CN113014566A

CN113014566A - Malicious registration detection method and device, computer readable medium and electronic device

Info

Publication number: CN113014566A
Application number: CN202110191589.8A
Authority: CN
Inventors: 金炼; 孙睿
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2021-02-19
Filing date: 2021-02-19
Publication date: 2021-06-22
Anticipated expiration: 2041-02-19
Also published as: CN113014566B

Abstract

The disclosure provides a malicious registration detection method and device, a computer readable medium and electronic equipment, and relates to the technical field. The method comprises the following steps: acquiring an account and network environment information in a target user registration request, and acquiring account characteristic information corresponding to the account and behavior information corresponding to the registration request, wherein the behavior information is the submission frequency of the registration request; comparing the behavior information with a preset frequency threshold, and determining a first risk result according to a comparison result; processing the account characteristic information and the network environment information through a risk model to obtain a second risk result; and determining a risk value corresponding to the registration request according to the first risk result and the second risk result, and judging whether the registration request is malicious registration according to the risk value. The method and the device can improve the efficiency and the accuracy of malicious registration detection and have high expansibility.

Description

Malicious registration detection method and device, computer readable medium and electronic device

Technical Field

The present disclosure relates to the field of artificial intelligence technologies, and in particular, to a malicious registration detection method, a malicious registration detection apparatus, a computer-readable medium, and an electronic device.

Background

With the development of e-commerce, more and more users are increasingly used to online shopping, online reading, online friend making, and the like. At present, most services based on the internet require a user to register an account number so as to ensure that the user can normally use the function of a platform, but the behavior of registering and using a malicious account number in grey and dark products inevitably exists, the order of the platform is seriously disturbed, and huge damage is caused to the internet services.

At present, a method for identifying malicious registration behaviors mainly utilizes user behaviors to audit and carries out policy optimization and logic optimization based on data judgment, and accordingly the method has the following problems that firstly, the user behaviors can be obtained after the malicious behaviors are generated, so that the malicious behaviors of cheating users cannot be resisted in advance due to post-audit, and secondly, the method belongs to an independent service audit mode for carrying out policy optimization and logic optimization based on data judgment, and further cannot comprehensively monitor the cheating users.

It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.

Disclosure of Invention

The embodiment of the disclosure provides a detection method for malicious registration, a detection device for malicious registration, a computer readable medium and an electronic device, so that the identification accuracy of malicious registration behaviors can be improved at least to a certain extent, and the cost of cheating on black products is improved.

Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.

According to an aspect of the embodiments of the present disclosure, there is provided a method for detecting malicious registration, including: acquiring an account and network environment information in a target user registration request, and acquiring account characteristic information corresponding to the account and behavior information corresponding to the registration request, wherein the behavior information is the submission frequency of the registration request; comparing the behavior information with a preset frequency threshold, and determining a first risk result according to a comparison result; processing the account characteristic information and the network environment information through a risk model to obtain a second risk result; and determining a risk value corresponding to the registration request according to the first risk result and the second risk result, and judging whether the registration request is malicious registration according to the risk value.

According to an aspect of the embodiments of the present disclosure, there is provided a device for detecting malicious registration, including: the information acquisition module is used for acquiring an account and network environment information in a target user registration request, and simultaneously acquiring account characteristic information corresponding to the account and behavior information corresponding to the registration request, wherein the behavior information is the submission frequency of the registration request; the behavior risk judging module is used for comparing the behavior information with a preset frequency threshold value and determining a first risk result according to a comparison result; the strategy risk judgment module is used for processing the account characteristic information and the network environment information through a risk model to obtain a second risk result; and the comprehensive risk determining module is used for determining a risk value corresponding to the registration request according to the first risk result and the second risk result, and judging whether the registration request is malicious registration according to the risk value.

In some embodiments of the present disclosure, based on the above scheme, the behavior risk determination module is configured to: when the behavior information is smaller than or equal to the preset frequency threshold, marking a first numerical value as the first risk result for the registration request; when the behavior information is larger than the preset frequency threshold, marking a second numerical value as the first risk result for the registration request; wherein the first value is different from the second value.

In some embodiments of the present disclosure, the risk model includes an account risk sub-model, an environmental risk sub-model, and a merged risk sub-model; based on the above scheme, the policy risk discrimination module is configured to: processing the account characteristic information through the account risk sub-model based on an account wind control strategy to obtain an account risk result; processing the network environment information through the environmental risk sub-model based on an environmental wind control strategy to obtain an environmental risk result; and determining the second risk result according to the account risk result and the environment risk result through the combined risk sub-model.

In some embodiments of the present disclosure, based on the above scheme, the apparatus for detecting malicious registration further includes: the system comprises a correlation account number acquisition module, a correlation account number acquisition module and a correlation account number acquisition module, wherein the correlation account number acquisition module is used for acquiring the account number and the network environment information, acquiring a cross-platform correlation account number correlated with the account number information, and acquiring correlation account number characteristic information according to the correlation account number; and the risk judgment module is used for processing the account characteristic information, the network environment information and the associated account characteristic information through the risk model so as to obtain a third risk result.

In some embodiments of the present disclosure, the risk model includes an account risk sub-model, an environmental risk sub-model, an associated account risk sub-model, and a merged risk sub-model; based on the above scheme, the risk discrimination module is configured to: processing the account characteristic information through the account risk sub-model based on an account wind control strategy to obtain an account risk result; processing the network environment information through the environmental risk sub-model based on an environmental wind control strategy to obtain an environmental risk result; processing the characteristic information of the associated account through the associated account risk sub-model based on the associated account wind control strategy to obtain an associated account risk result; and determining the third risk result according to the account risk result, the environment risk result and the associated account risk result through the combined risk sub-model.

In some embodiments of the present disclosure, based on the above, the integrated risk determination module is configured to: determining a risk grade corresponding to the risk value according to a risk grade division rule; when the risk value corresponds to a low risk level or a medium risk level, calling a verification tool to verify the legality of the target user, and judging whether the registration request is malicious registration according to a verification result; and when the risk value corresponds to a high risk level, judging that the registration request is malicious registration, and intercepting the registration request of the user.

In some embodiments of the present disclosure, based on the above scheme, the apparatus for detecting malicious registration further includes: the multi-modal characteristic acquisition module is used for acquiring information of a full amount of users in real time to construct a multi-modal characteristic set before the account information and the network environment information are processed through a risk model, wherein the multi-modal characteristic set comprises account active characteristics, network environment information and historical malicious behavior times of associated accounts of the users; a risk mark acquisition module, configured to acquire historical behavior information corresponding to an account of each user, and determine a risk mark corresponding to a registration behavior of each user according to the historical behavior information and a preset rule, so as to acquire a risk mark set; and the model training module is used for training a risk model to be trained according to the multi-modal feature set and the risk label set so as to obtain the risk model.

In some embodiments of the present disclosure, the risk model to be trained includes an account risk sub-model to be trained, an environmental risk sub-model to be trained, an associated account risk sub-model to be trained, and a combined risk sub-model to be trained; based on the above scheme, the model training module comprises: the first training unit is used for respectively training the account risk submodel to be trained, the environment risk submodel to be trained and the associated account risk submodel to be trained according to the multi-mode feature set and the risk mark set so as to obtain risk results output by the account risk submodel to be trained, the environment risk submodel to be trained and the associated account risk submodel to be trained; and the second training unit is used for training the combined risk sub-model to be trained according to the risk result and the risk label set so as to obtain the risk model.

In some embodiments of the present disclosure, based on the above scheme, the first training unit is configured to: respectively inputting the account active characteristics, the network environment information and the historical malicious behavior times of the associated account of each user as input information to the to-be-trained account risk sub-model, the to-be-trained environment risk sub-model and the to-be-trained associated account risk sub-model so as to obtain risk results output by the to-be-trained account risk sub-model, the to-be-trained environment risk sub-model and the to-be-trained associated account risk sub-model; determining a first loss function according to the risk result output by the to-be-trained account risk submodel, the to-be-trained environment risk submodel and the to-be-trained associated account risk submodel and the risk label corresponding to the account of each user in the risk label set; and optimizing the account risk submodel to be trained, the environment risk submodel to be trained and the associated account risk submodel to be trained according to the first loss function until the first loss function is minimum or the preset times of optimization is completed.

In some embodiments of the present disclosure, based on the above scheme, the second training unit is configured to: inputting the risk result as input information to the to-be-trained risk combining sub-model to obtain a risk result output by the to-be-trained risk combining sub-model; determining a second loss function according to the risk result output by the combined risk submodel to be trained and the risk marks corresponding to the account numbers of the users in the risk mark set; and optimizing the merged risk sub-model to be trained according to the second loss function until the second loss function is minimum or the optimization of preset times is completed.

In some embodiments of the present disclosure, based on the above scheme, the malicious registration detection apparatus is further configured to: acquiring a misjudgment result asynchronously returned by a calling party, wherein the misjudgment result comprises multi-mode characteristics of a misjudgment user and a risk mark corresponding to the misjudgment user; updating the multi-modal feature set according to the multi-modal features of the misjudged user, and updating the risk mark set according to the risk marks corresponding to the misjudged user; and retraining the risk model according to the updated multi-modal feature set and the risk mark set.

In some embodiments of the present disclosure, based on the above scheme, the malicious registration detection apparatus is further configured to: and storing the risk value corresponding to the target user registration request as persistent data.

According to an aspect of the embodiments of the present disclosure, there is provided a computer storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the method for detecting malicious registration provided in the above-mentioned alternative implementation.

According to an aspect of an embodiment of the present disclosure, there is provided a computer program product or a computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device executes the detection method for malicious registration provided in the above-described alternative implementation.

According to an aspect of an embodiment of the present disclosure, there is provided an electronic device including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method provided in the above-described alternative implementations.

In the technical solutions provided in some embodiments of the present disclosure, after account characteristic information and network environment information corresponding to an account in a target user registration request and behavior information corresponding to a registration behavior of a target user are obtained, a first risk result is determined according to the behavior information and a preset frequency threshold, the account characteristic information and the network environment information are processed through a risk model to obtain a second risk result, and finally a risk value corresponding to the registration request is determined according to the first risk result and the second risk result. According to the technical scheme, on one hand, the detection efficiency and the detection accuracy of malicious registration can be improved, and the black product cheating cost is improved; on the other hand, the method and the device can detect the registration behavior of the account of multiple platforms in a cross-platform environment, and have high expansibility.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty. In the drawings:

fig. 1 shows a schematic diagram of an exemplary system architecture to which technical aspects of embodiments of the present disclosure may be applied;

fig. 2 schematically shows a flow diagram of a method of detection of malicious registrations according to one embodiment of the present disclosure;

FIG. 3 schematically shows a structural schematic of a risk model according to one embodiment of the present disclosure;

fig. 4 schematically illustrates a flowchart of determining whether a registration request is a malicious registration according to a risk value according to an embodiment of the present disclosure;

FIG. 5 schematically shows a flow diagram for obtaining a risk model according to one embodiment of the present disclosure;

fig. 6 schematically shows a flow diagram of a method of detection of malicious registrations according to one embodiment of the present disclosure;

fig. 7 schematically shows a block diagram of a detection apparatus of malicious registration according to one embodiment of the present disclosure;

FIG. 8 illustrates a schematic structural diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present disclosure.

Detailed Description

Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.

Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.

The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.

The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.

Fig. 1 shows a schematic diagram of an exemplary system architecture to which the technical solutions of the embodiments of the present disclosure may be applied.

As shown in fig. 1, system architecture 100 may include terminal device 101, network 102, and server 103. The terminal device 101 may specifically be a terminal device including a display screen, for example, a smart phone, a notebook, a tablet computer, a desktop computer, a portable computer, and the like, and is used for a user to register accounts of various platforms on line. The network 102 is a medium used for providing a communication link between the terminal device 101 and the server 103, and the network 102 may include various connection types, such as a wired communication link, a wireless communication link, and the like, and in the embodiment of the present disclosure, the network between the terminal device 101 and the server 103 may be a wireless communication link, and particularly may be a mobile network.

It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation. It is worth mentioning that the server in the present disclosure may be an independent server or a server cluster formed by a plurality of servers.

In an embodiment of the present disclosure, a user logs in a certain platform through a terminal device 101 to perform registration, after receiving a registration request of the user, the terminal device 101 may send the registration request to a server 103 through a network 102, and after receiving the registration request, the server 103 distributes data in the registration request to an identity verification unit and an aging verification unit through a load balancing unit, so as to verify the identity of a target user, obtain the frequency of submitting the registration request by the user, and then obtain account characteristic information and network environment information corresponding to an account in the registration request. Server 103 may then compare the behavior information to a preset frequency threshold to determine a first risk result and invoke a risk model to process the account characteristic information and the network environment information to obtain a second risk result. And finally, synthesizing the first risk result and the second risk result to obtain a risk value corresponding to the registration request, returning the risk value to the platform or judging whether the registration request is malicious registration according to the risk value, and returning the judgment result to the platform. Furthermore, the registration request and the risk value corresponding to the registration request or the judgment result of whether the registration request is malicious or not can be used as persistent data to be stored for subsequent data analysis.

In an embodiment of the present disclosure, the method for detecting malicious registration of the present disclosure may be applied to a cross-platform scenario, that is, account numbers of multiple platforms are associated, for example, a micro signal and a QQ number are associated, and may also be associated with an account number of a mobile phone, a mailbox, an account number of another platform, and the like, after an account number of a certain platform is obtained, associated account numbers of another platform may be obtained, and whether all account numbers are dark products is identified and determined, if any account number is abnormal, all account numbers are marked as abnormal.

It should be noted that the detection method for malicious registration provided by the embodiment of the present disclosure is generally executed by a server, and accordingly, the detection apparatus for malicious registration is generally disposed in the server. However, in other embodiments of the present disclosure, the terminal device may also perform the method for detecting malicious registration provided in the embodiments of the present disclosure.

In the related technology in the field, whether a target IP address exists is determined by analyzing an Internet Protocol (IP) address of a registration request sent by a user, and when the target IP address exists, registration flow corresponding to the IP address in a first preset time period is determined according to the target IP address; and if the flow corresponding to the IP address in the preset time period is larger than the preset flow value, processing the IP address according to a preset malicious registration processing strategy.

However, the related technology has corresponding problems, firstly, the user behavior is utilized to carry out auditing, the user account is separated, and the post-auditing mode cannot resist the malicious behavior of a cheating user in advance; in addition, the scheme carries out strategy optimization and logic optimization based on data judgment, the independent service audit cannot carry out comprehensive monitoring on cheating users, and the detection efficiency and the detection accuracy of malicious registration are poor. Meanwhile, the detection is only carried out according to the IP address, and the cross-platform account detection cannot be realized, so that the expansibility is poor.

In view of the problems in the related art, the embodiments of the present disclosure provide a method for detecting malicious registration, which is implemented based on machine learning, which is one of Artificial Intelligence (AI), which is a theory, method, technique, and application system that simulates, extends, and expands human Intelligence using a digital computer or a machine controlled by a digital computer, senses an environment, acquires knowledge, and obtains an optimal result using the knowledge. In other words, artificial intelligence is a comprehensive technique of computer science that attempts to understand the essence of intelligence and produce a new intelligent machine that can react in a manner similar to human intelligence. Artificial intelligence is the research of the design principle and the realization method of various intelligent machines, so that the machines have the functions of perception, reasoning and decision making.

The artificial intelligence technology is a comprehensive subject and relates to the field of extensive technology, namely the technology of a hardware level and the technology of a software level. The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and the like.

Computer Vision technology (CV) Computer Vision is a science for researching how to make a machine "see", and further refers to that a camera and a Computer are used to replace human eyes to perform machine Vision such as identification, tracking and measurement on a target, and further image processing is performed, so that the Computer processing becomes an image more suitable for human eyes to observe or transmitted to an instrument to detect. As a scientific discipline, computer vision research-related theories and techniques attempt to build artificial intelligence systems that can capture information from images or multidimensional data. Computer vision technologies generally include image processing, image recognition, image semantic understanding, image retrieval, OCR, video processing, video semantic understanding, video content/behavior recognition, three-dimensional object reconstruction, 3D technologies, virtual reality, augmented reality, synchronous positioning, map construction, and other technologies, and also include common biometric technologies such as face recognition and fingerprint recognition.

Machine Learning (ML) is a multi-domain cross discipline, and relates to a plurality of disciplines such as probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory and the like. The special research on how a computer simulates or realizes the learning behavior of human beings so as to acquire new knowledge or skills and reorganize the existing knowledge structure to continuously improve the performance of the computer. Machine learning is the core of artificial intelligence, is the fundamental approach for computers to have intelligence, and is applied to all fields of artificial intelligence. Machine learning and deep learning generally include techniques such as artificial neural networks, belief networks, reinforcement learning, transfer learning, inductive learning, and formal education learning.

With the research and progress of artificial intelligence technology, the artificial intelligence technology is developed and applied in a plurality of fields, such as common smart homes, smart wearable devices, virtual assistants, smart speakers, smart marketing, unmanned driving, automatic driving, unmanned aerial vehicles, robots, smart medical care, smart customer service, and the like.

As can be seen from the system architecture 100 shown in fig. 1, the system related to the embodiment of the present disclosure may be a distributed system formed by connecting a terminal device, a plurality of nodes (any form of computing devices in an access network, such as servers) through a network communication form.

Taking a distributed system as an example of a blockchain system, an optional structure of the distributed system applied To the blockchain system is formed by a plurality of nodes (any type of computing device in an access network, such as a server) and terminal devices, a Peer-To-Peer (P2P, Peer To Peer) network is formed between the nodes, and the P2P Protocol is an application layer Protocol running on top of a Transmission Control Protocol (TCP). In a distributed system, any machine such as a server and a terminal social security can be added to form a node, and the node comprises a hardware layer, a middle layer, an operating system layer and an application layer. The functions of each node in the blockchain system comprise:

1) routing, a basic function that a node has, is used to support communication between nodes.

2) The application is used for being deployed in a block chain, realizing specific services according to actual service requirements, recording data related to the realization functions to form recording data, carrying a digital signature in the recording data to represent a source of task data, and sending the recording data to other nodes in the block chain system, so that the other nodes add the recording data to a temporary block when the source and integrity of the recording data are verified successfully.

3) And the Block chain comprises a series of blocks (blocks) which are mutually connected according to the generated chronological order, new blocks cannot be removed once being added into the Block chain, and recorded data submitted by nodes in the Block chain system are recorded in the blocks.

In the block structure provided in the embodiment of the present disclosure, each block includes a hash value of the block storing the transaction record (hash value of the block) and a hash value of a previous block, and the blocks are connected by the hash value to form a block chain. The block may include information such as a time stamp at the time of block generation. A block chain (Blockchain), which is essentially a decentralized database, is a string of data blocks associated by using cryptography, and each data block contains related information for verifying the validity (anti-counterfeiting) of the information and generating a next block.

The scheme provided by the embodiment of the disclosure relates to an artificial intelligence machine learning technology, and is specifically explained by the following embodiment:

fig. 2 schematically shows a flow diagram of a method of detection of malicious registrations, which may be performed by a server, which may be the service 103 shown in fig. 1, according to one embodiment of the present disclosure. Referring to fig. 2, the method for detecting malicious registration at least includes steps S210 to S240, which are described in detail as follows:

in step S210, an account and network environment information in a target user registration request are obtained, and account characteristic information corresponding to the account and behavior information corresponding to the registration request are obtained at the same time, where the behavior information is a submission frequency of the registration request.

In an embodiment of the present disclosure, when a user wants to register an account of a certain platform, the platform may be downloaded and installed on a terminal device, and information may be filled in on a registration page to implement account registration. After the user completes information filling and clicks to submit registration, the server can acquire and detect the registration request to judge whether the registration request is malicious registration.

For a registration request submitted by a target user, the server may analyze the registration request, obtain an account and network environment information therein, and obtain account characteristic information corresponding to the account, where the account is an account filled in during user registration, and may be, for example, a mobile phone number, a mailbox, an identity card number, a micro signal, a QQ number, and the like, the account characteristic information may specifically be an online active characteristic of the account, such as online duration, whether to log in multiple times, whether to perform a specific behavior, and the like, and the network environment information is a network environment during registration, such as an IP address and the like. Meanwhile, the server can also detect the acquired behavior information corresponding to the registration request of the target user, wherein the behavior information is the number of times that the target user submits the registration request within a unit time range, namely the submission frequency, and whether the registration request is abnormal or not can be judged according to the submission frequency of the registration request.

In step S220, the behavior information is compared with a preset frequency threshold, and a first risk result is determined according to the comparison result.

In an embodiment of the present disclosure, after obtaining information of three dimensions, namely, an account number, network environment information, and behavior information, related to a registration request, detection may be performed according to the information of the three dimensions, and whether the registration request is malicious registration is determined.

In an embodiment of the present disclosure, a frequency threshold for submitting a registration request may be preset, and the behavior information is compared with the preset frequency threshold, so as to determine a first risk result according to a comparison result. Specifically, when the behavior information is less than or equal to the preset frequency threshold, which indicates that the registration request has a low risk in the behavior dimension, a first value may be marked as a first risk result for the registration request, for example, the first risk result is marked as 1, and so on; when the behavior information is greater than the preset frequency threshold, indicating that the registration request has a high risk in the behavior dimension, a second value different from the first value may be marked as a second risk result for the registration request, for example, the first risk result may be marked as 2, and so on.

In setting the preset frequency threshold, the setting may be based on a deviation from three times the standard deviation of the history data, where the history data is the number of submissions of registration requests within a preset time period, which may be one day, one hour, or the like. Of course, the preset frequency threshold may also be set according to actual needs, and this is not specifically limited in the embodiment of the present disclosure.

In step S230, the account characteristic information and the network environment information are processed by a risk model to obtain a second risk result.

In an embodiment of the present disclosure, whether the registration request is a malicious registration may also be detected according to information of two dimensions, namely, the account number and the network environment information in the registration request. In the embodiment of the disclosure, the risk model may be used to analyze the account characteristic information and the network environment information, and determine the risk corresponding to the account and the network environment information.

Fig. 3 shows a schematic structural diagram of a risk model, and as shown in fig. 3, the risk model 300 includes an account risk sub-model 301, an environmental risk sub-model 302, an associated account risk sub-model 303, and a combined risk sub-model 304, where the account risk sub-model 301, the environmental risk sub-model 302, and the associated account risk sub-model 303 are independent of each other and are all connected to the combined risk sub-model 304, and a second risk result is output through the combined risk sub-model 304.

When the risk model is used for carrying out risk detection on the account and the network environment information, the account characteristic information can be processed through the account risk sub-model 301 based on the account wind control strategy to obtain an account risk result; meanwhile, based on the environmental wind control strategy, the network environment information is processed through the environmental risk sub-model 302 to obtain an environmental risk result; and finally, outputting a second risk result according to the account risk result and the environmental risk result through the combined risk sub-model 304.

In an embodiment of the disclosure, in the design of the whole detection process, a plurality of wind control strategies are usually set, including an environment wind control strategy and an account wind control strategy, for example, the account wind control strategy may include 50 wind control strategies covering low-risk accounts, medium-risk accounts and high-risk accounts, after an account is obtained, an account risk sub-model may determine an account risk result according to the account wind control strategy hit by the account, and similarly, the environment risk sub-model may determine an environment risk result corresponding to network environment information according to the environment wind control strategy. And finally, inputting the account risk result and the environment risk result into a combined risk submodel, and outputting a final risk result through the combined risk submodel, wherein the risk result is a second risk result.

In an embodiment of the present disclosure, the method for detecting malicious registration of the present disclosure may also be applied to a cross-platform environment, that is, in addition to the account and the network environment information in the registration request submitted by the user, all associated accounts that are associated with the account and cross-platform may be obtained, for example, if the current account information is a micro signal, other accounts associated with the micro signal, for example, a QQ number, a mailbox, registered accounts of other platforms, and the like, may be obtained according to the micro signal, and associated account characteristic information may be obtained according to the associated account, where the associated account characteristic information may be the number of historical malicious behaviors of the associated account, and the like. Further, the account characteristic information, the network environment information and the associated account characteristic information can be processed through the risk model to obtain a third risk result, wherein the type of the third risk result is the same as that of the second risk result.

On the basis of obtaining the account risk result and the environment risk result according to the method in the above embodiment, similar to the way that the risk model processes the account and the network environment information, when the associated account feature information is processed by the risk model, the associated account feature information may be processed by the associated account risk sub-model 303 based on the associated account wind control policy to obtain the associated account risk result. Further, a final risk result may be output by the combined risk sub-model 304 according to the account risk result, the environmental risk result, and the associated account risk result, where the risk result is a third risk result.

In step S240, a risk value corresponding to the registration request is determined according to the first risk result and the second risk result, and whether the registration request is a malicious registration is determined according to the risk value.

In an embodiment of the present disclosure, after the first risk result and the second risk result are obtained, the first risk result and the second risk result may be integrated to obtain a risk value corresponding to the registration request of the target user. When the first risk result and the second risk result are integrated, a multi-strategy superposition and single-strategy weight calculation mode can be adopted, for example, different weights can be set for different strategies, and a final risk value can be obtained by superposition calculation according to the first risk result, the second risk result and the weights corresponding to all hit strategies. Furthermore, a decision model auxiliary judgment mode can be added on the basis of multi-strategy superposition and single-strategy weight calculation to determine a final risk value. Of course, the risk value corresponding to the registration request may also be determined according to other calculation methods, which are not described herein again.

Correspondingly, after the first risk fan and the third risk result are obtained, the first risk result and the third risk result can be synthesized according to the method to obtain the risk value corresponding to the registration request of the target user.

In an embodiment of the present disclosure, the risk value corresponding to the registration request may be a value interval set according to actual needs, for example, may be [0,4], where 0 represents no risk, 1-2 represents low risk, 3-4 represents high risk, and of course, 1-2 represents low risk, 3 represents medium risk, 4 represents high risk, and so on may also be set. After determining the risk value corresponding to the registration request, the risk value may be fed back to the platform, and the platform may determine whether the registration request is malicious registration according to the risk value and perform corresponding processing on the registration request, or may determine whether the registration request is malicious registration according to the risk value after determining the risk value corresponding to the registration request and feed back the determination result to the platform, so that the platform performs corresponding processing on the registration request according to the feedback result.

Fig. 4 is a schematic flowchart illustrating a process of determining whether a registration request is a malicious registration according to a risk value, as shown in fig. 4, in step S401, a risk level corresponding to the risk value is determined according to a risk level classification rule; in step S402, when the risk value corresponds to a low risk level or a medium risk level, a verification tool is invoked to verify the validity of the target user, and whether the registration request is malicious registration is determined according to the verification result; in step S403, when the risk value corresponds to a high risk level, it is determined that the registration request is malicious registration, and the registration request of the target user is intercepted. In step S402, the verification may be performed by image verification, short message verification code verification, and the like, and when the verification passes, it indicates that the target user is legal, the registration request submitted by the target user does not belong to malicious registration, and the registration may be continued, and when the verification does not pass, it indicates that the target user is illegal, and the registration request submitted by the target user is malicious registration and should be intercepted.

In an embodiment of the present disclosure, after determining that the registration request is a malicious registration, the offline environment information may be determined according to the network environment information in the registration request, that is, the offline address corresponding to the registration request, such as latitude and longitude, and a real offline address, is determined according to the IP address and the mapping relationship between the IP address and the offline address, and a blacklist is constructed according to the determined IP address and the offline environment information.

In an embodiment of the present disclosure, before processing an account, network environment information, and an associated account associated with the account in a registration request by using a risk model, the risk model to be trained needs to be trained to obtain a stable risk model.

Fig. 5 is a schematic flowchart illustrating a process of obtaining a risk model, and as shown in fig. 5, in step S501, information of a full number of users is collected in real time to construct a multi-modal feature set, where the multi-modal feature set includes account active features, network environment information, and historical malicious behavior times of associated accounts of each user; in step S502, obtaining historical behavior information corresponding to the account of each user, and determining a risk flag corresponding to the registration behavior of each user according to the historical behavior information and a preset rule to obtain a risk flag set; in step S503, the risk model to be trained is trained according to the multi-modal feature set and the risk label set to obtain a risk model.

The information of the user collected in step S501 is collected in real time for the full account on the platform, and after the full account is obtained, online active features of each account, such as online duration of the account, whether to log in for multiple times, whether to perform a specific action (purchase action), and the like, may be obtained. Meanwhile, a cross-platform associated account associated with the cross-platform associated account can be determined according to the account, and associated account information, such as the historical malicious behavior times of the associated account, can be acquired according to the associated account, and the historical malicious behavior times of the associated account can be matched and determined in a malicious behavior list stored in a database according to the associated account. The risk marker set obtained in step S502 may be implemented in an offline auditing manner, specifically, a large amount of online registration data within a preset time range from the current time may be randomly extracted, for example, about 100 ten thousand online registration data before 1 month is extracted, where the extracted registration data includes the registration data of the account number acquired in step S501; and then, the extracted follow-up behavior information of the registered account can be obtained, manual audit is carried out on the follow-up behavior information based on the rule model, and a risk mark set is formed by marking a risk mark for the registered behavior of the registered account. Taking a scenario that a user registers an applet and operates through a social platform as an example, the rule for manually auditing the annotation risk tag may be, for example: risk of 0 if there is consumption in the applet or the number of times the applet lands > X in the next N days, wherein N, X is a positive integer and X is less than or equal to N; no consumption behavior exists in the applet in the following N days, and the risk is 1 when the number of login days of the applet is [ M, X ], wherein M is a positive integer smaller than X; no consumption behavior in the applet in the next N days, and the risk is 2 when the number of login days of the applet is [0, M); within the follow-up N days, no consumption behavior exists in the small program, and the risk is 3 if the relevant behavior of bill swiping/black birth exists; the risk of being covered by the platform or complained by the applet operator in the next N days is 4. It should be noted that the risk flag may also be labeled according to other rules, and the range of the risk result is also not limited to 0-4, which is not described herein again in the embodiments of the present disclosure.

Corresponding to the structure of the risk model, the risk model to be trained comprises an account risk sub-model to be trained, an environment risk sub-model to be trained, an associated account risk sub-model to be trained and a combined risk sub-model to be trained. The machine learning algorithm adopted by the account risk submodel to be trained, the environment risk submodel to be trained and the associated account risk submodel to be trained can be an XGboost algorithm, and can also be algorithms such as a support vector machine, a random forest, a neural network and the like, and the algorithm adopted by the combined risk submodel to be trained can be a linear regression algorithm.

When the risk model to be trained is trained according to the multi-modal feature set and the risk label set, the method specifically includes the following steps: step S1: firstly, respectively training a risk submodel of an account to be trained, an environmental risk submodel to be trained and a risk submodel of an associated account to be trained according to a multi-mode feature set and a risk label set so as to obtain risk results output by the risk submodel of the account to be trained, the environmental risk submodel to be trained and the associated account risk submodel to be trained; step S2: and training the combined risk submodel to be trained according to the risk result and the risk label set output by each submodel to obtain a risk model.

In step S1, the multi-modal feature set includes multiple groups of multi-modal features, where the features related to each sub-model in each group of multi-modal features are input information of each risk sub-model, specifically, the account active feature is input information of an account risk sub-model to be trained, the network environment information is input information of an environment risk sub-model to be trained, and the number of historical malicious behaviors of the associated account is input information of an associated account risk sub-model to be trained; correspondingly, each risk submodel can process the input information input into the risk submodel to obtain a risk result corresponding to the input information, wherein the risk result is a predicted risk result; and marking the risk corresponding to each multi-modal feature in the risk marking set as a target risk result. Furthermore, the predicted risk result and the target risk result output by each sub-model may determine a first loss function, which may be any type of loss function, such as a cross entropy loss function, an absolute error loss function, and so on. Further, each risk submodel may be optimized according to the first loss function until the first loss function reaches a minimum or the optimization is completed for a preset number of times, and at this time, it may be considered that training of each risk submodel is completed.

Similarly, when the risk submodel to be trained is trained according to the risk result and the risk label set output by each risk submodel, the risk result output by each risk submodel can be input to the risk submodel to be trained as input information to obtain the risk information output by the risk submodel to be trained, and then a second loss function is determined according to the risk information output by the risk submodel to be trained and the risk labels corresponding to the account numbers of the users in the risk label set, wherein the second loss function can be the same as or different from the first loss function. And then optimizing the to-be-trained risk combining sub-model according to the second loss function until the second loss function is minimum or the preset times of optimization is completed, so as to obtain a stable risk combining sub-model and further obtain a stable risk model.

In an embodiment of the disclosure, before processing input information, each risk submodel may classify features in the multimodal feature set according to different wind control strategies, mark features that satisfy the wind control strategies as positive samples, mark features that do not satisfy the wind control strategies as negative samples, and train each risk submodel by using the positive samples and the negative samples to improve stability of each risk submodel.

After the training of the account risk submodel to be trained, the environmental risk submodel to be trained, the associated account risk submodel to be trained and the combined risk submodel to be trained is completed, a stable risk model can be obtained, and the risk model can be used for detecting the real-time registration request so as to obtain a risk value corresponding to the real-time registration request. The risk model in the embodiment of the disclosure is a cold start risk model, and the detection efficiency and accuracy of malicious registration can be improved.

In the embodiment of the disclosure, after the risk model detects the registration request to obtain the risk value, the detection result can be returned to the caller, the caller can distinguish the detection result, if the detection result is correct, the registration request is correspondingly processed, and if the detection result has a misjudgment, the misjudgment result is asynchronously returned to the server, so as to retrain the risk model according to the returned misjudgment result. Specifically, the misjudgment result includes the multi-modal features of the misjudgment user and the corresponding risk labels, the multi-modal feature set can be updated according to the multi-modal features of the misjudgment user, the risk label set can be updated according to the corresponding risk labels, and then the risk model can be retrained according to the updated multi-modal feature set and the risk label set.

Next, a scenario in which a user performs applet registration through a wechat platform is taken as an example, and an embodiment of the present disclosure is described in detail.

Fig. 6 is a schematic flowchart illustrating a method for detecting malicious registration, where as shown in fig. 6, in step S601, a user opens an applet in a wechat platform, enters a registration page of the applet, and clicks a registration button to submit a registration request after completing information filling; in step S602, after receiving the registration request, the applet service background invokes a wind control interface provided by the wechat platform, and transmits parameters in the registration request to a malicious registration detection device in the wechat platform through the wind control interface; in step S603, the malicious registration detection apparatus obtains an account and an IP address in the registration request, and obtains account characteristic information corresponding to the account and associated account characteristic information associated with the account and corresponding to a cross-platform associated account according to the account; simultaneously acquiring the submission frequency of the registration request; performing risk detection according to the submission frequency of the registration request, the account characteristic information, the IP address and the associated account characteristic information to acquire a risk value corresponding to the registration request; in step S604, the risk value is sent to the applet service background; in step S605, the applet service background determines whether the registration request is malicious registration according to the risk value, and performs a target operation on the registration request according to a determination result; and intercepting the registration request when the risk value corresponds to a high risk level, calling a verification tool to verify the user when the risk value corresponds to a medium risk level or a low risk level, and passing the registration request when the risk value corresponds to no risk or the user passes the verification.

By investigating data of various scenes using the detection device for malicious registration, the detection method for malicious registration can detect malicious registration more effectively and has low accidental injury rate. For example, in a social industry scenario, the coverage of a malicious sample is 40%, the accidental injury rate is only 1%, and the coverage of an industry competitive product is 32%, and the accidental injury rate is 3.4%; in an e-commerce industry scene, the accidental injury rate is 2.4%, and the accidental injury rate of an industry competitive product is 6.7%; in a fast-moving industry scenario, the coverage of malicious samples is 92.8%, while the coverage of industry bids is 83.7%.

The method for detecting malicious registration in the embodiment of the disclosure comprises the steps of firstly obtaining an account number and network environment information in a target user registration request, and simultaneously obtaining account number characteristic information corresponding to the account number and behavior information corresponding to the registration request, wherein the behavior information is the submission frequency of the registration request; then comparing the behavior information with a preset frequency threshold to determine a first risk result; then processing the account characteristic information and the network environment information through a risk model to obtain a second risk result; and finally, determining a risk value corresponding to the registration request according to the first risk result and the second risk result, and judging whether the registration request is malicious registration according to the risk value. Further, the embodiment of the disclosure may acquire, while acquiring the account in the registration request, a cross-platform associated account associated with the account, perform risk detection on the account and the associated account in the registration request, and mark all accounts as abnormal accounts when any account has a risk. Therefore, on one hand, the technical scheme of the disclosure can detect malicious registration based on the user account number, and can resist malicious behaviors of cheating users in advance; on the other hand, a data intercommunication channel can be established with a caller, an online data real-time optimization algorithm is realized, the stability and the precision of a risk model are improved, and the efficiency and the precision of malicious registration detection are further improved; on the other hand, the method can detect the registration request corresponding to the account of the full platform and has high expansibility.

The following describes an embodiment of an apparatus of the present disclosure, which may be used to perform a method for detecting malicious registration in the above-described embodiment of the present disclosure. For details that are not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the embodiments of the method for detecting malicious registration described above in the present disclosure.

Fig. 7 schematically shows a block diagram of a detection apparatus of malicious registration according to one embodiment of the present disclosure.

Referring to fig. 7, an apparatus 700 for detecting malicious registration according to an embodiment of the present disclosure includes: an information acquisition module 701, a behavior risk judgment module 702, a strategy risk judgment module 703 and a comprehensive risk determination module 704.

The information acquisition module 701 is configured to acquire an account and network environment information in a target user registration request, and simultaneously acquire account characteristic information corresponding to the account and behavior information corresponding to the registration request, where the behavior information is a submission frequency of the registration request; a behavior risk discrimination module 702, configured to compare the behavior information with a preset frequency threshold, and determine a first risk result according to a comparison result; a policy risk judgment module 703, configured to process the account characteristic information and the network environment information through a risk model to obtain a second risk result; a comprehensive risk determining module 704, configured to determine a risk value corresponding to the registration request according to the first risk result and the second risk result, and determine whether the registration request is malicious registration according to the risk value.

In one embodiment of the present disclosure, the behavioral risk assessment module 702 is configured to: when the behavior information is smaller than or equal to the preset frequency threshold, marking a first numerical value as the first risk result for the registration request; when the behavior information is larger than the preset frequency threshold, marking a second numerical value as the first risk result for the registration request; wherein the first value is different from the second value.

In one embodiment of the present disclosure, the risk model includes an account risk sub-model, an environmental risk sub-model, and a combined risk sub-model; the policy risk discrimination module 703 is configured to: processing the account characteristic information through the account risk sub-model based on an account wind control strategy to obtain an account risk result; processing the network environment information through the environmental risk sub-model based on an environmental wind control strategy to obtain an environmental risk result; and determining the second risk result according to the account risk result and the environment risk result through the combined risk sub-model.

In an embodiment of the present disclosure, the apparatus 700 for detecting malicious registration further includes: the associated account acquisition module is used for acquiring the account and the network environment information, acquiring a cross-platform associated account associated with the account information, and acquiring associated account characteristic information according to the associated account; and the risk judgment module is used for processing the account characteristic information, the network environment information and the associated account characteristic information through the risk model so as to obtain a third risk result.

In one embodiment of the present disclosure, the risk model includes an account risk sub-model, an environmental risk sub-model, an associated account risk sub-model, and a combined risk sub-model; the risk discrimination module is configured to: processing the account characteristic information through the account risk sub-model based on an account wind control strategy to obtain an account risk result; processing the network environment information through the environmental risk sub-model based on an environmental wind control strategy to obtain an environmental risk result; processing the characteristic information of the associated account through the associated account risk sub-model based on the associated account wind control strategy to obtain an associated account risk result; and determining the third risk result according to the account risk result, the environment risk result and the associated account risk result through the combined risk sub-model.

In one embodiment of the present disclosure, the integrated risk determination module 704 is configured to: determining a risk grade corresponding to the risk value according to a risk grade division rule; when the risk value corresponds to a low risk level or a medium risk level, calling a verification tool to verify the legality of the target user, and judging whether the registration request is malicious registration according to a verification result; and when the risk value corresponds to a high risk level, judging that the registration request is malicious registration, and intercepting the registration request of the user.

In an embodiment of the present disclosure, the apparatus 700 for detecting malicious registration further includes: the multi-modal characteristic acquisition module is used for acquiring information of a full amount of users in real time to construct a multi-modal characteristic set before the account information and the network environment information are processed through a risk model, wherein the multi-modal characteristic set comprises account active characteristics, network environment information and historical malicious behavior times of associated accounts of the users; a risk mark acquisition module, configured to acquire historical behavior information corresponding to an account of each user, and determine a risk mark corresponding to a registration behavior of each user according to the historical behavior information and a preset rule, so as to acquire a risk mark set; and the model training module is used for training a risk model to be trained according to the multi-modal feature set and the risk label set so as to obtain the risk model.

In one embodiment of the disclosure, the risk model to be trained comprises an account risk sub-model to be trained, an environment risk sub-model to be trained, an associated account risk sub-model to be trained and a combined risk sub-model to be trained; the model training module comprises: the first training unit is used for respectively training the account risk submodel to be trained, the environment risk submodel to be trained and the associated account risk submodel to be trained according to the multi-mode feature set and the risk mark set so as to obtain risk results output by the account risk submodel to be trained, the environment risk submodel to be trained and the associated account risk submodel to be trained; and the second training unit is used for training the combined risk sub-model to be trained according to the risk result and the risk label set so as to obtain the risk model.

In one embodiment of the disclosure, the first training unit is configured to: respectively inputting the account active characteristics, the network environment information and the historical malicious behavior times of the associated account of each user as input information to the to-be-trained account risk sub-model, the to-be-trained environment risk sub-model and the to-be-trained associated account risk sub-model so as to obtain risk results output by the to-be-trained account risk sub-model, the to-be-trained environment risk sub-model and the to-be-trained associated account risk sub-model; determining a first loss function according to the risk result output by the to-be-trained account risk submodel, the to-be-trained environment risk submodel and the to-be-trained associated account risk submodel and the risk label corresponding to the account of each user in the risk label set; and optimizing the account risk submodel to be trained, the environment risk submodel to be trained and the associated account risk submodel to be trained according to the first loss function until the first loss function is minimum or the preset times of optimization is completed.

In one embodiment of the present disclosure, the second training unit is configured to: inputting the risk result as input information to the to-be-trained risk combining sub-model to obtain a risk result output by the to-be-trained risk combining sub-model; determining a second loss function according to the risk result output by the combined risk submodel to be trained and the risk marks corresponding to the account numbers of the users in the risk mark set; and optimizing the merged risk sub-model to be trained according to the second loss function until the second loss function is minimum or the optimization of preset times is completed.

In an embodiment of the present disclosure, the apparatus 700 for detecting malicious registration is further configured to: acquiring a misjudgment result asynchronously returned by a calling party, wherein the misjudgment result comprises multi-mode characteristics of a misjudgment user and a risk mark corresponding to the misjudgment user; updating the multi-modal feature set according to the multi-modal features of the misjudged user, and updating the risk mark set according to the risk marks corresponding to the misjudged user; and retraining the risk model according to the updated multi-modal feature set and the risk mark set.

In an embodiment of the present disclosure, the apparatus 700 for detecting malicious registration is further configured to: and storing the risk value corresponding to the target user registration request as persistent data.

It should be noted that the computer system 800 of the electronic device shown in fig. 8 is only an example, and should not bring any limitation to the functions and the scope of the application of the embodiments of the present disclosure.

As shown in fig. 8, a computer system 800 includes a Central Processing Unit (CPU)801 that can perform various appropriate actions and processes according to a program stored in a Read-Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803, implementing the search string Processing method described in the above-described embodiment. In the RAM 803, various programs and data necessary for system operation are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other via a bus 804. An Input/Output (I/O) interface 805 is also connected to bus 804.

The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, a mouse, and the like; an output section 807 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 808 including a hard disk and the like; and a communication section 809 including a Network interface card such as a LAN (Local Area Network) card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that a computer program read out therefrom is mounted on the storage section 808 as necessary.

In particular, the processes described below with reference to the flowcharts may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. When the computer program is executed by a Central Processing Unit (CPU)801, various functions defined in the system of the present disclosure are executed.

It should be noted that the computer readable medium shown in the embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The units described in the embodiments of the present disclosure may be implemented by software, or may be implemented by hardware, and the described units may also be disposed in a processor. Wherein the names of the elements do not in some way constitute a limitation on the elements themselves.

As another aspect, the present disclosure also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by an electronic device, cause the electronic device to implement the method described in the above embodiments.

It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.

Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.

Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains.

It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims

1. A method for detecting malicious registrations, comprising:

acquiring an account and network environment information in a target user registration request, and acquiring account characteristic information corresponding to the account and behavior information corresponding to the registration request, wherein the behavior information is the submission frequency of the registration request;

comparing the behavior information with a preset frequency threshold, and determining a first risk result according to a comparison result;

processing the account characteristic information and the network environment information through a risk model to obtain a second risk result;

and determining a risk value corresponding to the registration request according to the first risk result and the second risk result, and judging whether the registration request is malicious registration according to the risk value.

2. The method of claim 1, wherein comparing the behavior information to a preset frequency threshold and determining a first risk result based on the comparison comprises:

when the behavior information is smaller than or equal to the preset frequency threshold, marking a first numerical value as the first risk result for the registration request;

when the behavior information is larger than the preset frequency threshold, marking a second numerical value as the first risk result for the registration request;

wherein the first value is different from the second value.

3. The method of claim 1, wherein the risk model comprises an account risk sub-model, an environmental risk sub-model, and a combined risk sub-model;

the processing the account characteristic information and the network environment information through the risk model to obtain a second risk result includes:

processing the account characteristic information through the account risk sub-model based on an account wind control strategy to obtain an account risk result;

processing the network environment information through the environmental risk sub-model based on an environmental wind control strategy to obtain an environmental risk result;

and determining the second risk result according to the account risk result and the environment risk result through the combined risk sub-model.

4. The method of claim 1, further comprising:

acquiring a cross-platform associated account related to the account information while acquiring the account and the network environment information, and acquiring associated account characteristic information according to the associated account;

and processing the account characteristic information, the network environment information and the associated account characteristic information through the risk model to obtain a third risk result.

5. The method of claim 4, wherein the risk model comprises an account risk sub-model, an environmental risk sub-model, a correlation account risk sub-model, and a combined risk sub-model;

the processing the account characteristic information, the network environment information and the associated account characteristic information through the risk model to obtain a third risk result includes:

processing the characteristic information of the associated account through the associated account risk sub-model based on the associated account wind control strategy to obtain an associated account risk result;

and determining the third risk result according to the account risk result, the environment risk result and the associated account risk result through the combined risk sub-model.

6. The method of claim 1, wherein determining whether the registration request is a malicious registration based on the risk value comprises:

determining a risk grade corresponding to the risk value according to a risk grade division rule;

when the risk value corresponds to a low risk level or a medium risk level, calling a verification tool to verify the legality of the target user, and judging whether the registration request is malicious registration according to a verification result;

and when the risk value corresponds to a high risk level, judging that the registration request is malicious registration, and intercepting the registration request.

7. The method of claim 1, wherein prior to processing the account information and the network environment information by a risk model, the method further comprises:

collecting information of a full number of users in real time to construct a multi-mode feature set, wherein the multi-mode feature set comprises account number active features, network environment information and historical malicious behavior times of associated account numbers of the users;

acquiring historical behavior information corresponding to the account number of each user, and determining a risk mark corresponding to the registration behavior of each user according to the historical behavior information and a preset rule to acquire a risk mark set;

and training a risk model to be trained according to the multi-modal feature set and the risk label set to obtain the risk model.

8. The method of claim 7, wherein the risk model to be trained comprises an account risk sub-model to be trained, an environmental risk sub-model to be trained, an associated account risk sub-model to be trained, and a combined risk sub-model to be trained;

training a risk model to be trained according to the multi-modal feature set and the risk label set to obtain the risk model, including:

respectively training the risk submodel of the account to be trained, the environmental risk submodel to be trained and the risk submodel of the associated account to be trained according to the multi-mode feature set and the risk mark set so as to obtain risk results output by the risk submodel of the account to be trained, the environmental risk submodel to be trained and the associated account risk submodel to be trained;

and training the combined risk sub-model to be trained according to the risk result and the risk label set to obtain the risk model.

9. The method according to claim 8, wherein the training the account risk sub-model to be trained, the environmental risk sub-model to be trained and the associated account risk sub-model to be trained according to the multi-modal feature set and the risk label set comprises:

respectively inputting the account active characteristics, the network environment information and the historical malicious behavior times of the associated account of each user as input information to the to-be-trained account risk sub-model, the to-be-trained environment risk sub-model and the to-be-trained associated account risk sub-model so as to obtain risk results output by the to-be-trained account risk sub-model, the to-be-trained environment risk sub-model and the to-be-trained associated account risk sub-model;

determining a first loss function according to the risk result output by the to-be-trained account risk submodel, the to-be-trained environment risk submodel and the to-be-trained associated account risk submodel and the risk label corresponding to the account of each user in the risk label set;

and optimizing the account risk submodel to be trained, the environment risk submodel to be trained and the associated account risk submodel to be trained according to the first loss function until the first loss function is minimum or the preset times of optimization is completed.

10. The method of claim 8, wherein training the merged risk sub-model to be trained according to the risk result and the risk label set comprises:

inputting the risk result as input information to the to-be-trained risk combining sub-model to obtain a risk result output by the to-be-trained risk combining sub-model;

determining a second loss function according to the risk result output by the combined risk submodel to be trained and the risk marks corresponding to the account numbers of the users in the risk mark set;

and optimizing the merged risk sub-model to be trained according to the second loss function until the second loss function is minimum or the optimization of preset times is completed.

11. The method of claim 1, further comprising:

acquiring a misjudgment result asynchronously returned by a calling party, wherein the misjudgment result comprises multi-mode characteristics of a misjudgment user and a risk mark corresponding to the misjudgment user;

updating the multi-modal feature set according to the multi-modal features of the misjudged user, and updating the risk mark set according to the risk marks corresponding to the misjudged user;

and retraining the risk model according to the updated multi-modal feature set and the risk mark set.

12. The method of claim 1, further comprising:

and storing the risk value corresponding to the target user registration request as persistent data.

13. An apparatus for detecting malicious registration, comprising:

the information acquisition module is used for acquiring an account and network environment information in a target user registration request, and simultaneously acquiring account characteristic information corresponding to the account and behavior information corresponding to the registration request, wherein the behavior information is the submission frequency of the registration request;

the behavior risk judging module is used for comparing the behavior information with a preset frequency threshold value and determining a first risk result according to a comparison result;

the strategy risk judgment module is used for processing the account characteristic information and the network environment information through a risk model to obtain a second risk result;

and the comprehensive risk determining module is used for determining a risk value corresponding to the registration request according to the first risk result and the second risk result, and judging whether the registration request is malicious registration according to the risk value.

14. A computer-readable medium, on which a computer program is stored which, when being executed by a processor, carries out a method of detecting a malicious registration according to any one of claims 1 to 12.

15. An electronic device, comprising:

one or more processors;

storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method of detection of malicious registration as claimed in any one of claims 1 to 12.