WO2020248658A1 - Procédé et appareil de détection de compte anormal - Google Patents

Procédé et appareil de détection de compte anormal Download PDF

Info

Publication number
WO2020248658A1
WO2020248658A1 PCT/CN2020/082440 CN2020082440W WO2020248658A1 WO 2020248658 A1 WO2020248658 A1 WO 2020248658A1 CN 2020082440 W CN2020082440 W CN 2020082440W WO 2020248658 A1 WO2020248658 A1 WO 2020248658A1
Authority
WO
WIPO (PCT)
Prior art keywords
transaction
attribute
preset
transaction log
target
Prior art date
Application number
PCT/CN2020/082440
Other languages
English (en)
Chinese (zh)
Inventor
方思羽
左军
Original Assignee
创新先进技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 创新先进技术有限公司 filed Critical 创新先进技术有限公司
Publication of WO2020248658A1 publication Critical patent/WO2020248658A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing

Definitions

  • One or more embodiments of this specification relate to the field of computer technology, and in particular to a method and device for detecting abnormal accounts.
  • Blockchain technology is built on a point-to-point (P2P) network, using chained data structures to verify and store data, using distributed node consensus algorithms to generate and update data, and using cryptography to ensure data transmission and Access security, a new distributed infrastructure and computing paradigm that uses smart contracts composed of automated script codes to program and manipulate data. Because of its weak centralization, non-tampering, tolerance and other advantages, it is widely used in the financial industry.
  • P2P point-to-point
  • the accounts and keys (such as public keys and private keys) for users to access blockchain nodes in the blockchain network are usually saved in the user terminal in a text file format.
  • the user terminal is attacked by hackers, it is extremely easy to cause the leakage of the user's account and key. After the hacker steals the user's account and key, he can use the user's account and key to log in to the blockchain node and conduct transactions, thereby causing the user's economic losses.
  • One or more embodiments of this specification describe a detection method and device for abnormal accounts, which can realize detection of abnormal accounts.
  • a method for detecting abnormal accounts is provided.
  • the method is applied to a blockchain node in a blockchain network.
  • the method includes: when a preset sampling period is reached, according to each area in the blockchain The time stamp of the block, the target block whose time stamp belongs to the preset time range is obtained; the transaction log set corresponding to the target account is obtained from the transaction log contained in the target block, and the transaction log set includes the target account Multiple transaction logs related to multiple transactions initiated, each transaction log having multiple target attributes, the target attributes being transaction time, Internet Protocol IP address, transaction status, or transaction amount; for each transaction log set A target attribute, at least according to the attribute value of the target attribute in each transaction log and the abnormal condition preset for the target attribute, determine the risk score of the target attribute in the transaction log set; and according to each transaction log set The risk score of the target attribute determines the total risk score of the transaction log collection; if the total risk score is greater than a preset score threshold, the target account is determined to be an abnormal account.
  • the multiple target attributes include a first attribute
  • the target is determined in the transaction log set at least according to the attribute value of the target attribute in each transaction log and an abnormal condition preset for the target attribute
  • the risk score of the attribute includes: if the attribute value of the first attribute in each transaction log satisfies the first abnormal condition preset for the first attribute, then the risk score for the first attribute is determined For the first score preset for the first attribute, the first score indicates that the first attribute is an abnormal attribute; if the attribute value of the first attribute in each transaction log does not satisfy the For the first abnormal condition, the risk score for the first attribute is determined to be zero.
  • the multiple target attributes include a second attribute
  • the target attribute in the transaction log set is determined at least according to the attribute value of the target attribute in each transaction log and an abnormal condition preset for the target attribute
  • the risk score of the attribute includes: determining that the number of transaction logs whose attribute value of the second attribute in each transaction log satisfies the second abnormal condition preset for the second attribute accounts for the total number of transaction logs in the transaction log set.
  • the ratio of the number of transaction logs, and the risk score of the second attribute is determined according to the ratio.
  • the first attribute is transaction time
  • the attribute value of the first attribute in each transaction log satisfies a first abnormal condition preset for the first attribute
  • the The determination of the risk score of the first attribute as the first score preset for the first attribute includes: determining the time interval between adjacent transaction logs in the transaction log set according to the transaction time of each transaction log If there is a first preset number of time intervals less than the preset first preset duration in the transaction log set, the risk score for the transaction time is determined as the first score preset for the transaction time.
  • the first attribute is an IP address
  • the attribute value of the first attribute in the transaction logs meets the first abnormal condition preset for the first attribute
  • the The risk score of the first attribute is determined as the first score preset for the first attribute, including: if there are adjacent transaction logs in the transaction log set, the time interval of transaction time is less than a second preset duration, And the IP addresses are not the same, the risk score for the IP address is determined as the first score preset for the IP address.
  • the first attribute is a transaction status
  • the attribute value of the first attribute in each transaction log satisfies the first abnormal condition preset for the first attribute
  • the The risk score of the first attribute is determined as the first score preset for the first attribute, including: if there are a second preset number of consecutive transaction logs in the transaction log set and the transaction status is transaction failure, then The risk score for the transaction state is determined as the first score preset for the transaction state.
  • the first attribute is the transaction amount
  • the attribute value of the first attribute in each transaction log satisfies the first abnormal condition preset for the first attribute
  • the The risk score of the first attribute is determined as the first score preset for the first attribute, including: if there is a transaction log with a transaction amount greater than a preset transaction amount threshold in the transaction log set, then The risk score of the transaction amount is determined as the first score preset for the transaction amount.
  • the second attribute is a transaction status
  • the number of transaction logs for which the attribute value of the second attribute in each transaction log meets a second abnormal condition preset for the second attribute is determined
  • the proportion of the total number of transaction logs in the transaction log set, and the determination of the risk score of the second attribute according to the proportion includes: determining that the transaction status in each transaction log is a transaction log with a transaction failure
  • the ratio of the number to the total number of transaction logs in the transaction log set, and the risk score for the transaction state is determined as the product of the second score preset for the transaction state and the ratio.
  • the second attribute is a transaction amount
  • the number of transaction logs for which the attribute value of the second attribute in each transaction log meets a second abnormal condition preset for the second attribute is determined
  • the ratio of the total number of transaction logs in the transaction log set, and determining the risk score of the second attribute according to the ratio includes: determining that the transaction amount in each transaction log is greater than a preset transaction amount
  • the ratio of the number of threshold transaction logs to the total number of transaction logs in the transaction log set, and the risk score for the transaction amount is determined as the ratio.
  • the preset transaction amount threshold is determined according to the average value of the transaction amount of each transaction log in the transaction log set.
  • the determining the total risk score of the transaction log set according to the risk score of each target attribute in the transaction log set includes: determining the total risk score of each target attribute according to a preset weight coefficient for each target attribute The weighted sum of the risk scores of, obtains the total risk score of the transaction log collection.
  • the method further includes: when it is detected that the target account is logged in, sending alarm information to the user terminal logging in the target account.
  • a device for detecting abnormal accounts is provided.
  • the device is applied to a blockchain node in a blockchain network.
  • the device includes: a first acquisition module for when the preset sampling period is reached , According to the timestamp of each block in the blockchain, obtain the target block whose timestamp belongs to the preset time range; the second obtaining module is used to obtain the transaction log corresponding to the target account from the transaction log contained in the target block
  • the transaction log collection includes multiple transaction logs related to multiple transactions initiated by the target account, each transaction log has multiple target attributes, and the target attributes are transaction time, Internet Protocol IP address, transaction Status or transaction amount;
  • the first determining module is used to determine for each target attribute in the transaction log set, at least according to the attribute value of the target attribute in each transaction log and the abnormal condition preset for the target attribute
  • the risk score of the target attribute in the transaction log set a second determining module, configured to determine the total risk score of the transaction log set according to the risk score of each target attribute in the transaction log set; a third
  • the multiple target attributes include a first attribute
  • the first determining module is specifically configured to: if the attribute value of the first attribute in each transaction log satisfies a predetermined value for the first attribute If the first abnormal condition is set, the risk score for the first attribute is determined as the first score preset for the first attribute, and the first score indicates that the first attribute is an abnormal attribute; if If the attribute value of the first attribute in each transaction log does not satisfy the first abnormal condition, the risk score for the first attribute is determined to be zero.
  • the multiple target attributes include a second attribute
  • the first determining module is specifically configured to: determine that the attribute value of the second attribute in each transaction log satisfies a predetermined value for the second attribute. Set the ratio of the number of transaction logs of the second abnormal condition to the total number of transaction logs in the transaction log set, and determine the risk score of the second attribute according to the ratio.
  • the first attribute is transaction time
  • the first determining module is specifically configured to: determine the time interval between adjacent transaction logs in the transaction log set according to the transaction time of each transaction log If there is a first preset number of time intervals less than the preset first preset duration in the transaction log set, the risk score for the transaction time is determined as the first score preset for the transaction time.
  • the first attribute is an IP address
  • the first determining module is specifically configured to: if the transaction time interval of adjacent transaction logs in the transaction log set is less than a second preset duration, And the IP addresses are not the same, the risk score for the IP address is determined as the first score preset for the IP address.
  • the first attribute is a transaction status
  • the first determining module is specifically configured to: if there are a second preset number of consecutive transaction logs in the transaction log set, the transaction status is transaction failure, then The risk score for the transaction state is determined as the first score preset for the transaction state.
  • the first attribute is a transaction amount
  • the first determining module is specifically configured to: if there is a transaction log with a transaction amount greater than a preset transaction amount threshold in the transaction log set, target the transaction amount The risk score of the transaction amount is determined as the first score preset for the transaction amount.
  • the second attribute is a transaction status
  • the first determining module is specifically configured to: determine that the number of transaction logs whose transaction status is a transaction failure in each transaction log accounts for the transaction log set And determine the risk score for the transaction status as the product of the second score preset for the transaction status and the ratio.
  • the second attribute is a transaction amount
  • the first determining module is specifically configured to: determine that the number of transaction logs in each transaction log whose transaction amount is greater than a preset transaction amount threshold accounts for The ratio of the total number of transaction logs in the transaction log set is determined, and the risk score for the transaction amount is determined as the ratio.
  • the preset transaction amount threshold is determined according to the average value of the transaction amount of each transaction log in the transaction log set.
  • the second determination module is specifically configured to: according to a weight coefficient preset for each target attribute, weighted and sum the risk scores of each target attribute to obtain the total risk score of the transaction log set.
  • the device further includes: a sending module, configured to send alarm information to the user terminal logging in the target account when the target account is detected to be logged in.
  • a sending module configured to send alarm information to the user terminal logging in the target account when the target account is detected to be logged in.
  • a blockchain node including a memory and a processor, wherein executable code is stored in the memory, and when the processor executes the executable code, any one of the first aspect is implemented The method described in the item.
  • a computer-readable storage medium on which a computer program is stored, wherein when the computer program is executed in a computer, the computer is caused to execute the method in any one of the first aspect.
  • the embodiments of this specification provide a method and device for detecting abnormal accounts.
  • the blockchain node obtains the target block whose time stamp belongs to the preset time range according to the timestamp of each block in the blockchain, and obtains it from the transaction log contained in the target block
  • the transaction log collection corresponding to the target account.
  • the transaction log collection includes multiple transaction logs initiated by the target account, each transaction log has multiple target attributes, and the target attributes are transaction time, Internet Protocol IP address, transaction status, or transaction amount.
  • the blockchain node determines the target attribute in the transaction log collection at least according to the attribute value of the target attribute in each transaction log and the abnormal conditions preset for the target attribute. Risk score.
  • the blockchain node determines the total risk score of the transaction log set according to the risk score of each target attribute in the transaction log set. If the total risk score is greater than the preset score threshold, the blockchain node determines that the target account is an abnormal account. In this way, the blockchain node can detect whether the target account is an abnormal account by analyzing the transaction log in the transaction log collection of the target account.
  • Fig. 1 is an architecture diagram of a blockchain system provided by an embodiment of the specification
  • FIG. 2 is a flowchart of a method for detecting abnormal accounts according to an embodiment of this specification
  • FIG. 3 is a schematic structural diagram of an abnormal account detection device provided by an embodiment of this specification.
  • FIG. 4 is a schematic structural diagram of an abnormal account detection device provided by an embodiment of this specification.
  • Fig. 1 is an architecture diagram of a blockchain system provided by an embodiment of this specification.
  • the system includes a user terminal and a blockchain network.
  • the blockchain network includes multiple blockchain nodes, and each blockchain node runs a trading platform, which can interact with multiple users and provide services for the users.
  • the user can log in to the service platform by entering the account and key on the client terminal in the user terminal, and conduct transactions with other users.
  • the client can be an application (Application, APP), a distributed application (Decentralized Application, DAPP), a browser, etc. on the user terminal.
  • the blockchain node in the blockchain network will record the transaction log corresponding to the account.
  • each transaction log may include multiple target attributes.
  • the target attributes may be transaction time, Internet Protocol (IP) address, transaction status or transaction amount, or other attributes, which are not limited in the embodiment of this specification.
  • IP Internet Protocol
  • This manual introduces the target attribute as transaction time, IP address, transaction status or transaction amount as an example. Other situations are similar.
  • the embodiment of this specification provides a method for detecting abnormal accounts, which is applied to blockchain nodes in a blockchain network, as shown in Figure 2, the processing process is as follows:
  • Step 201 When the preset sampling period is reached, obtain the target block whose time stamp belongs to the preset time range according to the time stamp of each block in the blockchain.
  • the sampling period and time range may be pre-stored in the blockchain node.
  • the sampling period and time range can be set by technicians based on experience.
  • the blockchain node can package the transaction into a block, and add the block to the zone based on the consensus algorithm between each node Block chain.
  • the blockchain node can also record the transaction status or transaction information of transactions initiated by each account in the form of a log, thereby generating a transaction log.
  • the transaction log can record the time when each transaction was initiated, the account initiated, whether the transaction was successful, the type of transaction, the amount of the transaction, and so on.
  • the blockchain node may generate a transaction log based on one transaction, or generate a transaction log based on multiple consecutive transaction records, which is not limited in the embodiment of this specification.
  • the blockchain node can store the transaction log corresponding to each account in the local database, and can also store the transaction log on the blockchain in the form of blocks.
  • a timestamp corresponding to the block will be generated according to the time of addition.
  • the blockchain node can periodically obtain the timestamp of the block from the blockchain according to the preset sampling period. Time range (such as one week or one month or one year) block (ie target block), in order to read the transaction log of the corresponding time range.
  • Step 202 Obtain a transaction log set corresponding to the target account from the transaction log contained in the target block.
  • the transaction log collection includes multiple transaction logs related to multiple transactions initiated by the target account, each transaction log has multiple target attributes, and the target attributes are transaction time, IP address, transaction status, or transaction amount.
  • the blockchain node after the blockchain node obtains the target block, it can further obtain the transaction log with the originator (from) field being the target account from the transaction log contained in the target block to form a transaction log set corresponding to the target account.
  • the transaction set includes log content of multiple transactions initiated by the target account; each transaction log in the transaction log set may include multiple target attributes; the target attributes may be transaction time, IP address, transaction status Or the transaction amount may also be other attributes, which are not limited in the embodiment of this description.
  • Table 1 shows the transaction log set corresponding to account 1 obtained by the blockchain node.
  • Step 203 For each target attribute in the transaction log set, determine the risk score of the target attribute in the transaction log set at least according to the attribute value of the target attribute in each transaction log and the abnormal condition preset for the target attribute.
  • the abnormal conditions corresponding to each target attribute can be pre-stored in the blockchain node.
  • the abnormal condition corresponding to each target attribute can be set by the technician based on experience.
  • the block chain node After the block chain node obtains the transaction log set corresponding to the target account, for each target attribute in the transaction log set, the block chain node can according to the attribute value of the target attribute in each transaction log and the abnormal condition corresponding to the target attribute , To determine the risk score of the target attribute in the transaction log collection.
  • the blockchain node can determine the risk score of the target attribute in the transaction log collection in various ways. The embodiment of this specification provides two feasible ways for introduction, which are specifically as follows:
  • the multiple target attributes include the first attribute. If the attribute value of the first attribute in each transaction log satisfies the first abnormal condition preset for the first attribute, the blockchain node will assign the risk score for the first attribute Determined as the first score preset for the first attribute. Wherein, the first score indicates that the first attribute is an abnormal attribute. If the attribute value of the first attribute in each transaction log does not meet the first abnormal condition, the blockchain node determines the risk score for the first attribute as 0.
  • the corresponding relationship between the target attribute and the score can be pre-stored in the blockchain node.
  • the corresponding relationship between the target attribute and the score can be set by the technician based on experience.
  • Table 2 shows the correspondence between the target attributes and scores stored in the blockchain nodes.
  • Serial number Target attribute fraction 1 transaction hour 30 2 IP address 10 3 trading status 40 4 The transaction amount 20
  • the blockchain node can determine whether the attribute value of the first attribute in each transaction log satisfies the corresponding value of the first attribute Abnormal conditions. If the attribute value of the first attribute satisfies the abnormal condition corresponding to the first attribute, the blockchain node can determine that the first attribute is an abnormal attribute, and determine the risk score of the first attribute as the first attribute corresponding to the first attribute. One score. If the attribute value of the first attribute does not satisfy the abnormal condition corresponding to the first attribute, the blockchain node can determine that the first attribute is a normal attribute, and determine the risk score of the first attribute as zero.
  • the abnormal conditions corresponding to the target attributes are different. The embodiments of this specification provide several examples of judging whether the target attribute is an abnormal attribute and determining the risk score of the target attribute, as follows:
  • Example 1 The first attribute is the transaction time.
  • the blockchain node determines whether the first attribute is an abnormal attribute, and the process of determining the risk score of the first attribute is as follows:
  • Step 1 Determine the time interval between adjacent transactions in the transaction log set according to the transaction time recorded in each transaction log.
  • the blockchain node can determine the time interval of the transaction time of adjacent transactions in the transaction log set according to the transaction time in each transaction log.
  • the transaction time interval of transaction log 1 and transaction log 2 is 35 seconds
  • the transaction time interval of transaction log 2 and transaction log 3 is 1 minute and 20 seconds
  • the time interval of transaction time of 4 is 3 minutes and 25 seconds
  • the time interval of transaction time of transaction log 4 and transaction log 5 is 31 seconds
  • the time interval of transaction time of transaction log 5 and transaction log 6 is 3 minutes 59 seconds.
  • Step 2 If there are a first preset number of time intervals less than the preset first preset duration in the transaction log set, the risk score for the transaction time is determined as the first score preset for the transaction time.
  • the first preset number and the first preset duration may be pre-stored in the blockchain node.
  • the first preset number and the first preset duration can be set by a technician based on experience.
  • the blockchain node After the blockchain node obtains the time interval of the transaction time of adjacent transaction logs in the transaction log set, it can further determine whether there are a first preset number of time intervals less than the preset first preset duration in the transaction log set . If there are a first preset number of time intervals less than the preset first preset duration in the transaction log collection, it means that the target account may be stolen by hackers and frequent transactions are performed, and the blockchain node can determine the transaction time Is an abnormal attribute, and the risk score of the transaction time is determined as the first score corresponding to the transaction time.
  • the blockchain node can determine that the transaction time is a normal attribute, and take the transaction The risk score of time is determined to be zero.
  • the first preset duration is 1 minute, and the first preset number is 2.
  • the time interval (35 seconds) between the transaction time of transaction log 1 and transaction log 2 is less than the first preset Duration (1 minute)
  • the time interval (31 seconds) between transaction log 4 and transaction log 5 transaction time is less than the first preset duration (1 minute)
  • the number of time intervals less than the preset first preset duration is 2
  • the blockchain node can determine that the transaction time is an abnormal attribute, and the risk score of the transaction time is determined to be 30.
  • Example 2 The first attribute is the IP address, and the blockchain node judges whether the first attribute is an abnormal attribute, and the process of determining the risk score of the first attribute is: if there are adjacent transaction log transaction times in the transaction log set If the time interval is less than the second preset time period and the IP addresses are different, the risk score for the IP address is determined as the first score preset for the IP address.
  • the second preset duration may be pre-stored in the blockchain node.
  • the second preset duration can be set by a technician based on experience.
  • the blockchain node can determine whether there are adjacent transaction logs in the transaction log set. The time interval of the transaction time is less than the second preset time period and the IP addresses are different. If the transaction time interval of adjacent transaction logs in the transaction log set is less than the second preset time period and the IP addresses are different, it means that the target account may be stolen by hackers and the target account is logged in to perform transactions in a remote place.
  • the blockchain node can determine that the IP address is an abnormal attribute, and determine the risk score of the IP address as the first score corresponding to the IP address.
  • the transaction time interval is less than the second preset duration and the IP addresses are not the same, then the IP address is normal, and the blockchain node can determine that the IP address is a normal attribute, and The risk score of the IP address is determined to be 0.
  • the second preset duration is 5 minutes.
  • the time interval (3 minutes and 25 seconds) between the transaction time of transaction log 3 and transaction log 4 is less than the second preset duration (5 minutes).
  • the IP address (10.0.0.1) of transaction log 3 and the IP address (20.0.0.1) of transaction log 4 are not the same, the blockchain node can determine that the IP address is an abnormal attribute, and determine the risk score of the IP address as 10.
  • Example 3 The first attribute is the transaction status.
  • the blockchain node judges whether the first attribute is an abnormal attribute, and the process of determining the risk score of the first attribute is: if there are a second preset number of consecutive transactions in the transaction log collection
  • the transaction status of the log is transaction failure, and the risk score for the transaction status is determined as the first score preset for the transaction status.
  • the second preset number may be pre-stored in the blockchain node.
  • the second preset number can be set by a technician based on experience.
  • the blockchain node can determine whether there is a second preset number of consecutive transaction logs in the transaction log set in which the transaction status is transaction failure. If there is a second preset number of consecutive transaction logs in the transaction log set and the transaction status is transaction failure, it means that the target account may be stolen by a hacker and a key attempt is made.
  • the blockchain node can determine that the transaction status is an abnormal attribute. And the risk score of the transaction status is determined as the first score corresponding to the transaction status.
  • the transaction status is normal, and the blockchain node can determine that the transaction status is a normal attribute, and calculate the risk score of the transaction status Determined to be 0.
  • the second preset number is 3.
  • the transaction statuses of transaction 3, transaction 4, and transaction 5 are all transaction failures, and the blockchain node can determine that the transaction status is an abnormal attribute, and The risk score of this transaction status is determined to be 40.
  • Example 4 The first attribute is the transaction amount, the blockchain node judges whether the target attribute is an abnormal attribute, and the process of determining the risk score of the first attribute is: if there is a transaction log set whose transaction amount is greater than the preset transaction amount threshold In the transaction log, the risk score for the transaction amount is determined as the first score preset for the transaction amount.
  • the transaction amount threshold may be pre-stored in the blockchain node.
  • the transaction amount threshold can be set by a technician based on experience.
  • the blockchain node can determine whether there is a transaction log with a transaction amount greater than a preset transaction amount threshold in the transaction log collection. If there is a transaction log whose transaction amount is greater than the preset transaction amount threshold in the transaction log collection, it means that the target account has been stolen by hackers and a large-value transaction is performed.
  • the blockchain node can determine that the transaction amount is an abnormal attribute and take The risk score of the amount is determined as the first score corresponding to the transaction amount. If there is no transaction log with a transaction amount greater than the preset transaction amount threshold in the transaction log set, it means that the transaction amount is normal, and the blockchain node can determine the transaction amount as a normal attribute, and determine the risk score of the transaction amount as 0.
  • the transaction amount threshold is 3000. As shown in Table 1 and Table 2, the transaction amount of transaction 5 (5000) and the transaction amount of transaction 6 (8000) are both greater than the transaction amount threshold (3000), then the blockchain node can determine The transaction amount is an abnormal attribute, and the risk score of the transaction amount is determined to be 20.
  • Method 2 The multiple target attributes include the second attribute, and the blockchain node can determine that the attribute value of the second attribute in each transaction log meets the second abnormal condition preset for the second attribute.
  • the number of transaction logs in the transaction log collection According to the proportion of the total number of transaction logs, determine the risk score of the second attribute.
  • the blockchain node can determine the first attribute in the transaction log. Whether the attribute value of the second attribute meets the second abnormal condition corresponding to the second attribute. If the attribute value of the second attribute in the transaction log meets the second abnormal condition corresponding to the second attribute, the blockchain node can determine that the transaction log is the target transaction log. Then, the blockchain node can count the number of target transaction logs. After the blockchain node obtains the number of target transaction logs, it can further determine the ratio of the number of target transaction logs to the total number of transaction logs in the transaction log set, and determine the risk score of the second attribute according to the ratio. Among them, for different target attributes, the abnormal conditions corresponding to the target attributes are different.
  • the embodiments of this specification provide several examples of determining the risk scores of the target attributes, which are specifically as follows:
  • Example 1 The second attribute is the transaction status, and the process of determining the risk score of the second attribute by the blockchain node is: determining the number of transaction logs whose transaction status is failed in each transaction log accounts for the total number of transaction logs in the transaction log set The risk score for the transaction status is determined as the product of the second score preset for the transaction status and the ratio.
  • the blockchain node after the blockchain node obtains the transaction log set corresponding to the target account, it can determine the proportion of the number of transaction logs whose transaction status is failed in each transaction log to the total number of transaction logs in the transaction log set. Then, the blockchain node can determine the risk score of the transaction state as the product of the second score corresponding to the transaction state and the ratio.
  • Example 2 The second attribute is the transaction amount.
  • the process of determining the risk score of the second attribute by the blockchain node is: determining that the number of transaction logs in each transaction log whose transaction amount is greater than the preset transaction amount threshold accounts for the transaction log collection The proportion of the total number of transaction logs, and the risk score for the transaction amount is determined as the proportion.
  • the transaction amount threshold may be pre-stored in the blockchain node.
  • the transaction amount threshold can be set by a technician based on experience. After the block chain node obtains the transaction log set corresponding to the target account, it can determine the proportion of the number of transaction logs in each transaction log whose transaction amount is greater than the preset transaction amount threshold to the total number of transaction logs in the transaction log set, and compare the transaction The risk score of the amount is determined as a ratio.
  • the transaction amount threshold is 3000.
  • the transaction amount of transaction 5 (5000) and the transaction amount (8000) of transaction 6 are both greater than the transaction amount threshold (3000), and the transaction amount is greater than the preset transaction amount threshold
  • the preset transaction amount threshold may be determined according to the average value of the transaction amount of each transaction log in the transaction log set.
  • preset coefficients can be pre-stored in the blockchain node.
  • the preset coefficient can be set by a technician based on experience.
  • the blockchain node can determine the product of the average value of the transaction amount of each transaction log in the transaction log set and the preset coefficient as the transaction amount threshold.
  • the preset coefficient is 1.2.
  • the transaction amount threshold is:
  • Step 204 Determine the total risk score of the transaction log set according to the risk score of each target attribute in the transaction log set.
  • the blockchain node determines the risk score of each target attribute, it can further calculate the sum of the risk scores of each target attribute, and use the sum as the total risk score of the transaction log collection.
  • the blockchain node may weighted and sum the risk scores of each target attribute according to a weight coefficient preset for each target attribute to obtain the total risk score of the transaction log set.
  • the corresponding relationship between the target attribute and the weight coefficient may be pre-stored in the blockchain node.
  • the corresponding relationship between the target attribute and the weight coefficient can be set by the technician based on experience.
  • Table 3 shows the corresponding relationship between the target attributes and the weight coefficients stored in the blockchain nodes.
  • the risk score of each target attribute can be weighted and summed to obtain the total risk score of the transaction log collection.
  • the risk score of the transaction time is 0, the risk score of the IP address is 10, the risk score of the transaction status is 40, and the risk score of the transaction amount is 20.
  • Step 205 If the total risk score is greater than the preset score threshold, it is determined that the target account is an abnormal account.
  • the score threshold may be pre-stored in the blockchain node. Among them, the score threshold can be set by a technician based on experience. After the blockchain node obtains the total risk score of the transaction log collection, it can further determine whether the total risk score is greater than or equal to the preset score threshold. If the total risk score is greater than or equal to the preset score threshold, it means that the account has been stolen by hackers, and the blockchain node can determine that the target account is an abnormal account. If the total risk score is less than the preset score threshold, the account is normal, and the blockchain node can determine that the target account is a normal account.
  • the blockchain node can determine that the target account is an abnormal account if the preset score threshold is 60 and the total risk score of the transaction log collection is 70, then the total risk score (70) is greater than the preset score threshold (60), then the blockchain node can determine that the target account is an abnormal account if the preset score threshold is 60 and the total risk score of the transaction log collection is 70, then the total risk score (70) is greater than the preset score threshold (60), then the blockchain node can determine that the target account is an abnormal account .
  • the blockchain node may also send alarm information to the user terminal logging in to the target account when it detects that the target account is logged in.
  • the blockchain node after the blockchain node determines that the target account is an abnormal account, it can send alarm information to the user terminal logging in to the target account when it detects that the target account is logged in to remind the user that the target account may be stolen by hackers.
  • the blockchain node can also send a text message to the mobile phone number bound to the target account to remind the user, or send an email to the mailbox bound to the target account to remind the user, and other methods can also be used to remind the user.
  • This manual implements The examples are not limited.
  • the embodiment of this specification provides a method for detecting abnormal accounts.
  • the blockchain node obtains the target block whose time stamp belongs to the preset time range according to the timestamp of each block in the blockchain, and obtains it from the transaction log contained in the target block
  • the transaction log collection corresponding to the target account.
  • the transaction log collection includes multiple transaction logs initiated by the target account, each transaction log has multiple target attributes, and the target attributes are transaction time, Internet Protocol IP address, transaction status, or transaction amount.
  • the blockchain node determines the target attribute in the transaction log collection at least according to the attribute value of the target attribute in each transaction log and the abnormal conditions preset for the target attribute. Risk score.
  • the blockchain node determines the total risk score of the transaction log set according to the risk score of each target attribute in the transaction log set. If the total risk score is greater than the preset score threshold, the blockchain node determines that the target account is an abnormal account. In this way, the blockchain node can detect whether the target account is an abnormal account by analyzing the transaction log in the transaction log collection of the target account.
  • an embodiment of this specification also provides an abnormal account detection device, which is applied to a blockchain node in a blockchain network, and the device includes:
  • the first obtaining module 310 is configured to obtain the target block whose time stamp belongs to the preset time range according to the time stamp of each block in the blockchain when the preset sampling period is reached;
  • the second obtaining module 320 is configured to obtain a transaction log set corresponding to the target account from the transaction log contained in the target block.
  • the transaction log set includes multiple transaction logs initiated by the target account, and each transaction log has multiple Target attribute, target attribute is transaction time, Internet Protocol IP address, transaction status or transaction amount;
  • the first determining module 330 is configured to determine, for each target attribute in the transaction log set, the target attribute in the transaction log set at least according to the attribute value of the target attribute in each transaction log and the abnormal condition preset for the target attribute The risk score of the attribute;
  • the second determining module 340 is configured to determine the total risk score of the transaction log set according to the risk score of each target attribute in the transaction log set;
  • the third determining module 350 is configured to determine that the target account is an abnormal account if the total risk score is greater than the preset score threshold.
  • the multiple target attributes include a first attribute
  • the first determining module 330 is specifically configured to:
  • the risk score for the first attribute is determined as the first score preset for the first attribute, and the first score Indicates that the first attribute is an abnormal attribute;
  • the risk score for the first attribute is determined to be zero.
  • the multiple target attributes include a second attribute
  • the first determining module 330 is specifically configured to:
  • the first attribute is transaction time
  • the first determining module 330 is specifically used for:
  • the risk score for the transaction time is determined as the first score preset for the transaction time.
  • the first attribute is an IP address
  • the first determining module 330 is specifically configured to:
  • the risk score for the IP address is determined as the first score preset for the IP address.
  • the first attribute is the transaction status
  • the first determining module 330 is specifically configured to:
  • the risk score for the transaction status is determined as the first score preset for the transaction status.
  • the first attribute is the transaction amount
  • the first determining module 330 is specifically used for:
  • the risk score for the transaction amount is determined as the first score preset for the transaction amount.
  • the second attribute is the transaction status
  • the first determining module 330 is specifically configured to:
  • the second attribute is the transaction amount
  • the first determining module 330 is specifically used for:
  • the preset transaction amount threshold is determined according to the average value of the transaction amount of each transaction log in the transaction log set.
  • the second determining module 340 is specifically configured to:
  • the weighted sum of the risk scores of each target attribute is obtained to obtain the total risk score of the transaction log collection.
  • the device further includes:
  • the sending module 360 is configured to send alarm information to the user terminal logging in to the target account when the target account login is detected.
  • the embodiment of this specification provides an abnormal account detection device.
  • the blockchain node obtains the target block whose time stamp belongs to the preset time range according to the timestamp of each block in the blockchain, and obtains it from the transaction log contained in the target block
  • the transaction log collection corresponding to the target account.
  • the transaction log collection includes multiple transaction logs initiated by the target account, each transaction log has multiple target attributes, and the target attributes are transaction time, Internet Protocol IP address, transaction status, or transaction amount.
  • the blockchain node determines the target attribute in the transaction log collection at least according to the attribute value of the target attribute in each transaction log and the abnormal conditions preset for the target attribute. Risk score.
  • the blockchain node determines the total risk score of the transaction log set according to the risk score of each target attribute in the transaction log set. If the total risk score is greater than the preset score threshold, the blockchain node determines that the target account is an abnormal account. In this way, the blockchain node can detect whether the target account is an abnormal account by analyzing the transaction log in the transaction log collection of the target account.
  • the embodiments of this specification also provide a blockchain node, including a memory and a processor, and executable code is stored in the memory.
  • executable code is stored in the memory.
  • the embodiments of this specification also provide a computer-readable storage medium on which a computer program is stored.
  • the computer program is executed in a computer, the computer is caused to execute the method executed by the blockchain node.

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

L'invention concerne un procédé et un appareil de détection de compte anormal, ayant trait au domaine technique des ordinateurs. Le procédé est appliqué à un nœud de chaîne de blocs dans un réseau à chaîne de blocs, et comprend : tout d'abord, lorsqu'une période d'échantillonnage prédéfinie est atteinte, l'acquisition, en fonction d'un horodatage de chaque bloc dans une chaîne de blocs, d'un bloc cible avec un horodatage appartenant à une plage de temps prédéfinie (S201) ; l'acquisition, à partir de journaux de transactions inclus dans le bloc cible, d'un ensemble de journaux de transactions correspondant à un compte cible (S202) ; puis, pour chaque attribut cible dans l'ensemble de journaux de transactions, au moins la détermination, par le nœud de chaîne de blocs, en fonction d'une valeur d'attribut de l'attribut cible dans chaque journal de transactions et d'une condition anormale prédéfinie pour l'attribut cible, d'un score de risque de l'attribut cible dans l'ensemble de journaux de transactions (S203) ; la détermination ultérieure d'un score de risque total de l'ensemble de journaux de transactions en fonction du score de risque de chaque attribut cible dans l'ensemble de journaux de transactions (S204) ; et si le score de risque total est supérieur à une valeur seuil de score prédéfini, la détermination, par le nœud de chaîne de blocs, que le compte cible est un compte anormal (S205). Le procédé peut détecter un compte anormal.
PCT/CN2020/082440 2019-06-12 2020-03-31 Procédé et appareil de détection de compte anormal WO2020248658A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910507875.3A CN110414985A (zh) 2019-06-12 2019-06-12 一种异常账户的检测方法及装置
CN201910507875.3 2019-06-12

Publications (1)

Publication Number Publication Date
WO2020248658A1 true WO2020248658A1 (fr) 2020-12-17

Family

ID=68358970

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/082440 WO2020248658A1 (fr) 2019-06-12 2020-03-31 Procédé et appareil de détection de compte anormal

Country Status (3)

Country Link
CN (1) CN110414985A (fr)
TW (1) TW202046206A (fr)
WO (1) WO2020248658A1 (fr)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110414985A (zh) * 2019-06-12 2019-11-05 阿里巴巴集团控股有限公司 一种异常账户的检测方法及装置
CN111275348A (zh) * 2020-02-05 2020-06-12 张�浩 电子订单信息处理方法、服务器及电子订单信息处理系统
CN111506895A (zh) * 2020-04-17 2020-08-07 支付宝(杭州)信息技术有限公司 一种应用登录图的构建方法及装置
CN111667267B (zh) * 2020-05-29 2023-04-18 中国工商银行股份有限公司 一种区块链交易风险识别方法及装置
JP2021196792A (ja) * 2020-06-12 2021-12-27 富士通株式会社 検出プログラム、検出方法および検出装置
CN112907263B (zh) * 2021-03-22 2022-01-18 北京太火红鸟科技有限公司 异常订单量检测方法、装置、设备及存储介质
CN116611829B (zh) * 2023-07-21 2023-11-14 山东美丽乡村云计算有限公司 一种基于区块链的消费监管系统
CN117745288B (zh) * 2024-02-20 2024-05-14 中国信息通信研究院 区块链交易数据的可视化方法和装置、设备和介质

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106327220A (zh) * 2016-08-31 2017-01-11 无锡雅座在线科技发展有限公司 异常账户的确定方法和装置
CN107230084A (zh) * 2017-05-03 2017-10-03 同济大学 一种基于大数据的用户行为认证方法及系统
CN108122114A (zh) * 2017-12-25 2018-06-05 同济大学 针对异常重复交易欺诈检测方法、系统、介质及设备
CN108985553A (zh) * 2018-06-05 2018-12-11 中国平安人寿保险股份有限公司 一种异常用户的识别方法及设备
WO2019072300A2 (fr) * 2018-12-21 2019-04-18 Alibaba Group Holding Limited Protection de données de chaîne de blocs basée sur un modèle de compte générique et un chiffrement homomorphique
CN109872151A (zh) * 2017-12-04 2019-06-11 万事达卡国际公司 用于对匿名交易进行风险评分的方法和系统
CN110414985A (zh) * 2019-06-12 2019-11-05 阿里巴巴集团控股有限公司 一种异常账户的检测方法及装置

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104751566B (zh) * 2013-12-30 2018-11-27 中国银联股份有限公司 监测伪卡风险的方法和实现该方法的交易处理系统
CN106295349B (zh) * 2015-05-29 2020-06-05 阿里巴巴集团控股有限公司 账号被盗的风险识别方法、识别装置及防控系统
CN108133373A (zh) * 2018-01-04 2018-06-08 交通银行股份有限公司 探寻涉机器行为的风险账户的方法及装置
CN108876102B (zh) * 2018-05-04 2023-08-22 创新先进技术有限公司 一种风险交易挖掘方法、装置及设备
CN109151518B (zh) * 2018-08-06 2021-02-02 武汉斗鱼网络科技有限公司 一种被盗账号的识别方法、装置及电子设备

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106327220A (zh) * 2016-08-31 2017-01-11 无锡雅座在线科技发展有限公司 异常账户的确定方法和装置
CN107230084A (zh) * 2017-05-03 2017-10-03 同济大学 一种基于大数据的用户行为认证方法及系统
CN109872151A (zh) * 2017-12-04 2019-06-11 万事达卡国际公司 用于对匿名交易进行风险评分的方法和系统
CN108122114A (zh) * 2017-12-25 2018-06-05 同济大学 针对异常重复交易欺诈检测方法、系统、介质及设备
CN108985553A (zh) * 2018-06-05 2018-12-11 中国平安人寿保险股份有限公司 一种异常用户的识别方法及设备
WO2019072300A2 (fr) * 2018-12-21 2019-04-18 Alibaba Group Holding Limited Protection de données de chaîne de blocs basée sur un modèle de compte générique et un chiffrement homomorphique
CN110414985A (zh) * 2019-06-12 2019-11-05 阿里巴巴集团控股有限公司 一种异常账户的检测方法及装置

Also Published As

Publication number Publication date
TW202046206A (zh) 2020-12-16
CN110414985A (zh) 2019-11-05

Similar Documents

Publication Publication Date Title
WO2020248658A1 (fr) Procédé et appareil de détection de compte anormal
US11621953B2 (en) Dynamic risk detection and mitigation of compromised customer log-in credentials
US10771497B1 (en) Using IP address data to detect malicious activities
JP7199775B2 (ja) スマートコントラクトに基づくデータ処理方法、データ処理装置、ノード機器、及びコンピュータプログラム
CN108768943B (zh) 一种检测异常账号的方法、装置及服务器
US10853812B2 (en) Blockchain transaction safety
CN110798472B (zh) 数据泄露检测方法与装置
US9462009B1 (en) Detecting risky domains
US11710195B2 (en) Detection and prevention of fraudulent activity on social media accounts
US8732472B2 (en) System and method for verification of digital certificates
JP2019070912A (ja) セキュリティ評価システムおよびセキュリティ評価方法
WO2015043491A1 (fr) Procédé et système pour réaliser une vérification de sécurité sur une connexion à un compte internet
US20200244676A1 (en) Detecting outlier pairs of scanned ports
US11558420B2 (en) Detection of malicious activity within a network
CN104519018A (zh) 一种防止针对服务器的恶意请求的方法、装置和系统
US20200244684A1 (en) Malicious port scan detection using source profiles
US9942255B1 (en) Method and system for detecting abusive behavior in hosted services
CN110417747B (zh) 一种暴力破解行为的检测方法及装置
US20210281609A1 (en) Rating organization cybersecurity using probe-based network reconnaissance techniques
EP3970038B1 (fr) Système siem et procédés d'exfiltration de données d'événement
US20200244683A1 (en) Port scan detection using destination profiles
US20200244675A1 (en) Malicious port scan detection using port profiles
EP3796613A1 (fr) Techniques d'authentification répétée
WO2020258102A1 (fr) Procédé et appareil de pousser de contenu, terminal mobile et support d'enregistrement
WO2014152076A1 (fr) File d'attente de communication synchronisée inter-plateformes à capacité de relance et de copie instantanée

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20823066

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20823066

Country of ref document: EP

Kind code of ref document: A1