CN110378112A - A kind of user identification method and device - Google Patents
A kind of user identification method and device Download PDFInfo
- Publication number
- CN110378112A CN110378112A CN201910609896.6A CN201910609896A CN110378112A CN 110378112 A CN110378112 A CN 110378112A CN 201910609896 A CN201910609896 A CN 201910609896A CN 110378112 A CN110378112 A CN 110378112A
- Authority
- CN
- China
- Prior art keywords
- application software
- user
- behavioural characteristic
- feature
- behavior
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/06—Buying, selling or leasing transactions
- G06Q30/0601—Electronic shopping [e-shopping]
- G06Q30/0609—Buyer or seller confidence or verification
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Accounting & Taxation (AREA)
- Finance (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- Economics (AREA)
- General Business, Economics & Management (AREA)
- Strategic Management (AREA)
- Marketing (AREA)
- Development Economics (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The disclosure is related to network technique field about a kind of user identification method and device, wherein the above method includes: to detect whether the running environment of application software itself is abnormal environment, if it is, the user of the application software will be used to be identified as fictitious users;If running environment is normal, the feature of behavior of the user using above-mentioned application software is obtained, and identifies whether the user is fictitious users according to feature obtained.It can be seen that can recognize that fictitious users using the scheme that the embodiment of the present disclosure provides, and then be conducive to obtain the installation of accurate real user.
Description
Technical field
This disclosure relates to network technique field more particularly to a kind of user identification method and device.
Background technique
With the fast development of network technology, more and more application software are devoted to market.In order to application software
It is promoted, it is hoped that there will be more users for application software developer to install and use the application software, improve user installation amount.
It in the related technology, is to reach brush amount purpose there are user, using virtual technology, such as virtual machine, sandbox, batch is empty
Vacation installation application software, since this kind of application software carries out simulated operation by machine, application software developer can not be from this
True user is obtained in class user using data, and fictitious users are known as this kind of user.Due to the presence meeting of fictitious users
Influence application software developer to the statistics of user installation amount, therefore, accurate real user installation in order to obtain, now urgently
A kind of user identification method is needed, to identify fictitious users.
Summary of the invention
The disclosure provides a kind of user identification method and device, at least to solve not identifying fictitious users in the related technology
The problem of.The technical solution of the disclosure is as follows:
According to the first aspect of the embodiments of the present disclosure, a kind of user identification method is provided, application software is applied to, comprising:
Whether the running environment for detecting the application software itself is abnormal environment;
If it is, the user of the application software will be used to be identified as fictitious users;
If it has not, the feature of behavior of the user using the application software is obtained, as the first behavioural characteristic, and root
Identify whether the user is fictitious users according to the first behavioural characteristic obtained.
In one embodiment of the disclosure, the method also includes:
In the case where the running environment is abnormal environment, behavior of the user using the application software is obtained
Feature is stored as the second behavioural characteristic, and by the second behavioural characteristic obtained to preset property data base;
It is described to identify whether the user is that fictitious users step includes: according to the first behavioural characteristic obtained
First behavioural characteristic obtained is matched with the feature in the property data base, and according to matching result
Identify whether the user is fictitious users.
In one embodiment of the disclosure, the spy by the first behavioural characteristic obtained and the property data base
Sign is matched, and identifies whether the user is that fictitious users step includes: according to matching result
For every one first behavioural characteristic obtained, judge whether first behavioural characteristic is located at first behavioural characteristic
In corresponding detection range, wherein the corresponding detection range of every one first behavioural characteristic are as follows: according in the property data base with
First behavioural characteristic characterizes the range of the distribution determination of the feature of same behavior;
Determine the quantity for the feature being located in corresponding detection range in the first behavioural characteristic obtained;
In the case where the quantity is not less than preset quantity threshold value, identify that the user is fictitious users.
It is described by the second behavioural characteristic obtained storage to preset property data base in one embodiment of the disclosure
Step includes:
Determine the period that behavior of the user using the application software occurs;
According to the identified period, by the second behavioural characteristic obtained storage to preset property data base;
It is described to match the first behavioural characteristic obtained with the feature in the property data base, and according to matching
As a result identify whether the user is that fictitious users step includes:
The period that the characterized behavior of the first behavioural characteristic obtained occurs is determined, as first time period;
Determine that behavior characterized in the property data base betides the feature of the first time period;
First behavioural characteristic obtained is matched with identified feature, and the use is identified according to matching result
Whether family is fictitious users.
In one embodiment of the disclosure, whether the running environment of the detection application software itself is abnormal environment
Step includes:
When meeting at least one of following situations, determine that the running environment of the application software itself is abnormal environment:
By hook operation intercepting to the default abnormal behaviour using the application software;
Detect that the application software has used abnormal agency service;
Detect that the address of the data buffer storage file of the application software is relocated;
Detect that the address of the optimization file of the application software is relocated;
Detect that there are abnormal address in process chained list PLT.
According to the second aspect of an embodiment of the present disclosure, a kind of customer identification device is provided, application software is applied to, comprising:
Context detection module, whether the running environment for being configured as detecting the application software itself is abnormal environment, if
Be it is yes, then user's determining module is triggered, if it has not, then triggering feature recognition module;
User's determining module is configured as that fictitious users will be identified as using the user of the application software;
Feature recognition module is configured as obtaining the feature of behavior of the user using the application software, as the
One behavioural characteristic, and identify whether the user is fictitious users according to the first behavioural characteristic obtained.
In one embodiment of the disclosure, described device further include:
Characteristic storage module is configured as in the case where context detection module detects that running environment is abnormal environment,
The feature for obtaining behavior of the user using the application software, as the second behavioural characteristic, and by the second row obtained
Storage is characterized to preset property data base;
The feature recognition module is configured specifically are as follows:
First behavioural characteristic obtained is matched with the feature in the property data base, and according to matching result
Identify whether the user is fictitious users.
In one embodiment of the disclosure, the feature recognition module is configured specifically are as follows:
For every one first behavioural characteristic obtained, judge whether first behavioural characteristic is located at first behavioural characteristic
In corresponding detection range, wherein the corresponding detection range of every one first behavioural characteristic are as follows: according in the property data base with
First behavioural characteristic characterizes the range of the distribution determination of the feature of same behavior;
Determine the quantity for the feature being located in corresponding detection range in the first behavioural characteristic obtained;
In the case where the quantity is not less than preset quantity threshold value, identify that the user is fictitious users.
In one embodiment of the disclosure, the characteristic storage module is configured specifically are as follows:
Determine the period that behavior of the user using the application software occurs;
According to the identified period, by the second behavioural characteristic obtained storage to preset property data base;
The feature recognition module is configured specifically are as follows:
The period that the characterized behavior of the first behavioural characteristic obtained occurs is determined, as first time period;
Determine that behavior characterized in the property data base betides the feature of the first time period;
First behavioural characteristic obtained is matched with identified feature, and the use is identified according to matching result
Whether family is fictitious users.
In one embodiment of the disclosure, the context detection module is configured specifically are as follows:
When meeting at least one of following situations, determine that the running environment of the application software itself is abnormal environment:
By hook operation intercepting to the default abnormal behaviour using the application software;
Detect that the application software has used abnormal agency service;
Detect that the address of the data buffer storage file of the application software is relocated;
Detect that the address of the optimization file of the application software is relocated;
Detect that there are abnormal address in process chained list PLT.
According to the third aspect of an embodiment of the present disclosure, a kind of electronic equipment is provided, comprising:
Processor;
For storing the memory of the processor-executable instruction;
Wherein, the processor is configured to executing described instruction, to realize the use as described in any one of first aspect
Family recognition methods.
According to a fourth aspect of embodiments of the present disclosure, a kind of storage medium is provided, comprising:
When the instruction in the storage medium by electronic equipment processor execute when so that electronic equipment be able to carry out as
User identification method described in any one of first aspect.
The technical scheme provided by this disclosed embodiment is at least brought following the utility model has the advantages that detecting application software itself first
Running environment whether be abnormal environment, if it is, the user of the application software will be used to be identified as fictitious users;If fortune
Row environment is normal, then obtains the feature of behavior of the user using above-mentioned application software, and should according to feature obtained identification
Whether user is fictitious users.It can be seen that can recognize that fictitious users using the scheme that the embodiment of the present disclosure provides, in turn
Be conducive to obtain the installation of accurate real user.
It should be understood that above general description and following detailed description be only it is exemplary and explanatory, not
The disclosure can be limited.
Detailed description of the invention
The drawings herein are incorporated into the specification and forms part of this specification, and shows the implementation for meeting the disclosure
Example, and together with specification for explaining the principles of this disclosure, do not constitute the improper restriction to the disclosure.
Fig. 1 is a kind of flow chart of user identification method shown according to an exemplary embodiment;
Fig. 2 is the flow chart of another user identification method shown according to an exemplary embodiment;
Fig. 3 is a kind of block diagram of customer identification device shown according to an exemplary embodiment;
Fig. 4 is the block diagram of another customer identification device shown according to an exemplary embodiment;
Fig. 5 is a kind of electronic equipment block diagram shown according to an exemplary embodiment.
Specific embodiment
In order to make ordinary people in the field more fully understand the technical solution of the disclosure, below in conjunction with attached drawing, to this public affairs
The technical solution opened in embodiment is clearly and completely described.
It should be noted that the specification and claims of the disclosure and term " first " in above-mentioned attached drawing, "
Two " etc. be to be used to distinguish similar objects, without being used to describe a particular order or precedence order.It should be understood that using in this way
Data be interchangeable under appropriate circumstances, so as to embodiment of the disclosure described herein can in addition to illustrating herein or
Sequence other than those of description is implemented.Embodiment described in following exemplary embodiment does not represent and disclosure phase
Consistent all embodiments.On the contrary, they are only and as detailed in the attached claim, the disclosure some aspects
The example of consistent device and method.
Fig. 1 is a kind of flow chart of user identification method shown according to an exemplary embodiment, as shown in Figure 1, above-mentioned
User identification method is applied to application software, specifically, above-mentioned application software can be video software, music software, social soft
Part etc., above-mentioned user identification method include the following steps 101- step 103.
Step 101, whether the running environment for detecting application software itself is abnormal environment, if it is, thening follow the steps
102, if it has not, thening follow the steps 103.
Wherein, above-mentioned running environment is the environment that is operated in as the application software of executing subject of the embodiment of the present invention.
Application software is usually all mounted in be run on electronic equipment, and electronic equipment can be mobile phone, tablet computer, desktop computer
Deng.Above-mentioned electronic equipment provides running environment for application software.Above-mentioned abnormal environment is the environment inconsistent with normal environment.
In one embodiment of the disclosure, when meeting at least one of following situations A- situation E, determine that above-mentioned application is soft
The running environment of part itself is abnormal environment:
Situation A: pass through hook operation intercepting to the default abnormal behaviour for using application software.
In one embodiment of the disclosure, application software is in the process of running, it may be necessary to this fortune of call operation system
The system function that row environment provides executes various instructions.Some abnormal behaviours are also possible to that above system function can be called, mirror
In this, it can be above system function setup hooking function, the behavior for calling above system function is detected by hooking function
It whether is default abnormal behaviour.
Wherein, above-mentioned default abnormal behaviour can be modification registration table, modification IP address, strange land log in.
Situation B: detect that above-mentioned application software has used abnormal agency service.
In one embodiment of the disclosure, the communication service during self-operating can be examined by application software
It surveys.Since application software usually will complete communication service by agency service, if detecting abnormal generation in communication service
Reason service, then it is assumed that the running environment of the application software is abnormal environment.
Situation C: detect that the address of the data buffer storage file of above-mentioned application software is relocated.
Wherein, above-mentioned data buffer storage file is for storing the data cached file of application software, for example, data file
Deng.
For application software, the storage address of data buffer storage file is all preset, and due to using virtually
The application software of technology falseness installation does not have the permission of operation preset data cache file, therefore the application software of false installation
Need to reset a data cache file.If detecting that the address of the data buffer storage file of application software changes,
It is not above-mentioned preset storage address, it is believed that data buffer storage file is relocated, it may be considered that the application software
Running environment be abnormal environment.
Situation D: detect that the address of the optimization file of above-mentioned application software is relocated.
Wherein, above-mentioned optimization file is the text that application software extracts generation to the execution file during self-operating
Part.For example, in order to optimize the starting speed of application software, by application software can operating file classes.dex from deep layer
It is extracted in catalogue, and generates odex file and individually stored, application software on startup, can be quick in this case
Find can operating file, thus start quickly speed, the odex file of above-mentioned generation is to optimize file.
For application software, it is preset for optimizing the storage address of file, and due to empty using virtual technology
The application software of vacation installation does not have the permission of the default optimization File of operation, therefore the application software of false installation needs weight
One optimization file of new settings.It is no longer above-mentioned preparatory if detecting that the address of the optimization file of application software changes
The storage address of setting, it is believed that optimization file is relocated, it may be considered that the running environment of the application software is abnormal
Environment.
Situation E: detect that there are abnormal address in PLT (Procedure Linkage Table, process connection table).
Wherein, above-mentioned PLT table is for storing information relevant to that can call the address of system function, in calling system function
When, it needs to search information relevant to the address of system function by PLT table, carries out function tune further according to the information found
With.
Due to using virtual technology falseness installation application software can not calling system function, for the above-mentioned system of normal call
System function needs voluntarily to generate above system function, then carries out to information relevant to the address of above system function in PLT table
Modification, so that the information stored in PLT table is directed toward the above-mentioned function voluntarily generated.In this case, if it find that being deposited in PLT table
The information of storage is changed, it may be considered that the running environment of the application software is abnormal environment.
Step 102, the user of above-mentioned application software will be used to be identified as fictitious users.
In the case where detecting the running environment of application software is abnormal environment, the application software will can be directly used
User be identified as fictitious users.
Step 103, the feature for obtaining behavior of the user using above-mentioned application software, as the first behavioural characteristic, and according to
First behavioural characteristic obtained identifies whether the user is fictitious users.
Wherein, above-mentioned behavior is behavior of user during using application software.For example, above-mentioned behavior can be starting
Application software, viewing live streaming, click concern etc..
Since features described above is the feature of behavior of the user using application software, so, features described above is can to characterize use
The data of family behavior.For example, features described above can be viewing duration, starting duration etc..Features described above is also possible to a certain behavior
Occupied duration uses the ratio of all behavior total durations during application software relative to user, for example, soft for video
For part, the behavior of user, which can be, to be seen live, sees short-sighted frequency, watches movie, if the when a length of 3h that user sees live, sees short-sighted
The when a length of 2h of frequency, the when a length of 5h to watch movie, all behavior total durations are 10h, then the ratio that sees live of the user is 30%,
See that short-sighted frequency ratio example is 20%, ratio of watching movie is 50%.Above-mentioned behavioural characteristic being retrieved as by user authorize and obtain.
In one embodiment of the disclosure, for every one first behavioural characteristic obtained, it can be determined that first behavior
Whether feature is located in the corresponding default detection range of first behavioural characteristic, determines and is located in the first behavioural characteristic obtained
The quantity of feature in corresponding detection range identifies the user for falseness in the case where quantity is not less than preset quantity threshold value
User.
Wherein, above-mentioned default detection range is preset detection range.
For example, the first behavioural characteristic obtained is viewing duration, starting duration and sees live ratio, it is assumed that the sight of the user
A length of 20min when seeing, starting duration 3min, the ratio that sees live is 90%, and watches the corresponding default detection range of duration and be
15min-30min, the corresponding default detection range of starting duration are 5min-8min, and seeing live the corresponding detection range of ratio is
80%-100%.From the foregoing, it can be seen that the quantity for the feature being located in corresponding detection range in feature obtained is 2, default
In the case that amount threshold is 2, identify that the user is fictitious users.
As seen from the above, when carrying out user's identification using technical solution provided by the above embodiment, detection application first is soft
Whether the running environment of part itself is abnormal environment, if it is, the user of the application software will be used to be identified as fictitious users;
If running environment is normal, the feature of behavior of the user using above-mentioned application software is obtained, and according to feature obtained
Identify whether the user is fictitious users.It can recognize that fictitious users using the scheme that embodiment disclosed above provides, in turn
Be conducive to obtain the installation of accurate real user.
In one embodiment of the disclosure, as shown in Fig. 2, the user identification method that the disclosure provides can also include:
Step 104, in the case where running environment is abnormal environment, behavior of the user using above-mentioned application software is obtained
Feature is stored as the second behavioural characteristic, and by the second behavioural characteristic obtained to preset property data base.
Since in the case where running environment is abnormal environment, above-mentioned user is identified as fictitious users, therefore, above-mentioned spy
The feature stored in sign database is the feature of fictitious users.
In one embodiment of the disclosure, the fictitious users that above-mentioned steps 103 identify can also be stated in use and be answered
With the feature of behavior in software, it is equally used as the second behavioural characteristic, and the second behavioural characteristic of above-mentioned user is stored to default
Property data base in.
There are features described above database, above-mentioned steps 103 identify above-mentioned user according to feature obtained
It whether is that fictitious users can be to be realized by following steps 103A.
Step 103A matches the first behavioural characteristic obtained with the feature in features described above database, and root
Identify whether above-mentioned user is fictitious users according to matching result.
Due to stored in property data base be fictitious users feature, so if the first behavioural characteristic obtained with
The matching degree of feature is higher than preset threshold in property data base, it may be considered that the user is fictitious users;If matching degree is not
Higher than preset threshold, it may be considered that the user is not fictitious users.
It, can be using the behavioural characteristic of each user as a feature vector progress in one embodiment of the disclosure
Match.Specifically, computational representation obtains in the vector and characteristic feature database of the first behavioural characteristic between the vector of feature
Matching degree, in the case where matching degree is greater than preset matching degree threshold value, it is believed that above-mentioned user is fictitious users.For example, above-mentioned
It can be cosine similarity with degree, be also possible to Euclidean distance etc..
In another embodiment of the disclosure, for every one first behavioural characteristic obtained, first behavior spy is judged
Whether sign is located in the corresponding detection range of the first behavioural characteristic;It determines and is located at corresponding inspection in the first behavioural characteristic obtained
Survey the quantity of the feature in range;In the case where above-mentioned quantity is greater than preset quantity threshold value, identify that above-mentioned user uses to be false
Family.
Wherein, the corresponding detection range of every one first behavioural characteristic are as follows: according in features described above database with the first row
It is characterized the determining range of the distribution of the feature of characterization same behavior.
Specifically, usually operated in the process by machine simulation due to fictitious users using application software, it is this kind of
The feature distribution of the corresponding behavior of user is in the presence of rule.For example, the feature in database can be normal distribution.At this
In the case of kind, the range of the feature integrated distribution of the behavior of fictitious users, the detection range as this feature are obtained.
Since in scheme provided by the above embodiment, detection range is point according to fictitious users feature in property data base
What cloth obtained, as the feature stored in property data base is more, the rule of feature distribution will be more and more clear, obtained
Detection range also will be more accurate, and then identify that the accuracy rate of fictitious users also will be enhanced.
In one embodiment of the disclosure, above-mentioned steps 104 can be incited somebody to action when storing the second behavioural characteristic according to the period
Second behavioural characteristic obtained is stored to preset property data base.
Specifically, determine the period that the behavior of above-mentioned user using above-mentioned application software occurs, according to it is identified when
Between section, by the second behavioural characteristic obtained storage to preset property data base.
Wherein, the above-mentioned period can be the period obtained according to user using the peak period of application software, for example, by
It needs to go to work in the week most users, belong to using trough period, Saturday and Sunday user rest, belonging to application software makes
The period is divided with peak period, therefore according to week, when can be divided into period on Monday, Sunday period ... on Tuesday
Between section;Again due to daytime and late into the night most users to work and rest, belong to using trough period, noon and evening belong to using high
The peak phase, thus can also according to 24 hours division periods, can be divided into the 0:00-2:00 period, the 2:00-8:00 period,
8:00-12:00 period, 12:00-14:00 period, 14:00-18:00 period, 18:00-24:00 period.
On the basis of the above, above-mentioned steps 103A, can be according to the period to obtained when carrying out feature identification
One behavioural characteristic is matched.
Specifically, determine the period of the characterized behavior generation of the first behavioural characteristic obtained, as first time period,
Determine that behavior characterized in features described above database betides the feature of above-mentioned first time period, the first behavior obtained is special
Sign is matched with identified feature, and identifies whether above-mentioned user is fictitious users according to matching result.
For example, if the period that the behavior that the first behavioural characteristic obtained is characterized occurs is 18:00-24:00, then
Determine that characterizing above-mentioned behavior equally occurs feature in the 18:00-24:00 period in property data base, it will be obtained
The feature determined in feature and property data base is matched, and identifies whether above-mentioned user is false use according to matching result
Family.
It, can be according to the period to institute when storing the second behavioural characteristic for step 104 in one embodiment of the disclosure
The second behavioural characteristic obtained stores respectively, for example, the second behavioural characteristic storage of period on Monday is arrived together, by week
The second behavioural characteristic storage of two periods is to together.When executing the identification of step 103A feature in this case, it is first determined
First time period, then the feature in property data base in first time period is obtained, by the first behavioural characteristic and obtained characteristic
It is matched according to the feature in library.
It, can also be to obtained when storing the second behavioural characteristic for step 104 in another embodiment of the disclosure
Second behavioural characteristic is labeled, for example, according to the period that the characterized behavior of the second behavioural characteristic occurs, by the second behavior spy
Sign mark is respectively period on Monday, period on Tuesday etc..It is first when executing the identification of step 103A feature in this case
It first determines first time period, then searches the feature for being noted as first time period in property data base, by the first behavioural characteristic
It is matched with the feature in the property data base found.
In scheme provided by the above embodiment, the period of behavior occurs according to user, it is corresponding according to different time sections
Feature identifies user, and the accuracy rate of identification can be improved.
Corresponding with above-mentioned user identification method, the disclosure additionally provides a kind of customer identification device.
Fig. 3 is a kind of customer identification device block diagram shown according to an exemplary embodiment, is applied to application software.Reference
Fig. 3, the device include following module 301- module 303.
Context detection module 301, whether the running environment for being configured as detecting above-mentioned application software itself is abnormal environment,
If it has, then triggering user's determining module 302, if it has not, then triggering feature recognition module 303.
User's determining module 302 is configured as that fictitious users will be identified as using the user of above-mentioned application software.
Feature recognition module 303 is configured as obtaining the feature of behavior of the user using the application software, as
First behavioural characteristic, and identify whether the user is fictitious users according to the first behavioural characteristic obtained.
In technical solution provided by the above embodiment, whether the running environment of detection application software itself first is abnormal ring
Border, if it is, the user of the application software will be used to be identified as fictitious users;If running environment is normal, the use is obtained
Family uses the feature of the behavior of above-mentioned application software, and identifies whether the user is fictitious users according to feature obtained.By
This is as it can be seen that can recognize that fictitious users using the scheme that the embodiment of the present disclosure provides, and then be conducive to obtain accurately true
The installation of user.
Referring to fig. 4, in one embodiment of the disclosure, above-mentioned customer identification device further include:
Characteristic storage module 304 is configured as detecting the case where running environment is abnormal environment in context detection module
Under, the feature of behavior of the above-mentioned user using above-mentioned application software is obtained, as the second behavioural characteristic, and by obtained second
Behavioural characteristic is stored to preset property data base.
Features described above identification module 303 is configured as:
Fisrt feature obtained is matched with the feature in features described above database, and is identified according to matching result
Whether above-mentioned user is fictitious users.
In one embodiment of the disclosure, features described above identification module 303 is configured specifically are as follows:
For every one first behavioural characteristic obtained, judge whether first behavioural characteristic is located at first behavioural characteristic
In corresponding detection range, wherein the corresponding detection range of every one first behavioural characteristic are as follows: according in features described above database with
First behavioural characteristic characterizes the range of the distribution determination of the feature of same behavior, determines position in the first behavioural characteristic obtained
Above-mentioned use is identified in the case where above-mentioned quantity is not less than preset quantity threshold value in the quantity of the feature in corresponding detection range
Family is fictitious users.
In one embodiment of the disclosure, features described above memory module 304 is configured specifically are as follows:
Determine the period that behavior of the above-mentioned user using above-mentioned application software occurs, it, will according to the identified period
Second behavioural characteristic obtained is stored to preset property data base.
Features described above identification module 303 is configured specifically are as follows:
The period that the characterized behavior of the first behavioural characteristic obtained occurs is determined, as first time period, in determination
The feature that behavior characterized in property data base betides above-mentioned first time period is stated, by the first behavioural characteristic obtained and institute
Determining feature is matched, and identifies whether above-mentioned user is fictitious users according to matching result.
In one embodiment of the disclosure, above-mentioned context detection module 301 is configured specifically are as follows:
When meeting at least one of following situations, determine that the running environment of above-mentioned application software itself is abnormal environment:
By hook operation intercepting to the default abnormal behaviour using above-mentioned application software;
Detect that above-mentioned application software has used abnormal agency service;
Detect that the address of the data buffer storage file of above-mentioned application software is relocated;
Detect that the address of the optimization file of above-mentioned application software is relocated;
Detect that there are abnormal address in process chained list PLT.
Fig. 5 is a kind of electronic equipment block diagram shown according to an exemplary embodiment, is applied to application software.Reference Fig. 5,
The electronic equipment includes processor 501, communication interface 502, memory 503 and communication bus 504, wherein processor 501 leads to
Believe that interface 502, memory 503 complete mutual communication by communication bus 504,
Memory 503, for storing computer program;
Processor 501 when for executing the program stored on memory 503, realizes user's identification that the disclosure provides
Method.
The communication bus that above-mentioned electronic equipment is mentioned can be Peripheral Component Interconnect standard (Peripheral Component
Interconnect, PCI) bus or expanding the industrial standard structure (Extended Industry Standard
Architecture, EISA) bus etc..The communication bus can be divided into address bus, data/address bus, control bus etc..For just
It is only indicated with a thick line in expression, figure, it is not intended that an only bus or a type of bus.
Communication interface is for the communication between above-mentioned electronic equipment and other equipment.
Memory may include random access memory (Random Access Memory, RAM), also may include non-easy
The property lost memory (Non-Volatile Memory, NVM), for example, at least a magnetic disk storage.Optionally, memory may be used also
To be storage device that at least one is located remotely from aforementioned processor.
Above-mentioned processor can be general processor, including central processing unit (Central Processing Unit,
CPU), network processing unit (Network Processor, NP) etc.;It can also be digital signal processor (Digital Signal
Processing, DSP), it is specific integrated circuit (Application Specific Integrated Circuit, ASIC), existing
It is field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete
Door or transistor logic, discrete hardware components.
In the another embodiment that the disclosure provides, a kind of computer readable storage medium is additionally provided, which can
It reads to be stored with computer program in storage medium, above-mentioned computer program realizes any of the above-described user's identification when being executed by processor
The step of method.
In the another embodiment that the disclosure provides, a kind of computer program product comprising instruction is additionally provided, when it
When running on computers, so that computer executes any user recognition methods in above-described embodiment.
As it can be seen that using electronic equipment provided by the above embodiment carry out user's identification when, execute it is provided by the above embodiment
Run when the computer program stored in computer readable storage medium carries out user's identification and on computers above-mentioned implementation
Computer program product that example provides and when carrying out user's identification, whether the running environment of detection application software itself first is different
Normal environment, if it is, the user of the application software will be used to be identified as fictitious users;If running environment is normal, obtain
The user uses the feature of the behavior of above-mentioned application software, and identifies whether the user is false use according to feature obtained
Family.It can be seen that the embodiment of the present disclosure can recognize that fictitious users, and then obtain true user installation amount.
Electronic equipment, readable storage medium storing program for executing and computer program product provided by the above embodiment, can be quick and precisely
User identification method provided in an embodiment of the present invention is realized on ground, compared with prior art, the side provided using the embodiment of the present disclosure
Case can recognize that fictitious users, and then be conducive to obtain the installation of accurate real user.
In the above-described embodiments, can come wholly or partly by software, hardware, firmware or any combination thereof real
It is existing.When implemented in software, it can entirely or partly realize in the form of a computer program product.The computer program
Product includes one or more computer instructions.When loading on computers and executing the computer program instructions, all or
It partly generates according to process or function described in the embodiment of the present invention.The computer can be general purpose computer, dedicated meter
Calculation machine, computer network or other programmable devices.The computer instruction can store in computer readable storage medium
In, or from a computer readable storage medium to the transmission of another computer readable storage medium, for example, the computer
Instruction can pass through wired (such as coaxial cable, optical fiber, number from a web-site, computer, server or data center
User's line (DSL)) or wireless (such as infrared, wireless, microwave etc.) mode to another web-site, computer, server or
Data center is transmitted.The computer readable storage medium can be any usable medium that computer can access or
It is comprising data storage devices such as one or more usable mediums integrated server, data centers.The usable medium can be with
It is magnetic medium, (for example, floppy disk, hard disk, tape), optical medium (for example, DVD) or semiconductor medium (such as solid state hard disk
Solid State Disk (SSD)) etc..
It should be noted that, in this document, relational terms such as first and second and the like are used merely to a reality
Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation
In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to
Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those
Element, but also including other elements that are not explicitly listed, or further include for this process, method, article or equipment
Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that
There is also other identical elements in process, method, article or equipment including the element.
Each embodiment in this specification is all made of relevant mode and describes, same and similar portion between each embodiment
Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for device reality
For applying example, electronic equipment embodiment, computer readable storage medium embodiment and computer program product embodiments, due to
It is substantially similar to embodiment of the method, so being described relatively simple, related place is referring to the part explanation of embodiment of the method
It can.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the scope of the present invention.It is all
Any modification, equivalent replacement, improvement and so within the spirit and principles in the present invention, are all contained in protection scope of the present invention
It is interior.
Claims (10)
1. a kind of user identification method, which is characterized in that be applied to application software, comprising:
Whether the running environment for detecting the application software itself is abnormal environment;
If it is, the user of the application software will be used to be identified as fictitious users;
If it has not, the feature of behavior of the user using the application software is obtained, as the first behavioural characteristic, and according to institute
The first behavioural characteristic obtained identifies whether the user is fictitious users.
2. the method according to claim 1, wherein the method also includes:
In the case where the running environment is abnormal environment, the spy of behavior of the user using the application software is obtained
Sign is stored as the second behavioural characteristic, and by the second behavioural characteristic obtained to preset property data base;
It is described to identify whether the user is that fictitious users step includes: according to the first behavioural characteristic obtained
First behavioural characteristic obtained is matched with the feature in the property data base, and is identified according to matching result
Whether the user is fictitious users.
3. according to the method described in claim 2, it is characterized in that, described by the first behavioural characteristic obtained and the feature
Feature in database is matched, and identifies whether the user is that fictitious users step includes: according to matching result
For every one first behavioural characteristic obtained, it is corresponding to judge whether first behavioural characteristic is located at first behavioural characteristic
Detection range in, wherein the corresponding detection range of every one first behavioural characteristic are as follows: according in the property data base with this
One behavioural characteristic characterizes the range of the distribution determination of the feature of same behavior;
Determine the quantity for the feature being located in corresponding detection range in the first behavioural characteristic obtained;
In the case where the quantity is not less than preset quantity threshold value, identify that the user is fictitious users.
4. according to the method described in claim 2, it is characterized in that, described store the second behavioural characteristic obtained to default
Property data base step include:
Determine the period that behavior of the user using the application software occurs;
According to the identified period, by the second behavioural characteristic obtained storage to preset property data base;
It is described to match the first behavioural characteristic obtained with the feature in the property data base, and according to matching result
Identify whether the user is that fictitious users step includes:
The period that the characterized behavior of the first behavioural characteristic obtained occurs is determined, as first time period;
Determine that behavior characterized in the property data base betides the feature of the first time period;
First behavioural characteristic obtained is matched with identified feature, and identifies that the user is according to matching result
No is fictitious users.
5. method according to any of claims 1-4, which is characterized in that the detection application software itself
Whether running environment is that abnormal environment step includes:
When meeting at least one of following situations, determine that the running environment of the application software itself is abnormal environment:
By hook operation intercepting to the default abnormal behaviour using the application software;
Detect that the application software has used abnormal agency service;
Detect that the address of the data buffer storage file of the application software is relocated;
Detect that the address of the optimization file of the application software is relocated;
Detect that there are abnormal address in process chained list PLT.
6. a kind of customer identification device is applied to application software characterized by comprising
Context detection module, whether the running environment for being configured as detecting the application software itself is abnormal environment, if it is,
User's determining module is then triggered, if it has not, then triggering feature recognition module;
User's determining module is configured as that fictitious users will be identified as using the user of the application software;
Feature recognition module is configured as obtaining the feature of behavior of the user using the application software, as the first row
It is characterized, and identifies whether the user is fictitious users according to the first behavioural characteristic obtained.
7. device according to claim 6, which is characterized in that described device further include:
Characteristic storage module is configured as obtaining in the case where context detection module detects that running environment is abnormal environment
The user uses the feature of the behavior of the application software, as the second behavioural characteristic, and the second behavior obtained is special
Preset property data base is arrived in sign storage;
The feature recognition module is configured specifically are as follows:
First behavioural characteristic obtained is matched with the feature in the property data base, and is identified according to matching result
Whether the user is fictitious users.
8. device described in any one of according to claim 6 or 7, which is characterized in that the context detection module is specifically matched
It is set to:
When meeting at least one of following situations, determine that the running environment of the application software itself is abnormal environment:
By hook operation intercepting to the default abnormal behaviour using the application software;
Detect that the application software has used abnormal agency service;
Detect that the address of the data buffer storage file of the application software is relocated;
Detect that the address of the optimization file of the application software is relocated;
Detect that there are abnormal address in process chained list PLT.
9. a kind of electronic equipment characterized by comprising
Processor;
For storing the memory of the processor-executable instruction;
Wherein, the processor is configured to executing described instruction, to realize the use as described in any one of claims 1 to 5
Family recognition methods.
10. a kind of storage medium, which is characterized in that when the instruction in the storage medium is executed by the processor of electronic equipment
When, so that electronic equipment is able to carry out the user identification method as described in any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910609896.6A CN110378112A (en) | 2019-07-08 | 2019-07-08 | A kind of user identification method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910609896.6A CN110378112A (en) | 2019-07-08 | 2019-07-08 | A kind of user identification method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110378112A true CN110378112A (en) | 2019-10-25 |
Family
ID=68252407
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910609896.6A Pending CN110378112A (en) | 2019-07-08 | 2019-07-08 | A kind of user identification method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110378112A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104932966A (en) * | 2015-06-19 | 2015-09-23 | 广东欧珀移动通信有限公司 | Method and device for detecting false downloading times of application software |
CN105824834A (en) * | 2015-01-06 | 2016-08-03 | 腾讯科技(深圳)有限公司 | Search traffic cheating behavior identification method and apparatus |
CN106301979A (en) * | 2015-05-27 | 2017-01-04 | 腾讯科技(北京)有限公司 | The method and system of the abnormal channel of detection |
CN106294508A (en) * | 2015-06-10 | 2017-01-04 | 深圳市腾讯计算机***有限公司 | A kind of brush amount tool detection method and device |
US10009374B1 (en) * | 2015-08-04 | 2018-06-26 | Symantec Corporation | Detecting URL scheme hijacking |
CN109117250A (en) * | 2018-07-27 | 2019-01-01 | 平安科技(深圳)有限公司 | A kind of simulator recognition methods, identification equipment and computer-readable medium |
CN109241343A (en) * | 2018-07-27 | 2019-01-18 | 北京奇艺世纪科技有限公司 | A kind of brush amount user identifying system, method and device |
CN109408556A (en) * | 2018-09-28 | 2019-03-01 | 中国平安人寿保险股份有限公司 | Abnormal user recognition methods and device, electronic equipment, medium based on big data |
CN109413103A (en) * | 2018-12-11 | 2019-03-01 | 泰康保险集团股份有限公司 | Processing method, device, equipment and the storage medium of fictitious users identification |
-
2019
- 2019-07-08 CN CN201910609896.6A patent/CN110378112A/en active Pending
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105824834A (en) * | 2015-01-06 | 2016-08-03 | 腾讯科技(深圳)有限公司 | Search traffic cheating behavior identification method and apparatus |
CN106301979A (en) * | 2015-05-27 | 2017-01-04 | 腾讯科技(北京)有限公司 | The method and system of the abnormal channel of detection |
CN106294508A (en) * | 2015-06-10 | 2017-01-04 | 深圳市腾讯计算机***有限公司 | A kind of brush amount tool detection method and device |
CN104932966A (en) * | 2015-06-19 | 2015-09-23 | 广东欧珀移动通信有限公司 | Method and device for detecting false downloading times of application software |
US10009374B1 (en) * | 2015-08-04 | 2018-06-26 | Symantec Corporation | Detecting URL scheme hijacking |
CN109117250A (en) * | 2018-07-27 | 2019-01-01 | 平安科技(深圳)有限公司 | A kind of simulator recognition methods, identification equipment and computer-readable medium |
CN109241343A (en) * | 2018-07-27 | 2019-01-18 | 北京奇艺世纪科技有限公司 | A kind of brush amount user identifying system, method and device |
CN109408556A (en) * | 2018-09-28 | 2019-03-01 | 中国平安人寿保险股份有限公司 | Abnormal user recognition methods and device, electronic equipment, medium based on big data |
CN109413103A (en) * | 2018-12-11 | 2019-03-01 | 泰康保险集团股份有限公司 | Processing method, device, equipment and the storage medium of fictitious users identification |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10277480B2 (en) | Method, apparatus, and system for determining a location corresponding to an IP address | |
CN105938448B (en) | Method and apparatus for data duplication | |
CN109690548B (en) | Computing device protection based on device attributes and device risk factors | |
CN105471935B (en) | Information prompting method and device | |
US9645914B1 (en) | Apps store with integrated test support | |
JP7389806B2 (en) | Systems and methods for behavioral threat detection | |
CN105700819B (en) | Method and system for network data storage | |
US11630851B2 (en) | Systems and methods for providing predictions to applications executing on a computing device | |
US20190163901A1 (en) | Computer device and method of identifying whether container behavior thereof is abnormal | |
CN104169902A (en) | Synchronizing local and remote data | |
EP3201739A1 (en) | Determining unintended touch rejection | |
CN110209925A (en) | Using method for pushing, device, computer equipment and storage medium | |
CN115374426A (en) | Access control method, device, equipment and storage medium | |
CN109117153A (en) | Processing method, device, terminal and the storage medium of application program | |
CN109688094A (en) | Suspicious IP configuration method, device, equipment and storage medium based on network security | |
CN111767270A (en) | Data migration method, device, server and storage medium | |
CN106507192A (en) | A kind of television shutdown control method and system based on eye recognition | |
CN110378112A (en) | A kind of user identification method and device | |
CN111178942B (en) | Advertisement shielding method, device, equipment and storage medium | |
CN106155736B (en) | Software installation starts type detection method, apparatus and user terminal | |
US20210342755A1 (en) | Verification of proof of work using computer vision and/or machine learning | |
CN112035201B (en) | Device parameter display method and device, computer device and storage medium | |
KR20150007191A (en) | Hacking Preventing Method on Communication Terminal, and Communication Terminal Thereof | |
CN113468541A (en) | Operating environment recognition method and device, electronic equipment and storage medium | |
US10074103B2 (en) | Method and system for identifying mobile device according to information feature of applications of mobile device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |