oraz system zapobiegania i kontroli
JP2017562009A JP6732806B2 (ja) 2015-05-29 2016-04-28 アカウント盗難リスクの識別方法、識別装置、及び防止・制御システム
KR1020177037102A KR102138965B1 (ko) 2015-05-29 2016-04-28 계정 도난 위험 식별 방법, 식별 장치, 예방 및 통제 시스템
US15/816,207 US11233812B2 (en) 2015-05-29 2017-11-17 Account theft risk identification

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510289825.4A CN106295349B (zh) 2015-05-29 2015-05-29 账号被盗的风险识别方法、识别装置及防控系统
CN201510289825.4 2015-05-29

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/816,207 Continuation US11233812B2 (en) 2015-05-29 2017-11-17 Account theft risk identification

Publications (1)

Publication Number Publication Date
WO2016192495A1 true WO2016192495A1 (zh) 2016-12-08

Family

ID=57440281

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/080446 Ceased WO2016192495A1 (zh) 2015-05-29 2016-04-28 账号被盗的风险识别方法、识别装置及防控系统

Country Status (9)

Country Link
US (1) US11233812B2 (enExample)
EP (1) EP3306512B1 (enExample)
JP (1) JP6732806B2 (enExample)
KR (1) KR102138965B1 (enExample)
CN (1) CN106295349B (enExample)
ES (1) ES2808974T3 (enExample)
PL (1) PL3306512T3 (enExample)
SG (1) SG11201709594XA (enExample)
WO (1) WO2016192495A1 (enExample)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180129194A (ko) * 2017-05-25 2018-12-05 삼성에스디에스 주식회사 리스크 기반 인증을 위한 리스크 분석 장치 및 방법
CN109257356A (zh) * 2018-09-26 2019-01-22 杭州安恒信息技术股份有限公司 互联网账号风险评估方法及系统
CN110268452A (zh) * 2016-12-15 2019-09-20 维萨国际服务协会 报警访问覆盖
CN110570188A (zh) * 2019-08-15 2019-12-13 阿里巴巴集团控股有限公司 用于处理交易请求的方法和系统
CN111242770A (zh) * 2020-01-08 2020-06-05 贵阳货车帮科技有限公司 风险设备识别方法、装置、电子设备及可读存储介质
CN111343173A (zh) * 2020-02-21 2020-06-26 腾讯云计算(北京)有限责任公司 数据访问的异常监测方法及装置
CN116701914A (zh) * 2023-06-21 2023-09-05 广东星云开物科技股份有限公司 一种硬件设备异常使用识别方法、装置、存储装置及系统

Families Citing this family (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10917412B2 (en) * 2016-05-05 2021-02-09 Paypal, Inc. Authentication and risk assessment through header injections
CN108287855B (zh) * 2017-01-10 2022-11-11 阿里巴巴集团控股有限公司 基于社工库的数据识别方法及装置、界面交互装置
US10764303B2 (en) * 2018-04-25 2020-09-01 Microsoft Technology Licensing, Llc Detecting unauthorized cloud access by detecting malicious velocity incidents
CN110555451B (zh) * 2018-05-31 2025-01-17 北京京东尚科信息技术有限公司 信息识别方法和装置
CN108804640B (zh) * 2018-06-05 2021-03-19 重庆小雨点小额贷款有限公司 基于最大化iv的数据分组方法、装置、储存介质及设备
CN109064175B (zh) * 2018-06-11 2022-08-12 创新先进技术有限公司 一种账户盗用风险防控方法及装置
CN108833258A (zh) * 2018-06-12 2018-11-16 广东睿江云计算股份有限公司 一种邮件服务主动发现异常的方法
CN108694547B (zh) * 2018-06-15 2021-10-29 顺丰科技有限公司 账号异常识别方法、装置、设备和储存介质
CN112508568B (zh) * 2018-08-15 2024-08-30 创新先进技术有限公司 核身产品推送及核身方法和系统
CN110839003A (zh) * 2018-08-16 2020-02-25 北京嘀嘀无限科技发展有限公司 盗号行为识别方法、装置、计算机设备和存储介质
CN109165514B (zh) * 2018-10-16 2019-08-09 北京芯盾时代科技有限公司 一种风险检测方法
CN110033151B (zh) * 2018-11-09 2024-01-19 创新先进技术有限公司 关系风险评价方法、装置、电子设备及计算机存储介质
CN109753772A (zh) * 2018-11-29 2019-05-14 武汉极意网络科技有限公司 一种账户安全验证方法及系统
CN109660529B (zh) * 2018-12-06 2021-10-26 深圳蓝贝科技有限公司 用于售卖机的安全风控方法、装置、售卖机和系统
CN111292085B (zh) * 2018-12-10 2023-06-30 北京嘀嘀无限科技发展有限公司 交易风险评估的方法、装置、设备及计算机可读存储介质
CN111753266B (zh) * 2019-03-29 2024-11-15 阿里巴巴(上海)有限公司 用户认证方法、多媒体内容的推送方法及装置
CN111950829B (zh) * 2019-05-17 2024-06-04 泰康保险集团股份有限公司 风险对象定位方法、装置、计算机存储介质和电子设备
CN110276178B (zh) * 2019-05-28 2023-04-28 创新先进技术有限公司 一种基于身份验证的风险控制方法、装置及设备
CN110414985A (zh) * 2019-06-12 2019-11-05 阿里巴巴集团控股有限公司 一种异常账户的检测方法及装置
CN110335045A (zh) * 2019-07-01 2019-10-15 阿里巴巴集团控股有限公司 异地风险判定方法和装置
CN110351267B (zh) * 2019-07-04 2021-12-03 微梦创科网络科技(中国)有限公司 一种社交媒体账号被盗的确定方法及装置
CN110399925B (zh) * 2019-07-26 2023-09-19 腾讯科技(武汉)有限公司 账号的风险识别方法、装置及存储介质
CN112449371B (zh) * 2019-08-30 2023-08-15 中国移动通信集团广东有限公司 一种无线路由器的性能评测方法及电子设备
CN110851881B (zh) * 2019-10-31 2023-07-04 成都欧珀通信科技有限公司 终端设备的安全检测方法及装置、电子设备及存储介质
CN111507377B (zh) * 2020-03-24 2023-08-11 微梦创科网络科技(中国)有限公司 一种养号帐号批量识别方法及装置
US20210397903A1 (en) * 2020-06-18 2021-12-23 Zoho Corporation Private Limited Machine learning powered user and entity behavior analysis
CN111985769B (zh) * 2020-07-07 2024-03-22 国网电动汽车服务有限公司 一种车桩身份快速识别风险控制方法和系统
CN113938692B (zh) * 2020-07-13 2024-02-09 广州壹点通网络科技有限公司 一种视频直播的风险控制方法及装置
CN111861240A (zh) * 2020-07-27 2020-10-30 深圳前海微众银行股份有限公司 可疑用户识别方法、装置、设备及可读存储介质
CN112434214A (zh) * 2020-11-03 2021-03-02 中国南方电网有限责任公司 一种基于Redis的操作事件的推送方法
CN112566098A (zh) * 2020-11-27 2021-03-26 中国联合网络通信集团有限公司 识别信息的验证方法和服务器
WO2022133632A1 (en) * 2020-12-21 2022-06-30 Beijing Didi Infinity Technology And Development Co., Ltd. Systems and methods for identity risk assessment
CN113239331B (zh) * 2021-04-16 2021-12-07 广州趣米网络科技有限公司 一种基于大数据的风险账号防入侵识别方法及系统
CN118382089B (zh) * 2024-06-24 2024-09-06 济南杰睿信息科技有限公司 一种无线信号保密通讯的检查方法及系统

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1497450A (zh) * 2002-10-03 2004-05-19 �Ҵ���˾ 分层的虚拟身份系统和方法
CN1801764A (zh) * 2006-01-23 2006-07-12 北京交通大学 一种基于身份与位置分离的互联网接入方法
CN103297444A (zh) * 2012-02-23 2013-09-11 王正伟 身份解析方法和装置
CN104618919A (zh) * 2015-01-05 2015-05-13 重庆邮电大学 传感器网络传感节点标识符解析一致性测试方法

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7272728B2 (en) * 2004-06-14 2007-09-18 Iovation, Inc. Network security and fraud detection system and method
CN100497450C (zh) * 2006-06-11 2009-06-10 上海三泰橡胶制品有限公司 硅橡胶开孔海绵
US8295898B2 (en) * 2008-07-22 2012-10-23 Bank Of America Corporation Location based authentication of mobile device transactions
US8588744B2 (en) * 2008-11-26 2013-11-19 Ringcentral, Inc. Fraud prevention techniques
CN102200987A (zh) * 2011-01-27 2011-09-28 北京开心人信息技术有限公司 一种基于用户账号行为分析的查找马甲账号的方法及系统
CN102325062A (zh) * 2011-09-20 2012-01-18 北京神州绿盟信息安全科技股份有限公司 异常登录检测方法及装置
US9298890B2 (en) * 2012-03-20 2016-03-29 Facebook, Inc. Preventing unauthorized account access using compromised login credentials
US8904496B1 (en) * 2012-03-30 2014-12-02 Emc Corporation Authentication based on a current location of a communications device associated with an entity
CN103457923A (zh) 2012-06-05 2013-12-18 阿里巴巴集团控股有限公司 异地登录的控制方法、装置及系统
CN103581355A (zh) * 2012-08-02 2014-02-12 北京千橡网景科技发展有限公司 用户行为异常处理方法和设备
CN103023718B (zh) 2012-11-29 2015-12-23 北京奇虎科技有限公司 一种用户登录监测设备和方法
CN103001826B (zh) 2012-11-29 2015-09-30 北京奇虎科技有限公司 用于监测用户登录的设备和方法
CN103024744B (zh) * 2012-12-24 2015-08-05 百度在线网络技术(北京)有限公司 移动终端的身份验证的方法和系统
CN103532797B (zh) 2013-11-06 2017-07-04 网之易信息技术(北京)有限公司 一种用户登录异常监测方法和装置
CN104144419B (zh) * 2014-01-24 2017-05-24 腾讯科技(深圳)有限公司 一种身份验证的方法、装置及系统
US20150310434A1 (en) * 2014-04-29 2015-10-29 Dennis Takchi Cheung Systems and methods for implementing authentication based on location history
US10142308B1 (en) * 2014-06-30 2018-11-27 EMC IP Holding Company LLC User authentication
US9858575B2 (en) * 2014-12-16 2018-01-02 At&T Mobility Ii Llc Fraud detection via mobile device location tracking
CN104601547A (zh) 2014-12-22 2015-05-06 新浪网技术(中国)有限公司 一种非法操作的识别方法及装置

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1497450A (zh) * 2002-10-03 2004-05-19 �Ҵ���˾ 分层的虚拟身份系统和方法
CN1801764A (zh) * 2006-01-23 2006-07-12 北京交通大学 一种基于身份与位置分离的互联网接入方法
CN103297444A (zh) * 2012-02-23 2013-09-11 王正伟 身份解析方法和装置
CN104618919A (zh) * 2015-01-05 2015-05-13 重庆邮电大学 传感器网络传感节点标识符解析一致性测试方法

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110268452A (zh) * 2016-12-15 2019-09-20 维萨国际服务协会 报警访问覆盖
KR20180129194A (ko) * 2017-05-25 2018-12-05 삼성에스디에스 주식회사 리스크 기반 인증을 위한 리스크 분석 장치 및 방법
US11003749B2 (en) 2017-05-25 2021-05-11 Samsung Sds Co., Ltd. Risk analysis apparatus and method for risk based authentication
KR102369228B1 (ko) * 2017-05-25 2022-02-28 삼성에스디에스 주식회사 리스크 기반 인증을 위한 리스크 분석 장치 및 방법
CN109257356A (zh) * 2018-09-26 2019-01-22 杭州安恒信息技术股份有限公司 互联网账号风险评估方法及系统
CN109257356B (zh) * 2018-09-26 2020-12-25 杭州安恒信息技术股份有限公司 互联网账号风险评估方法及系统
CN110570188A (zh) * 2019-08-15 2019-12-13 阿里巴巴集团控股有限公司 用于处理交易请求的方法和系统
CN111242770A (zh) * 2020-01-08 2020-06-05 贵阳货车帮科技有限公司 风险设备识别方法、装置、电子设备及可读存储介质
CN111242770B (zh) * 2020-01-08 2023-04-07 贵阳货车帮科技有限公司 风险设备识别方法、装置、电子设备及可读存储介质
CN111343173A (zh) * 2020-02-21 2020-06-26 腾讯云计算(北京)有限责任公司 数据访问的异常监测方法及装置
CN111343173B (zh) * 2020-02-21 2022-08-26 腾讯云计算(北京)有限责任公司 数据访问的异常监测方法及装置
CN116701914A (zh) * 2023-06-21 2023-09-05 广东星云开物科技股份有限公司 一种硬件设备异常使用识别方法、装置、存储装置及系统

Also Published As

Publication number Publication date
JP2018519586A (ja) 2018-07-19
EP3306512A1 (en) 2018-04-11
US20180077192A1 (en) 2018-03-15
KR102138965B1 (ko) 2020-07-29
SG11201709594XA (en) 2017-12-28
EP3306512B1 (en) 2020-06-03
CN106295349B (zh) 2020-06-05
JP6732806B2 (ja) 2020-07-29
PL3306512T3 (pl) 2021-02-08
ES2808974T3 (es) 2021-03-02
EP3306512A4 (en) 2018-12-12
KR20180013998A (ko) 2018-02-07
US11233812B2 (en) 2022-01-25
CN106295349A (zh) 2017-01-04

Similar Documents

Publication Publication Date Title
WO2016192495A1 (zh) 账号被盗的风险识别方法、识别装置及防控系统
US12204641B2 (en) Systems and methods for detecting resources responsible for events
US11276022B2 (en) Enhanced system and method for identity evaluation using a global score value
CN108989150B (zh) 一种登录异常检测方法及装置
CN105590055B (zh) 用于在网络交互系统中识别用户可信行为的方法及装置
CN114389871B (zh) 一种账号异常登录自动分析方法和装置
US20180097790A1 (en) Systems and methods to authenticate users and/or control access made by users on a computer network based on scanning elements for inspection according to changes made in a relation graph
CN109842858B (zh) 一种业务异常订购检测方法及装置
US11968184B2 (en) Digital identity network alerts
WO2015043491A1 (zh) 一种用于对互联网账号的登录进行安全验证的方法及系统
CN108122114A (zh) 针对异常重复交易欺诈检测方法、系统、介质及设备
CN111709603A (zh) 基于风控的服务请求处理方法、装置及系统
CN109242658B (zh) 可疑交易报告生成方法、系统、计算机设备和存储介质
CN113283906A (zh) 基于设备指纹的支付购电风险监测方法及装置
KR20160078281A (ko) 위치기반 이상 금융 거래 탐지 시스템, 및 방법
CN116342276A (zh) 异常对象的确定方法、装置和服务器
CN117459262A (zh) 一种基于行为分析的金融业务逻辑漏洞告警监测方法、系统及存储介质
WO2017124954A1 (zh) 一种通过丢失账号定位恶意账号的方法和系统
CN116823485A (zh) 风险账号的检测方法、装置和服务器
CN119865337A (zh) 异常账号的确定方法和装置、存储介质及电子设备
CN111835696A (zh) 一种检测异常请求个体的方法及装置
HK1224043B (zh) 用於在网络交互系统中识别用户可信行为的方法及装置
KR20150078597A (ko) 카드 결제 및 사이버 머니 결제에 있어서 사기 결제를 방지하는 방법

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16802418

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 11201709594X

Country of ref document: SG

ENP Entry into the national phase

Ref document number: 2017562009

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 20177037102

Country of ref document: KR

Kind code of ref document: A