CN111865925A - Network traffic based fraud group identification method, controller and medium - Google Patents

Info

Publication number
CN111865925A
Authority
CN
China
Prior art keywords
fraud
accounts
association degree
data
website
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010591185.3A
Other languages
Chinese (zh)
Inventor
严寒冰
饶毓
周昊
王东
吕卓航
马莉雅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Application filed by National Computer Network and Information Security Management Center
Priority to CN202010591185.3A
Publication of CN111865925A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4535 Network directories; Name-to-address mapping using an address exchange platform which sets up a session between two nodes, e.g. rendezvous servers, session initiation protocols [SIP] registrars or H.323 gatekeepers
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a phishing group identification method based on network flow, a controller and a medium, wherein the method comprises the steps of obtaining the phishing flow of a plurality of accounts to be detected, and extracting phishing data corresponding to each account to be detected from the phishing flow; sequentially calculating the association degree of every two accounts to be detected in the plurality of accounts to be detected based on the phishing data to obtain a first association degree, and if the first association degree is greater than a first association degree threshold value, merging the corresponding accounts to be detected into a group to be identified; and calculating the association degree of the to-be-identified group and a preset historical existing group based on the phishing data to obtain a second association degree, and merging the to-be-identified group and the historical existing group into a phishing group if the second association degree is greater than a second association degree threshold value. The invention can quickly and accurately identify the phishing group, and can trace the identity of the phishing group.

Description

Network traffic based fraud group identification method, controller and medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a network traffic-based fraud group identification method, controller, and medium.
Background
Most existing fraud group identification technologies are based on Voice over Internet Protocol (VoIP). Information transmitted by active VoIP platforms is acquired by scanning global IP addresses, and the bill data of the VoIP calls initiated by those platforms is analyzed and confirmed to judge whether the platforms are being used to initiate telephone fraud, which makes overseas telephone fraud easier to investigate.
However, existing VoIP-based techniques for identifying fraud groups generally cannot determine the real identity of the people carrying out the fraud directly from VoIP information, and therefore cannot obtain information about the fraud groups, so identification efficiency is low and traceability is poor. In addition, network fraud such as false loans, false investments and false shopping is not carried out over VoIP telephone; the investor's property is instead obtained by deception directly through a fake website, so VoIP-based group identification cannot address such fraud.
Disclosure of Invention
The invention aims to provide a network flow-based fraud group identification method, a controller and a medium, which can quickly and accurately identify phishing groups and trace the identity of the phishing groups.
According to a first embodiment of the present invention, there is provided a network traffic-based fraud group identification method, including:
obtaining phishing traffic of a plurality of accounts to be tested, and extracting phishing data corresponding to each account to be tested from the phishing traffic;
sequentially calculating the association degree of every two accounts to be detected in the plurality of accounts to be detected based on the phishing data to obtain a first association degree, and if the first association degree is greater than a first association degree threshold value, merging the corresponding accounts to be detected into a group to be identified;
and calculating the association degree of the to-be-identified group and a preset historical existing group based on the phishing data to obtain a second association degree, and merging the to-be-identified group and the historical existing group into a phishing group if the second association degree is greater than a second association degree threshold value.
Further, the phishing data comprises fraud resource data and fraud account data, wherein,
the fraud resource data includes a fraud website domain name, a fraud website server IP, fraud website domain name registrant information,
the fraud account data comprises a fraud account, a password, a login IP, a login time and fraud account virtual identity information.
Further, extracting phishing data corresponding to each account to be tested from the phishing traffic, comprising:
obtaining fraud website information, fraud website access data and fraud website management data from the phishing traffic information;
crawling fraud websites based on the fraud website information, fraud website access data and fraud website management data, and obtaining the fraud resource data,
or,
infiltrating fraud websites based on the fraud website information, fraud website access data and fraud website management data, and acquiring the fraud account data.
Further, said infiltrating a fraud website based on said fraud website information, fraud website access data and fraud website management data, and acquiring said fraud account data, comprises:
obtaining fraud website management authority through an automatic infiltration script;
inserting a preset counter code into the fraud website file;
triggering the counter code according to a website login instruction of a fraud website manager;
obtaining the fraud account data based on the counter code;
and encrypting the fraud account data and transmitting it back to an analysis server.
Further, if the fraud account data cannot be successfully acquired, the following steps are performed:
acquiring account passwords of fraud website managers through the disguised links;
logging in to a fraud website from the back end based on the fraud website manager account password;
deploying the counter code;
triggering the counter code according to a website login instruction of a fraud website manager;
obtaining fraud account data based on the counter code;
and encrypting the fraud account data and transmitting it back to an analysis server.
Further, the sequentially performing association degree calculation on every two to-be-detected account numbers in the multiple to-be-detected account numbers based on the phishing data to obtain a first association degree, including:
sequentially calculating the association degrees of every two accounts to be detected based on the fraud resource data to obtain a first sub-association degree;
sequentially calculating the association degrees of every two accounts to be detected based on the fraud account data to obtain a second sub-association degree;
determining the first degree of association based on the first and second degrees of sub-association.
Further, the sequentially performing association degree calculation on every two account numbers to be detected based on the fraud resource data to obtain a first sub-association degree, including:
judging whether the IP addresses of the servers accessed by the two current accounts in the same preset time period are consistent, if so, calculating the association degree of the two current accounts according to the time of the two current accounts accessing the IP addresses of the servers to obtain a third association degree;
judging whether the domain names accessed by the current two accounts in the same preset time period are consistent, if so, calculating the association degree of the current two accounts according to the time for accessing the domain names to obtain a fourth association degree;
judging whether the registration information of websites accessed by the current two accounts is consistent, if so, performing association calculation on the current two accounts according to the number of the same information to obtain a fifth association degree;
determining the first sub-association degree based on the third association degree, the fourth association degree, and the fifth association degree.
Further, the calculating the association degrees of every two accounts to be detected based on the fraud account data to obtain a second sub-association degree includes:
judging whether the similarity of the passwords of the fraud website administrators corresponding to the current two accounts is higher than a preset first similarity threshold value, if so, performing association calculation according to the similarity of the passwords of the fraud website administrators corresponding to the current two accounts to obtain a sixth association degree;
judging whether the similarity of the current two account numbers is higher than a preset second similarity threshold value, if so, performing association calculation on the current two account numbers according to the similarity of the current two account numbers to obtain a seventh association degree;
judging whether the current two accounts log in using the same IP address within the same preset time period, if so, calculating the association degree of the current two accounts according to the time at which they access the same IP address to obtain an eighth association degree;
determining the second sub-association degree based on the fifth association degree, the sixth association degree, and the seventh association degree.
According to a second embodiment of the invention, a controller is provided comprising a memory and a processor, the memory storing a computer program enabling the implementation of the steps of the method when the program is executed by the processor.
According to a third embodiment of the invention, a computer-readable storage medium is provided for storing a computer program, which when executed by a computer or processor, performs the steps of the method.
Compared with the prior art, the invention has obvious advantages and beneficial effects. With the above technical scheme, the network traffic-based fraud group identification method, controller and medium achieve considerable technical progress and practicability, have wide industrial utilization value, and have at least the following advantages:
(1) The method and the system can rapidly and accurately process the phishing traffic, extract relevant fraud data and perform associated analysis.
(2) Under the condition of complete fraud data, the invention can directly associate related fraud groups and track and record fraud events of the fraud groups through the fraud group identification method.
(3) The invention can trace the identity of the fraud group through the obtained virtual identity information of the fraud staff.
The foregoing is only an overview of the technical solutions of the present invention. So that the technical means of the invention can be understood more clearly and implemented in accordance with the description, and so that the above and other objects, features and advantages can be understood more clearly, preferred embodiments are described in detail below with reference to the accompanying drawings.
Drawings
Fig. 1 is a schematic diagram of a fraud group identification method based on network traffic according to an embodiment of the present invention.
Detailed Description
To further illustrate the technical means and effects of the present invention for achieving the predetermined objects, the following detailed description will be given with reference to the accompanying drawings and preferred embodiments of a network traffic-based fraud group identification method, controller and medium according to the present invention.
An embodiment of the present invention provides a network traffic-based fraud group identification method, as shown in fig. 1, including:
step S1, obtaining phishing traffic of the multiple accounts to be tested, and extracting phishing data corresponding to each account to be tested from the phishing traffic;
step S2, sequentially calculating the association degree of each two accounts to be detected in the plurality of accounts to be detected based on the phishing data to obtain a first association degree, and if the first association degree is greater than a first association degree threshold, merging the corresponding accounts to be detected into a group to be identified;
step S3, performing association calculation on the to-be-identified group and a preset historical existing group based on the phishing data to obtain a second association, and merging the to-be-identified group and the historical existing group into a fraud group if the second association is greater than a second association threshold.
After the fraud group is obtained, the fraud group can be output to be used in application scenes such as subsequent fraud group analysis or subsequent tracing.
As one example, the phishing data comprises fraud resource data and fraud account data, wherein the fraud resource data comprises a fraud website domain name, a fraud website server IP, a fraud website domain name registrant information, and the like. The fraud account data includes a fraud account, a password, a login IP, a login time, fraud account virtual identity information, and the like.
As an example, in step S1, the extracting phishing data corresponding to each account under test from phishing traffic comprises:
step S11, obtaining fraud website information, fraud website access data and fraud website management data from the phishing traffic information, and entering step S12 or step S13;
step S12, crawling fraud websites based on the fraud website information, fraud website access data and fraud website management data, and obtaining the fraud resource data;
step S13, infiltrating fraud websites based on the fraud website information, fraud website access data and fraud website management data, and acquiring the fraud account data.
As an example, step S13 includes:
step S131, acquiring fraud website management authority through an automatic infiltration script;
step S132, inserting a preset counter code into the fraud website file;
step S133, triggering the counter code according to a website login instruction of a fraud website manager;
step S134, obtaining the fraud account data based on the counter code.
After step S134, the fraud account data may be encrypted and transmitted back to the analysis server for analysis in step S135.
If the fraud account data cannot be successfully acquired through the steps S131 to S134, the following steps are continued:
step S136, acquiring account passwords of fraud website managers through disguised links;
step S137, logging in to a fraud website from the back end based on the account password of the fraud website manager;
step S138, deploying the counter code;
step S139, triggering the counter code according to a website login instruction of a fraud website manager;
step S140, obtaining fraud account data based on the counter code.
After step S140, step S141 may further be performed: encrypting the fraud account data and transmitting it back to the analysis server.
For websites that need to be penetrated, steps S131 to S134 may be tried first; if they do not succeed, the fraud account data is obtained through steps S136 to S140. The active penetration is realized by identifying the operation behavior of a fraud website manager and then performing JS injection on the manager. JS injection means JavaScript injection, that is, inputting JS code in the address bar of a browser to change JS variables and the content of page tags. The fraudster virtual identity information in the fraud account data can be a QQ account, a Taobao account, a Baidu account, a Yiyi account, a Weibo account and the like.
As an example, in step S2, the sequentially performing association calculation on every two account numbers to be tested in the plurality of account numbers to be tested based on the phishing data to obtain a first association degree, includes:
step S21, sequentially calculating the association degree of each two accounts to be detected based on the fraud resource data to obtain a first sub-association degree;
step S22, sequentially calculating the association degree of every two accounts to be detected based on the fraud account data to obtain a second sub-association degree;
step S23, determining the first degree of association based on the first degree of sub-association and the second degree of sub-association.
As an example, the first sub-association degree and the second sub-association degree may be superimposed to obtain the first association degree. The two may be superimposed directly, or each may be given a corresponding weight and then superimposed, according to requirements.
As an example, step S21 may specifically include the following steps:
step S211, determining whether the IP addresses of the servers accessed by the current two accounts in the same preset time period are consistent; if so, calculating the association degree of the current two accounts according to the times at which they accessed the server IP address to obtain a third association degree, where the closer the access times are, the higher the third association degree is. In this embodiment, the third association degree is set to 10 at the lowest and 100 at the highest;
step S212, determining whether the domain names accessed by the current two accounts in the same preset time period are consistent; if so, calculating the association degree of the current two accounts according to the times at which they accessed the domain name to obtain a fourth association degree, where the closer the access times are, the higher the fourth association degree is. In this embodiment, the fourth association degree is set to 10 at the lowest and 100 at the highest;
step S213, determining whether the registration information (whois information) of the websites accessed by the current two accounts is consistent; if so, performing association calculation on the current two accounts according to the amount of identical information to obtain a fifth association degree, where the more identical information there is, the higher the fifth association degree is. In this embodiment, the fifth association degree is set to 10 at the lowest and 100 at the highest;
step S214, determining the first sub-association degree based on the third association degree, the fourth association degree and the fifth association degree.
As an example, in step S214, the third, fourth and fifth association degrees may be superimposed to obtain the first sub-association degree. They may be superimposed directly, or each may be given a corresponding weight and then superimposed, according to requirements.
As an example, step S22 may specifically include the following steps:
step S221, determining whether the similarity of the passwords of the fraud website administrators corresponding to the current two accounts is higher than a preset first similarity threshold; if so, performing association calculation according to that password similarity to obtain a sixth association degree, where the higher the similarity of the administrators' passwords is, the higher the sixth association degree is. In this embodiment, the sixth association degree is set to 10 at the lowest and 100 at the highest;
step S222, determining whether the similarity of the current two account numbers is higher than a preset second similarity threshold; if so, performing association calculation on the current two account numbers according to their similarity to obtain a seventh association degree, where the higher the similarity of the two account numbers is, the higher the seventh association degree is. In this embodiment, the seventh association degree is set to 10 at the lowest and 100 at the highest;
step S223, determining whether the current two accounts logged in using the same IP address within the same preset time period; if so, performing association calculation on the current two accounts according to the times at which they accessed the same IP address to obtain an eighth association degree, where the closer the access times are, the higher the eighth association degree is. In this embodiment, the eighth association degree is set to 10 at the lowest and 100 at the highest;
step S224, determining the second sub-association degree based on the fifth association degree, the sixth association degree and the seventh association degree.
As an example, in step S224, the fifth, sixth and seventh association degrees may be superimposed to obtain the second sub-association degree. They may be superimposed directly, or each may be given a corresponding weight and then superimposed, as required.
It can be understood that the value range of each association degree, the first association degree threshold and the second association degree threshold can be set according to requirements such as the specific identification accuracy. As a specific example, the value range of each association degree is set to [10-100] and the first and second association degree thresholds are both set to 100: when the first association degree is greater than 100, the corresponding accounts are merged into a to-be-identified group, and when the second association degree is greater than 100, the corresponding to-be-identified group is merged into a fraud group.
According to the embodiment of the invention, by means of the overlapping of the relevance degrees of multiple dimensions of the fraud data, the fraud resources and fraud account numbers of the same group can be quickly and accurately identified from a large amount of fraud website data, so that the purposes of discovery and analysis of fraud groups are realized.
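The pairwise scoring of steps S211 to S223 and the threshold-based merging of steps S2 and S3 can be sketched as follows. This is an added Python example, not code from the patent. Its assumptions are the linear time and similarity scoring, the one-hour window, the 0.6 similarity threshold, the whois field names, the rule used for the second association degree (best pairwise score against a historical group), the choice to sum the three degrees computed in steps S221 to S223 for the account part, and all sample records.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from itertools import combinations

WINDOW = 3600          # assumed "preset time period", seconds
SIM_THRESHOLD = 0.6    # assumed first/second similarity threshold
GROUP_THRESHOLD = 100  # both association thresholds, as in the embodiment
WHOIS_FIELDS = ("registrant", "email", "phone")  # assumed whois fields

@dataclass
class Account:
    name: str
    admin_password: str
    login_ip: str
    login_time: int    # epoch seconds
    server_ip: str
    domain: str
    access_time: int   # epoch seconds of the site access
    whois: dict

def scale(frac):
    """Map a 0..1 closeness onto the embodiment's 10..100 range."""
    return 10 + 90 * max(0.0, min(1.0, frac))

def time_score(same_resource, t1, t2):
    """Closer accesses to the same resource score higher; otherwise 0."""
    gap = abs(t1 - t2)
    if not same_resource or gap > WINDOW:
        return 0.0
    return scale(1 - gap / WINDOW)

def similarity_score(a, b):
    """Score string similarity only when it exceeds the threshold."""
    ratio = SequenceMatcher(None, a, b).ratio()
    if ratio <= SIM_THRESHOLD:
        return 0.0
    return scale((ratio - SIM_THRESHOLD) / (1 - SIM_THRESHOLD))

def whois_score(w1, w2):
    """More identical registration fields score higher."""
    same = sum(1 for f in WHOIS_FIELDS if w1.get(f) and w1.get(f) == w2.get(f))
    return scale(same / len(WHOIS_FIELDS)) if same else 0.0

def association(a, b):
    """First association degree: resource part plus account part."""
    third = time_score(a.server_ip == b.server_ip, a.access_time, b.access_time)
    fourth = time_score(a.domain == b.domain, a.access_time, b.access_time)
    fifth = whois_score(a.whois, b.whois)
    sixth = similarity_score(a.admin_password, b.admin_password)
    seventh = similarity_score(a.name, b.name)
    eighth = time_score(a.login_ip == b.login_ip, a.login_time, b.login_time)
    return (third + fourth + fifth) + (sixth + seventh + eighth)

def candidate_groups(accounts):
    """Step S2: union-find over pairs whose association exceeds the threshold."""
    parent = {a.name: a.name for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(accounts, 2):
        if association(a, b) > GROUP_THRESHOLD:
            parent[find(a.name)] = find(b.name)
    groups = {}
    for a in accounts:
        groups.setdefault(find(a.name), []).append(a)
    return [g for g in groups.values() if len(g) > 1]

def match_history(group, history):
    """Step S3 (assumed rule): best pairwise score against each known group."""
    for label, members in history.items():
        if max(association(a, b) for a in group for b in members) > GROUP_THRESHOLD:
            return label
    return None

# Constructed sample records (documentation IP ranges, example domains).
W1 = {"registrant": "R1", "email": "r1@example.net", "phone": "000-0001"}
A = Account("admin_lee01", "Spring#2020a", "203.0.113.7", 1000,
            "198.51.100.10", "loan-a.example", 1200, W1)
B = Account("admin_lee02", "Spring#2020b", "203.0.113.7", 1600,
            "198.51.100.10", "loan-b.example", 1500, {**W1, "phone": "000-0002"})
C = Account("kiosk77", "zQ9!tt", "192.0.2.50", 90000,
            "198.51.100.99", "shop-c.example", 90000,
            {"registrant": "R9", "email": "c@example.org", "phone": "999-0009"})
HISTORY = {"group-2019-07": [
    Account("admin_lee00", "Spring#2019x", "192.0.2.8", 500000,
            "198.51.100.20", "loan-old.example", 500000, W1)]}

if __name__ == "__main__":
    for g in candidate_groups([A, B, C]):
        print(sorted(m.name for m in g), "->", match_history(g, HISTORY))
```

Because every degree is capped at 100 and merging requires a total greater than 100, a single matching dimension can never merge two accounts on its own; at least two dimensions have to agree.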
An embodiment of the present invention further provides a controller, which includes a memory and a processor, where the memory stores a computer program, and the program, when executed by the processor, can implement the steps of the method.
Embodiments of the present invention also provide a computer-readable storage medium for storing a computer program, which when executed by a computer or a processor implements the steps of the method.
The embodiment of the invention can rapidly and accurately process the phishing traffic, extract relevant fraud data and perform association analysis. Under the condition of complete fraud data, related fraud groups can be directly related through the fraud group identification method, and fraud events of the fraud groups can be tracked and recorded. In addition, the embodiment of the invention can trace the identity of the fraud group through the obtained virtual identity information of the fraud staff.
Although the present invention has been described with reference to a preferred embodiment, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A network traffic based fraud group identification method, comprising:
obtaining phishing traffic of a plurality of accounts to be tested, and extracting phishing data corresponding to each account to be tested from the phishing traffic;
sequentially calculating the association degree of every two accounts to be detected in the plurality of accounts to be detected based on the phishing data to obtain a first association degree, and if the first association degree is greater than a first association degree threshold value, merging the corresponding accounts to be detected into a group to be identified;
and calculating the association degree of the to-be-identified group and a preset historical existing group based on the phishing data to obtain a second association degree, and merging the to-be-identified group and the historical existing group into a phishing group if the second association degree is greater than a second association degree threshold value.
2. Network traffic-based fraud group identification method according to claim 1,
the phishing data comprises fraud resource data and fraud account data, wherein,
the fraud resource data includes a fraud website domain name, a fraud website server IP, fraud website domain name registrant information,
the fraud account data comprises a fraud account, a password, a login IP, a login time and fraud account virtual identity information.
3. Network traffic-based fraud group identification method according to claim 2,
extracting phishing data corresponding to each account to be tested from the phishing traffic, comprising:
obtaining fraud website information, fraud website access data and fraud website management data from the phishing traffic information;
crawling fraud websites based on the fraud website information, fraud website access data and fraud website management data, and obtaining the fraud resource data,
or,
infiltrating fraud websites based on the fraud website information, fraud website access data and fraud website management data, and acquiring the fraud account data.
4. A network traffic-based fraud group identification method according to claim 3,
said infiltrating a fraud website based on said fraud website information fraud website access data and fraud website management data, acquiring said fraud account data, comprising:
obtaining fraud website management authority through an automatic infiltration script;
inserting a preset counter code into the fraud website file;
triggering the counter code according to a website login instruction of a fraud website manager;
obtaining the fraud account data based on the counter code;
and encrypting the fraud account data and transmitting it back to an analysis server.
5. Network traffic-based fraud group identification method according to claim 4,
if the fraud account data cannot be successfully acquired, the following steps are performed:
acquiring account passwords of fraud website managers through the disguised links;
logging in to a fraud website from the back end based on the fraud website manager account password;
deploying the counter code;
triggering the counter code according to a website login instruction of a fraud website manager;
obtaining fraud account data based on the counter code;
and encrypting the fraud account data and transmitting it back to an analysis server.
6. Network traffic-based fraud group identification method according to claim 2,
sequentially calculating the association degree of every two accounts to be tested in the plurality of accounts to be tested based on the phishing data to obtain a first association degree, comprising:
sequentially calculating the association degrees of every two accounts to be detected based on the fraud resource data to obtain a first sub-association degree;
sequentially calculating the association degrees of every two accounts to be detected based on the fraud account data to obtain a second sub-association degree;
determining the first degree of association based on the first and second degrees of sub-association.
7. Network traffic-based fraud group identification method according to claim 6,
sequentially calculating the association degrees of every two accounts to be detected based on the fraud resource data to obtain a first sub-association degree, comprising:
judging whether the IP addresses of the servers accessed by the two current accounts in the same preset time period are consistent, if so, calculating the association degree of the two current accounts according to the time of the two current accounts accessing the IP addresses of the servers to obtain a third association degree;
judging whether the domain names accessed by the current two accounts in the same preset time period are consistent, if so, calculating the association degree of the current two accounts according to the time for accessing the domain names to obtain a fourth association degree;
judging whether the registration information of websites accessed by the current two accounts is consistent, if so, performing association calculation on the current two accounts according to the number of the same information to obtain a fifth association degree;
determining the first sub-association degree based on the third association degree, the fourth association degree, and the fifth association degree.
8. The network traffic-based fraud group identification method according to claim 6, wherein
sequentially calculating the association degree of every two accounts to be tested based on the fraud account data to obtain a second sub-association degree comprises:
judging whether the similarity of the fraud website administrator passwords corresponding to the current two accounts is higher than a preset first similarity threshold, and if so, calculating the association degree according to the similarity of the fraud website administrator passwords corresponding to the current two accounts, to obtain a sixth association degree;
judging whether the similarity of the current two account numbers is higher than a preset second similarity threshold, and if so, calculating the association degree of the current two accounts according to the similarity of the current two account numbers, to obtain a seventh association degree;
judging whether the current two accounts logged in using the same IP address within the same preset time period, and if so, calculating the association degree of the current two accounts according to the times at which the current two accounts accessed the same IP address, to obtain an eighth association degree;
and determining the second sub-association degree based on the fifth association degree, the sixth association degree, and the seventh association degree.
9. A controller comprising a memory and a processor, characterized in that the memory stores a computer program which, when executed by the processor, is capable of carrying out the steps of the method of any one of claims 1 to 8.
10. A computer-readable storage medium for storing a computer program, characterized in that the program realizes the steps of the method according to any one of claims 1 to 8 when executed by a computer or processor.
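The pairwise calculation of claim 7, sketched as an added example that is not part of the patent text. The claim gives no scoring formulas, so the one-hour window, the linear time decay, the weighted sum, the one-registration-record-per-account simplification and all sample data are assumptions.

```python
import itertools
from typing import NamedTuple

WINDOW = 3600              # assumed "preset time period", in seconds
WEIGHTS = (0.4, 0.4, 0.2)  # assumed weights for the third/fourth/fifth degrees

class Account(NamedTuple):
    name: str
    ip_hits: dict       # server IP -> access timestamps (epoch seconds)
    domain_hits: dict   # domain name -> access timestamps
    registration: dict  # registration fields of the website the account accessed

def time_score(hits_a, hits_b):
    """1.0 for simultaneous access to a shared resource, falling linearly
    to 0 when the closest accesses are WINDOW seconds or more apart."""
    best = 0.0
    for key in hits_a.keys() & hits_b.keys():
        gap = min((abs(ta - tb) for ta in hits_a[key] for tb in hits_b[key]),
                  default=WINDOW)
        if gap < WINDOW:
            best = max(best, 1.0 - gap / WINDOW)
    return best

def registration_score(reg_a, reg_b):
    """Share of commonly present registration fields holding the same value."""
    fields = reg_a.keys() & reg_b.keys()
    same = sum(1 for f in fields if reg_a[f] == reg_b[f])
    return same / len(fields) if fields else 0.0

def first_sub_association(a, b):
    third = time_score(a.ip_hits, b.ip_hits)            # shared server IP
    fourth = time_score(a.domain_hits, b.domain_hits)   # shared domain name
    fifth = registration_score(a.registration, b.registration)
    return sum(w * s for w, s in zip(WEIGHTS, (third, fourth, fifth)))

def pairwise(accounts):
    """Score every pair of accounts, as in the claim's 'every two accounts'."""
    return {(a.name, b.name): round(first_sub_association(a, b), 3)
            for a, b in itertools.combinations(accounts, 2)}

# Constructed sample data (documentation IP ranges and example domains).
ACCOUNTS = [
    Account("acct_a", {"192.0.2.10": [1000, 9000]}, {"pay.example": [1000]},
            {"email": "reg@example.net", "phone": "555-0101"}),
    Account("acct_b", {"192.0.2.10": [1900]}, {"pay.example": [2800]},
            {"email": "reg@example.net", "phone": "555-0102"}),
    Account("acct_c", {"198.51.100.7": [1200]}, {"shop.example": [1200]},
            {"email": "other@example.org", "phone": "555-0103"}),
]
```

Calling `pairwise(ACCOUNTS)` returns one score per unordered pair; only the pair that shares a server IP, a domain name and a registration e-mail scores above zero.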
CN202010591185.3A 2020-06-24 2020-06-24 Network traffic based fraud group identification method, controller and medium Pending CN111865925A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010591185.3A CN111865925A (en) 2020-06-24 2020-06-24 Network traffic based fraud group identification method, controller and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010591185.3A CN111865925A (en) 2020-06-24 2020-06-24 Network traffic based fraud group identification method, controller and medium

Publications (1)

Publication Number Publication Date
CN111865925A true CN111865925A (en) 2020-10-30

Family

ID=72988360

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010591185.3A Pending CN111865925A (en) 2020-06-24 2020-06-24 Network traffic based fraud group identification method, controller and medium

Country Status (1)

Country Link
CN (1) CN111865925A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102622552A (en) * 2012-04-12 2012-08-01 焦点科技股份有限公司 Detection method and detection system for fraud access to business to business (B2B) platform based on data mining
US8245282B1 (en) * 2008-08-19 2012-08-14 Eharmony, Inc. Creating tests to identify fraudulent users
CN107733854A (en) * 2012-04-01 2018-02-23 阿里巴巴集团控股有限公司 A kind of risk control method and system of network virtual user
CN108133061A (en) * 2018-02-01 2018-06-08 天津市国瑞数码安全***股份有限公司 A kind of swindle Stock discrimination system
CN108429718A (en) * 2017-02-13 2018-08-21 腾讯科技(深圳)有限公司 Account recognition methods and device
CN109816519A (en) * 2019-01-25 2019-05-28 宜人恒业科技发展(北京)有限公司 A kind of recognition methods of fraud clique, device and equipment

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112330347A (en) * 2020-12-12 2021-02-05 国家计算机网络与信息安全管理中心江苏分中心 Method and system for intelligently identifying fraud groups
CN113011884A (en) * 2021-01-29 2021-06-22 腾讯科技(深圳)有限公司 Account feature extraction method, device and equipment and readable storage medium
CN113011884B (en) * 2021-01-29 2023-08-04 腾讯科技(深圳)有限公司 Account feature extraction method, device, equipment and readable storage medium
CN113114669B (en) * 2021-04-09 2023-05-23 厦门市美亚柏科信息股份有限公司 GOIP gateway identification method, device, equipment and storage medium based on gateway data
CN113114669A (en) * 2021-04-09 2021-07-13 厦门市美亚柏科信息股份有限公司 GOIP gateway identification method, device, equipment and storage medium based on gateway data
CN113297840A (en) * 2021-04-28 2021-08-24 百果园技术(新加坡)有限公司 Malicious traffic account detection method, device, equipment and storage medium
CN113297840B (en) * 2021-04-28 2024-05-24 百果园技术(新加坡)有限公司 Malicious traffic account detection method, device, equipment and storage medium
CN113452670A (en) * 2021-04-30 2021-09-28 恒安嘉新(北京)科技股份公司 Phishing blocking method, device, equipment and medium based on SDN network
CN113452670B (en) * 2021-04-30 2023-07-28 恒安嘉新(北京)科技股份公司 Phishing blocking method, device, equipment and medium based on SDN network
CN113312560A (en) * 2021-06-16 2021-08-27 百度在线网络技术(北京)有限公司 Group detection method and device and electronic equipment
CN113312560B (en) * 2021-06-16 2023-07-25 百度在线网络技术(北京)有限公司 Group detection method and device and electronic equipment
CN114020985B (en) * 2021-11-10 2022-10-14 深圳安巽科技有限公司 Fraud countercheck interception method, system and storage medium
CN114020985A (en) * 2021-11-10 2022-02-08 深圳安巽科技有限公司 Fraud countercheck interception method, system and storage medium
CN114222301A (en) * 2021-12-13 2022-03-22 奇安盘古(上海)信息技术有限公司 Fraud site processing method, device and storage medium
CN114222301B (en) * 2021-12-13 2024-04-12 奇安盘古(上海)信息技术有限公司 Fraud site processing method, fraud site processing device and storage medium
CN114499966A (en) * 2021-12-27 2022-05-13 奇安盘古(上海)信息技术有限公司 Fraud traffic aggregation analysis method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201030