CN116488842A - Abnormal user access behavior detection method and device - Google Patents
- Publication number
- CN116488842A (application no. CN202310064287.3A)
- Authority
- CN
- China
- Prior art keywords
- user
- detected
- abnormal
- user access
- user data
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H04L63/105—Multiple levels of security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The application relates to the technical field of network security and discloses a method and device for detecting abnormal user access behavior. The method comprises: obtaining user data to be detected; judging, based on the user data to be detected, whether to perform man-machine identification; if man-machine identification is performed, detecting abnormal user access behavior in the user data to be detected with a first strategy when the user is identified as a human and with a second strategy when the user is identified as a machine; if no man-machine identification is needed, detecting abnormal user access behavior in the user data to be detected directly with the first strategy; and when detection with the first strategy yields a hit, detecting abnormal user access behavior in the user data to be detected with the second strategy. The method and device make the security detection mode more targeted and improve the access experience of normal users.
Description
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting abnormal user access behavior.
Background
Business systems see a large number of abnormal user access behaviors, with clear signs of data being crawled, which creates security risks and even economic losses, so security detection measures need to be put in place.
At present, when a service system is checked against traditional security detection rules, experienced malicious access behavior is difficult to detect and effective protective measures are lacking; moreover, if all access behavior is checked uniformly without distinction, detection takes long and the access experience of normal users is easily affected.
With regard to the related art, the inventor finds that existing security detection modes lack pertinence and affect the access experience of normal users.
Disclosure of Invention
In order to make the security detection mode more targeted and improve the access experience of normal users, the application provides a detection method and device for abnormal user access behaviors.
In a first aspect, the present application provides a method for detecting abnormal user access behavior.
The application is realized by the following technical scheme:
a method for detecting abnormal user access behavior comprises the following steps:
acquiring user data to be detected;
judging whether to perform man-machine identification based on the user data to be detected;
if man-machine identification is performed, detecting abnormal user access behavior in the user data to be detected with a first strategy when the user is identified as a human, and with a second strategy when the user is identified as a machine;
if no man-machine identification is needed, directly adopting the first strategy to detect abnormal user access behavior in the user data to be detected;
and when detection with the first strategy yields a hit, adopting the second strategy to detect abnormal user access behavior in the user data to be detected.
The present application may be further configured in a preferred example to: the step of employing the second strategy for abnormal user access behavior detection includes,
pre-establishing an index library, wherein the index library comprises a SKU list and an access frequency;
analyzing the user data to be detected to obtain a user ID and the SKU number of the commodity being accessed;
monitoring the read count of the user ID for the same SKU number per unit time;
and if the SKU number is in the SKU list and the read count of the SKU number per unit time exceeds the access frequency, marking the user ID in the user data to be detected with an abnormal identifier.
The present application may be further configured in a preferred example to: the index library also comprises commodity attributes;
the method further comprises the step of,
determining commodity attributes of the accessed commodities according to the SKU numbers;
and if the commodity attribute is a confidential class, marking a suspected identifier for the user ID corresponding to the SKU number.
The present application may be further configured in a preferred example to: after the suspected identifier is marked for the user ID corresponding to the SKU number, the method further comprises the following step,
if the same user ID is observed to access the same SKU number whose commodity attribute is the confidential class a number of times greater than or equal to a preset number, marking the user ID in the user data to be detected with an abnormal identifier.
The present application may be further configured in a preferred example to: the method also comprises the following steps of,
if the commodity attribute is a discount class or a promotion class, acquiring the order quantity corresponding to the SKU number;
and marking an abnormal identifier for the user ID in the user data to be detected when the order quantity is larger than or equal to a preset order quantity.
The present application may be further configured in a preferred example to: the method also comprises the following steps,
judging whether the price difference, within a preset period, of the commodity corresponding to a SKU number whose commodity attribute is the discount class or the promotion class meets a preset condition;
if the price difference within the preset period meets the preset condition, judging whether the profit value of the commodity corresponding to the SKU number is negative;
and if the profit value of the commodity corresponding to the SKU number is negative, sending an alarm instruction to the background.
The present application may be further configured in a preferred example to: the index library further comprises class numbers divided based on the SKU list;
the method further comprises the step of,
determining the class number of the accessed commodity according to the SKU number;
if the total read count of the same user ID for SKU numbers under the same class number per unit time exceeds a preset large-class threshold, marking the user ID in the user data to be detected with an abnormal identifier.
The present application may be further configured in a preferred example to: the step of detecting abnormal user access behavior of the user data to be detected by adopting a first strategy comprises,
presetting a blacklist;
analyzing the user data to be detected to obtain a user ID;
judging whether the user ID is in the blacklist;
if the user ID is in the blacklist, a hit is indicated;
if the user ID is not in the blacklist, a miss is indicated.
The present application may be further configured in a preferred example to: the method also comprises the following steps of,
periodically evaluating the risk value of each user ID;
and executing a rejecting operation or an updating operation on the blacklist based on the risk value.
The present application may be further configured in a preferred example to: the method also comprises the following steps of,
after abnormal user access behavior is detected, first applying a cold static operation, a browser blocking operation, a simulated data return operation, a static data return operation or a dynamic data return operation to the user ID identified as exhibiting abnormal user access behavior, and monitoring the number of times the corresponding user ID is consecutively identified as abnormal.
The present application may be further configured in a preferred example to: the method also comprises the following steps of,
and if the number of times the same user ID is consecutively identified as abnormal reaches a threshold, automatically taking risk control measures against the user ID.
The present application may be further configured in a preferred example to: the step of judging whether to perform man-machine identification based on the user data to be detected includes,
analyzing the user data to be detected;
detecting whether an enterprise ID identifier exists;
if no enterprise ID identifier exists, performing man-machine identification;
if an enterprise ID identifier exists, man-machine identification is not needed.
In a second aspect, the present application provides a detection apparatus for abnormal user access behavior.
The application is realized by the following technical scheme:
a detection device for abnormal user access behavior comprises,
the data module is used for acquiring user data to be detected;
the man-machine judging module is used for judging whether man-machine identification is carried out or not based on the user data to be detected;
the man-machine identification module is used for performing man-machine identification, adopting the first strategy to detect abnormal user access behavior in the user data to be detected when the user is identified as a human, and adopting the second strategy when the user is identified as a machine;
the rapid detection module is used for directly adopting the first strategy to detect abnormal user access behavior in the user data to be detected when man-machine identification is not needed;
and the supplementary detection module is used for detecting abnormal user access behavior with the second strategy when detection with the first strategy yields a hit.
In a third aspect, the present application provides a computer device.
The application is realized by the following technical scheme:
a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of any one of the above methods for detecting abnormal user access behaviour when the computer program is executed.
In a fourth aspect, the present application provides a computer-readable storage medium.
The application is realized by the following technical scheme:
a computer readable storage medium storing a computer program which, when executed by a processor, performs the steps of any one of the above methods of detecting abnormal user access behavior.
To sum up, compared with the prior art, the beneficial effects brought by the technical scheme provided by the application at least include:
User data to be detected is acquired in order to judge whether to perform man-machine identification; suspicious user access behavior is screened out first and subjected to man-machine identification, which makes subsequent targeted detection easier and improves the accuracy of the security detection result. If man-machine identification is performed, abnormal user access behavior is detected with the first or the second strategy according to whether the detected object is a person or a machine, so the detection is more targeted, suits actual service scenarios better, and meets the identification requirements of complex service scenarios. If man-machine identification is not needed, the first strategy is applied directly to the user data to be detected; detection is faster and the access experience of normal users improves. When detection with the first strategy yields a hit, i.e. the suspicious degree of the user access behavior has increased, the second strategy is applied to the user data to be detected, which reduces the chance that machine access disguised as human bypasses machine detection. Overall, the security detection mode is more targeted and the access experience of normal users is improved.
Drawings
Fig. 1 is a main flowchart of a method for detecting abnormal user access behavior according to an exemplary embodiment of the present application.
Fig. 2 is a second policy detection flowchart of a method for detecting abnormal user access behavior according to still another exemplary embodiment of the present application.
Fig. 3 is a flowchart of a second strategy of a method for detecting abnormal user access behavior according to another exemplary embodiment of the present application, for detecting service of a business system with higher value.
FIG. 4 is a flowchart of a second strategy for detecting abnormal user access behavior for discounted or promoted merchandise in accordance with an exemplary embodiment of the present application.
Fig. 5 is a flowchart of a second strategy of a detection method for abnormal user access behavior according to an exemplary embodiment of the present application for detecting a large class of commodities.
Fig. 6 is a block diagram of a detection apparatus for abnormal user access behavior according to an exemplary embodiment of the present application.
Detailed Description
The present embodiment is merely illustrative of the present application and is not intended to be limiting; those skilled in the art, after having read the present specification, may make modifications to the present embodiment as required without creative contribution, and such modifications remain protected by patent law within the scope of the claims of the present application.
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
In addition, the term "and/or" herein merely describes an association between objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist together, or B exists alone. In this context, unless otherwise specified, the term "/" generally indicates that the associated objects are in an "or" relationship.
Embodiments of the present application are described in further detail below with reference to the drawings attached hereto.
Referring to fig. 1, an embodiment of the present application provides a method for detecting abnormal user access behaviors, and main steps of the method are described below.
S1: acquiring user data to be detected;
S2: judging whether to perform man-machine identification based on the user data to be detected;
S31: if man-machine identification is performed, detecting abnormal user access behavior in the user data to be detected with a first strategy when the user is identified as a human, and with a second strategy when the user is identified as a machine;
S32: if man-machine identification is not needed, directly adopting the first strategy to detect abnormal user access behavior in the user data to be detected;
S4: when detection with the first strategy yields a hit, adopting the second strategy to detect abnormal user access behavior in the user data to be detected.
Specifically, when a user accesses the service system, after entering the user ID and the corresponding password and logging in successfully, the user looks up commodities by keyword, jumps to the target page to browse and place orders, and the background stores the user ID, the IP source, the access frequency, the SKU numbers of the commodities accessed, the quantity ordered and the like as the user data to be detected.
The user data to be detected is acquired in order to judge whether to perform man-machine identification. For example, the judgement may be made from the user's IP source: if the IP source is unknown or belongs to a foreign country, man-machine identification is performed; if no abnormality is found in the IP source, man-machine identification is not needed. Alternatively, the judgement may be made from the user's access frequency: if the access frequency exceeds a preset access frequency threshold, man-machine identification is entered; if the access frequency is less than or equal to the threshold, man-machine identification is not needed. By judging whether to perform man-machine identification, suspicious user access behavior is screened out first and only then subjected to man-machine identification, so that different detection measures can subsequently be applied depending on whether the identified object is a robot or a person, making the method more targeted.
If man-machine identification is performed, abnormal user access behavior in the user data to be detected is detected with the first strategy when the user is identified as a human and with the second strategy when the user is identified as a machine, i.e. the strategy is chosen according to whether the detected object is a person or a machine. The first strategy is designed for users whose access behavior is identified as human, and its detection mode is simple and fast; the second strategy is designed for users whose access behavior is identified as a machine, and its detection precision is higher, so abnormal access behavior is detected better. The detection is therefore targeted, suits actual service scenarios better, and meets the identification requirements of complex service scenarios.
If man-machine identification is not needed, the first strategy is applied directly to the user data to be detected; detection is faster and the access experience of normal users improves.
If no abnormal user access behavior is detected with the first strategy, the user access behavior corresponding to the user data to be detected is normal and the user can continue to access the service system.
When detection with the first strategy yields a hit, i.e. the suspicious degree of the user access behavior has increased, the second strategy is applied to the user data to be detected, which reduces the chance that machine access disguised as human bypasses machine detection.
In one embodiment, the step of employing the first policy to detect abnormal user access behavior of the user data to be detected includes,
presetting a blacklist;
analyzing the user data to be detected to obtain a user ID;
judging whether the user ID is in the blacklist;
if the user ID is in the blacklist, a hit is indicated;
if the user ID is not in the blacklist, a miss is indicated.
Because the first strategy targets persons, its abnormal access check is relatively simple: abnormal user IDs are stored in a preset blacklist, and the user ID to be judged is obtained by analyzing the user data to be detected, so abnormal user access behavior is checked quickly. If the user ID is in the blacklist, a hit is indicated and the suspicious degree of the user access behavior increases; if the user ID is not in the blacklist, a miss is indicated, the user access behavior corresponding to the user data to be detected is normal, and the user can continue to access the service system.
In one embodiment, the method further comprises the following steps,
periodically evaluating the risk value of each user ID;
and executing a rejecting operation or an updating operation on the blacklist based on the risk value.
Specifically, a risk value evaluation formula for the user ID is preset, including,
risk value = (probability index × risk level index) / unit time
Here the probability index represents the probability that abnormal access behavior occurs; its value is set according to how frequently the abnormal access behavior occurs, with a larger value for higher frequency. The risk level index represents the severity of the consequences once abnormal access behavior occurs; its value is set according to the degree of impact of the result, with a larger value for higher impact. The unit time represents the period of risk assessment.
In this embodiment, the probability indexes may be set to 10, 8, 6, 4, and 2, which characterize daily visit behaviors, visit behaviors within 1 month, visit behaviors within 3 months, visit behaviors within half year, and visit behaviors within 1 year, respectively.
The risk level index may be set to 5, 4, 3, 2, and 1, respectively, to characterize a high risk, a higher risk, a medium risk, a proper risk, and a low risk, wherein a high risk indicates that measures should be taken immediately after detecting the abnormal access behavior, a higher risk indicates that measures should be taken within 2 days after detecting the abnormal access behavior, a medium risk indicates that measures should be taken within 1 week after detecting the abnormal access behavior, a proper risk indicates that measures should be taken within 1 month after detecting the abnormal access behavior, and a low risk indicates that measures should be taken within three months after detecting the abnormal access behavior.
The unit time is the length of time between the current evaluation date and the previous evaluation date. The risk value of each user ID is evaluated periodically.
In an embodiment, the probability index and the risk level index can be corrected by machine learning, with data calibration and a big data algorithm, so that they measure the risk of the user ID more accurately.
Based on the evaluated risk value, a rejection operation or an update operation is performed on the blacklist by comparing the risk value with a preset risk threshold. For example, an abnormal user ID in the blacklist whose risk value is lower than 0.2 is rejected, and the rejection operation restores its normal access authority to the service system; a user ID whose risk value is higher than 0.8 is added to the blacklist as the update operation. This improves the accuracy with which the first strategy identifies abnormal access behavior.
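As an added example, not code from the patent, the following Python sketches the main flow S2/S31/S32/S4 together with the blacklist-based first strategy and the periodic risk-value maintenance of the blacklist described above. The access-frequency threshold, days as the unit of the evaluation interval, the mapping from recurrence interval to probability index, and an externally supplied outcome of man-machine identification are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Thresholds: 0.2 / 0.8 come from the description; the access-frequency
# threshold that triggers man-machine identification is an assumed value.
ACCESS_FREQUENCY_THRESHOLD = 30
REMOVE_BELOW = 0.2
ADD_ABOVE = 0.8

# Risk level index from the description: high=5 ... low=1.
RISK_LEVEL_INDEX = {"high": 5, "higher": 4, "medium": 3, "proper": 2, "low": 1}


@dataclass
class UserData:
    """One record of 'user data to be detected' as the background stores it."""
    user_id: str
    ip_source: str
    access_frequency: int
    enterprise_id: Optional[str] = None
    # Outcome of man-machine identification (the patent leaves the mechanism
    # open); assumed to be supplied by an external challenge component.
    identified_as_machine: Optional[bool] = None


def needs_identification(data: UserData) -> bool:
    """S2: identify when no enterprise ID mark exists or the access
    frequency exceeds the preset threshold (both criteria from the text)."""
    if data.enterprise_id is None:
        return True
    return data.access_frequency > ACCESS_FREQUENCY_THRESHOLD


def first_strategy_hit(data: UserData, blacklist: Set[str]) -> bool:
    """First strategy: a hit means the user ID is on the preset blacklist."""
    return data.user_id in blacklist


def plan_detection(data: UserData, blacklist: Set[str]) -> List[str]:
    """Return the ordered list of strategies the main flow applies."""
    if needs_identification(data) and data.identified_as_machine:
        return ["second"]          # S31: identified as machine -> second strategy
    plan = ["first"]               # S31 (human) and S32 both start with the first
    if first_strategy_hit(data, blacklist):
        plan.append("second")      # S4: a hit raises suspicion -> second strategy
    return plan


def probability_index(recurrence_days: float) -> int:
    """Map how often abnormal access recurs to the description's index values:
    daily=10, within 1 month=8, within 3 months=6, within half a year=4,
    within 1 year=2. No recurrence within a year scores 0 (assumed)."""
    for limit, score in ((1, 10), (30, 8), (90, 6), (180, 4), (365, 2)):
        if recurrence_days <= limit:
            return score
    return 0


def risk_value(prob_index: int, risk_level: str, unit_time_days: float) -> float:
    """risk value = (probability index x risk level index) / unit time,
    the unit time being the span since the previous evaluation, in days
    (the description names no unit, so days are assumed)."""
    return (prob_index * RISK_LEVEL_INDEX[risk_level]) / unit_time_days


def refresh_blacklist(blacklist: Set[str], risk: Dict[str, float]) -> Set[str]:
    """Reject blacklisted IDs whose risk value is below 0.2, add IDs whose
    risk value is above 0.8, and leave everything in between unchanged."""
    updated = set(blacklist)
    for user_id, value in risk.items():
        if value < REMOVE_BELOW:
            updated.discard(user_id)
        elif value > ADD_ABOVE:
            updated.add(user_id)
    return updated


if __name__ == "__main__":
    # Constructed sample data.
    blacklist = {"u-bad", "u-stale"}
    records = [
        UserData("u-bad", "10.0.0.5", 5, enterprise_id="ent-1"),
        UserData("u-ok", "10.0.0.6", 5, enterprise_id="ent-1"),
        UserData("u-bot", "203.0.113.9", 500, identified_as_machine=True),
        UserData("u-new", "198.51.100.3", 5, identified_as_machine=False),
    ]
    for rec in records:
        print(rec.user_id, "->", plan_detection(rec, blacklist))
    # Periodic evaluation 30 days after the previous one.
    risk = {
        "u-bad": risk_value(probability_index(1), "high", 30),      # 1.67 -> stays
        "u-stale": risk_value(probability_index(400), "low", 30),   # 0.0 -> rejected
        "u-mid": risk_value(probability_index(20), "medium", 30),   # 0.8 -> unchanged
        "u-new": risk_value(probability_index(0.5), "higher", 30),  # 1.33 -> added
    }
    print(sorted(refresh_blacklist(blacklist, risk)))
```

Note that a risk value of exactly 0.8 is neither added nor rejected, since the description uses strict "lower than 0.2" and "higher than 0.8" comparisons.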
Referring to fig. 2, in one embodiment, the step S31 of employing the second strategy for abnormal user access behavior detection includes,
S311: pre-establishing an index library, wherein the index library comprises a SKU list and an access frequency;
S312: analyzing the user data to be detected to obtain a user ID and the SKU number of the commodity being accessed;
S313: monitoring the read count of the user ID for the same SKU number per unit time;
S314: if the SKU number is in the SKU list and the read count of the SKU number per unit time exceeds the access frequency, marking the user ID in the user data to be detected with an abnormal identifier.
Specifically, according to the security detection historical data of the service system, an index library is pre-established for comprehensive pre-judgment.
The index library comprises a SKU list and an access frequency, wherein the SKU list is a set of SKU numbers of commodities, the access frequency is an anomaly detection threshold value set in combination with an actual application scene of the service system, and the detection precision can be adjusted according to actual requirements.
The background analyzes the user data to be detected, obtains the user ID and the SKU number of the commodity accessed, and monitors the read count of the user ID for the same SKU number per unit time in order to evaluate the risk of the user's access behavior.
If the SKU number is in the SKU list and its read count per unit time exceeds the access frequency, the user ID in the user data to be detected is marked with an abnormal identifier. The unit time can be half a day or 1 day, or be set according to actual conditions. Abnormal user access behavior is thus screened by comparing the SKU number of the commodity accessed, and the read count of the same user for the same SKU number per unit time, against the index library.
Referring to FIG. 3, in one embodiment, the index library further includes commodity attributes;
the method further comprises the step of,
S315: determining the commodity attribute of the accessed commodity according to the SKU number;
S316: if the commodity attribute is the confidential class, marking a suspected identifier for the user ID corresponding to the SKU number.
By assigning the confidential attribute to the higher-value commodities offered by the service system and marking a suspected identifier for any user ID that accesses a confidential commodity, user access behavior that focuses on higher-value commodities is singled out, which helps to discover abnormal user access behavior early and to provide more effective security protection for the higher-value services of the service system.
In one embodiment, after the suspected identifier is marked for the user ID corresponding to the SKU number in S316, the method further comprises the step,
S317: if the number of times the same user ID accesses the same SKU number whose commodity attribute is the confidential class is greater than or equal to a preset number, marking the user ID in the user data to be detected with an abnormal identifier.
The preset number is set from human experience and may be four. User access behavior toward higher-value commodities is thereby monitored further: once the same user ID has accessed the same confidential SKU number a number of times greater than or equal to the preset number, the access behavior is treated by default as excessive access, the user ID in the user data to be detected is marked with an abnormal identifier, abnormal user access behavior aimed at the higher-value services of the service system is screened out effectively, and more effective security protection is provided for those services.
Referring to FIG. 4, in one embodiment, the method further comprises the steps of:
S318, if the commodity attribute is the discount class or the promotion class, acquiring the order quantity corresponding to the SKU number;
S319, marking an abnormal identifier for the user ID in the user data to be detected when the order quantity is greater than or equal to a preset order quantity.
The preset order quantity may be, for example, 100. Once the order quantity reaches or exceeds the preset order quantity, the user ID accessing the discount or promotion commodity is marked with an abnormal identifier, so that abnormal user access behavior targeting discount or promotion commodities is screened out early, malicious buying is reduced, and normal users can purchase smoothly.
In one embodiment, the method further comprises the following steps:
judging whether the price difference, within a preset period, of the commodity corresponding to a SKU number whose commodity attribute is the discount class or the promotion class meets a preset condition;
if the price difference of that commodity within the preset period meets the preset condition, judging whether the profit value of the commodity corresponding to the SKU number is negative;
and if the profit value of the commodity corresponding to the SKU number is negative, sending an alarm instruction to the background.
By monitoring discount or promotion commodities whose price drops sharply within the unit time, the method judges whether the price difference of the commodity corresponding to the SKU number of the discount or promotion commodity meets the preset condition. The preset condition may be, for example, a price drop of 50% or more, such as a commodity price changing from 100 yuan to 50 yuan.
Judging whether the profit value of the commodity corresponding to the SKU number is negative analyzes the profitability of the commodity, which helps find and correct seriously mistaken commodity pricing early and reduces economic loss.
If the profit value of the commodity corresponding to the SKU number is negative, an alarm instruction is sent to the background to remind an administrator to handle it promptly, so that losses from a mistaken discount or promotion are reduced, the exposure risk of price-sensitive commodities is reduced, and the risk of promotion abuse ("wool-pulling") is reduced.
Referring to FIG. 5, in one embodiment, the index library further includes category numbers divided on the basis of the SKU list;
the method further comprises the steps of:
S3101, determining the category number of the accessed commodity according to the SKU number;
S3102, if it is monitored that the total number of reads by the same user ID of SKU numbers under the same category number in unit time exceeds a preset large-class threshold, marking an abnormal identifier for the user ID in the user data to be detected.
By focusing on the number of reads by the same user of one large class of commodities in unit time, a detection rule derived from data mining is applied: when it is monitored that the total number of reads by the same user ID of SKU numbers under the same category number in unit time exceeds the preset large-class threshold, the user ID in the user data to be detected is marked with an abnormal identifier. Abnormal user access behavior with a malicious access purpose is thereby screened out, detection is more targeted and better adapted to actual business scenarios, and the security protection measures are more effective.
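The index-library checks of S311 to S3102 (per-SKU read frequency, confidential commodities, discount/promotion order quantity, per-category read totals, and the price-drop/negative-profit alarm) as a small rule engine; this is an added example, not the patent's own code, and the IndexLibrary/UserState names, field layout and every threshold value are assumptions made for the illustration.

```python
# Added example, not the patent's code: a rule engine for the "second strategy"
# index-library checks of S311..S3102. The IndexLibrary/UserState names, field
# layout and every threshold value here are assumptions made for this example.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class IndexLibrary:
    sku_list: set               # SKU numbers under frequency monitoring
    access_frequency: int       # max reads of one SKU by one user per unit time
    attributes: dict            # sku -> "confidential" | "discount" | "promotion" | "normal"
    categories: dict            # sku -> category number (derived from the SKU list)
    category_threshold: int     # max reads per user per category per unit time
    confidential_times: int = 4       # preset times for confidential SKUs (text: four)
    preset_order_quantity: int = 100  # preset order quantity (text: 100)


@dataclass
class UserState:
    """Counters for one user ID within one unit-time window (new instance per window)."""
    sku_reads: dict = field(default_factory=lambda: defaultdict(int))
    category_reads: dict = field(default_factory=lambda: defaultdict(int))
    flags: set = field(default_factory=set)   # "suspected" and/or "abnormal"


def second_policy(lib, state, sku, order_quantity=0):
    """Apply one read of `sku` by the user behind `state`; return the rules that fired."""
    reasons = []
    state.sku_reads[sku] += 1
    # S313/S314: reads of a listed SKU within the unit time exceed the access frequency
    if sku in lib.sku_list and state.sku_reads[sku] > lib.access_frequency:
        reasons.append("sku_frequency")
    attr = lib.attributes.get(sku, "normal")
    # S315..S317: confidential commodity -> suspected; repeated reads -> abnormal
    if attr == "confidential":
        state.flags.add("suspected")
        if state.sku_reads[sku] >= lib.confidential_times:
            reasons.append("confidential_times")
    # S318/S319: large orders of discount or promotion commodities
    if attr in ("discount", "promotion") and order_quantity >= lib.preset_order_quantity:
        reasons.append("order_quantity")
    # S3101/S3102: total reads across one category exceed the large-class threshold
    category = lib.categories.get(sku)
    if category is not None:
        state.category_reads[category] += 1
        if state.category_reads[category] > lib.category_threshold:
            reasons.append("category_threshold")
    if reasons:
        state.flags.add("abnormal")
    return reasons


def price_alarm(old_price, new_price, profit, max_drop=0.5):
    """Discount/promotion pricing check: alarm when the price fell by max_drop or more
    within the preset period and the commodity's profit value is negative."""
    if old_price <= 0:
        return False
    drop = (old_price - new_price) / old_price
    return drop >= max_drop and profit < 0


if __name__ == "__main__":
    # Constructed sample library and a user who reads a confidential SKU four times.
    lib = IndexLibrary(sku_list={"SKU1", "SKU2"}, access_frequency=3,
                       attributes={"SKU1": "confidential", "SKU2": "discount"},
                       categories={"SKU1": 10, "SKU2": 10, "SKU3": 20},
                       category_threshold=5)
    state = UserState()
    for _ in range(4):
        fired = second_policy(lib, state, "SKU1")
    print(fired, state.flags)   # ['sku_frequency', 'confidential_times'] {'suspected', 'abnormal'}
    print(price_alarm(100, 50, -5))   # True
```

Counters are scoped to one unit-time window, so a fresh UserState is created per user at each window boundary (half a day or one day in the text).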
In one embodiment, the method further comprises the following step:
after abnormal user access behavior is detected, a cold period is first applied to the user IDs identified as abnormal, and the number of times each such user ID is consecutively identified as abnormal is monitored.
Applying a cold period to a user ID marked with the abnormal identifier, for example removing the abnormal identifier within 24 hours, reduces the impact of misidentification on normal user access: an account identified as abnormal for the first time is automatically unblocked after the cold period, while the number of times the user ID is consecutively identified as abnormal is monitored so that the abnormal account stays under observation, disguised abnormal access has less chance of bypassing the detection strategy, and detection precision improves.
In one embodiment, the method further comprises the following step:
if the number of times the same user ID is consecutively identified as abnormal reaches a threshold, automatically taking risk control measures for the user ID.
By continuously monitoring an account that has shown abnormality, once the same user ID has been consecutively identified as abnormal a threshold number of times, the user access behavior is confirmed as abnormal and risk control measures are taken automatically for the user ID, including forbidding access rights or freezing the account for large payment amounts. In particular, regional access restrictions can be applied to abnormal access from foreign IP sources, for example allowing an abnormal user ID with a foreign IP source to access only goods stocked in warehouses located abroad. Taking automatic risk control measures against accounts confirmed as abnormal reduces loss.
In one embodiment, the step of judging whether to perform man-machine recognition based on the user data to be detected includes:
parsing the user data to be detected;
detecting whether an enterprise ID identifier exists;
if no enterprise ID identifier exists, performing man-machine recognition;
if the enterprise ID identifier exists, man-machine recognition is not needed.
Specifically, an operation code is pre-assigned to each user that has passed audit and serves as the enterprise ID. When the user accesses the service system, login succeeds only after the user ID, the corresponding password and the operation code are entered, and the operation code is stored together with the user data to be detected.
After the system acquires the operation code, it is encrypted before being sent to the background for analysis, which reduces the chance of the operation code leaking.
The user data to be detected is parsed and the operation code in it is obtained to detect whether the enterprise ID identifier exists.
If the enterprise ID identifier exists, the enterprise user identity is confirmed and the access is treated as a user access behavior, so man-machine recognition is not needed; if no enterprise ID identifier exists, the access may be a machine disguising itself as a user, so man-machine recognition is performed at this point for targeted identification.
In summary, in the method for detecting abnormal user access behavior, the user data to be detected is acquired and used to decide whether to perform man-machine recognition, so that suspicious user access behavior is first screened out for man-machine recognition and can then be identified further with targeted detection measures, improving the accuracy of the security detection result. If man-machine recognition is performed, abnormal user access behavior is detected with the first strategy or the second strategy according to whether the detected subject is a person or a machine, which makes detection more targeted, better suited to actual service scenarios, and able to meet the identification requirements of complex service scenarios. If man-machine recognition is not needed, the first strategy is applied directly to the user data to be detected, which is faster and improves the access experience of normal users. When the first strategy detects abnormal user access behavior and hits, that is, the suspicion attached to the user access behavior increases, the second strategy is then applied to the user data to be detected, reducing the chance that machine-disguised access bypasses machine detection. The security detection is thus more targeted while the access experience of normal users is improved.
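The dispatch of S1 to S4 (enterprise ID gate, man-machine recognition, blacklist first strategy, escalation to the second strategy) together with the cold-period and risk-control follow-up from the embodiments above; this is an added example rather than the patent's code, the man-machine recognition result is taken from a hypothetical "subject" field in the event, the second strategy is injected as a callable, and all thresholds are assumptions.

```python
# Added example, not the patent's code: the S1..S4 dispatch of the claims plus the
# cold period and risk-control follow-up of the later embodiments. Event layout,
# the "subject" field standing in for the man-machine recognition result, and all
# thresholds are assumptions made for this illustration.
from dataclasses import dataclass

COLD_PERIOD_SECONDS = 24 * 3600  # abnormal mark lifted after 24 h (value named in the text)
CONFIRM_THRESHOLD = 3            # consecutive abnormal verdicts before risk control (assumed)


@dataclass
class AccountRecord:
    abnormal_until: float = 0.0   # end of the current cold period, epoch seconds
    consecutive_abnormal: int = 0
    risk_controlled: bool = False


class Detector:
    def __init__(self, blacklist, second_policy, man_machine_check):
        self.blacklist = set(blacklist)
        self.second_policy = second_policy            # callable(event) -> bool
        self.man_machine_check = man_machine_check    # callable(event) -> "person"|"machine"
        self.accounts = {}

    def first_policy(self, event):
        """Claim 8: hit when the user ID is on the preset blacklist."""
        return event["user_id"] in self.blacklist

    def detect(self, event, now):
        """Return the verdict for one access event and update the account record."""
        # Claim 12: an operation code acting as enterprise ID skips man-machine recognition (S32)
        if event.get("enterprise_id"):
            use_first = True
        else:
            use_first = self.man_machine_check(event) == "person"   # S31
        first_hit = second_hit = False
        if use_first:
            first_hit = self.first_policy(event)
            if first_hit:                       # S4: a first-policy hit escalates
                second_hit = self.second_policy(event)
        else:
            second_hit = self.second_policy(event)
        # Assumption: the text does not say how the two results combine; either hit counts.
        abnormal = first_hit or second_hit
        self._follow_up(event["user_id"], abnormal, now)
        return {"first_hit": first_hit, "second_hit": second_hit, "abnormal": abnormal}

    def _follow_up(self, user_id, abnormal, now):
        """Cold period on each abnormal mark; risk control after repeated marks."""
        rec = self.accounts.setdefault(user_id, AccountRecord())
        if not abnormal:
            rec.consecutive_abnormal = 0        # assumption: a clean verdict ends the streak
            return
        rec.abnormal_until = now + COLD_PERIOD_SECONDS
        rec.consecutive_abnormal += 1
        if rec.consecutive_abnormal >= CONFIRM_THRESHOLD:
            rec.risk_controlled = True          # e.g. forbid access or freeze large payments

    def is_blocked(self, user_id, now):
        """Blocked while the cold period runs or once risk control has been applied."""
        rec = self.accounts.get(user_id)
        if rec is None:
            return False
        return rec.risk_controlled or now < rec.abnormal_until


if __name__ == "__main__":
    # Constructed sample: a blacklist of one ID and a toy second policy (reads > 3).
    det = Detector({"u_black"}, lambda e: e.get("reads", 0) > 3,
                   lambda e: e.get("subject", "person"))
    print(det.detect({"user_id": "u_black", "subject": "person", "reads": 9}, now=0))
    print(det.is_blocked("u_black", now=3600), det.is_blocked("u_black", now=90000))
```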
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not limit the implementation of the embodiments of the present application in any way.
Referring to FIG. 6, the embodiment of the present application further provides a device for detecting abnormal user access behavior, which corresponds one to one with the method for detecting abnormal user access behavior in the foregoing embodiments. The device for detecting abnormal user access behavior comprises:
a data module, used for acquiring user data to be detected;
a man-machine judging module, used for judging whether to perform man-machine recognition based on the user data to be detected;
a man-machine recognition module, used for performing man-machine recognition, detecting abnormal user access behavior of the user data to be detected with a first strategy when the user data to be detected is recognized as a person, and with a second strategy when the user data to be detected is recognized as a machine;
a rapid detection module, used for applying the first strategy directly to detect abnormal user access behavior of the user data to be detected when man-machine recognition is not needed;
and a supplementary detection module, used for detecting abnormal user access behavior of the user data to be detected with the second strategy when the first strategy has been applied and hits.
For the specific limitations of the device for detecting abnormal user access behavior, reference may be made to the limitations of the method for detecting abnormal user access behavior above, which are not repeated here. The modules of the device for detecting abnormal user access behavior may be implemented in whole or in part by software, hardware, or a combination thereof. The modules may be embedded in hardware, may be independent of the processor in the computer device, or may be stored as software in the memory of the computer device so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, implements any of the above-described methods of detecting abnormal user access behavior.
In one embodiment, a computer readable storage medium is provided, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
S1, acquiring user data to be detected;
S2, judging whether to perform man-machine recognition based on the user data to be detected;
S31, if man-machine recognition is performed, detecting abnormal user access behavior of the user data to be detected with a first strategy when a person is recognized, and with a second strategy when a machine is recognized;
S32, if man-machine recognition is not needed, applying the first strategy directly to detect abnormal user access behavior of the user data to be detected;
S4, when the first strategy has been applied to detect abnormal user access behavior and hits, detecting abnormal user access behavior of the user data to be detected with the second strategy.
Those skilled in the art will appreciate that all or part of the above methods may be implemented by a computer program stored on a non-transitory computer readable storage medium, which, when executed, may comprise the steps of the method embodiments described above. Any reference to memory, storage, a database, or another medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM), among others.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the system is divided into different functional units or modules to perform all or part of the above-described functions.
Claims (15)
1. A method for detecting abnormal user access behavior, characterized by comprising the following steps:
acquiring user data to be detected;
judging whether to perform man-machine recognition based on the user data to be detected;
if man-machine recognition is performed, detecting abnormal user access behavior of the user data to be detected with a first strategy when a person is recognized, and with a second strategy when a machine is recognized;
if man-machine recognition is not needed, applying the first strategy directly to detect abnormal user access behavior of the user data to be detected;
and when the first strategy has been applied to detect abnormal user access behavior and hits, detecting abnormal user access behavior of the user data to be detected with the second strategy.
2. The method of claim 1, wherein the step of detecting abnormal user access behavior with the second strategy comprises:
pre-establishing an index library, wherein the index library comprises a SKU list and an access frequency;
parsing the user data to be detected to obtain a user ID and the SKU number of the commodity to be accessed;
monitoring the number of reads by the user ID of the same SKU number in unit time;
and if the SKU number is in the SKU list and the number of reads of the SKU number in unit time exceeds the access frequency, marking an abnormal identifier for the user ID in the user data to be detected.
3. The method for detecting abnormal user access behavior according to claim 2, wherein the index library further comprises commodity attributes;
the method further comprises the steps of:
determining the commodity attribute of the accessed commodity according to the SKU number;
and if the commodity attribute is the confidential class, marking a suspected identifier for the user ID corresponding to the SKU number.
4. The method for detecting abnormal user access behavior according to claim 3, further comprising, after marking the suspected identifier for the user ID corresponding to the SKU number, the step of:
if it is monitored that the number of times the same user ID has accessed the same SKU number whose commodity attribute is the confidential class is greater than or equal to a preset number of times, marking an abnormal identifier for the user ID in the user data to be detected.
5. The method for detecting an abnormal user access behavior according to claim 3, further comprising the step of,
if the commodity attribute is a discount class or a promotion class, acquiring the order quantity corresponding to the SKU number;
and marking an abnormal identifier for the user ID in the user data to be detected when the order quantity is larger than or equal to a preset order quantity.
6. The method for detecting abnormal user access behavior according to claim 5, further comprising the steps of:
judging whether the price difference, within a preset period, of the commodity corresponding to a SKU number whose commodity attribute is the discount class or the promotion class meets a preset condition;
if the price difference of that commodity within the preset period meets the preset condition, judging whether the profit value of the commodity corresponding to the SKU number is negative;
and if the profit value of the commodity corresponding to the SKU number is negative, sending an alarm instruction to the background.
7. The method for detecting abnormal user access behavior according to claim 2, wherein the index library further includes category numbers divided on the basis of the SKU list;
the method further comprises the steps of:
determining the category number of the accessed commodity according to the SKU number;
and if the total number of reads by the same user ID of SKU numbers under the same category number in unit time exceeds a preset large-class threshold, marking an abnormal identifier for the user ID in the user data to be detected.
8. The method for detecting abnormal user access behavior according to claim 1, wherein the step of detecting abnormal user access behavior of the user data to be detected with the first strategy comprises:
presetting a blacklist;
parsing the user data to be detected to obtain a user ID;
judging whether the user ID is in the blacklist;
if the user ID is in the blacklist, this represents a hit;
if the user ID is not in the blacklist, this represents a miss.
9. The method for detecting abnormal user access behavior according to claim 8, further comprising the steps of:
periodically evaluating a risk value for each user ID;
and performing a removal operation or an update operation on the blacklist based on the risk value.
10. The method for detecting abnormal user access behavior according to claim 1, further comprising the step of:
after abnormal user access behavior is detected, first applying a cold period to the user IDs identified as abnormal, and monitoring the number of times each such user ID is consecutively identified as abnormal.
11. The method for detecting abnormal user access behavior according to claim 10, further comprising the step of:
if the number of times the same user ID is consecutively identified as abnormal reaches a threshold, automatically taking risk control measures for the user ID.
12. The method for detecting abnormal user access behavior according to any one of claims 1 to 11, wherein the step of judging whether to perform man-machine recognition based on the user data to be detected comprises:
parsing the user data to be detected;
detecting whether an enterprise ID identifier exists;
if no enterprise ID identifier exists, performing man-machine recognition;
if the enterprise ID identifier exists, man-machine recognition is not needed.
13. A device for detecting abnormal user access behavior, characterized by comprising:
a data module, used for acquiring user data to be detected;
a man-machine judging module, used for judging whether to perform man-machine recognition based on the user data to be detected;
a man-machine recognition module, used for performing man-machine recognition, detecting abnormal user access behavior of the user data to be detected with a first strategy when the user data to be detected is recognized as a person, and with a second strategy when the user data to be detected is recognized as a machine;
a rapid detection module, used for applying the first strategy directly to detect abnormal user access behavior of the user data to be detected when man-machine recognition is not needed;
and a supplementary detection module, used for detecting abnormal user access behavior of the user data to be detected with the second strategy when the first strategy has been applied and hits.
14. A computer device comprising a memory, a processor and a computer program stored on the memory, the processor executing the computer program to perform the steps of the method of any one of claims 1 to 12.
15. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the method of any one of claims 1 to 12.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310064287.3A CN116488842A (en) | 2023-01-31 | 2023-01-31 | Abnormal user access behavior detection method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310064287.3A CN116488842A (en) | 2023-01-31 | 2023-01-31 | Abnormal user access behavior detection method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116488842A true CN116488842A (en) | 2023-07-25 |
Family
ID=87214363
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310064287.3A Pending CN116488842A (en) | 2023-01-31 | 2023-01-31 | Abnormal user access behavior detection method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116488842A (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140304797A1 (en) * | 2013-04-03 | 2014-10-09 | Alibaba Group Holding Limited | Method and system for distinguishing humans from machines and for controlling access to network services |
| US20140373139A1 (en) * | 2013-06-13 | 2014-12-18 | Alibaba Group Holding Limited | Method and system of distinguishing between human and machine |
| CN112351006A (en) * | 2020-10-27 | 2021-02-09 | 杭州安恒信息技术股份有限公司 | Website access attack interception method and related components |
- 2023-01-31 CN CN202310064287.3A patent/CN116488842A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR101708444B1 (en) | Method for evaluating relation between keyword and asset value and Apparatus thereof | |
| CN107943949B (en) | Method and server for determining web crawler | |
| CN109543096A (en) | Data query method, apparatus, computer equipment and storage medium | |
| KR20180013998A (en) | Account theft risk identification method, identification device, prevention and control system | |
| CN113489713A (en) | Network attack detection method, device, equipment and storage medium | |
| CN114386025B (en) | Abnormality detection method, abnormality detection device, electronic device, and storage medium | |
| CN110992135B (en) | Risk identification method and device, electronic equipment and storage medium | |
| KR102682907B1 (en) | compliance management support system using hierarchical structure and method therefor | |
| CN107302586A (en) | A kind of Webshell detection methods and device, computer installation, readable storage medium storing program for executing | |
| CN111131290A (en) | Flow data processing method and device | |
| CN118368083A (en) | Digital resource sharing and access control method | |
| KR102095022B1 (en) | Method, device and program for trading stocks using articles analysis | |
| CN116186691A (en) | Threat information analysis method and device, electronic equipment and storage medium | |
| CN116488842A (en) | Abnormal user access behavior detection method and device | |
| CN117670264B (en) | Automatic flow processing system and method for accounting data | |
| CN114168949B (en) | Application software anomaly detection method and system applied to artificial intelligence | |
| CN116342276A (en) | Method, device and server for determining abnormal object | |
| CN110580625A (en) | circulating data supervision method and device, storage medium and terminal | |
| CN114547640A (en) | Method, device, electronic device and storage medium for determining sensitive operation behavior | |
| CN114549193A (en) | List screening method, apparatus, device, storage medium and program product | |
| Lampe et al. | Critical success factor for integration of cyber security in context of managed services | |
| Rudolph et al. | Security indicators–a state of the art survey public report | |
| CN118333633B (en) | Credit and debt standing book management system and method based on big data | |
| CN116471131B (en) | Processing method and processing device for logical link information asset | |
| CN117436820B (en) | Control method and system based on artificial intelligence |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |