CN107169499B - Risk identification method and device - Google Patents

Publication number
CN107169499B
Authority
CN
China
Prior art keywords
view
specific behavior
data
user
matching
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610126320.0A
Other languages
Chinese (zh)
Other versions
CN107169499A (en
Inventor
刘磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Advanced New Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00 Arrangements for image or video recognition or understanding
    • G06V10/70 Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/74 Image or video pattern matching; Proximity measures in feature spaces
    • G06V10/75 Organisation of the matching processes, e.g. simultaneous or sequential comparisons of image or video features; Coarse-fine approaches, e.g. multi-scale approaches; using context analysis; Selection of dictionaries
    • G06V10/758 Involving statistics of pixels or of feature values, e.g. histogram matching
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Abstract

The application discloses a risk identification method and device, which are used for solving the problem that in the prior art, the risk existing in the specific behavior performed by an attacker pretending to be a user after the user account and the password of the user are leaked is difficult to identify. The method comprises the following steps: when the current specific behavior of a user is detected, acquiring current specific behavior data corresponding to the current specific behavior, wherein the specific behavior at least comprises a login behavior; obtaining view data generated according to historical specific behavior data of the user, wherein the view data reflects statistical characteristics of the historical specific behavior data from one or more dimensions; and matching the current specific behavior data with the view data, and identifying whether the current specific behavior of the user has risks according to a matching result.

Description

Risk identification method and device
Technical Field
The present application relates to the field of network technology processing, and in particular, to a risk identification method and apparatus.
Background
With the rapid development and wide application of the internet and computer technology, networks have become closely tied to users' work and life and bring users a great deal of convenience. At the same time, however, attackers on the network also bring risks to users. Stealing a user account and password (abbreviated as "account theft") is one of the common attack methods; the user account can be any account that the user uses on the network and that represents the identity of the user.
Generally, a normal user performs many specific behaviors on the network, and these specific behaviors are strongly related to the interests of the user. For example, the specific behaviors may be logging in to an application or a website, making a payment for a network transaction, performing instant messaging with other users, modifying personal information registered by the user, and the like. However, when the user account and the password of the user are leaked, for example through account theft by an attacker, the user may be at high risk: the attacker may impersonate the user to perform the above-mentioned specific behaviors on the network, so that the interests of the user may be damaged.
In the prior art, it is difficult to identify the risk in a specific behavior that an attacker, impersonating the user, performs after the user account and the password of the user are leaked.
Disclosure of Invention
The embodiment of the application provides a risk identification method and device, which are used for solving the problem that in the prior art, it is difficult to identify the risk existing in the specific behavior performed by an attacker pretending to be the user after the user account and the password of the user are leaked.
The risk identification method provided by the embodiment of the application comprises the following steps:
when the current specific behavior of a user is detected, acquiring current specific behavior data corresponding to the current specific behavior, wherein the specific behavior at least comprises a login behavior;
obtaining view data generated from historical specific behavior data of the user, the view data reflecting statistical characteristics of the historical specific behavior data from one or more dimensions;
and matching the current specific behavior data with the view data, and identifying whether the current specific behavior of the user has risks according to a matching result.
The risk identification device provided by the embodiment of the application comprises:
the system comprises an acquisition module, a storage module and a display module, wherein the acquisition module is used for acquiring current specific behavior data corresponding to a current specific behavior when the current specific behavior of a user is detected, and the specific behavior at least comprises a login behavior;
a view module for obtaining view data generated from historical specific behavior data of the user, the view data reflecting statistical characteristics of the historical specific behavior data from one or more dimensions;
and the risk identification module is used for matching the current specific behavior data with the view data and identifying whether the current specific behavior of the user has risks or not according to a matching result.
With at least one of the above technical schemes, the embodiment of the application achieves the following. The view data reflects the statistical characteristics of the historical specific behavior data of the user, and these statistical characteristics express the user's habits when performing specific behaviors. Matching the current specific behavior data with the view data therefore determines whether the behavior of the current actor conforms to the habits of the user. Because an attacker generally has difficulty performing specific behaviors entirely in accordance with the habits of the user, it can be estimated with a high probability whether the current actor is someone impersonating the user or the user himself. The risk in a specific behavior performed by an attacker impersonating the user after the user account and the password of the user are leaked can thus be identified, and the problems in the prior art are improved or solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a process of a risk identification method provided in an embodiment of the present application;
Fig. 2 is a view generated according to historical login behavior data of a user in an actual application scenario according to an embodiment of the present application;
Fig. 3 is a detailed process of a risk identification method for a login behavior in an actual application scenario according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a risk identification method and apparatus provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
As described above, in the related art, it is difficult to identify the risk in a specific behavior that an attacker, impersonating the user, performs after the user account and the password of the user are leaked.
The Background lists several specific behaviors, such as logging in to an application or a website (login behavior), making a payment for an online transaction (payment behavior), communicating instantly with other users (communication behavior), modifying one's own registered personal information (information modification behavior), and so on. Generally, the listed behaviors other than the login behavior can only be performed after a successful login, so after a user's account is stolen, an attacker may begin by impersonating the user to perform the login behavior and then endanger the interests of the user.
For ease of understanding, the problems of the prior art are analyzed below taking the login behavior as an example of the specific behavior, so that the scheme of the present application and its advantages over the prior art can be explained afterwards.
In the prior art, after an attacker steals the user account and password of a certain user, the attacker can use them to impersonate the user and log in to the corresponding website or application (i.e., perform a login behavior). The server of that website or application verifies the user account and the password submitted by the attacker, the verification passes, and the attacker logs in successfully. Alternatively, in addition to verifying the user account and the password, the server may also verify the login location or the device used for login, and when the current login location is different from the last login location, or when the device used for login is different from the device used for the last login, it may determine that the current login behavior is at risk. However, this solution cannot cope with an attack by an acquaintance: an acquaintance of the user may be in the same place as the user and may use the user's own device to perform the login behavior, so the acquaintance, acting as the attacker, can still log in successfully while impersonating the user.
The scheme of the application can solve the above problems. Its main idea is as follows: view data capable of reflecting the behavior habits of the user is obtained based on historical specific behavior data of the user; based on the generated view data, it is determined whether the specific behavior currently performed by an actor claiming the identity of the user conforms to the behavior habits of the user; and from this it is presumed whether the actor is the user himself, that is, whether the specific behavior performed by the actor is at risk.
The following describes the scheme of the present application.
Fig. 1 is a process of a risk identification method according to an embodiment of the present application, where an execution subject of the process may be a terminal or a server. The terminal includes but is not limited to: personal computers, cell phones, tablet computers, smart watches, vehicle-mounted mobile stations, and the like; the server includes but is not limited to: personal computers, large and medium sized computers, computer clusters, etc. acting as servers. The present application does not limit the execution subject; for convenience of description, the execution subject is taken to be a server in the embodiments of the present application.
The process in fig. 1 may include the following steps:
S101: when the current specific behavior of the user is detected, current specific behavior data corresponding to the current specific behavior is obtained, and the specific behavior at least comprises login behavior.
In the embodiment of the present application, the specific behavior is not limited to the above-listed behaviors; it may be any behavior that an attacker impersonating the user could perform and that may jeopardize the user's interests. In practical applications, a user or a server may specify in advance the specific behaviors to which the scheme of the present application applies. For example, the server may set, by default, for all users: detecting specific behaviors such as login behavior, payment behavior and the like, and executing subsequent steps.
The user may be represented by a user account or other identifier. What the server sees is the user represented by that user account or other identifier (for convenience of description, also referred to as an actor), and the actor actually performing the current specific behavior in step S101 may be the user himself or an attacker impersonating the user.
In the embodiment of the present application, the current specific behavior data may be any data related to the current specific behavior, for example, the current specific behavior data may be: the type, content, time, location, involved services, environmental information of the present specific behavior, etc.
Take the login behavior as an example of the specific behavior. When the current login behavior of the user is detected, the current specific behavior data corresponding to the current login behavior may be obtained. (It is assumed here that the account and the password used for login have already been verified; if verification fails, the login is certain to fail, and the subsequent steps need not be executed.) The current specific behavior data includes but is not limited to:
- the current login type (e.g., login from a website on a PC side, login from an application on a mobile side, login actively from a login entry, login performed after a passive jump to a login entry, etc.);
- the current login content (e.g., the content of the login input, and information on the function module the login behavior is for, since different function modules may need to be logged in to separately);
- the current login location;
- the service involved in the current login (different function modules may have different services, and a user may be guided to the login entry by the service when performing different services);
- the current login environment information (e.g., information on the device used for login, operations performed before login, etc.).
S102: obtaining view data generated from historical specific behavior data of the user, the view data reflecting statistical characteristics of the historical specific behavior data from one or more dimensions.
In the embodiment of the present application, the historical specific behavior data may be data collected by the user device and/or the server when the user previously performed the specific behavior of step S101. For example, when the specific behavior of the user in step S101 is the login behavior of the user to the server, the historical specific behavior data in step S102 is correspondingly the historical login behavior data of the user to the server.
In the embodiment of the present application, the view data may be generated in advance or in real time according to historical specific behavior data of the user. The present application limits neither the amount of historical specific behavior data used for generating the view data nor the time interval it belongs to: the data used may be all of the user's past historical specific behavior data or only part of it.
Further, the view data may specifically contain one or more views. The view may be a two-dimensional view or a three-dimensional view, and the dimensions mentioned in step S102 may be represented by different coordinate axes in the view, and the dimensions may be a time dimension (e.g., a time when a specific action was previously performed), a space dimension (e.g., a place when a specific action was previously performed), a frequency dimension (e.g., a frequency when a specific action was previously performed), a business dimension (e.g., a business involved in previously performing a specific action), a behavior environment dimension (e.g., an environment where a specific action was previously performed), and the like.
In the embodiment of the application, when view data is generated according to historical specific behavior data of a user, specifically, each historical specific behavior of the user may be analyzed according to the historical specific behavior data of the user, so as to classify or cluster the historical specific behavior data, extract statistical features of the historical specific behavior data, and represent the statistical features in the form of a view. These statistical characteristics actually reflect the habit of the user himself/herself when performing a specific action, and generally, the larger the number of statistical characteristics, the more advantageous it is to identify whether the current actor is the user himself/herself or an attacker impersonating the user according to the statistical characteristics.
It should be noted that the view form is used mainly to improve the efficiency of subsequent data matching, because the similarity or matching degree between data can be calculated directly on the view based on the spatial distance between the data. In the embodiment of the present application, identifying whether a specific behavior of a user is at risk may also be implemented in forms other than a view, but the efficiency may differ.
In addition, in order to improve the implementation efficiency of the scheme of the present application, a data processing model which takes the historical specific behavior data of the user as input, is used for generating and outputting the view data, and/or is used for subsequent data matching can be constructed according to a preset rule.
S103: matching the current specific behavior data with the view data, and identifying whether the current specific behavior of the user has risks according to a matching result.
In the embodiment of the present application, data matching may be performed after the current specific behavior data is represented in the view data, or one or more views may be separately generated from the current specific behavior data, and the generated views may be matched with the view data, and so on.
The current specific behavior data may reflect the habits of the current actor in performing the specific behavior, while the view data, as described above, may reflect the habits of the user himself in performing the specific behavior. The essence of the data matching here is therefore to match the habits of the current actor against the habits of the user. When the two match (or the matching degree is high), the current actor can be presumed to be the user; otherwise, the current actor can be presumed not to be the user, the current actor can then be judged to be an attacker, and the current specific behavior is at risk.
With the above method, the view data reflects the statistical characteristics of the historical specific behavior data of the user, and these statistical characteristics express the user's habits when performing the specific behavior. Matching the current specific behavior data with the view data determines whether the behavior of the current actor conforms to the habits of the user. Because an attacker generally has difficulty performing the specific behavior entirely in accordance with the habits of the user, it can be presumed with a high probability whether the current actor is someone impersonating the user or the user himself. The risk in a specific behavior performed by an attacker impersonating the user after the user account and the password of the user are leaked can thus be identified, and the problems in the prior art are improved or solved.
Based on the above method, the examples of the present application also provide some specific embodiments of the above method, and further embodiments of the above method, which are described below.
In practical applications, the behavior of the user is generally periodic, and the period length may be one day or one week or one month, etc. The behavior of the same user in each of the periods has similarities, and therefore, the view data can be generated according to the history specific behavior data belonging to each period, respectively.
Specifically, for step S102, generating view data according to the historical specific behavior data of the user may include: acquiring historical specific behavior data of the user within a preset time period; dividing the preset time period into one or more time intervals according to a preset dividing mode; and respectively generating view data aiming at each divided time interval according to the acquired historical specific behavior data belonging to the time interval, wherein the view data reflects the statistical characteristics of the historical specific behavior data from one or more dimensions.
The length of the divided time intervals is not limited. It can be the period length, and the period length can be adjusted for different time intervals; for example, a period of a week or a month can be adopted for a time interval far from the current time, and a period of a day for a time interval near the current time. The historical specific behavior data in a single time interval may not accurately reflect the user's specific behavior habits, but when there are more time intervals, what the historical specific behavior data has in common across the multiple time intervals, or across most of them, may accurately reflect those habits. For example, assume that the length of the time interval is 1 day, and that some historical specific behavior data shows that on 9 of the past 10 days the user logged in from 12 pm to 1 pm, and on 1 day the user logged in only in the evening. The historical specific behavior data then reflects that the user is used to logging in from 12 pm to 1 pm each day.
In the embodiment of the present application, the view data may include a plurality of views, and the dimension may be a time dimension, a space dimension, a frequency dimension, a business dimension, a behavior environment dimension, and the like. Then, for step S102, generating view data according to the historical specific behavior data of the user may also include: generating a plurality of views as generated view data according to the historical specific behavior data of the user, wherein each view reflects the statistical characteristics of the historical specific behavior data from at least one dimension.
For convenience of understanding, the embodiment of the present application provides a view generated according to the historical login behavior data of the user in a practical application scenario, as shown in fig. 2.
According to the scheme of the application, a plurality of views can be formed for a fixed time period (such as 1 day) based on a large amount of normal historical login behavior data of a single user. Each view is a coordinate graph with two parameters as its dimensions; the coordinate graph is filled in according to the historical login behavior data of the user to generate the view, and several relatively concentrated areas form in it that correspond to the user's daily login habits.
Specifically, fig. 2 is a view generated according to historical login data of a user for a certain shopping website. The abscissa represents the time dimension, specifically the 24 hours of a day; the ordinate represents the login entries (which may belong to the business dimension), and specifically includes 6 types of login entries: master station login, mobile phone application login, trust login, external merchant quick login, wallet code scanning login and wallet authorization login.
In fig. 2, the black square area indicates that the user frequently (almost every day) makes a trust login around 10 am; the gray square area indicates that on most days the user makes a master station login at around 12 pm; the grid squares indicate that the user occasionally makes an external merchant quick login around 1 am. It can be seen that fig. 2 reflects the statistical characteristics of the historical login behavior data of the user from the time dimension, the business dimension, and the frequency dimension (how often the login occurs).
It should be noted that fig. 2 is only an example of the views in the present application, and the style and content of fig. 2 do not constitute a limitation to the present application. In practical application, the time dimension can be accurate to minutes, the action environment dimension can be increased, and the like.
In this embodiment of the present application, the view data may include multiple views, different views may represent different statistical characteristics of the historical specific behavior data from different dimensions, and the data of different views may be relatively independent of each other. Accordingly, the process of matching the current specific behavior data with the view data may be: matching all or part of the current specific behavior data with each view contained in the view data respectively.
Specifically, for step S103, matching the current specific behavior data with the view data may include: for each view contained in the view data, matching the current specific behavior data with the view to obtain a matching degree sub-characterization value representing the matching degree of the current specific behavior data and the view; and taking the matching degree sub-characterization values obtained for the respective views as the matching result of the current specific behavior data and the view data.
Further, matching the current specific behavior data with the view to obtain a matching degree sub-characterization value may specifically include: obtaining, from the current specific behavior data, the data belonging to the dimension corresponding to the view; representing the acquired data in the view according to a predetermined rule; and matching, through the view, the acquired data represented in the view with the other data represented in the view, to obtain a matching degree sub-characterization value that represents the matching degree of the current specific behavior data and the view.
The application does not limit the predetermined rule used to "represent the acquired data in the view". For example, the acquired data may be plotted in the view as a coordinate point according to the meaning of the coordinate axes of the view. The matching degree of the current specific behavior data with the view is then determined by comprehensively measuring the distance between this coordinate point and one or more of the other coordinate points in the view (the distances to different coordinate points may be given different measurement weights), or differences in aspects other than distance. For convenience of description, in this embodiment of the present application the matching degree is characterized by a matching degree sub-characterization value; generally, the higher the matching degree, the larger the corresponding matching degree sub-characterization value may be.
There are other matching schemes besides the scheme of representing the acquired data in this view and then matching the data. For example, one or more views may be generated according to the acquired data, and the generated views may be matched with views included in the view data, or the acquired data and data on the views included in the view data may be converted into data of any other form, and the converted data may be matched, and the like.
In the embodiment of the application, each obtained sub-feature value of the degree of matching is measured based on some dimension or some dimensions and based on some past data of some past time interval or some past time intervals, and therefore, the measurement result may have one-sidedness. The obtained sub-characteristic values of the matching degrees can be comprehensively considered to carry out secondary measurement so as to prevent the accuracy of risk identification from being influenced by the flakiness.
Specifically, as mentioned above, the matching result in step S103 may be each obtained sub-characteristic value of the matching degree, in this case, for step S103, identifying whether there is a risk in the current specific behavior of the user according to the matching result may include: determining a total matching degree characteristic value according to the obtained sub-characteristic values of the matching degrees and weights respectively set for the sub-characteristic values of the matching degrees; determining that the current specific behavior of the user is identified as risky when the overall characteristic value of the degree of matching is determined not to be greater than a predetermined threshold.
For example, assuming that the view data in step S102 includes N views in total, when matching is performed in step S103, the matching degree sub-characterization value calculated for the i-th of the N views is denoted as $p_i$, and the weight set for $p_i$ is denoted as $T_i$. The total matching degree characterization value can then be calculated by using the following formula:
Figure BDA0000935804730000101
where P is the total matching degree characterization value, $1 \le i \le N$, and i and N are positive integers.
The larger the total characteristic value of the matching degree is, the more likely the actor performing the current specific behavior is to be the user himself; conversely, the smaller the total characteristic value of the matching degree is, the more likely the actor performing the current specific behavior is not the user himself, that is, the more likely the current specific behavior is to have a risk.
The present application does not limit how the weight is set for each matching degree sub-characterization value. For example, each view may be weighted according to the amount of valid data it includes (the more valid data, the greater the weight may be), or according to how far the time interval corresponding to the view is from the current time (the closer the interval is to the current time, the greater the weight may be), or each view may be weighted randomly, or the weights of the maximum and minimum matching degree sub-characterization values may be set to 0 and the same weight set for the remaining ones, and so on.
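The per-view matching and weighted total described above, as an added Python example (not code from the patent): each view is a frequency table for one dimension over one time interval, $p_i$ is the share of that view's historical logins that agree with the current login, $T_i$ grows with the amount of valid data and with recency, and a login is risky when P is not greater than the threshold. The field names, the 6-hour bucketing, the half-life weighting, the normalization of P by the sum of the weights and the 0.5 threshold are assumptions, and the login history is constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

DIMENSIONS = ("hour", "device", "city")   # assumed: time, environment, space
THRESHOLD = 0.5                           # assumed predetermined threshold


@dataclass
class View:
    dimension: str          # field of a login record this view summarizes
    counts: Counter         # value -> number of historical logins showing it
    interval_end: datetime  # end of the time interval the view covers

    @property
    def valid(self) -> int:
        return sum(self.counts.values())


def bucket(record: dict, dimension: str):
    """Value under which a login record is counted in a view of this dimension."""
    if dimension == "hour":
        return record["time"].hour // 6   # four 6-hour slots per day
    return record[dimension]


def build_views(history, now, interval_days=30, intervals=3):
    """Split the look-back period into intervals; one view per interval and dimension."""
    views = []
    for k in range(intervals):
        end = now - timedelta(days=k * interval_days)
        start = end - timedelta(days=interval_days)
        chunk = [r for r in history if start <= r["time"] < end]
        for dim in DIMENSIONS:
            views.append(View(dim, Counter(bucket(r, dim) for r in chunk), end))
    return views


def sub_value(view, current) -> float:
    """p_i: share of the view's logins that agree with the current login."""
    if view.valid == 0:
        return 0.0
    return view.counts[bucket(current, view.dimension)] / view.valid


def weight(view, now, half_life_days=60) -> float:
    """T_i: grows with the amount of valid data, halves every half_life_days of age."""
    age_days = (now - view.interval_end).days
    return view.valid * 0.5 ** (age_days / half_life_days)


def total_match(views, current, now) -> float:
    """P: sum of T_i * p_i divided by the sum of T_i (normalization is assumed)."""
    pairs = [(weight(v, now), sub_value(v, current)) for v in views]
    total_weight = sum(w for w, _ in pairs)
    if total_weight == 0:
        return 0.0          # no usable history: nothing to match against
    return sum(w * p for w, p in pairs) / total_weight


def is_risky(views, current, now) -> bool:
    """Risky when P is not greater than the threshold."""
    return total_match(views, current, now) <= THRESHOLD


# Constructed sample: 90 days of 09:00 laptop logins plus an evening phone
# login every tenth day, all from the same city.
NOW = datetime(2016, 3, 7, 12, 0)
HISTORY = [{"time": (NOW - timedelta(days=d)).replace(hour=9),
            "device": "laptop-1", "city": "Hangzhou"} for d in range(1, 91)]
HISTORY += [{"time": (NOW - timedelta(days=d)).replace(hour=20),
             "device": "phone-1", "city": "Hangzhou"} for d in range(5, 91, 10)]
VIEWS = build_views(HISTORY, NOW)

USUAL = {"time": NOW.replace(hour=10), "device": "laptop-1", "city": "Hangzhou"}
ODD = {"time": NOW.replace(hour=3), "device": "unknown-7", "city": "Hangzhou"}

if __name__ == "__main__":
    for name, login in (("usual", USUAL), ("odd", ODD)):
        p = total_match(VIEWS, login, NOW)
        print(f"{name}: P={p:.3f} risky={is_risky(VIEWS, login, NOW)}")
```

A login that matches only the city view scores one third and falls below the threshold, and an account with no history at all scores 0, so it is treated as risky rather than trusted by default.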
In the embodiment of the present application, after step S103 is executed, if the current specific behavior of the user is identified as risky, it may be assumed that the actor performing the current specific behavior is not the user himself but an attacker impersonating the user, and a risk control measure may then be taken to prevent the user's interests from being harmed. The present application does not limit the risk control measures taken. Taking a login behavior as the specific behavior, for example, the risk control measures may be: confirming the actor's identity by secondary verification in addition to user account and password verification, for example by pushing a message that requires the actor to confirm in a mobile phone application, or by requiring the actor to complete short message verification through an uplink or downlink short message; the actor may even be refused login directly, so as to protect the security of the user account.
The scheme of the present application is explained in detail above. For convenience of understanding, based on the scheme of the present application, the embodiment of the present application further provides a detailed process of the risk identification method for login behavior in an actual application scenario, as shown in fig. 3, the detailed process may include the following steps:
S301: The user account and password submitted by the user when performing the current login behavior are verified successfully.
If the verification fails in this step, the login can be rejected directly without performing the subsequent steps.
S302: Obtain the current login behavior data of the user, which may include specified data such as login time, entry, type, device and purpose.
S303: Obtain view data generated according to the historical specific behavior data of the user, where the view data comprises one or more views that reflect the statistical characteristics of the historical specific behavior data of the user from the dimensions to which the specified data belongs.
S304: Match the current login behavior data with each view included in the view data to obtain a matching degree sub-characterization value for each view, and determine the total matching degree characterization value of the current login behavior data and the view data according to these sub-characterization values.
S305: Identify, according to the determined total matching degree characterization value, whether the current specific behavior of the user is risky; if so, execute step S306; otherwise, execute step S307.
S306: Determine that the current login of the user is successful.
S307: Execute risk control measures for the current login behavior of the user.
The risk control measures may be: performing secondary verification on the current login behavior of the user, or directly rejecting the current login behavior and determining that the current login has failed, and so on.
Based on the same idea as the risk identification method provided in the embodiment of the present application, a corresponding risk identification device is further provided, as shown in fig. 4.
Fig. 4 is a schematic structural diagram of a risk identification device provided in an embodiment of the present application, which specifically includes:
an obtaining module 401, configured to obtain, when a current specific behavior of a user is detected, current specific behavior data corresponding to the current specific behavior, where the specific behavior at least includes a login behavior;
a view module 402 configured to obtain view data generated according to historical specific behavior data of the user, where the view data reflects statistical characteristics of the historical specific behavior data from one or more dimensions;
a risk identification module 403, configured to match the current specific behavior data with the view data, and identify whether a risk exists in the current specific behavior of the user according to a matching result.
With this device, the view data reflects the statistical characteristics of the user's historical specific behavior data, and those statistical characteristics express the user's habits when performing the specific behavior. Matching the current specific behavior data with the view data therefore determines whether the behavior of the current actor conforms to the user's habits. Because an attacker generally has difficulty performing the specific behavior entirely according to the user's habits, it can be estimated with high probability whether the current actor is someone impersonating the user or the user himself or herself, so the risk that an attacker impersonates the user to perform the specific behavior after the user's account and password have been leaked can be identified, and the problems in the prior art are alleviated or solved.
Optionally, the view module 402 is further configured to generate view data according to the historical specific behavior data of the user;
optionally, the view module 402 is specifically configured to: acquiring historical specific behavior data of the user within a preset time period; dividing the preset time period into one or more time intervals according to a preset dividing mode; and respectively generating view data aiming at each divided time interval according to the acquired historical specific behavior data belonging to the time interval, wherein the view data reflects the statistical characteristics of the historical specific behavior data from one or more dimensions.
Optionally, the dimension includes at least one of a time dimension, a space dimension, a frequency dimension, a business dimension, and a behavior environment dimension;
optionally, the view module 402 is specifically configured to: generating a plurality of views as generated view data according to the historical specific behavior data of the user, wherein each view reflects the statistical characteristics of the historical specific behavior data from at least one dimension.
Optionally, the risk identification module 403 is specifically configured to: respectively aiming at each view contained in the view data, executing: matching the current specific behavior data with the view to obtain a sub-characteristic value representing the matching degree of the current specific behavior data and the view; and taking each matching degree sub-characterization value obtained after the respective execution as a matching result of the current specific behavior data and the view data.
Optionally, the risk identification module 403 is specifically configured to: obtaining data belonging to the dimension from the current specific behavior data according to the dimension corresponding to the view; and according to a preset rule, representing the acquired data in the view, and matching the acquired data represented in the view with other data represented in the view through the view to obtain a matching degree sub-characteristic value which is used for representing the matching degree of the current specific behavior data and the view.
Optionally, the risk identification module 403 is specifically configured to: determining a total matching degree characteristic value according to the obtained sub-characteristic values of the matching degrees and weights respectively set for the sub-characteristic values of the matching degrees; determining that the current specific behavior of the user is identified as risky when the overall characteristic value of the degree of matching is determined not to be greater than a predetermined threshold.
The adoption of the view data matching mode can improve the identification efficiency of the risk existing in the current specific behavior of the user.
The specific device shown in fig. 4 may be located on a terminal or a server.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (6)

1. A method for risk identification, comprising:
when the current specific behavior of a user is detected, acquiring current specific behavior data corresponding to the current specific behavior, wherein the specific behavior at least comprises a login behavior;
generating a plurality of views as generated view data according to the historical specific behavior data of the user, wherein each view reflects the statistical characteristics of the historical specific behavior data from at least one dimension; the dimension comprises at least one of a time dimension, a space dimension, a frequency dimension, a business dimension and a behavior environment dimension;
respectively aiming at each view contained in the view data, executing: matching the current specific behavior data with the view to obtain a sub-characteristic value representing the matching degree of the current specific behavior data and the view;
determining a total matching degree characteristic value according to the obtained sub-characteristic values of the matching degrees and weights respectively set for the sub-characteristic values of the matching degrees;
determining that the current specific behavior of the user is identified as risky when the overall characteristic value of the degree of matching is determined not to be greater than a predetermined threshold.
2. The method of claim 1, wherein generating view data from the historical specific behavior data of the user specifically comprises:
acquiring historical specific behavior data of the user within a preset time period;
dividing the preset time period into one or more time intervals according to a preset dividing mode;
and respectively generating view data aiming at each divided time interval according to the acquired historical specific behavior data belonging to the time interval, wherein the view data reflects the statistical characteristics of the historical specific behavior data from one or more dimensions.
3. The method according to claim 1, wherein matching the current specific behavior data with the view to obtain a sub-characterization value of a degree of matching that characterizes a degree of matching of the current specific behavior data with the view includes:
obtaining data belonging to the dimension from the current specific behavior data according to the dimension corresponding to the view;
and according to a preset rule, representing the acquired data in the view, and matching the acquired data represented in the view with other data represented in the view through the view to obtain a matching degree sub-characteristic value which is used for representing the matching degree of the current specific behavior data and the view.
4. A risk identification device, comprising:
the system comprises an acquisition module, a storage module and a display module, wherein the acquisition module is used for acquiring current specific behavior data corresponding to a current specific behavior when the current specific behavior of a user is detected, and the specific behavior at least comprises a login behavior;
a view module for generating a plurality of views as generated view data according to the historical specific behavior data of the user, each view reflecting statistical characteristics of the historical specific behavior data from at least one dimension; the dimension comprises at least one of a time dimension, a space dimension, a frequency dimension, a business dimension and a behavior environment dimension;
a risk identification module, configured to perform, for each view included in the view data, respectively: matching the current specific behavior data with the view to obtain a sub-characteristic value representing the matching degree of the current specific behavior data and the view;
determining a total matching degree characteristic value according to the obtained sub-characteristic values of the matching degrees and weights respectively set for the sub-characteristic values of the matching degrees; determining that the current specific behavior of the user is identified as risky when the overall characteristic value of the degree of matching is determined not to be greater than a predetermined threshold.
5. The apparatus of claim 4, wherein the view module is further to generate view data from historical specific behavior data of the user;
the view module is specifically configured to: acquiring historical specific behavior data of the user within a preset time period; dividing the preset time period into one or more time intervals according to a preset dividing mode; and respectively generating view data aiming at each divided time interval according to the acquired historical specific behavior data belonging to the time interval, wherein the view data reflects the statistical characteristics of the historical specific behavior data from one or more dimensions.
6. The apparatus of claim 4, wherein the risk identification module is specifically configured to: obtaining data belonging to the dimension from the current specific behavior data according to the dimension corresponding to the view; and according to a preset rule, representing the acquired data in the view, and matching the acquired data represented in the view with other data represented in the view through the view to obtain a matching degree sub-characteristic value which is used for representing the matching degree of the current specific behavior data and the view.
CN201610126320.0A 2016-03-07 2016-03-07 Risk identification method and device Active CN107169499B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610126320.0A CN107169499B (en) 2016-03-07 2016-03-07 Risk identification method and device

Publications (2)

Publication Number Publication Date
CN107169499A CN107169499A (en) 2017-09-15
CN107169499B CN107169499B (en) 2021-01-05

Family

ID=59848424

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200923

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman, British Islands

Applicant after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman, British Islands

Applicant before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200923

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman, British Islands

Applicant after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

GR01 Patent grant