CN117972581A - Abnormal login early warning method, device, equipment and storage medium - Google Patents

Abstract

The present invention relates to the field of computers, and discloses an abnormal login warning method, device, equipment and storage medium. The method is used to adopt a method of real-time data reception and prediction based on an abnormal login detection model of Isolation Forest, which can quickly respond to abnormal login behavior and issue a warning in time. The method includes: constructing an abnormal login detection model based on Isolation Forest; receiving login request data in real time, and extracting feature data of the login request data; inputting the feature data into the abnormal login detection model, and obtaining the output result of the abnormal login detection model; judging whether there is an abnormality in the login request according to the output result, and if there is an abnormality, calling the warning strategy for processing; regularly collecting abnormal correction feedback data, and optimizing the abnormal login detection model according to the abnormal correction feedback data.

Description

Abnormal login warning method, device, equipment and storage medium

Technical Field

The present invention relates to the field of computer technology, and in particular to an abnormal login early warning method, device, equipment and storage medium.

Background technique

With the development of the Internet industry, more and more actual businesses have shifted from offline to online. For example, fixed asset management platforms, attendance processing platforms and other common business operations of enterprises have all been processed online. While saving resources and reducing manpower investment, it also brings many security risks.

Traditional abnormal login detection often defines login behavior based on certain rules, and judges abnormal login behavior by matching pre-specified rules. In some simple scenarios, similar rule pre-definition methods can be used to identify abnormal logins, but with the increase in data volume and the expansion of business scenarios, the definition and selection of rules will become more and more complicated, and the technical requirements for related abnormal detection personnel will also become higher and higher. Even because there are differences between login modes in different scenarios, developers need to design new rules every time a business scenario is changed, which greatly increases the difficulty and workload of development, and the development efficiency is low.

Therefore, the existing technology still needs to be improved and developed.

Summary of the invention

The present invention provides an abnormal login warning method, device, equipment and storage medium, which are used to quickly respond to abnormal login behavior and issue warnings in time by adopting a method of real-time data reception and abnormal login detection model prediction based on Isolation Forest.

The first aspect of the present invention provides an abnormal login early warning method, which includes: constructing an abnormal login detection model based on Isolation Forest; receiving login request data in real time and extracting feature data of the login request data; inputting the feature data into the abnormal login detection model to obtain the output result of the abnormal login detection model; judging whether there is an abnormality in the login request according to the output result, and if there is an abnormality, calling the early warning strategy for processing; regularly collecting abnormal correction feedback data, and optimizing the abnormal login detection model according to the abnormal correction feedback data

Optionally, in a first implementation method of the first aspect of the present invention, the construction of an abnormal login detection model based on IsolationForest includes: collecting login log data of historical accounts; preprocessing the login log data of the historical accounts to generate a login log data set; inputting the login log data set into an IsolationForest-based model for training to obtain an abnormal login detection model.

Optionally, in a second implementation of the first aspect of the present invention, the input of the login log data set is trained based on the Isolation Forest model to obtain an abnormal login detection model, including: dividing the login log data set into a first training set and a second training set, the first training set containing normal login samples and abnormal login samples, and the second training set only containing abnormal login samples; inputting the first training set into the Isolation Forest model for training to obtain an initial training model; inputting the second training set into the initial training model for training to obtain an abnormal login detection model.

Optionally, in a third implementation method of the first aspect of the present invention, the real-time receiving of login request data and extracting feature data of the login request data include: using Apache Spark in combination with Kafka to establish a stream processing framework to receive login request data in real time; parsing the login request data and dividing it into multiple fields; extracting feature data of the login request data from the multiple fields, the feature data including time features, geographic location features, device information features and login behavior features.

Optionally, in a fourth implementation method of the first aspect of the present invention, inputting the feature data into an abnormal login detection model to obtain an output result of the abnormal login detection model includes: obtaining a feature vector corresponding to each feature data; inputting the feature vector corresponding to each feature data into the abnormal login detection model; and obtaining the average leaf node height of the feature vector corresponding to each feature data output by the abnormal login detection model.

Optionally, in a fifth implementation method of the first aspect of the present invention, it is determined whether there is an abnormality in the login request based on the output result. If there is an abnormality, an early warning strategy is called for processing, including: comparing the average leaf node height of the feature vector corresponding to each of the feature data with a preset abnormality threshold. If the average leaf node height of the feature vector corresponding to each of the feature data is greater than the preset abnormality threshold, the login request is determined to be abnormal; when it is determined that the login request is abnormal, the difference between the average leaf node height of the feature vector corresponding to each of the feature data and the preset abnormality threshold is calculated, and the abnormality levels are divided according to the difference; and the early warning strategy of the corresponding level is called for processing according to the divided abnormality level.

Optionally, in a sixth implementation method of the first aspect of the present invention, the periodic collection of abnormal correction feedback data and the optimization of the abnormal login detection model based on the abnormal correction feedback data include: periodically collecting abnormal correction feedback data; analyzing the abnormal correction feedback data to obtain analysis results, wherein the analysis results include a false alarm rate and a missed alarm rate; optimizing the parameters of the abnormal login detection model based on the analysis results, and retraining the abnormal login detection model using the optimized parameters.

The second aspect of the present invention provides an abnormal login warning device, including: a model building module, used to build an abnormal login detection model based on Isolation Forest; an extraction module, used to receive login request data in real time and extract feature data of the login request data; an abnormality detection module, used to input the feature data into the abnormal login detection model and obtain the output result of the abnormal login detection model; an early warning module, used to determine whether there is an abnormality in the login request based on the output result, and if there is an abnormality, call the early warning strategy for processing; a model optimization module, used to regularly collect abnormal correction feedback data, and optimize the abnormal login detection model based on the abnormal correction feedback data.

Optionally, in a first implementation method of the second aspect of the present invention, the model building module includes: a first collection unit, used to collect login log data of historical accounts; a preprocessing unit, used to preprocess the login log data of the historical accounts to generate a login log data set; and a training unit, used to input the login log data set into an Isolation Forest model for training to obtain an abnormal login detection model.

Optionally, in a second implementation of the second aspect of the present invention, the extraction module includes: a real-time receiving unit, used to use Apache Spark in combination with Kafka to establish a stream processing framework to receive login request data in real time; a parsing unit, used to parse the login request data and divide it into multiple fields; an extraction unit, used to extract feature data of the login request data from the multiple fields, the feature data including time features, geographic location features, device information features and login behavior features.

Optionally, in a third implementation of the second aspect of the present invention, the anomaly detection module includes: a first acquisition unit, used to acquire a feature vector corresponding to each of the feature data; an anomaly detection unit, used to input the feature vector corresponding to each of the feature data into the abnormal login detection model; and a second acquisition unit, used to acquire the average leaf node height of the feature vector corresponding to each feature data output by the abnormal login detection model.

Optionally, in a fourth implementation method of the second aspect of the present invention, the early warning module includes: a comparison unit, used to compare the average leaf node height of the feature vector corresponding to each of the feature data with a preset abnormal threshold, if the average leaf node height of the feature vector corresponding to each of the feature data is greater than the preset abnormal threshold, then the login request is determined to be abnormal; a division unit, used to calculate the difference between the average leaf node height of the feature vector corresponding to each of the feature data and the preset abnormal threshold when the login request is determined to be abnormal, and divide it into different abnormal levels according to the difference; an early warning unit, used to call the early warning strategy of the corresponding level for processing according to the divided abnormal level.

Optionally, in a fifth implementation of the second aspect of the present invention, the model optimization module includes: a first collection unit, used to periodically collect abnormal correction feedback data; an analysis unit, used to analyze the abnormal correction feedback data to obtain analysis results, wherein the analysis results include false alarm rate and missed alarm rate; an optimization unit, used to optimize the parameters of the abnormal login detection model according to the analysis results, and retrain the abnormal login detection model using the optimized parameters.

The third aspect of the present invention provides an abnormal login warning device, comprising: a memory and at least one processor, the memory storing computer-readable instructions, the memory and the at least one processor being interconnected through lines; the at least one processor calling the computer-readable instructions in the memory so that the abnormal login warning device executes each step of the abnormal login warning method as described above.

A fourth aspect of the present invention provides a computer-readable storage medium, in which computer-readable instructions are stored. When the computer-readable storage medium is run on a computer, the computer executes each step of the abnormal login warning method described above.

In the technical solution provided by the present invention, the method of real-time data reception and abnormal login detection model prediction is adopted, which can quickly respond to abnormal login behavior and issue early warnings in time; and the abnormal login detection model is based on the IsolationForest algorithm to identify abnormal points, which can effectively process large-scale data and improve detection accuracy. In addition, it continuously optimizes the model by collecting abnormal correction feedback data to adapt it to new login behavior patterns, which can improve adaptability and accuracy.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a flow chart of a first abnormal login warning method provided by an embodiment of the present invention;

FIG2 is a second flow chart of the abnormal login warning method provided by an embodiment of the present invention;

FIG3 is a third flow chart of the abnormal login warning method provided by an embodiment of the present invention;

FIG4 is a fourth flow chart of the abnormal login warning method provided by an embodiment of the present invention;

FIG5 is a fifth flow chart of the abnormal login warning method provided by an embodiment of the present invention;

FIG6 is a sixth flow chart of the abnormal login warning method provided by an embodiment of the present invention;

7 is a schematic diagram of the structure of an abnormal login warning device provided by an embodiment of the present invention;

FIG8 is a schematic diagram of the structure of an abnormal login warning device provided in an embodiment of the present invention.

Detailed ways

The embodiment of the present invention provides an abnormal login warning method, device, equipment and storage medium. The method is used to adopt the method of real-time data reception and Isolation Forest-based abnormal login detection model prediction, which can quickly respond to abnormal login behavior and issue warnings in time. The method includes: constructing an abnormal login detection model based on Isolation Forest; receiving login request data in real time and extracting feature data of the login request data; inputting the feature data into the abnormal login detection model to obtain the output result of the abnormal login detection model; judging whether there is an abnormality in the login request according to the output result, and if there is an abnormality, calling the warning strategy for processing; regularly collecting abnormal correction feedback data, and optimizing the abnormal login detection model according to the abnormal correction feedback data.

The terms "first", "second", "third", "fourth", etc. (if any) in the specification and claims of the present invention and the above-mentioned drawings are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It should be understood that the data used in this way can be interchanged where appropriate, so that the embodiments described herein can be implemented in an order other than that illustrated or described herein. In addition, the terms "including" or "having" and any variations thereof are intended to cover non-exclusive inclusions, for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to those steps or units that are clearly listed, but may include other steps or units that are not clearly listed or inherent to these processes, methods, products or devices.

For ease of understanding, the specific process of the embodiment of the present invention is described below. Please refer to FIG1. The first embodiment of an abnormal login warning method in the embodiment of the present invention includes:

S101. Build an abnormal login detection model based on Isolation Forest.

It is understandable that the execution subject of the present invention may be an abnormal login warning device, or a terminal or a server, which is not limited here. The embodiment of the present invention is described by taking a server as the execution subject as an example.

It can be understood that Isolation Forest is a tree-based anomaly detection algorithm suitable for anomaly detection tasks in high-dimensional data sets. Its core idea is to achieve fast detection of outliers by constructing a randomly split binary tree.

Isolation Forest constructs an isolation tree by randomly selecting features and split values. This random partitioning method helps to quickly locate outliers. When building an abnormal login detection model based on Isolation Forest, its ability to quickly locate outliers can be used to identify abnormalities in login behavior.

In this embodiment, when building an abnormal login detection model based on Isolation Forest, it is necessary to collect training samples, extract meaningful features such as login time, geographic location, device information, etc., and convert them into a format that can be used by the model, and then train the Isolation Forest model.

During the training process, the cross-validation method can be used to evaluate the Isolation Forest model.

S102: Receive login request data in real time and extract feature data of the login request data.

In this embodiment, it is necessary to preset a data receiving endpoint, which may be an API endpoint or a message queue, for receiving real-time login request data.

Feature data includes login time, IP address, device information, login results and other data.

In this embodiment, stream processing technology (such as Apache Kafka Streams, Apache Flink, etc.) can be used for real-time feature processing and conversion, and features can be quickly extracted and processed after receiving the login request data.

In this embodiment, an asynchronous processing mechanism may be used to improve the concurrent performance and response speed of the system, ensuring that a large amount of real-time login request data can be processed in a timely manner even under high load conditions.

S103: Input the feature data into an abnormal login detection model to obtain an output result of the abnormal login detection model.

In this embodiment, before inputting the feature data into the abnormal login detection model, it is necessary to ensure that the feature data format obtained from the stream processing framework is consistent with the input format required by the abnormal login detection model, and perform necessary data preprocessing and conversion (such as standardization, normalization, etc.).

After the abnormal login detection model processes the feature data, it will get the corresponding output results, which usually include the abnormal score or abnormal probability of each sample. The output results can be used to determine whether the login request is an abnormal login.

S104. Determine whether there is an abnormality in the login request based on the output result. If there is an abnormality, call the early warning strategy for processing.

In this embodiment, multi-level warning rules can be set for abnormal login requests, for example, including low-risk warning, medium-risk warning and high-risk warning. Low-risk warning means that the login request may be abnormal, and an abnormal reminder is issued, including constructing the content of the warning information, determining the warning level, and specifying the receiving personnel. Medium-risk warning means that the login request is highly suspicious and requires manual review. High-risk warning means that the login request is highly suspicious and the account is directly locked.

If it is determined that there is no abnormality in the login request, no warning processing is required.

S105. Regularly collect abnormal correction feedback data, and optimize the abnormal login detection model based on the abnormal correction feedback data.

In this embodiment, a feedback system may be established to receive and record abnormality correction feedback data. The abnormality correction feedback data is abnormality correction information provided by a user or administrator, such as confirming that a login marked as abnormal is actually normal.

In this embodiment, the server collects information of the feedback system regularly, for example, every month, every quarter, or every six months. The specific time interval is set according to actual needs.

In this embodiment, the abnormal login detection model is retrained or fine-tuned in combination with the collected abnormal correction feedback data. The model performance can be optimized by adding new training samples or adjusting model parameters to reduce the false positive rate and the false negative rate.

This embodiment provides an abnormal login warning method, which adopts the method of real-time data reception and abnormal login detection model prediction, and can quickly respond to abnormal login behavior and issue warnings in time; and the abnormal login detection model is based on the Isolation Forest algorithm to identify abnormal points, which can effectively process large-scale data and improve detection accuracy. In addition, it continuously optimizes the model by collecting abnormal correction feedback data to adapt it to new login behavior patterns, which can improve adaptability and accuracy.

Please refer to FIG. 2 , a second embodiment of the abnormal login warning method according to the embodiment of the present invention includes:

S201. Collect login log data of historical accounts.

In this embodiment, login records, abnormal situation records and security event records can be collected.

In this embodiment, the login record includes data such as timestamp, user name, login IP address, login device information, etc.

Abnormal situation records include records of abnormal behaviors such as the number of failed logins exceeding the threshold, remote logins, and frequent logins.

In this embodiment, the collected login log data of historical accounts can be stored in a sample database as a data source for modeling and training anomaly detection models, helping to improve model performance and accuracy.

S202: Preprocess the login log data of historical accounts to generate a login log data set.

In this embodiment, preprocessing the login log data of historical accounts includes the following aspects:

Data cleaning: Identify and process missing values, duplicate values, outliers, etc. to ensure data quality.

Feature extraction: Extract useful features from raw log data, such as login time, IP address, device type, login result (success/failure), etc.

Feature conversion: convert or encode certain features, such as converting timestamps to date and time formats, and performing one-hot encoding on categorical features.

Mark anomalies: Based on known abnormal login situations, mark the corresponding samples as abnormal categories for subsequent model training.

S203: Input the login log data set into the Isolation Forest model for training to obtain an abnormal login detection model.

In this embodiment, the login log data set is input into the Isolation Forest model for training to obtain an abnormal login detection model, including: dividing the login log data set into a first training set and a second training set, the first training set contains normal login samples and abnormal login samples, and the second training set only contains abnormal login samples; the first training set is input into the Isolation Forest model for training to obtain an initial training model; the second training set is input into the initial training model for training to obtain an abnormal login detection model.

During the training process, the number of isolated trees, subsampling methods, segmentation strategies and other methods can be used to tune the parameters of the Isolation Forest model to further improve the model performance.

In this embodiment, by dividing the training set and training the model in stages, abnormal patterns can be better discovered, and the accuracy of abnormal detection can be improved. In addition, the abnormal login detection model can learn normal login samples through prior knowledge, thereby improving the ability to identify abnormal samples.

Please refer to FIG. 3 , a third embodiment of an abnormal login warning method in an embodiment of the present invention includes:

S301. Use Apache Spark in combination with Kafka to establish a stream processing framework to receive login request data in real time.

In this embodiment, Apache Spark and Kafka are pre-installed and configured; then a topic is created in Kafka to receive login request data; then a Spark Streaming job is created, which consumes the data stream from the Kafka topic; finally, the Spark Streaming job is submitted to the cluster for running, so as to receive and process the login request data from the Kafka topic in real time.

