CN110378112A - A kind of user identification method and device - Google Patents

A kind of user identification method and device Download PDF

Info

Publication number
CN110378112A
CN110378112A CN201910609896.6A CN201910609896A CN110378112A CN 110378112 A CN110378112 A CN 110378112A CN 201910609896 A CN201910609896 A CN 201910609896A CN 110378112 A CN110378112 A CN 110378112A
Authority
CN
China
Prior art keywords
application software
user
behavioural characteristic
feature
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910609896.6A
Other languages
Chinese (zh)
Inventor
顾冬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dajia Internet Information Technology Co Ltd
Original Assignee
Beijing Dajia Internet Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Dajia Internet Information Technology Co Ltd filed Critical Beijing Dajia Internet Information Technology Co Ltd
Priority to CN201910609896.6A priority Critical patent/CN110378112A/en
Publication of CN110378112A publication Critical patent/CN110378112A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/06Buying, selling or leasing transactions
    • G06Q30/0601Electronic shopping [e-shopping]
    • G06Q30/0609Buyer or seller confidence or verification

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Economics (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Marketing (AREA)
  • Development Economics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The disclosure is related to network technique field about a kind of user identification method and device, wherein the above method includes: to detect whether the running environment of application software itself is abnormal environment, if it is, the user of the application software will be used to be identified as fictitious users;If running environment is normal, the feature of behavior of the user using above-mentioned application software is obtained, and identifies whether the user is fictitious users according to feature obtained.It can be seen that can recognize that fictitious users using the scheme that the embodiment of the present disclosure provides, and then be conducive to obtain the installation of accurate real user.

Description

A kind of user identification method and device
Technical field
This disclosure relates to network technique field more particularly to a kind of user identification method and device.
Background technique
With the fast development of network technology, more and more application software are devoted to market.In order to application software It is promoted, it is hoped that there will be more users for application software developer to install and use the application software, improve user installation amount.
It in the related technology, is to reach brush amount purpose there are user, using virtual technology, such as virtual machine, sandbox, batch is empty Vacation installation application software, since this kind of application software carries out simulated operation by machine, application software developer can not be from this True user is obtained in class user using data, and fictitious users are known as this kind of user.Due to the presence meeting of fictitious users Influence application software developer to the statistics of user installation amount, therefore, accurate real user installation in order to obtain, now urgently A kind of user identification method is needed, to identify fictitious users.
Summary of the invention
The disclosure provides a kind of user identification method and device, at least to solve not identifying fictitious users in the related technology The problem of.The technical solution of the disclosure is as follows:
According to the first aspect of the embodiments of the present disclosure, a kind of user identification method is provided, application software is applied to, comprising:
Whether the running environment for detecting the application software itself is abnormal environment;
If it is, the user of the application software will be used to be identified as fictitious users;
If it has not, the feature of behavior of the user using the application software is obtained, as the first behavioural characteristic, and root Identify whether the user is fictitious users according to the first behavioural characteristic obtained.
In one embodiment of the disclosure, the method also includes:
In the case where the running environment is abnormal environment, behavior of the user using the application software is obtained Feature is stored as the second behavioural characteristic, and by the second behavioural characteristic obtained to preset property data base;
It is described to identify whether the user is that fictitious users step includes: according to the first behavioural characteristic obtained
First behavioural characteristic obtained is matched with the feature in the property data base, and according to matching result Identify whether the user is fictitious users.
In one embodiment of the disclosure, the spy by the first behavioural characteristic obtained and the property data base Sign is matched, and identifies whether the user is that fictitious users step includes: according to matching result
For every one first behavioural characteristic obtained, judge whether first behavioural characteristic is located at first behavioural characteristic In corresponding detection range, wherein the corresponding detection range of every one first behavioural characteristic are as follows: according in the property data base with First behavioural characteristic characterizes the range of the distribution determination of the feature of same behavior;
Determine the quantity for the feature being located in corresponding detection range in the first behavioural characteristic obtained;
In the case where the quantity is not less than preset quantity threshold value, identify that the user is fictitious users.
It is described by the second behavioural characteristic obtained storage to preset property data base in one embodiment of the disclosure Step includes:
Determine the period that behavior of the user using the application software occurs;
According to the identified period, by the second behavioural characteristic obtained storage to preset property data base;
It is described to match the first behavioural characteristic obtained with the feature in the property data base, and according to matching As a result identify whether the user is that fictitious users step includes:
The period that the characterized behavior of the first behavioural characteristic obtained occurs is determined, as first time period;
Determine that behavior characterized in the property data base betides the feature of the first time period;
First behavioural characteristic obtained is matched with identified feature, and the use is identified according to matching result Whether family is fictitious users.
In one embodiment of the disclosure, whether the running environment of the detection application software itself is abnormal environment Step includes:
When meeting at least one of following situations, determine that the running environment of the application software itself is abnormal environment:
By hook operation intercepting to the default abnormal behaviour using the application software;
Detect that the application software has used abnormal agency service;
Detect that the address of the data buffer storage file of the application software is relocated;
Detect that the address of the optimization file of the application software is relocated;
Detect that there are abnormal address in process chained list PLT.
According to the second aspect of an embodiment of the present disclosure, a kind of customer identification device is provided, application software is applied to, comprising:
Context detection module, whether the running environment for being configured as detecting the application software itself is abnormal environment, if Be it is yes, then user's determining module is triggered, if it has not, then triggering feature recognition module;
User's determining module is configured as that fictitious users will be identified as using the user of the application software;
Feature recognition module is configured as obtaining the feature of behavior of the user using the application software, as the One behavioural characteristic, and identify whether the user is fictitious users according to the first behavioural characteristic obtained.
In one embodiment of the disclosure, described device further include:
Characteristic storage module is configured as in the case where context detection module detects that running environment is abnormal environment, The feature for obtaining behavior of the user using the application software, as the second behavioural characteristic, and by the second row obtained Storage is characterized to preset property data base;
The feature recognition module is configured specifically are as follows:
First behavioural characteristic obtained is matched with the feature in the property data base, and according to matching result Identify whether the user is fictitious users.
In one embodiment of the disclosure, the feature recognition module is configured specifically are as follows:
For every one first behavioural characteristic obtained, judge whether first behavioural characteristic is located at first behavioural characteristic In corresponding detection range, wherein the corresponding detection range of every one first behavioural characteristic are as follows: according in the property data base with First behavioural characteristic characterizes the range of the distribution determination of the feature of same behavior;
Determine the quantity for the feature being located in corresponding detection range in the first behavioural characteristic obtained;
In the case where the quantity is not less than preset quantity threshold value, identify that the user is fictitious users.
In one embodiment of the disclosure, the characteristic storage module is configured specifically are as follows:
Determine the period that behavior of the user using the application software occurs;
According to the identified period, by the second behavioural characteristic obtained storage to preset property data base;
The feature recognition module is configured specifically are as follows:
The period that the characterized behavior of the first behavioural characteristic obtained occurs is determined, as first time period;
Determine that behavior characterized in the property data base betides the feature of the first time period;
First behavioural characteristic obtained is matched with identified feature, and the use is identified according to matching result Whether family is fictitious users.
In one embodiment of the disclosure, the context detection module is configured specifically are as follows:
When meeting at least one of following situations, determine that the running environment of the application software itself is abnormal environment:
By hook operation intercepting to the default abnormal behaviour using the application software;
Detect that the application software has used abnormal agency service;
Detect that the address of the data buffer storage file of the application software is relocated;
Detect that the address of the optimization file of the application software is relocated;
Detect that there are abnormal address in process chained list PLT.
According to the third aspect of an embodiment of the present disclosure, a kind of electronic equipment is provided, comprising:
Processor;
For storing the memory of the processor-executable instruction;
Wherein, the processor is configured to executing described instruction, to realize the use as described in any one of first aspect Family recognition methods.
According to a fourth aspect of embodiments of the present disclosure, a kind of storage medium is provided, comprising:
When the instruction in the storage medium by electronic equipment processor execute when so that electronic equipment be able to carry out as User identification method described in any one of first aspect.
The technical scheme provided by this disclosed embodiment is at least brought following the utility model has the advantages that detecting application software itself first Running environment whether be abnormal environment, if it is, the user of the application software will be used to be identified as fictitious users;If fortune Row environment is normal, then obtains the feature of behavior of the user using above-mentioned application software, and should according to feature obtained identification Whether user is fictitious users.It can be seen that can recognize that fictitious users using the scheme that the embodiment of the present disclosure provides, in turn Be conducive to obtain the installation of accurate real user.
It should be understood that above general description and following detailed description be only it is exemplary and explanatory, not The disclosure can be limited.
Detailed description of the invention
The drawings herein are incorporated into the specification and forms part of this specification, and shows the implementation for meeting the disclosure Example, and together with specification for explaining the principles of this disclosure, do not constitute the improper restriction to the disclosure.
Fig. 1 is a kind of flow chart of user identification method shown according to an exemplary embodiment;
Fig. 2 is the flow chart of another user identification method shown according to an exemplary embodiment;
Fig. 3 is a kind of block diagram of customer identification device shown according to an exemplary embodiment;
Fig. 4 is the block diagram of another customer identification device shown according to an exemplary embodiment;
Fig. 5 is a kind of electronic equipment block diagram shown according to an exemplary embodiment.
Specific embodiment
In order to make ordinary people in the field more fully understand the technical solution of the disclosure, below in conjunction with attached drawing, to this public affairs The technical solution opened in embodiment is clearly and completely described.
It should be noted that the specification and claims of the disclosure and term " first " in above-mentioned attached drawing, " Two " etc. be to be used to distinguish similar objects, without being used to describe a particular order or precedence order.It should be understood that using in this way Data be interchangeable under appropriate circumstances, so as to embodiment of the disclosure described herein can in addition to illustrating herein or Sequence other than those of description is implemented.Embodiment described in following exemplary embodiment does not represent and disclosure phase Consistent all embodiments.On the contrary, they are only and as detailed in the attached claim, the disclosure some aspects The example of consistent device and method.
Fig. 1 is a kind of flow chart of user identification method shown according to an exemplary embodiment, as shown in Figure 1, above-mentioned User identification method is applied to application software, specifically, above-mentioned application software can be video software, music software, social soft Part etc., above-mentioned user identification method include the following steps 101- step 103.
Step 101, whether the running environment for detecting application software itself is abnormal environment, if it is, thening follow the steps 102, if it has not, thening follow the steps 103.
Wherein, above-mentioned running environment is the environment that is operated in as the application software of executing subject of the embodiment of the present invention. Application software is usually all mounted in be run on electronic equipment, and electronic equipment can be mobile phone, tablet computer, desktop computer Deng.Above-mentioned electronic equipment provides running environment for application software.Above-mentioned abnormal environment is the environment inconsistent with normal environment.
In one embodiment of the disclosure, when meeting at least one of following situations A- situation E, determine that above-mentioned application is soft The running environment of part itself is abnormal environment:
Situation A: pass through hook operation intercepting to the default abnormal behaviour for using application software.
In one embodiment of the disclosure, application software is in the process of running, it may be necessary to this fortune of call operation system The system function that row environment provides executes various instructions.Some abnormal behaviours are also possible to that above system function can be called, mirror In this, it can be above system function setup hooking function, the behavior for calling above system function is detected by hooking function It whether is default abnormal behaviour.
Wherein, above-mentioned default abnormal behaviour can be modification registration table, modification IP address, strange land log in.
Situation B: detect that above-mentioned application software has used abnormal agency service.
In one embodiment of the disclosure, the communication service during self-operating can be examined by application software It surveys.Since application software usually will complete communication service by agency service, if detecting abnormal generation in communication service Reason service, then it is assumed that the running environment of the application software is abnormal environment.
Situation C: detect that the address of the data buffer storage file of above-mentioned application software is relocated.
Wherein, above-mentioned data buffer storage file is for storing the data cached file of application software, for example, data file Deng.
For application software, the storage address of data buffer storage file is all preset, and due to using virtually The application software of technology falseness installation does not have the permission of operation preset data cache file, therefore the application software of false installation Need to reset a data cache file.If detecting that the address of the data buffer storage file of application software changes, It is not above-mentioned preset storage address, it is believed that data buffer storage file is relocated, it may be considered that the application software Running environment be abnormal environment.
Situation D: detect that the address of the optimization file of above-mentioned application software is relocated.
Wherein, above-mentioned optimization file is the text that application software extracts generation to the execution file during self-operating Part.For example, in order to optimize the starting speed of application software, by application software can operating file classes.dex from deep layer It is extracted in catalogue, and generates odex file and individually stored, application software on startup, can be quick in this case Find can operating file, thus start quickly speed, the odex file of above-mentioned generation is to optimize file.
For application software, it is preset for optimizing the storage address of file, and due to empty using virtual technology The application software of vacation installation does not have the permission of the default optimization File of operation, therefore the application software of false installation needs weight One optimization file of new settings.It is no longer above-mentioned preparatory if detecting that the address of the optimization file of application software changes The storage address of setting, it is believed that optimization file is relocated, it may be considered that the running environment of the application software is abnormal Environment.
Situation E: detect that there are abnormal address in PLT (Procedure Linkage Table, process connection table).
Wherein, above-mentioned PLT table is for storing information relevant to that can call the address of system function, in calling system function When, it needs to search information relevant to the address of system function by PLT table, carries out function tune further according to the information found With.
Due to using virtual technology falseness installation application software can not calling system function, for the above-mentioned system of normal call System function needs voluntarily to generate above system function, then carries out to information relevant to the address of above system function in PLT table Modification, so that the information stored in PLT table is directed toward the above-mentioned function voluntarily generated.In this case, if it find that being deposited in PLT table The information of storage is changed, it may be considered that the running environment of the application software is abnormal environment.
Step 102, the user of above-mentioned application software will be used to be identified as fictitious users.
In the case where detecting the running environment of application software is abnormal environment, the application software will can be directly used User be identified as fictitious users.
Step 103, the feature for obtaining behavior of the user using above-mentioned application software, as the first behavioural characteristic, and according to First behavioural characteristic obtained identifies whether the user is fictitious users.
Wherein, above-mentioned behavior is behavior of user during using application software.For example, above-mentioned behavior can be starting Application software, viewing live streaming, click concern etc..
Since features described above is the feature of behavior of the user using application software, so, features described above is can to characterize use The data of family behavior.For example, features described above can be viewing duration, starting duration etc..Features described above is also possible to a certain behavior Occupied duration uses the ratio of all behavior total durations during application software relative to user, for example, soft for video For part, the behavior of user, which can be, to be seen live, sees short-sighted frequency, watches movie, if the when a length of 3h that user sees live, sees short-sighted The when a length of 2h of frequency, the when a length of 5h to watch movie, all behavior total durations are 10h, then the ratio that sees live of the user is 30%, See that short-sighted frequency ratio example is 20%, ratio of watching movie is 50%.Above-mentioned behavioural characteristic being retrieved as by user authorize and obtain.
In one embodiment of the disclosure, for every one first behavioural characteristic obtained, it can be determined that first behavior Whether feature is located in the corresponding default detection range of first behavioural characteristic, determines and is located in the first behavioural characteristic obtained The quantity of feature in corresponding detection range identifies the user for falseness in the case where quantity is not less than preset quantity threshold value User.
Wherein, above-mentioned default detection range is preset detection range.
For example, the first behavioural characteristic obtained is viewing duration, starting duration and sees live ratio, it is assumed that the sight of the user A length of 20min when seeing, starting duration 3min, the ratio that sees live is 90%, and watches the corresponding default detection range of duration and be 15min-30min, the corresponding default detection range of starting duration are 5min-8min, and seeing live the corresponding detection range of ratio is 80%-100%.From the foregoing, it can be seen that the quantity for the feature being located in corresponding detection range in feature obtained is 2, default In the case that amount threshold is 2, identify that the user is fictitious users.
As seen from the above, when carrying out user's identification using technical solution provided by the above embodiment, detection application first is soft Whether the running environment of part itself is abnormal environment, if it is, the user of the application software will be used to be identified as fictitious users; If running environment is normal, the feature of behavior of the user using above-mentioned application software is obtained, and according to feature obtained Identify whether the user is fictitious users.It can recognize that fictitious users using the scheme that embodiment disclosed above provides, in turn Be conducive to obtain the installation of accurate real user.
In one embodiment of the disclosure, as shown in Fig. 2, the user identification method that the disclosure provides can also include:
Step 104, in the case where running environment is abnormal environment, behavior of the user using above-mentioned application software is obtained Feature is stored as the second behavioural characteristic, and by the second behavioural characteristic obtained to preset property data base.
Since in the case where running environment is abnormal environment, above-mentioned user is identified as fictitious users, therefore, above-mentioned spy The feature stored in sign database is the feature of fictitious users.
In one embodiment of the disclosure, the fictitious users that above-mentioned steps 103 identify can also be stated in use and be answered With the feature of behavior in software, it is equally used as the second behavioural characteristic, and the second behavioural characteristic of above-mentioned user is stored to default Property data base in.
There are features described above database, above-mentioned steps 103 identify above-mentioned user according to feature obtained It whether is that fictitious users can be to be realized by following steps 103A.
Step 103A matches the first behavioural characteristic obtained with the feature in features described above database, and root Identify whether above-mentioned user is fictitious users according to matching result.
Due to stored in property data base be fictitious users feature, so if the first behavioural characteristic obtained with The matching degree of feature is higher than preset threshold in property data base, it may be considered that the user is fictitious users;If matching degree is not Higher than preset threshold, it may be considered that the user is not fictitious users.
It, can be using the behavioural characteristic of each user as a feature vector progress in one embodiment of the disclosure Match.Specifically, computational representation obtains in the vector and characteristic feature database of the first behavioural characteristic between the vector of feature Matching degree, in the case where matching degree is greater than preset matching degree threshold value, it is believed that above-mentioned user is fictitious users.For example, above-mentioned It can be cosine similarity with degree, be also possible to Euclidean distance etc..
In another embodiment of the disclosure, for every one first behavioural characteristic obtained, first behavior spy is judged Whether sign is located in the corresponding detection range of the first behavioural characteristic;It determines and is located at corresponding inspection in the first behavioural characteristic obtained Survey the quantity of the feature in range;In the case where above-mentioned quantity is greater than preset quantity threshold value, identify that above-mentioned user uses to be false Family.
Wherein, the corresponding detection range of every one first behavioural characteristic are as follows: according in features described above database with the first row It is characterized the determining range of the distribution of the feature of characterization same behavior.
Specifically, usually operated in the process by machine simulation due to fictitious users using application software, it is this kind of The feature distribution of the corresponding behavior of user is in the presence of rule.For example, the feature in database can be normal distribution.At this In the case of kind, the range of the feature integrated distribution of the behavior of fictitious users, the detection range as this feature are obtained.
Since in scheme provided by the above embodiment, detection range is point according to fictitious users feature in property data base What cloth obtained, as the feature stored in property data base is more, the rule of feature distribution will be more and more clear, obtained Detection range also will be more accurate, and then identify that the accuracy rate of fictitious users also will be enhanced.
In one embodiment of the disclosure, above-mentioned steps 104 can be incited somebody to action when storing the second behavioural characteristic according to the period Second behavioural characteristic obtained is stored to preset property data base.
Specifically, determine the period that the behavior of above-mentioned user using above-mentioned application software occurs, according to it is identified when Between section, by the second behavioural characteristic obtained storage to preset property data base.
Wherein, the above-mentioned period can be the period obtained according to user using the peak period of application software, for example, by It needs to go to work in the week most users, belong to using trough period, Saturday and Sunday user rest, belonging to application software makes The period is divided with peak period, therefore according to week, when can be divided into period on Monday, Sunday period ... on Tuesday Between section;Again due to daytime and late into the night most users to work and rest, belong to using trough period, noon and evening belong to using high The peak phase, thus can also according to 24 hours division periods, can be divided into the 0:00-2:00 period, the 2:00-8:00 period, 8:00-12:00 period, 12:00-14:00 period, 14:00-18:00 period, 18:00-24:00 period.
On the basis of the above, above-mentioned steps 103A, can be according to the period to obtained when carrying out feature identification One behavioural characteristic is matched.
Specifically, determine the period of the characterized behavior generation of the first behavioural characteristic obtained, as first time period, Determine that behavior characterized in features described above database betides the feature of above-mentioned first time period, the first behavior obtained is special Sign is matched with identified feature, and identifies whether above-mentioned user is fictitious users according to matching result.
For example, if the period that the behavior that the first behavioural characteristic obtained is characterized occurs is 18:00-24:00, then Determine that characterizing above-mentioned behavior equally occurs feature in the 18:00-24:00 period in property data base, it will be obtained The feature determined in feature and property data base is matched, and identifies whether above-mentioned user is false use according to matching result Family.
It, can be according to the period to institute when storing the second behavioural characteristic for step 104 in one embodiment of the disclosure The second behavioural characteristic obtained stores respectively, for example, the second behavioural characteristic storage of period on Monday is arrived together, by week The second behavioural characteristic storage of two periods is to together.When executing the identification of step 103A feature in this case, it is first determined First time period, then the feature in property data base in first time period is obtained, by the first behavioural characteristic and obtained characteristic It is matched according to the feature in library.
It, can also be to obtained when storing the second behavioural characteristic for step 104 in another embodiment of the disclosure Second behavioural characteristic is labeled, for example, according to the period that the characterized behavior of the second behavioural characteristic occurs, by the second behavior spy Sign mark is respectively period on Monday, period on Tuesday etc..It is first when executing the identification of step 103A feature in this case It first determines first time period, then searches the feature for being noted as first time period in property data base, by the first behavioural characteristic It is matched with the feature in the property data base found.
In scheme provided by the above embodiment, the period of behavior occurs according to user, it is corresponding according to different time sections Feature identifies user, and the accuracy rate of identification can be improved.
Corresponding with above-mentioned user identification method, the disclosure additionally provides a kind of customer identification device.
Fig. 3 is a kind of customer identification device block diagram shown according to an exemplary embodiment, is applied to application software.Reference Fig. 3, the device include following module 301- module 303.
Context detection module 301, whether the running environment for being configured as detecting above-mentioned application software itself is abnormal environment, If it has, then triggering user's determining module 302, if it has not, then triggering feature recognition module 303.
User's determining module 302 is configured as that fictitious users will be identified as using the user of above-mentioned application software.
Feature recognition module 303 is configured as obtaining the feature of behavior of the user using the application software, as First behavioural characteristic, and identify whether the user is fictitious users according to the first behavioural characteristic obtained.
In technical solution provided by the above embodiment, whether the running environment of detection application software itself first is abnormal ring Border, if it is, the user of the application software will be used to be identified as fictitious users;If running environment is normal, the use is obtained Family uses the feature of the behavior of above-mentioned application software, and identifies whether the user is fictitious users according to feature obtained.By This is as it can be seen that can recognize that fictitious users using the scheme that the embodiment of the present disclosure provides, and then be conducive to obtain accurately true The installation of user.
Referring to fig. 4, in one embodiment of the disclosure, above-mentioned customer identification device further include:
Characteristic storage module 304 is configured as detecting the case where running environment is abnormal environment in context detection module Under, the feature of behavior of the above-mentioned user using above-mentioned application software is obtained, as the second behavioural characteristic, and by obtained second Behavioural characteristic is stored to preset property data base.
Features described above identification module 303 is configured as:
Fisrt feature obtained is matched with the feature in features described above database, and is identified according to matching result Whether above-mentioned user is fictitious users.
In one embodiment of the disclosure, features described above identification module 303 is configured specifically are as follows:
For every one first behavioural characteristic obtained, judge whether first behavioural characteristic is located at first behavioural characteristic In corresponding detection range, wherein the corresponding detection range of every one first behavioural characteristic are as follows: according in features described above database with First behavioural characteristic characterizes the range of the distribution determination of the feature of same behavior, determines position in the first behavioural characteristic obtained Above-mentioned use is identified in the case where above-mentioned quantity is not less than preset quantity threshold value in the quantity of the feature in corresponding detection range Family is fictitious users.
In one embodiment of the disclosure, features described above memory module 304 is configured specifically are as follows:
Determine the period that behavior of the above-mentioned user using above-mentioned application software occurs, it, will according to the identified period Second behavioural characteristic obtained is stored to preset property data base.
Features described above identification module 303 is configured specifically are as follows:
The period that the characterized behavior of the first behavioural characteristic obtained occurs is determined, as first time period, in determination The feature that behavior characterized in property data base betides above-mentioned first time period is stated, by the first behavioural characteristic obtained and institute Determining feature is matched, and identifies whether above-mentioned user is fictitious users according to matching result.
In one embodiment of the disclosure, above-mentioned context detection module 301 is configured specifically are as follows:
When meeting at least one of following situations, determine that the running environment of above-mentioned application software itself is abnormal environment:
By hook operation intercepting to the default abnormal behaviour using above-mentioned application software;
Detect that above-mentioned application software has used abnormal agency service;
Detect that the address of the data buffer storage file of above-mentioned application software is relocated;
Detect that the address of the optimization file of above-mentioned application software is relocated;
Detect that there are abnormal address in process chained list PLT.
Fig. 5 is a kind of electronic equipment block diagram shown according to an exemplary embodiment, is applied to application software.Reference Fig. 5, The electronic equipment includes processor 501, communication interface 502, memory 503 and communication bus 504, wherein processor 501 leads to Believe that interface 502, memory 503 complete mutual communication by communication bus 504,
Memory 503, for storing computer program;
Processor 501 when for executing the program stored on memory 503, realizes user's identification that the disclosure provides Method.
The communication bus that above-mentioned electronic equipment is mentioned can be Peripheral Component Interconnect standard (Peripheral Component Interconnect, PCI) bus or expanding the industrial standard structure (Extended Industry Standard Architecture, EISA) bus etc..The communication bus can be divided into address bus, data/address bus, control bus etc..For just It is only indicated with a thick line in expression, figure, it is not intended that an only bus or a type of bus.
Communication interface is for the communication between above-mentioned electronic equipment and other equipment.
Memory may include random access memory (Random Access Memory, RAM), also may include non-easy The property lost memory (Non-Volatile Memory, NVM), for example, at least a magnetic disk storage.Optionally, memory may be used also To be storage device that at least one is located remotely from aforementioned processor.
Above-mentioned processor can be general processor, including central processing unit (Central Processing Unit, CPU), network processing unit (Network Processor, NP) etc.;It can also be digital signal processor (Digital Signal Processing, DSP), it is specific integrated circuit (Application Specific Integrated Circuit, ASIC), existing It is field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete Door or transistor logic, discrete hardware components.
In the another embodiment that the disclosure provides, a kind of computer readable storage medium is additionally provided, which can It reads to be stored with computer program in storage medium, above-mentioned computer program realizes any of the above-described user's identification when being executed by processor The step of method.
In the another embodiment that the disclosure provides, a kind of computer program product comprising instruction is additionally provided, when it When running on computers, so that computer executes any user recognition methods in above-described embodiment.
As it can be seen that using electronic equipment provided by the above embodiment carry out user's identification when, execute it is provided by the above embodiment Run when the computer program stored in computer readable storage medium carries out user's identification and on computers above-mentioned implementation Computer program product that example provides and when carrying out user's identification, whether the running environment of detection application software itself first is different Normal environment, if it is, the user of the application software will be used to be identified as fictitious users;If running environment is normal, obtain The user uses the feature of the behavior of above-mentioned application software, and identifies whether the user is false use according to feature obtained Family.It can be seen that the embodiment of the present disclosure can recognize that fictitious users, and then obtain true user installation amount.
Electronic equipment, readable storage medium storing program for executing and computer program product provided by the above embodiment, can be quick and precisely User identification method provided in an embodiment of the present invention is realized on ground, compared with prior art, the side provided using the embodiment of the present disclosure Case can recognize that fictitious users, and then be conducive to obtain the installation of accurate real user.
In the above-described embodiments, can come wholly or partly by software, hardware, firmware or any combination thereof real It is existing.When implemented in software, it can entirely or partly realize in the form of a computer program product.The computer program Product includes one or more computer instructions.When loading on computers and executing the computer program instructions, all or It partly generates according to process or function described in the embodiment of the present invention.The computer can be general purpose computer, dedicated meter Calculation machine, computer network or other programmable devices.The computer instruction can store in computer readable storage medium In, or from a computer readable storage medium to the transmission of another computer readable storage medium, for example, the computer Instruction can pass through wired (such as coaxial cable, optical fiber, number from a web-site, computer, server or data center User's line (DSL)) or wireless (such as infrared, wireless, microwave etc.) mode to another web-site, computer, server or Data center is transmitted.The computer readable storage medium can be any usable medium that computer can access or It is comprising data storage devices such as one or more usable mediums integrated server, data centers.The usable medium can be with It is magnetic medium, (for example, floppy disk, hard disk, tape), optical medium (for example, DVD) or semiconductor medium (such as solid state hard disk Solid State Disk (SSD)) etc..
It should be noted that, in this document, relational terms such as first and second and the like are used merely to a reality Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those Element, but also including other elements that are not explicitly listed, or further include for this process, method, article or equipment Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that There is also other identical elements in process, method, article or equipment including the element.
Each embodiment in this specification is all made of relevant mode and describes, same and similar portion between each embodiment Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for device reality For applying example, electronic equipment embodiment, computer readable storage medium embodiment and computer program product embodiments, due to It is substantially similar to embodiment of the method, so being described relatively simple, related place is referring to the part explanation of embodiment of the method It can.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the scope of the present invention.It is all Any modification, equivalent replacement, improvement and so within the spirit and principles in the present invention, are all contained in protection scope of the present invention It is interior.

Claims (10)

1. a kind of user identification method, which is characterized in that be applied to application software, comprising:
Whether the running environment for detecting the application software itself is abnormal environment;
If it is, the user of the application software will be used to be identified as fictitious users;
If it has not, the feature of behavior of the user using the application software is obtained, as the first behavioural characteristic, and according to institute The first behavioural characteristic obtained identifies whether the user is fictitious users.
2. the method according to claim 1, wherein the method also includes:
In the case where the running environment is abnormal environment, the spy of behavior of the user using the application software is obtained Sign is stored as the second behavioural characteristic, and by the second behavioural characteristic obtained to preset property data base;
It is described to identify whether the user is that fictitious users step includes: according to the first behavioural characteristic obtained
First behavioural characteristic obtained is matched with the feature in the property data base, and is identified according to matching result Whether the user is fictitious users.
3. according to the method described in claim 2, it is characterized in that, described by the first behavioural characteristic obtained and the feature Feature in database is matched, and identifies whether the user is that fictitious users step includes: according to matching result
For every one first behavioural characteristic obtained, it is corresponding to judge whether first behavioural characteristic is located at first behavioural characteristic Detection range in, wherein the corresponding detection range of every one first behavioural characteristic are as follows: according in the property data base with this One behavioural characteristic characterizes the range of the distribution determination of the feature of same behavior;
Determine the quantity for the feature being located in corresponding detection range in the first behavioural characteristic obtained;
In the case where the quantity is not less than preset quantity threshold value, identify that the user is fictitious users.
4. according to the method described in claim 2, it is characterized in that, described store the second behavioural characteristic obtained to default Property data base step include:
Determine the period that behavior of the user using the application software occurs;
According to the identified period, by the second behavioural characteristic obtained storage to preset property data base;
It is described to match the first behavioural characteristic obtained with the feature in the property data base, and according to matching result Identify whether the user is that fictitious users step includes:
The period that the characterized behavior of the first behavioural characteristic obtained occurs is determined, as first time period;
Determine that behavior characterized in the property data base betides the feature of the first time period;
First behavioural characteristic obtained is matched with identified feature, and identifies that the user is according to matching result No is fictitious users.
5. method according to any of claims 1-4, which is characterized in that the detection application software itself Whether running environment is that abnormal environment step includes:
When meeting at least one of following situations, determine that the running environment of the application software itself is abnormal environment:
By hook operation intercepting to the default abnormal behaviour using the application software;
Detect that the application software has used abnormal agency service;
Detect that the address of the data buffer storage file of the application software is relocated;
Detect that the address of the optimization file of the application software is relocated;
Detect that there are abnormal address in process chained list PLT.
6. a kind of customer identification device is applied to application software characterized by comprising
Context detection module, whether the running environment for being configured as detecting the application software itself is abnormal environment, if it is, User's determining module is then triggered, if it has not, then triggering feature recognition module;
User's determining module is configured as that fictitious users will be identified as using the user of the application software;
Feature recognition module is configured as obtaining the feature of behavior of the user using the application software, as the first row It is characterized, and identifies whether the user is fictitious users according to the first behavioural characteristic obtained.
7. device according to claim 6, which is characterized in that described device further include:
Characteristic storage module is configured as obtaining in the case where context detection module detects that running environment is abnormal environment The user uses the feature of the behavior of the application software, as the second behavioural characteristic, and the second behavior obtained is special Preset property data base is arrived in sign storage;
The feature recognition module is configured specifically are as follows:
First behavioural characteristic obtained is matched with the feature in the property data base, and is identified according to matching result Whether the user is fictitious users.
8. device described in any one of according to claim 6 or 7, which is characterized in that the context detection module is specifically matched It is set to:
When meeting at least one of following situations, determine that the running environment of the application software itself is abnormal environment:
By hook operation intercepting to the default abnormal behaviour using the application software;
Detect that the application software has used abnormal agency service;
Detect that the address of the data buffer storage file of the application software is relocated;
Detect that the address of the optimization file of the application software is relocated;
Detect that there are abnormal address in process chained list PLT.
9. a kind of electronic equipment characterized by comprising
Processor;
For storing the memory of the processor-executable instruction;
Wherein, the processor is configured to executing described instruction, to realize the use as described in any one of claims 1 to 5 Family recognition methods.
10. a kind of storage medium, which is characterized in that when the instruction in the storage medium is executed by the processor of electronic equipment When, so that electronic equipment is able to carry out the user identification method as described in any one of claims 1 to 5.
CN201910609896.6A 2019-07-08 2019-07-08 A kind of user identification method and device Pending CN110378112A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910609896.6A CN110378112A (en) 2019-07-08 2019-07-08 A kind of user identification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910609896.6A CN110378112A (en) 2019-07-08 2019-07-08 A kind of user identification method and device

Publications (1)

Publication Number Publication Date
CN110378112A true CN110378112A (en) 2019-10-25

Family

ID=68252407

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910609896.6A Pending CN110378112A (en) 2019-07-08 2019-07-08 A kind of user identification method and device

Country Status (1)

Country Link
CN (1) CN110378112A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104932966A (en) * 2015-06-19 2015-09-23 广东欧珀移动通信有限公司 Method and device for detecting false downloading times of application software
CN105824834A (en) * 2015-01-06 2016-08-03 腾讯科技(深圳)有限公司 Search traffic cheating behavior identification method and apparatus
CN106301979A (en) * 2015-05-27 2017-01-04 腾讯科技(北京)有限公司 The method and system of the abnormal channel of detection
CN106294508A (en) * 2015-06-10 2017-01-04 深圳市腾讯计算机***有限公司 A kind of brush amount tool detection method and device
US10009374B1 (en) * 2015-08-04 2018-06-26 Symantec Corporation Detecting URL scheme hijacking
CN109117250A (en) * 2018-07-27 2019-01-01 平安科技(深圳)有限公司 A kind of simulator recognition methods, identification equipment and computer-readable medium
CN109241343A (en) * 2018-07-27 2019-01-18 北京奇艺世纪科技有限公司 A kind of brush amount user identifying system, method and device
CN109408556A (en) * 2018-09-28 2019-03-01 中国平安人寿保险股份有限公司 Abnormal user recognition methods and device, electronic equipment, medium based on big data
CN109413103A (en) * 2018-12-11 2019-03-01 泰康保险集团股份有限公司 Processing method, device, equipment and the storage medium of fictitious users identification

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105824834A (en) * 2015-01-06 2016-08-03 腾讯科技(深圳)有限公司 Search traffic cheating behavior identification method and apparatus
CN106301979A (en) * 2015-05-27 2017-01-04 腾讯科技(北京)有限公司 The method and system of the abnormal channel of detection
CN106294508A (en) * 2015-06-10 2017-01-04 深圳市腾讯计算机***有限公司 A kind of brush amount tool detection method and device
CN104932966A (en) * 2015-06-19 2015-09-23 广东欧珀移动通信有限公司 Method and device for detecting false downloading times of application software
US10009374B1 (en) * 2015-08-04 2018-06-26 Symantec Corporation Detecting URL scheme hijacking
CN109117250A (en) * 2018-07-27 2019-01-01 平安科技(深圳)有限公司 A kind of simulator recognition methods, identification equipment and computer-readable medium
CN109241343A (en) * 2018-07-27 2019-01-18 北京奇艺世纪科技有限公司 A kind of brush amount user identifying system, method and device
CN109408556A (en) * 2018-09-28 2019-03-01 中国平安人寿保险股份有限公司 Abnormal user recognition methods and device, electronic equipment, medium based on big data
CN109413103A (en) * 2018-12-11 2019-03-01 泰康保险集团股份有限公司 Processing method, device, equipment and the storage medium of fictitious users identification

Similar Documents

Publication Publication Date Title
US10277480B2 (en) Method, apparatus, and system for determining a location corresponding to an IP address
CN105938448B (en) Method and apparatus for data duplication
CN109690548B (en) Computing device protection based on device attributes and device risk factors
CN105471935B (en) Information prompting method and device
US9645914B1 (en) Apps store with integrated test support
JP7389806B2 (en) Systems and methods for behavioral threat detection
CN105700819B (en) Method and system for network data storage
US11630851B2 (en) Systems and methods for providing predictions to applications executing on a computing device
US20190163901A1 (en) Computer device and method of identifying whether container behavior thereof is abnormal
CN104169902A (en) Synchronizing local and remote data
EP3201739A1 (en) Determining unintended touch rejection
CN110209925A (en) Using method for pushing, device, computer equipment and storage medium
CN115374426A (en) Access control method, device, equipment and storage medium
CN109117153A (en) Processing method, device, terminal and the storage medium of application program
CN109688094A (en) Suspicious IP configuration method, device, equipment and storage medium based on network security
CN111767270A (en) Data migration method, device, server and storage medium
CN106507192A (en) A kind of television shutdown control method and system based on eye recognition
CN110378112A (en) A kind of user identification method and device
CN111178942B (en) Advertisement shielding method, device, equipment and storage medium
CN106155736B (en) Software installation starts type detection method, apparatus and user terminal
US20210342755A1 (en) Verification of proof of work using computer vision and/or machine learning
CN112035201B (en) Device parameter display method and device, computer device and storage medium
KR20150007191A (en) Hacking Preventing Method on Communication Terminal, and Communication Terminal Thereof
CN113468541A (en) Operating environment recognition method and device, electronic equipment and storage medium
US10074103B2 (en) Method and system for identifying mobile device according to information feature of applications of mobile device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination