WO2015032318A1

WO2015032318A1 - Exceptional account determination method and device

Info

Publication number: WO2015032318A1
Application number: PCT/CN2014/085815
Authority: WO
Inventors: 刘杰; 陆莉; 陈秋滢; 陈旺林
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2013-09-03
Filing date: 2014-09-03
Publication date: 2015-03-12
Anticipated expiration: 2016-03-03
Also published as: CN104426885B; CN104426885A

Abstract

Provided are an exceptional account determination method and device. The exceptional account determination method comprises the steps of: detecting an IP address of login accounts, and counting the number of accounts logged in using the IP address; determining whether the number of accounts logged in using the IP address exceeds a threshold value or not; and if the number of accounts logged in using the IP address exceeds the threshold value, determining whether the accounts are exceptional accounts or not according to frequently used login locations, frequently used login time and frequently used services of the accounts logged in using the IP address. Also provided is an exceptional account determination device. According to the exceptional account determination method and device, whether login accounts are stolen or not is detected via the number of accounts logged in using the same IP address and exceptional operations of corresponding login accounts.

Description

Abnormal account determination method and device

本申请要求于2013年9月3日提交中国专利局、申请号为201310396307.3、发明名称为“异常账号提供方法及装置”的中国专利申请的优先权，其全部内容通过引用结合在本申请中。The present application claims priority to Chinese Patent Application No. 201310396307.3, the entire disclosure of which is hereby incorporated by reference.

Technical field

本发明涉及互联网领域，特别是涉及一种异常账号确定方法及装置。The present invention relates to the field of the Internet, and in particular, to an abnormal account determination method and apparatus.

Background technique

在互联网服务中，大部分服务都需要用户提供服务密码才能进入自己的应用。同时，也产生了各种盗号集团，通过各种方式盗取用户的服务密码以进入用户的应用并非法获利。In Internet services, most services require a user to provide a service password to access their own applications. At the same time, various hacking groups have also been created, which steal the user's service password in various ways to enter the user's application and illegally profit.

现在对于盗号的处理，一般是运营商接收被盗取服务密码的用户的投诉，然后根据投诉对该用户的账号进行一段时间的封号处理(以避免被恶意投诉)，如确认投诉无误后，再进行账号恢复操作或重新提供应用服务。但是上述的处理都是用户自身对账号进行投诉，具有较大的延迟性，可能在用户投诉时已经对用户造成了较大的、不可弥补的损失。Now, for the handling of hacking, the operator generally receives the complaint of the user who has stolen the service password, and then performs a period of time processing on the user's account according to the complaint (to avoid malicious complaints), such as confirming the complaint is correct, and then Perform account recovery or re-apply application services. However, the above-mentioned processing is that the user himself complains about the account, which has a large delay, and may cause a large and irreparable loss to the user when the user complains.

发明内容Summary of the invention

本发明的实施例的目的在于提供一种异常账号确定方法，以解决现有的异常账号由用户自身进行提供，具有较大的延迟性，可能会对用户造成较大的、不可弥补的损失的技术问题。The purpose of the embodiment of the present invention is to provide a method for determining an abnormal account, so as to solve the problem that the existing abnormal account is provided by the user itself, which has a large delay, and may cause a large Technical problems of irreparable damage.

本发明的实施例的目的还在于提供一种异常账号确定装置，以解决现有的异常账号由用户自身进行提供，具有较大的延迟性，可能会对用户造成较大的、不可弥补的损失的技术问题。The purpose of the embodiment of the present invention is to provide an abnormal account determining apparatus to solve the problem that the existing abnormal account is provided by the user itself, which has a large delay and may cause a large and irreparable loss to the user. Technical problem.

一方面，提供一种异常账号确定方法，其包括步骤：In one aspect, an abnormal account determination method is provided, which includes the steps of:

检测登录账号的IP(Internet Protocol，网络协议)地址，并统计以所述IP地址登录的账号数；Detecting an IP (Internet Protocol) address of the login account, and counting the number of accounts logged in with the IP address;

确定以所述IP地址登录的所述账号数是否超过阈值；以及Determining whether the number of the accounts logged in with the IP address exceeds a threshold;

如以所述IP地址登录的账号数超过所述阈值，则根据以所述IP地址的登录的账号的常用登录地点、常用登录时间以及常用业务，确定所述账号是否为异常账号。If the number of accounts logged in by the IP address exceeds the threshold, it is determined whether the account is an abnormal account according to a common login location, a common login time, and a common service of the account that is logged in by the IP address.

另一方面，还提供一种异常账号确定装置，其包括：In another aspect, an abnormal account determining apparatus is further provided, including:

统计模块，用于检测登录账号的IP地址，并统计以所述IP地址登录的账号数；a statistics module, configured to detect an IP address of the login account, and count the number of accounts logged in by the IP address;

异常检测模块，用于确定以所述IP地址登录的账号数是否超过阈值；以及An abnormality detecting module, configured to determine whether the number of accounts logged in by the IP address exceeds a threshold;

异常确定模块，用于如所述异常检测模块确定以所述IP地址登录的账号数超过所述阈值，则根据以所述IP地址登录的账号的常用登录地点、常用登录时间以及常用业务，确定所述登录账号是否为异常账号。The abnormality determining module is configured to determine, according to the abnormality detecting module, that the number of accounts logged in by the IP address exceeds the threshold, according to a common login location, a common login time, and a common service of an account that is logged in by using the IP address, Whether the login account is an abnormal account.

另一方面，还提供了一种计算机可读介质，用于存储一个或多个计算机程序，其中，所述计算机程序包括具有一个或多个存储器的计算机系统可运行的指令；该指令使计算机系统执行上述的异常账号确定方法。 In another aspect, a computer readable medium is provided for storing one or more computer programs, wherein the computer program includes computer system executable instructions having one or more memories; the instructions cause the computer system Execute the above abnormal account determination method.

相较于现有技术，本发明的异常账号确定方法及装置通过同一IP地址的登录账号数，以及相应登录账号的异常操作来检测登录账号是否被盗，解决了现有的异常账号由用户自身进行提供、具有较大的延迟性，可能会对用户造成较大的、不可弥补的损失的技术问题。Compared with the prior art, the abnormal account determining method and device of the present invention detects whether the login account is stolen by using the number of login accounts of the same IP address and the abnormal operation of the corresponding login account, and the existing abnormal account is solved by the user itself. The technical problem of providing large delays that may cause large, irreparable damage to the user.

DRAWINGS

图1为本发明实施例的异常账号确定装置的结构示意图；1 is a schematic structural diagram of an abnormal account determining apparatus according to an embodiment of the present invention;

图2为本发明实施例的异常账号确定方法的流程图；2 is a flowchart of a method for determining an abnormal account according to an embodiment of the present invention;

图3为本发明另一实施例的异常账号确定装置的结构示意图；FIG. 3 is a schematic structural diagram of an abnormal account determining apparatus according to another embodiment of the present invention; FIG.

图4为本发明另一实施例的异常账号确定方法的流程图；4 is a flowchart of a method for determining an abnormal account according to another embodiment of the present invention;

图5为本发明的异常账号确定方法的具体实施例的流程示意图；以及FIG. 5 is a schematic flowchart diagram of a specific embodiment of an abnormal account determining method according to the present invention;

图6为本发明的异常账号确定方法及装置所在电子设备的工作环境结构示意图。FIG. 6 is a schematic diagram of a working environment structure of an electronic device in which the abnormal account determining method and the device are located in the present invention.

detailed description

以下各实施例的说明是参考附加的图式，用以例示本发明可用以实施的特定实施例。The following description of the various embodiments is provided to illustrate the specific embodiments of the invention.

如本申请所使用的术语“组件”、“模块”、“系统”、“接口”等等一般地旨在指计算机相关实体：硬件、硬件和软件的组合、软件或执行中的软件。例如，组件可以是但不限于是运行在处理器上的进程、处理器、对象、可执行应用、执行的线程、程序和/或计算机。通过图示，运行在控制器上的应用和该控制器二者都可以是组件。一个或多个组件可以有在于执行的进程和/或线程内，并且组件可以位于一个计算机上和/或分布在两个或更多计算机之间。The terms "component," "module," "system," "interface," and the like, as used herein, are generally intended to refer to a computer-related entity: hardware, a combination of hardware and software, software, or software in execution. For example, a component can be, but is not limited to being, a process running on a processor, a processor, an object, an executable application, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a controller and the controller can be a component. One or more components may be within a process and/or thread of execution, And components can be located on one computer and/or distributed between two or more computers.

而且，要求保护的主题可以被实现为使用标准编程和/或工程技术产生软件、固件、硬件或其任意组合以控制计算机实现所公开的主题的方法、装置或制造品。本文所使用的术语“制造品”旨在包含可从任意计算机可读设备、载体或介质访问的计算机程序。当然，本领域技术人员将认识到可以对该配置进行许多修改，而不脱离要求保护的主题的范围或精神。Moreover, the claimed subject matter can be implemented as a method, apparatus, or article of manufacture that uses standard programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof, to control a computer to implement the disclosed subject matter. The term "article of manufacture" as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media. Of course, those skilled in the art will recognize that many modifications can be made to the configuration without departing from the scope or spirit of the claimed subject matter.

由于盗号者窃取用户密码后都会尝试登录用户账号，查看用户的隐私资料以及使用用户账号进行业务消费；并且盗号者极有可能同时对多个盗用账号同时进行上述操作。因此基于用户的行为具有一定的固定规律，可以依据用户登录账号的IP聚集情况来判断那些用户的账号已经被盗取，如某个IP地址的登录账号超过一阈值(即该IP地址的登录账号数量异常)，即可判断该IP地址上具有大量的异常账号操作，该异常账号操作可能是盗号者使用盗号软件频繁对被盗账号进行操作所造成的。本发明的异常账号确定方法及装置即基于上述的原理，可有效的向运营商提供异常账号以及向用户提醒账号异常操作。Since the hacker steals the user password, he will try to log in to the user account, view the user's private information and use the user account for business consumption; and the hacker is likely to perform the above operations on multiple pirated accounts at the same time. Therefore, based on the user's behavior has a certain fixed law, it can be determined according to the IP aggregation status of the user login account that the user's account has been stolen, such as the login account of an IP address exceeds a threshold (ie, the login account of the IP address) If the number is abnormal, it can be determined that there is a large number of abnormal account operations on the IP address. The abnormal account operation may be caused by the hacker using the hacking software to frequently operate the stolen account. The abnormal account determining method and device of the present invention is based on the above principle, and can effectively provide an abnormal account to the operator and remind the user of the abnormal operation of the account.

请参照图1，图1为本发明的异常账号确定装置的第一优选实施例的结构示意图。本优选实施例的异常账号确定装置10可设置在电子设备中。本优选实施例的异常账号确定装置10包括统计模块11、异常检测模块12以及异常确定模块13。该统计模块11用于检测登录账号的IP地址，并统计以该IP地址登录的账号数；异常检测模块12用于确定以该IP地址登录的账号数是否超过阈值；异常确定模块13用于如异常检测模块12确定以该IP地址登录的账号数超过阈值，则根据以该IP地址登录的账号的常用登录地点、常用登录时间以及常用业务，确定登录账号是否为异常账号。 Please refer to FIG. 1. FIG. 1 is a schematic structural diagram of a first preferred embodiment of an abnormal account determining apparatus according to the present invention. The abnormal account determining apparatus 10 of the preferred embodiment can be disposed in the electronic device. The abnormal account determining apparatus 10 of the preferred embodiment includes a statistic module 11, an abnormality detecting module 12, and an abnormality determining module 13. The statistic module 11 is configured to detect an IP address of the login account, and count the number of accounts logged in by the IP address; the abnormality detecting module 12 is configured to determine whether the number of accounts logged in by the IP address exceeds a threshold; the abnormality determining module 13 is used to The abnormality detecting module 12 determines whether the number of accounts logged in by the IP address exceeds a threshold, and determines whether the login account is an abnormal account according to a common login location, a common login time, and a common service of the account logged in by the IP address.

本优选实施例的异常账号确定装置20使用时，首先统计模块11检测所有登录账号的IP地址，从而可统计出以该IP地址登录的账号数。然后异常检测模块12检测以该IP地址登录的账号数是否超过阈值，该阈值可人为进行设定。该阈值可为以该IP地址登录的账号数的最大值的倍数；或以该IP地址登录的账号数的平均值的倍数。例如，在以某个IP地址登录的账号数突然增加至正常情况的十倍的情况下，异常检测模块12一般会认为以该IP地址登录的账号数已经超过了阈值。如IP地址的登录账号数没有超过阈值，则统计模块11继续对每个IP的登录账号数进行实时统计。When the abnormal account determining apparatus 20 of the preferred embodiment is used, the first counting module 11 detects the IP addresses of all the login accounts, so that the number of accounts registered with the IP address can be counted. Then, the abnormality detecting module 12 detects whether the number of accounts registered with the IP address exceeds a threshold, and the threshold can be manually set. The threshold may be a multiple of the maximum number of accounts registered with the IP address; or a multiple of the average of the number of accounts registered with the IP address. For example, if the number of accounts logged in with an IP address suddenly increases to ten times the normal situation, the abnormality detecting module 12 generally considers that the number of accounts logged in with the IP address has exceeded the threshold. If the number of login accounts of the IP address does not exceed the threshold, the statistics module 11 continues to perform real-time statistics on the number of login accounts of each IP.

随后，如异常检测模块12确定以该IP地址登录的账号数超过了阈值，则这里判断在该IP地址上可能存在异常账号操作。异常确定模块13调取该IP地址上登录的所有登录账号，以及所有登录账号的常用登录地点、常用登录时间以及常用业务；将登录账号的常用登录地点、常用登录时间以及常用业务与该登录账号的当前登录地点、当前登录时间以及当前使用业务进行比较，以确定登录账号是否为异常账号。Then, if the abnormality detecting module 12 determines that the number of accounts logged in with the IP address exceeds the threshold, it is determined here that there may be an abnormal account operation on the IP address. The abnormality determining module 13 retrieves all login accounts registered on the IP address, common login locations of all login accounts, common login times, and common services; common login locations, common login times, and common services of the login account and the login account. The current login location, current login time, and current usage of the service are compared to determine if the login account is an abnormal account.

在一个实施例中，如该IP地址上登录的所有登录账号数为A，其中X个登录账号的常用登录地点与当前登录地点不同，Y个登录账号的常用登录时间与当前登录时间不同，Z个登录账号的常用业务与当前使用业务不同，如X/A大于第一设定值，Y/A大于第二设定值，Z/A大于第三设定值，则确定该IP地址上登录的账号中同时满足未通过常用登录地点登录、未在常用登录时间登录以及未使用常用业务的账号为异常账号。这里的第一设定值、第二设定值以及第三设定值可人为进行设定，这样可以将由于用户自身原因或运营商原因导致的异常操作排除掉。当然这里也可不设定第一设定值、第二设定值以及第三设定值中的一个或几个，而直接将满足未通过常用登录地点登录、未在常用登录时间登录以及未使用常用业务的登录账号确定为异常账号。In one embodiment, if the number of login accounts registered on the IP address is A, where the common login location of the X login accounts is different from the current login location, the common login time of the Y login accounts is different from the current login time, Z. The common service of the login account is different from the current service. If X/A is greater than the first set value, Y/A is greater than the second set value, and Z/A is greater than the third set value, then the login is determined on the IP address. The accounts in the account that are not logged in through the common login location, not logged in at the usual login time, and unused common services are abnormal accounts. Here, the first set value, the second set value, and the third set value can be manually set, so that abnormal operations due to the user's own reasons or operator reasons can be excluded. Of course, the first set value, the second set value, and the third may not be set here. One or several of the set values, and the login account that does not log in through the common login location, does not log in at the usual login time, and does not use the common service is directly determined as an abnormal account.

这样即完成了本优选实施例的异常账号确定装置10的异常账号的确定过程。Thus, the process of determining the abnormal account number of the abnormal account determining apparatus 10 of the preferred embodiment is completed.

本优选实施例的异常账号确定装置通过同一IP地址的登录账号数，以及相应登录账号的异常操作来检测登录账号是否被盗，并可及时向用户和运营商提供相应的异常账号，可缩短确认异常账号的时间以及减小对正常用户带来的损失。The abnormal account determining apparatus of the preferred embodiment detects whether the login account is stolen by using the number of login accounts of the same IP address and the abnormal operation of the corresponding login account, and can provide the corresponding abnormal account to the user and the operator in time, thereby shortening the confirmation. The time of the abnormal account and the loss to the normal user.

请参照图1和图2，图2为根据本发明实施例的异常账号确定方法的流程图。本实施例的异常账号确定方法可使用上述实施例的异常账号确定装置进行实施，其包括：Please refer to FIG. 1 and FIG. 2. FIG. 2 is a flowchart of a method for determining an abnormal account according to an embodiment of the present invention. The abnormal account determining method of this embodiment may be implemented by using the abnormal account determining device of the foregoing embodiment, and includes:

步骤S201，检测登录账号的IP地址，并统计以该IP地址登录的账号数；Step S201, detecting an IP address of the login account, and counting the number of accounts registered by the IP address;

步骤S202，确定以该IP地址登录的账号数是否超过阈值；以及Step S202, determining whether the number of accounts logged in by the IP address exceeds a threshold;

步骤S203，根据以该IP地址登录的账号的常用登录地点、常用登录时间以及常用业务，确定该账号是否为异常账号。Step S203: Determine whether the account is an abnormal account according to a common login location, a common login time, and a common service of the account that is logged in by the IP address.

本优选实施例的异常账号确定方法结束于步骤S203。The abnormal account determination method of the preferred embodiment ends in step S203.

下面详细说明本优选实施例的异常账号确定方法的各步骤的具体流程。The specific flow of each step of the abnormal account determining method of the preferred embodiment will be described in detail below.

在步骤S201中，统计模块11检测所有登录账号的IP地址，从而可统计出每个IP地址的登录账号数，随后来到步骤S202。In step S201, the statistics module 11 detects the IP addresses of all the login accounts, so that the number of login accounts for each IP address can be counted, and then proceeds to step S202.

在步骤S202中，异常检测模块12检测每个IP地址的登录账号数是否超过阈值，该阈值可人为进行设定。阈值可为以该IP地址登录的账号数的最大值的倍数；或以该IP地址登录的账号数的平均值的倍数。如IP地址的登录账号数没有超过阈值，则返回步骤S201，统计模块11继续对每个IP的登录账号数进行实时统计，否则执行步骤S203。In step S202, the abnormality detecting module 12 detects whether the number of login accounts of each IP address exceeds a threshold, and the threshold can be manually set. The threshold may be a multiple of the maximum number of accounts logged in with the IP address; or a multiple of the average of the number of accounts logged in with the IP address. Such as the IP address of the account If the number does not exceed the threshold, the process returns to step S201, and the statistic module 11 continues to perform real-time statistics on the number of login accounts of each IP. Otherwise, step S203 is performed.

在步骤S203中，如异常检测模块12确定以该IP地址登录的账号数超过了阈值，则这里判断在该IP地址上可能存在异常账号操作。异常确定模块13调取以该IP地址登录的所有账号，以及这些账号的常用登录地点、常用登录时间以及常用业务；将登录账号的常用登录地点、常用登录时间以及常用业务与该登录账号的当前登录地点、当前登录时间以及当前使用业务进行比较，以确定登录账号是否为异常账号。In step S203, if the abnormality detecting module 12 determines that the number of accounts logged in with the IP address exceeds the threshold, it is determined here that there may be an abnormal account operation on the IP address. The abnormality determining module 13 retrieves all accounts registered with the IP address, common login locations, common login times, and common services of the accounts; common login locations, common login times, and common services of the login account and the current current accounts. The login location, the current login time, and the currently used service are compared to determine whether the login account is an abnormal account.

在一个实施例中，如该IP地址上登录的所有登录账号数为A，其中X个登录账号的常用登录地点与当前登录地点不同，Y个登录账号的常用登录时间与当前登录时间不同，Z个登录账号的常用业务与当前使用业务不同，如X/A大于第一设定值，Y/A大于第二设定值，Z/A大于第三设定值，则确定该IP地址上登录的账号中同时满足未通过常用登录地点登录、未在常用登录时间登录以及未使用常用业务的登录账号为异常账号。这里的第一设定值、第二设定值以及第三设定值可人为进行设定，这样可将由于用户自身原因或运营商原因导致的异常操作排除掉。当然这里也可不设定第一设定值、第二设定值以及第三设定值中的一个或几个，而直接将满足未通过常用登录地点登录、未在常用登录时间登录以及未使用常用业务的登录账号确定为异常账号。In one embodiment, if the number of login accounts registered on the IP address is A, where the common login location of the X login accounts is different from the current login location, the common login time of the Y login accounts is different from the current login time, Z. The common service of the login account is different from the current service. If X/A is greater than the first set value, Y/A is greater than the second set value, and Z/A is greater than the third set value, then the login is determined on the IP address. The account number of the account that is not logged in through the common login location, not logged in at the usual login time, and unused common service is an abnormal account. Here, the first set value, the second set value, and the third set value can be manually set, so that abnormal operations due to the user's own reasons or operator reasons can be excluded. Of course, one or several of the first set value, the second set value, and the third set value may not be set here, but directly meet the failure to log in through the common login location, not log in at the common login time, and not used. The login account of the common service is determined to be an abnormal account.

这样即完成了本优选实施例的异常账号确定方法的异常账号的确定过程。This completes the process of determining the abnormal account number of the abnormal account determining method of the preferred embodiment.

本优选实施例的异常账号确定方法通过同一IP地址的登录账号数，以及相应登录账号的异常操作来检测登录账号是否被盗，并可及时向用户和运营商提供相应的异常账号，可缩短确认异常账号的时间以及减小对正常用户带来的损失。The abnormal account determination method of the preferred embodiment detects whether the login account is stolen by using the number of login accounts of the same IP address and the abnormal operation of the corresponding login account, and can provide the corresponding abnormal account to the user and the operator in time, thereby shortening the confirmation. The time of the abnormal account and the reduction of the normal user loss.

请参照图3，图3为根据本发明另一实施例的异常账号确定装置的结构示意图。本优选实施例的异常账号确定装置30也可设置在电子设备中。在第一优选实施例的基础上，本优选实施例的异常账号确定装置30还包括常用登录地点确定模块35、常用登录时间确定模块36、常用业务确定模块37以及异常账号确定模块38。常用登录地点确定模块35用于将登录账号的所有登录地点中频率最高的L个登录地点作为登录账号的常用登录地点，L为大于1的正整数；常用登录时间确定模块36用于将登录账号的登陆时间段中频率最高的M个登录时间段作为登录账号的常用登录时间，M为大于1的正整数；常用业务确定模块37用于将登录账号的业务中使用频率最高的N个业务作为登录账号的常用业务，N为大于1的正整数；异常账号确定模块38用于对确认为异常账号的登录账号进行异常行为检测，并根据检测结果，提供异常账号。Please refer to FIG. 3. FIG. 3 is a schematic structural diagram of an abnormal account determining apparatus according to another embodiment of the present invention. The abnormal account determining means 30 of the preferred embodiment can also be provided in the electronic device. Based on the first preferred embodiment, the abnormal account determining apparatus 30 of the preferred embodiment further includes a common login location determining module 35, a common login time determining module 36, a common service determining module 37, and an abnormal account determining module 38. The common login location determining module 35 is configured to use the most frequently used L login locations among all the login locations of the login account as the common login location of the login account, L is a positive integer greater than 1; the common login time determination module 36 is configured to log in the login account. The M login time period with the highest frequency in the login time period is used as the common login time of the login account, and M is a positive integer greater than 1. The common service determination module 37 is configured to use the N services with the highest frequency of use in the login account. For the common service of the login account, N is a positive integer greater than 1. The abnormal account determination module 38 is configured to perform an abnormal behavior detection on the login account confirmed as an abnormal account, and provide an abnormal account according to the detection result.

本优选实施例的异常账号确定装置30使用时，首先统计模块11检测所有登录账号的IP地址，从而可统计出以该IP地址登录的账号数。然后异常检测模块12检测以该IP地址登录的账号数是否超过阈值，如以该IP地址登录的账号数没有超过阈值，则统计模块11继续对每个IP的登录账号数进行实时统计。When the abnormal account determining apparatus 30 of the preferred embodiment is used, the first counting module 11 detects the IP addresses of all the login accounts, so that the number of accounts registered with the IP address can be counted. Then, the abnormality detecting module 12 detects whether the number of accounts registered with the IP address exceeds a threshold. If the number of accounts registered with the IP address does not exceed the threshold, the statistics module 11 continues to perform real-time statistics on the number of login accounts of each IP.

如异常检测模块12确定以IP地址登录的账号数超过了阈值，则异常确定模块13调取以该IP地址登录的所有登录账号，以及所有登录账号的常用登录地点、常用登录时间以及常用业务；将登录账号的常用登录地点、常用登录时间以及常用业务与该登录账号的当前登录地点、当前登录时间以及当前使用业务进行比较，以确定登录账号是否为异常账号。具体的确定过程如上述的第一优选实施例中所述，具体请参见上述异常账号确定装置的第一优选实施例。If the abnormality detecting module 12 determines that the number of accounts logged in by the IP address exceeds the threshold, the abnormality determining module 13 retrieves all the login accounts logged in with the IP address, and common login locations, common login times, and common services of all the login accounts; The common login location of the login account, the common login time, and the common service are compared with the current login location of the login account, the current login time, and the currently used service to determine whether the login account is an abnormal account. The specific determination process is as described above first For details, refer to the first preferred embodiment of the abnormal account determining device.

在本优选实施例中，常用登录地点确定模块35将登录账号的所有登录地点中频率最高的L个(如5个等)登录地点作为登录账号的常用登录地点，L为大于1的正整数；常用登录时间确定模块36将登录账号的登录时间段中频率最高的M个登录时间段(如18点至19点、以及23点至24点等)作为登录账号的常用登录时间，M为大于1的正整数；常用业务确定模块37将登录账号的业务中使用频率最高的N个业务(如网络电话等)作为登录账号的常用业务，N为大于1的正整数。当然常用登录地点、常用登录时间以及常用业务的设置也可用其他统计方法进行设置，具体的常用登录地点、常用登录时间以及常用业务的设置方法并不限制本发明的异常账号确定装置的保护范围。In the preferred embodiment, the common login location determining module 35 uses the L (such as 5) login locations with the highest frequency among all the login locations of the login account as the common login location of the login account, and L is a positive integer greater than 1. The common login time determining module 36 uses the M login time periods (such as 18:00 to 19:00, and 23 to 24 points) with the highest frequency in the login time period of the login account as the common login time of the login account, and M is greater than 1. The normal service determination module 37 uses the N service (such as a network phone) having the highest frequency of use in the service of the login account as a common service of the login account, and N is a positive integer greater than 1. Of course, the common login location, common login time, and common service settings can also be set by other statistical methods. The specific common login location, common login time, and common service setting method do not limit the protection scope of the abnormal account determination apparatus of the present invention.

异常确定模块13确定异常账号后，异常账号确定模块38会对确认为异常账号的登录账号进行异常行为检测，并根据检测结果，提供异常账号。此处的异常行为检测包括检测登录账号是否被举报、检测登录账号是否发送过垃圾消息以及检测登录账号是否修改过密码中的至少其中一项。这里的垃圾消息包括广告消息以及色情消息等。如异常账号确定模块检测到上述任一的异常行为，则可认为该异常账号可被提供给相应的运营商立刻进行处理(封号等等)，以减小该异常账号对用户以及运营商造成的损失。After the abnormality determining module 13 determines the abnormal account, the abnormal account determining module 38 performs abnormal behavior detection on the login account confirmed as the abnormal account, and provides an abnormal account according to the detection result. The abnormal behavior detection here includes detecting whether the login account is reported, detecting whether the login account has sent a spam message, and detecting whether the login account has modified at least one of the passwords. Spam here includes advertising messages and pornographic messages. If the abnormal account determination module detects any of the abnormal behaviors described above, the abnormal account may be deemed to be provided to the corresponding operator for immediate processing (such as a title, etc.) to reduce the abnormal account to the user and the operator. loss.

