CN107483500A

CN107483500A - Risk identification method and device based on user behaviors and storage medium

Info

Publication number: CN107483500A
Application number: CN201710872955.XA
Authority: CN
Inventors: 申杰; 李琳; 周冰; 周效军
Original assignee: Migu Cultural Technology Co Ltd
Current assignee: Migu Cultural Technology Co Ltd
Priority date: 2017-09-25
Filing date: 2017-09-25
Publication date: 2017-12-15

Abstract

The invention discloses a risk identification method based on user behaviors, which comprises the following steps: receiving a service request initiated by an object to be identified; determining user behavior information corresponding to the service request according to the service request; determining the credibility of the object to be identified according to the information of the user behaviors, the preset weight value of the user credible behaviors, the historical accumulated times of the service request initiated by the object to be identified and the historical weight accumulated value of the user credible behaviors corresponding to the object to be identified, wherein the user credible behaviors comprise user behaviors used for representing real operations of users; and determining whether the object to be identified has risks or not according to the credibility of the object to be identified. The invention also discloses a risk identification device based on the user behavior and a storage medium.

Description

Risk identification method and device based on user behaviors and storage medium

Technical Field

The present invention relates to information processing technologies in the field of computers, and in particular, to a risk identification method and apparatus based on user behavior, and a storage medium.

Background

With the rapid development of the internet, especially the mobile internet, more and more users are using various internet products, resulting in an increasing competition among internet companies. In order to compete for user resources and achieve ideal user growth and user activity, internet companies usually perform various marketing activities, such as coupon, lottery, praise, card punch or comment, so that users obtain corresponding benefits, thereby increasing user activity.

However, the marketing activities may cause attacks of some malicious attackers, for example, a certain account is used to simulate a real user to perform an approval behavior for 100 times at the same time, so that the terminal sends 100 approval requests to the server to cheat the approval amount, and the behavior aiming at cheating the approval amount is called a flushing behavior.

In the related art, in order to avoid the traffic-brushing behavior of a malicious attacker, a generally adopted technical implementation scheme is as follows: the method comprises the following steps of performing risk control operation by using a wind control system at a background of an Internet product, wherein the risk control operation is mainly performed based on account dimension, equipment dimension or network Protocol (IP, Internet Protocol) dimension, and specifically:

and performing risk control based on account dimensions, namely counting and analyzing data of the account dimensions and limiting access frequency. For example, if it is detected that the number of praise times of the same account in a specified time period reaches a corresponding threshold, the server is notified to reject the access behavior of the account, that is, to reject to respond to a service request initiated by the account;

and performing risk control based on the equipment dimension, namely counting and analyzing data of the equipment parameter dimension and controlling access of single equipment. For example, if it is detected that the lottery frequency of a certain device with the unique identifier to the server reaches a corresponding threshold, the server is notified to reject the access behavior of the device, that is, to reject to respond to the service request initiated by the device;

and performing risk control based on IP dimension, namely counting access behaviors based on the same IP address, and limiting access frequency to avoid frequent traffic swiping behaviors by using different account numbers. For example, if it is detected that the card punching frequency of a certain IP address for the server reaches a corresponding threshold, the server is notified to reject the access behavior of the IP address, that is, to reject to respond to the service request initiated by the IP address.

However, the above technical solution still has the following problems:

aiming at risk control based on account dimensionality, an attacker can register a large number of different account numbers and carry out a volume swiping behavior by continuously switching the different account numbers so as to avoid the limitation on the access frequency of the account numbers;

for risk control based on device dimensions, an attacker can simulate device parameters, and continuously modify the parameters of the simulated device by using a simulator so as to avoid the control of the access frequency of a single device;

for risk control based on IP dimension, an attacker can continuously switch IP addresses through proxy IP and IP of a Virtual Private Network (VPN) so as to avoid control of access frequency of the same IP address.

In summary, the internet resources may be maliciously preempted due to the traffic flushing behavior, however, the risk control scheme in the related art cannot effectively identify the risk of the object to be identified (such as the user account, the device or the IP address) corresponding to the service request, and thus cannot effectively perform risk control.

Disclosure of Invention

In view of this, embodiments of the present invention are expected to provide a risk identification method, apparatus and storage medium based on user behavior, so as to solve the problem that it is difficult to effectively identify an object to be identified corresponding to a service request, which has a risk in the prior art.

In order to achieve the above purpose, the technical solution of the embodiment of the present invention is realized as follows:

the embodiment of the invention provides a risk identification method based on user behaviors, which comprises the following steps:

receiving a service request initiated by an object to be identified;

determining user behavior information corresponding to the service request according to the service request;

determining the credibility of the object to be identified according to the information of the user behaviors, the preset weight value of the user credible behaviors, the historical accumulated times of the service request initiated by the object to be identified and the historical weight accumulated value of the user credible behaviors corresponding to the object to be identified, wherein the user credible behaviors comprise user behaviors used for representing real operations of users;

and determining whether the object to be identified has risks or not according to the credibility of the object to be identified.

In the above scheme, the object to be identified includes a user account;

the receiving of the service request initiated by the object to be identified includes:

receiving a service request initiated by the user account through a client; or,

and receiving a service request initiated by the user account through a browser.

In the above solution, before the determining the credibility of the object to be identified, the method further includes:

analyzing the information of the user account from the service request;

and according to the information of the user account and the mapping relation between the information of each pre-stored user account and the historical accumulated times of the initiated service request and the historical weight accumulated value of the user credible behavior, determining the historical accumulated times of the service request mapped with the information of the user account as the historical accumulated times of the service request initiated by the object to be identified, and determining the historical weight accumulated value of the user credible behavior mapped with the information of the user account as the historical weight accumulated value of the user credible behavior corresponding to the object to be identified.

In the foregoing solution, the determining the reliability of the object to be recognized according to the information of the user behavior, a preset weight value of the user trusted behavior, a historical accumulated number of times of a service request initiated by the object to be recognized, and a historical weight accumulated value of the user trusted behavior corresponding to the object to be recognized includes:

determining a weight value corresponding to the user behavior according to the information of the user behavior and a preset weight value of the user credible behavior;

determining a current weight accumulated value of the user credible behavior corresponding to the service request initiated by the object to be identified according to the weight value corresponding to the user behavior and the historical weight accumulated value of the user credible behavior corresponding to the object to be identified;

determining the current accumulated times of the service requests initiated by the object to be identified according to the number of the received service requests and the historical accumulated times of the service requests initiated by the object to be identified;

and determining the ratio of the current weight accumulated value to the current accumulated times as the credibility of the object to be identified.

In the foregoing solution, after determining the historical accumulated number of service requests mapped to the information of the user account as the historical accumulated number of service requests initiated by the object to be recognized, and determining the historical weighted accumulated value of the user trusted behavior mapped to the information of the user account as the historical weighted accumulated value of the user trusted behavior corresponding to the object to be recognized, the method further includes:

updating the historical accumulated times of the service requests initiated by the object to be identified according to the number of the service requests received this time;

and updating the historical weight accumulated value of the user credible behavior corresponding to the object to be identified according to the weight value of the user credible behavior corresponding to the service request received this time.

In the above scheme, the service request includes encrypted user behavior information;

the determining, according to the service request, information of a user behavior corresponding to the service request includes:

analyzing the encrypted user behavior information from the service request;

and decrypting the encrypted user behavior information to obtain the decrypted user behavior information, and determining the decrypted user behavior information as the user behavior information corresponding to the service request.

In the above scheme, the degree of reliability is inversely related to the degree of the risk of the object to be identified; then

The determining whether the object to be identified has a risk according to the credibility of the object to be identified includes:

when the credibility of the object to be identified is determined to be smaller than a preset credibility threshold, judging that the object to be identified has a risk;

the method further comprises the following steps:

after the object to be identified is judged to have risks, determining a corresponding risk control strategy according to the credibility of the object to be identified, and performing risk control on the object to be identified according to the risk control strategy.

In the above scheme, the determining a corresponding risk control policy according to the credibility of the object to be identified includes:

determining a credibility range to which the credibility of the object to be identified belongs according to the credibility of the object to be identified;

and matching the risk control strategy corresponding to the credibility range to which the credibility of the object to be identified belongs according to the corresponding relation between the preset credibility range and the risk control strategy.

In the above solution, the service request initiated by the object to be identified includes: the object to be identified sends a service request through a client;

the information of the user behavior corresponding to the service request comprises at least one of the following information:

information of an operation performed for a display interface of the client;

information of the pressing degree of a touch screen of the terminal equipment corresponding to the client;

the electric quantity change information of the terminal equipment;

information of a closing or triggering operation performed with respect to the advertisement information displayed by the client.

The embodiment of the invention provides a risk identification device based on user behaviors, which comprises: a receiving module and a determining module; wherein,

the receiving module is used for receiving a service request initiated by an object to be identified;

the determining module is used for determining the user behavior information corresponding to the service request according to the service request; and the credibility of the object to be identified is determined according to the information of the user behaviors, the preset weight value of the user credible behaviors, the historical accumulated times of the service request initiated by the object to be identified and the historical weight accumulated value of the user credible behaviors corresponding to the object to be identified, wherein the user credible behaviors comprise the user behaviors used for representing the real operations of the user, and whether the object to be identified has risks is determined according to the credibility of the object to be identified.

In the above scheme, the object to be identified includes a user account;

the receiving module is specifically configured to: receiving a service request initiated by the user account through a client; or,

In the above scheme, the apparatus further comprises: the analysis module is used for analyzing the information of the user account from the service request before the determining module determines the credibility of the object to be identified;

the determining module is further configured to determine, according to the information of the user account and mapping relationships between the information of each pre-stored user account and the historical accumulated times of the initiated service request and the historical weighted accumulated values of the user trusted behaviors, the historical accumulated times of the service request mapped with the information of the user account as the historical accumulated times of the service request initiated by the object to be recognized, and the historical weighted accumulated values of the user trusted behaviors mapped with the information of the user account as the historical weighted accumulated values of the user trusted behaviors corresponding to the object to be recognized.

In the foregoing solution, the determining module is specifically configured to:

In the above scheme, the apparatus further comprises: the updating module is used for updating the historical accumulated times of the service requests initiated by the object to be identified according to the quantity of the service requests received this time after the determining module determines the historical accumulated times of the service requests mapped with the information of the user account as the historical accumulated times of the service requests initiated by the object to be identified and determines the historical weight accumulated value of the user credible behaviors mapped with the information of the user account as the historical weight accumulated value of the user credible behaviors corresponding to the object to be identified;

the determining module is specifically configured to: analyzing the encrypted user behavior information from the service request;

The determining module is specifically configured to: when the credibility of the object to be identified is determined to be smaller than a preset credibility threshold, judging that the object to be identified has a risk;

the determining module is further configured to determine a corresponding risk control strategy according to the reliability of the object to be identified after the object to be identified is judged to have a risk;

the device further comprises: and the control module is used for carrying out risk control on the object to be identified according to the risk control strategy.

An embodiment of the present invention provides a storage medium, on which an executable program is stored, where the executable program, when executed by a processor, implements the steps of any of the risk identification methods based on user behavior described above.

The embodiment of the invention also provides a risk identification device based on user behaviors, which comprises a memory, a processor and an executable program which is stored on the memory and can be run by the processor, wherein the processor executes the steps of any one of the risk identification methods based on the user behaviors when running the executable program.

By adopting at least one technical scheme provided by the embodiment of the invention, because the fact that an attacker who occupies internet resources in the prior art can successfully send a service request is considered, but the real user behavior (namely the credible user behavior) made by the user when sending the service request is difficult to simulate is difficult, the information of the user behavior corresponding to the service request initiated by the object to be identified, the preset weight value of the user credible behavior, the historical weight cumulative value of the user credible behavior corresponding to the object to be identified and the like are introduced to serve as the basis for identifying whether the object to be identified has risks, and therefore whether the object to be identified has risks or not can be effectively identified.

Drawings

Fig. 1 is a schematic flow chart illustrating an implementation of a risk identification method based on user behavior according to an embodiment of the present invention;

fig. 2 is a schematic system architecture diagram of a risk identification method based on user behavior according to an embodiment of the present invention;

fig. 3 is a schematic interaction diagram of a specific implementation of the risk identification method based on user behavior according to the embodiment of the present invention;

fig. 4 is a functional structure diagram of a risk identification apparatus based on user behavior according to an embodiment of the present invention;

fig. 5 is a schematic hardware structure diagram of a risk identification apparatus based on user behavior according to an embodiment of the present invention.

Detailed Description

So that the manner in which the features and aspects of the embodiments of the present invention can be understood in detail, a more particular description of the embodiments of the invention, briefly summarized above, may be had by reference to the embodiments, some of which are illustrated in the appended drawings.

Fig. 1 is a schematic flow chart illustrating an implementation process of a risk identification method based on user behavior according to an embodiment of the present invention, where the method is applied to a server side; as shown in fig. 1, an implementation process of the risk identification method based on user behavior in the embodiment of the present invention includes the following steps:

step 101: and receiving a service request initiated by the object to be identified.

Here, the object to be recognized may include not only the user account, but also the terminal device having the unique identifier and the IP address of the terminal device. The specific object to be identified may be any one or more of a user account, a terminal device, or an IP address, which may be determined according to actual requirements, and is not limited in the embodiments of the present invention.

In this embodiment of the present invention, for the same user account, the receiving a service request initiated by an object to be identified specifically includes: receiving a service request initiated by the user account through a client; or receiving a service request initiated by the user account through a browser. Therefore, the service request is considered from the client side or the browser side, and whether the object to be identified has risk or not can be judged comprehensively, accurately and objectively.

Step 102: and determining the user behavior information corresponding to the service request according to the service request.

Here, the service request includes encrypted user behavior information;

this step 102 specifically includes: analyzing the encrypted user behavior information from the service request;

Preferably, the encrypted user behavior information may be user behavior information encrypted by a pre-stored key in a key database. Therefore, the safety of the information of the user behavior can be effectively ensured.

Here, taking the object to be identified as the user account as an example, when the service request is initiated by the user account through the browser, the information of the user behavior of the user account on the Web/Wap platform is mainly collected by a collection script such as a JS script running on the user terminal. The user behavior may include, but is not limited to, user behavior of changing browser size, mouse swipe, page scroll, mouse click, and so forth.

In the embodiment of the invention, the user account is operated on the Web/Wap platform displayed by the personal terminal equipment, and at least one user behavior of operations such as 'mouse click', 'mouse slide', 'window size change' and the like representing the user account is generated. For example, if a user account wants to register a new user on a Web page, the user account needs to perform a series of operations, such as "click a new user name input box with a mouse", "click a password input box with a mouse", "slide a mouse to move a cursor to a proper position", and "click a determination button with a mouse", to complete the new user registration process. The information representing the series of operations and the user behavior at the time of occurrence of the operations may be collected by a collection script such as a JS script running on the personal terminal device. In addition, the JS script can also collect attribute information of the Web page, such as browser version, operating system version, encoding format, browser language, and the like.

The JS script is an executable file written according to a certain format using a specific descriptive language, and can be temporarily called and executed by an application program. The JS script is launched with the browser launch, however, once the JS script is launched, it begins recording information characterizing the user's behavior. If the JS script detects that the user initiates a service request to a specified server, such as a server corresponding to an applied official webpage, the information of all user behaviors recorded currently can be sent to the server, then the locally stored information of the user behaviors is cleared, and the information of the user behaviors is recorded again, and the steps are repeated in a circulating way.

Here, after the JS script collects the information about the user behavior, the information about the user behavior may be subjected to character string combination, and the combined information about the user behavior may be encrypted according to a key pre-stored in the key database. Of course, the JS script may directly transmit the collected information on the user behavior to the server without encrypting the information on the user behavior. In addition, in order to enable the server to know which user account or user accounts, terminal equipment or data corresponding to the IP addresses the user behavior information belongs to, the JS script of the Web/Wap platform can also acquire the information of the user accounts, the identification information of the terminal equipment and the IP address information of the terminal equipment and send the information to the server; meanwhile, the JS script of the Web/Wap platform also sends data representing the type of the service request triggered by the user behavior to the server.

Here, still taking the object to be identified as the user account as an example, when the service request is initiated by the user account through the client, the information of the user behavior of the user account at the terminal device is mainly collected through a Software Development Kit (SDK), where the information of the user behavior may include a type of the user behavior or a time when the user behavior is generated; the terminal device may include, but is not limited to, an electronic device such as a smart phone, a tablet computer, a palm computer, etc.

Wherein the SDK is started with the start of an application, such as a reading-class application, however, once the SDK is started, recording of information characterizing the user's behavior is started. If the SDK detects that the user initiates a service request to a specified server, such as a server corresponding to an applied official webpage, the SDK can send the information of all user behaviors recorded currently to the server, then clear the information of the user behaviors stored locally, and restart to record the information of the user behaviors, and the steps are repeated in a circulating way.

Similar to the processing of the service request initiated by the browser, after the SDK collects the information of the user behavior, the SDK may also perform string combination on the information of the user behavior, and perform encryption processing on the combined information of the user behavior according to a key pre-stored in the key database. Of course, the SDK may also directly send the collected information of the user behavior to the server without encrypting the information of the user behavior. In addition, in order to enable the server to know which user account or user accounts, terminal equipment or data corresponding to the IP address the user behavior information belongs to, the SDK can also acquire the information of the user accounts, the identification information of the terminal equipment and the IP address information of the terminal equipment and send the information to the server; meanwhile, the SDK also sends data representing the type of the service request triggered by the user behavior to the server.

Here, the service request initiated by the object to be identified includes: the object to be identified sends a service request through a client;

information of an operation performed for a display interface of the client;

the electric quantity change information of the terminal equipment;

Here, the information of the operation performed on the display interface of the client is operation information performed on a screen of a terminal device where the client is located, such as a slide. In practical application, in order to compete for user resources, some malicious attackers may use the simulator to simulate a user terminal such as a mobile phone to perform a large amount of traffic refreshing behaviors, for example, a comment in a reading application is approved by an SDK, however, the electric quantity of the mobile phone simulated by the simulator does not change in the process, and the electric quantity is always kept in a full state. Here, the trigger operation performed on the advertisement information displayed by the client may be, for example, an operation of loading the advertisement information by scrolling through a scroll bar, so that the advertisement is called after the loading is completed.

The information of the user behavior corresponding to the service request can be recorded in a system log of the server, that is, corresponding system log data is generated according to the received information of the user behavior.

Step 103: and determining the credibility of the object to be identified according to the information of the user behaviors, the preset weight value of the user credible behaviors, the historical accumulated times of the service request initiated by the object to be identified and the historical weight accumulated value of the user credible behaviors corresponding to the object to be identified, wherein the user credible behaviors comprise user behaviors used for representing the real operations of the user.

In this embodiment of the present invention, before executing this step 103, the method further includes:

analyzing the information of the user account from the service request;

Here, the information of the user account may include not only a login account of the user, but also a type of a user behavior corresponding to the user account, where, for the data of the user behavior uploaded by the JS script, the type of the user behavior may be a mouse click, a browser size change, a mouse slide, and the like; for the data of the user behavior uploaded by the SDK, the type of the user behavior may be screen sliding, page turning on the interface, pressing force degree on the interface, closing an advertisement, and the like. In addition, the information of the user account may further include a time range of occurrence of the user behavior, such as 12 pm to 1 pm, or a time of occurrence of the user behavior, and an action interval of the user behavior, such as 1 action behavior occurring every 1 s.

Here, after the determining the historical accumulated number of service requests mapped to the information of the user account as the historical accumulated number of service requests initiated by the object to be recognized, and determining the historical weighted accumulated value of the user trusted behavior mapped to the information of the user account as the historical weighted accumulated value of the user trusted behavior corresponding to the object to be recognized, the method further includes:

In the embodiment of the present invention, step 103 specifically includes: determining a weight value corresponding to the user behavior according to the information of the user behavior and a preset weight value of the user credible behavior;

Here, the following formula may be employed to represent the degree of reliability of the object to be recognized:

credibility is the current weight accumulation value of user credibility behavior/current accumulation times of service request

Wherein the degree of reliability is inversely related to the degree of the possibility that the object to be identified has the risk; that is, the greater the confidence value, the less the likelihood that the object to be identified is at risk, i.e., the less the risk that the object to be identified is at risk; conversely, the smaller the confidence value, the greater the probability that the object to be identified is at risk, i.e., the greater the risk that the object to be identified is at risk. It should be noted that the service request in the above formula is not limited to a service request initiated by a client or a service request initiated by a browser. For example, for a certain user account, the user may log in a web page to send a service request, or log in a client to send a service request, that is, the reliability of the user account may be calculated by using the reliability calculation formula.

Here, the preset weight value of the user trusted behavior may be stored in a rule table, as shown in table 1, table 1 gives a weight rule table of the trusted behavior of a single service request, and by referring to table 1, the weight value of the trusted behavior corresponding to the information of the user behavior derived from the JS script or the SDK may be obtained. It should be noted that the general setting principle of the weight values in table 1 is: the more the behavior of the real operation of the user can be reflected, the larger the weight value is set, and otherwise, the smaller the weight value is set. Table 1 only gives the weight values corresponding to some trusted behaviors, and there may be weight values corresponding to other trusted behaviors according to the actual situation. Of course, for different applications, the contents of the trusted behavior weight rule table corresponding to a single service request are different, and are not described in detail here.

TABLE 1

For example, if a service request initiated by a certain user account at this time is a 5 th service request, determining a weight value of the user behavior at this time according to information of the user behavior corresponding to the service request and a preset weight value of the user trusted behavior, determining the weight value of the user behavior at this time and a saved weight value of a historical weight cumulative value of the user trusted behavior corresponding to the user account as a current weight cumulative value of the user trusted behavior corresponding to the initiated service request, where a reliability of an object to be recognized (for convenience of description, it is assumed that the reliability of the object to be recognized is X5) is equal to the current weight cumulative value/5 of the user trusted behavior corresponding to the initiated service request. For convenience of description, the numerator may be denoted as Q5 and the denominator as S5, such that X5 is Q5/S5. The server may determine which user account or user accounts the service request is initiated by according to the information of the user accounts analyzed from the service request.

The reliability of the object to be identified is calculated by adopting the formula, and the wind control strategy judgment can be carried out by comprehensively considering the user behaviors of the user at the client or the browser respectively, so that whether the risk exists in the object to be identified can be judged comprehensively, accurately and objectively. If the service request initiated by a certain user account this time is a 6 th service request, the reliability of the object to be identified (for convenience of description, it is assumed that the reliability of the object to be identified is X6) ═ current weight cumulative value/6 of the user trusted behavior corresponding to the initiated service request (Q5+ weight value of the user behavior corresponding to the 6 th service request)/(S5 +1), where Q5 is the historical weight cumulative value of the user trusted behavior corresponding to the user account, and S5 is the historical cumulative number of times of the service request initiated by the user account. It can be predicted that if the weight value of the user behavior corresponding to the 6 th service request is 0, X5> X6 is inevitably caused, and thus it is known that the credibility of the object to be identified is reduced.

Similarly, if the service request is a 100 th service request initiated by a certain terminal device with a unique identifier, the reliability of the terminal device is equal to the current weight cumulative value/100 of the user credible behavior corresponding to the initiated service request; if the service request is a 1000 th service request initiated by an IP address of a certain terminal device, the reliability of the IP address is the current weight accumulated value/1000 of the user credible behavior corresponding to the initiated service request. The server may determine, according to the identifier information or the IP address information of the terminal device analyzed from the service request, which terminal device or IP address the information of the user behavior corresponding to the service request originates from.

A specific example is given below to illustrate how to calculate the weight cumulative value of the user's trusted behavior. For example, when a normal user initiates a single service request to perform a login behavior, at least two screen sliding operations are performed, such as opening a screen, pulling down the screen, and four mouse click operations, such as opening, inputting a user name, inputting a password, and clicking a login button, and it can be known from the lookup table 1 that a weight value corresponding to one screen sliding operation is +2, and when the mouse click number e [4, 10], the corresponding weight value is +2, so that the weight cumulative value of the user credible behavior corresponding to the service request initiated this time is 2 × 2+2 — 6, and the reliability is 6/1 if the number is 1.

It should be noted that, a normal user may have a small weight value corresponding to a few operation behaviors, but the number of user behaviors performed on a page by the normal user is far greater than the number of times of initiating a service request, and a user may generate a few normal behaviors by a user with a brush amount, but as the number of service requests is larger and larger, the reliability becomes smaller and smaller because the weight value corresponding to the user behavior is fixed.

Step 104: and determining whether the object to be identified has risks or not according to the credibility of the object to be identified.

In the embodiment of the present invention, this step 104 specifically includes: and when the credibility of the object to be identified is determined to be smaller than a preset credibility threshold, judging that the object to be identified has a risk.

Here, the method further includes: after the object to be identified is judged to have risks, determining a corresponding risk control strategy according to the credibility of the object to be identified, and performing risk control on the object to be identified according to the risk control strategy.

Wherein, the determining a corresponding risk control strategy according to the credibility of the object to be identified comprises:

Here, the correspondence between the predetermined confidence level range and the risk control policy may be saved in a storage table, and table 2 gives the correspondence between the confidence level range and the risk control policy, as shown in table 2:

confidence range	Risk control strategy
		[0，1)	Forbidding access
[1，3]	Performing voice secondary verification
		[4，6]	Performing short message secondary verification
[7，12]	Performing secondary verification of picture

TABLE 2

It should be noted that table 2 only shows an exemplary correspondence between the confidence level range and the risk control policy, and there may be other risk control policies and correspondences between the confidence level range and the risk control policy according to actual situations.

The following describes in detail a specific implementation process of the risk identification method based on user behavior according to the embodiment of the present invention, taking an object to be identified as a user account as an example.

Fig. 2 is a schematic diagram of a system architecture for implementing the risk identification method based on user behaviors according to the embodiment of the present invention, and as shown in fig. 2, the service request is a service request initiated by an SDK of a client or a service request initiated by a JS on a user terminal, and both of the service requests send the initiated service requests to a service platform, where the service request carries information of a user behavior corresponding to the service request; the service platform synchronizes the information of the user behavior to the wind control system, the wind control system analyzes the user behavior in real time according to the received information of the user behavior, and returns the analysis result to the service platform through the interface, and then the service platform determines which risk control strategy is adopted for the user account according to the analysis result.

Based on the system architecture shown in fig. 2, fig. 3 is a schematic diagram showing a specific implementation interaction of the risk identification method based on user behavior according to the embodiment of the present invention, and as shown in fig. 3, the method includes the following steps:

step 301: the user account operates the JS on the user terminal;

step 302: the JS collects the information of the user behavior of the user account on the Web/Wap platform;

here, the information of the user behavior of the user account on the Web/Wap platform may include, but is not limited to, information of changing a browser size, mouse sliding, page scrolling, mouse clicking, and the like of the user behavior. The user account operates on a Web/Wap platform displayed by personal terminal equipment, and at least one user behavior of operations such as 'mouse click', 'mouse sliding', 'window size change' and the like representing the user account is generated; that is, information of user behavior is collected by a JS script running on the Web/Wap platform.

Step 303: the JS encrypts the collected information of the user behavior;

here, the JS may encrypt the information of the user behavior according to a key pre-stored in the key database.

Step 304: the JS carries the encrypted user behavior information in a service request and initiates the service request to a service platform;

step 305: the user account operates the SDK of the client;

step 306: the SDK acquires the user behavior information of the user account at the mobile terminal;

here, the information about the user behavior of the user account at the mobile terminal may include at least one of the following information:

information of an operation performed for a display interface of the client;

the electric quantity change information of the terminal equipment;

The information of the operation executed aiming at the display interface of the client is operation information executed on a screen of a terminal device where the client is located, such as sliding and the like; the trigger operation executed for the advertisement information displayed by the client may be, for example, an operation of loading the advertisement information by scrolling through a scroll bar, so as to call the advertisement after the loading is completed.

Step 307: the SDK encrypts the collected user behavior information;

similarly, the SDK may encrypt the information about the user behavior according to a key pre-stored in the key database.

Step 308: the SDK carries the encrypted user behavior information in a service request and initiates the service request to a service platform;

it should be noted that, for the same user account, the service request may be initiated to the service platform through steps 301 to 304, or the service request may be initiated to the service platform through steps 305 to 308, which are used alternatively, and the embodiment of the present invention is not limited herein.

Step 309: the service platform receives a service request initiated by an SDK (software development kit) of a client or a JS (JavaScript) initiated by a user terminal, and generates log data from the information of user behavior;

here, the information of the user behavior is generated into log data and recorded into a system log of the service platform, so that the information of the user behavior is synchronized to the wind control system.

Step 310: the service platform synchronizes the log data to the wind control system;

step 311: the wind control system decrypts the log data, analyzes the decrypted log data, calculates the credibility of the log data to determine whether the user account has risks and determines a corresponding risk control strategy;

here, the information of the user account may be analyzed from the service request, and the historical accumulated number of the service request mapped with the information of the user account may be determined as the historical accumulated number of the service request initiated by the user account and the historical weighted accumulated value of the user trusted behavior mapped with the information of the user account may be determined as the historical weighted accumulated value of the user trusted behavior corresponding to the user account according to the information of the user account and the mapping relationship between the information of each user account and the historical accumulated number of the initiated service request and the historical weighted accumulated value of the user trusted behavior respectively stored in advance. Thus, according to the weight value of the user credible behavior and the information of the user behavior preset in the table 1, the weight value corresponding to the user behavior is determined, and according to the weight value corresponding to the user behavior and the historical weight accumulated value of the user credible behavior corresponding to the user account, the current weight accumulated value is determined; and determining the ratio of the current weight accumulated value to the accumulated times of the service request initiated by the user account as the credibility of the user account. For specific examples, reference may be made to the description of the foregoing embodiments, which are not repeated herein.

Here, when the calculated reliability is smaller than the preset reliability threshold, it may be determined that the user account has a risk, and according to the calculated reliability, which range the reliability belongs to is queried from table 2, so as to match a corresponding risk control policy. For example, if the calculated reliability is 2, it can be known from table 2 that the risk control policy corresponding to the reliability range [1, 3] is a control policy for performing voice secondary authentication, and then the control policy for performing voice secondary authentication on the user account is executed.

Step 312: the wind control system returns the analysis result to the service platform through the interface;

step 313: if the service request is initiated by the SDK of the client, the service platform returns the analysis result to the SDK;

step 314: the SDK returns the analysis result to the user account;

if the user account is judged to have no risk, returning normal business data to the user; and if the user account is judged to have risks, prompting the user to execute a corresponding risk control strategy according to the risk identification.

Step 315: if the service request is initiated by JS on the user terminal, the service platform returns an analysis result to the JS;

step 316: and the JS returns the analysis result to the user account.

In order to realize the risk identification method based on the user behavior, the embodiment of the invention also provides a risk identification device based on the user behavior, and the device is applied to the server side; as shown in fig. 4, the apparatus includes a receiving module 401 and a determining module 402; wherein,

the receiving module 401 is configured to receive a service request initiated by an object to be identified;

the determining module 402 is configured to determine, according to the service request, information of a user behavior corresponding to the service request;

the determining module 402 is further configured to determine the credibility of the object to be recognized according to the information of the user behavior, a preset weight value of the user credible behavior, a historical accumulated number of times of the service request initiated by the object to be recognized, and a historical weighted accumulated value of the user credible behavior corresponding to the object to be recognized, where the user credible behavior includes a user behavior used for representing a real operation of a user;

the determining module 402 is further configured to determine whether the object to be identified has a risk according to the reliability of the object to be identified.

Wherein the object to be identified comprises a user account;

the receiving module 401 is specifically configured to: receiving a service request initiated by the user account through a client; or,

It should be noted that the object to be identified herein may include not only a user account, but also a terminal device with a unique identifier and an IP address of the terminal device. The specific object to be identified may be any one or more of a user account, a terminal device, or an IP address, which may be determined according to actual requirements, and is not limited in the embodiments of the present invention.

Here, the apparatus further includes: the analyzing module 403 is configured to analyze the information of the user account from the service request before the determining module 402 determines the credibility of the object to be identified;

the determining module 402 is further configured to determine, according to the information of the user account and mapping relationships between the information of each pre-stored user account and the historical accumulated times of the initiated service request and the historical weighted accumulated values of the user trusted behaviors, the historical accumulated times of the service request mapped with the information of the user account as the historical accumulated times of the service request initiated by the object to be recognized, and the historical weighted accumulated values of the user trusted behaviors mapped with the information of the user account as the historical weighted accumulated values of the user trusted behaviors corresponding to the object to be recognized.

The determining module 402 is specifically configured to: determining a weight value corresponding to the user behavior according to the information of the user behavior and a preset weight value of the user credible behavior;

Here, the apparatus further includes: an updating module 404, configured to update the historical accumulated times of the service requests initiated by the object to be identified according to the number of the service requests received this time after the determining module 402 determines the historical accumulated times of the service requests mapped with the information of the user account as the historical accumulated times of the service requests initiated by the object to be identified, and determines the historical weighted accumulated value of the user trusted behavior mapped with the information of the user account as the historical weighted accumulated value of the user trusted behavior corresponding to the object to be identified;

Here, the service request includes encrypted user behavior information;

the determining module 402 is specifically configured to: analyzing the encrypted user behavior information from the service request;

Preferably, the encrypted user behavior information may be user behavior information encrypted by a pre-stored key in a key database.

Here, the magnitude of the degree of reliability is inversely related to the magnitude of the possibility that the object to be identified is at risk; then

The determining module 402 is specifically configured to: when the credibility of the object to be identified is determined to be smaller than a preset credibility threshold, judging that the object to be identified has a risk;

the determining module 402 is further configured to determine, after the determination that the object to be identified has a risk, a corresponding risk control policy according to the reliability of the object to be identified;

the device further comprises: and the control module 405 is configured to perform risk control on the object to be identified according to the risk control policy.

The determining module 402 is specifically configured to:

information of an operation performed for a display interface of the client;

the electric quantity change information of the terminal equipment;

In practical applications, the receiving module 401, the determining module 402, the analyzing module 403, the updating module 404 and the control module 405 may be implemented by a Central Processing Unit (CPU), a MicroProcessor Unit (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or the like.

It should be noted that: in the risk identification device based on user behavior provided in the above embodiment, when performing risk identification on an object to be identified, only the division of each program module is illustrated, and in practical applications, the processing may be allocated to be completed by different program modules according to needs, that is, the internal structure of the device is divided into different program modules, so as to complete all or part of the processing described above. In addition, the risk identification device based on the user behavior provided by the above embodiment and the risk identification method based on the user behavior belong to the same concept, and the specific implementation process is detailed in the method embodiment and is not described herein again.

In order to implement the risk identification method based on user behaviors, an embodiment of the present invention further provides a risk identification device based on user behaviors, where the risk identification device based on user behaviors includes a memory, a processor, and an executable program stored in the memory and capable of being executed by the processor, and when the processor executes the executable program, the risk identification method based on user behaviors provided by the embodiment of the present invention is executed, for example, the risk identification method based on user behaviors shown in fig. 1 or fig. 3.

A user behavior based risk identification apparatus, which may be implemented in the form of a server such as a cloud server, implementing an embodiment of the present invention will now be described with reference to the accompanying drawings. In the following, the hardware structure of the risk identification device based on user behavior according to the embodiment of the present invention is further described, it is to be understood that fig. 5 only shows an exemplary structure of the risk identification device based on user behavior, and not a whole structure, and a part of or the whole structure shown in fig. 5 may be implemented as needed.

Referring to fig. 5, fig. 5 is a schematic diagram of a hardware structure of a risk identification apparatus based on user behavior according to an embodiment of the present invention, which may be applied to the aforementioned server running an application program in practical application, and the risk identification apparatus 500 based on user behavior shown in fig. 5 includes: at least one processor 501, memory 502, a user interface 503, and at least one network interface 504. The various components of the user behavior based risk identification apparatus 500 are coupled together by a bus system 505. It will be appreciated that the bus system 505 is used to enable communications among the components of the connection. The bus system 505 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 505 in FIG. 5.

The user interface 503 may include a display, a keyboard, a mouse, a trackball, a click wheel, a key, a button, a touch pad, a touch screen, or the like, among others.

It will be appreciated that the memory 502 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory.

The memory 502 in the embodiment of the present invention is used to store various types of data to support the operation of the risk identification means 500 based on user behavior. Examples of such data include: any computer program for operating on the user behavior based risk identification apparatus 500, such as an executable program 5021 and an operating system 5022, may be included in the executable program 5021 to implement the user behavior based risk identification method according to the embodiment of the present invention.

The risk identification method based on the user behavior disclosed by the embodiment of the invention can be applied to the processor 501, or can be realized by the processor 501. The processor 501 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the risk identification method based on user behavior may be implemented by integrated logic circuits of hardware in the processor 501 or instructions in the form of software. The processor 501 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. Processor 501 may implement or perform the methods, steps, and logic blocks provided in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the risk identification method based on the user behavior provided by the embodiment of the invention can be directly embodied as the execution of a hardware decoding processor, or the combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 502, and the processor 501 reads the information in the memory 502, and completes the steps of the risk identification method based on user behavior provided by the embodiment of the present invention in combination with hardware thereof.

In an exemplary embodiment, an embodiment of the present invention further provides a storage medium, on which an executable program 5021 is stored, and when the executable program 5021 is executed by a processor 501 in a risk identification device 500 based on user behaviors, the risk identification method based on user behaviors provided by the embodiment of the present invention is implemented, for example, the risk identification method based on user behaviors shown in fig. 1 or fig. 3. The storage medium provided by the embodiment of the invention can be a storage medium such as an optical disk, a flash memory or a magnetic disk, and can be selected as a non-instantaneous storage medium.

In summary, with the at least one technical solution provided in the embodiments of the present invention, it is considered that although an attacker who seizes internet resources in the prior art can successfully send a service request, it is difficult to simulate a real user behavior (i.e., a trusted user behavior) that a user does when sending the service request, so that information of the user behavior corresponding to the service request initiated by an object to be identified, a preset weight value of the user trusted behavior, a historical weight cumulative value of the user trusted behavior corresponding to the object to be identified, and the like are introduced as a basis for identifying whether the object to be identified has a risk, and thus whether the object to be identified has a risk can be effectively identified.

As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or executable program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of an executable program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.

The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and executable program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by executable program instructions. These executable program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor with reference to a programmable data processing apparatus to produce a machine, such that the instructions, which execute via the computer or processor with reference to the programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These executable program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These executable program instructions may also be loaded onto a computer or reference programmable data processing apparatus to cause a series of operational steps to be performed on the computer or reference programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or reference programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

The above description is only exemplary of the present invention and should not be taken as limiting the scope of the present invention, and any modifications, equivalents, improvements, etc. that are within the spirit and principle of the present invention should be included in the present invention.

Claims

1. A risk identification method based on user behavior is characterized by comprising the following steps:

receiving a service request initiated by an object to be identified;

2. The user behavior-based risk identification method according to claim 1, wherein the object to be identified comprises a user account;

receiving a service request initiated by the user account through a client; or,

3. The user behavior-based risk identification method according to claim 2, wherein before the determining the trustworthiness of the object to be identified, the method further comprises:

analyzing the information of the user account from the service request;

4. The user behavior-based risk identification method according to claim 3, wherein the determining the reliability of the object to be identified according to the information of the user behavior, a preset weight value of a user credible behavior, a historical accumulated number of service requests initiated by the object to be identified, and a historical weight accumulated value of a user credible behavior corresponding to the object to be identified comprises:

5. The user behavior-based risk identification method according to claim 3, wherein after determining the historical accumulated number of service requests mapped to the information of the user account as the historical accumulated number of service requests initiated by the object to be identified, and determining the historical weighted accumulated value of the user trusted behavior mapped to the information of the user account as the historical weighted accumulated value of the user trusted behavior corresponding to the object to be identified, the method further comprises:

6. The method according to claim 1, wherein the service request includes encrypted user behavior information;

analyzing the encrypted user behavior information from the service request;

7. The user behavior-based risk identification method according to claim 1, wherein the degree of reliability is inversely related to the degree of the risk of the object to be identified; then

the method further comprises the following steps:

8. The risk identification method based on user behavior according to claim 7, wherein the determining a corresponding risk control policy according to the credibility of the object to be identified comprises:

9. The risk identification method based on user behavior according to claim 1, wherein the service request initiated by the object to be identified comprises: the object to be identified sends a service request through a client;

information of an operation performed for a display interface of the client;

the electric quantity change information of the terminal equipment;

10. A risk identification apparatus based on user behavior, the apparatus comprising: a receiving module and a determining module; wherein,

11. The user behavior-based risk identification apparatus according to claim 10, wherein the object to be identified comprises a user account;

12. The apparatus for risk identification based on user behavior of claim 11, further comprising: the analysis module is used for analyzing the information of the user account from the service request before the determining module determines the credibility of the object to be identified;

13. The user behavior-based risk identification apparatus according to claim 12, wherein the determination module is specifically configured to:

14. The apparatus for risk identification based on user behavior of claim 12, further comprising: the updating module is used for updating the historical accumulated times of the service requests initiated by the object to be identified according to the quantity of the service requests received this time after the determining module determines the historical accumulated times of the service requests mapped with the information of the user account as the historical accumulated times of the service requests initiated by the object to be identified and determines the historical weight accumulated value of the user credible behaviors mapped with the information of the user account as the historical weight accumulated value of the user credible behaviors corresponding to the object to be identified;

15. The apparatus according to claim 10, wherein the service request includes encrypted information of the user behavior;

16. The user behavior-based risk identification apparatus according to claim 10, wherein the degree of reliability is inversely related to the degree of the possibility that the object to be identified is at risk; then

17. The user-behavior-based risk identification apparatus according to claim 16, wherein the determination module is specifically configured to:

18. The risk identification device based on user behavior according to claim 10, wherein the service request initiated by the object to be identified comprises: the object to be identified sends a service request through a client;

information of an operation performed for a display interface of the client;

the electric quantity change information of the terminal equipment;

19. A storage medium having stored thereon an executable program, wherein the executable program, when executed by a processor, performs the steps of the method for risk identification based on user behavior according to any of claims 1 to 9.

20. A risk identification device based on user behavior, comprising a memory, a processor and an executable program stored on the memory and capable of being executed by the processor, wherein the processor executes the executable program to perform the steps of the risk identification method based on user behavior according to any one of claims 1 to 9.