CN114465977B - Mailbox login abnormality detection method, device, equipment and storage medium - Google Patents
- Publication number: CN114465977B (application CN202210013302.7A)
- Authority: CN (China)
- Prior art keywords: login, trusted, records, list, mailbox
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
Description
Technical Field
The present invention relates to the field of network information security, and in particular to a method, device, equipment and storage medium for detecting mailbox login anomalies.
Background
Detection of unauthorized logins to e-mail accounts is an important application in the field of email security. E-mail is used very widely, and the security of corporate mailboxes bears directly on the interests of companies and enterprises: the great majority of enterprises, government departments and research institutions use corporate email to transmit, revise and approve official documents, and much highly confidential data passes through it. However, e-mail in transit must be relayed across different mail servers, which gives attackers an opening. Mailbox passwords leak in many ways, including but not limited to phishing emails (tricking the user into clicking an unknown link URL in an email that leads to a fake login page, where the account password is stolen), brute-force cracking (using many IPs to rapidly try many passwords against many accounts, which with some probability cracks mailbox accounts with simple passwords), Trojans (installing a Trojan on the client machine via email or another download channel and stealing the user's account password), and credential stuffing (the user reuses the same account password on several websites, so once one website's backend is compromised and the credentials are stolen, the same password can be used to log in to other systems or the corresponding mail system).
Since new attack methods appear constantly, it must be assumed that some users have certainly had their mailbox account passwords stolen for one of the above reasons, so a way is needed to decide whether the current login is by the user themselves or by some other unauthorized user.
At present, most security detection for mailbox account login risk control targets one specific leakage channel. For example, the IPs used by an attacker are obtained by clustering or similar methods, and the attacker is finally identified from the IPs that suspicious mailboxes log in from in common; but for an attacker who uses many proxies and logs in to stolen accounts from different IPs, or who runs low-frequency, sustained monitoring attacks against a small number of high-value accounts, a method based on common login IPs will not necessarily catch such abnormal logins. For brute-force cracking, a threshold is set on the number of different accounts and different passwords tried from the same IP. For login-from-a-different-location risk control, the logged-in user must additionally pass two-factor authentication; but when users use a VPN or another proxy and their apparent geographic location switches, or when different IP geolocation databases are used, there is a certain probability of returning the wrong location for an IP, which makes the login process cumbersome or even causes it to fail.
Therefore, a strategy for detecting abnormal logins to corporate mailboxes is urgently needed, to solve the problem in the prior art that a user's use of a proxy causes the login region to switch, producing false alarms and inaccurate detection.
Summary of the Invention
The present invention provides a method, device, equipment and storage medium for detecting mailbox login anomalies, so as to solve the technical problem in the prior art of low accuracy in detecting abnormal logins when the login region switches.
To solve the above technical problem, an embodiment of the present invention provides a method for detecting mailbox login anomalies, comprising:
obtaining all login records of a user's mailbox, and establishing a trusted IP list and a standard user profile from the preset normal emails in the user's mailbox;
obtaining, from a preset geographic information database for login IPs, the longitude and latitude of the region corresponding to each login record; wherein each login record contains a login IP and a login time;
according to the login time, calculating in turn the switching speed between the longitude/latitude positions of the regions corresponding to each pair of adjacent login records, and screening out suspicious login records according to a preset speed threshold;
eliminating records from the suspicious login records according to the trusted IP list and the standard user profile, and taking the suspicious login records that remain after the elimination operation as abnormal records.
As a preferred solution, after taking the suspicious login records remaining after the elimination operation as abnormal records, the method further includes:
in response to a mailbox login operation by the current user, generating a first login record, and judging whether the first login record is normal according to the trusted IP list and the standard user profile;
if the first login record is normal, saving the login record;
if the first login record is abnormal, triggering two-factor authentication so that the current user confirms the login.
As a preferred solution, after generating the first login record in response to the current user's mailbox login operation and judging whether the first login record is normal according to the trusted IP list and the standard user profile, the method further includes:
recording the number of login records generated within a first preset time period, and if the number of generated login records is greater than a preset first threshold, blocking the current user's mailbox.
As a preferred solution, after obtaining the longitude and latitude of the region corresponding to each login record from the preset geographic information database for login IPs, the method further includes:
obtaining all failed login records within a second preset time period, and classifying all the failed login records according to preset brute-force rules to obtain brute-force records and non-brute-force records;
if the brute-force records exceed a preset second threshold, marking all login IPs in the brute-force records as a brute-force IP list;
updating the abnormal records with the login records whose login IP matches the brute-force IP list.
As a preferred solution, obtaining all login records of the user's mailbox and establishing the trusted IP list and the standard user profile from the preset normal emails in the user's mailbox specifically comprises:
obtaining, for the IPs of all preset normal emails in the user's mailbox, the number of unique senders corresponding to each IP, taking the IPs whose number of unique senders is greater than a third threshold as trusted IP seeds, and taking the client IDs of all emails sent from the trusted IPs as a trusted ID list; wherein each login record also contains a client ID;
according to the trusted IP seeds and the trusted ID list, taking each trusted IP seed as a vertex whose weight is the number of unique senders corresponding to that trusted IP seed, thereby constructing a reputation propagation graph; iteratively growing and propagating the reputation propagation graph until the number of iterations reaches a preset value; obtaining the weight of each vertex after the iterations; and obtaining the trusted IP list from the weight of each vertex after the iterations;
calculating the standard user profile from the trusted IP list.
As a preferred solution, calculating the standard user profile from the trusted IP list specifically comprises:
obtaining all login records of the user's mailbox, and filtering out, according to the trusted IP list, the login records that match the trusted IP list;
calculating the user's feature vector from the login records that match the trusted IP list, as the standard user profile.
As a preferred solution, calculating in turn, according to the login time, the switching speed between the longitude/latitude positions of the regions corresponding to each pair of adjacent login records, and screening out suspicious login records according to the preset speed threshold, specifically comprises:
sorting all login records by login time, calculating in turn the switching speed between the longitude/latitude positions of the regions corresponding to each pair of adjacent login records, and, according to the preset speed threshold, screening out the pairs of adjacent login records whose switching speed is greater than the preset speed threshold as suspicious login records.
Correspondingly, the present invention also provides a device for detecting mailbox login anomalies, comprising a list-and-profile module, a region location module, a suspicious login module and an abnormal record module;
the list-and-profile module is used to obtain all login records of the user's mailbox and to establish the trusted IP list and the standard user profile from the preset normal emails in the user's mailbox;
the region location module is used to obtain, from the preset geographic information database for login IPs, the longitude and latitude of the region corresponding to each login record; wherein each login record contains a login IP and a login time;
the suspicious login module is used to calculate in turn, according to the login time, the switching speed between the longitude/latitude positions of the regions corresponding to each pair of adjacent login records, and to screen out suspicious login records according to the preset speed threshold;
the abnormal record module is used to eliminate records from the suspicious login records according to the trusted IP list and the standard user profile, and to take the suspicious login records remaining after the elimination as abnormal records.
Correspondingly, the present invention also provides a terminal device comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the processor, when executing the computer program, implements the method for detecting mailbox login anomalies described in any of the above items.
Correspondingly, the present invention also provides a computer-readable storage medium comprising a stored computer program; wherein, when run, the computer program controls the device on which the computer-readable storage medium resides to execute the method for detecting mailbox login anomalies described in any of the above items.
Compared with the prior art, the embodiments of the present invention have the following beneficial effects:
The technical solution of the present invention obtains all login records of the user's mailbox and establishes a trusted IP list and a standard user profile from the preset normal emails in the mailbox, so that login anomalies are detected from the user's own habits of mailbox use, which improves the accuracy of login anomaly detection. Suspicious login records are screened out by calculating the switching speed between the locations of adjacent login records, which improves the precision with which a pair of login records is screened. Suspicious login records are then eliminated according to the trusted IP list and the standard user profile, which avoids the false alarms that arise in the prior art when the login region switches after a proxy is used, improving both the user's experience of the mailbox and the accuracy of mailbox login anomaly detection.
Brief Description of the Drawings
FIG. 1 is a flowchart of the steps of a method for detecting mailbox login anomalies provided by an embodiment of the present invention;
FIG. 2 is the IP reputation propagation graph in its initial state in a method for detecting mailbox login anomalies provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of reputation propagation from IP1 in a method for detecting mailbox login anomalies provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of reputation propagation from IP2 in a method for detecting mailbox login anomalies provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of reputation propagation from IP3 in a method for detecting mailbox login anomalies provided by an embodiment of the present invention;
FIG. 6 is a schematic diagram of the structure of a device for detecting mailbox login anomalies provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Embodiment 1
Referring to FIG. 1, a method for detecting mailbox login anomalies provided by an embodiment of the present invention comprises the following steps:
S101: obtaining all login records of the user's mailbox, and establishing a trusted IP list and a standard user profile from the preset normal emails in the user's mailbox.
Specifically, for the IPs of all preset normal emails in the user's mailbox, the number of unique senders corresponding to each IP is obtained; the IPs whose number of unique senders is greater than a third threshold are taken as trusted IP seeds, and the client IDs of all emails sent from the trusted IPs are taken as a trusted ID list, wherein each login record also contains a client ID. According to the trusted IP seeds and the trusted ID list, each trusted IP seed is taken as a vertex whose weight is the number of unique senders corresponding to that trusted IP seed, thereby constructing a reputation propagation graph; the reputation propagation graph is iteratively grown and propagated until the number of iterations reaches a preset value, the weight of each vertex after the iterations is obtained, and the trusted IP list is obtained from those weights. The standard user profile is then calculated from the trusted IP list.
It should be noted that the preset normal emails are emails in the outbox whose recipient and sender have exchanged mail with each other several times. Using preset normal emails guarantees that the IP from which such an email was sent is the IP the user was operating from, so that the trusted IP list and user profile generated are accurate and genuinely trustworthy. For the IPs of all preset normal emails in the user's mailbox, the number of unique senders corresponding to each IP is obtained, and the IPs whose number of unique senders is greater than the third threshold are taken as trusted IP seeds; in practice, for corporate mailboxes, most of these IPs turn out to be the shared egress IPs of the company's offices. Here, the number of unique senders corresponding to the IP of a normal email is understood as follows: every normal email carries one IP, and the number of distinct senders whose emails share the same IP is counted.
In this embodiment, after the number of unique senders corresponding to the IPs of all normal emails in the user's mailbox is obtained, the IPs whose number of unique senders is greater than the third threshold are taken as trusted IP seeds and IPs with too few unique senders are discarded; the client IDs of all emails sent from the trusted IPs form the trusted ID list. The trusted IP seeds are the vertices, the weight of a vertex is the number of unique senders of the corresponding IP, i.e. its reputation, and the trusted ID list supplies the edges between vertices, giving the initial reputation propagation graph. The reputation propagation graph is then iteratively grown and propagated until the number of iterations reaches the preset value; the weight of each vertex after the iterations is obtained, and the trusted IP list is derived from those weights.
As a preferred version of this embodiment, refer to FIG. 2, the reputation propagation graph in its initial state. Four IPs are obtained, IP1, IP2, IP3 and IP4. IP1 has 100 unique senders, an initial reputation of 100 and 100 trusted IDs, i.e. 100 edges, of which 7 connect to IP2 (7 client IDs in common with IP2) and 3 connect to IP3 (3 client IDs in common with IP3). IP2 has 10 unique senders, an initial reputation of 10 and 10 trusted IDs, i.e. 10 edges, of which 7 connect to IP1 and the remaining 3 connect to other external IPs. IP3 has 0 unique senders, an initial reputation of 0 and only the 3 edges connecting it to IP1. IP4 has no unique senders, an initial reputation of 0 and no client in common with IP1, IP2 or IP3, so no reputation propagates to or from IP4. Reputation is propagated from IP1, IP2 and IP3 in turn; the amount propagated to each neighbour is proportional to the share of the source IP's edges that connect to that neighbour, and one round in which every IP propagates once is one iteration. Refer to FIG. 3, showing IP1 propagating reputation to IP2 and IP3: IP2 receives 100*(7/100)=7 reputation from IP1, so IP2's current reputation is 17, and IP3 receives 100*(3/100)=3 reputation from IP1, so IP3's current reputation is 3. Refer to FIG. 4, showing IP2 propagating reputation to IP1: IP1 receives 17*(7/10)=11.9 reputation from IP2, so IP1's current reputation is 111.9. Refer to FIG. 5, showing IP3 propagating reputation to IP1: IP1 receives 3*(3/3)=3 reputation from IP3, so IP1's current reputation is 114.9.
At this point every IP has propagated its reputation once, i.e. one iteration of the reputation calculation has been completed.
Preferably, after 4 iterations the ranking of the IPs by reputation value has essentially stabilised and converged; the top 80% of IPs by reputation value are retained as the trusted IP list.
The reputation transfer process propagates the reputation of trusted IPs to other trusted IPs, including but not limited to cases where the user changes IP by using a network proxy, so that a relatively trustworthy IP list is obtained. To guard against potential cheating such as subjective manipulation, only the IPs ranked highest by reputation value after propagation are kept and IPs with low reputation are discarded; the proportion retained is chosen according to actual requirements.
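The reputation propagation of FIG. 2 to FIG. 5, as an added Python example that is not the patent's own code: the graph is constructed from the numbers in the worked example, and the sequential update order (IP2 propagates its already-updated value of 17 back to IP1) and the rounding of the 80% cut-off are assumptions read from the figures rather than rules stated in the text.

```python
# Added example, not the patent's own code: reputation propagation over the
# IP graph of FIG. 2 to FIG. 5. A vertex is a trusted IP seed whose weight is
# its unique-sender count; an edge between two IPs carries the number of client
# IDs they share; each IP in turn adds its current reputation, split in
# proportion to its edges, to its neighbours (the source keeps its own value).
from typing import Dict, List, Tuple

# Graph constructed from the patent's worked example (FIG. 2):
#   IP1: 100 unique senders, 100 edges, 7 shared with IP2, 3 shared with IP3
#   IP2: 10 unique senders, 10 edges, 7 shared with IP1, 3 to external IPs
#   IP3: 0 unique senders, 3 edges, all shared with IP1
#   IP4: no unique senders, no client ID in common with the others
SEED_REPUTATION: Dict[str, float] = {"IP1": 100.0, "IP2": 10.0, "IP3": 0.0, "IP4": 0.0}
EDGE_COUNT: Dict[str, int] = {"IP1": 100, "IP2": 10, "IP3": 3, "IP4": 0}
SHARED_IDS: Dict[Tuple[str, str], int] = {("IP1", "IP2"): 7, ("IP1", "IP3"): 3}


def neighbours(ip: str) -> List[Tuple[str, int]]:
    """(neighbour, shared client ID count) pairs for an IP; edges are undirected."""
    out: List[Tuple[str, int]] = []
    for (a, b), shared in SHARED_IDS.items():
        if a == ip:
            out.append((b, shared))
        elif b == ip:
            out.append((a, shared))
    return out


def propagate_once(rep: Dict[str, float]) -> Dict[str, float]:
    """One iteration: every IP, in insertion order, propagates its current reputation.

    Processing order matters: in FIG. 4 IP2 propagates its already-updated value
    (17, not 10) back to IP1, so a sequential update is assumed here.
    """
    rep = dict(rep)  # do not mutate the caller's dictionary
    for ip in list(rep):
        if EDGE_COUNT[ip] == 0:
            continue  # isolated vertex such as IP4: nothing to propagate
        for nb, shared in neighbours(ip):
            rep[nb] += rep[ip] * shared / EDGE_COUNT[ip]
    return rep


def trusted_ip_list(iterations: int = 4, keep_ratio: float = 0.8) -> List[str]:
    """Run the preset number of iterations (4) and keep the top 80% of IPs by reputation.

    Rounding the retained count down is an assumption; the patent only gives the ratio.
    """
    rep = dict(SEED_REPUTATION)
    for _ in range(iterations):
        rep = propagate_once(rep)
    ranked = sorted(rep, key=lambda ip: rep[ip], reverse=True)
    return ranked[: int(len(ranked) * keep_ratio)]


if __name__ == "__main__":
    after_one = propagate_once(SEED_REPUTATION)
    print({ip: round(v, 1) for ip, v in after_one.items()})  # IP1 114.9, IP2 17.0, IP3 3.0, IP4 0
    print(trusted_ip_list())  # ['IP1', 'IP2', 'IP3']
```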
Specifically, all login records of the user's mailbox are obtained and the login records whose IP is on the trusted IP list are filtered out; from those login records, the user's feature vector is calculated as the standard user profile.
It should be noted that a login record also includes the login time, login country, login city, the C-class (/24) segment of the login IP and the login client ID. From the login records matching the trusted IP list, the user's feature vector is computed, preferably with the item2vec method, and taken as the standard user profile.
S102: obtaining, from the preset geographic information database for login IPs, the longitude and latitude of the region corresponding to each login record; wherein each login record contains a login IP and a login time.
As a preferred version of this embodiment, after obtaining the longitude and latitude of the region corresponding to each login record from the preset geographic information database for login IPs, the method further includes: obtaining all failed login records within a second preset time period, and classifying all the failed login records according to preset brute-force rules to obtain brute-force records and non-brute-force records; if the brute-force records exceed a preset second threshold, marking all login IPs in the brute-force records as a brute-force IP list; and updating the abnormal records with the login records whose login IP matches the brute-force IP list.
Preferably, the preset brute-force rules classify all failed login records into four cases. Case a: an attacker may use a small number of IPs to attack the same account with a large number of different passwords, leaving a large number of failure records. Case b: an attacker may use a small number of IPs to try one password against a large number of different accounts, leaving a large number of failure records. Case c: an attacker may use a small number of IPs to attack a large number of different accounts with a large number of different passwords, leaving a large number of failure records. Case d: a normal user may forget to update the password stored in their mail client after changing the mailbox password, so that a single IP keeps trying the same password on the same account and some failure records appear. The preset brute-force rules classify a, b and c as brute-force records and d as non-brute-force records. When the brute-force records of type a, b or c exceed the second threshold, the IPs of those records are marked and form the brute-force IP list; all login IPs are then checked against this list, and the login records whose IP is on the brute-force IP list are taken as new abnormal records that update the abnormal records obtained in step S104.
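The four-case classification of failed logins and the marking of the brute-force IP list, as an added Python example that is not the patent's own code: the records are constructed, the password fingerprint field, the "large number" cut-off and the value of the second threshold are assumptions, and the threshold is applied per IP to the count of its a/b/c-type failures.

```python
# Added example, not the patent's own code: classify each source IP's failed
# logins in the window into the patent's cases a, b, c, d and mark the IPs
# whose brute-force-type failures exceed the second threshold. Attempted
# passwords are never stored; each record carries only a fingerprint of the
# attempted password (hypothetical field, an assumption of this example).
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class FailedLogin(NamedTuple):
    ip: str
    account: str
    pw_fingerprint: str  # hypothetical: e.g. a truncated salted hash of the attempt


MANY = 3              # "large number" of accounts or passwords; assumed cut-off
SECOND_THRESHOLD = 3  # the patent's second threshold; value assumed


def classify(failures: List[FailedLogin]) -> str:
    """Map one IP's failures in the window to case a, b, c or d."""
    many_accounts = len({f.account for f in failures}) >= MANY
    many_passwords = len({f.pw_fingerprint for f in failures}) >= MANY
    if many_passwords and not many_accounts:
        return "a"  # one account, many different passwords
    if many_accounts and not many_passwords:
        return "b"  # one password tried against many accounts
    if many_accounts and many_passwords:
        return "c"  # many accounts, many passwords
    return "d"      # same account, same password: typically a stale mail client


def brute_force_ip_list(failures: List[FailedLogin]) -> Dict[str, str]:
    """IPs whose a/b/c-type failures exceed the second threshold, with their case."""
    by_ip: Dict[str, List[FailedLogin]] = defaultdict(list)
    for f in failures:
        by_ip[f.ip].append(f)
    marked: Dict[str, str] = {}
    for ip, fails in by_ip.items():
        case = classify(fails)
        if case in ("a", "b", "c") and len(fails) > SECOND_THRESHOLD:
            marked[ip] = case
    return marked


def update_abnormal(login_records: List[Tuple[str, str]], abnormal: Set[str],
                    marked: Dict[str, str]) -> Set[str]:
    """Add the IDs of (record_id, ip) login records whose IP is on the brute-force list."""
    return abnormal | {rec_id for rec_id, ip in login_records if ip in marked}


# Constructed sample window of failed logins (documentation IP ranges).
SAMPLE_FAILURES: List[FailedLogin] = [
    # case a: one account, five different passwords
    *[FailedLogin("198.51.100.7", "alice", f"fp{i}") for i in range(5)],
    # case b: one password against four accounts
    *[FailedLogin("198.51.100.8", acct, "fp_common") for acct in ("bob", "carol", "dave", "erin")],
    # case c: three accounts, three passwords each (nine failures)
    *[FailedLogin("203.0.113.9", acct, fp) for acct in ("f", "g", "h") for fp in ("x1", "x2", "x3")],
    # case d: same account and password three times (stale client, not brute force)
    *[FailedLogin("192.0.2.10", "frank", "fp_old") for _ in range(3)],
]

if __name__ == "__main__":
    print(brute_force_ip_list(SAMPLE_FAILURES))
    # {'198.51.100.7': 'a', '198.51.100.8': 'b', '203.0.113.9': 'c'}
```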
S103: according to the login time, calculating in turn the switching speed between the longitude/latitude positions of the regions corresponding to each pair of adjacent login records, and screening out suspicious login records according to a preset speed threshold.
Specifically, all login records are sorted by login time; the switching speed between the longitude/latitude positions of each pair of adjacent login records is calculated in turn, and the pairs of adjacent login records whose switching speed exceeds the preset speed threshold are screened out as suspicious login records.
It should be noted that the preset speed threshold is the maximum plausible travel speed; preferably it is 800 km/h, roughly the average speed of an aircraft. If the switching speed between the locations of two adjacent login records exceeds the speed threshold, both login records are taken as suspicious login records. The switching speed is the ratio of the geographic distance between the two longitude/latitude positions to the time difference between the two logins.
S104:根据所述可信IP列表和所述标准用户画像,对所述可疑登录记录进行剔除操作,并将剔除操作后的可疑登录记录作为异常记录。S104: According to the trusted IP list and the standard user portrait, the suspicious login records are eliminated, and the suspicious login records after the elimination operation are used as abnormal records.
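Steps S103 and S104 carried through on constructed data, as an added example that is not part of the patent. Assumptions: the "geographical difference" is computed as great-circle (haversine) distance; `GEO_DB` stands in for the preset geographic information database; `TRUSTED_IPS` is a hand-picked result of the trusted-IP step; and because the patent does not say how a record is compared with the standard user portrait, `matches_portrait` is a caller-supplied predicate. The example also handles the edge case the text leaves implicit: two logins at the same instant from different places.

```python
import math
from datetime import datetime

SPEED_THRESHOLD_KMH = 800.0   # the patent's preferred threshold, roughly airliner speed
EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance; our assumption for the patent's 'geographical difference'."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

# Constructed stand-in for the preset geographic information database: ip -> (lat, lon)
GEO_DB = {
    "203.0.113.4": (23.13, 113.26),   # Guangzhou
    "203.0.113.9": (39.90, 116.40),   # Beijing
    "198.51.100.7": (40.71, -74.01),  # New York
}

# Constructed login records of one mailbox: (login_ip, login_time)
LOGINS = [
    ("203.0.113.4", datetime(2022, 1, 5, 9, 0)),
    ("203.0.113.9", datetime(2022, 1, 5, 12, 0)),   # ~1890 km in 3 h: plausible
    ("198.51.100.7", datetime(2022, 1, 5, 13, 0)),  # ~11000 km in 1 h: impossible
    ("198.51.100.7", datetime(2022, 1, 5, 20, 0)),  # same place, speed 0
]
# Constructed edge case: two places, one timestamp
SAME_INSTANT_LOGINS = [
    ("203.0.113.4", datetime(2022, 1, 5, 9, 0)),
    ("198.51.100.7", datetime(2022, 1, 5, 9, 0)),
]
TRUSTED_IPS = {"203.0.113.4", "203.0.113.9"}  # assumed output of the trusted-IP step

def switching_speeds(logins, geo_db=GEO_DB):
    """Sort by login time and return (prev, cur, km/h) for each adjacent pair."""
    ordered = sorted(logins, key=lambda r: r[1])
    pairs = []
    for prev, cur in zip(ordered, ordered[1:]):
        dist = haversine_km(*geo_db[prev[0]], *geo_db[cur[0]])
        hours = (cur[1] - prev[1]).total_seconds() / 3600.0
        if hours <= 0:   # identical timestamps: any distance at all is an impossible jump
            speed = math.inf if dist > 0 else 0.0
        else:
            speed = dist / hours
        pairs.append((prev, cur, speed))
    return pairs

def suspicious_records(logins, threshold=SPEED_THRESHOLD_KMH, geo_db=GEO_DB):
    """S103: both records of any adjacent pair faster than the threshold are suspicious."""
    flagged = []
    for prev, cur, speed in switching_speeds(logins, geo_db):
        if speed > threshold:
            for rec in (prev, cur):
                if rec not in flagged:
                    flagged.append(rec)
    return flagged

def abnormal_records(suspicious, trusted_ips, matches_portrait=lambda rec: False):
    """S104: eliminate suspicious records explained by the trusted IP list or the portrait;
    matches_portrait is a caller-supplied predicate standing in for the portrait comparison."""
    return [rec for rec in suspicious
            if rec[0] not in trusted_ips and not matches_portrait(rec)]
```

In the sample data the Beijing login is suspicious only because of the jump that follows it; since its IP is trusted, S104 removes it and leaves the New York record as the single abnormal record, which is the behaviour the text describes.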
As a preferred solution of this embodiment, after the suspicious login records remaining after elimination are taken as abnormal records, the method further includes: in response to a mailbox login operation by the current user, generating a first login record and judging, according to the trusted IP list and the standard user portrait, whether the first login record is normal; if it is normal, saving the login record; if it is abnormal, triggering two-factor authentication so that the current user confirms the login.
It should be noted that the first login record generated in response to the current user's mailbox login operation is the login record of that login operation. During login, the first login record is judged to be normal or not according to the current user's trusted IP list and standard user portrait; if it is abnormal, two-factor authentication is triggered. Two-factor authentication methods include, but are not limited to, a mobile phone verification code and voice call verification.
As a preferred solution of this embodiment, after generating the first login record in response to the current user's mailbox login operation and judging whether it is normal according to the trusted IP list and the standard user portrait, the method further includes: recording the number of login records generated within a first preset time period, and if that number exceeds a preset first threshold, blocking the current user's mailbox.
It should be noted that after each login operation, the number of login records generated within the first preset time period is recorded and checked. The first preset time period and the first threshold are both set according to actual needs. If the number of login records generated within the first preset time period exceeds the first threshold, that is, there are many login records within that period, the current user's mailbox is blocked, and it is not released until the user recovers and changes the password through two-factor authentication.
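The online part of the procedure (judge the new login, trigger 2FA when abnormal, block the mailbox when the per-window count exceeds the first threshold) as an added example; it is not the patent's code. The window length, the first threshold, the `portrait_ok` predicate standing in for the portrait match, the record layout and the sample login sequence are all assumptions:

```python
from collections import deque
from datetime import datetime, timedelta

class LoginGuard:
    """Online check for one mailbox, in the patent's order: judge the new login against the
    trusted IP list and the user portrait, then apply the per-window login record cap."""

    def __init__(self, trusted_ips, portrait_ok, window=timedelta(minutes=10), first_threshold=5):
        self.trusted_ips = set(trusted_ips)
        self.portrait_ok = portrait_ok            # callable(record) -> bool; stands in for the portrait match
        self.window = window                      # the "first preset time period" (value assumed)
        self.first_threshold = first_threshold    # the "first threshold" (value assumed)
        self.saved = []                           # login records accepted as normal
        self.recent = deque()                     # timestamps of login records in the current window
        self.blocked = False

    def is_normal(self, rec):
        return rec["ip"] in self.trusted_ips or self.portrait_ok(rec)

    def handle_login(self, rec):
        """Return the action taken: 'save', '2fa', 'block' or 'blocked'."""
        if self.blocked:
            return "blocked"
        action = "save" if self.is_normal(rec) else "2fa"
        # every generated login record counts toward the window, normal or not
        self.recent.append(rec["time"])
        while self.recent and rec["time"] - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) > self.first_threshold:
            self.blocked = True
            return "block"
        if action == "save":
            self.saved.append(rec)
        return action

    def recover_via_2fa(self):
        """The mailbox stays blocked until the user recovers and changes the password through 2FA."""
        self.blocked = False
        self.recent.clear()

def run_scenario():
    """Constructed sequence: one trusted login, then a burst from an unknown IP and client."""
    guard = LoginGuard(trusted_ips={"203.0.113.4"},
                       portrait_ok=lambda r: r["client_id"] == "outlook-desktop")  # assumed portrait rule
    t0 = datetime(2022, 1, 5, 9, 0)
    logins = [{"ip": "203.0.113.4", "client_id": "webmail", "time": t0}]
    logins += [{"ip": "198.51.100.7", "client_id": "curl", "time": t0 + timedelta(minutes=i)}
               for i in range(1, 7)]
    return [guard.handle_login(r) for r in logins], guard
```

Note that the trusted first login also counts toward the window: the patent counts generated login records, not abnormal ones, so a burst of otherwise-normal logins still trips the block.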
Implementing the embodiment of the present invention has the following effects:
The embodiment of the present invention obtains all login records of the user's mailbox, establishes a trusted IP list and a standard user portrait from the normal emails preset in the mailbox, and iteratively computes the trusted IP list by means of a reputation propagation graph, which improves the accuracy and credibility of the trusted IP list and detects abnormal mailbox logins from the user's own mailbox usage habits, thereby improving the accuracy of login anomaly detection. It calculates the switching speed between the regions of each pair of adjacent login records to screen out suspicious login records and performs an elimination operation on them, which improves both the user's experience of using the mailbox and the accuracy of detecting abnormal mailbox logins.
Embodiment 2
Correspondingly, referring to FIG. 6, the present invention also provides a device for detecting abnormal mailbox logins, including: a list and portrait module 201, a regional location module 202, a suspicious login module 203 and an abnormal record module 204.
The list and portrait module 201 is configured to obtain all login records of the user's mailbox and to establish a trusted IP list and a standard user portrait according to the normal emails preset in the mailbox.
As a preferred solution of this embodiment, obtaining all login records of the user's mailbox and establishing the trusted IP list and the standard user portrait according to the normal emails preset in the mailbox specifically comprises:
obtaining, for each IP of the preset normal emails in the user's mailbox, the number of unique senders corresponding to that IP; taking the IPs whose number of unique senders exceeds a third threshold as trusted IP seeds, and taking the client IDs of all emails sent from the trusted IPs as a trusted ID list, wherein each login record also contains a client ID; according to the trusted IP seeds and the trusted ID list, taking each trusted IP seed as a vertex whose weight is the number of unique senders corresponding to that seed, thereby constructing a reputation propagation graph; iteratively growing and propagating the reputation propagation graph until the number of iterations reaches a preset value, obtaining the weight of each vertex after iteration, and obtaining the trusted IP list from those weights; and calculating the standard user portrait according to the trusted IP list.
As a preferred solution of this embodiment, calculating the standard user portrait according to the trusted IP list specifically comprises:
obtaining all login records of the user's mailbox and screening out, according to the trusted IP list, the login records whose IP matches the trusted IP list; and calculating the user's feature vector from those matching login records as the standard user portrait.
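The trusted-IP seed selection, the reputation graph and the user portrait of the two passages above, worked on constructed data as an added example (not the patent's code). The patent does not state how the graph grows or how weight propagates, so the rule used here is an assumption: two login IPs are adjacent when they share a trusted client ID, each round attaches every IP adjacent to a current vertex, and each vertex takes its seed weight plus a damped share of its neighbours' weight. The record layouts, the third threshold, the weight cut-off, the iteration count and the hour-of-day histogram used as the feature vector are likewise assumptions:

```python
from collections import defaultdict
from datetime import datetime

# Constructed data; the patent only names the fields, the layouts are ours.
# Preset normal emails: (sender_ip, sender_address, client_id)
NORMAL_MAILS = [
    ("203.0.113.4", "a@corp.example", "outlook-desktop"),
    ("203.0.113.4", "b@corp.example", "outlook-desktop"),
    ("203.0.113.4", "c@corp.example", "webmail"),
    ("203.0.113.9", "d@corp.example", "mobile-app"),
    ("203.0.113.9", "e@corp.example", "mobile-app"),
    ("198.51.100.7", "x@other.example", "unknown-client"),
]
# Login records of the mailbox: (login_ip, login_time, client_id)
LOGINS = [
    ("203.0.113.4", datetime(2022, 1, 5, 9, 5), "outlook-desktop"),
    ("203.0.113.4", datetime(2022, 1, 5, 14, 0), "outlook-desktop"),
    ("203.0.113.20", datetime(2022, 1, 5, 9, 30), "outlook-desktop"),  # new IP, trusted client ID
    ("203.0.113.9", datetime(2022, 1, 5, 21, 0), "mobile-app"),
    ("198.51.100.7", datetime(2022, 1, 6, 3, 0), "unknown-client"),
]

def trusted_seeds(mails, third_threshold):
    """IPs whose number of unique senders exceeds the third threshold; the count is the seed weight."""
    senders = defaultdict(set)
    for ip, sender, _ in mails:
        senders[ip].add(sender)
    return {ip: float(len(s)) for ip, s in senders.items() if len(s) > third_threshold}

def trusted_id_list(mails, seeds):
    """Client IDs of every email sent from a trusted IP seed."""
    return {cid for ip, _, cid in mails if ip in seeds}

def reputation_graph(seeds, trusted_ids, logins, iterations=3, damping=0.5):
    """Assumed growth and propagation rule (the patent does not spell one out): two login IPs
    are adjacent when they share a trusted client ID; each round every IP adjacent to a vertex
    joins the graph, and a vertex's new weight is its seed weight plus `damping` times the
    weight its neighbours spread evenly over their edges (synchronous update)."""
    by_cid = defaultdict(set)
    for ip, _, cid in logins:
        if cid in trusted_ids:
            by_cid[cid].add(ip)
    neighbours = defaultdict(set)
    for ips in by_cid.values():
        for ip in ips:
            neighbours[ip] |= ips - {ip}
    vertices = set(seeds)
    weights = dict(seeds)
    for _ in range(iterations):
        for v in list(vertices):                       # growth
            for u in neighbours[v]:
                if u not in vertices:
                    vertices.add(u)
                    weights[u] = 0.0
        new = {}                                       # propagation
        for v in vertices:
            received = sum(weights.get(u, 0.0) / len(neighbours[u]) for u in neighbours[v])
            new[v] = seeds.get(v, 0.0) + damping * received
        weights = new
    return weights

def standard_portrait(logins, trusted_ips):
    """Feature vector from logins at trusted IPs: share of logins per hour of day (assumed features)."""
    matched = [t for ip, t, _ in logins if ip in trusted_ips]
    hist = [0.0] * 24
    for t in matched:
        hist[t.hour] += 1.0
    return [h / len(matched) for h in hist] if matched else hist

def build_trust(mails=NORMAL_MAILS, logins=LOGINS, third_threshold=1, cutoff=1.0):
    """Run the whole chain: seeds -> trusted ID list -> graph -> trusted IP list -> portrait."""
    seeds = trusted_seeds(mails, third_threshold)
    ids = trusted_id_list(mails, seeds)
    weights = reputation_graph(seeds, ids, logins)
    trusted = sorted(ip for ip, w in weights.items() if w >= cutoff)
    return seeds, ids, weights, trusted, standard_portrait(logins, set(trusted))
```

On this data the unseen IP 203.0.113.20 is pulled into the trusted list only because it logs in with a client ID already seen on trusted mail, while 198.51.100.7 never becomes a vertex; that is the effect the patent attributes to the iterative growth of the graph.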
The regional location module 202 is configured to obtain the latitude and longitude of the region corresponding to each login record according to a preset geographic information database of login IPs, wherein each login record contains a login IP and a login time.
As a preferred solution of this embodiment, after obtaining the latitude and longitude of the region corresponding to each login record according to the preset geographic information database of login IPs, the device further performs:
obtaining all failed login records within a second preset time period, and classifying all of them according to preset brute-force rules to obtain brute-force records and non-brute-force records; if the brute-force records exceed a preset second threshold, marking all login IPs in the brute-force records as a brute-force IP list; and updating the abnormal records according to the login records whose login IP matches the brute-force IP list.
The suspicious login module 203 is configured to calculate in sequence, according to the login time, the switching speed between the latitude/longitude positions of the regions corresponding to each pair of adjacent login records, and to screen out suspicious login records according to a preset speed threshold.
As a preferred solution of this embodiment, calculating in sequence, according to the login time, the switching speed between the latitude/longitude positions of the regions corresponding to each pair of adjacent login records and screening out suspicious login records according to a preset speed threshold specifically comprises:
sorting all login records by login time, calculating in turn the switching speed between the latitude/longitude positions of the regions corresponding to each pair of adjacent login records, and screening out, according to the preset speed threshold, each pair of adjacent login records whose switching speed exceeds the threshold as suspicious login records.
The abnormal record module 204 is configured to perform an elimination operation on the suspicious login records according to the trusted IP list and the standard user portrait, and to take the suspicious login records remaining after elimination as abnormal records.
As a preferred solution of this embodiment, after the suspicious login records remaining after elimination are taken as abnormal records, the device further performs:
in response to a mailbox login operation by the current user, generating a first login record and judging, according to the trusted IP list and the standard user portrait, whether the first login record is normal; if it is normal, saving the login record; if it is abnormal, triggering two-factor authentication so that the current user confirms the login.
As a preferred solution of this embodiment, after generating the first login record in response to the current user's mailbox login operation and judging whether it is normal according to the trusted IP list and the standard user portrait, the device further performs:
recording the number of login records generated within a first preset time period, and if that number exceeds a preset first threshold, blocking the current user's mailbox.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the device described above may refer to the corresponding process in the foregoing method embodiment, which is not repeated here.
Implementing the above embodiments has the following effects:
The embodiment of the present invention obtains all login records of the user's mailbox, establishes a trusted IP list and a standard user portrait from the normal emails preset in the mailbox, and iteratively computes the trusted IP list by means of a reputation propagation graph, which improves the accuracy and credibility of the trusted IP list and detects abnormal mailbox logins from the user's own mailbox usage habits, thereby improving the accuracy of login anomaly detection. It calculates the switching speed between the regions of each pair of adjacent login records to screen out suspicious login records and performs an elimination operation on them. It also checks each login operation of the current user and triggers two-factor authentication only when a suspicious login record occurs, avoiding the situation in the prior art where two-factor authentication is required on every login, which degrades the user experience.
Embodiment 3
An embodiment of the present invention further provides a terminal device, which includes a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the processor, when executing the computer program, implements the method for detecting abnormal mailbox logins described in any of the above embodiments.
Preferably, the computer program may be divided into one or more modules/units, which are stored in the memory and executed by the processor to carry out the present invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, and the instruction segments describe the execution process of the computer program in the terminal device.
The processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The processor is the control centre of the terminal device and connects its various parts through various interfaces and lines.
The memory mainly comprises a program storage area and a data storage area, wherein the program storage area may store an operating system and the application programs required for at least one function, and the data storage area may store related data. In addition, the memory may be a high-speed random access memory or a non-volatile memory, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card, or it may be another volatile solid-state storage device.
It should be noted that the terminal device described above may include, but is not limited to, a processor and a memory. Those skilled in the art will understand that the terminal device described above is merely an example and does not constitute a limitation on the terminal device; it may include more or fewer components, a combination of certain components, or different components.
Embodiment 4
An embodiment of the present invention further provides a computer-readable storage medium, which includes a stored computer program; wherein, when the computer program runs, it controls the device on which the computer-readable storage medium is located to execute the method for detecting abnormal mailbox logins described in any of the above embodiments.
The specific embodiments described above further illustrate the purpose, technical solutions and beneficial effects of the present invention. It should be understood that the above description is only of specific embodiments of the present invention and is not intended to limit the scope of protection of the present invention. In particular, for those skilled in the art, any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.
Claims (9)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210013302.7A CN114465977B (en) | 2022-01-05 | 2022-01-05 | Mailbox login abnormality detection method, device, equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114465977A CN114465977A (en) | 2022-05-10 |
| CN114465977B true CN114465977B (en) | 2024-07-16 |
Family
ID=81409958
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210013302.7A Active CN114465977B (en) | 2022-01-05 | 2022-01-05 | Mailbox login abnormality detection method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114465977B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118611984B (en) * | 2024-08-06 | 2024-11-05 | 浙江无界矩阵科技有限责任公司 | A vehicle network security terminal threat intrusion detection system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102664877A (en) * | 2012-03-30 | 2012-09-12 | 北京千橡网景科技发展有限公司 | Method and device for exception handling in login process |
| CN103457923A (en) * | 2012-06-05 | 2013-12-18 | 阿里巴巴集团控股有限公司 | Method, device and system for controlling different-place login |
| CN111400357A (en) * | 2020-02-21 | 2020-07-10 | 中国建设银行股份有限公司 | Method and device for identifying abnormal login |
Family Cites Families (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102325062A (en) * | 2011-09-20 | 2012-01-18 | 北京神州绿盟信息安全科技股份有限公司 | Abnormal login detecting method and device |
| CN103023718B (en) * | 2012-11-29 | 2015-12-23 | 北京奇虎科技有限公司 | A kind of user logs in monitoring equipment and method |
| CN107172104B (en) * | 2017-07-17 | 2019-12-27 | 顺丰科技有限公司 | Login abnormity detection method, system and equipment |
| CN108768943B (en) * | 2018-04-26 | 2020-06-26 | 腾讯科技(深圳)有限公司 | Method and device for detecting abnormal account and server |
| CN109067802A (en) * | 2018-10-08 | 2018-12-21 | 安徽艾可信网络科技有限公司 | A kind of identity authorization system of electric business platform account |
| CN109862029A (en) * | 2019-03-01 | 2019-06-07 | 论客科技(广州)有限公司 | A kind of method and system of the reply Brute Force behavior using big data analysis |
| CN114258662A (en) * | 2019-11-04 | 2022-03-29 | 深圳市欢太科技有限公司 | User behavior data processing method and device, server and storage medium |
| US11652844B2 (en) * | 2020-05-01 | 2023-05-16 | Adobe Inc. | Utilizing clustering to identify IP addresses used by a botnet |
| CN111988278B (en) * | 2020-07-23 | 2022-07-29 | 微梦创科网络科技(中国)有限公司 | A kind of abnormal user determination method and device based on user geographical location log |
| CN113378127A (en) * | 2021-06-09 | 2021-09-10 | 中国工商银行股份有限公司 | Abnormal login identification method, abnormal login identification device and electronic equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114465977A (en) | 2022-05-10 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |