Method and device for detecting and warning fake account, electronic equipment and storage medium
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHANDONG BRANCH OF BEST TONE INFORMATION
- Filing Date
- 2022-12-12
- Publication Date
- 2026-07-14
AI Technical Summary
Existing methods for detecting fake user accounts are limited to the scope of the user's own account or the website's own account, and cannot proactively launch more targeted detection activities for fake user accounts across the entire Internet.
By acquiring characteristic information related to user accounts, a whitelist is generated. DPI technology is used to analyze user behavior traffic. Cosine similarity algorithm is used to calculate the risk of fake accounts, a risk threshold is set, and an alert is issued when the threshold is exceeded.
It enables rapid detection and early warning of fraudulent user account behavior across the entire internet, expanding the detection scope, improving targeting and effectiveness, and providing necessary early warning information before fraudulent activities occur.
Smart Images

Figure CN116488838B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of communications, and more specifically, to a method, apparatus, electronic device, and storage medium for detecting and issuing early warnings of fraudulent accounts in anti-fraud scenarios. Background Technology
[0002] User accounts in telecommunications are direct external markers of a citizen's identity. Due to the high degree of information asymmetry in the internet / mobile internet, users rarely realize their accounts have been impersonated (the user is in the open), while criminals exploit this lack of awareness to commit impersonation (the criminals are in the shadows). Anti-fraud agencies and victims lack effective countermeasures against these ongoing criminal preparatory actions because the impersonation of user accounts is difficult to detect, hindering prevention. Therefore, there is an urgent need to develop an effective method for detecting and issuing early warnings against impersonated user accounts.
[0003] Currently, there are two types of user account misuse, which can be distinguished by whether the user created the account themselves. Type 1: The user created the account themselves; this means the account was first stolen and then used under a false name. Type 2: The user did not create the account themselves; this means the account was first forged and then used under a false name.
[0004] Methods to prevent account misuse generally focus on two paths: "anti-theft" and "anti-counterfeiting."
[0005] First, “anti-theft”, which refers to the first type mentioned above (accounts created by the user), focuses on detecting whether the password for the user-created account has been leaked. Because if the account password has been leaked, the risk of being impersonated obviously increases.
[0006] Chinese Patent CN113411315B: "A Method for Detecting Account Password Leakage and an Account Password Manager." This method analyzes the domain name corresponding to a user's local account and compares it with a blacklist of domain names known to have leaked passwords, thereby alerting the user to the risk of account password leakage. Clearly, this method is limited to type one account misuse, i.e., the situation where the account is created by the user themselves, and is suitable for detecting whether accounts within the user's control have been leaked. It cannot detect whether someone has forged the user's account, i.e., type two. In other words, there are two main possibilities for account misuse by criminals: one is misuse due to password leakage; the other is that criminals maliciously forge and impersonate the user's account. For the latter, this method is completely inapplicable.
[0007] Second, "anti-counterfeiting" refers to the detection focus on the following aspects for the aforementioned type two (accounts not created by the user): during the account registration process, whether a newly registered account is counterfeited or misused based on existing user-created accounts; and whether an account has been counterfeited or misused based on the login behavior of existing accounts.
[0008] Chinese Patent CN105897727A: "Method and Apparatus for Preventing Account Information Theft." This method is characterized by comparing the similarity of different accounts during the new account registration process using information associated with the account, such as ID card number and phone number. If duplicates are found, it is determined as information leakage, and the second account is prevented from using the information of the first account, with a notification sent to the first account. This method is a countermeasure against type two, namely, impersonation where the account is not created by the user. However, this method is clearly only applicable to cases where user accounts are forged within the same website, and its scope for judging the similarity of user registration information is limited, only covering comparisons of user registration information within the same website. Furthermore, this method is only applicable to detection within a specific website; it cannot detect cases where user accounts are forged and impersonated across different websites and applications. From the user's perspective, this method cannot proactively detect impersonation across a wider range of the internet, thus presenting limitations.
[0009] Chinese Patent CN109922032B: "Method, Apparatus, Device, and Storage Medium for Determining the Risk of Login Accounts." This method targets fraudulent logins for user accounts on specific websites. Its principle is based on a model of the login behavior of stolen accounts to determine the risk of fraudulent login activity. However, this method is only applicable to risk control of user account login behavior within the same website, and can achieve a certain level of detection of forged or impersonated accounts. Similar to Patent CN109922032B, it cannot proactively detect fraudulent activities across the entire internet, exhibiting the same limitations.
[0010] In summary, current common methods for detecting the risk of user account impersonation primarily focus on detecting account leakage risks within the user's own account, or on detecting impersonation risks within the website's own account scope, or from the perspective of the entity managing the account. These methods are limited to a specific part of the entire chain of impersonated user accounts. In anti-fraud scenarios, there is an urgent need for a more proactive and effective method to detect impersonation of user accounts across the entire internet. Summary of the Invention
[0011] The technical problem this invention aims to solve is that current methods for detecting the risk of fake accounts are limited to a specific part of the entire chain of fake user accounts. For example, they mainly detect the risk of account leakage within the scope of the user's own account, or they start from the entity that manages the account, such as the website, within the scope of the website's own account. They cannot proactively launch more targeted and effective detection of fake user account behavior from the entire Internet.
[0012] To solve the above-mentioned technical problems, according to one aspect of the present invention, a method for detecting and warning of fake accounts is provided, comprising the following steps: S1, obtaining feature information related to a user account, including: user code, phone number, ID card number, bank card number, email address, social media account or name, the feature information being input by the user or by an anti-fraud agency based on case clues; S2, generating a whitelist of websites or applications normally accessed by the user, the whitelist of websites or applications normally accessed by the user is used to distinguish between genuine user access behavior and fake behavior in subsequent analysis of fake behavior; S3, DPI (Deep Packet) Inspection (Deep Packet Inspection) involves user behavior traffic extraction, mirroring mobile user internet traffic on the operator's backbone network, and importing it into a DPI device for analysis. DPI technology is used to extract user behavior logs from domains accessing blacklists and whitelists. User behavior matching user account characteristics generates risk behavior records and trusted behavior records. S4 involves cosine similarity algorithm analysis, calculating the cosine of the angle between two vectors and setting a risk threshold for spoofing accounts. S5 involves risk warning; if the cosine value calculated by cosine similarity exceeds the risk threshold, a risk warning table is output. Based on the information in the risk warning table, warnings are issued and sent to anti-fraud monitoring platforms or users.
[0013] According to an embodiment of the present invention, in step S2, the method for obtaining a whitelist of websites or applications normally accessed by the user may include one or more of the following methods: obtaining a whitelist of websites or applications normally accessed by the user based on data from telecommunications operators, using the fixed-line broadband linked to the phone number (mobile phone) or the base station location where the mobile phone number stays for a long time as a trusted location, using deep packet inspection (DPI) to find the traffic of specific websites or APP applications at the trusted location, establishing an association between the "phone number" and the domain name of the above website or APP application, and adding the domain name of the corresponding website or application to the whitelist; obtaining a whitelist of websites or applications normally accessed by the user through cooperation with website data, by cooperating with anti-fraud agencies and website or application data to obtain registered and active mobile phone numbers and accounts, establishing an association between the mobile phone number and the website or application, and identifying them as whitelists of websites or applications normally accessed by the user; the user inputs their own whitelist of websites or applications normally accessed, and the whitelist of websites or applications normally accessed by the user input includes: website / application domain name, user account, internet account, and geographical location.
[0014] According to an embodiment of the present invention, step S3 may include the following steps: S31, reading the blacklist of websites with a high incidence of fraud, obtaining a list of domain name databases of websites with a high incidence of fraud from relevant institutions, and forming a blacklist for key traffic detection; S32, traffic extraction, extracting the HTTP traffic of mobile users accessing the blacklisted domains for DPI analysis, extracting and analyzing its DPI data log information, the log information including user account, URL, cookie, user agent, and timestamp; extracting the records of account feature information listed in the user behavior logs of users accessing the blacklisted domains as risk behavior records, and providing the detection platform for further analysis after the risk behavior records are cleaned.
[0015] According to an embodiment of the present invention, step S4 may include the following steps: S41, encoding the features of risk behavior records to form a suspected impersonation behavior feature vector; S42, encoding the features of trusted behavior records to form a trusted behavior baseline feature vector; S43, cosine similarity comparison, when the primary keys of the trusted behavior baseline feature vector and the suspected impersonation feature vector are the same, the similarity is determined by the cosine value of the angle between the given suspected impersonation behavior feature vector and the trusted behavior baseline feature vector. The closer the angle between the two vectors is to 0, the closer the cosine value of the two vectors is to 1, and the more similar the directions of the two vectors are, the more similar the two vectors are; a risk threshold is set by the cosine value of the angle between the two vectors. When the cosine value of the angle between the two vectors is less than the risk threshold, it can be considered that the difference is large and that there is a risk of impersonation; S44, impersonation account behavior risk value calculation, further analyzing the feature values that exceed the threshold, the specific behavior of the suspected impersonation account and extracting the relevant information of the user who committed the impersonation behavior, including the user's identifier, access time period, frequency, and geographical location, so that the anti-fraud agency can further track its risk behavior.
[0016] According to an embodiment of the present invention, in step S41 or step S42, the feature encoding of risk behavior records or the feature encoding of trusted behavior records may include: city encoding, where city information is encoded using one-hot encoding, with the city location of the user's actual login account set to 1, and other city locations set to 0; UA (UserAgent) encoding, extracting terminal and operating system information from the UA, categorizing them into fixed and mobile terminals, and using sequential encoding; when encoding values, sequential encoding is performed after sorting the UA text information to ensure that the values of terminals of the same type are closer; finally, normalization processing is performed, limiting the value range to [0-1]; access time encoding, extracting the hour information / access time of the user's login account for encoding; normalization processing is performed, limiting the value range to [0-1]; access frequency encoding, the access frequency within a certain period of time, and grouped according to types including less, moderate, and more; website / application APP risk level encoding, based on the blacklist of domain name database lists of high-incidence fraud websites obtained from relevant institutions in step S31, if the website / APP application logged in by the user is matched, the encoding is 1, and if not matched, the encoding is 0.
[0017] According to an embodiment of the present invention, in step S43, the cosine similarity formula can be used as follows:
[0018]
[0019] Where a represents the suspected spoofing behavior feature vector, b represents the trusted behavior baseline feature vector; x1, x2, y1, y2 are vector dimensions, corresponding to the feature codes in the suspected spoofing behavior feature vector and the trusted behavior baseline feature vector.
[0020] According to an embodiment of the present invention, in step S43, the risk threshold can be set such that when the cosine of the angle between two vectors is less than 0, the difference is considered to be large, and the risk of a fake account is considered to exist.
[0021] According to a second aspect of the present invention, an apparatus for detecting and issuing early warnings of fraudulent accounts is provided, comprising: a feature information acquisition module for acquiring feature information related to a user account, the feature information including: user code, telephone number, ID card number, bank card number, email address, social media account, or name, the feature information being input by the user or by an anti-fraud agency based on case clues; a whitelist generation module for generating a whitelist of websites or applications normally accessed by the user, which, by acquiring the whitelist of websites or applications normally accessed by the user, can be used to distinguish between genuine user access behavior and fraudulent behavior during subsequent analysis of fraudulent behavior; and a traffic extraction module for extracting user behavior traffic through DPI. The system mirrors mobile user internet traffic on the operator's backbone network and imports it into a DPI device for analysis. Using DPI technology, it extracts user behavior logs from domains accessing blacklists and whitelists. User behavior matching the user account characteristics generates risk behavior records and trusted behavior records. A cosine similarity calculation module uses the cosine similarity algorithm to calculate the cosine of the angle between two vectors and sets a risk threshold for fraudulent accounts based on this cosine value. A risk warning module outputs a risk warning table if the cosine value calculated by the cosine similarity exceeds the risk threshold. This table is used to issue warnings to anti-fraud monitoring platforms or users.
[0022] According to a third aspect of the present invention, an electronic device is provided, comprising: a memory, a processor, and a program for detecting and warning of spoofed accounts stored in the memory and executable on the processor, wherein the program for detecting and warning of spoofed accounts, when executed by the processor, implements the steps of the method for detecting and warning of spoofed accounts described above.
[0023] According to a fourth aspect of the present invention, a computer storage medium is provided, wherein the computer storage medium stores a program for detecting and warning of fraudulent accounts, and when the program for detecting and warning of fraudulent accounts is executed by a processor, it implements the steps of the method for detecting and warning of fraudulent accounts described above.
[0024] Compared with the prior art, the technical solution provided by the embodiments of the present invention can achieve at least the following beneficial effects:
[0025] Compared to traditional technologies for preventing spoofing user accounts, this invention proposes a method that expands the detection points for spoofing user accounts from the usual user or website side to the operator's access side. It proposes using DPI (Deep Packet Inspection) technology to detect and analyze relevant characteristic variables in the online behavior of all users across the network. Spoofing user accounts are encoded using five characteristic values. "Suspected spoofing behavior feature vectors" and "trusted behavior baseline feature vectors" are generated using "blacklists" and "whitelists," respectively. Then, a cosine similarity algorithm is used to calculate the risk level of the two types of feature vectors. Behaviors matching the characteristics of spoofing accounts are assessed using the cosine similarity algorithm, and warnings are issued to relevant parties for spoofing account behavior exceeding a risk threshold. This method can quickly detect spoofing user account behavior exceeding the risk threshold and issue warnings to anti-fraud agencies and other relevant parties accordingly.
[0026] The method for detecting and warning of fake accounts provided by this invention has the advantage that its application scope is not limited to a certain part of the entire chain of fake user accounts, but can proactively initiate the detection of fake user accounts from the entire Internet, which is a more effective way to prevent fraud through fake accounts.
[0027] In the context of anti-fraud, this invention provides relevant anti-fraud agencies or citizens with a method for monitoring the behavior of impersonating user accounts with a wider scope and greater targeting. It detects the characteristic behaviors of impersonating user accounts across the entire network and quantitatively assesses the risks of these characteristic behaviors, thereby enabling users to receive necessary early warning information before fraudulent activities occur. Attached Figure Description
[0028] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings of the embodiments will be briefly described below. Obviously, the drawings described below only relate to some embodiments of the present invention and are not intended to limit the present invention.
[0029] Figure 1 This is a flowchart illustrating a method for detecting and issuing warnings of fake accounts according to an embodiment of the present invention.
[0030] Figure 2 This is a schematic diagram illustrating the algorithm for detecting and issuing warnings of fake accounts according to an embodiment of the present invention. Detailed Implementation
[0031] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the described embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0032] Unless otherwise defined, the technical or scientific terms used herein shall have the ordinary meaning as understood by one of ordinary skill in the art to which this invention pertains. The terms “first,” “second,” and similar terms used in the specification and claims of this patent application do not indicate any order, quantity, or importance, but are merely used to distinguish different components. Similarly, the terms “an” or “a” and similar terms do not indicate a limitation of quantity, but rather indicate the presence of at least one.
[0033] Figure 1 This is a flowchart illustrating a method for detecting and issuing warnings of fake accounts according to an embodiment of the present invention; Figure 2 This is a schematic diagram illustrating the algorithm for detecting and issuing warnings of fake accounts according to an embodiment of the present invention.
[0034] like Figure 1 and Figure 2 As shown, the method for detecting and issuing warnings of fake accounts includes the following steps:
[0035] S1. Obtain characteristic information related to the user account. The characteristic information includes, but is not limited to: user code (User_Number), phone number (Tele_Number), ID number (ID_Number), bank card number (CreditCard_Number), email address, social media account (SNS_Account, such as WeChat, QQ, etc.), name, or other information. The characteristic information is entered by the user or by the anti-fraud agency based on case clues.
[0036] S2. Generate a whitelist of websites or applications that users can access normally. By obtaining the whitelist of websites or applications that users can access normally, it can be used to distinguish between genuine user access behavior and fraudulent behavior in subsequent analysis of spoofing behavior.
[0037] S3 and DPI (Deep Packet Inspection) user behavior traffic extraction mirror mobile user internet traffic on the operator's backbone network and import it into DPI devices for analysis. By using DPI technology, user behavior logs for accessing domains in the blacklist and whitelist are extracted. User behavior that matches the user account characteristics generates risk behavior records and trusted behavior records.
[0038] S4. Cosine similarity algorithm analysis: The cosine similarity algorithm is used to calculate the cosine value of the angle between two vectors, and a risk threshold for fake accounts is set for the cosine value of the angle.
[0039] S5. Risk Warning: If the cosine value calculated by cosine similarity exceeds the risk threshold, a risk warning table is output. Based on the information in the risk warning table, a warning is issued and sent to the anti-fraud agency's monitoring platform or the user. The method of sending the warning information can vary depending on the risk level, and may include, but is not limited to, flash messages, SMS, telephone notifications, and emails.
[0040] Compared to traditional technologies for preventing spoofing user accounts, this invention proposes a method that expands the detection points from the typical user or website side to the operator's access side. It utilizes DPI (Deep Packet Inspection) technology to detect and analyze relevant characteristic variables in the online behavior of all users across the network. Spoofing user accounts are encoded using five characteristic values. "Suspected spoofing behavior feature vectors" and "trusted behavior baseline feature vectors" are generated using "blacklists" and "whitelists," respectively. Then, a cosine similarity algorithm is used to calculate the risk level of behaviors matching the characteristics of spoofing accounts. For spoofing account behaviors exceeding a risk threshold, a warning is issued to relevant parties. This method can quickly detect spoofing user account behaviors exceeding the risk threshold and issue warnings to anti-fraud agencies and other relevant parties accordingly.
[0041] According to one or more embodiments of the present invention, the method for obtaining the whitelist of websites or applications that the user normally accesses in step S2 includes one or more of the following methods:
[0042] This system obtains a whitelist of websites or applications that users normally access based on data from telecommunications operators. Trusted locations are identified by the fixed-line broadband linked to a phone number (mobile phone) or the base station location where the phone number remains for an extended period. Deep packet inspection (DPI) is used to locate traffic from specific websites or apps at these trusted locations. A link is established between the phone number and the domain names of these websites or apps, and the corresponding website or app domain names are then added to the whitelist.
[0043] By collaborating with website data providers, we obtain whitelists of websites or applications that users legitimately access. Through data collaboration between anti-fraud agencies and websites or applications, we acquire registered and active mobile phone numbers and accounts, establish a link between these phone numbers and websites or applications, and whitelist them as websites or applications that users legitimately access.
[0044] Users manually enter their whitelist of websites or applications they are authorized to access. This whitelist includes: website / application domain, user account, internet account, and geolocation. Examples of user whitelists are shown in the table below.
[0045]
[0046] According to one or more embodiments of the present invention, step S3 includes the following steps:
[0047] S31. Read the blacklist of websites with a high incidence of fraud, obtain the domain name database list of websites with a high incidence of fraud from relevant institutions, and form a blacklist for key traffic detection.
[0048] S32. Traffic Extraction: Extract HTTP traffic from mobile users accessing blacklisted domains and perform DPI analysis. Extract and analyze their DPI data log information, including but not limited to user account, URL, cookie, user agent, and timestamp. Extract the account feature information records listed in step S1 from the user behavior logs of users accessing blacklisted domains as risk behavior records. After cleaning, the risk behavior records are provided to the detection platform for further analysis.
[0049] According to one or more embodiments of the present invention, step S4 includes the following steps:
[0050] S41. The feature encoding of risk behavior records forms a feature vector of suspected fraudulent behavior.
[0051] S42. The feature encoding of trusted behavior records forms a trusted behavior baseline feature vector.
[0052] S43. Cosine similarity comparison: When the primary keys of the trusted behavior baseline feature vector and the suspected spoofing feature vector are the same, the similarity is determined by the cosine value of the angle between the given suspected spoofing behavior feature vector and the trusted behavior baseline feature vector. The closer the angle between the two vectors is to 0, the closer the cosine value of the two vectors is to 1. The more similar the directions of the two vectors are, the more similar the two vectors are. The risk threshold is set by the cosine value of the angle between the two vectors. When the cosine value of the angle between the two vectors is less than the risk threshold, it can be considered that the difference is large and that there is a risk of spoofing accounts.
[0053] S44. Calculate the risk value of impersonation behavior. Further analyze the feature values that exceed the threshold, identify the specific behaviors of suspected impersonation accounts, and extract relevant information of the users who carried out the impersonation behavior. The relevant information includes the user's identifier, access time period, frequency, and geographical location, so that anti-fraud agencies can further track them.
[0054] The risk warning table for its risky behavior is shown below:
[0055] Specifically: 1. The risk value ranges from 1 to 100, with higher values indicating greater risk. The formula is: Risk value = Cosine value * -100; 2. Primary and secondary risks are derived from the two dimensions with the greatest differences after comparison using the cosine similarity algorithm.
[0056]
[0057] According to one or more embodiments of the present invention, in step S41 or step S42, the feature encoding of risk behavior records or the feature encoding of trusted behavior records includes, but is not limited to: city encoding, sequential encoding after sorting by UA text information, access time encoding, access frequency encoding, and website / application APP risk level encoding.
[0058] City coding uses one-hot encoding, i.e., (city 1, city 2, ..., city n). The city location of the user's actual login account is assigned a value of 1, and other city locations are assigned a value of 0. UA (UserAgent) coding extracts terminal and operating system information from the UA, categorizing it into fixed and mobile terminals, i.e., fixed terminal type and mobile terminal type, using sequential encoding. During encoding, the UA text information is sorted before sequential encoding to ensure that values for terminals of the same type are more similar; finally, normalization is performed, limiting the value range to [0-1].
[0059] Access time encoding: Extract the hour information (i.e., access time) of the user's login account and encode it; perform normalization processing and limit the value range to [0-1].
[0060] Access frequency coding (e.g., within the last month) indicates the frequency of access within a certain period of time, and is grouped into categories including less (less than 10 times, assigned a value of 0), moderate (10 to 100 times, assigned a value of 0.5), and more (more than 100 times).
[0061] The risk level coding for websites / apps is based on the blacklist of domain name databases of websites with a high incidence of fraud obtained from relevant institutions in step S31. If the website / app that the user logs into is matched, the code is 1; otherwise, the code is 0.
[0062] By encoding the above five types of data features, a suspected impersonation feature vector is formed after merging them. The format is (City 1, City 2, ..., City n, Fixed terminal type, Mobile terminal type, Access time, Access frequency, Website / APP risk level).
[0063] Furthermore, by implementing a cosine similarity algorithm to compare the credible behavioral baseline feature vector and the suspected spoofing feature vector, the detection of spoofing user account behavior is completed.
[0064] According to one or more embodiments of the present invention, in step S43, the cosine similarity formula is used as follows:
[0065]
[0066] Where a represents the suspected spoofing behavior feature vector, b represents the trusted behavior baseline feature vector; x1, x2, y1, y2 are vector dimensions, corresponding to the feature codes in the suspected spoofing behavior feature vector and the trusted behavior baseline feature vector.
[0067] Similarity can be determined by the cosine of the angle between two given vectors. The closer the angle between two vectors is to 0, the closer the cosine of the two vectors is to 1, indicating that the two vectors are more similar in direction and therefore more similar.
[0068] Compared to cosine distance, Euclidean distance is suitable for low-dimensional data; while Hamming distance is suitable for high-dimensional data, it doesn't consider actual numerical values and is therefore unsuitable for this approach. Cosine similarity, however, is suitable for high-dimensional data and is insensitive to absolute values, focusing more on distinguishing differences in direction. It can detect impersonation based on directional differences. Therefore, the cosine similarity algorithm is more suitable for detecting and issuing warnings about impersonating users.
[0069] According to one or more embodiments of the present invention, the feature information related to the user account is the primary key (including but not limited to phone number, ID card number, bank card number, email address, social media account, and name). When the primary keys of the trusted behavior benchmark feature vector and the suspected spoofing feature vector are the same, the cosine similarity algorithm can be used to compare the differences between the two vectors. In step S43, the risk threshold is set such that when the cosine value of the angle between the two vectors is less than 0, the difference is considered large, and the risk of spoofing an account is considered to exist.
[0070] The method for detecting and warning of fake accounts provided by this invention has the advantage that its application scope is not limited to a certain part of the entire chain of fake user accounts, but can proactively initiate the detection of fake user accounts from the entire Internet, which is a more effective way to prevent fraud through fake accounts.
[0071] According to a second aspect of the present invention, an apparatus for detecting and issuing early warnings of fraudulent accounts is provided, comprising: a feature information acquisition module for acquiring feature information related to a user account, the feature information including: user code, telephone number, ID card number, bank card number, email address, social media account, or name, the feature information being input by the user or by an anti-fraud agency based on case clues; a whitelist generation module for generating a whitelist of websites or applications normally accessed by the user, which, by acquiring the whitelist of websites or applications normally accessed by the user, can be used to distinguish between genuine user access behavior and fraudulent behavior during subsequent analysis of fraudulent behavior; and a traffic extraction module for extracting user behavior traffic through DPI. The system mirrors mobile user internet traffic on the operator's backbone network and imports it into a DPI device for analysis. Using DPI technology, it extracts user behavior logs from domains accessing blacklists and whitelists. User behavior matching the user account characteristics generates risk behavior records and trusted behavior records. A cosine similarity calculation module uses the cosine similarity algorithm to calculate the cosine of the angle between two vectors and sets a risk threshold for fraudulent accounts based on this cosine value. A risk warning module outputs a risk warning table if the cosine value calculated by the cosine similarity exceeds the risk threshold. This table is used to issue warnings to anti-fraud monitoring platforms or users.
[0072] In the context of anti-fraud, this invention provides relevant anti-fraud agencies or citizens with a method for monitoring the behavior of impersonating user accounts with a wider scope and greater targeting. It detects the characteristic behaviors of impersonating user accounts across the entire network and quantitatively assesses the risks of these characteristic behaviors, thereby enabling users to receive necessary early warning information before fraudulent activities occur.
[0073] According to another aspect of the present invention, an apparatus for detecting and warning of spoofed accounts is provided, comprising: a memory, a processor, and a program for detecting and warning of spoofed accounts stored in the memory and executable on the processor, wherein the program for detecting and warning of spoofed accounts, when executed by the processor, implements the steps of the method for detecting and warning of spoofed accounts described above.
[0074] The present invention also provides a computer storage medium.
[0075] The computer storage medium stores a program for detecting and warning of fake accounts. When the program is executed by the processor, it implements the steps of the method for detecting and warning of fake accounts described above.
[0076] The method implemented when the program for detecting and warning of fake accounts running on the processor is executed can be referred to in various embodiments of the method for detecting and warning of fake accounts of the present invention, and will not be repeated here.
[0077] The present invention also provides a computer program product.
[0078] The computer program product of the present invention includes a program for detecting and warning of fake accounts. When the program for detecting and warning of fake accounts is executed by a processor, it implements the steps of the method for detecting and warning of fake accounts as described above.
[0079] The method implemented when the program for detecting and warning of fake accounts running on the processor is executed can be referred to in various embodiments of the method for detecting and warning of fake accounts of the present invention, and will not be repeated here.
[0080] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk) as described above, and includes several instructions to cause a terminal device (which may be a mobile phone, computer, server, air conditioner, or network device, etc.) to execute the methods described in the various embodiments of the present invention.
[0081] The above description is merely an exemplary embodiment of the present invention and is not intended to limit the scope of protection of the present invention, which is determined by the appended claims.
Claims
1. A method for detecting and issuing early warnings of fake accounts, comprising the following steps: S1. Obtain feature information related to the user account, the feature information including: User ID, phone number, ID card number, bank card number, email address, social media account or name; the aforementioned characteristic information is entered by the user or by the anti-fraud agency based on case clues. S2. Generate a whitelist of websites or applications that users can access normally. By obtaining the whitelist of websites or applications that users can access normally, it can be used to distinguish between genuine user access behavior and fraudulent behavior in subsequent analysis of spoofing behavior. S3. By extracting user behavior traffic through DPI, mobile user internet traffic is mirrored on the operator's backbone network and imported into the DPI device for analysis. By using DPI technology, user behavior logs for accessing domains in the blacklist and whitelist are extracted respectively. Among them, user behavior that matches the user account characteristic information generates risk behavior records and trusted behavior records. S4. Cosine similarity algorithm analysis: The cosine similarity algorithm is used to calculate the cosine value of the angle between two vectors, and a risk threshold for fake accounts is set for the cosine value of the angle. S5. Risk Warning: If the cosine value calculated by the cosine similarity exceeds the risk threshold, a risk warning table is output. Based on the information in the risk warning table, a warning is issued and sent to the anti-fraud agency's monitoring platform or the user. Step S3 includes the following steps: S31. Read the blacklist of websites with a high incidence of fraud, obtain the domain name database list of websites with a high incidence of fraud from relevant security agencies, and form a blacklist for key traffic detection. S32. Traffic extraction: Extract the HTTP traffic of mobile users accessing blacklisted domains and perform DPI analysis; extract and analyze the DPI data log information, including user account, URL, cookie, user agent, and timestamp; extract the records of account feature information listed in the user behavior logs of users accessing blacklisted domains as risk behavior records, which are cleaned and provided to the detection platform for further analysis. Step S4 includes the following steps: S41. Encode the features of the risk behavior records to form a suspected impersonation behavior feature vector; S42. Encode the features of the trusted behavior record to form a trusted behavior baseline feature vector; S43. Cosine similarity comparison: When the primary keys of the trusted behavior baseline feature vector and the suspected spoofing feature vector are the same, the similarity is determined by the cosine value of the angle between the given suspected spoofing behavior feature vector and the trusted behavior baseline feature vector. The closer the angle between the two vectors is to 0, the closer the cosine value of the two vectors is to 1. The more similar the directions of the two vectors are, the more similar the two vectors are. A risk threshold is set by the cosine value of the angle between the two vectors. When the cosine value of the angle between the two vectors is less than the risk threshold, it can be considered that the difference is large and that there is a risk of spoofing accounts. S44. Calculation of risk value for spoofing account behavior: For feature values exceeding the threshold, further analysis is performed to analyze the specific behaviors of suspected spoofing accounts and extract relevant information about the users who committed the spoofing behavior. This relevant information includes the user's identifier, access time period, frequency, and geographical location, so that anti-fraud agencies can further track their risky behavior. In step S43, the cosine similarity formula is used as follows: Where 'a' represents the suspected spoofing behavior feature vector, and 'b' represents the trusted behavior baseline feature vector; x1, x2, y1, y2 are vector dimensions, corresponding to the feature codes in the suspected spoofing behavior feature vector and the trusted behavior baseline feature vector, respectively. In step S41 or step S42, the feature encoding of the risk behavior record or the feature encoding of the trustworthy behavior record includes: City coding: City information uses one-hot encoding. The city location where the user actually logs in is set to 1, and other city locations are set to 0. UA encoding extracts terminal and operating system information from the UA, distinguishing between fixed and mobile terminals, and using sequential encoding. When encoding values, the UA text information is sorted and then sequentially encoded to ensure that the values of terminals of the same type are closer. Finally, normalization is performed to limit the value range to [0-1]. Access time encoding involves extracting the user's login account's hour information and access time, then encoding it; normalization is performed, limiting the value range to [0-1]. Access frequency coding: the frequency of access within a certain period of time, and grouped into categories including less frequent, moderate, and frequent access. The risk level coding for websites / apps is based on the blacklist of domain name databases of websites with a high incidence of fraud obtained from relevant security agencies as described in step S31. If the website / app that the user logs in is matched, the coding is 1; otherwise, the coding is 0.
2. The method as described in claim 1, wherein, In step S2, the methods for obtaining the whitelist of websites or applications that the user normally accesses include one or more of the following: Based on data from telecommunications operators, a whitelist of websites or applications that users normally access is obtained. The location of the fixed-line broadband linked to the phone number or the base station where the mobile number stays for a long time is identified as a trusted location. Through deep packet inspection (DPI), the traffic of specific websites or apps in the trusted locations is found. The association between the phone number and the domain name of the above website or app is established, and the domain name of the corresponding website or app is added to the whitelist. By cooperating with website data to obtain a whitelist of websites or applications that users normally access, and by cooperating with anti-fraud agencies with websites or applications to obtain registered and active mobile phone numbers and accounts, the association between mobile phone numbers and websites or applications is established and they are identified as whitelisted websites or applications that users normally access. Users manually enter their whitelist of websites or applications that they can access. The whitelist includes: website / application domain name, user account, internet account, and geographical location.
3. The method as described in claim 1, wherein, In step S43, the risk threshold is set to 0. When the cosine of the angle between two vectors is less than 0, it can be considered that the difference is large and that there is a risk of fake accounts.
4. An apparatus for detecting and issuing early warnings of spoofed accounts, used to implement the method for detecting and issuing early warnings of spoofed accounts as described in any one of claims 1-3, wherein the apparatus for detecting and issuing early warnings of spoofed accounts comprises: The feature information acquisition module is used to acquire feature information related to user accounts. The feature information includes: user code, phone number, ID card number, bank card number, email address, social media account or name. The feature information is entered by the user or by the anti-fraud agency based on case clues. The whitelist generation module is used to generate a whitelist of websites or applications that users can access normally. By obtaining the whitelist of websites or applications that users can access normally, it can be used to distinguish between genuine user access behavior and fraudulent behavior in subsequent analysis of spoofing behavior. The traffic extraction module extracts user behavior traffic through DPI, mirrors mobile user internet traffic on the operator's backbone network, and imports it into the DPI device for analysis. By using DPI technology, it extracts user behavior logs for accessing domains in the blacklist and whitelist respectively. Among them, user behavior that matches the user account characteristic information generates risk behavior records and trusted behavior records. The cosine similarity calculation module is used for cosine similarity algorithm analysis. It uses the cosine similarity algorithm to calculate the cosine value of the angle between two vectors and sets the risk threshold for fake accounts based on the cosine value of the angle. The risk warning module outputs a risk warning table if the cosine value of the cosine similarity calculation exceeds the risk threshold. This table is used to issue warnings and send warning information to the anti-fraud agency's monitoring platform or users.
5. An electronic device, comprising: The system includes a memory, a processor, and a program for detecting and warning of fraudulent accounts stored in the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the method for detecting and warning of fraudulent accounts as described in any one of claims 1 to 3.
6. A computer storage medium, wherein, The computer storage medium stores a program for detecting and warning of fake accounts. When the program is executed by the processor, it implements the steps of the method for detecting and warning of fake accounts as described in any one of claims 1 to 3.