Abnormal login identification method and system, storage medium and electronic equipment

Abstract

The invention provides an abnormal login identification method and system, a storage medium and electronic equipment. The method includes the following steps: receiving and extracting characteristic attributes carried in a real-time login request; judging whether an account of the real-time login request tries to log in to multiple third-party websites within a preset time and fails more than a preset number of times, and if yes, identifying the login as an abnormal login; traversing a blacklist library according to the extracted characteristic attributes, and assigning a first risk value based on a traversal result; assigning a second risk value according to the matching degree between an IP address of the real-time login request and a common IP attribution of a UID of the real-time loginrequest; comparing the number of login failures and the number of preset times of each characteristic attribute within the preset time, and assigning a third risk value according to a comparison result; and performing weighted calculation on the first, second and third risk values to obtain a risk reference value of the real-time login request, and identifying the login as the abnormal login whenthe risk reference value exceeds a risk threshold. According to the scheme of the invention, by combining the external anti-scanning identification and the internal multidimensional identification, abnormal login behaviors can be intercepted to a maximum extent.

Description

technical field [0001] The invention relates to the technical field of the Internet, in particular to an identification method, system, storage medium and electronic equipment for abnormal login. Background technique [0002] With the continuous development of the Internet industry, black attack incidents continue to occur. Crash library (or called account scanning) is a hacker who collects leaked user and password information on the Internet, generates corresponding dictionary tables, and tries to log in to other websites in batches. A list of users who can log in. Many users use the same account password on different websites, so hackers can try to log in to other websites such as B, C, and D by obtaining the user's account on A website, which can be understood as a credential stuffing attack. [0003] At present, the general defense methods against credentialing behaviors, including limiting the number of IP logins, verification code defense, etc., are all "passive" defe...

AI Technical Summary

Problems solved by technology

[0003] At present, the general defense methods against credentialing behaviors, including limiting the number of IP logins, verification code defense, etc., are all "passive" defenses, that is, waiting for the credentialing and scanning behavior to attack this website before defending, which is not effective enough , and will affect a large number of customers who use this website normally, and bring inconvenience to normal users logging in to the website

[0004] At the same time, single-dimensional defense rules are easily bypassed by attackers, which cannot achieve the purpose of defense. After being cracked, the consumption of manual intervention is relatively high.

Images