Anomaly detection method, device and computer readable medium

An anomaly detection technology, applied in the computer field, that addresses the problems of few detectable attack modes, difficulty in ensuring detection accuracy for any account, and low accuracy.

Active Publication Date: 2021-11-30
HUAWEI TECH CO LTD

AI Technical Summary

Problems solved by technology

In practical applications, a preset login threshold and success rate threshold can hardly guarantee high detection accuracy for any account.
[0004] However, this method can only detect credential stuffing attacks, so few attack modes can be detected and the accuracy is low.

Examples

Embodiment 1

[0101] An embodiment of the present invention provides a method for detecting common credential stuffing, which may include the following steps:

[0102] Step 1. Determine the first number of account logins, the first success rate of account logins, and the first number of account logins by the first IP within a first time period.

[0103] The login log to be detected includes a login log of the first account and a login log of the first IP. The aforementioned first time period may be 10 minutes, 20 minutes, 30 minutes and so on.

[0104] Step 2. When the first number is greater than a first threshold or the first number is greater than a second threshold, and the first success rate is less than a third threshold, determine that a credential stuffing attack has occurred on the first IP.

[0105] The above first threshold may be N1 times the average login times of the first IP included in the above login parameters, and N1 may be 1.1, 1.2, 1.3 and so on. The average login time...

Embodiment 2

[0110] An embodiment of the present invention provides a method for detecting covert credential stuffing, which may include the following steps:

[0111] Step 1. Determine the second number of account logins and the second success rate of account login by the second IP within a second time period.

[0112] The login log to be detected includes a login log of the second account and a login log of the second IP. The aforementioned second time period may be 12 hours, 24 hours, 48 hours and so on.

[0113] Step 2. When the second number of times is greater than the fourth threshold and less than the fifth threshold, and the second success rate is less than the sixth threshold, determine that a credential stuffing attack has occurred on the second IP.

[0114] The above fourth threshold may be N4 times the average login times of the second IP contained in the above login parameters, and N4 may be 1.0, 1.1, 1.2, 1.3 and so on. The second average login times of the IP refers to t...
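The two IP-based rules of Embodiments 1 and 2, as an added Python example that is not code from the patent. It assumes the two "first number" quantities are login attempts and distinct accounts per source IP, that the reference averages in `REF` were already derived from the reference accounts, and that the second, third, fifth and sixth thresholds take the forms shown; all names and sample events are constructed.

```python
from collections import defaultdict

def ip_stats(events, start, end):
    """Per-IP attempts, distinct accounts and success rate for start <= ts < end."""
    raw = defaultdict(lambda: [0, 0, set()])   # attempts, successes, accounts
    for ts, ip, account, ok in events:
        if start <= ts < end:
            raw[ip][0] += 1
            raw[ip][1] += int(ok)
            raw[ip][2].add(account)
    return {ip: {"attempts": a, "accounts": len(acc), "rate": s / a}
            for ip, (a, s, acc) in raw.items()}

def common_stuffing(st, ref, n1=1.2, n2=1.2, t3=0.2):
    """Embodiment 1: (attempts > T1 or accounts > T2) and success rate < T3."""
    t1 = n1 * ref["avg_logins_per_ip_short"]     # first threshold: N1 x reference average
    t2 = n2 * ref["avg_accounts_per_ip_short"]   # second threshold: assumed form
    return (st["attempts"] > t1 or st["accounts"] > t2) and st["rate"] < t3

def covert_stuffing(st, ref, n4=1.1, n5=20.0, t6=0.2):
    """Embodiment 2: T4 < attempts < T5 and success rate < T6."""
    t4 = n4 * ref["avg_logins_per_ip_long"]      # fourth threshold: N4 x reference average
    t5 = n5 * ref["avg_logins_per_ip_long"]      # fifth threshold: assumed form
    return t4 < st["attempts"] < t5 and st["rate"] < t6

def detect(events, now, ref, short_s=600, long_s=86400):
    """Map each flagged source IP to 'common' or 'covert'; 'common' wins if both match."""
    hits = {ip: "covert" for ip, st in ip_stats(events, now - long_s, now).items()
            if covert_stuffing(st, ref)}
    hits.update({ip: "common" for ip, st in ip_stats(events, now - short_s, now).items()
                 if common_stuffing(st, ref)})
    return hits

# Constructed sample data: (epoch_seconds, source_ip, account, success).
NOW = 1_700_000_000
REF = {"avg_logins_per_ip_short": 2.0, "avg_accounts_per_ip_short": 1.0,
       "avg_logins_per_ip_long": 5.0}   # assumed output of the reference-account step
EVENTS = (
    # burst: 120 accounts tried from one IP in the last 10 minutes, one success
    [(NOW - 600 + 5 * i, "198.51.100.7", f"user{i}", i == 0) for i in range(120)]
    # low and slow: one attempt every 30 minutes for 24 hours, no success
    + [(NOW - 86400 + 1800 * i, "203.0.113.9", f"acct{i}", False) for i in range(48)]
    # ordinary user: three successful logins to one account
    + [(NOW - d, "192.0.2.10", "alice", True) for d in (300, 4000, 50000)]
)

if __name__ == "__main__":
    print(detect(EVENTS, NOW, REF))
```

The slow source never appears in the 10-minute window, which is why the 24-hour rule with its upper bound is needed to catch it.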

Embodiment 3

[0119] The embodiment of the present invention provides a method for detecting brute force cracking. If any of the following conditions are detected, it is determined that the account has been cracked by brute force. The specific conditions included are as follows:

[0120] (1) The number of login IPs of the third account within the third time period is greater than the seventh threshold.

[0121] (2) The number of login times of the above-mentioned third account within the fourth time period is greater than or equal to the eighth threshold.

[0122] (3) The average login interval over N logins of the above-mentioned third account is less than or equal to the ninth threshold.

[0123] The login log to be detected includes a login log of the third account. The aforementioned third time period may be 10 minutes, 20 minutes, 30 minutes and so on. The login IP of the third account in the third time period refers to the IP that has logged in the third account in the t...
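The three per-account conditions of Embodiment 3, as an added Python example that is not code from the patent. The threshold values, the reading of condition (3) as "any run of N consecutive logins", the function names and the sample events are all assumptions made for illustration.

```python
def brute_force_reasons(events, account, now, p3=600, t7=5, p4=600, t8=30, n=10, t9=2.0):
    """Return the Embodiment 3 conditions that `account` meets at time `now`."""
    mine = sorted((ts, ip) for ts, ip, acct, _ok in events if acct == account and ts <= now)
    times = [ts for ts, _ip in mine]
    reasons = []
    # (1) distinct source IPs within the third time period exceed the seventh threshold
    if len({ip for ts, ip in mine if ts >= now - p3}) > t7:
        reasons.append("many_ips")
    # (2) logins within the fourth time period reach the eighth threshold
    if sum(ts >= now - p4 for ts in times) >= t8:
        reasons.append("many_logins")
    # (3) some run of N consecutive logins has a mean gap at or below the ninth
    #     threshold; an account with fewer than N logins cannot meet it
    if any((times[i + n - 1] - times[i]) / (n - 1) <= t9
           for i in range(len(times) - n + 1)):
        reasons.append("short_interval")
    return reasons

def scan(events, now, **thresholds):
    """Map every account with at least one matched condition to its reasons."""
    accounts = sorted({acct for _ts, _ip, acct, _ok in events})
    found = {a: brute_force_reasons(events, a, now, **thresholds) for a in accounts}
    return {a: r for a, r in found.items() if r}

# Constructed sample data: (epoch_seconds, source_ip, account, success).
NOW = 1_700_000_000
EVENTS = (
    # bob: 8 attempts from 8 different IPs, one per minute
    [(NOW - 60 * (i + 1), f"203.0.113.{i + 1}", "bob", False) for i in range(8)]
    # carol: 12 attempts from one IP, one second apart
    + [(NOW - 12 + i, "198.51.100.7", "carol", False) for i in range(12)]
    # dave: 30 attempts from two IPs, 15 seconds apart
    + [(NOW - 15 * (i + 1), f"198.51.100.{1 + i % 2}", "dave", False) for i in range(30)]
    # alice: two ordinary successful logins
    + [(NOW - d, "192.0.2.10", "alice", True) for d in (300, 4000)]
)

if __name__ == "__main__":
    for account, reasons in scan(EVENTS, NOW).items():
        print(account, reasons)
```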

Abstract

The embodiment of the present invention relates to the field of computer technology, and discloses an anomaly detection method, device, and computer-readable medium. The method includes: screening out, from historical login logs, reference accounts that have no abnormal behavior; determining a reference parameter according to the login parameters of the reference accounts, the reference parameter being used to determine the abnormal situations contained in a login log; obtaining the login log to be detected; and determining the abnormal situations contained in the login log to be detected according to the reference parameter. In this application, the abnormal situations contained in the login log to be detected are determined according to the reference parameters derived from the login parameters of reference accounts that have no abnormal behavior in the historical login logs, so abnormal behaviors of various accounts can be detected with high detection accuracy.

Description

Technical field

[0001] The present invention relates to the field of computer technology, in particular to an anomaly detection method, device and computer-readable medium.

Background technique

[0002] With the continuous development of the Internet, the challenges brought by network security are becoming more and more severe, and the protection of user privacy and account security needs to be solved urgently. Once the attacker steals the user's account number and password through phishing, fraud, or brute-force cracking, the user's personal information and even property will be seriously threatened. Therefore, discovering abnormal login behaviors in time is of great significance for protecting user privacy and property security.

[0003] At present, for account theft initiated by attackers, an account anomaly detection method is often used as follows: the server counts the number of logins and the success rate of the same source IP address for the target IP address to be ...

Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06
CPC: H04L63/1425
Inventor: 肖军, 李昀
Owner: HUAWEI TECH CO LTD