本优选实施例的异常账号确定装置在第一优选实施例的基础上，通过常用登录地点模块、常用登录时间模块以及常用业务模块对异常账号的常用登录地点、常用登录时间以及常用业务进行确认，使得对异常账号的检测速度更快。同时通过异常账号确定模块的异常行为检测进一步优化了异常账号的提供。The abnormal account determining apparatus of the preferred embodiment confirms the common login location, common login time, and common service of the abnormal account by using the common login location module, the common login time module, and the common service module on the basis of the first preferred embodiment. Makes detection of abnormal accounts faster. At the same time, the abnormal account detection by the abnormal account determination module further optimizes the provision of the abnormal account.

请参照图3和图4，图4为根据本发明另一实施例的异常账号确定方法的流程图。本实施例的异常账号确定方法可使用上述根据本发明另一实施例的异常账号确定装置进行实施，其包括：Please refer to FIG. 3 and FIG. 4. FIG. 4 is a schematic diagram of an abnormal account determination method according to another embodiment of the present invention. flow chart. The abnormal account number determining method in this embodiment may be implemented by using the abnormal account determining device according to another embodiment of the present invention, which includes:

步骤S401，检测登录账号的IP地址，并统计以该IP地址登录的账号数；Step S401, detecting an IP address of the login account, and counting the number of accounts registered by the IP address;

步骤S402，确定以该IP地址登录的账号数是否超过阈值；Step S402, determining whether the number of accounts logged in by the IP address exceeds a threshold;

步骤S403，根据以该IP地址登录的账号的常用登录地点、常用登录时间以及常用业务，确定登录账号是否为异常账号；以及Step S403, determining whether the login account is an abnormal account according to a common login location, a common login time, and a common service of the account that is logged in by the IP address;

步骤S404，对确认异常账号的登陆账号进行异常行为检测，并根据检测结果，提供异常账号。Step S404, performing abnormal behavior detection on the login account for confirming the abnormal account, and providing an abnormal account according to the detection result.

本优选实施例的异常账号确定方法结束于步骤S404。The abnormal account determination method of the preferred embodiment ends in step S404.

在步骤S401中，统计模块11检测所有登录账号的IP地址，从而可统计出每个IP地址的登录账号数，随后来到步骤S402。In step S401, the statistics module 11 detects the IP addresses of all the login accounts, so that the number of login accounts for each IP address can be counted, and then proceeds to step S402.

在步骤S402中，异常检测模块12检测每个IP地址的登录账号数是否超过阈值，该阈值可人为进行设定。阈值可为以该IP地址登录的账号数的最大值的倍数；或以该IP地址登录的账号数的平均值的倍数。如IP地址的登录账号数没有超过阈值，则返回步骤S401，统计模块继续对每个IP的登录账号数进行实时统计；否则执行步骤S403。In step S402, the abnormality detecting module 12 detects whether the number of login accounts of each IP address exceeds a threshold, and the threshold can be manually set. The threshold may be a multiple of the maximum number of accounts logged in with the IP address; or a multiple of the average of the number of accounts logged in with the IP address. If the number of login accounts of the IP address does not exceed the threshold, the process returns to step S401, and the statistics module continues to perform real-time statistics on the number of login accounts of each IP; otherwise, step S403 is performed.

在步骤S403中，如异常检测模块12确定以该IP地址登录的账号数超过了阈值，则这里判断在该IP地址上可能存在异常账号操作。异常确定模块13调取以该IP地址登录的所有账号，以及所有账号的常用登录地点、常用登录时间以及常用业务；将登录账号的常用登录地点、常用登录时间以及常用业务与该登录账号的当前登录地点、当前登录时间以及当前使用业务进行比较，以确定登录账号是否为异常账号。In step S403, if the abnormality detecting module 12 determines that the number of accounts registered with the IP address exceeds the threshold, it is determined here that there may be an abnormal account operation on the IP address. The abnormality determining module 13 retrieves all accounts registered with the IP address, common login locations of all accounts, common login time, and common services; common login locations, common login times, and common services of the login account and the current current account Login location, current login time, and current usage comparisons to Determine if the login account is an abnormal account.

常用登录地点确定模块35将登录账号的所有登录地点中频率最高的L个(如5个等)登录地点作为登录账号的常用登录地点，L为大于1的正整数；常用登录时间确定模块36将登录账号的登录时间段中频率最高的M个登录时间段(如18点至19点、以及23点至24点等)作为登录账号的常用登录时间，M为大于1的正整数；常用业务确定模块37将登录账号的业务中使用频率最高的N个业务(如网络电话等)作为登录账号的常用业务，N为大于1的正整数。当然常用登录地点、常用登录时间以及常用业务的设置也可用其他统计方法进行设置，具体的常用登录地点、常用登录时间以及常用业务的设置方法并不限制本发明的异常账号确定装置的保护范围。随后执行步骤S404。The common login location determining module 35 uses the highest frequency L (such as 5) login locations among all the login locations of the login account as the common login location of the login account, L is a positive integer greater than 1; the common login time determination module 36 will The M login time period (such as 18:00 to 19:00 and 23:00 to 24:00) with the highest frequency in the login time range of the login account is used as the common login time of the login account, and M is a positive integer greater than 1; The module 37 uses the N services (such as network telephones) with the highest frequency of use in the service of the login account as the common service of the login account, and N is a positive integer greater than 1. Of course, the common login location, common login time, and common service settings can also be set by other statistical methods. The specific common login location, common login time, and common service setting method do not limit the protection scope of the abnormal account determination apparatus of the present invention. Step S404 is then performed.

在步骤S404中，异常确定模块13确定异常账号后，异常账号确定模块38会对确认为异常账号的登录账号进行异常行为检测，并根据检测结果，提供异常账号。此处的异常行为检测包括检测登录账号是否被举报、检测登录账号是否发送过垃圾消息以及检测登录账号是否修改过密码中的至少其中一项。这里的垃圾消息包括广告消息以及色情消息等。如异常账号确定模块检测到上述任一的异常行为，则可认为该异常账号可被提供给相应的运营商立刻进行处理(封号等等)，以减小该异常账号对用户以及运营商造成的损失。In step S404, after the abnormality determining module 13 determines the abnormal account, the abnormal account determining module 38 performs abnormal behavior detection on the login account confirmed as the abnormal account, and provides an abnormal account according to the detection result. The abnormal behavior detection here includes detecting whether the login account is reported, detecting whether the login account has sent a spam message, and detecting whether the login account has modified at least one of the passwords. Spam here includes advertising messages and pornographic messages. If the abnormal account determination module detects any of the abnormal behaviors described above, the abnormal account may be deemed to be provided to the corresponding operator for immediate processing (such as a title, etc.) to reduce the abnormal account to the user and the operator. loss.

本优选实施例的异常账号确定方法在第一实施例的基础上，通过常用登录地点模块、常用登录时间模块以及常用业务模块对异常账号的常用登录地点、常用登录时间以及常用业务进行确认，使得对异常账号的检测速度更快。同时通过异常账号确定模块的异常行为检测进一步优化了异常账号的提供。On the basis of the first embodiment, the abnormal login account determining method of the preferred embodiment confirms the common login location, common login time, and common service of the abnormal account by using the common login location module, the common login time module, and the common service module. Detection of abnormal accounts is faster. At the same time, the abnormal account detection by the abnormal account determination module further optimizes the provision of the abnormal account.

下面通过图5详细说明本发明的异常账号确定方法的具体工作原理。请参照图5，图5为本发明的异常账号确定方法的具体实施例的流程示意图。The specific working principle of the abnormal account determining method of the present invention will be described in detail below with reference to FIG. Please refer to FIG. 5 is a schematic flowchart diagram of a specific embodiment of an abnormal account determining method according to the present invention.

当用户进行了异常操作(比如修改密码或发生交易)后，根据本实施例的异常账号确定方法包括：对该用户操作行为实时记录51；并通过对用户的操作行为进行分析52和操作时间进行分析53，将用户的常用业务存储在常用业务确定模块54中，将用户的常用登录时间段存储在常用登录时间确定模块55中。After the user performs an abnormal operation (such as modifying a password or a transaction occurs), the abnormal account determining method according to the embodiment includes: recording the user operation behavior in real time 51; and performing analysis 52 on the user's operation behavior and operation time. The analysis 53 stores the user's common service in the common service determination module 54 and stores the user's common login time period in the common login time determination module 55.

当用户进行登录操作时，根据本实施例的异常账号确定方法包括：对用户的登录操作实时记录56，并通过对用户的登录操作进行分析，对用户的登录IP地址进行实时统计57和对用户登录地点进行统计58，将用户的登录地点存储在常用登录地点确定模块59中。When the user performs the login operation, the abnormal account determination method according to the embodiment includes: real-time recording 56 of the login operation of the user, and analyzing the login operation of the user, performing real-time statistics on the login IP address of the user 57 and the user The login location performs statistics 58, and the user's login location is stored in the common login location determination module 59.

当统计模块统计某个IP地址的登录用户超过阈值时，异常确定模块60会调用常用登录时间确定模块55、常用业务确定模块54以及常用登录地点确定模块59的数据以及相应的数学模型来确定异常账号，并将确定的异常账号确定给相应的运营商或用户。When the statistic module counts the logged-in user of an IP address exceeding the threshold, the abnormality determining module 60 invokes the data of the common login time determining module 55, the common service determining module 54, and the common login location determining module 59, and the corresponding mathematical model to determine the abnormality. Account number, and determine the determined abnormal account to the corresponding operator or user.

这样，即完成了本发明的异常账号确定方法及装置的异常账号确定过程。Thus, the abnormal account determination method and the abnormal account determination process of the device of the present invention are completed.

本发明的异常账号确定方法及装置通过同一IP地址的登录账号数，以及相应登录账号的异常操作来检测登录账号是否被盗，解决了现有的异常账号由用户自身进行提供、具有较大的延迟性，可能会对用户造成较大的、不可弥补的损失的技术问题。The abnormal account determining method and device of the present invention detects whether the login account is stolen by the number of login accounts of the same IP address and the abnormal operation of the corresponding login account, and solves the problem that the existing abnormal account is provided by the user itself and has a large Delayed, technical problems that may cause large, irreparable damage to users.

图6和随后的讨论提供了对实现本发明所述的异常账号确定装置所在电子设备的工作环境的简短、概括的描述。图6的工作环境仅仅是适当的工作环境的一个实例并且不旨在建议关于工作环境的用途或功能的范围的任何限制。实例电子设备612包括但不限于个人计算机、服务器计算机、手持式或膝上型设备、移动设备(比如移动电话、个人数字助理(PDA)、媒体播放器等等)、多处理器系统、消费型电子设备、小型计算机、大型计算机、包括上述任意系统或设备的分布式计算环境，等等。Figure 6 and the following discussion provide a brief, general description of the operating environment of the electronic device in which the abnormal account determination device of the present invention is implemented. The working environment of Figure 6 is only one example of a suitable working environment and is not intended to suggest any limitation as to the scope of use or function of the working environment. Example electronic device 612 includes, but is not limited to, a personal computer, a server computer, a handheld or laptop device, a mobile device (such as a mobile phone, a personal digital assistant (PDA), a media player, etc.), a multi-processor system, a consumer Electronic devices, small computers, mainframe computers, distributed computing environments including any of the above systems or devices, and the like.

尽管没有要求，但是在“计算机可读指令”被一个或多个电子设备执行的通用背景下描述实施例。计算机可读指令可以经由计算机可读介质来分布(下文讨论)。计算机可读指令可以实现为程序模块，比如执行特定任务或实现特定抽象数据类型的功能、对象、应用编程接口(API)、数据结构等等。典型地，该计算机可读指令的功能可以在各种环境中随意组合或分布。Although not required, embodiments are described in the general context in which "computer readable instructions" are executed by one or more electronic devices. Computer readable instructions may be distributed via computer readable media (discussed below). Computer readable instructions may be implemented as program modules, such as functions, objects, application programming interfaces (APIs), data structures, etc. that perform particular tasks or implement particular abstract data types. Typically, the functionality of the computer readable instructions can be combined or distributed at will in various environments.

图6图示了包括本发明的异常账号确定方法以及装置的一个或多个实施例的电子设备612的实例。在一种配置中，电子设备612包括至少一个处理单元616和存储器618。根据电子设备的配置和类型，存储器618可以是易失性的(比如RAM)、非易失性的(比如ROM、闪存等)或二者的某种组合。该配置在图1中由虚线614图示。FIG. 6 illustrates an example of an electronic device 612 that includes one or more embodiments of the abnormal account determination method and apparatus of the present invention. In one configuration, electronic device 612 includes at least one processing unit 616 and memory 618. Depending on the configuration and type of electronic device, memory 618 may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.) or some combination of the two. This configuration is illustrated in Figure 1 by dashed line 614.

在其他实施例中，电子设备612可以包括附加特征和/或功能。例如，设备612还可以包括附加的存储装置(例如可移除和/或不可移除的)，其包括但不限于磁存储装置、光存储装置等等。这种附加存储装置在图6中由存储装置620图示。在一个实施例中，用于实现本文所提供的一个或多个实施例的计算机可读指令可以在存储装置620中。存储装置620还可以存储用于实现操作系统、应用程序等的其他计算机可读指令。计算机可读指令可以载入存储器618中由例如处理单元616执行。In other embodiments, electronic device 612 may include additional features and/or functionality. For example, device 612 may also include additional storage devices (eg, removable and/or non-removable) including, but not limited to, magnetic storage devices, optical storage devices, and the like. Such an additional storage device is illustrated by storage device 620 in FIG. In one embodiment, computer readable instructions for implementing one or more embodiments provided herein may be in storage device 620. Storage device 620 can also store other computer readable instructions for implementing an operating system, applications, and the like. Computer readable instructions may be loaded into memory 618 for execution by, for example, processing unit 616.

本文所使用的术语“计算机可读介质”包括计算机存储介质。计算机存储介质包括以用于存储诸如计算机可读指令或其他数据之类的信息的任何方法或技术实现的易失性和非易失性、可移除和不可移除介质。存储器618和存储装置620是计算机存储介质的实例。计算机存储介质包括但不限于RAM、ROM、EEPROM、闪存或其他存储器技术、CD-ROM、数字通用盘(DVD)或其他光存储装置、盒式磁带、磁带、磁盘存储装置或其他磁存储设备、或可以用于存储期望信息并可以被电子设备612访问的任何其他介质。任意这样的计算机存储介质可以是电子设备612的一部分。The term "computer readable medium" as used herein includes computer storage media. Computer storage Media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions or other data. Memory 618 and storage device 620 are examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical storage device, magnetic tape cassette, magnetic tape, magnetic disk storage device or other magnetic storage device, Or any other medium that can be used to store desired information and that can be accessed by electronic device 612. Any such computer storage media may be part of the electronic device 612.

电子设备612还可以包括允许电子设备612与其他设备通信的通信连接626。通信连接626可以包括但不限于调制解调器、网络接口卡(NIC)、集成网络接口、射频发射器/接收器、红外端口、USB连接或用于将电子设备612连接到其他电子设备的其他接口。通信连接626可以包括有线连接或无线连接。通信连接626可以发射和/或接收通信媒体。Electronic device 612 may also include a communication connection 626 that allows electronic device 612 to communicate with other devices. Communication connection 626 may include, but is not limited to, a modem, a network interface card (NIC), an integrated network interface, a radio frequency transmitter/receiver, an infrared port, a USB connection, or other interface for connecting electronic device 612 to other electronic devices. Communication connection 626 can include a wired connection or a wireless connection. Communication connection 626 can transmit and/or receive communication media.

术语“计算机可读介质”可以包括通信介质。通信介质典型地包含计算机可读指令或诸如载波或其他传输机构之类的“己调制数据信号”中的其他数据，并且包括任何信息递送介质。术语“己调制数据信号”可以包括这样的信号：该信号特性中的一个或多个按照将信息编码到信号中的方式来设置或改变。The term "computer readable medium" can include a communication medium. Communication media typically embodies computer readable instructions or other data in "modulated data signals" such as carrier waves or other transport mechanisms, and includes any information delivery media. The term "modulated data signal" can include a signal that one or more of the signal characteristics are set or changed in such a manner as to encode the information into the signal.

电子设备612可以包括输入设备624，比如键盘、鼠标、笔、语音输入设备、触摸输入设备、红外相机、视频输入设备和/或任何其他输入设备。设备612中也可以包括输出设备622，比如一个或多个显示器、扬声器、打印机和/或任意其他输出设备。输入设备624和输出设备622可以经由有线连接、无线连接或其任意组合连接到电子设备612。在一个实施例中，来自另一个电子设备的输入设备或输出设备可以被用作电子设备612的输入设备624或输出设备622。The electronic device 612 can include an input device 624 such as a keyboard, mouse, pen, voice input device, touch input device, infrared camera, video input device, and/or any other input device. Output device 622 may also be included in device 612, such as one or more displays, speakers, printers, and/or any other output device. Input device 624 and output device 622 can be connected to electronic device 612 via a wired connection, a wireless connection, or any combination thereof. In one embodiment, an input device or output device from another electronic device can be used as the input device 624 or output device of the electronic device 612. Prepare 622.

电子设备612的组件可以通过各种互连(比如总线)连接。这样的互连可以包括外围组件互连(PCI)(比如快速PCI)、通用串行总线(USB)、火线(IEEE1394)、光学总线结构等等。在另一个实施例中，电子设备612的组件可以通过网络互连。例如，存储器618可以由位于不同物理位置中的、通过网络互连的多个物理存储器单元构成。The components of electronic device 612 can be connected by various interconnects, such as a bus. Such interconnects may include Peripheral Component Interconnect (PCI) (such as Fast PCI), Universal Serial Bus (USB), Firewire (IEEE 1394), optical bus architecture, and the like. In another embodiment, the components of electronic device 612 can be interconnected by a network. For example, memory 618 may be comprised of multiple physical memory units that are interconnected by a network located in different physical locations.

本领域技术人员将认识到，用于存储计算机可读指令的存储设备可以跨越网络分布。例如，可经由网络628访问的电子设备630可以存储用于实现本发明所提供的一个或多个实施例的计算机可读指令。电子设备612可以访问电子设备630并且下载计算机可读指令的一部分或所有以供执行。可替代地，电子设备612可以按需要下载多条计算机可读指令，或者一些指令可以在电子设备612处执行并且一些指令可以在电子设备630处执行。Those skilled in the art will recognize that storage devices for storing computer readable instructions may be distributed across a network. For example, electronic device 630 accessible via network 628 can store computer readable instructions for implementing one or more embodiments of the present disclosure. The electronic device 612 can access the electronic device 630 and download a portion or all of the computer readable instructions for execution. Alternatively, electronic device 612 can download a plurality of computer readable instructions as needed, or some of the instructions can be executed at electronic device 612 and some of the instructions can be executed at electronic device 630.

本文提供了实施例的各种操作。在一个实施例中，所述的一个或多个操作可以构成一个或多个计算机可读介质上存储的计算机可读指令，其在被电子设备执行时将使得计算设备执行所述操作。描述一些或所有操作的顺序不应当被解释为暗示这些操作必需是顺序相关的。本领域技术人员将理解具有本说明书的益处的可替代的排序。而且，应当理解，不是所有操作必需在本文所提供的每个实施例中存在。Various operations of the embodiments are provided herein. In one embodiment, the one or more operations may constitute computer readable instructions stored on one or more computer readable media that, when executed by an electronic device, cause the computing device to perform the operations. The order in which some or all of the operations are described should not be construed as implying that the operations must be sequential. Those skilled in the art will appreciate alternative rankings that have the benefit of this specification. Moreover, it should be understood that not all operations must be present in every embodiment provided herein.

而且，本文所使用的词语“优选的”意指用作实例、示例或例证。奉文描述为“优选的”任意方面或设计不必被解释为比其他方面或设计更有利。相反，词语“优选的”的使用旨在以具体方式提出概念。如本申请中所使用的术语“或” 旨在意指包含的“或”而非排除的“或”。即，除非另外指定或从上下文中清楚，“X使用A或B”意指自然包括排列的任意一个。即，如果X使用A；X使用B；或X使用A和B二者，则“X使用A或B”在前述任一示例中得到满足。Moreover, the word "preferred" as used herein is intended to serve as an example, instance, or illustration. Any aspect or design described as "preferred" by the text is not necessarily to be construed as being more advantageous than other aspects or designs. Instead, the use of the word "preferred" is intended to present a concept in a specific manner. The term "or" as used in this application It is intended to mean an "or" rather than an excluded "or". That is, unless otherwise specified or clear from the context, "X employs A or B" means naturally including any one of the permutations. That is, if X uses A; X uses B; or X uses both A and B, then "X uses A or B" is satisfied in any of the foregoing examples.

而且，尽管已经相对于一个或多个实现方式示出并描述了本公开，但是本领域技术人员基于对本说明书和附图的阅读和理解将会想到等价变型和修改。本公开包括所有这样的修改和变型，并且仅由所附权利要求的范围限制。特别地关于由上述组件(例如元件、资源等)执行的各种功能，用于描述这样的组件的术语旨在对应于执行所述组件的指定功能(例如其在功能上是等价的)的任意组件(除非另外指示)，即使在结构上与执行本文所示的本公开的示范性实现方式中的功能的公开结构不等同。此外，尽管本公开的特定特征已经相对于若干实现方式中的仅一个被公开，但是这种特征可以与如可以对给定或特定应用而言是期望和有利的其他实现方式的一个或多个其他特征组合。而且，就术语“包括”、“具有”、“含有”或其变形被用在具体实施方式或权利要求中而言，这样的术语旨在以与术语“包含”相似的方式包括。Rather, the present invention has been shown and described with respect to the embodiments of the present invention. The present disclosure includes all such modifications and variations, and is only limited by the scope of the appended claims. With particular regard to various functions performed by the above-described components (e.g., elements, resources, etc.), the terms used to describe such components are intended to correspond to performing the specified functions of the components (e.g., they are functionally equivalent). Any component (unless otherwise indicated) is not equivalent in structure to the disclosed structure for performing the functions in the exemplary implementations of the present disclosure as shown herein. Moreover, although certain features of the present disclosure have been disclosed with respect to only one of several implementations, such features may be combined with one or more other implementations as may be desired and advantageous for a given or particular application. Other feature combinations. Furthermore, the terms "comprising," "having," "having," or "include" or "comprising" are used in the particular embodiments or claims, and such terms are intended to be encompassed in a manner similar to the term "comprising."

本发明实施例中的各功能单元可以集成在一个处理模块中，也可以是各个单元单独物理存在，也可以两个或两个以上单元集成在一个模块中。上述集成的模块既可以采用硬件的形式实现，也可以采用软件功能模块的形式实现。所述集成的模块如果以软件功能模块的形式实现并作为独立的产品销售或使用时，也可以存储在一个计算机可读取存储介质中。上述提到的存储介质可以是只读存储器，磁盘或光盘等。上述的各装置或系统，可以执行相应方法实施例中的方法。 Each functional unit in the embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module. The above integrated modules can be implemented in the form of hardware or in the form of software functional modules. The integrated modules, if implemented in the form of software functional modules and sold or used as stand-alone products, may also be stored in a computer readable storage medium. The above mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like. Each of the above described devices or systems can perform the methods of the corresponding method embodiments.

综上所述，虽然本发明已以优选实施例揭露如上，但上述优选实施例并非用以限制本发明，本领域的普通技术人员，在不脱离本发明的精神和范围内，均可作各种更动与润饰，因此本发明的保护范围以权利要求界定的范围为准。 In the above, the present invention has been disclosed in the above preferred embodiments, but the preferred embodiments are not intended to limit the present invention, and those skilled in the art can make various modifications without departing from the spirit and scope of the invention. The invention is modified and retouched, and the scope of the invention is defined by the scope defined by the claims.

Claims

An abnormal account determination method, characterized in that the method comprises the steps of:

Detecting an internet protocol address of the login account, and counting the number of accounts logged in with the internet protocol address;

Determining whether the number of the accounts logged in with the Internet Protocol address exceeds a threshold;

If the number of the accounts that are logged in by the Internet Protocol address exceeds the threshold, it is determined whether the account is an abnormal account according to a common login location, a common login time, and a common service of the account that is logged in by the Internet Protocol address.

The abnormal account determination method according to claim 1, wherein the abnormal account is an account that is logged in with the Internet Protocol address, and is not logged in through a common login location, not logged in at a common login time, and not used. Business account number.

The method for determining an abnormal account according to claim 2, wherein the step of determining whether the login account is an abnormal account comprises:

If the number of login accounts of the Internet Protocol address exceeds the threshold, X account accounts of the Internet Protocol address are not logged in through a common login location, and Y accounts are in the login account of the Internet Protocol address. The login account of the Internet Protocol address has Z accounts that are not used for common services, and X/A is greater than the first set value, and Y/A is greater than the second set value, Z/A. If the value is greater than the third set value, where A is the number of login accounts of the Internet Protocol address, it is determined that the login account of the Internet Protocol address satisfies not logging in through the common login location, not logging in the common login time, and not using the commonly used login time. The login account of the service is the abnormal account.

The abnormal account determination method according to claim 1, wherein the abnormal account determination method further comprises the steps of:

The L most frequent login sites of all the login locations of the login account are used as common login sites of the login account, and L is a positive integer greater than 1.

The M login time period with the highest frequency in the login time period of the login account is used as the common login time of the login account, and M is a positive integer greater than 1;

The N service with the highest frequency of use in the service of the login account is used as a common service of the login account, and N is a positive integer greater than 1.

Performing abnormal behavior detection on the account identified as the abnormal account, and providing the abnormal account according to the detection result.

The abnormal account determination method according to claim 5, wherein the abnormal behavior detection comprises detecting whether the login account is reported, detecting whether the login account has sent a spam message, and detecting whether the login account has been modified. At least one of the passwords.

An abnormal account determining device, comprising:

a statistics module, configured to detect an internet protocol address of the login account, and count the number of accounts registered by using the internet protocol address;

An abnormality detecting module, configured to determine whether the number of accounts logged in by the Internet Protocol address exceeds a threshold;

An abnormality determining module, configured to: if the abnormality detecting module determines that the number of accounts logged in by the Internet Protocol address exceeds the threshold, according to a common login location of an account with the Internet Protocol address Point, common login time, and common service, determine whether the account is an abnormal account.

The abnormal account determining apparatus according to claim 7, wherein the abnormal account is a login account of the Internet Protocol address, and simultaneously fails to log in through a common login location, does not log in at a common login time, and does not use a common service. Account number.

The abnormal account determining apparatus according to claim 8, wherein if the abnormality detecting module determines that the number of login accounts of the Internet Protocol address exceeds the threshold, the abnormality determining module determines the Internet Protocol address. There are X accounts in the login account that are not logged in through the common login location. Among the login accounts of the Internet Protocol address, there are Y accounts that are not logged in at the common login time. There are Z accounts in the login account of the Internet Protocol address. The common service is not used, and X/A is greater than the first set value, Y/A is greater than the second set value, and Z/A is greater than the third set value, where A is the number of login accounts of the Internet Protocol address, and Further determining that the login account of the Internet Protocol address satisfies the abnormal account that does not log in through the common login location, does not log in at the common login time, and does not use the common service.

The abnormal account determining device according to claim 7, wherein the abnormal account determining device further comprises:

a common login location determining module, configured to use the L most frequent login locations of all the login locations of the login account as the common login location of the login account, where L is a positive integer greater than one;

a common login time determining module, configured to use M login time periods with the highest frequency in the login time period of the login account as the common login time of the login account, where M is a positive integer greater than 1;

The common service determining module is configured to use the N service with the highest frequency of use in the service of the login account as a common service of the login account, where N is a positive integer greater than 1.

The abnormal account determining module is configured to perform abnormal behavior detection on the account confirmed as the abnormal account, and provide the abnormal account according to the detection result.

The abnormal account determining apparatus according to claim 11, wherein the abnormal behavior detecting comprises detecting whether the login account is reported, detecting whether the login account has sent a spam message, and detecting whether the login account has been modified. At least one of the passwords.

A computer readable medium storing one or more computer programs, wherein the computer program comprises computer system executable instructions having one or more memories; the instructions causing a computer system to perform according to claims 1-6 The abnormal account determination method described in any one of the above.