It is understandable that combining Kafka and Apache Spark can build a high-throughput and low-latency real-time data processing process that can quickly respond to and process a large amount of login request data. And as a message queue system, Kafka can support access to a variety of data sources, including application logs, sensor data, etc., making the entire system more flexible and versatile.

S302: Parse the login request data and divide it into multiple fields.

In this embodiment, the parsing process involves parsing of data formats (such as JSON, XML, CSV, etc.) and identification of specific tags or delimiters.

The parsed data is divided into multiple fields. Typical fields may include user name, login time, IP address, device information, and login result. User name refers to the user account involved in the login request. Login time refers to the timestamp or date and time information of the login request. IP address refers to the IP address that initiated the login request. Device information includes operating system, browser type, etc. Login result refers to the result of the login request, success or failure, etc.

S303. Extract feature data of the login request data from multiple fields, where the feature data includes time features, geographic location features, device information features, and login behavior features.

In this embodiment, the time feature is to extract time-related features from the login time field, including hours, minutes, day of the week, whether it is a working day, etc. These features can reflect the time pattern and periodicity of the login behavior.

The geographic location feature extracts geographic location information from the IP address field. The IP address library can be used to map the IP address to a specific geographic location, such as country, city, etc. This information can reveal the geographical distribution of login behavior.

Device information features are features about the device extracted from the device information field, such as operating system type, browser type, device brand, etc. This information helps to identify login behaviors of different device types.

Login behavior features are login behavior features extracted from the login result field, such as the number of successful logins, the number of failed logins, the number of account lockouts, etc. These features can reflect the login behavior characteristics of the account.

In this embodiment, when extracting the characteristic data of the login request data, a keyword matching algorithm may be used for extraction, or a regular expression may be used for extraction.

In this embodiment, Apache Spark and Kafka are combined to establish a stream processing framework to receive login request data in real time and perform feature extraction, which can effectively improve the efficiency and flexibility of real-time data processing and provide a reliable data foundation and feature support for the abnormal login detection system.

Please refer to FIG. 4 , a fourth embodiment of an abnormal login warning method according to an embodiment of the present invention includes:

S401, obtaining a feature vector corresponding to each feature data.

In this embodiment, different types of feature data (such as categorical type and numerical type) are subjected to appropriate encoding conversion, such as one-hot encoding, label encoding, numerical normalization, etc., so as to obtain a feature vector corresponding to each feature data. The obtained feature vector is converted into an appropriate data structure, such as DataFrame or Numpy array, etc., so as to facilitate the subsequent input of the abnormal login detection model.

S402: Input the feature vector corresponding to each feature data into the abnormal login detection model.

S403: Obtain the average leaf node height of the feature vector corresponding to each feature data output by the abnormal login detection model.

In this embodiment, the abnormal login detection model is loaded, and the feature vectors corresponding to each feature data are input into the loaded abnormal login detection model one by one. The abnormal login detection model infers and calculates the input feature vectors, and outputs the average leaf node height of the feature vector corresponding to each feature data, which is used to indicate the degree of abnormality of the feature data.

In this embodiment, the feature vector corresponding to each feature data is input into the abnormal login detection model. The use of feature vectors can achieve unified processing of different feature data, which helps to eliminate the scale differences between different feature data, making it easier for the anomaly detection model to capture abnormal patterns. Obtaining the average leaf node height of the feature vector corresponding to each feature data output by the anomaly detection model can more intuitively understand the judgment basis of the anomaly detection model for each feature data, thereby increasing the interpretability of the model output.

Please refer to FIG5 , a fifth embodiment of an abnormal login warning method in an embodiment of the present invention includes:

S501. Compare the average leaf node height of the feature vector corresponding to each feature data with the preset abnormal threshold. If the average leaf node height of the feature vector corresponding to each feature data is greater than the preset abnormal threshold, determine that the login request is abnormal.

S502: When it is determined that the login request is abnormal, the difference between the average leaf node height of the feature vector corresponding to each feature data and the preset abnormal threshold is calculated, and different abnormal levels are divided according to the difference.

In this embodiment, by comparing the average leaf node height of the feature vector corresponding to each feature data with the preset abnormality threshold, the system can perform fine-grained abnormality judgment on the login request. It can not only simply determine whether there is an abnormality, but also divide it into different abnormality levels according to the difference.

In this embodiment, the abnormality levels include level one abnormality, level two abnormality and level three abnormality. Level one abnormality indicates that the login request may be abnormal; level two abnormality indicates that the login request is strongly suspicious; level three abnormality indicates that the login request is highly suspicious. Level three abnormality has the highest degree of abnormality, level two abnormality has a medium degree of abnormality, and level one abnormality has the lowest degree of abnormality.

S503: Call the warning strategy of the corresponding level for processing according to the divided abnormal level.

In this embodiment, when the abnormality level is level one, the corresponding warning strategy is a low-risk warning strategy, when the abnormality level is level two, the corresponding warning strategy is a medium-risk warning strategy, and when the abnormality level is level three, the corresponding warning strategy is a high-risk warning strategy. The low-risk warning strategy includes sending prompt notifications to users, strengthening identity authentication, etc. The medium-risk warning strategy includes triggering multi-factor authentication, requiring users to confirm risks, etc. The high-risk warning strategy includes immediately locking the account, issuing an emergency alarm and initiating a security process, etc.

In this embodiment, when the average leaf node height of the feature vector corresponding to each feature data is not greater than the preset abnormal threshold, it is determined that the login request is normal and no early warning processing is required.

In this embodiment, when a login request is determined to be abnormal, the difference between the average leaf node height of the feature vector corresponding to each feature data and the preset abnormal threshold is calculated, and the system is divided into different abnormal levels according to the difference. The system can call the corresponding level of warning strategy for different levels of abnormalities, thereby realizing multi-level warning processing and responding to abnormal situations of different severity in a more targeted manner.

Please refer to FIG. 6 , a sixth embodiment of an abnormal login warning method in an embodiment of the present invention includes:

S601. Regularly collect abnormal correction feedback data.

In this embodiment, a feedback system may be pre-established to allow users or administrators to submit feedback information about abnormal login detection situations, which may include a feedback form on a website, a feedback function within an application, or a dedicated email address.

In this embodiment, feedback information on abnormal login detection situations is queried from the feedback system according to a preset period, and the feedback information on abnormal login detection situations is sorted to obtain abnormal correction feedback data.

S602: Analyze the abnormal correction feedback data to obtain analysis results, which include false alarm rate and missed alarm rate.

In this embodiment, the false alarm rate generated by the system is calculated by analyzing the situation where the system is marked as abnormal but the abnormal correction feedback data is marked as normal login. The missed alarm rate generated by the system is calculated by analyzing the situation where the system is not marked as abnormal but the abnormal correction feedback data is marked as abnormal login.

In this embodiment, the abnormal correction feedback data may also be grouped according to the warning level, and the actual abnormal situation at each warning level may be analyzed to determine whether there is an unreasonable division of the warning levels, and adjust the division of the warning levels.

S603. Optimize the parameters of the abnormal login detection model according to the analysis results, and retrain the abnormal login detection model using the optimized parameters.

In this embodiment, when optimizing the parameters of the abnormal login detection model according to the analysis results, the weights of various features in the abnormal login detection model may be adjusted according to the analysis results.

In this embodiment, verification and evaluation can also be performed on the optimized abnormal login detection model to ensure that the model has obvious performance improvement after modification. Specifically, methods such as cross-validation and AUC indicators can be used to evaluate model performance.

In this embodiment, by analyzing the false alarm rate, missed alarm rate and actual abnormal situations under different warning levels, the parameters of the abnormal login detection model can be adjusted in a targeted manner to improve its accuracy and robustness. Moreover, the abnormal login detection model can be optimized and retrained in time according to the analysis results of the abnormal correction feedback data, so that the system can quickly adapt to new security threats and attack methods.

The above describes the abnormal login warning method in the embodiment of the present invention. The following describes the device in the embodiment of the present invention. Please refer to Figure 7. The implementation method of the abnormal login warning device in the embodiment of the present invention includes:

A model building module 701 is used to build an abnormal login detection model based on Isolation Forest;

Extraction module 702, used to receive login request data in real time and extract feature data of the login request data;

Anomaly detection module 703, used to input the feature data into an abnormal login detection model to obtain an output result of the abnormal login detection model;

The early warning module 704 is used to determine whether there is an abnormality in the login request according to the output result, and if there is an abnormality, call the early warning strategy for processing;

The model optimization module 705 is used to regularly collect abnormal correction feedback data and optimize the abnormal login detection model according to the abnormal correction feedback data.

In this embodiment, the model building module 701 includes: a first collection unit 7011, used to collect login log data of historical accounts; a preprocessing unit 7012, used to preprocess the login log data of the historical accounts to generate a login log data set; a training unit 7013, used to input the login log data set into the Isolation Forest model for training to obtain an abnormal login detection model.

In this embodiment, the extraction module 702 includes: a real-time receiving unit 7021, which is used to use Apache Spark in combination with Kafka to establish a stream processing framework to receive login request data in real time; a parsing unit 7022, which is used to parse the login request data and divide it into multiple fields; an extraction unit 7023, which is used to extract feature data of the login request data from the multiple fields, and the feature data includes time features, geographic location features, device information features and login behavior features.

In this embodiment, the anomaly detection module 703 includes: a first acquisition unit 7031, used to obtain the feature vector corresponding to each of the feature data; an anomaly detection unit 7032, used to input the feature vector corresponding to each of the feature data into the abnormal login detection model; a second acquisition unit 7033, used to obtain the average leaf node height of the feature vector corresponding to each feature data output by the abnormal login detection model.

In this embodiment, the early warning module 704 includes: a comparison unit 7041, which is used to compare the average leaf node height of the feature vector corresponding to each of the feature data with a preset abnormal threshold. If the average leaf node height of the feature vector corresponding to each of the feature data is greater than the preset abnormal threshold, the login request is determined to be abnormal; a division unit 7042, which is used to calculate the difference between the average leaf node height of the feature vector corresponding to each of the feature data and the preset abnormal threshold when the login request is determined to be abnormal, and divide it into different abnormal levels according to the difference; an early warning unit, which is used to call the early warning strategy of the corresponding level for processing according to the divided abnormal level.

In this embodiment, the model optimization module 705 includes: a first collection unit 7051, which is used to regularly collect abnormal correction feedback data; an analysis unit 7052, which is used to analyze the abnormal correction feedback data to obtain analysis results, and the analysis results include false alarm rate and missed alarm rate; an optimization unit 7053, which is used to optimize the parameters of the abnormal login detection model according to the analysis results, and retrain the abnormal login detection model using the optimized parameters.

In this embodiment, the method of real-time data reception and abnormal login detection model prediction is adopted, which can quickly respond to abnormal login behavior and issue early warnings in time; and the abnormal login detection model is based on the Isolation Forest algorithm to identify abnormal points, which can effectively process large-scale data and improve detection accuracy. In addition, it continuously optimizes the model by collecting abnormal correction feedback data to adapt it to new login behavior patterns, which can improve adaptability and accuracy.

FIG. 7 above describes in detail the abnormal login warning device in the embodiment of the present invention from the perspective of modular functional entities, and the following describes in detail the abnormal login warning device in the embodiment of the present invention from the perspective of hardware processing.

8 is a schematic diagram of the structure of an abnormal login warning device provided by an embodiment of the present invention. The device 800 may have relatively large differences due to different configurations or performances, and may include one or more processors (central processing units, CPU) 810 (for example, one or more processors) and a memory 820, and one or more storage media 830 (for example, one or more mass storage devices) storing application programs 833 or data 832. Among them, the memory 820 and the storage medium 830 can be short-term storage or permanent storage. The program stored in the storage medium 830 may include one or more modules (not shown), and each module may include a series of instruction operations in the device 800. Furthermore, the processor 810 may be configured to communicate with the storage medium 830 and execute a series of instruction operations in the storage medium on the device 800.

The device 800 may also include one or more power supplies 840, one or more wired or wireless network interfaces 850, one or more input and output interfaces 860, and/or one or more operating systems 831, such as Windows Serve, Mac OS X, Unix, Linux, FreeBSD, etc.

An embodiment of the present invention also provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium or a volatile computer-readable storage medium. Instructions are stored in the computer-readable storage medium. When the instructions are executed on a computer, the computer executes the steps of the abnormal login warning method.

Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working process of the system, device or unit described above can refer to the corresponding process in the aforementioned method embodiment and will not be repeated here.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention is essentially or the part that contributes to the prior art or all or part of the technical solution can be embodied in the form of a software product. The computer software product is stored in a storage medium, including a number of instructions to enable a computer device (which can be a personal computer, server, or network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), disk or optical disk and other media that can store program codes.

As described above, the above embodiments are only used to illustrate the technical solutions of the present invention, rather than to limit the same. Although the present invention has been described in detail with reference to the aforementioned embodiments, those skilled in the art should understand that the technical solutions described in the aforementioned embodiments may still be modified, or some of the technical features may be replaced by equivalents. However, these modifications or replacements do not deviate the essence of the corresponding technical solutions from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An abnormal login early warning method, characterized in that the abnormal login early warning method comprises: Build an abnormal login detection model based on Isolation Forest; Receiving login request data in real time, and extracting feature data of the login request data; Inputting the feature data into an abnormal login detection model to obtain an output result of the abnormal login detection model; Determine whether there is an abnormality in the login request according to the output result, and if there is an abnormality, call the early warning strategy for processing; The abnormal correction feedback data is collected regularly, and the abnormal login detection model is optimized according to the abnormal correction feedback data. 2. The abnormal login early warning method according to claim 1 is characterized in that the construction of an abnormal login detection model based on IsolationForest comprises: Collect login log data of historical accounts; Preprocessing the login log data of the historical account to generate a login log data set; The login log data set is input into the Isolation Forest model for training to obtain an abnormal login detection model. 3. The abnormal login early warning method according to claim 2 is characterized in that the input of the login log data set is trained based on the Isolation Forest model to obtain an abnormal login detection model, comprising: Dividing the login log data set into a first training set and a second training set, wherein the first training set contains normal login samples and abnormal login samples, and the second training set contains only abnormal login samples; Inputting the first training set into the Isolation Forest model for training to obtain an initial training model; The second training set is input into the initial training model for training to obtain an abnormal login detection model. 4. The abnormal login early warning method according to claim 1 is characterized in that the real-time receiving of login request data and extracting characteristic data of the login request data comprises: Use Apache Spark combined with Kafka to build a stream processing framework to receive login request data in real time; Parsing the login request data and dividing it into multiple fields; Feature data of the login request data is extracted from the multiple fields, and the feature data includes time features, geographic location features, device information features, and login behavior features. 5. The abnormal login early warning method according to claim 1, characterized in that the step of inputting the characteristic data into an abnormal login detection model and obtaining an output result of the abnormal login detection model comprises: Obtaining a feature vector corresponding to each feature data; Inputting the feature vector corresponding to each of the feature data into the abnormal login detection model; The average leaf node height of the feature vector corresponding to each feature data output by the abnormal login detection model is obtained. 6. The abnormal login warning method according to claim 5 is characterized in that judging whether there is an abnormality in the login request according to the output result, and if there is an abnormality, calling the warning strategy for processing, comprises: Compare the average leaf node height of the feature vector corresponding to each of the feature data with the preset abnormal threshold, and if the average leaf node height of the feature vector corresponding to each of the feature data is greater than the preset abnormal threshold, determine that the login request is abnormal; When it is determined that the login request is abnormal, the difference between the average leaf node height of the feature vector corresponding to each of the feature data and the preset abnormal threshold is calculated, and different abnormal levels are divided according to the difference; According to the divided abnormal level, the corresponding level of warning strategy is called for processing. 7. The abnormal login early warning method according to claim 1 is characterized in that the periodic collection of abnormal correction feedback data and the optimization of the abnormal login detection model according to the abnormal correction feedback data include: Regularly collect anomaly correction feedback data; Analyze the abnormal correction feedback data to obtain analysis results, wherein the analysis results include a false alarm rate and a false alarm rate; The parameters of the abnormal login detection model are optimized according to the analysis results, and the abnormal login detection model is retrained using the optimized parameters. 8. An abnormal login warning device, characterized by comprising: Model building module, used to build an abnormal login detection model based on Isolation Forest; An extraction module, used to receive login request data in real time and extract feature data of the login request data; An anomaly detection module, used for inputting the feature data into an abnormal login detection model to obtain an output result of the abnormal login detection model; An early warning module is used to determine whether there is an abnormality in the login request according to the output result, and if there is an abnormality, call the early warning strategy for processing; The model optimization module is used to regularly collect anomaly correction feedback data and optimize the abnormal login detection model based on the anomaly correction feedback data. 9. An abnormal login warning device, characterized in that it includes a memory and at least one processor, wherein the memory stores computer-readable instructions; The at least one processor calls the computer-readable instructions in the memory to execute the various steps of the abnormal login warning method as described in any one of claims 1-7. 10. A computer-readable storage medium having computer-readable instructions stored thereon, wherein the computer-readable instructions, when executed by a processor, implement the various steps of the abnormal login warning method as described in any one of claims 1 to 7.