CN112445785B - Account blasting detection method and related device - Google Patents


Info

Publication number: CN112445785B
Application number: CN201910816740.5A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112445785A
Inventors: 马长春, 尚保林
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd

Classifications

    • G06F16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
    • G06F16/2474 Sequence data queries, e.g. querying versioned data
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The application discloses an account blasting detection method comprising the following steps: cleaning the login event log according to a preset format to obtain standard login event data; serializing each login event in the login event data according to the time information in the standard login event data to obtain time sequence data of all login events; and performing account blasting detection on the time sequence data to obtain a detection result. By converting the login event log into time-varying sequence data, account blasting detection over a longer time span is achieved and detection accuracy is improved. The application also discloses an account blasting detection device, a computer device and a computer readable storage medium, which provide the same benefits.

Description

Account blasting detection method and related device
Technical Field
The present application relates to the field of computer technologies, and in particular to an account blasting detection method, an account blasting detection device, a computer device, and a computer readable storage medium.
Background
Techniques for cracking account data in network security include account blasting, in which an attacker attempts to log in by enumerating possible account/password combinations until a valid network account and its correct password are found. This is a form of brute-force cracking: it compromises the account data once it succeeds, and it also loads the server while it is in progress. Detection is therefore required to find out in time whether account blasting is occurring.
One prior-art approach is statistical threshold detection, which is also the most basic method: detection is performed using threshold rules on the frequency of login attempts. This approach is ineffective against distributed or slow blasting.
Another prior-art approach identifies anomalous logins from the perspective of the login IP and physical address, for example an implausible physical location, intermittent anomalies in the login location, or a public cloud IP. Although not aimed directly at blasting, it can reveal anomalies when distributed blasting is used, but it relies on published IP geolocation libraries and public cloud IP information.
A further prior-art approach inspects the content of the attempted password, the basic idea being to judge whether it is a weak password or a publicly leaked one. This method can detect blasting risk promptly, but it requires auditing the login password in plaintext and therefore has lower security.
The prior-art detection of account blasting therefore still suffers from missed reports and false reports; the effectiveness and accuracy of detection cannot be maintained, and the usability of the security product is reduced.
Therefore, how to improve the accuracy of account blasting detection is a major concern for those skilled in the art.
Disclosure of Invention
The application aims to provide an account blasting detection method, an account blasting detection device, a computer device and a computer readable storage medium, which realize account blasting detection over a longer time span and improve detection accuracy by converting a login event log into time-varying sequence data.
In order to solve the technical problems, the application provides an account blasting detection method, which comprises the following steps:
carrying out data cleaning treatment on the login event log according to a preset format to obtain standard login event data;
carrying out serialization processing on each login event in the login event data according to the time information in the standard login event data to obtain time sequence data of all login events;
and carrying out account blasting detection on the time sequence data to obtain a detection result.
Optionally, performing data cleaning processing on the login event log according to a preset format to obtain standard login event data, including:
determining corresponding decoding operation according to the attribute information of the login event log;
executing the decoding operation on the login event log to obtain decoded log data;
and reconstructing the decoded log data according to the preset format to obtain the standard login event data.
Optionally, the reconstructing the decoded log data according to the preset format to obtain the standard login event data includes:
desensitizing the decoded log data to obtain desensitized log data;
and reconstructing the desensitized log data according to the preset format to obtain the standard login event data.
Optionally, serializing each login event in the login event data according to the time information in the standard login event data to obtain time sequence data of all login events includes:
encoding information except time information of each login event in the standard login event data into a character string;
converting the time information corresponding to all the same character strings according to the time domain characteristics to obtain time domain characteristic data corresponding to each character string;
and taking the time domain characteristic data corresponding to all the character strings as the time sequence data of all the login events.
Optionally, performing account blasting detection on the time series data to obtain a detection result, including:
respectively carrying out data reconstruction processing on the time sequence data according to a plurality of time scales to obtain a login data sequence corresponding to each time scale;
respectively carrying out statistical calculation processing on each login data sequence to obtain a statistical value corresponding to each time scale;
and comparing the statistical value of each time scale against the threshold value corresponding to that time scale to obtain the detection result.
Optionally, performing account blasting detection on the time series data to obtain a detection result, including:
Performing frequency domain conversion on the time sequence data to obtain frequency domain data;
And comparing and detecting the frequency domain data through a frequency threshold value to obtain the detection result.
Optionally, performing account blasting detection on the time series data to obtain a detection result, including:
performing account blasting detection on the time series data through a detection model to obtain a detection result;
The detection model is obtained by training on data processed by a detection algorithm; the detection algorithm comprises a multi-scale statistical detection algorithm, a Fourier detection algorithm and a Markov detection algorithm.
The application also provides an account blasting detection device, which comprises:
The data cleaning module is used for performing data cleaning processing on the login event log according to a preset format to obtain standard login event data;
The time sequence coding module is used for carrying out serialization processing on each login event in the login event data according to the time information in the standard login event data to obtain time sequence data of all the login events;
And the account blasting detection module is used for carrying out account blasting detection on the time series data to obtain a detection result.
The present application also provides a computer device comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the account blasting detection method described above when executing the computer program.
The present application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor implements the steps of the account blasting detection method as described above.
The application provides an account blasting detection method, which comprises the following steps: carrying out data cleaning treatment on the login event log according to a preset format to obtain standard login event data; carrying out serialization processing on each login event in the login event data according to the time information in the standard login event data to obtain time sequence data of all login events; and carrying out account blasting detection on the time sequence data to obtain a detection result.
The obtained login event log is cleaned to produce standard login event data in a unified format; that data is then serialized in the time domain to produce the corresponding time sequence data, so that the occurrence of login events can be analysed over a longer time scale; finally, account blasting detection is performed on the time sequence data to obtain a detection result. Because the method does not merely examine statistics of event occurrence within a single time range, the periodic attributes of login events are observed more accurately, low-frequency, long-period account blasting is not missed, and detection precision and accuracy are improved.
The application also provides an account blasting detection device, a computer device and a computer readable storage medium, which provide the same benefits and are not described again here.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a first method for detecting account blasting according to an embodiment of the present application;
Fig. 2 is a flowchart of a second method for detecting account blasting according to an embodiment of the present application;
Fig. 3 is a flowchart of a third method for detecting account blasting according to an embodiment of the present application;
Fig. 4 is a flowchart of a fourth method for detecting account blasting according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an account blasting detection device according to an embodiment of the present application.
Detailed Description
The core of the application is to provide an account blasting detection method, an account blasting detection device, a computer device and a computer readable storage medium, which realize account blasting detection over a longer time span and improve detection accuracy by converting a login event log into time-varying sequence data.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In the prior art, whether a statistical threshold is used, login address identification is used, the content of login passwords is inspected, or abnormal characteristics are compared against historical baselines, the methods only switch between different objects of frequency calculation within a single time range. Each detection mode is very limited, a more comprehensive detection result cannot be obtained, and false alarms and missed reports occur frequently. The reason is that the observation window is too small: detection is not placed on a larger time scale, so the periodicity of account blasting and its low-frequency, long-duration character cannot be judged well, and the accuracy and precision of detection are reduced.
The application therefore provides an account blasting detection method that first cleans the acquired login event log to obtain standard login event data in a unified format, then serializes the standard login event data in the time domain to obtain the corresponding time sequence data, analyses the occurrence of login events over a longer time scale, and finally performs account blasting detection on the time sequence data to obtain a detection result. Rather than only examining the statistical value of event occurrence in a single time range, it observes the periodic attributes of login events more accurately, avoids missing low-frequency, long-period account blasting, and improves detection precision and accuracy.
Referring to fig. 1, fig. 1 is a flowchart of a first method for detecting account blasting according to an embodiment of the present application.
In this embodiment, the method may include:
S101, performing data cleaning processing on a login event log according to a preset format to obtain standard login event data;
This step aims to obtain standard login event data in a fixed format from logs of different formats. Within one login environment the record format of the login event log is generally consistent, but not all of the data in the log is useful for account blasting detection, so the useless data must be removed and the remainder arranged into a preset format; this is the data cleaning process.
On the other hand, the formats of the collected login event logs differ between login environments. Therefore, besides removing useless data, the different event logs must be reconstructed according to the preset format to obtain standard login event data in a uniform format.
Specifically, in this step the preset format determines which data types are retained, which log content is discarded, and the data format finally produced. Further, since account blasting detection in this embodiment is performed mainly in the time domain, the output standard login event data must include time information, so the preset format in this step includes time information. The preset format may also include other kinds of information, such as the source IP, destination host information, login method, whether authentication succeeded, the password used for login, and the user name used for login. Which information makes up the preset format can be set from experience, determined according to the detection algorithm selected in a later step, or determined from the set of information available in the acquired login event log.
Accordingly, in order to clean the login event log, this embodiment also needs to decode the acquired login event log and perform the corresponding data rejection on the decoded log data.
Therefore, optionally, cleaning the login event log according to the preset format to obtain the standard login event data may include: determining the corresponding decoding operation according to the attribute information of the login event log; performing the decoding operation on the login event log to obtain decoded log data; and reconstructing the decoded log data according to the preset format to obtain the standard login event data.
Since the formats of login event logs collected from different service environments may differ, different decoding operations need to be determined for the different login event logs. In this alternative, the determination is based on the attribute information of the login event log, or may be made from the source of the login event log. For example, a mail server may have a mail log; Windows login events are recorded in the Windows security log; and Linux login events are recorded in /var/log/secure.
The reconstruction process rearranges and sorts the information in the decoded log data according to the preset format, rejects the remaining irrelevant information not contained in the preset format, and reconstructs the data in the new format, namely the standard login event data with a unified data format.
Further, to avoid theft of the user's key information, this alternative may also desensitize the decoded log data, i.e. avoid transmitting the user name and password in the clear. Therefore, preferably, reconstructing the decoded log data according to the preset format to obtain the standard login event data may include: desensitizing the decoded log data to obtain desensitized log data; and reconstructing the desensitized log data according to the preset format to obtain the standard login event data.
The specific desensitization treatment may be any desensitization method provided in the prior art and is not specifically limited here.
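The cleaning step of S101 as an added example, not code from the patent: the decoder is chosen from the log's source attribute, each Linux /var/log/secure sshd line is parsed into a preset format, records that do not fit are rejected, and the user name is desensitized with a keyed hash before it leaves the collector. The field layout (time, src, dst, method, success, user), the destination host, the year (absent from syslog lines) and the secret are assumptions supplied by the caller.

```python
import hmac
import re
from datetime import datetime, timezone

# Added example; the preset format used here is an assumption, the patent
# lists these fields as options but fixes no layout.

# Decoder for the Linux /var/log/secure sshd format named in the text.
# Only the password-authentication lines are relevant to blasting detection;
# anything else on the file is treated as useless data and rejected.
SECURE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed placeholder secret for desensitization, not a real key.
DESENSITIZE_KEY = b"replace-with-a-per-deployment-secret"


def desensitize(value):
    """Keyed hash so the user name is never stored or transmitted in clear,
    while equal names still map to equal tokens for later grouping."""
    return hmac.new(DESENSITIZE_KEY, value.encode(), "sha256").hexdigest()[:16]


def decode_linux_secure(line, year, dst):
    """Decode one sshd line into the preset format, or None if irrelevant.
    syslog lines carry no year, so the caller supplies it; UTC is assumed."""
    m = SECURE_RE.match(line)
    if m is None:
        return None
    h, mi, s = (int(x) for x in m["hms"].split(":"))
    when = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s,
                    tzinfo=timezone.utc)
    return {
        "time": when.timestamp(),
        "src": m["src"],
        "dst": dst,
        "method": "ssh-password",
        "success": m["outcome"] == "Accepted",
        "user": desensitize(m["user"]),
    }


# Decoding operation selected from the log's attribute information (source).
# Further sources (Windows security log, mail log) would be registered here.
DECODERS = {"linux-secure": decode_linux_secure}


def clean(lines, source, year, dst):
    """Data cleaning: decode with the source's decoder, keep only records
    that fit the preset format."""
    decoder = DECODERS[source]
    return [ev for ev in (decoder(line, year, dst) for line in lines) if ev]


# Constructed sample lines. The first timestamp equals the minimum login
# time quoted in the patent's example (1540799355 = 2018-10-29 07:49:15 UTC).
SAMPLE_LINES = [
    "Oct 29 07:49:15 srv sshd[2211]: Failed password for admin from 200.200.158.56 port 51234 ssh2",
    "Oct 29 07:49:20 srv sshd[2211]: Failed password for invalid user root from 200.200.158.56 port 51240 ssh2",
    "Oct 29 07:50:01 srv CRON[2300]: pam_unix(cron:session): session opened for user root",
    "Oct 29 07:51:02 srv sshd[2299]: Accepted password for alice from 10.0.0.5 port 2222 ssh2",
]


def demo():
    """Clean the constructed sample against the assumed destination host."""
    return clean(SAMPLE_LINES, "linux-secure", 2018, "200.200.158.74")
```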
S102, carrying out serialization processing on each login event in login event data according to time information in standard login event data to obtain time sequence data of all login events;
Building on S101, this step aims to place the discrete standard login event data onto a time scale. That is, the login event data is serialized according to the time information of each login event to obtain a time sequence for each login event, i.e. the time sequence data of all login events.
Generally, the prior art counts the login events corresponding to a particular item in the login event data to obtain the number or frequency of occurrences within a certain time, and judges whether account blasting has occurred by a threshold. However, as detection technology develops, the technique of account blasting also changes. For example, by reducing the number of login attempts and prolonging the duration of the blasting, each abnormal indicator is reduced to a value that existing account blasting detection cannot detect, so it cannot tell whether account blasting is occurring. Blasting detection in the prior art is therefore prone to missed reports or false reports.
However, no matter how account blasting changes, effective brute-force cracking of the targeted account still requires the same expected number of attempts: a large number of different account/password pairs must still be tried in actual operation, and because the amount of data to try is so large, the blasting attack must still be automated. If more IP addresses are used to carry out the cracking, each IP is still assigned a workload exceeding the number of normal logins. Therefore, instead of simply computing statistics and deciding, the login event data can be distributed in time units so that the waveform of the data over the time axis can be observed. When the login event data is displayed on the time axis, the periodicity of account blasting can be conveniently judged, i.e. whether an account blasting attack is occurring can be decided by a certain periodicity rule.
The main purpose of this step is therefore to convert the discrete standard login event data, in which each event is independent, into time waveform data presented on the time axis, i.e. the time series data of this step. The time information used is the login occurrence time of each login event. In this embodiment, login events whose data are identical except for the time information are treated as the same login event. For example, one login event is:
Another login event is:
The two login events are identical except for the login time, so they are merged into the same login event. Through this step, therefore, all login events in the login event log and all the time information corresponding to each login event can be found, and all that time information can then be serialized to obtain the time sequence data corresponding to each login event. Specifically, all time information corresponding to each login event is formed into corresponding waveform data within a certain time range according to a preset time unit.
Optionally, this step may include: encoding the information of each login event in the standard login event data other than the time information into a character string; converting the time information corresponding to all identical character strings according to the time domain information to obtain time domain feature data corresponding to each character string; and taking the time domain feature data corresponding to all character strings as the time sequence data of all login events. The time domain feature data is the time sequence corresponding to each character string. A time series (or dynamic series) is a sequence of values of the same statistical indicator arranged in order of occurrence. The main purpose of time series analysis is to predict the future from existing historical data. The time unit in a time series may be years, quarters, months or any other form, depending on the observation time. Therefore, the change rule of the login event can be obtained from the time sequence, and prediction can be performed.
Taking one login event as an example, a login event includes the login time, source IP, destination IP, login method, success or failure, and user name. One login event is:
First, a key value is generated by splicing the source IP, destination IP, login method, success or failure, and user name, giving 200.200.158.56_200.200.158.74_3_admin. The key value is then mapped to a string of uniform length by a hash algorithm, giving 032083b96512ec5b664ef3f333dd3589. All login times with the same key value are then collected: the maximum time is 1540799671.44, corresponding to minute 25679994, and the minimum time is 1540799355.69, corresponding to minute 25679989; the maximum minus the minimum is 5, so the length of the time sequence for this login event is 6. Login times falling in the same minute are combined into a count, and minutes in which no login occurred are set to 0. The time sequence of the login event is obtained as follows:
Each number in the time series is the number of occurrences at that time point. The time waveform of the login event can be obtained from the time sequence, so its periodicity can be judged conveniently.
Thus the time series of each login event, i.e. the time series data of all login events, can be acquired in the above manner, and the periodicity of the login event can be detected from the time sequence data to judge whether account blasting is occurring.
S103, performing account blasting detection on the time sequence data to obtain a detection result.
Building on S102, this step performs account blasting detection on the time series data to obtain a detection result. Given the time sequence over the longer period obtained above, any periodicity judgment method provided in the prior art may be used in this step to obtain the detection result; the detection methods of the following embodiments may also be used, and no particular limitation is made here.
In addition, in this embodiment, false alarm removal may be applied to the detection result. Specifically, false alarm removal mainly uses a prepared white list: when certain indicator data of a login event matches data in the white list, the login event is judged to be a false report and is removed from the detection result. The indicator data may be an IP address, a user name, or an IP address together with a user name. The white list is generated mainly from past successful login information, i.e. when a certain IP succeeds in logging in with a certain user name within a relatively small number of attempts, that IP address and user name are added to the white list.
In summary, in this embodiment the obtained login event log is cleaned to produce standard login event data in a uniform format; that data is then serialized in the time domain to produce the corresponding time sequence data, so that the occurrence of login events can be analysed over a longer time scale; finally, account blasting detection is performed on the time sequence data to obtain a detection result. Because the method does not merely examine statistics of event occurrence within a single time range, the periodic attributes of login events are observed more accurately, low-frequency, long-period account blasting is not missed, and detection precision and accuracy are improved.
The following describes the serialization processing of the account blasting detection method in more detail through a more specific embodiment.
The present embodiment may include:
First, a key value is generated by splicing the source IP, destination IP, login method, success or failure, and user name of the login event.
For the two login events in the example above, the intermediate key value 200.200.158.56_200.200.158.74_3_admin is generated. It is mapped by a hash algorithm into a string of uniform length, 032083b96512ec5b664ef3f333dd3589. Clearly the same source IP, destination IP, login method and user name will generate the same key value.
Then the sequence length is determined from the maximum and minimum login times. The sequence length represents the number of minutes spanned by the login events.
Specifically, since the Unix epoch counts from 00:00 on 1 January 1970 (Greenwich Mean Time), a time given in seconds may first be converted into minutes: the time is divided by 60 and rounded down, giving the number of minutes that have elapsed since 00:00 on 1 January 1970.
For each key, a sequence of length n is generated, where n is the maximum minute number minus the minimum minute number plus one, so that both endpoints have a position (in the example above a difference of 5 gives a length of 6). Each element of the sequence is an integer representing the number of times the login event with that key value occurred, initialized to 0.
Finally, all login events are traversed: the key value of each login event is computed from its description, the position of the event in the sequence is found from its time, and the element at the corresponding position in the sequence for that key value is incremented, producing the time sequence corresponding to the login event.
The shape is as follows:
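The serialization of S102 and of the embodiment just described, as an added example that is not the patent's code: key splicing, a fixed-length hash, minute bucketing and a per-key count sequence covering the minimum to the maximum minute. MD5 is an assumption (the patent only says "a hash algorithm", and its digest is 32 hex characters); the key here includes the success/failure flag the text lists, although the printed example key shows only four parts, so the exact field composition is also an assumption. The sample events are constructed and reuse the two epoch times quoted in the example.

```python
import hashlib
import math
from collections import defaultdict

# Constructed standard login event data (not from the patent). The first and
# last admin events carry the minimum and maximum times quoted in the text.
EVENTS = [
    {"time": 1540799355.69, "src": "200.200.158.56", "dst": "200.200.158.74",
     "method": "3", "success": False, "user": "admin"},
    {"time": 1540799400.10, "src": "200.200.158.56", "dst": "200.200.158.74",
     "method": "3", "success": False, "user": "admin"},
    {"time": 1540799402.00, "src": "200.200.158.56", "dst": "200.200.158.74",
     "method": "3", "success": False, "user": "admin"},
    {"time": 1540799671.44, "src": "200.200.158.56", "dst": "200.200.158.74",
     "method": "3", "success": False, "user": "admin"},
    {"time": 1540799500.00, "src": "10.0.0.5", "dst": "200.200.158.74",
     "method": "3", "success": True, "user": "alice"},
]


def event_key(ev):
    """Splice every field except the time into one key string, then map it
    to a fixed-length digest. MD5 is assumed; any fixed-length hash works
    because the digest is only used as a grouping key."""
    raw = "_".join([ev["src"], ev["dst"], ev["method"],
                    "ok" if ev["success"] else "fail", ev["user"]])
    return raw, hashlib.md5(raw.encode()).hexdigest()


def to_minute(ts):
    """Epoch seconds -> whole minutes since 1970-01-01 00:00 UTC (floor)."""
    return math.floor(ts / 60)


def serialize(events):
    """Return {digest: counts per minute}, one sequence per key, spanning
    the key's minimum to maximum minute inclusive."""
    minutes = defaultdict(list)
    for ev in events:
        _, digest = event_key(ev)
        minutes[digest].append(to_minute(ev["time"]))
    series = {}
    for digest, mins in minutes.items():
        lo, hi = min(mins), max(mins)
        seq = [0] * (hi - lo + 1)      # +1 so both endpoints have a slot
        for m in mins:
            seq[m - lo] += 1           # one increment per login event
        series[digest] = seq
    return series
```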
The method for detecting the account blasting is further described below through an embodiment.
Referring to fig. 2, fig. 2 is a flowchart of a second method for detecting account blasting according to an embodiment of the present application.
In this embodiment, the method may include:
S201, carrying out data cleaning processing on the login event log according to a preset format to obtain standard login event data;
S202, carrying out serialization processing on each login event in login event data according to time information in standard login event data to obtain time sequence data of all login events;
S203, respectively carrying out data reconstruction processing on the time sequence data according to a plurality of time scales to obtain a login data sequence corresponding to each time scale;
S204, respectively carrying out statistical calculation processing on each login data sequence to obtain a statistical value corresponding to each time scale;
S205, comparing and detecting the corresponding statistical value according to the threshold value corresponding to each time scale to obtain a detection result.
In short, in this embodiment the time series data are analyzed on different time scales. Scale is a familiar concept: observing the same object at different scales yields different information. For example, when observing a tree, its outline can be seen at the scale of meters, the details of its leaves at the scale of centimeters, and the details of its cells at the scale of micrometers. Applied to account blasting detection, the time spans of different observation windows serve as different time scales.
The data reconstruction processing of the time series data converts the time unit of the time series. For example, the native time unit of the time series data is minutes, while the time scales on which processing is performed include a scale in hours and a scale in days. Therefore, the time units must be converted and the data falling into the same new time unit merged, giving the login data sequence corresponding to each reconstructed time scale. The statistical values corresponding to each time scale are then calculated; these may include the maximum, the average, and the consistency. Finally, the statistical values of each time scale are compared against their thresholds. A blasting event may be determined when a statistical value exceeds its preset threshold, or when the statistical values within a preset range exceed their preset thresholds; the preset range may be the statistical values on some of the time scales, or some of the statistical values on some of the time scales.
In this embodiment, the login event data may also be reconstructed by merging other identical index fields. For example, events with the same destination IP, login method and user name are merged by summing the data at corresponding positions of their time series, giving the login data sequence for that destination IP, login method and user name. Merging events with the same source IP and login method, or with the same source IP alone, is also conceivable; the merging method is not specifically limited here.
Reconstructing by other identical index fields provides different observation angles and avoids detection from a single angle, making account blasting detection more comprehensive and improving detection precision and accuracy.
For the specific implementation of steps S201 and S202, reference may be made to the content of the foregoing embodiment, and no further description is given here.
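Steps S203 to S205 (multi-scale reconstruction, per-scale statistics and threshold comparison), as an added example that is not part of the patent text. The consistency statistic is assumed to be the share of non-empty buckets, and the thresholds are constructed values; the patent leaves both to configuration. The low-and-slow sample shows why the coarser scale matters: no single minute is noisy, but activity in every hour is.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Observation windows expressed as the number of minute buckets they merge (minute, hour, day).
SCALES: Dict[str, int] = {"minute": 1, "hour": 60, "day": 1440}

# Constructed thresholds per scale and statistic; the patent leaves the values to configuration.
THRESHOLDS: Dict[str, Dict[str, float]] = {
    "minute": {"max": 20},                        # a burst: many attempts within one minute
    "hour":   {"max": 100, "consistency": 0.9},   # activity in almost every hour is suspicious
    "day":    {"average": 500},
}


def rescale(minute_seq: List[int], factor: int) -> List[int]:
    """Data reconstruction: merge every `factor` consecutive minute buckets into one coarser bucket."""
    return [sum(minute_seq[i:i + factor]) for i in range(0, len(minute_seq), factor)]


def consistency(seq: List[int]) -> float:
    """Share of buckets with at least one login (assumed definition of the patent's 'consistency')."""
    return sum(1 for v in seq if v > 0) / len(seq) if seq else 0.0


def statistics_for(seq: List[int]) -> Dict[str, float]:
    return {"max": max(seq), "average": mean(seq), "consistency": consistency(seq)}


def multiscale_detect(minute_seq: List[int]) -> Tuple[bool, Dict[str, Tuple[Dict[str, float], List[str]]]]:
    """Compute the statistics on every scale and list the statistics that exceed their threshold."""
    results: Dict[str, Tuple[Dict[str, float], List[str]]] = {}
    for name, factor in SCALES.items():
        stats = statistics_for(rescale(minute_seq, factor))
        hits = [stat for stat, thr in THRESHOLDS[name].items() if stats[stat] > thr]
        results[name] = (stats, hits)
    blasting = any(hits for _, hits in results.values())
    return blasting, results


# Constructed: two days of minute buckets, one attempt every 5 minutes (low frequency, long period).
LOW_AND_SLOW = [1 if m % 5 == 0 else 0 for m in range(2 * 1440)]
# Constructed: one day that is quiet except for 50 attempts in a single minute.
BURST = [50 if m == 600 else 0 for m in range(1440)]

if __name__ == "__main__":
    for label, seq in (("low-and-slow", LOW_AND_SLOW), ("burst", BURST)):
        flag, res = multiscale_detect(seq)
        print(label, flag, {scale: hits for scale, (_, hits) in res.items()})
```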
The method for detecting the account blasting is further described below through an embodiment.
Referring to fig. 3, fig. 3 is a flowchart of a third method for detecting account blasting according to an embodiment of the present application.
In this embodiment, the method may include:
S301, performing data cleaning processing on the login event log according to a preset format to obtain standard login event data;
S302, carrying out serialization processing on each login event in login event data according to time information in standard login event data to obtain time sequence data of all login events;
S303, performing frequency domain conversion on the time sequence data to obtain frequency domain data;
S304, comparing and detecting the frequency domain data through the frequency threshold value to obtain a detection result.
It can be seen that in this embodiment the time series data is converted into the frequency domain, so that the spectral structure and the pattern of change of the login events can be observed. The periodicity of the login event data, and the high-energy response it exhibits at a specific frequency, can thus be observed more directly. Finally, the frequency domain data is compared against a frequency threshold to obtain the detection result: it may be judged directly whether the frequency data exceeds the frequency threshold, and if so, account blasting is determined to exist.
Specifically, any frequency domain conversion method provided in the prior art may be used in this embodiment, which is not specifically limited herein.
For the specific implementation of steps S301 and S302, reference may be made to the content of the foregoing embodiment, and no further description is given here.
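Steps S303 and S304 (frequency domain conversion and comparison against a frequency threshold), as an added example that is not part of the patent text. The patent does not fix a conversion method; a plain discrete Fourier transform is used here, and the sequences and the threshold are constructed. A login attempt every 10 minutes concentrates its energy in the bin whose period is 10 samples, while a few unrelated logins spread their energy thinly across all bins.

```python
import cmath
import math
from typing import List, Tuple

# Constructed minute sequences (counts of login events per minute), 120 minutes each.
PERIODIC = [1 if t % 10 == 0 else 0 for t in range(120)]            # one attempt every 10 minutes
SPORADIC = [1 if t in (3, 41, 77, 101) else 0 for t in range(120)]  # four unrelated logins


def dft_magnitudes(seq: List[int]) -> List[float]:
    """One-sided discrete Fourier transform magnitudes (plain O(n^2) DFT, no numpy needed)."""
    n = len(seq)
    mags = []
    for k in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(seq))
        mags.append(abs(acc))
    return mags


def dominant_frequency(seq: List[int]) -> Tuple[int, float, float]:
    """Return (bin index, energy, period in samples) of the strongest non-DC component.
    Bin 0 is skipped because it only reflects the total count. A periodic pulse train also
    lights up its harmonics with equal energy, so among equal peaks the lowest frequency
    (the fundamental) is taken."""
    mags = dft_magnitudes(seq)
    peak = max(mags[1:])
    k = next(i for i in range(1, len(mags)) if mags[i] >= peak - 1e-6)
    return k, mags[k], len(seq) / k


def frequency_domain_detect(seq: List[int], frequency_threshold: float) -> Tuple[bool, float, float]:
    """Compare the energy at the dominant frequency with a threshold; return (flag, energy, period)."""
    k, energy, period = dominant_frequency(seq)
    return energy > frequency_threshold, energy, period


if __name__ == "__main__":
    for label, seq in (("periodic", PERIODIC), ("sporadic", SPORADIC)):
        flag, energy, period = frequency_domain_detect(seq, frequency_threshold=8.0)
        print(f"{label}: blasting={flag} energy={energy:.2f} period={period:.1f} min")
```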
The method for detecting the account blasting is further described below through an embodiment.
Referring to fig. 4, fig. 4 is a flowchart of a fourth method for detecting account blasting according to an embodiment of the present application.
In this embodiment, the method may include:
S401, performing data cleaning processing on the login event log according to a preset format to obtain standard login event data;
S402, carrying out serialization processing on each login event in login event data according to time information in standard login event data to obtain time sequence data of all login events;
S403, performing account blasting detection on the time series data through a detection model to obtain a detection result.
In this embodiment, account blasting detection is performed on the time series data through a detection model. The detection model is obtained by training on data that has been processed by the detection algorithms; the detection algorithms comprise a multi-scale statistical detection algorithm, a Fourier detection algorithm and a Markov detection algorithm. Thus, S403 may comprise running a plurality of detection algorithms to obtain a plurality of primary detection results, assembling the primary detection results into a feature vector, and inputting the feature vector into the detection model for recognition to obtain the detection result.
The Markov detection algorithm is a continuous analysis method applied to the login behavior of most IPs, and mainly comprises HMM (Hidden Markov Model) analysis. A probability matrix is constructed, abnormal points in the login sequence are identified from it, whether the login behavior is abnormal is confirmed according to the proportion of abnormal points, and whether the login behavior is blasting behavior is confirmed in turn. The Markov model assumes that each element of the sequence depends only on the preceding data, from which the probability distribution of the current state can be derived. When a low-probability condition occurs it is regarded as an abnormality, which in turn is regarded as potential blasting behavior.
Therefore, in this embodiment the detection results of multiple detection algorithms are fused, and the final detection result is produced by the machine learning model, so that on top of time-sequence-based detection the accuracy and precision of detection are further improved and missed detections and false detections are avoided.
For the specific implementation of steps S401 and S402, reference may be made to the content of the foregoing embodiment, and no further description is given here.
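The Markov detection algorithm described above, as an added example that is not part of the patent text: a transition probability matrix is estimated from a baseline sequence, transitions in the observed window that fall below a probability floor are marked as abnormal points, and the proportion of abnormal points is compared with a threshold. The state bands, the smoothing, the sample sequences and both thresholds are constructed assumptions; the patent's HMM details are not reproduced.

```python
from typing import List, Tuple

N_STATES = 3


def quantize(count: int) -> int:
    """Map a per-minute login count to a discrete state: 0 = none, 1 = a few, 2 = many (assumed bands)."""
    if count == 0:
        return 0
    return 1 if count <= 3 else 2


def transition_matrix(baseline: List[int], alpha: float = 1.0) -> List[List[float]]:
    """Estimate P(next state | current state) from a baseline sequence.
    Additive (Laplace) smoothing keeps unseen transitions at a small, non-zero probability."""
    states = [quantize(c) for c in baseline]
    counts = [[alpha] * N_STATES for _ in range(N_STATES)]
    for a, b in zip(states, states[1:]):
        counts[a][b] += 1
    return [[v / sum(row) for v in row] for row in counts]


def anomaly_points(observed: List[int], matrix: List[List[float]], prob_floor: float) -> List[int]:
    """Positions whose transition from the previous minute is rarer than prob_floor under the model."""
    states = [quantize(c) for c in observed]
    return [i for i, (a, b) in enumerate(zip(states, states[1:]), start=1) if matrix[a][b] < prob_floor]


def markov_detect(baseline: List[int], observed: List[int],
                  prob_floor: float = 0.05, ratio_threshold: float = 0.2) -> Tuple[bool, float, List[int]]:
    """Flag blasting when the share of abnormal transitions in the observed window exceeds ratio_threshold."""
    matrix = transition_matrix(baseline)
    points = anomaly_points(observed, matrix, prob_floor)
    ratio = len(points) / max(1, len(observed) - 1)
    return ratio > ratio_threshold, ratio, points


# Constructed baseline: ten hours of minute counts in which an IP logs in about once every 30 minutes.
BASELINE = [1 if m % 30 == 0 else 0 for m in range(600)]
# Constructed observations: an hour that matches the baseline, and an hour with one attempt every 2 minutes.
OBSERVED_NORMAL = [1 if m % 30 == 0 else 0 for m in range(60)]
OBSERVED_SLOW = [1 if m % 2 == 0 else 0 for m in range(60)]

if __name__ == "__main__":
    for label, window in (("normal", OBSERVED_NORMAL), ("slow", OBSERVED_SLOW)):
        flag, ratio, points = markov_detect(BASELINE, window)
        print(f"{label}: blasting={flag} abnormal ratio={ratio:.2f} points={len(points)}")
```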
The following describes an account blasting detection device provided by an embodiment of the present application; the account blasting detection device described below and the account blasting detection method described above correspond to each other and may be referred to together.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an account blasting detection device according to an embodiment of the present application.
In this embodiment, the apparatus may include:
The data cleaning module 100 is configured to perform data cleaning processing on the login event log according to a preset format to obtain standard login event data;
The time sequence encoding module 200 is configured to perform serialization processing on each login event in the login event data according to the time information in the standard login event data, so as to obtain time sequence data of all login events;
and the account blasting detection module 300 is used for performing account blasting detection on the time series data to obtain a detection result.
The embodiment of the application also provides a computer device, which comprises:
A memory for storing a computer program;
And the processor is used for realizing the steps of the account blasting detection method according to the embodiment when executing the computer program.
The embodiment of the application also provides a computer readable storage medium, which is characterized in that a computer program is stored on the computer readable storage medium, and the computer program realizes the steps of the account blasting detection method according to the embodiment when being executed by a processor.
The computer readable storage medium may include: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In the description, the embodiments are described in a progressive manner, each embodiment focusing on its differences from the others, so that for identical or similar parts the embodiments refer to one another. Since the device disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief, and the relevant points can be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The account blasting detection method, account blasting detection device, computer device and computer readable storage medium provided by the application have been described in detail above. The principles and embodiments of the present application have been explained with reference to specific examples, which serve only to aid understanding of the method of the present application and its core ideas. It will be apparent to those skilled in the art that various modifications and adaptations of the application can be made without departing from its principles, and such modifications and adaptations are intended to fall within the scope of the application as defined in the following claims.

Claims (9)

1. An account blasting detection method is characterized by comprising the following steps:
carrying out data cleaning processing on the login event log according to a preset format to obtain standard login event data;
carrying out serialization processing on each login event in the login event data according to the time information in the standard login event data to obtain time sequence data of all login events; the method for obtaining the time sequence data of all login events specifically comprises the following steps of: encoding information except time information of each login event in the standard login event data into a character string; converting the time information corresponding to all the same character strings according to the time domain characteristics to obtain time domain characteristic data corresponding to each character string; taking the time domain characteristic data corresponding to all the character strings as the time sequence data of all the login events;
and carrying out account blasting detection on the time sequence data to obtain a detection result.
2. The account blasting detection method according to claim 1, wherein the step of performing data cleaning processing on the log of login events according to a preset format to obtain standard login event data comprises:
determining corresponding decoding operation according to the attribute information of the login event log;
executing the decoding operation on the login event log to obtain decoded log data;
and reconstructing the decoded log data according to the preset format to obtain the standard login event data.
3. The account blasting detection method according to claim 2, wherein the reconstructing the decoded log data according to the preset format to obtain the standard login event data includes:
desensitizing the decoded log data to obtain desensitized log data;
And reconstructing the desensitized log data according to the preset format to obtain the standard login event data.
4. The account blasting detection method according to claim 1, wherein performing account blasting detection on the time-series data to obtain a detection result comprises:
respectively carrying out data reconstruction processing on the time sequence data according to a plurality of time scales to obtain a login data sequence corresponding to each time scale;
Respectively carrying out statistical calculation processing on each login data sequence to obtain a statistical value corresponding to each time scale;
and comparing the statistical value corresponding to each time scale against the threshold value corresponding to that time scale to obtain the detection result.
5. The account blasting detection method according to claim 1, wherein performing account blasting detection on the time-series data to obtain a detection result comprises:
Performing frequency domain conversion on the time sequence data to obtain frequency domain data;
And comparing and detecting the frequency domain data through a frequency threshold value to obtain the detection result.
6. The account blasting detection method according to claim 1, wherein performing account blasting detection on the time-series data to obtain a detection result comprises:
performing account blasting detection on the time series data through a detection model to obtain a detection result;
The detection model is obtained by training data processed based on a detection algorithm; the detection algorithm comprises a multi-scale statistical detection algorithm, a Fourier detection algorithm and a Markov detection algorithm.
7. An account blasting detection device, characterized by comprising:
The data cleaning module is used for performing data cleaning processing on the login event log according to a preset format to obtain standard login event data;
The time sequence coding module is used for carrying out serialization processing on each login event in the login event data according to the time information in the standard login event data to obtain time sequence data of all the login events; the method for obtaining the time sequence data of all login events specifically comprises the following steps of: encoding information except time information of each login event in the standard login event data into a character string; converting the time information corresponding to all the same character strings according to the time domain characteristics to obtain time domain characteristic data corresponding to each character string; taking the time domain characteristic data corresponding to all the character strings as the time sequence data of all the login events;
And the account blasting detection module is used for carrying out account blasting detection on the time series data to obtain a detection result.
8. A computer device, comprising:
A memory for storing a computer program;
A processor for implementing the steps of the account blasting detection method according to any one of claims 1 to 6 when executing the computer program.
9. A computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, which when executed by a processor, implements the steps of the account blasting detection method according to any one of claims 1 to 6.
CN201910816740.5A 2019-08-30 2019-08-30 Account blasting detection method and related device Active CN112445785B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910816740.5A CN112445785B (en) 2019-08-30 2019-08-30 Account blasting detection method and related device


Publications (2)

Publication Number Publication Date
CN112445785A CN112445785A (en) 2021-03-05
CN112445785B true CN112445785B (en) 2024-05-31

Family

ID=74734167

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910816740.5A Active CN112445785B (en) 2019-08-30 2019-08-30 Account blasting detection method and related device

Country Status (1)

Country Link
CN (1) CN112445785B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102393183B1 (en) * 2021-09-29 2022-05-02 (주)로그스택 Method, device and system for managing and processing log data of corporate server
CN114154058A (en) * 2021-11-02 2022-03-08 支付宝(杭州)信息技术有限公司 Account operator identity prediction method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101565942B1 (en) * 2014-05-29 2015-11-04 네이버 주식회사 Method and Apparatus for detecting ID theft
CN105471819A (en) * 2014-08-19 2016-04-06 腾讯科技(深圳)有限公司 Account abnormity detection method and account abnormity detection device
CN106027577A (en) * 2016-08-04 2016-10-12 四川无声信息技术有限公司 Exception access behavior detection method and device
CN107659562A (en) * 2017-09-08 2018-02-02 微梦创科网络科技(中国)有限公司 A kind of method and device for excavating malice login account
CN107667370A (en) * 2015-05-28 2018-02-06 微软技术许可有限责任公司 Abnormal account is detected using event log
US10091221B1 (en) * 2015-03-13 2018-10-02 Snap Inc. Systems and methods for IP-based intrusion detection
CN109936545A (en) * 2017-12-18 2019-06-25 华为技术有限公司 The detection method and relevant apparatus of Brute Force attack
CN109981647A (en) * 2019-03-27 2019-07-05 北京百度网讯科技有限公司 Method and apparatus for detecting Brute Force

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10037425B2 (en) * 2015-08-26 2018-07-31 Symantec Corporation Detecting suspicious file prospecting activity from patterns of user activity
US10476896B2 (en) * 2016-09-13 2019-11-12 Accenture Global Solutions Limited Malicious threat detection through time series graph analysis


Also Published As

Publication number Publication date
CN112445785A (en) 2021-03-05


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant