CN119603029A - A network attack behavior detection method based on fingerprint, and computer equipment - Google Patents

Info

Publication number
CN119603029A
Authority
CN
China
Prior art keywords
attribute
fingerprint
conversion frequency
preset period
browser
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411721932.5A
Other languages
Chinese (zh)
Inventor
周思承
樊荣
万立
王庆年
黄哲
李�瑞
张勋臣
王江涛
周浩宇
郭磊
李剑
黄秀
汪沛然
罗章琪
李晨琪
高照
王湘波
李杨
高子轩
田宵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Ship Communication Research Institute 722 Research Institute Of China Shipbuilding Corp
Original Assignee
Wuhan Ship Communication Research Institute 722 Research Institute Of China Shipbuilding Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Ship Communication Research Institute 722 Research Institute Of China Shipbuilding Corp filed Critical Wuhan Ship Communication Research Institute 722 Research Institute Of China Shipbuilding Corp
Priority to CN202411721932.5A priority Critical patent/CN119603029A/en
Publication of CN119603029A publication Critical patent/CN119603029A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/1396 Protocols specially adapted for monitoring users' activity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/535 Tracking the activity of the user
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to the technical field of network security and discloses a fingerprint-based network attack behavior detection method, a computer device and a computer-readable storage medium, which aim to solve the problem that existing network attack behavior detection methods use browser fingerprints at a coarse granularity. The method comprises: obtaining the information collected by at least one of an IP attribute fingerprint, a browser attribute fingerprint, a hardware attribute fingerprint and a software attribute fingerprint when the same account logs in within a set time period; determining the IP conversion frequency, the browser attribute fingerprint conversion frequency and the software attribute fingerprint conversion frequency in a preset period from the information collected by the IP attribute fingerprint, the browser attribute fingerprint and the software attribute fingerprint respectively; determining the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value from the information collected by the hardware attribute fingerprint; and then detecting abnormal login behavior of the account. With this method, the accuracy of detecting accounts subjected to network attack can be improved.

Description

Fingerprint-based network attack behavior detection method and computer equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a fingerprint-based network attack behavior detection method, a computer device, and a computer readable storage medium.
Background
At present, browser fingerprinting technology focuses mainly on improving fingerprint collection, and fingerprints are applied mainly to identifying the same device and to targeted advertisement pushing. Browser-fingerprint-based applications rarely address network attack behaviors on the current Internet such as malicious bill brushing, malicious ticket purchasing, malicious media attack and malicious propaganda. For the detection of business behaviors that require account login, such network attack behavior generally takes two forms: in one, the same account logs in while switching between different IPs or platforms; in the other, virtualization technology is used on the same platform to log in and operate a plurality of accounts simultaneously.
Existing network attack behavior detection methods rarely use fingerprints; where they do, browser fingerprints are used at a relatively coarse granularity and only a narrow set of fingerprint attributes is used.
Disclosure of Invention
In order to solve the problems that existing network attack behavior detection methods use browser fingerprints at a coarse granularity and use only a narrow set of fingerprint attributes, the invention provides a fingerprint-based network attack behavior detection method, a computer device and a computer-readable storage medium, with the aim of improving the accuracy of detecting network attack behavior against accounts.
To achieve the above object, according to a first aspect of the present invention, there is provided a fingerprint-based network attack behavior detection method, including:
acquiring the information collected by at least one of an IP attribute fingerprint, a browser attribute fingerprint, a hardware attribute fingerprint and a software attribute fingerprint when the same account logs in within a set time period, wherein the information collected by the IP attribute fingerprint comprises a real IP address and an IP attribution, the information collected by the browser attribute fingerprint comprises a terminal platform type and a browser type or an application software version, and the terminal platform type is an operating system type;
determining the IP conversion frequency in a preset period according to the information collected by the IP attribute fingerprint;
determining the browser attribute fingerprint conversion frequency in a preset period according to the information collected by the browser attribute fingerprint;
determining, according to the information collected by the hardware attribute fingerprint, the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value;
determining the software attribute fingerprint conversion frequency in a preset period according to the information collected by the software attribute fingerprint;
detecting abnormal login behavior of the account according to at least one of the IP conversion frequency in the preset period, the browser attribute fingerprint conversion frequency in the preset period, the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value, and the software attribute fingerprint conversion frequency in the preset period.
Further, detecting abnormal login behavior of the account according to at least one of these values comprises: assigning weights to the IP conversion frequency in the preset period, the browser attribute fingerprint conversion frequency in the preset period, the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value, and the software attribute fingerprint conversion frequency in the preset period, wherein the weight of the IP conversion frequency in the preset period is not less than the weight of the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value, the weight of the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value is not less than the weight of the browser attribute fingerprint conversion frequency in the preset period, and the weight of the browser attribute fingerprint conversion frequency in the preset period is not less than the weight of the software attribute fingerprint conversion frequency in the preset period; obtaining an integrated fingerprint conversion frequency from the weighted values; and determining whether the account has abnormal login behavior according to the integrated fingerprint conversion frequency and a preset value.
Further, determining the IP conversion frequency in a preset period according to the information collected by the IP attribute fingerprint comprises: determining, according to the IP attribution, whether a switch of IP address crosses regions, provinces or countries; when the IP addresses are in the same region, recording the number of IP address switches and taking it as the IP region conversion count; when the IP addresses cross regions but are in the same province, recording the number of switches between different regions, multiplying it by 10 and adding the IP region conversion count in each region to obtain the IP cross-region conversion count; when the IP addresses cross provinces but are in the same country, recording the number of switches between different provinces, multiplying it by 20 and adding the IP cross-region conversion count in each province to obtain the IP cross-province conversion count; when the IP addresses cross countries, recording the number of switches between different countries, multiplying it by 50 and adding the IP cross-province conversion count in each country to obtain the IP cross-country conversion count; and dividing the calculated conversion count by the corresponding preset period to obtain the IP conversion frequency in the corresponding preset period.
Further, determining the browser attribute fingerprint conversion frequency in a preset period according to the information collected by the browser attribute fingerprint comprises: recording the number of changes of the operating system type; recording the number of changes of the browser type or application software version; multiplying the number of changes of the operating system type by 10 and adding the number of changes of the browser type or application software version to obtain the browser attribute fingerprint conversion count; and dividing the browser attribute fingerprint conversion count by the corresponding preset period to obtain the browser attribute fingerprint conversion frequency in the preset period.
Further, determining the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value according to the information collected by the hardware attribute fingerprint comprises: preprocessing the Canvas hash value and the audio hash value respectively, and calculating the screen resolution and the standard deviation of the preprocessed Canvas hash value and the preprocessed audio hash value respectively.
Further, determining the software attribute fingerprint conversion frequency in a preset period according to the information collected by the software attribute fingerprint comprises: recording the number of changes of the time zone information; recording the number of changes of the language system information; multiplying the number of changes of the time zone information by 20 and the number of changes of the language system information by 10 and summing them to obtain the software attribute fingerprint conversion count; and dividing the software attribute fingerprint conversion count by the corresponding preset period to obtain the software attribute fingerprint conversion frequency in the preset period.
Further, the fingerprint-based network attack behavior detection method further comprises: acquiring the information collected by the IP attribute fingerprint when a plurality of accounts log in using the same fingerprint within a set time period, wherein the information collected by the IP attribute fingerprint comprises a host IP and a real IP address; when the number of accounts with the same real IP address exceeds an account threshold, screening out, from the account set formed by the accounts with the same real IP address, the subset that has the same host IP; and when the number of accounts contained in the subset exceeds the account threshold, determining that at least one account in the subset has abnormal login behavior.
Further, the fingerprint-based network attack behavior detection method further comprises: acquiring the information collected by the hardware attribute fingerprint when a plurality of accounts log in using the same fingerprint within a set time period, wherein the information collected by the hardware attribute fingerprint comprises the Canvas hash value, the audio hash value, the screen resolution and the screen color information; forming the accounts that have the same Canvas hash value, audio hash value, screen resolution and screen color information into an account set; and when the number of accounts contained in the account set exceeds an account threshold, determining that at least one account in the account set has abnormal login behavior.
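The two multi-account checks described above can be sketched as follows. This is an added example, not code from the patent: the record field names (`color_depth` stands in for the screen color information), the threshold value and the sample records are all constructed for illustration.

```python
from collections import defaultdict


def accounts_sharing_ip(records, account_threshold):
    """Flag (real_ip, host_ip) pairs used by more accounts than the threshold.

    Stage 1 groups accounts by real IP; stage 2 only runs for groups that
    already exceed the threshold and narrows them to accounts that also share
    the host IP, so a large NAT with distinct hosts is not flagged.
    """
    by_real = defaultdict(set)
    for r in records:
        by_real[r["real_ip"]].add((r["account"], r["host_ip"]))

    flagged = {}
    for real_ip, pairs in by_real.items():
        if len({account for account, _ in pairs}) <= account_threshold:
            continue
        by_host = defaultdict(set)
        for account, host_ip in pairs:
            by_host[host_ip].add(account)
        for host_ip, accounts in by_host.items():
            if len(accounts) > account_threshold:
                flagged[(real_ip, host_ip)] = sorted(accounts)
    return flagged


def accounts_sharing_hardware(records, account_threshold):
    """Flag hardware fingerprints shared by more accounts than the threshold."""
    by_hw = defaultdict(set)
    for r in records:
        key = (r["canvas_hash"], r["audio_hash"], r["resolution"], r["color_depth"])
        by_hw[key].add(r["account"])
    return {k: sorted(v) for k, v in by_hw.items() if len(v) > account_threshold}


# Constructed sample data (documentation IP ranges, made-up hash labels).
SAMPLE_RECORDS = [
    # Five users behind one office NAT: same real IP, different hosts/hardware.
    {"account": f"office{i}", "real_ip": "203.0.113.20", "host_ip": f"10.0.0.{10 + i}",
     "canvas_hash": f"c{i:02d}", "audio_hash": f"a{i:02d}",
     "resolution": "1920x1080", "color_depth": 24}
    for i in range(1, 6)
] + [
    # Four accounts operated from one machine: everything identical.
    {"account": f"farm{i}", "real_ip": "198.51.100.8", "host_ip": "10.0.0.5",
     "canvas_hash": "c99", "audio_hash": "a99",
     "resolution": "1280x720", "color_depth": 24}
    for i in range(1, 5)
]

if __name__ == "__main__":
    print(accounts_sharing_ip(SAMPLE_RECORDS, account_threshold=3))
    print(accounts_sharing_hardware(SAMPLE_RECORDS, account_threshold=3))
```

With a threshold of 3, the office group passes the first stage (five accounts on one real IP) but is not flagged because no host IP is shared; only the four accounts on one host are reported.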
According to a second aspect of the present invention there is also provided a computer device comprising a memory, a processor and a computer program stored on the memory, the processor executing the computer program to carry out the steps of any of the methods described above.
According to a third aspect of the present invention there is also provided a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of any of the methods described above.
In general, the above technical solutions conceived by the present invention, compared with the prior art, enable the following beneficial effects to be obtained:
(1) The fingerprint-based network attack behavior detection method provided by the invention determines the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value from the information collected by the hardware attribute fingerprint, determines the software attribute fingerprint conversion frequency in a preset period from the information collected by the software attribute fingerprint, and then detects abnormal login behavior of the account according to at least one of the IP conversion frequency in the preset period, the browser attribute fingerprint conversion frequency in the preset period, the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value, and the software attribute fingerprint conversion frequency in the preset period, thereby improving the accuracy of network attack behavior detection.
(2) For the case in which virtualization technology is used on the same platform to log in and operate a plurality of accounts simultaneously, the fingerprint-based network attack behavior detection method provided by the invention judges abnormal login behavior of the accounts through the IP attribute fingerprint and the hardware attribute fingerprint. Accounts engaged in malicious bill brushing, malicious ticket purchasing, malicious media attack, malicious propaganda and the like can be located effectively, and the specific malicious behavior can thereby be located.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. The drawings described below show only some embodiments of the present application, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of a fingerprint-based network attack behavior detection method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of an internal structure of a computer device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. In addition, the technical features of the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The terms first, second, third and the like in the description and in the claims and in the above drawings, are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
As shown in Fig. 1, a fingerprint-based network attack behavior detection method is provided, which may be performed by a terminal or by a server that communicates with the terminal through a network. The terminal may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer or the like. The server may be a stand-alone server or a server cluster composed of a plurality of servers. Taking the method as applied to a terminal as an example, it comprises the following steps:
Step 101, acquiring the information collected by at least one of the IP attribute fingerprint, browser attribute fingerprint, hardware attribute fingerprint and software attribute fingerprint when the same account logs in within a set time period.
The information collected by the IP attribute fingerprint comprises a real IP address and an IP attribution. The information collected by the browser attribute fingerprint comprises a terminal platform type and a browser type or an application software version, wherein the terminal platform type is an operating system type. The information collected by the hardware attribute fingerprint comprises the Canvas hash value, audio hash value, screen resolution, CPU model, motherboard chip model, memory size and model, hard disk size and type, and the like. The information collected by the software attribute fingerprint comprises time zone information and language system information.
In one embodiment, the terminal uses an SDK (Software Development Kit) to collect fingerprint-related information when a user logs in with the same account within a set time period, wherein the fingerprint-related information comprises the information of at least one of the IP attribute fingerprint, browser attribute fingerprint, hardware attribute fingerprint and software attribute fingerprint.
In one embodiment, the terminal is communicatively connected to a user side (such as a PC, a mobile phone or a tablet). The user side uses an SDK (Software Development Kit) to collect fingerprint-related information when a user logs in with the same account within a set time period, and sends the collected fingerprint-related information of the user to the terminal.
Step 102, determining the IP conversion frequency in a preset period according to the information collected by the IP attribute fingerprint.
Step 103, determining the browser attribute fingerprint conversion frequency in a preset period according to the information collected by the browser attribute fingerprint.
Step 104, determining the screen resolution and the standard deviation of the preprocessed Canvas hash value and the preprocessed audio hash value according to the information collected by the hardware attribute fingerprint.
Step 105, determining the software attribute fingerprint conversion frequency in a preset period according to the information collected by the software attribute fingerprint.
Step 106, detecting abnormal login behavior of the account according to at least one of the IP conversion frequency in the preset period, the browser attribute fingerprint conversion frequency in the preset period, the screen resolution and the standard deviation of the preprocessed Canvas hash value and the preprocessed audio hash value, and the software attribute fingerprint conversion frequency in the preset period.
Once the terminal has obtained the IP conversion frequency in the preset period, the browser attribute fingerprint conversion frequency in the preset period, the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value, or the software attribute fingerprint conversion frequency in the preset period, it sets a corresponding threshold according to the actual service conditions. If the IP conversion frequency in the preset period exceeds the corresponding threshold, the browser attribute fingerprint conversion frequency in the preset period exceeds the corresponding threshold, the screen resolution exceeds the corresponding threshold, the preprocessed Canvas hash value exceeds the corresponding threshold, the standard deviation of the preprocessed audio hash value exceeds the corresponding threshold, or the software attribute fingerprint conversion frequency in the preset period exceeds the corresponding threshold, the account has abnormal login behavior.
When the terminal has obtained, at the same time, the IP conversion frequency in the preset period, the browser attribute fingerprint conversion frequency in the preset period, the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value, and the software attribute fingerprint conversion frequency in the preset period, it assigns a weight to each of them. The weight of the IP conversion frequency in the preset period is not less than the weight of the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value; the weight of the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value is not less than the weight of the browser attribute fingerprint conversion frequency in the preset period; and the weight of the browser attribute fingerprint conversion frequency in the preset period is not less than the weight of the software attribute fingerprint conversion frequency in the preset period. An integrated fingerprint conversion frequency is obtained from the weighted values, and whether the account has abnormal login behavior is determined according to the integrated fingerprint conversion frequency and a preset value.
The fingerprint-based network attack behavior detection method above addresses the case in which the same account logs in while switching between different IPs or platforms. From the information collected by the fingerprints of the four attributes when the same account logs in within a set time period, it determines the IP conversion frequency in a preset period from the information collected by the IP attribute fingerprint, the browser attribute fingerprint conversion frequency in the preset period from the information collected by the browser attribute fingerprint, the screen resolution and the standard deviation of the preprocessed Canvas hash value and audio hash value from the information collected by the hardware attribute fingerprint, and the software attribute fingerprint conversion frequency in the preset period from the information collected by the software attribute fingerprint. It then detects abnormal login behavior of the account according to at least one of these values, so that the accuracy of detecting accounts subjected to network attack can be improved.
In one embodiment, for the detection of business behaviors that require account login, the main fingerprint types detected include (I) the IP attribute fingerprint, (II) the browser attribute fingerprint, (III) the hardware attribute fingerprint, and (IV) the software attribute fingerprint. Monitoring a single account means monitoring the conversion frequency or fluctuation of its fingerprints over a period of time in order to judge abnormal login behavior of the account, and from that to judge whether behaviors such as malicious bill brushing, malicious ticket purchasing, malicious media attack and malicious propaganda exist.
(I) For the IP attribute fingerprint, the information collected by the IP attribute fingerprint when the same account logs in within a certain time period is acquired. It comprises the external real IP address obtained through WebRTC (Web Real-Time Communications), namely the non-proxy IP address and the IP address assigned by the router; the IP attribution (the country, province, and city or region where the IP is located); the longitude and latitude; and the login time.
Determining the IP conversion frequency in a preset period according to the information collected by the IP attribute fingerprint comprises the following steps:
1) Determining, according to the IP attribution, whether the IP address switches made by the same account when logging in within a certain time period cross regions, provinces or countries;
2) When the IP addresses are in the same region, such as a city or administrative district, recording the number of IP address switches N1 (each switch adds one) and taking it as the IP region conversion count;
3) When the IP addresses cross regions but are in the same province, state or county, recording the number of switches between different regions N2, multiplying N2 by 10 and adding the IP region conversion count in each region to obtain the IP cross-region conversion count;
4) When the IP addresses cross provinces but are in the same country, recording the number of switches between different provinces N3, multiplying N3 by 20 and adding the IP cross-region conversion count in each province to obtain the IP cross-province conversion count;
5) When the IP addresses cross countries, recording the number of switches between different countries N4, multiplying N4 by 50 and adding the IP cross-province conversion count in each country to obtain the IP cross-country conversion count;
6) Dividing the calculated IP region conversion count, IP cross-province conversion count or IP cross-country conversion count by the corresponding preset period T to obtain the IP conversion frequency in the corresponding preset period T;
7) Comparing the IP conversion frequency in the preset period T with a frequency threshold set by the user according to actual conditions; if the threshold is exceeded, the account has the abnormal login behavior of maliciously switching IPs.
(II) For the browser attribute fingerprint, the information collected by the browser attribute fingerprint when the same account logs in within a certain time period is acquired. It comprises a terminal platform type and a browser type (such as Chrome 20.3 and Firefox 16.2) or an application software (app) version (such as Weibo 6.0), wherein the terminal platform type is an operating system type (such as Windows 10 and Linux Ubuntu 16.16.16). These two types of information record the running environment when the user logs in: the operating system type is used for coarse classification, and the browser type or app version is used for fine classification.
When the operating system type changes, it is judged that the device was replaced when the user logged in to the account. When the operating system type does not change but the browser type or application software version changes, it is judged that the user has replaced the device or that the application software version has been replaced (for example, the app was upgraded, or uninstalled and reinstalled as another version).
Determining the browser attribute fingerprint conversion frequency in a preset period according to the information collected by the browser attribute fingerprint comprises the following steps:
1) Recording the number of changes of the operating system type N1; each change adds 1 to N1;
2) Recording the number of changes of the browser type or application software version N2; each change adds 1 to N2;
3) Multiplying the number of changes of the operating system type by 10 and adding the number of changes of the browser type or application software version to obtain the browser attribute fingerprint conversion count, namely 10 × N1 + N2;
4) Dividing the browser attribute fingerprint conversion count by the corresponding preset period T to obtain the browser attribute fingerprint conversion frequency in the preset period T, namely M = (10 × N1 + N2) / T;
5) Comparing the browser attribute fingerprint conversion frequency M in the preset period T with a frequency threshold set by the user according to actual conditions; if M exceeds the threshold, the account has the abnormal login behavior of maliciously switching devices or browsers or maliciously updating app versions.
(III) For the hardware attribute fingerprint, the information collected by the hardware attribute fingerprint when the same account logs in within a certain time period is acquired. The information comprises Canvas hash values, audio hash values, screen resolution and screen color information.
Determining the standard deviations of the screen resolution, the preprocessed Canvas hash value and the preprocessed audio hash value from the information collected by the hardware attribute fingerprint comprises the following steps:
1) Preprocess the Canvas hash value and the audio hash value respectively, namely take the middle 4-8 byte values of the Canvas hash value and of the audio hash value;
2) Calculate the standard deviation of the preprocessed Canvas hash value (denoted P1), the standard deviation of the preprocessed audio hash value (denoted P2) and the standard deviation of the screen resolution (denoted P3);
3) When any one of P1, P2 and P3 fluctuates beyond the standard deviation threshold set by the user according to actual conditions, the account exhibits abnormal login behavior.
(IV) For the software attribute fingerprint, the information collected by the software attribute fingerprint when the same account logs in within a certain time period is acquired. The information comprises time zone information and language system information.
Determining the software attribute fingerprint conversion frequency in a preset period from the information collected by the software attribute fingerprint comprises the following steps:
1) Record the number of time zone information conversions, N1; N1 is incremented by 1 for each conversion;
2) Record the number of language system information conversions, N2; N2 is incremented by 1 for each conversion;
3) Multiply the number of time zone information conversions by 20, multiply the number of language system information conversions by 10, and sum the two to obtain the software attribute fingerprint conversion frequency count, namely 20×N1+10×N2;
4) Divide the software attribute fingerprint conversion frequency count by the corresponding preset period T to obtain the software attribute fingerprint conversion frequency in the preset period T, namely M=(20×N1+10×N2)/T;
5) If M is larger than the threshold set by the user according to actual conditions, the account exhibits abnormal login behavior.
When the four types of account abnormal login behavior are monitored simultaneously, weights can be assigned to the fingerprint conversion frequencies or standard deviations of the four types in order to reduce the false alarm rate; a weighted sum is then computed and used to judge whether the account exhibits abnormal login behavior.
Regarding weight assignment: IP attribute fingerprint >= hardware attribute fingerprint >= browser attribute fingerprint >= software attribute fingerprint. For example, on a scale of 10, the weights may be assigned as 3.5:2.5:2:2.
Regarding threshold setting: thresholds differ between service fields. For example, a service system that supports logging in to the same account from several devices needs a high threshold, while a system that serves only a mobile phone platform can use a low threshold.
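The per-account scoring of sections (I) to (IV) and the weighted combination, as an added example that is not code from the patent. Field names, sample logins and thresholds are constructed; the IP tiers are applied to each consecutive login pair, "middle 4-8 bytes" is read as digest bytes 4 to 7, and dividing each value by its threshold and capping the ratio before applying the 3.5:2.5:2:2 weights is an assumption made here so that frequencies and standard deviations are comparable.

```python
from collections import namedtuple
from statistics import pstdev

# One record per login of a single account; field names are assumptions of this example.
Login = namedtuple(
    "Login", "ip country province region os client tz lang canvas audio width height")

WEIGHTS = {"ip": 3.5, "hardware": 2.5, "browser": 2.0, "software": 2.0}  # 3.5:2.5:2:2
CAP = 5.0  # assumption: cap each value/threshold ratio so one attribute cannot dominate

def changes(logins, field):
    """Count consecutive logins whose `field` differs (the N1/N2 counters)."""
    vals = [getattr(x, field) for x in logins]
    return sum(a != b for a, b in zip(vals, vals[1:]))

def ip_count(logins):
    """Tiered IP tally: 50 per country switch, 20 per province, 10 per region, 1 per IP."""
    total = 0
    for a, b in zip(logins, logins[1:]):
        if a.country != b.country:
            total += 50
        elif a.province != b.province:
            total += 20
        elif a.region != b.region:
            total += 10
        elif a.ip != b.ip:
            total += 1
    return total

def browser_count(logins):
    return 10 * changes(logins, "os") + changes(logins, "client")     # 10*N1 + N2

def software_count(logins):
    return 20 * changes(logins, "tz") + 10 * changes(logins, "lang")  # 20*N1 + 10*N2

def mid_bytes(hex_digest):
    """Assumed preprocessing: digest bytes 4..7 read as an unsigned big-endian integer."""
    return int.from_bytes(bytes.fromhex(hex_digest)[4:8], "big")

def hardware_stddevs(logins):
    """P1, P2, P3 as population standard deviations over the period."""
    p1 = pstdev([mid_bytes(x.canvas) for x in logins])
    p2 = pstdev([mid_bytes(x.audio) for x in logins])
    p3 = pstdev([x.width * x.height for x in logins])  # resolution as pixel count (assumption)
    return p1, p2, p3

def score(logins, period, thr):
    """Return capped value/threshold ratios per attribute and their weighted average."""
    raw = {
        "ip": ip_count(logins) / period / thr["ip"],
        "browser": browser_count(logins) / period / thr["browser"],
        "software": software_count(logins) / period / thr["software"],
        "hardware": max(p / t for p, t in zip(hardware_stddevs(logins), thr["hardware"])),
    }
    ratios = {k: min(v, CAP) for k, v in raw.items()}
    combined = sum(WEIGHTS[k] * r for k, r in ratios.items()) / sum(WEIGHTS.values())
    return ratios, combined

# Constructed sample data: T = 24 (hours, an assumed unit) and made-up thresholds.
T = 24
THRESHOLDS = {"ip": 1.0, "browser": 0.5, "software": 0.5, "hardware": (1.0, 1.0, 1.0)}
CA, CB = "00112233deadbeef8899aabbccddeeff", "0011223300c0ffee8899aabbccddeeff"
WIN, LIN = ("Windows 10", "Chrome 120"), ("Linux", "Firefox 115")
ZH, EN = ("UTC+8", "zh-CN"), ("UTC-8", "en-US")
HW_A, HW_B = (CA, CA, 1920, 1080), (CB, CB, 1366, 768)
STABLE = [
    Login("198.51.100.10", "CN", "P1", "R1", *WIN, *ZH, *HW_A),
    Login("198.51.100.11", "CN", "P1", "R1", *WIN, *ZH, *HW_A),
    Login("198.51.100.11", "CN", "P1", "R1", "Windows 10", "Chrome 121", *ZH, *HW_A),
]
HOPPER = [
    Login("203.0.113.5", "CN", "P1", "R1", *WIN, *ZH, *HW_A),
    Login("203.0.113.9", "CN", "P1", "R2", *WIN, *ZH, *HW_A),  # region switch: +10
    Login("192.0.2.77", "CN", "P2", "R3", *LIN, *ZH, *HW_B),   # province switch: +20
    Login("192.0.2.90", "US", "P9", "R9", *LIN, *EN, *HW_B),   # country switch: +50
    Login("192.0.2.91", "US", "P9", "R9", *WIN, *EN, *HW_A),   # IP switch only: +1
]

if __name__ == "__main__":
    for name, logins in (("stable", STABLE), ("hopper", HOPPER)):
        ratios, combined = score(logins, T, THRESHOLDS)
        print(name, {k: round(v, 2) for k, v in ratios.items()},
              "combined=%.2f" % combined, "ABNORMAL" if combined >= 1.0 else "ok")
```

A combined value of 1.0 or more means the weighted average of the four attributes is at or above threshold; because any change in a hash makes P1 or P2 very large, the hardware term behaves almost like an on/off signal, which is why the ratio is capped.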
When several accounts are observed logging in under the same fingerprint, this indicates that one user is operating several accounts simultaneously. Combined with service content monitoring on the server side, it can then be judged whether the accounts behave maliciously: for example, if several accounts publish the same content at the same time and log in under the same IP attribute fingerprint and the same hardware attribute fingerprint, the accounts are judged to be malicious.
In one embodiment, for the account abnormal login behavior in which virtual technology is used to log in to several accounts on the same platform simultaneously, the fingerprint-based network attack behavior detection method further comprises the following steps:
1) Acquire the information collected by the IP attribute fingerprint when several accounts log in using the same fingerprint within a set time period, where the information collected by the IP attribute fingerprint comprises a host IP and a WebRTC external real IP address;
2) Set an account threshold N according to service characteristics and count the accounts with the same real IP address in the same time period; when the number of accounts with the same real IP address exceeds the account threshold, screen out the subsets with the same host IP from the account set formed by those accounts. That is, the account sets whose number of accounts is larger than the account threshold are denoted A1-An, and the collection of A1-An is denoted R;
3) When the number of accounts contained in the subsets B1-Bn exceeds the account threshold N, determine that at least one account in the subsets has abnormal login behavior.
In one embodiment, for the account abnormal login behavior in which virtual technology is used to log in to several accounts on the same platform simultaneously, the fingerprint-based network attack behavior detection method further comprises the following steps:
1) Acquire the information collected by the hardware attribute fingerprint when several accounts log in using the same fingerprint within a set time period, where the information collected by the hardware attribute fingerprint comprises Canvas hash values, audio hash values, screen resolution and screen color information;
2) Set an account threshold N according to service characteristics, collect the Canvas hash value, audio hash value, screen resolution and screen color information of each account, and group the accounts with the same Canvas hash value, audio hash value, screen resolution and screen color information into account sets A1-An; the collection of A1-An is denoted R;
3) When the number of accounts contained in the account set R exceeds the account threshold N, determine that at least one account in the account set has abnormal login behavior.
In this embodiment, for the behavior of logging in to several accounts simultaneously on the same platform by means of virtual technology, abnormal account login behavior is judged from the IP attribute fingerprint and the hardware attribute fingerprint. Accounts engaged in malicious bill swiping, malicious ticket purchasing, malicious media attacks and malicious propaganda can thus be located effectively, and the specific malicious behavior can then be pinned down, which makes evidence collection easier.
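The two multi-account checks above, as an added example that is not code from the patent. The record layout, the sample values and the reading of "host IP" as the local address reported by the client are assumptions, and the records are taken to be already filtered to the set time period.

```python
from collections import defaultdict


def accounts_by(records, key):
    """Map key(record) -> set of account ids that logged in with that value."""
    groups = defaultdict(set)
    for rec in records:
        groups[key(rec)].add(rec["account"])
    return groups


def shared_ip_clusters(records, n):
    """Real-IP groups with more than n accounts, narrowed to subsets sharing a host IP."""
    flagged = []
    for real_ip, accounts in accounts_by(records, lambda r: r["real_ip"]).items():
        if len(accounts) <= n:
            continue  # group does not exceed the account threshold
        members = [r for r in records if r["real_ip"] == real_ip]
        for host_ip, subset in accounts_by(members, lambda r: r["host_ip"]).items():
            if len(subset) > n:
                flagged.append((real_ip, host_ip, sorted(subset)))
    return flagged


def shared_hardware_clusters(records, n):
    """Account sets with identical Canvas hash, audio hash, resolution and color info."""
    key = lambda r: (r["canvas"], r["audio"], r["resolution"], r["color"])
    return [sorted(a) for a in accounts_by(records, key).values() if len(a) > n]


def rec(account, real_ip, host_ip, canvas, audio, resolution="1920x1080", color="24-bit"):
    """Build one constructed login record."""
    return dict(account=account, real_ip=real_ip, host_ip=host_ip, canvas=canvas,
                audio=audio, resolution=resolution, color=color)


# Constructed sample data; hash values are shortened placeholders, not real digests.
RECORDS = [
    rec("a1", "203.0.113.7", "10.0.0.5", "c-01", "au-01"),
    rec("a2", "203.0.113.7", "10.0.0.5", "c-01", "au-01"),
    rec("a3", "203.0.113.7", "10.0.0.5", "c-01", "au-01"),
    rec("a4", "203.0.113.7", "10.0.0.9", "c-77", "au-12", "2560x1440"),  # same NAT, other host
    rec("a5", "198.51.100.3", "192.168.1.2", "c-42", "au-08"),
    rec("a6", "198.51.100.3", "192.168.1.3", "c-43", "au-09", "1366x768"),
]
ACCOUNT_THRESHOLD = 2  # N, set per service

if __name__ == "__main__":
    print("shared IP:", shared_ip_clusters(RECORDS, ACCOUNT_THRESHOLD))
    print("shared hardware:", shared_hardware_clusters(RECORDS, ACCOUNT_THRESHOLD))
```

With N = 2 the constructed data flags a1, a2 and a3 in both checks, while a4 shares only the external address and is not flagged.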
The application also provides a computer device, the internal structure of which can be shown in fig. 2. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by a processor, implements a fingerprint-based network attack behavior detection method.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 2 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting as to the computer device to which the present inventive arrangements are applicable, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
As shown in fig. 2, the present application further provides a computer device, which includes a memory, a processor, and a computer program stored on the memory, where the processor executes the computer program to implement the steps in the above-mentioned method embodiments.
The application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method embodiments described above. The computer-readable storage medium may include, among other things, any type of disk including floppy disks, optical disks, DVDs, CD-ROMs, micro-drives, and magneto-optical disks, ROM, RAM, EPROM, EEPROM, DRAM, VRAM, flash memory devices, magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present application.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The foregoing is merely exemplary embodiments of the present disclosure and is not intended to limit the scope of the present disclosure. That is, equivalent changes and modifications are contemplated by the teachings of this disclosure, which fall within the scope of the present disclosure. Embodiments of the present disclosure will be readily apparent to those skilled in the art from consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a scope and spirit of the disclosure being indicated by the claims.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of these technical features are described; however, as long as a combination of technical features involves no contradiction, it should be considered to be within the scope of this description.
It will be readily appreciated by those skilled in the art that the foregoing description is merely a preferred embodiment of the invention and is not intended to limit the invention, but any modifications, equivalents, improvements or alternatives falling within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. A fingerprint-based network attack behavior detection method, comprising:
Acquiring information acquired by at least one of IP attribute fingerprints, browser attribute fingerprints, hardware attribute fingerprints and software attribute fingerprints when the same account logs in within a set time period, wherein the information acquired by the IP attribute fingerprints comprises a real IP address and an IP attribution, the information acquired by the browser attribute fingerprints comprises a terminal platform type, a browser type or an application software version, and the terminal platform type is an operating system type;
according to the information collected by the IP attribute fingerprint, determining the IP conversion frequency in a preset period;
according to the information collected by the browser attribute fingerprint, determining the browser attribute fingerprint conversion frequency in a preset period;
According to the information acquired by the hardware attribute fingerprint, determining the standard deviations of the screen resolution and of the preprocessed Canvas hash value and audio hash value;
Determining the software attribute fingerprint conversion frequency in a preset period according to the information acquired by the software attribute fingerprint;
Detecting account abnormal login behavior according to at least one of the IP conversion frequency in the preset period, the browser attribute fingerprint conversion frequency in the preset period, the standard deviations of the screen resolution and of the preprocessed Canvas hash value and audio hash value, and the software attribute fingerprint conversion frequency in the preset period.
2. The method of claim 1, wherein detecting account abnormal login behavior based on at least one of an IP transformation frequency within the preset period, a browser attribute fingerprint transformation frequency within the preset period, the screen resolution, and standard deviation of preprocessed Canvas hash values and audio hash values, a software attribute fingerprint transformation frequency within the preset period, comprises:
Assigning weights to the IP conversion frequency in the preset period, the browser attribute fingerprint conversion frequency in the preset period, the screen resolution, the standard deviation of the preprocessed Canvas hash value and the preprocessed audio hash value, and the software attribute fingerprint conversion frequency in the preset period,
The weight of the IP conversion frequency in the preset period is not smaller than the weight of the screen resolution and the standard deviation of the preprocessed Canvas hash value and the preprocessed audio hash value, the weight of the screen resolution and the standard deviation of the preprocessed Canvas hash value and the preprocessed audio hash value is not smaller than the weight of the browser attribute fingerprint conversion frequency in the preset period, and the weight of the browser attribute fingerprint conversion frequency in the preset period is not smaller than the weight of the software attribute fingerprint conversion frequency in the preset period;
According to the assigned weights, carrying out weighted summation on the IP conversion frequency in the preset period, the browser attribute fingerprint conversion frequency in the preset period, the screen resolution, the standard deviation of the preprocessed Canvas hash value and the preprocessed audio hash value and the software attribute fingerprint conversion frequency in the preset period to obtain the comprehensive conversion frequency;
and determining whether an account abnormal login behavior exists according to the comprehensive transformation frequency.
3. The method of claim 1, wherein determining the IP conversion frequency in the predetermined period based on the information collected by the IP attribute fingerprint comprises:
determining, according to the IP attribution, whether the IP address crosses regions when the IP address of the same account is switched;
when the IP addresses are in the same area, recording the switching times of the IP addresses, and taking the switching times of the IP addresses as the conversion frequency of the IP area;
When the IP addresses are cross-regional but in the same province, recording the switching times of different regions, multiplying the switching times of the different regions by 10, and adding the conversion frequency of the IP regions in each region to obtain the conversion frequency of the IP cross-regional;
When the IP address crosses provinces but is in the same country, recording switching times of different provinces, multiplying the switching times of the different provinces by 20, and adding the IP cross-regional conversion frequency in each province to obtain the IP cross-province conversion frequency;
When the IP address crosses a country, recording switching times of different countries, multiplying the switching times of the different countries by 50, and adding the IP cross-provincial conversion frequency in each country to obtain the IP cross-country conversion frequency;
Dividing the IP regional transformation frequency number, the IP trans-provincial transformation frequency number or the IP trans-national transformation frequency number by a corresponding preset period to obtain the IP transformation frequency in the corresponding preset period.
4. The method of claim 1, wherein determining the browser attribute fingerprint transformation frequency within the preset period based on the information collected by the browser attribute fingerprint comprises:
recording the conversion times of the type of the operating system;
recording the conversion times of browser type or application software version;
multiplying the conversion times of the operating system type by 10 and adding the conversion times of the browser type or the application software version to obtain the browser attribute fingerprint conversion frequency;
Dividing the browser attribute fingerprint conversion frequency by a corresponding preset period to obtain the browser attribute fingerprint conversion frequency in the preset period.
5. The method of claim 1, wherein determining the standard deviations of the screen resolution and of the preprocessed Canvas hash value and audio hash value from the information collected by the hardware attribute fingerprint comprises:
preprocessing the Canvas hash value and the audio hash value;
And respectively calculating the standard deviations of the screen resolution, the preprocessed Canvas hash value and the preprocessed audio hash value.
6. The method of claim 1, wherein determining the software attribute fingerprint transformation frequency within the predetermined period based on the information collected by the software attribute fingerprint comprises:
recording the conversion times of the time zone information;
Recording the conversion times of language system information;
Multiplying the conversion times of the time zone information by 20, multiplying the conversion times of the language system information by 10, and then summing to obtain a software attribute fingerprint conversion frequency;
Dividing the software attribute fingerprint conversion frequency by a corresponding preset period to obtain the software attribute fingerprint conversion frequency in the preset period.
7. The method of claim 1, wherein the method further comprises:
acquiring information collected by IP attribute fingerprints when a plurality of accounts use the same fingerprint for login in a set time period, wherein the information collected by the IP attribute fingerprints comprises a host IP and a real IP address;
Screening a subset with the same host IP from an account set formed by a plurality of accounts with the same real IP address under the condition that the number of the accounts with the same real IP address exceeds an account threshold value;
and determining that at least one account in the subset has abnormal login behavior under the condition that the number of the accounts contained in the subset exceeds the account threshold value.
8. The method of claim 1, wherein the method further comprises:
Acquiring information acquired by hardware attribute fingerprints when a plurality of accounts use the same fingerprint for login in a set time period, wherein the information acquired by the hardware attribute fingerprints comprises Canvas hash values, audio hash values, screen resolution and screen color information;
forming accounts with the same Canvas hash value, audio hash value, screen resolution and screen color information into an account set;
And under the condition that the number of the accounts contained in the account set exceeds an account threshold value, determining that at least one account in the account set has abnormal login behavior.
9. A computer device comprising a memory, a processor and a computer program stored on the memory, the processor executing the computer program to perform the steps of the method of any of claims 1-8.
10. A computer-readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, realizes the steps of the method according to any of claims 1-8.
CN202411721932.5A 2024-11-28 2024-11-28 A network attack behavior detection method based on fingerprint, and computer equipment Pending CN119603029A (en)

Publications (1)

Publication Number Publication Date
CN119603029A true CN119603029A (en) 2025-03-11

Family

ID=94831992

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119850218A (en) * 2025-03-20 2025-04-18 青岛农村商业银行股份有限公司 Bank abnormal transaction detection method based on multi-mode data fusion

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination