CN112437034B - False terminal detection method and device, storage medium and electronic device - Google Patents

Publication number
CN112437034B
Authority
CN
China
Legal status
Active
Application number
CN201910791889.2A
Other languages
Chinese (zh)
Other versions
CN112437034A (en)
Inventor
范小龙
李文
杨正朋
张谋辉
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a false terminal detection method and device, a storage medium and an electronic device. The method comprises the following steps: acquiring data to be detected of a terminal to be detected, wherein the data to be detected comprises at least one of the following: hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected; performing integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected; and determining that the terminal to be detected is a false terminal when the target abnormal value is greater than a preset threshold. The invention solves the technical problem of low accuracy of false terminal detection in the related art.

Description

False terminal detection method and device, storage medium and electronic device
Technical Field
The invention relates to the field of computers, in particular to a false terminal detection method and device, a storage medium and an electronic device.
Background
In the related art, false terminal detection is mainly implemented through front-end instrumentation points, protocol verification and the like; for example, various verification status bits are added to a communication protocol, or an encrypted ID is used.
However, these protocols are quickly broken under the frequent attack requests issued every day by the underground (black-market) industry, and protocol instrumentation points fall into an endless cycle of countermeasures, so the cost of countering is very high.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a false terminal detection method and device, a storage medium and an electronic device, which at least solve the technical problem of low false terminal detection accuracy in the related technology.
According to an aspect of an embodiment of the present invention, a false terminal detection method is provided, including: acquiring data to be detected of a terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in to the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected; performing integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected; and determining that the terminal to be detected is a false terminal when the target abnormal value is greater than a preset threshold.
According to another aspect of the embodiments of the present invention, a false terminal detection apparatus is provided, including: an acquisition unit, configured to acquire data to be detected of a terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in to the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected; an analysis unit, configured to perform integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected; and a determining unit, configured to determine that the terminal to be detected is a false terminal when the target abnormal value is greater than a preset threshold.
As an optional implementation, the analysis unit includes: the first acquisition module is used for acquiring a first abnormal value matched with the hardware data; the second acquisition module is used for acquiring a second abnormal value matched with the network environment data; the third acquisition module is used for acquiring a third abnormal value matched with the account behavior data; the fourth acquisition module is used for acquiring a fourth abnormal value matched with the associated account data; and the calculation module is used for performing weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain the target abnormal value.
As an optional implementation manner, the first obtaining module includes: the first obtaining sub-module is used for obtaining a white list corresponding to the hardware data of the terminal to be detected, wherein the white list comprises the hardware data of the entity terminal; the first determining submodule is used for determining the first abnormal value as a first target value under the condition that the white list is detected not to include the hardware data of the terminal to be detected.
As an optional implementation manner, with respect to the network environment data of the terminal to be detected, the second acquiring module includes: a second determining submodule, configured to determine the first abnormal sub-value as a second target value when the protocol version number is different from the standard version number; a third determining submodule, configured to determine the second abnormal sub-value as a third target value when the number of terminals under the IP where the terminal to be detected is located is greater than a first threshold; a fourth determining submodule, configured to determine the third abnormal sub-value as a fourth target value when the network reported data is abnormal; a fifth determining submodule, configured to determine the fourth abnormal sub-value as a fifth target value when the number of requests of the terminal to be detected is greater than a second threshold; and a first calculation submodule, configured to fuse the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain the second abnormal value.
As an optional implementation manner, the account behavior data includes a login time period, a login position, and an operation scenario of the account logged in to the terminal to be detected, and the third obtaining module includes: a sixth determining submodule, configured to determine the fifth abnormal sub-value as a sixth target value when the login time period is not within the range of the common login time period; a seventh determining submodule, configured to determine the sixth abnormal sub-value as a seventh target value when the login position is different from the common login position; an eighth determining submodule, configured to determine the seventh abnormal sub-value as an eighth target value when the operation scenario is different from the common operation scenario; and a second calculation submodule, configured to fuse the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
As an optional implementation manner, the associated account data includes an account associated with the account logged in to the terminal to be detected, and the fourth obtaining module includes: a ninth determining submodule, configured to determine the fourth abnormal value as a ninth target value when a terminal logged in to by an account associated with the account logged in to the terminal to be detected is a false terminal.
According to still another aspect of the embodiments of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is configured to execute the above false terminal detection method when running.
According to another aspect of the embodiments of the present invention, there is provided an electronic apparatus, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the above-mentioned false terminal detection method through the computer program.
In the embodiment of the present invention, data to be detected of a terminal to be detected is acquired, where the data to be detected includes at least one of the following: account behavior data of the account logged in to the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected; integrated analysis is performed on the data to be detected to obtain a target abnormal value of the terminal to be detected; and the terminal to be detected is determined to be a false terminal when the target abnormal value is greater than a preset threshold.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of an application environment of an alternative false terminal detection method according to an embodiment of the present invention;
FIG. 2 is a flow chart diagram illustrating an alternative false terminal detection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an alternative false terminal detection method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an alternative false terminal detection apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an aspect of the embodiments of the present invention, a false terminal detection method is provided, and optionally, as an optional implementation manner, the false terminal detection method may be applied to, but is not limited to, the environment shown in fig. 1.
User device 102 in fig. 1 may interact with server 106 via network 104. The server 106 includes a database 108 for storing interaction data and a processing engine 110 for processing the interaction data.
The server 106 may obtain data to be detected of the user device 102, where the data to be detected includes at least one of: account behavior data of the account logged in to the user device 102, hardware data of the user device 102, network environment data of the user device 102, and associated account data of the account logged in to the user device 102. After acquiring the data to be detected, the server may analyze it to obtain a result determining whether the user device 102 is a false device.
According to the scheme, any one of the account behavior data of the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of the account of the terminal to be detected is acquired, and then the data to be detected is analyzed to obtain a result of whether the terminal to be detected is a false terminal, so that the accuracy of detection of the terminal to be detected is improved.
Alternatively, the network may include, but is not limited to, a wireless network or a wired network. The wireless network includes Bluetooth, Wi-Fi, and other networks that enable wireless communication. The wired network may include, but is not limited to, wide area networks, metropolitan area networks, and local area networks. The server may include, but is not limited to, any hardware device capable of performing calculations.
Optionally, as an optional implementation manner, as shown in fig. 2, the false terminal detection method includes:
S202, acquiring data to be detected of the terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in to the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected;
S204, performing integrated analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected;
S206, determining that the terminal to be detected is a false terminal when the target abnormal value is greater than the preset threshold.
Optionally, the device to be detected in this scheme may be, but is not limited to, an automaton. If a plurality of different accounts of the same type are logged in on the automaton, behaviors such as like-farming and commenting can be carried out through the different accounts. By arranging large-scale batch operation of a small number of devices, a large amount of false traffic can be produced for the related Internet platforms.
Alternatively, the above false terminal detection method can be applied to, but is not limited to, the field of false traffic detection. For example, for an account logged in to a client application, it is detected whether the terminal that the account is logged in to is an automaton: the terminal that the account is logged in to is taken as the terminal to be detected, and data to be detected of the terminal to be detected is acquired, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in to the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected; integrated analysis is performed on the data to be detected to obtain a target abnormal value of the terminal to be detected; and the terminal to be detected is determined to be a false terminal when the target abnormal value is greater than a preset threshold. The false terminal may be an automaton.
According to this scheme, any one of the account behavior data of the account logged in to the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of the account of the terminal to be detected is acquired, and the data to be detected is then analyzed to obtain a result of whether the terminal to be detected is a false terminal, so that the accuracy of detecting the terminal to be detected is improved.
Optionally, in this scheme, when analyzing and detecting the terminal to be detected, the terminal may be analyzed according to one kind, or a combination of several kinds, of the data to be detected, so as to determine whether it is a false terminal. For example, whether the terminal to be detected is a false terminal is determined by using the account behavior data of the account logged in to the terminal to be detected and the hardware data of the terminal to be detected. Alternatively, it is determined according to the account behavior data of the account of the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of the account of the terminal to be detected.
Optionally, whether the terminal to be detected is a false terminal may be determined by using the account behavior data of the account logged in to the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected, and the associated account data of the account of the terminal to be detected. When these four kinds of data to be detected are used, the data to be detected can be integrated and analyzed to obtain a target abnormal value of the terminal to be detected.
Optionally, each of the four types of data to be detected corresponds to an abnormal value. Acquiring a first abnormal value matched with the hardware data; acquiring a second abnormal value matched with the network environment data; acquiring a third abnormal value matched with the account behavior data; acquiring a fourth abnormal value matched with the associated account data; and carrying out weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain a target abnormal value.
Optionally, obtaining the first abnormal value matched with the hardware data comprises: acquiring a white list corresponding to the hardware data of the terminal to be detected, wherein the white list comprises the hardware data of entity terminals; and, when it is detected that the white list does not include the hardware data of the terminal to be detected, determining the first abnormal value as a first target value.
For example, a white list is preset, and the hardware data of normal terminal devices is stored in the white list. The hardware data may include the type of the terminal device. After the hardware data of the terminal to be detected is obtained, it can be looked up in the white list to check whether the white list contains it. If it is not included in the white list, the first abnormal value is determined as the first target value. The first abnormal value may be zero, and the first target value is a value greater than the first abnormal value. The first target value may be any value.
Optionally, with respect to the network environment data of the terminal to be detected, obtaining the second abnormal value matched with the network environment data includes: determining the first abnormal sub-value as a second target value when the protocol version number is different from the standard version number; determining the second abnormal sub-value as a third target value when the number of terminals under the IP of the terminal to be detected is greater than the first threshold; determining the third abnormal sub-value as a fourth target value when the network reported data is abnormal; determining the fourth abnormal sub-value as a fifth target value when the number of requests of the terminal to be detected is greater than a second threshold; and fusing the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain the second abnormal value.
Alternatively, the second abnormal value may be a sum of the first to fourth abnormal sub-values. For example, when determining the first abnormal sub-value, it is determined whether the protocol version number of the terminal to be detected is the standard version number. If it is not, the first abnormal sub-value is determined as the second target value. The second target value is greater than the first abnormal sub-value. When determining the second abnormal sub-value, the number of terminals under the IP of the terminal to be detected can be checked. If the number is too large, the probability that the terminal to be detected is a false terminal is high, and the second abnormal sub-value is determined as the third target value. The third target value may be a value greater than the second abnormal value.
Optionally, after the first abnormal sub-value to the fourth abnormal sub-value are determined, the first abnormal sub-value to the fourth abnormal sub-value are subjected to weighted summation to obtain a second abnormal value.
Optionally, the account behavior data includes a login time period, a login position, and an operation scene of the account logged in to the terminal to be detected, and calculating the third abnormal value of the terminal to be detected according to the account behavior data includes: determining the fifth abnormal sub-value as a sixth target value when the login time period is not within the range of the common login time period; determining the sixth abnormal sub-value as a seventh target value when the login position is different from the common login position; determining the seventh abnormal sub-value as an eighth target value when the operation scene is different from the common operation scene; and fusing the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
For example, take a first account of the client to be detected: the first account usually logs in to a first application client between 7 pm and 9 pm every day. If the account logs in to the first application client at 8 am on a certain day, the login is determined to be outside the common login time period. If the account normally logs in from one city and at some point logs in from a different city, the account is considered not to have logged in at the common login location. If an account usually watches videos after logging in, and on a certain day publishes videos after logging in, the account is considered not to be in a common operation scene.
Optionally, after the fifth to seventh abnormal sub-values are determined, weighted summation may be performed on the fifth to seventh abnormal sub-values to obtain the third abnormal value.
Optionally, the associated account data includes an account associated with the account logged in to the terminal to be detected, and calculating the fourth abnormal value of the terminal to be detected according to the associated account data includes: determining the fourth abnormal value as a ninth target value when a terminal logged in to by an account associated with the account logged in to the terminal to be detected is a false terminal.
For example, if a terminal logged in to by a friend of the account logged in to the terminal to be detected, or by another account in its address book, is a false terminal, the fourth abnormal value of the terminal to be detected is the ninth target value. The ninth target value is greater than the fourth abnormal value.
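The scoring flow described above (white list check, network and account-behavior sub-values, associated-account check, weighted summation, threshold comparison) is shown here as an added Python example, not code from the patent. Every number, weight and field name is an assumption, as is the renormalisation over the categories actually collected, which covers the case where only some kinds of data to be detected are available.

```python
from dataclasses import dataclass

# Assumed values: the description fixes no numbers. It only says a default
# abnormal (sub-)value may be zero and a "target value" is greater than it.
DEFAULT, TARGET = 0.0, 1.0
CONFIG = {
    "standard_protocol_version": "3.2",       # constructed
    "first_threshold": 20,                    # max terminals under one IP
    "second_threshold": 500,                  # max requests from the terminal
    "network_weights": (0.3, 0.3, 0.2, 0.2),  # abnormal sub-values 1 to 4
    "behavior_weights": (0.4, 0.3, 0.3),      # abnormal sub-values 5 to 7
    "category_weights": {"hardware": 0.3, "network": 0.3,
                         "behavior": 0.2, "associated": 0.2},
    "preset_threshold": 0.5,
}

@dataclass
class Network:
    protocol_version: str
    terminals_on_ip: int
    report_abnormal: bool
    request_count: int

@dataclass
class Behavior:
    login_hour: int
    login_location: str
    scene: str

@dataclass
class Habits:  # "common" values, e.g. taken from the device portrait
    login_hours: range
    login_location: str
    scenes: frozenset

def flag(condition):
    """Sub-value becomes the target value when the abnormal condition holds."""
    return TARGET if condition else DEFAULT

def weighted(values, weights):
    return sum(v * w for v, w in zip(values, weights))

def first_abnormal(hardware_id, whitelist):
    return flag(hardware_id not in whitelist)

def second_abnormal(net, cfg=CONFIG):
    subs = (flag(net.protocol_version != cfg["standard_protocol_version"]),
            flag(net.terminals_on_ip > cfg["first_threshold"]),
            flag(net.report_abnormal),
            flag(net.request_count > cfg["second_threshold"]))
    return weighted(subs, cfg["network_weights"])

def third_abnormal(beh, habits, cfg=CONFIG):
    subs = (flag(beh.login_hour not in habits.login_hours),
            flag(beh.login_location != habits.login_location),
            flag(beh.scene not in habits.scenes))
    return weighted(subs, cfg["behavior_weights"])

def fourth_abnormal(associated_terminal_is_false):
    return flag(associated_terminal_is_false)

def target_abnormal(scores, cfg=CONFIG):
    """Weighted sum over the categories present in `scores`.
    Dividing by the weights of the present categories is an assumption."""
    if not scores:
        raise ValueError("at least one kind of data to be detected is required")
    w = cfg["category_weights"]
    return sum(scores[c] * w[c] for c in scores) / sum(w[c] for c in scores)

def is_false_terminal(scores, cfg=CONFIG):
    return target_abnormal(scores, cfg) > cfg["preset_threshold"]

# Constructed sample data.
WHITELIST = {"model-A/cpu-1", "model-B/cpu-2"}
HABITS = Habits(range(19, 21), "city-1", frozenset({"watch_video"}))

def score_terminal(hardware_id, net, beh, associated_false):
    return {"hardware": first_abnormal(hardware_id, WHITELIST),
            "network": second_abnormal(net),
            "behavior": third_abnormal(beh, HABITS),
            "associated": fourth_abnormal(associated_false)}

NORMAL = score_terminal("model-A/cpu-1", Network("3.2", 3, False, 40),
                        Behavior(20, "city-1", "watch_video"), False)
SUSPECT = score_terminal("emulator-x", Network("2.9", 150, False, 4000),
                         Behavior(8, "city-2", "publish_video"), True)

if __name__ == "__main__":
    for name, scores in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, round(target_abnormal(scores), 2), is_false_terminal(scores))
```

With these assumed weights a single deviation, such as one login at an unusual hour, stays well below the preset threshold, while several deviations together exceed it.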
Optionally, the data to be detected used for determining the first to fourth abnormal values in this scheme can be flexibly combined. For example, the first and second abnormal values may be determined by the methods described above, while the third abnormal value may be determined according to the operations performed by the terminal to be detected. In this case the terminal to be detected may not have an account logged in, and may perform actions, such as registering, viewing videos or browsing web pages, or registration, video or traffic generation, and login, click, like, forward and browse duration in different scenarios. The third abnormal value of the terminal to be detected is determined from these behaviors. The behaviors include normal behavior and abnormal behavior. Abnormal behavior may be an excessive number of operations performed within a predetermined period of time: if the number of operations such as logins, clicks and likes in the predetermined period is huge, the third abnormal value needs to be determined as a higher value. If the behaviors of the terminal to be detected are normal, the third abnormal value may be a lower value or zero. The fourth abnormal value may be determined according to the attributes of the account logged in to the terminal to be detected, for example the user age of the account, the account level, whether a mobile phone is bound or real-name authentication has been completed, the registration duration, whether there have been multiple violating operations, and the like. If the data of the account meets the requirements and no abnormal operation has been performed, the fourth abnormal value is small or zero. If the attributes of the account do not meet the predetermined requirements and the account has performed violating operations multiple times, the fourth abnormal value grows with the number of violating operations and the amount of abnormal data.
The following description refers to a specific example. As shown in FIG. 3, after the data to be detected of the terminal to be detected is acquired, it is analyzed item by item to obtain the corresponding abnormal values, and finally the target abnormal value is evaluated to determine whether the terminal to be detected is a false terminal.
The process in this embodiment mainly comprises three modules: basic data, feature mining and false device recognition. The basic data module mainly collects and aggregates the basic device attribute features and the device operation behavior data. The device basic data includes software and hardware attribute data; the environmental operation data includes the operating IP, time, associated account, protocol version and the like; the behavior data includes trajectory data such as operation time and business scene, historical behavior in the scene, common behavior and the like. The feature mining module mainly cleans and digitizes the acquired data and builds a complete device portrait, providing basic features for the subsequent analyses. Feature mining involves data cleaning, which mainly removes erroneously collected data: for example, records for which the IP or the device core ID was not collected are removed, and records with insufficient collected behavior data also need to be removed. Digitizing mainly converts the raw behavior log data into numerical features: for example, a difference operation on the timestamps of a sequence of click operations yields difference-value features, and items such as software version, hardware ID and network card are converted into category-value features. The device portrait (built from historical data) mainly establishes the binding relationships between the device ID and the IP, area, time and user, together with the device's common login area, common IP, common behavior habits (such as daily login/use frequency), common usage time period, common users and the like; this establishes the historical portrait features of the device. False device recognition is built on massive device data and the related scene behavior data; the overall data volume is billions+ per day, the model is updated regularly every day, and the detection results for false malicious devices can be recomputed regularly and dynamically to cope with changes in device attributes.
When the basic data module collects data to be detected, the basic data module mainly collects related equipment behavior data recorded by a front end and a background, and can be specifically divided into 4 categories of original basic data: direct behavior class: the operation behavior track of the associated user on the device comprises service scene ID records of registration, login, message sending, praise refreshing and the like, and violation operation records in a plurality of scenes, wherein the commonly used behavior records are as follows: including common time/IP/region/software version, etc.; the software information class: the method mainly comprises the steps of system information, virtual machine identification, special process ID identification and the like on a current terminal; hardware information class: CPU, storing ID, network card ID, etc.; the acquisition method is different from platform to platform, but the data is uniform in category. The environmental information class: client IP, client version, client protocol, etc.; in the acquisition process, desensitization processing is carried out on relevant sensitive information, and numeralization and redundant data filtering processing are carried out on partial detection data.
Feature mining integrates massive data such as device attributes, application data, device registration and login, and social behavior, and extracts effective multi-dimensional features in depth, including core basic features such as active days, black-market abuse time, common-app rate, social activity, days of use and login days. There are more than 200 feature dimensions, and the set can be extended continuously according to the scenario. The feature mining module preprocesses the data: it mainly converts and extracts features from the data, and filters and completes noisy data. For example, the client version is converted into features such as version time and old/new version, the keyboard timestamps are used for time-series difference feature extraction and modeling, and repeated interference data is filtered out.
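The cleaning and digitizing steps described above can be sketched as follows. This is an added example, not code from the patent; the record field names, the `MIN_EVENTS` cut-off and the sample records are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

MIN_EVENTS = 3  # assumed minimum number of click events for a usable record

# Constructed sample records; the field names are assumptions for this example.
RAW = [
    {"device_id": "dev-a", "ip": "198.51.100.7", "client_version": "8.2.1",
     "click_ts": [1000.0, 1000.5, 1000.5, 1001.0, 1001.5, 1002.0]},  # one repeated event
    {"device_id": "dev-b", "ip": "203.0.113.9", "client_version": "8.3.0",
     "click_ts": [2000.0, 2001.5, 2004.0, 2004.5, 2010.0]},
    {"device_id": "dev-c", "ip": None, "client_version": "8.3.0",
     "click_ts": [3000.0, 3001.0, 3002.0]},      # IP was not collected
    {"device_id": "", "ip": "203.0.113.10", "client_version": "8.3.0",
     "click_ts": [4000.0, 4001.0, 4002.0]},      # core device ID missing
    {"device_id": "dev-e", "ip": "203.0.113.11", "client_version": "8.2.1",
     "click_ts": [5000.0]},                      # too little behavior data
]


def clean(records):
    """Drop unusable records and filter repeated events from the rest.

    Returns (kept_records, {input_index: reason_dropped}).
    """
    kept, dropped = [], {}
    for index, record in enumerate(records):
        timestamps = sorted(set(record["click_ts"]))  # repeated events removed
        if not record["device_id"]:
            dropped[index] = "missing device id"
        elif not record["ip"]:
            dropped[index] = "missing ip"
        elif len(timestamps) < MIN_EVENTS:
            dropped[index] = "insufficient behavior data"
        else:
            kept.append({**record, "click_ts": timestamps})
    return kept, dropped


def digitize(records):
    """Turn cleaned records into numeric features keyed by device id."""
    # Category-value feature: each distinct version string gets a nominal code.
    versions = sorted({r["client_version"] for r in records})
    version_code = {v: i for i, v in enumerate(versions)}
    features = {}
    for record in records:
        ts = record["click_ts"]
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        features[record["device_id"]] = {
            "gap_mean": mean(gaps),    # difference-value features from the
            "gap_std": pstdev(gaps),   # timestamps of consecutive clicks
            "version_code": version_code[record["client_version"]],
        }
    return features


if __name__ == "__main__":
    kept, dropped = clean(RAW)
    print(dropped)
    print(digitize(kept))
```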
The false terminal identification part builds a multi-dimensional comprehensive false-device discrimination model over the extracted data, and can be divided into four categories. Terminal anomaly detection: device attribute tampering, root, hook and emulator use are detected from the detection data reported by the multi-platform terminal program, and a first abnormal value is output. Environmental protocol check: anomalies in the network and protocol environment used by the device are detected; the number of users, devices and clients under the same IP, the number of users and requests under the same device and the like are counted, and a second abnormal value is obtained from the protocol version number, the degree of device aggregation on the IP and whether the data reported over the network is normal. Behavior trajectory analysis: the trajectory of the device's common behaviors is analyzed, feature portraits such as common usage time period, common usage location and common business scenario are built, whether the device has multiple violating abnormal operations is identified, and a third abnormal value is output. Social behavior association check: using the historical operation behavior of the users associated with the device and the direct association relationships between users, such as a social network formed from IP logins, address books and friend attributes, groups of devices operated in batches are analyzed and highly malicious device groups are mined, and a fourth abnormal value of the device is output. Finally, the first to fourth abnormal values are weighted together to obtain the final target abnormal value, and the target abnormal value is evaluated to judge whether the terminal to be detected is a false terminal.
For the malicious and normal sample mining part of the abnormal classification model, unsupervised and semi-supervised algorithms are mainly run offline: for example, a clustering algorithm separates the devices into several category groups, the malicious false-device groups are extracted by their anomalous features and used as false malicious samples, and normal samples are then sampled from the other categories. The unsupervised and semi-supervised analysis algorithms include kmeans, PCA, LPA and the like.
The supervised classification method used by the abnormal classification model is not limited: it can use traditional machine learning methods such as logistic regression, random forests and gradient boosting trees, or deep learning models such as convolutional neural networks, and each sub-model can use one method or a weighted combination of several.
According to this embodiment, any of the account behavior data of the account logged in on the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of the account of the terminal to be detected is acquired, and the data to be detected is then analyzed to determine whether the terminal to be detected is a false terminal, which improves the accuracy of detecting the terminal to be detected.
As an optional implementation scheme, performing integration analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected includes:
S1, acquiring a first abnormal value matched with the hardware data;
S2, acquiring a second abnormal value matched with the network environment data;
S3, acquiring a third abnormal value matched with the account behavior data;
S4, acquiring a fourth abnormal value matched with the associated account data;
S5, carrying out weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain the target abnormal value.
Optionally, in the scheme, in the process of determining whether the terminal to be detected is a false terminal, whether the terminal to be detected is the false terminal is determined by using a combination of four data, namely account behavior data for logging in an account of the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected and associated account data of the account of the terminal to be detected, so that the effect of improving the detection accuracy of the terminal to be detected is achieved.
As an alternative embodiment, obtaining the first abnormal value that matches the hardware data comprises:
S1, acquiring a white list corresponding to the hardware data of the terminal to be detected, wherein the white list comprises the hardware data of entity terminals;
S2, when it is detected that the white list does not include the hardware data of the terminal to be detected, determining the first abnormal value as a first target value.
Optionally, in the scheme, whether the hardware data of the terminal to be detected is in the white list is detected, so that if the terminal to be detected is an automaton or other terminal, the white list does not include the hardware data of the automaton, and the effect of accurately acquiring the first abnormal value of the terminal to be detected is achieved.
As an optional implementation, the network environment data of the terminal to be detected includes: the protocol version number used by the terminal to be detected, the number of terminals under the IP where the terminal to be detected is located, the data reported by the terminal to be detected, and the number of requests of the terminal to be detected; obtaining the second abnormal value matched with the network environment data comprises:
S1, when the protocol version number is different from the standard version number, determining a first abnormal sub-value as a second target value;
S2, when the number of terminals under the IP where the terminal to be detected is located is larger than a first threshold value, determining a second abnormal sub-value as a third target value;
S3, when the data reported over the network is abnormal, determining a third abnormal sub-value as a fourth target value;
S4, when the number of requests of the terminal to be detected is greater than a second threshold value, determining a fourth abnormal sub-value as a fifth target value;
S5, fusing the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain the second abnormal value.
Optionally, in this scheme, the terminal to be detected may be a false terminal when the protocol version number of the terminal to be detected is not the standard version number. There may be multiple terminals under the IP of the terminal to be detected. If the number of the terminals is large, the terminal to be detected is probably a false terminal. And if the data reported by the terminal to be detected is abnormal, the terminal to be detected may be a false terminal. And if the number of the requests of the terminal to be detected in the preset time is large, the terminal to be detected is probably a false terminal.
The second abnormal value is determined by determining the first abnormal sub-value to the fourth abnormal sub-value, so that the accuracy of determining the second abnormal value is improved.
As an optional implementation, the account behavior data includes the login time period, the login position and the operation scenario of the account logged in on the terminal to be detected, and calculating the third abnormal value of the terminal to be detected according to the account behavior data includes:
S1, when the login time period is not within the range of the common login time period, determining a fifth abnormal sub-value as a sixth target value;
S2, when the login position is different from the common login position, determining a sixth abnormal sub-value as a seventh target value;
S3, when the operation scenario is different from the common operation scenario, determining a seventh abnormal sub-value as an eighth target value;
S4, fusing the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
In this embodiment, determining the third abnormal value in this way raises the third abnormal value of an account that is not logged in at its common place and common time and is not used in its common operation scenario, which improves the accuracy of determining the third abnormal value.
As an optional implementation scheme, the associated account data includes an account associated with an account logged in the terminal to be detected, and calculating a fourth abnormal value of the terminal to be detected according to the associated account data includes:
S1, determining the fourth abnormal value as a ninth target value when a terminal logged in by an account associated with the account logged in on the terminal to be detected is a false terminal.
According to this embodiment, the level of the fourth abnormal value of the terminal to be detected is determined by whether an account associated with the account logged in on the terminal to be detected has logged in on a false terminal, which improves the accuracy of determining the fourth abnormal value.
As an optional implementation, after acquiring the data to be detected of the terminal to be detected, the method further includes:
S1, deleting sensitive data in the data to be detected, wherein the sensitive data is privacy data of the account of the terminal to be detected.
Through the embodiment, the privacy security of the user is protected by deleting the sensitive data in the data to be detected.
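The optional implementations above (white-list check, network sub-values, behavior sub-values, associated-account check, weighted summation, threshold decision and deletion of sensitive data) can be put together as follows. This is an added example, not code from the patent: every target value, weight and threshold, the field names and the sample records are assumptions constructed for illustration, and fusion is implemented here as a plain sum of sub-values.

```python
from collections import defaultdict

# Every number here is an assumption; integers keep the arithmetic exact.
FIRST_TARGET = 10            # hardware data absent from the white list
NET_TARGETS = {"protocol": 3, "ip_density": 3, "report": 2, "requests": 2}
BEHAVIOR_TARGETS = {"time": 4, "place": 3, "scene": 3}
NINTH_TARGET = 10            # an associated account was seen on a false terminal
WEIGHTS = (3, 3, 2, 2)       # weights of the first..fourth abnormal values
STANDARD_PROTOCOL = "v5"
FIRST_THRESHOLD = 2          # terminals allowed under one IP
SECOND_THRESHOLD = 500       # requests allowed in the observation window
DECISION_THRESHOLD = 40      # predetermined threshold; maximum score is 100
SENSITIVE_FIELDS = {"phone", "real_name"}


def strip_sensitive(record):
    """Delete privacy data before any analysis touches the record."""
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


def terminals_per_ip(records):
    """Count distinct terminals seen under each IP."""
    seen = defaultdict(set)
    for r in records:
        seen[r["ip"]].add(r["device_id"])
    return {ip: len(devices) for ip, devices in seen.items()}


def first_abnormal(r, whitelist):
    return 0 if r["hardware"] in whitelist else FIRST_TARGET


def second_abnormal(r, ip_counts):
    hits = {"protocol": r["protocol"] != STANDARD_PROTOCOL,
            "ip_density": ip_counts[r["ip"]] > FIRST_THRESHOLD,
            "report": not r["report_ok"],
            "requests": r["requests"] > SECOND_THRESHOLD}
    return sum(NET_TARGETS[name] for name, hit in hits.items() if hit)


def third_abnormal(r, profile):
    hits = {"time": r["login_hour"] not in profile["hours"],
            "place": r["login_place"] != profile["place"],
            "scene": r["scene"] != profile["scene"]}
    return sum(BEHAVIOR_TARGETS[name] for name, hit in hits.items() if hit)


def fourth_abnormal(r, known_false):
    return NINTH_TARGET if known_false & set(r["linked_terminals"]) else 0


def score(r, whitelist, ip_counts, profile, known_false):
    """Return (four abnormal values, target abnormal value, is_false_terminal)."""
    values = (first_abnormal(r, whitelist), second_abnormal(r, ip_counts),
              third_abnormal(r, profile), fourth_abnormal(r, known_false))
    target = sum(w * v for w, v in zip(WEIGHTS, values))
    return values, target, target > DECISION_THRESHOLD


def make_record(device_id, hardware, ip, **overrides):
    """Constructed sample record with benign defaults."""
    record = {"device_id": device_id, "hardware": hardware, "ip": ip,
              "protocol": STANDARD_PROTOCOL, "report_ok": True, "requests": 40,
              "login_hour": 20, "login_place": "city-A", "scene": "watch_video",
              "linked_terminals": [], "phone": "000-0000"}
    record.update(overrides)
    return record


# Constructed inputs. A real system keeps one behavior profile per account.
WHITELIST = {"vendor-phone-a"}
KNOWN_FALSE = {"farm-0"}
PROFILE = {"hours": range(19, 22), "place": "city-A", "scene": "watch_video"}
RECORDS = [
    make_record("phone-1", "vendor-phone-a", "198.51.100.7", login_hour=8),
    make_record("farm-1", "emulator-x", "203.0.113.50", protocol="v3",
                report_ok=False, requests=900, login_hour=3,
                scene="publish_video", linked_terminals=["farm-0"]),
    make_record("farm-2", "emulator-x", "203.0.113.50"),
    make_record("farm-3", "emulator-x", "203.0.113.50"),
]


def run_demo():
    cleaned = [strip_sensitive(r) for r in RECORDS]
    ip_counts = terminals_per_ip(cleaned)
    return {r["device_id"]: score(r, WHITELIST, ip_counts, PROFILE, KNOWN_FALSE)
            for r in cleaned}


if __name__ == "__main__":
    for device, result in run_demo().items():
        print(device, result)
```

With these assumed weights, `farm-2` scores 39 and stays just under the threshold: hardware and IP aggregation alone do not cross it, so the chosen weights and threshold decide how many independent signals a verdict requires.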
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
According to another aspect of the embodiments of the present invention, there is also provided a false terminal detection apparatus for implementing the above false terminal detection method. As shown in fig. 4, the apparatus includes:
(1) An obtaining unit 402, configured to obtain data to be detected of a terminal to be detected, where the data to be detected includes at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected and associated account data of the account of the terminal to be detected;
(2) The analysis unit 404 is configured to perform integration analysis on the data to be detected to obtain a target abnormal value of the terminal to be detected;
(3) A determining unit 406, configured to determine that the terminal to be detected is a false terminal if the target abnormal value is greater than the predetermined threshold.
Optionally, the device to be detected in the present scheme may be, but is not limited to, an automaton. If a plurality of different accounts of the same type are logged in on the automaton, behaviors such as like brushing and commenting can be carried out through the different accounts. By operating a small number of devices in large-scale batches in this way, a large amount of false traffic can be produced for the related Internet platforms.
Optionally, the above false terminal detection method can be applied, but is not limited, to the field of false traffic detection. For example, for an account logged in to a client application, to detect whether the terminal on which the account is logged in is an automaton, that terminal is taken as the terminal to be detected and its data to be detected is acquired, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected and associated account data of the account of the terminal to be detected; integration analysis is performed on the data to be detected to obtain a target abnormal value of the terminal to be detected; and the terminal to be detected is determined to be a false terminal when the target abnormal value is greater than a preset threshold value. The false terminal may be an automaton.
According to this scheme, any of the account behavior data of the account logged in on the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of the account of the terminal to be detected is acquired, and the data to be detected is analyzed to determine whether the terminal to be detected is a false terminal, which improves the accuracy of detecting the terminal to be detected.
Optionally, in the present scheme, when analyzing and detecting the terminal to be detected, the terminal may be analyzed according to one kind of data to be detected or a combination of several kinds, so as to determine whether the terminal to be detected is a false terminal. For example, whether the terminal to be detected is a false terminal is determined by using the account behavior data of the account logged in on the terminal to be detected and the hardware data of the terminal to be detected. Alternatively, it is determined according to the account behavior data of the account of the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of the account of the terminal to be detected.
Optionally, it may be determined whether the terminal to be detected is a false terminal by using account behavior data for logging in an account of the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected. In the process of determining whether the terminal to be detected is a false terminal by using the four data to be detected, the data to be detected can be integrated and analyzed to obtain a target abnormal value of the terminal to be detected.
Optionally, each of the four types of data to be detected corresponds to an abnormal value. Acquiring a first abnormal value matched with the hardware data; acquiring a second abnormal value matched with the network environment data; acquiring a third abnormal value matched with the account behavior data; acquiring a fourth abnormal value matched with the associated account data; and carrying out weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain a target abnormal value.
Optionally, obtaining the first abnormal value matched with the hardware data comprises: acquiring a white list corresponding to the hardware data of the terminal to be detected, wherein the white list comprises the hardware data of entity terminals; and, when it is detected that the white list does not include the hardware data of the terminal to be detected, determining the first abnormal value as a first target value.
For example, a white list is preset, and the hardware data of normal terminal devices is stored in the white list. The hardware data may include the type of the terminal device. After the hardware data of the terminal to be detected is obtained, the white list is searched to check whether it contains that hardware data. If the hardware data is not included in the white list, the first abnormal value is determined as the first target value. The first abnormal value may be zero, and the first target value is a value greater than the first abnormal value. The first target value may be any value.
Optionally, the network environment data of the terminal to be detected includes: the protocol version number used by the terminal to be detected, the number of terminals under the IP where the terminal to be detected is located, the data reported by the terminal to be detected, and the number of requests of the terminal to be detected; obtaining the second abnormal value matched with the network environment data comprises: when the protocol version number is different from the standard version number, determining the first abnormal sub-value as a second target value; when the number of terminals under the IP where the terminal to be detected is located is greater than the first threshold value, determining the second abnormal sub-value as a third target value; when the data reported over the network is abnormal, determining the third abnormal sub-value as a fourth target value; when the number of requests of the terminal to be detected is greater than a second threshold value, determining the fourth abnormal sub-value as a fifth target value; and fusing the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain the second abnormal value.
Optionally, the second abnormal value may be the sum of the first to fourth abnormal sub-values. For example, when the first abnormal sub-value is determined, it is checked whether the protocol version number of the terminal to be detected is the standard version number. If it is not, the first abnormal sub-value is determined as the second target value. The second target value is greater than the first abnormal sub-value. When the second abnormal sub-value is determined, the number of terminals under the IP where the terminal to be detected is located can be detected. If the number is too large, the probability that the terminal to be detected is a false terminal is high, and the second abnormal sub-value is determined as the third target value. The third target value may be a value greater than the second abnormal sub-value.
Optionally, after the first abnormal sub-value to the fourth abnormal sub-value are determined, the first abnormal sub-value to the fourth abnormal sub-value are subjected to weighted summation to obtain a second abnormal value.
Optionally, the account behavior data includes the login time period, the login position and the operation scenario of the account logged in on the terminal to be detected, and calculating the third abnormal value of the terminal to be detected according to the account behavior data includes: when the login time period is not within the range of the common login time period, determining a fifth abnormal sub-value as a sixth target value; when the login position is different from the common login position, determining a sixth abnormal sub-value as a seventh target value; when the operation scenario is different from the common operation scenario, determining a seventh abnormal sub-value as an eighth target value; and fusing the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
For example, take a first account logged in on the client to be detected: the first account usually logs in to the first application client between 7 pm and 9 pm every day. If the account logs in to the first application client at 8 am on a certain day, the account is determined to have logged in outside its common login time period. If the account normally logs in from Shanghai and at some point logs in from Changsha, the account is considered not to have logged in at its common login location. If an account usually watches videos after logging in, and on a certain day it publishes videos after logging in, the account is considered not to be using its common operation scenario.
Optionally, after the fifth to seventh abnormal sub-values are determined, the fifth to seventh abnormal sub-values may be subjected to weighted summation to obtain the third abnormal value.
Optionally, the associated account data includes an account associated with an account logged in the terminal to be detected, and calculating a fourth abnormal value of the terminal to be detected according to the associated account data includes: and determining the fourth abnormal value as a ninth target value under the condition that the terminal logged by the account related to the account logged in the terminal to be detected is a false terminal.
For example, if a terminal logged in by a friend of the account logged in on the terminal to be detected, or by another account in its address book, is a false terminal, the fourth abnormal value of the terminal to be detected is the ninth target value. The ninth target value is greater than the fourth abnormal value.
According to this embodiment, any of the account behavior data of the account logged in on the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of the account of the terminal to be detected is acquired, and the data to be detected is then analyzed to determine whether the terminal to be detected is a false terminal, which improves the accuracy of detecting the terminal to be detected.
As an alternative embodiment, the analysis unit comprises:
(1) The first acquisition module is used for acquiring a first abnormal value matched with the hardware data;
(2) The second acquisition module is used for acquiring a second abnormal value matched with the network environment data;
(3) The third acquisition module is used for acquiring a third abnormal value matched with the account behavior data;
(4) The fourth acquisition module is used for acquiring a fourth abnormal value matched with the associated account data;
(5) And the calculation module is used for performing weighted summation on the first abnormal value, the second abnormal value, the third abnormal value and the fourth abnormal value to obtain a target abnormal value.
Optionally, in the present scheme, in the process of determining whether the terminal to be detected is a false terminal, whether the terminal to be detected is a false terminal is determined by using a combination of four data, namely account behavior data for logging in an account of the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected, so that the effect of improving the detection accuracy of the terminal to be detected is achieved.
As an optional implementation, the first obtaining module includes:
(1) The first acquisition submodule is used for acquiring a white list corresponding to the hardware data of the terminal to be detected, wherein the white list comprises the hardware data of the entity terminal;
(2) And the first determining submodule is used for determining the first abnormal value as the first target value under the condition that the white list is detected not to include the hardware data of the terminal to be detected.
Optionally, in the scheme, whether the hardware data of the terminal to be detected is in the white list is detected, so that if the terminal to be detected is an automaton or other terminal, the white list does not include the hardware data of the automaton, and the effect of accurately acquiring the first abnormal value of the terminal to be detected is achieved.
As an optional implementation, the network environment data of the terminal to be detected includes: the protocol version number used by the terminal to be detected, the number of terminals under the IP where the terminal to be detected is located, the data reported by the terminal to be detected, and the number of requests of the terminal to be detected; the second acquisition module comprises:
(1) The second determining submodule is used for determining the first abnormal sub-value as a second target value when the protocol version number is different from the standard version number;
(2) The third determining submodule is used for determining the second abnormal sub-value as a third target value under the condition that the number of the terminals under the IP where the terminal to be detected is located is larger than the first threshold value;
(3) The fourth determining submodule is used for determining the third abnormal sub-value as a fourth target value when the data reported over the network is abnormal;
(4) The fifth determining submodule is used for determining the fourth abnormal sub-value as a fifth target value under the condition that the request number of the terminal to be detected is larger than the second threshold value;
(5) And the first calculation sub-module is used for fusing the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain a second abnormal value.
Optionally, in this scheme, the terminal to be detected may be a false terminal when the protocol version number of the terminal to be detected is not the standard version number. There may be multiple terminals under the IP of the terminal to be detected. If the number of the terminals is large, the terminal to be detected is probably a false terminal. And if the data reported by the terminal to be detected is abnormal, the terminal to be detected may be a false terminal. And if the number of the requests of the terminal to be detected in the preset time is large, the terminal to be detected is probably a false terminal.
The second abnormal value is determined by determining the first abnormal sub-value to the fourth abnormal sub-value, so that the accuracy of determining the second abnormal value is improved.
As an optional implementation scheme, the account behavior data includes a login time period, a login position, and an operation scenario of a login of an account of the terminal to be detected, and the third obtaining module includes:
(1) A sixth determining submodule, configured to determine that the fifth abnormal sub-value is the sixth target value when the login time period is not within the range of the common login time period;
(2) A seventh determining submodule, configured to determine the sixth abnormal sub-value as a seventh target value when the login position is different from the common login position;
(3) The eighth determining submodule is used for determining the seventh abnormal sub-value as an eighth target value when the operation scenario is different from the common operation scenario;
(4) And the second calculation submodule is used for fusing the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain a third abnormal value.
In this embodiment, determining the third abnormal value in this way raises the third abnormal value of an account that is not logged in at its common place and common time and is not used in its common operation scenario, which improves the accuracy of determining the third abnormal value.
As an optional implementation, the associated account data includes an account associated with an account logged in the terminal to be detected, and the fourth obtaining module includes:
(1) And the ninth determining submodule is used for determining the fourth abnormal value as the ninth target value under the condition that the terminal logged by the account related to the account logged in the terminal to be detected is a false terminal.
According to this embodiment, the fourth abnormal value is determined by whether an account associated with the account logged in on the terminal to be detected has logged in on a false terminal, which improves the accuracy of determining the fourth abnormal value.
As an alternative embodiment, the above apparatus further comprises:
(1) The deleting unit is used for deleting sensitive data in the data to be detected after the data to be detected of the terminal to be detected are obtained, wherein the sensitive data are privacy data of an account number of the terminal to be detected.
According to the embodiment, the privacy and the safety of the user are protected by deleting the sensitive data in the data to be detected.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device for implementing the above-mentioned false terminal detection method, as shown in fig. 5, the electronic device includes a memory 502 and a processor 504, the memory 502 stores a computer program therein, and the processor 504 is configured to execute the steps in any one of the above-mentioned method embodiments through the computer program.
Optionally, in this embodiment, the electronic apparatus may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, acquiring data to be detected of a terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected;
S2, integrating and analyzing the data to be detected to obtain a target abnormal value of the terminal to be detected;
S3, determining that the terminal to be detected is a false terminal when the target abnormal value is greater than a preset threshold value.
Alternatively, it can be understood by those skilled in the art that the structure shown in fig. 5 is only an illustration, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 5 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, etc.) than shown in FIG. 5, or have a different configuration than shown in FIG. 5.
The memory 502 may be used to store software programs and modules, such as program instructions/modules corresponding to the false terminal detection method and apparatus in the embodiments of the present invention, and the processor 504 executes various functional applications and data processing by running the software programs and modules stored in the memory 502, that is, the false terminal detection method described above is implemented. The memory 502 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 502 may further include memory located remotely from the processor 504, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 502 may be, but is not limited to, used for storing information such as data to be detected. As an example, as shown in fig. 5, the memory 502 may include, but is not limited to, the acquiring unit 402, the analyzing unit 404, and the determining unit 406 of the false terminal detecting device. In addition, other module units in the above false terminal detection device may also be included, but are not limited to this, and are not described in detail in this example.
Optionally, the transmission device 506 is used for receiving or sending data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 506 includes a Network adapter (NIC) that can be connected to a router via a Network cable and other Network devices to communicate with the internet or a local area Network. In one example, the transmission device 506 is a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In addition, the electronic device further includes: a display 508 for displaying the determination result; and a connection bus 510 for connecting the respective module parts in the above-described electronic apparatus.
According to a further aspect of an embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps in any of the method embodiments described above when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, acquiring data to be detected of a terminal to be detected, wherein the data to be detected comprises at least one of the following: account behavior data of the account logged in on the terminal to be detected, hardware data of the terminal to be detected, network environment data of the terminal to be detected, and associated account data of the account of the terminal to be detected;
S2, integrating and analyzing the data to be detected to obtain a target abnormal value of the terminal to be detected;
S3, determining that the terminal to be detected is a false terminal when the target abnormal value is greater than a preset threshold value.
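As an added illustration of steps S1 to S3 (listed here and in the processor embodiment above), the following Python example, which is not code from the patent, scores a terminal with the sub-value rules that claims 1 to 4 list. The fusion rule (fraction of checks that fired), every threshold and weight, the field names and the sample records are assumptions constructed for the example.

```python
# Added example; every constant, field name and record below is an assumption.
STANDARD_VERSION = "3.2"        # assumed "standard version number"
MAX_TERMINALS_PER_IP = 20       # assumed "first threshold"
MAX_REQUESTS = 500              # assumed "second threshold"
PRESET_THRESHOLD = 0.5          # assumed "preset threshold"
WEIGHTS = {"hardware": 0.3, "network": 0.3, "behavior": 0.2, "associated": 0.2}
SENSITIVE_FIELDS = {"phone", "real_name"}   # hypothetical privacy fields

def fuse(flags):
    """Assumed fusion: each fired check contributes a target value of 1; take the mean."""
    return sum(1.0 for f in flags if f) / len(flags)

def hardware_value(model, whitelist):
    """First abnormal value: hardware absent from the whitelist of real devices."""
    return 0.0 if model in whitelist else 1.0

def network_value(net):
    """Second abnormal value: fuse the four network sub-checks."""
    return fuse([
        net["protocol_version"] != STANDARD_VERSION,
        net["terminals_on_ip"] > MAX_TERMINALS_PER_IP,
        net["report_abnormal"],
        net["request_count"] > MAX_REQUESTS,
    ])

def behavior_value(beh, usual):
    """Third abnormal value: login time, login position, operation scenario."""
    return fuse([
        beh["login_hour"] not in usual["hours"],
        beh["location"] != usual["location"],
        beh["scenario"] not in usual["scenarios"],
    ])

def associated_value(associated_terminals, false_terminals):
    """Fourth abnormal value: an associated account logged in on a known false terminal."""
    return 1.0 if set(associated_terminals) & false_terminals else 0.0

def detect(record, whitelist, usual, false_terminals):
    """Return (target abnormal value, is_false_terminal, record without privacy fields)."""
    values = {
        "hardware": hardware_value(record["hardware"], whitelist),
        "network": network_value(record["network"]),
        "behavior": behavior_value(record["behavior"], usual),
        "associated": associated_value(record["associated_terminals"], false_terminals),
    }
    target = sum(WEIGHTS[k] * v for k, v in values.items())   # weighted summation
    account = {k: v for k, v in record["account"].items() if k not in SENSITIVE_FIELDS}
    return round(target, 3), target > PRESET_THRESHOLD, dict(record, account=account)

# Constructed sample inputs (not real data).
WHITELIST = {"SM-G9730", "iPhone11,2"}
USUAL = {"hours": set(range(8, 23)), "location": "CN-GD", "scenarios": {"chat", "pay"}}
FALSE_TERMINALS = {"t-77"}
BOT_RECORD = {
    "hardware": "emu-x86-generic", "associated_terminals": ["t-77"],
    "network": {"protocol_version": "2.9", "terminals_on_ip": 140,
                "report_abnormal": False, "request_count": 900},
    "behavior": {"login_hour": 3, "location": "CN-GD", "scenario": "bulk_follow"},
    "account": {"id": "acct-1001", "phone": "000-0000", "real_name": "constructed"},
}
REAL_RECORD = {
    "hardware": "SM-G9730", "associated_terminals": [],
    "network": {"protocol_version": "3.2", "terminals_on_ip": 3,
                "report_abnormal": False, "request_count": 40},
    "behavior": {"login_hour": 20, "location": "CN-GD", "scenario": "chat"},
    "account": {"id": "acct-2002", "phone": "000-0001", "real_name": "constructed"},
}

if __name__ == "__main__":
    for rec in (BOT_RECORD, REAL_RECORD):
        print(detect(rec, WHITELIST, USUAL, FALSE_TERMINALS)[:2])
```

Because the four values are weighted before thresholding, a single noisy signal such as many terminals behind one shared IP does not by itself flag an otherwise ordinary device under these assumed weights.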
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, read-only memories (ROMs), random access memories (RAMs), magnetic or optical disks, and the like.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention, in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, or network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis, and reference may be made to the related description of other embodiments for parts that are not described in detail in a certain embodiment.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other ways. The above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one type of logical functional division, and other divisions may be implemented in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and amendments can be made without departing from the principle of the present invention, and these modifications and amendments should also be considered as the protection scope of the present invention.

Claims (7)

1. A false terminal detection method is characterized by comprising the following steps:
acquiring data to be detected of a terminal to be detected, wherein the data to be detected comprises: the software data of the terminal to be detected, the account behavior data for logging in the account of the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of the account of the terminal to be detected, wherein the network environment data comprises: the number of the terminals under the IP of the terminal to be detected and the protocol version number used by the terminal to be detected;
when the protocol version number is different from the standard version number, determining a first abnormal sub-value as a second target value; determining a second abnormal sub-value as a third target value when the number of terminals under the IP of the terminal to be detected is greater than a first threshold value; determining a third abnormal sub-value as a fourth target value when the network reported data of the terminal to be detected is abnormal; determining a fourth abnormal sub-value as a fifth target value when the number of requests of the terminal to be detected is greater than a second threshold value;
fusing the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain a second abnormal value;
performing weighted summation on a first abnormal value, the second abnormal value, a third abnormal value and a fourth abnormal value to obtain a target abnormal value, wherein the first abnormal value is a value matched with the hardware data, the third abnormal value is a value matched with the account behavior data, and the fourth abnormal value is a value matched with the associated account data;
and under the condition that the target abnormal value is larger than a preset threshold value, determining that the terminal to be detected is a false terminal controlled by automaton software, and deleting sensitive data in the data to be detected, wherein the sensitive data is privacy data of an account number logged in the terminal to be detected.
2. The method of claim 1, wherein before the weighted summation of the first abnormal value, the second abnormal value, the third abnormal value, and the fourth abnormal value to obtain the target abnormal value, the method further comprises:
acquiring a white list corresponding to the hardware data of the terminal to be detected, wherein the white list comprises the hardware data of the entity terminal;
and under the condition that the white list is detected not to include the hardware data of the terminal to be detected, determining the first abnormal value as a first target value.
3. The method according to claim 1, wherein the account behavior data includes a login time period, a login position, and an operation scenario for logging in the account of the terminal to be detected, and before the weighted summation of the first abnormal value, the second abnormal value, the third abnormal value, and the fourth abnormal value to obtain the target abnormal value, the method further includes:
determining a fifth abnormal sub-value as a sixth target value when the login time period is not within the range of the common login time period;
determining a sixth abnormal sub-value as a seventh target value under the condition that the login position is different from the common login position;
determining a seventh abnormal sub-value as an eighth target value under the condition that the operation scene is different from the common operation scene;
and fusing the fifth abnormal sub-value, the sixth abnormal sub-value and the seventh abnormal sub-value to obtain the third abnormal value.
4. The method according to claim 1, wherein the associated account data includes an account associated with the account logged in on the terminal to be detected, and before the weighted summation of the first abnormal value, the second abnormal value, the third abnormal value, and the fourth abnormal value to obtain the target abnormal value, the method further includes:
and determining the fourth abnormal value as a ninth target value when a terminal on which the account associated with the account logged in on the terminal to be detected has logged in is a false terminal.
5. A false terminal detection apparatus, comprising:
an acquisition unit, configured to acquire data to be detected of a terminal to be detected, wherein the data to be detected comprises: the software data of the terminal to be detected, the account behavior data for logging in the account of the terminal to be detected, the hardware data of the terminal to be detected, the network environment data of the terminal to be detected and the associated account data of the account of the terminal to be detected, wherein the network environment data comprises: the number of the terminals under the IP of the terminal to be detected and the protocol version number used by the terminal to be detected;
the device is further configured to determine, when the protocol version number is different from a standard version number, a first abnormal sub-value as a second target value; determine a second abnormal sub-value as a third target value when the number of terminals under the IP of the terminal to be detected is greater than a first threshold value; determine a third abnormal sub-value as a fourth target value when the network reported data of the terminal to be detected is abnormal; determine a fourth abnormal sub-value as a fifth target value when the number of requests of the terminal to be detected is greater than a second threshold value; fuse the first abnormal sub-value, the second abnormal sub-value, the third abnormal sub-value and the fourth abnormal sub-value to obtain a second abnormal value; and perform weighted summation on a first abnormal value, the second abnormal value, a third abnormal value and a fourth abnormal value to obtain a target abnormal value, wherein the first abnormal value is a value matched with the hardware data, the third abnormal value is a value matched with the account behavior data, and the fourth abnormal value is a value matched with the associated account data;
and the determining unit is used for determining that the terminal to be detected is a false terminal controlled by automaton software and deleting sensitive data in the data to be detected under the condition that the target abnormal value is greater than a preset threshold value, wherein the sensitive data is privacy data of an account number for logging in the terminal to be detected.
6. A storage medium storing a computer program, characterized in that the computer program executes the method of any of claims 1 to 4 when running.
7. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 4 by means of the computer program.
CN201910791889.2A 2019-08-26 2019-08-26 False terminal detection method and device, storage medium and electronic device Active CN112437034B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910791889.2A CN112437034B (en) 2019-08-26 2019-08-26 False terminal detection method and device, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN112437034A CN112437034A (en) 2021-03-02
CN112437034B true CN112437034B (en) 2022-11-22

Family

ID=74689856

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910791889.2A Active CN112437034B (en) 2019-08-26 2019-08-26 False terminal detection method and device, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN112437034B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113271315A (en) * 2021-06-08 2021-08-17 工银科技有限公司 Virtual private network abnormal use detection method and device and electronic equipment
CN113676480B (en) * 2021-08-20 2023-11-14 北京顶象技术有限公司 Equipment fingerprint tampering detection method and device
CN114697079B (en) * 2022-02-28 2023-08-11 山东赤子城网络技术有限公司 Method and system for detecting illegal user of application client

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105975379A (en) * 2016-05-25 2016-09-28 北京比邻弘科科技有限公司 False mobile device recognition method and system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9565203B2 (en) * 2014-11-13 2017-02-07 Cyber-Ark Software Ltd. Systems and methods for detection of anomalous network behavior
WO2016182156A1 (en) * 2015-05-14 2016-11-17 디투이모션 주식회사 Mobile terminal for detecting abnormal activity and system including same
CN108171519A (en) * 2016-12-07 2018-06-15 阿里巴巴集团控股有限公司 The processing of business datum, account recognition methods and device, terminal
CN106657062B (en) * 2016-12-22 2020-03-20 珠海市魅族科技有限公司 User identification method and device
CN108512980A (en) * 2018-02-13 2018-09-07 维沃移动通信有限公司 A kind of detection method and mobile terminal of mobile terminal

Similar Documents

Publication Publication Date Title
CN110177108B (en) Abnormal behavior detection method, device and verification system
EP3622402B1 (en) Real time detection of cyber threats using behavioral analytics
CN112437034B (en) False terminal detection method and device, storage medium and electronic device
US11496495B2 (en) System and a method for detecting anomalous patterns in a network
CN106469276B (en) Type identification method and device of data sample
CN113489713B (en) Network attack detection method, device, equipment and storage medium
CN108334758B (en) Method, device and equipment for detecting user unauthorized behavior
CN111786950A (en) Situation awareness-based network security monitoring method, device, equipment and medium
CN109547426B (en) Service response method and server
CN113706100B (en) Real-time detection and identification method and system for Internet of things terminal equipment of power distribution network
CN107409134A (en) Method card analysis
CN110675252A (en) Risk assessment method and device, electronic equipment and storage medium
CN110457601B (en) Social account identification method and device, storage medium and electronic device
CN110162957B (en) Authentication method and device for intelligent equipment, storage medium and electronic device
CN115827379A (en) Abnormal process detection method, device, equipment and medium
CN117391214A (en) Model training method and device and related equipment
CN112866295B (en) Big data crawler-prevention processing method and cloud platform system
CN114760140A (en) APT attack tracing graph analysis method and device based on cluster analysis
CN114329449A (en) System security detection method and device, storage medium and electronic device
CN113254672A (en) Abnormal account identification method, system, equipment and readable storage medium
CN111160738A (en) Event processing method and device, storage medium and electronic device
CN112580089A (en) Information leakage early warning method, device and system, storage medium and electronic device
EP4254241A1 (en) Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same
CN114816964B (en) Risk model construction method, risk detection device and computer equipment
CN111930995B (en) Data processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant