Method, device, electronic equipment and storage medium for detecting password cracking attacks

By acquiring and analyzing the associated information and user behavior data of the login web page in real time, the system can automatically detect credential stuffing attacks, solving the problems of low efficiency and error-proneness in existing technologies and ensuring user account security.

CN119788360BActive Publication Date: 2026-07-03BEIJING QIYI CENTURY SCI & TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING QIYI CENTURY SCI & TECH CO LTD
Filing Date
2024-12-19
Publication Date
2026-07-03

Smart Images

  • Figure CN119788360B_ABST
    Figure CN119788360B_ABST
Patent Text Reader

Abstract

The method, apparatus, electronic device, and storage medium for detecting credential stuffing attacks provided in this application include: real-time acquisition of multiple related information of a login webpage and user login behavior data; identification of conflicting information from the multiple related information and counting the total number of conflicts within a preset time period; determination of whether the conflicting information is abnormal based on the total number of conflicts; and, if the conflicting information is determined to be abnormal, detection of whether the login webpage is a credential stuffing attack based on the user login behavior data. The above technical solution can automatically detect credential stuffing attacks using multiple related information of a login webpage and user login behavior data. This detection process does not require manual intervention, effectively alleviating the inefficiency and error-prone nature of existing manual credential stuffing attack detection methods, ensuring user account security, and thus avoiding incalculable losses to users.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The embodiments of the present invention relate to the field of network security technology, and in particular to a method, apparatus, electronic device and storage medium for detecting credential stuffing attacks. Background Technology

[0002] With the rapid development of the internet, a large number of websites and mobile applications have emerged. Each user may have multiple accounts on multiple different websites, and for ease of remembering, users often use the same username and password for these accounts. This leads to serious security problems; when user data on one website or mobile application is leaked, it may result in the complete leakage of that user's information on other websites and mobile applications. In recent years, the impact of credential stuffing attacks on users has become increasingly significant.

[0003] In existing technologies, the detection of credential stuffing attacks mainly relies on manual analysis of network traffic volume. During the detection process, credential stuffing attacks may be overlooked due to small network traffic volume. Therefore, existing credential stuffing attack detection methods are inefficient, error-prone, and cannot guarantee user account security, causing incalculable losses to users. Summary of the Invention

[0004] In view of this, in order to effectively alleviate the problems of low efficiency and easy error caused by manual detection of credential stuffing attacks, the present invention provides a method, apparatus, electronic device and storage medium for detecting credential stuffing attacks.

[0005] In a first aspect, embodiments of the present invention provide a method for detecting credential stuffing attacks, the method comprising:

[0006] Real-time acquisition of multiple related information and user login behavior data from the login webpage;

[0007] Conflicting information is identified from multiple related information sources, and the total number of conflicts in the conflicting information is counted within a preset time period;

[0008] Determine whether conflict information is abnormal based on the total number of conflicts;

[0009] If the conflict information is found to be abnormal, the login web page is detected as a credential stuffing attack based on user login behavior data.

[0010] In one possible implementation, conflicting information is determined from multiple pieces of associated information, including:

[0011] Tag each piece of related information on the front end;

[0012] Conflict information is determined based on the front-end information corresponding to each related piece of information.

[0013] In one possible implementation, conflict information is determined based on the front-end information corresponding to each piece of associated information:

[0014] Inconsistent related information from the front end is identified as conflicting information.

[0015] In one possible implementation, determining whether conflict information is abnormal based on the total number of conflicts includes:

[0016] Obtain the predicted total number of conflicts for a preset time period from the output of a pre-trained conflict total number prediction model; wherein, the conflict total number prediction model is a prediction model obtained by training a time series model based on the historical conflict total number.

[0017] The anomaly of conflict information is determined based on the predicted total number of conflicts and the total number of conflicts.

[0018] In one possible implementation, determining whether the conflict information is abnormal based on the predicted total number of conflicts and the total number of conflicts includes:

[0019] The difference in quantity is determined based on the predicted total number of conflicts and the total number of conflicts.

[0020] Determine whether the quantity difference is greater than a preset quantity difference;

[0021] If the difference in quantity is greater than the preset difference in quantity, the conflict information is determined to be abnormal.

[0022] If the quantity difference is less than or equal to the preset quantity difference, it is determined that there is no abnormality in the conflict information;

[0023] In one possible implementation, detecting whether a login webpage is a credential stuffing attack based on user login behavior data includes:

[0024] Obtain at least one credential stuffing attack characteristic from user login behavior data;

[0025] Detect whether a login webpage is a target of a credential stuffing attack based on at least one credential stuffing attack signature.

[0026] In one possible implementation, detecting whether a login webpage is a credential stuffing attack based on at least one credential stuffing attack characteristic data includes:

[0027] For each credential stuffing attack feature in at least one credential stuffing attack feature data, determine whether the credential stuffing attack feature data exceeds a preset data threshold;

[0028] If at least one data point indicating a credential stuffing attack exceeds a preset data threshold, the login webpage is detected as a credential stuffing attack.

[0029] In one possible implementation, the method further includes:

[0030] If the login webpage is detected as a credential stuffing attack, the login webpage will be restricted, and a password change prompt will be sent to the user.

[0031] Secondly, embodiments of the present invention provide an apparatus for detecting credential stuffing attacks, the apparatus comprising:

[0032] The acquisition module is used to acquire multiple related information and user login behavior data from the login web page in real time.

[0033] The determination and statistics module is used to identify conflicting information from multiple related information and to count the total number of conflicts within a preset time period;

[0034] The anomaly determination module is used to determine whether conflict information is abnormal based on the total number of conflicts.

[0035] The credential stuffing attack detection module is used to detect whether the login web page is a credential stuffing attack based on user login behavior data when abnormal conflict information is determined.

[0036] Thirdly, embodiments of the present invention provide an electronic device, comprising: a processor and a memory, wherein the processor is configured to execute a program for detecting credential stuffing attacks stored in the memory, so as to implement the above-described method for detecting credential stuffing attacks.

[0037] Fourthly, embodiments of the present invention provide a storage medium, wherein the storage medium stores one or more programs, which can be executed by one or more processors to implement the above-described method for detecting credential stuffing attacks.

[0038] The present invention provides a method, apparatus, electronic device, and storage medium for detecting credential stuffing attacks. The method includes: acquiring multiple related information items of a login webpage and user login behavior data in real time; identifying conflicting information from the multiple related information items and counting the total number of conflicts within a preset time period; determining whether the conflicting information is abnormal based on the total number of conflicts; and, if the conflicting information is determined to be abnormal, detecting whether the login webpage is a credential stuffing attack based on the user login behavior data. This technical solution can automatically detect credential stuffing attacks using multiple related information items of a login webpage and user login behavior data. This detection process does not require manual intervention, effectively alleviating the inefficiency and error-prone nature of existing manual credential stuffing attack detection methods, ensuring user account security, and thus avoiding incalculable losses to users. Attached Figure Description

[0039] Figure 1 A flowchart illustrating an embodiment of a method for detecting credential stuffing attacks provided by this invention;

[0040] Figure 2 A flowchart illustrating an embodiment of another method for detecting credential stuffing attacks provided by this invention;

[0041] Figure 3 A flowchart illustrating an embodiment of another method for detecting credential stuffing attacks provided by this invention;

[0042] Figure 4 A flowchart illustrating an embodiment of another method for detecting credential stuffing attacks provided by this invention;

[0043] Figure 5 A block diagram illustrating an embodiment of a credential stuffing attack detection device provided by an embodiment of the present invention;

[0044] Figure 6 This is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention. Detailed Implementation

[0045] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0046] To facilitate understanding of the embodiments of the present invention, further explanations and descriptions will be provided below with reference to the accompanying drawings and specific embodiments. These embodiments do not constitute a limitation on the embodiments of the present invention.

[0047] This invention provides a method for detecting credential stuffing attacks, which can be executed by a credential stuffing attack detection device. In this embodiment, the aforementioned credential stuffing attack detection device can be a computing device such as a desktop computer, laptop, handheld computer, or server, and this embodiment does not limit it.

[0048] See Figure 1 , Figure 1 This is a flowchart of an embodiment of a method for detecting credential stuffing attacks provided by an embodiment of the present invention. Figure 1 The process shown may include the following steps:

[0049] Step 101: Obtain multiple related information and user login behavior data from the login webpage in real time;

[0050] The aforementioned associated information and user behavior data are information related to logging into web pages. Associated information can be understood as information related to the login operation web page when logging into an application, webpage, or website based on an account and password. Multiple associated information items include, but are not limited to, terminal information identifying the web page type, device information identifying the login device, user agent information identifying the browser, and request header fields identifying web page links. User login behavior data can be understood as behavioral data related to the login operation, including but not limited to login frequency, number of failed login attempts, and number of successful login attempts.

[0051] Understandably, the webpage contains embedded code for collecting pre-defined information and data, which is used to collect associated information and user login behavior data related to logging into the aforementioned webpage. The automatic analysis of the acquired associated information and user login behavior data is used to detect whether logging into the webpage is a credential stuffing attack.

[0052] Step 102: Identify conflicting information from multiple related information sources, and count the total number of conflicts within a preset time period;

[0053] Conflict information can be understood as abnormal or contradictory information generated during the login process of a webpage. In practical applications, if the login to the aforementioned webpage is not a credential stuffing attack, the aforementioned multiple related information will not contain any abnormal or contradictory information, and can uniformly identify that the login webpage is from the user's normal login information. However, if the login to the aforementioned webpage is a credential stuffing attack, the aforementioned multiple related information will not contain any abnormal or contradictory information, and cannot uniformly identify that the login webpage is from the user's normal login information.

[0054] Continuing the previous example, let's consider endpoint information, device information, user agent information, and request header fields as multiple related information. If, in a single webpage login, endpoint information and device information are one set of conflicting information, and endpoint information and request header fields are another set of conflicting information, then the number of conflicts during this webpage login is 2. In this embodiment, if the preset time for counting the number of conflicts during webpage login is one hour, it can be understood as acquiring multiple related information for each login to the aforementioned webpage within one hour, determining the number of conflicts for each login, and then summing all the conflict counts within one hour to obtain the total number of conflicts. In specific implementation, the preset time can be set according to actual needs and is not limited here.

[0055] Step 103: Determine whether the conflict information is abnormal based on the total number of conflicts;

[0056] During the process of logging into a webpage, there may be conflicts between related information due to factors such as information retrieval errors or network failures. In such cases, it is normal for multiple related information to have conflicts, and the existence of conflicting information should not be considered an anomaly caused by a credential stuffing attack. Therefore, in order to identify whether the conflicting information is normal or abnormal information generated during the login process, this embodiment needs to determine whether the conflicting information is abnormal by using the total number of conflicts.

[0057] Step 104: If the conflict information is found to be abnormal, detect whether the login web page is a credential stuffing attack based on the user login behavior data.

[0058] During the login process, there may be instances where multiple automated login attempts result in abnormal conflict information. However, simply relying on abnormal conflict information to determine that logging into the aforementioned webpage constitutes a credential stuffing attack is somewhat inaccurate. Therefore, even when the conflict information is determined to be abnormal, it is necessary to further analyze user login behavior data to determine whether logging into the webpage constitutes a credential stuffing attack in order to ensure the accuracy of the detection.

[0059] The method for detecting credential stuffing attacks provided in this invention includes: acquiring multiple related information of a login webpage and user login behavior data in real time; identifying conflicting information from the multiple related information and counting the total number of conflicts within a preset time period; determining whether the conflicting information is abnormal based on the total number of conflicts; and, if the conflicting information is determined to be abnormal, detecting whether the login webpage is a credential stuffing attack based on the user login behavior data. This technical solution can automatically analyze and detect credential stuffing attacks using multiple related information of a login webpage and user login behavior data. This detection process requires no manual intervention, effectively alleviating the inefficiency and error-prone nature of existing manual credential stuffing attack detection methods, ensuring user account security, and thus avoiding incalculable losses to users.

[0060] like Figure 2 As shown, as an optional implementation, the method described above, step 102, which determines conflicting information from multiple pieces of associated information, includes the following steps:

[0061] Step 201: Tag each piece of related information with front-end information.

[0062] In this embodiment, the front-end information can be divided into five categories: WEB (World Wide Web), iOS H5 (Internetworking Operating System HyperText Markup Language 5.0), Android H5 (Android HyperText Markup Language 5.0), iOS, and Android. These categories are used to briefly identify each associated information. One associated information is labeled with one front-end information. This means that under normal circumstances when logging into the web page, the front-end information labeled for each associated information is the same. Therefore, by using the front-end information labeled for each associated information, it is possible to determine whether there is any conflicting information between multiple associated information.

[0063] To facilitate understanding of the tagging process, let's take user agent information as an example: user_agent => Mozilla / 5.0 (iPhone; CPU iPhone OS16_6 like Mac OS X) AppleWebKit / 605.1.15 (KHTML, like Gecko) CriOS / 129.0.1 Mobile / 15E148 Safari / 604.1 => This Mozilla / 5.0 (iPhone; CPU iPhone OS16_6 like Mac OS X): This indicates the logged-in device is an iPhone running iOS 16.6; CriOS / 129.0.1: CriOS represents the version information of Google Chrome for iOS, version 129.0.1; Overall, it indicates the source is the Google Chrome browser running on the iPhone device. The tag is iOS H5.

[0064] Step 202: Determine conflict information based on the front-end information corresponding to each associated information.

[0065] Specifically, inconsistencies in front-end information are identified as conflicting information. Continuing the previous example, for instance, if the terminal information is labeled as WEB, the device information as iOS H5, the user agent information as WEB, and the request header field information as Android, in this embodiment, the front-end information labeled with the terminal information is used as the comparison object. Then, inconsistencies in the front-end information labeled with the terminal information are identified as a set of conflicting information. That is, if the device information is inconsistent with the front-end information labeled with the terminal information, then the device information and the terminal information are identified as a set of conflicting information. Similarly, if the request header field information is inconsistent with the front-end information labeled with the terminal information, then the request header field information and the terminal information are identified as a set of conflicting information.

[0066] The method in this embodiment can quickly and accurately identify conflicting information among multiple related information when logging into the aforementioned web page by utilizing the front-end information tagged with various related information. This provides detection data for credential stuffing attacks, facilitates accurate detection of subsequent credential stuffing attacks, and improves the efficiency of credential stuffing attack detection.

[0067] like Figure 3 As shown, as an optional implementation, the method described above, step 103, which determines whether the conflict information is abnormal based on the total number of conflicts, includes the following steps:

[0068] Step 301: Obtain the predicted total number of conflicts for a preset time period from the output of the pre-trained conflict total number prediction model;

[0069] Among them, the total number of conflicts prediction model is a prediction model obtained by training the time series model based on the total number of historical conflicts; the time series model can be an autoregressive moving average model, an autoregressive integral moving average model, a vector autoregressive model, or an exponentially weighted moving average model, etc., without limitation here.

[0070] To facilitate understanding of the training and prediction process of the total conflict quantity prediction model, the exponentially weighted moving average model will be used as an example:

[0071] Step 1: Input a set of total conflict counts and the total conflict counts at 12:00 PM each day over the past week into the exponentially weighted moving average model. This will result in 7 sets of data. Let these data be: x_1, x_2, x_3, ..., x_7.

[0072] Step 2: Select a smoothing factor λ, typically between 0.2 and 0.3; λ represents the data weights, and different data weights have different effects on the model's sensitivity. Here, we set λ = 0.3. Define the initial mean S_0, which can be set as the total number of conflicts on the first day, S_0 = x_1.

[0073] Step 3: Calculate the exponentially weighted moving average series. For each time point, the exponentially weighted moving average, S_t, is calculated according to the following formula: [S_t=λx_t+(1-λ)S_{t-1}].

[0074] Step 4: Based on the calculation steps above, obtain the index-weighted moving average for the past week:

[0075] (S_1 = x_1);

[0076] (S_2=λx_2+(1-λ)S_1);

[0077] (S_3=λx_3+(1-λ)S_2);

[0078] This process continues until (S_7), where (S_7) is used as the total number of prediction conflicts for the next preset duration.

[0079] The training and prediction processes for other time series models will not be elaborated upon here.

[0080] Step 302: Determine whether the conflict information is abnormal based on the predicted total number of conflicts and the total number of conflicts.

[0081] Specifically, the implementation process of step 302 above is as follows: determine the quantity difference based on the predicted total number of conflicts and the total number of conflicts; determine whether the quantity difference is greater than the preset quantity difference; if the quantity difference is greater than the preset quantity difference, determine that the conflict information is abnormal; if the quantity difference is less than or equal to the preset quantity difference, determine that the conflict information is not abnormal.

[0082] In this embodiment, a preset quantity difference value L can be determined according to requirements. This threshold defines the maximum allowable error range between the total number of conflicts and the predicted total number of conflicts within the current preset time period. For example, L = 3σ, where σ is the standard deviation of the residuals. When |total number of conflicts - predicted total number of conflicts| > L, that is, the quantity difference is greater than the preset quantity difference value L, the conflict information is considered abnormal. Conversely, when the quantity difference is equal to or less than the preset quantity difference value L, the conflict information is considered normal.

[0083] like Figure 4 As shown, as an optional implementation, the method described above, step 104, which detects whether the login webpage is a credential stuffing attack based on user login behavior data, includes the following steps:

[0084] Step 401: Obtain at least one credential stuffing attack feature data from the user login behavior data;

[0085] This credential stuffing attack feature data can be understood as user login behavior data related to credential stuffing attacks. For example, the login frequency and number of failed login attempts can be obtained from user login behavior data as credential stuffing attack feature data.

[0086] Step 402: Detect whether the login webpage is a credential stuffing attack based on at least one credential stuffing attack feature data.

[0087] The specific step 402, determining whether it is a credential stuffing attack, is as follows: for each credential stuffing attack feature data in at least one credential stuffing attack feature data, it is determined whether the credential stuffing attack feature data exceeds a preset data threshold; if it is determined that at least one credential stuffing attack feature data exceeds the preset data threshold, the login web page is detected as a credential stuffing attack.

[0088] In practical applications, each credential stuffing attack characteristic is assigned a corresponding preset data threshold. Continuing the previous example, the preset data threshold for the login frequency credential stuffing attack characteristic is 100 times, and the preset data threshold for the login failure count credential stuffing attack characteristic is 150 times. Therefore, if the obtained login frequency exceeds 100 times and / or the login failure count exceeds 150 times, it is considered a credential stuffing attack. Conversely, if the login frequency does not exceed 100 times and the login failure count does not exceed 150 times, it is not considered a credential stuffing attack. The preset data thresholds for each credential stuffing attack characteristic can be set according to actual needs and are not limited here.

[0089] Typically, to protect user account security, if a credential stuffing attack is detected when logging into the webpage, access to the webpage can be restricted, and a password change prompt can be sent to the user.

[0090] Specifically, blocking IP addresses (Internet Protocol) can restrict access to web pages. Furthermore, password change prompts can be sent to the terminal devices used by the actual account holder to promptly remind users to change their account passwords and ensure account security.

[0091] See Figure 5 This is a block diagram illustrating an embodiment of a credential stuffing attack detection device provided by an embodiment of the present invention. Figure 5 As shown, the device includes:

[0092] The acquisition module 501 is used to acquire multiple related information and user login behavior data of the login web page in real time;

[0093] The statistics module 502 is used to identify conflicting information from multiple related information and to count the total number of conflicts within a preset time period.

[0094] Anomaly determination module 503 is used to determine whether conflict information is abnormal based on the total number of conflicts;

[0095] The credential stuffing attack detection module 504 is used to detect whether the login web page is a credential stuffing attack based on user login behavior data when the conflict information is determined to be abnormal.

[0096] The apparatus for detecting credential stuffing attacks provided in this invention includes: acquiring multiple related information of a login webpage and user login behavior data in real time; identifying conflicting information from the multiple related information and counting the total number of conflicts within a preset time period; determining whether the conflicting information is abnormal based on the total number of conflicts; and, if the conflicting information is determined to be abnormal, detecting whether the login webpage is a credential stuffing attack based on the user login behavior data. This technical solution can automatically detect credential stuffing attacks using multiple related information of a login webpage and user login behavior data. This detection process requires no manual intervention, effectively alleviating the inefficiency and error-prone nature of existing manual credential stuffing attack detection methods, ensuring user account security, and thus avoiding incalculable losses to users.

[0097] Figure 6 This is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention. Figure 6 The illustrated electronic device 1200 includes at least one processor 1201, a memory 1202, at least one network interface 1204, and other user interfaces 1203. The various components in the electronic device 1200 are coupled together via a bus system 1205. It is understood that the bus system 1205 is used to implement communication between these components. In addition to a data bus, the bus system 1205 also includes a power bus, a control bus, and a status signal bus. However, for clarity, ... Figure 6 The general labeled all buses as Bus System 1205.

[0098] The user interface 1203 may include a display, keyboard, or clicking device (e.g., mouse, trackball, touchpad, or touchscreen).

[0099] It is understood that the memory 1202 in the embodiments of the present invention can be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory can be random access memory (RAM), which is used as an external cache. By way of example, but not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), Synchronous DRAM (SDRAM), Double Data Rate Synchronous DRAM (DDRSDRAM), Enhanced Synchronous DRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The memory 1202 described herein is intended to include, but is not limited to, these and any other suitable types of memory.

[0100] In some implementations, memory 1202 stores elements, executable units or data structures, or subsets thereof, or extended sets thereof: operating system 12021 and application program 12022.

[0101] The operating system 12021 includes various system programs, such as the framework layer, core library layer, and driver layer, used to implement various basic business functions and handle hardware-based tasks. The application program 12022 includes various applications, such as a media player and a browser, used to implement various application functions. The program implementing the method of this embodiment can be included in the application program 12022.

[0102] In this embodiment of the invention, by calling the program or instructions stored in the memory 1202, specifically the program or instructions stored in the application program 12022, the processor 1201 executes the method steps provided in each method embodiment, including, for example:

[0103] Real-time acquisition of multiple related information and user login behavior data from the login webpage;

[0104] Conflicting information is identified from multiple related information sources, and the total number of conflicts in the conflicting information is counted within a preset time period;

[0105] Determine whether conflict information is abnormal based on the total number of conflicts;

[0106] If the conflict information is found to be abnormal, the login web page is detected as a credential stuffing attack based on user login behavior data.

[0107] In one possible implementation, conflicting information is determined from multiple pieces of associated information, including:

[0108] Tag each piece of related information on the front end;

[0109] Conflict information is determined based on the front-end information corresponding to each related piece of information.

[0110] In one possible implementation, conflict information is determined based on the front-end information corresponding to each piece of associated information:

[0111] Inconsistent related information from the front end is identified as conflicting information.

[0112] In one possible implementation, determining whether conflict information is abnormal based on the total number of conflicts includes:

[0113] Obtain the predicted total number of conflicts for a preset time period from the output of a pre-trained conflict total number prediction model; wherein, the conflict total number prediction model is a prediction model obtained by training a time series model based on the historical conflict total number.

[0114] The anomaly of conflict information is determined based on the predicted total number of conflicts and the total number of conflicts.

[0115] In one possible implementation, determining whether the conflict information is abnormal based on the predicted total number of conflicts and the total number of conflicts includes:

[0116] The difference in quantity is determined based on the predicted total number of conflicts and the total number of conflicts.

[0117] Determine whether the quantity difference is greater than a preset quantity difference;

[0118] If the difference in quantity is greater than the preset difference in quantity, the conflict information is determined to be abnormal.

[0119] If the quantity difference is less than or equal to the preset quantity difference, it is determined that there is no abnormality in the conflict information;

[0120] In one possible implementation, detecting whether a login webpage is a credential stuffing attack based on user login behavior data includes:

[0121] Obtain at least one credential stuffing attack characteristic from user login behavior data;

[0122] Detect whether a login webpage is a target of a credential stuffing attack based on at least one credential stuffing attack signature.

[0123] In one possible implementation, detecting whether a login webpage is a credential stuffing attack based on at least one credential stuffing attack characteristic data includes:

[0124] For each credential stuffing attack feature in at least one credential stuffing attack feature data, determine whether the credential stuffing attack feature data exceeds a preset data threshold;

[0125] If at least one data point indicating a credential stuffing attack exceeds a preset data threshold, the login webpage is detected as a credential stuffing attack.

[0126] In one possible implementation, the method further includes:

[0127] If the login webpage is detected as a credential stuffing attack, the login webpage will be restricted, and a password change prompt will be sent to the user.

[0128] The methods disclosed in the above embodiments of the present invention can be applied to processor 1201, or implemented by processor 1201. Processor 1201 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method can be completed by the integrated logic circuit of the hardware in processor 1201 or by instructions in the form of software. The processor 1201 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present invention can be directly embodied in the execution of a hardware decoding processor, or executed by a combination of hardware and software units in the decoding processor. The software units may be located in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. The storage medium is located in memory 1202. Processor 1201 reads the information in memory 1202 and completes the steps of the above method in conjunction with its hardware.

[0129] It is understood that the embodiments described herein can be implemented in hardware, software, firmware, middleware, microcode, or a combination thereof. For hardware implementation, the processing unit can be implemented in one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), general-purpose processors, controllers, microcontrollers, microprocessors, other electronic units for performing the functions described herein, or combinations thereof.

[0130] For software implementation, the techniques described herein can be implemented by units that perform the functions described herein. The software code can be stored in memory and executed by a processor. The memory can be implemented in the processor or external to the processor.

[0131] The electronic device provided in this embodiment may be as follows: Figure 6 The electronic device shown can perform the following: Figure 1-5 All steps of the method for detecting credential stuffing attacks, thereby achieving... Figure 1-5 For details on the technical effectiveness of the credential stuffing attack detection method shown, please refer to [link / reference]. Figure 1-2 The relevant descriptions are presented concisely and will not be elaborated upon here.

[0132] This invention also provides a storage medium (computer-readable storage medium). This storage medium stores one or more programs. The storage medium may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as read-only memory, flash memory, hard disk, or solid-state drive; the memory may also include combinations of the above types of memory.

[0133] The method described above for detecting credential stuffing attacks is implemented when one or more programs in the storage medium can be executed by one or more processors.

[0134] The processor is used to execute a program stored in memory for detecting credential stuffing attacks, in order to implement the following steps of the method for detecting credential stuffing attacks:

[0135] Real-time acquisition of multiple related information and user login behavior data from the login webpage;

[0136] Conflicting information is identified from multiple related information sources, and the total number of conflicts in the conflicting information is counted within a preset time period;

[0137] Determine whether conflict information is abnormal based on the total number of conflicts;

[0138] If the conflict information is found to be abnormal, the login web page is detected as a credential stuffing attack based on user login behavior data.

[0139] In one possible implementation, conflicting information is determined from multiple pieces of associated information, including:

[0140] Tag each piece of related information on the front end;

[0141] Conflict information is determined based on the front-end information corresponding to each related piece of information.

[0142] In one possible implementation, conflict information is determined based on the front-end information corresponding to each piece of associated information:

[0143] Inconsistent related information from the front end is identified as conflicting information.

[0144] In one possible implementation, determining whether conflict information is abnormal based on the total number of conflicts includes:

[0145] Obtain the predicted total number of conflicts for a preset time period from the output of a pre-trained conflict total number prediction model; wherein, the conflict total number prediction model is a prediction model obtained by training a time series model based on the historical conflict total number.

[0146] The anomaly of conflict information is determined based on the predicted total number of conflicts and the total number of conflicts.

[0147] In one possible implementation, determining whether the conflict information is abnormal based on the predicted total number of conflicts and the total number of conflicts includes:

[0148] The difference in quantity is determined based on the predicted total number of conflicts and the total number of conflicts.

[0149] Determine whether the quantity difference is greater than a preset quantity difference;

[0150] If the difference in quantity is greater than the preset difference in quantity, the conflict information is determined to be abnormal.

[0151] If the quantity difference is less than or equal to the preset quantity difference, it is determined that there is no abnormality in the conflict information;

[0152] In one possible implementation, detecting whether a login webpage is a credential stuffing attack based on user login behavior data includes:

[0153] Obtain at least one credential stuffing attack characteristic from user login behavior data;

[0154] Detect whether a login webpage is a target of a credential stuffing attack based on at least one credential stuffing attack signature.

[0155] In one possible implementation, detecting whether a login webpage is a credential stuffing attack based on at least one credential stuffing attack characteristic data includes:

[0156] For each credential stuffing attack feature in at least one credential stuffing attack feature data, determine whether the credential stuffing attack feature data exceeds a preset data threshold;

[0157] If at least one data point indicating a credential stuffing attack exceeds a preset data threshold, the login webpage is detected as a credential stuffing attack.

[0158] In one possible implementation, the method further includes:

[0159] If the login webpage is detected as a credential stuffing attack, the login webpage will be restricted, and a password change prompt will be sent to the user.

[0160] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this invention.

[0161] The steps of the methods or algorithms described in conjunction with the embodiments disclosed herein can be implemented in hardware, a software module executed by a processor, or a combination of both. The software module can be located in random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art.

[0162] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above description is only a specific embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims

1. A method of brute force attack detection, the method comprising: The method includes: Real-time acquisition of multiple related information and user login behavior data from the login webpage; Conflicting information is determined from multiple sets of associated information, and the total number of conflicts of the conflicting information is counted within a preset time period; The step of determining conflict information from multiple pieces of associated information includes tagging each piece of associated information with front-end information, with one piece of associated information tagged with one piece of front-end information; and determining conflict information based on the front-end information corresponding to each piece of associated information. The step of determining conflict information based on the front-end information corresponding to each of the associated information includes: determining the associated information with inconsistent front-end information as conflict information; Determine whether the conflict information is abnormal based on the total number of conflicts; If the conflict information is determined to be abnormal, the system detects whether logging into the web page is a credential stuffing attack based on the user login behavior data.

2. The method of claim 1, wherein, Determining whether the conflict information is abnormal based on the total number of conflicts includes: Obtain the predicted total number of conflicts for the preset duration, output by a pre-trained conflict total number prediction model; wherein, the conflict total number prediction model is a prediction model obtained by training a time series model based on the historical conflict total number. The abnormality of the conflict information is determined based on the predicted total number of conflicts and the total number of conflicts.

3. The method of claim 2, wherein, The step of determining whether the conflict information is abnormal based on the predicted total number of conflicts and the total number of conflicts includes: The quantity difference is determined based on the predicted total number of conflicts and the total number of conflicts; Determine whether the quantity difference is greater than a preset quantity difference; If the quantity difference is determined to be greater than the preset quantity difference, the conflict information is determined to be abnormal. If the quantity difference is determined to be less than or equal to the preset quantity difference, it is determined that the conflict information is not abnormal.

4. The method of claim 1, wherein, The method of detecting whether logging into the web page based on the user login behavior data constitutes a credential stuffing attack includes: Obtain at least one credential stuffing attack feature from the user login behavior data; Detect whether logging into the web page is a credential stuffing attack based on at least one of the aforementioned credential stuffing attack feature data.

5. The method of claim 4, wherein, The step of detecting whether logging into the web page is a credential stuffing attack based on at least one of the aforementioned credential stuffing attack feature data includes: For each of the credential stuffing attack feature data in at least one of the credential stuffing attack feature data, determine whether the credential stuffing attack feature data exceeds a preset data threshold; If at least one of the aforementioned credential stuffing attack characteristic data exceeds a preset data threshold, logging into the web page is detected as a credential stuffing attack.

6. The method of claim 1, wherein, The method further includes: If the login to the webpage is detected as a credential stuffing attack, login to the webpage will be restricted, and a password change prompt will be sent to the user.

7. An apparatus for detecting a brute force attack, the apparatus comprising: The device includes: The acquisition module is used to acquire multiple related information and user login behavior data from the login web page in real time. The statistical module is used to determine conflict information from multiple related information and to count the total number of conflicts of the conflict information within a preset time period. The step of determining conflict information from multiple pieces of associated information includes tagging each piece of associated information with front-end information, with one piece of associated information matching one piece of front-end information; and determining conflict information based on the front-end information corresponding to each piece of associated information. The step of determining conflict information based on the front-end information corresponding to each of the associated information includes: determining the associated information with inconsistent front-end information as conflict information; An anomaly determination module is used to determine whether the conflict information is abnormal based on the total number of conflicts. The credential stuffing attack detection module is used to detect whether logging into the web page constitutes a credential stuffing attack based on the user login behavior data when the conflict information is determined to be abnormal.

8. An electronic device, characterized in that, include: A processor and a memory, the processor being configured to execute a program for detecting credential stuffing attacks stored in the memory, to implement the method for detecting credential stuffing attacks according to any one of claims 1 to 6.

9. A storage medium, characterized by The storage medium stores one or more programs, which can be executed by one or more processors to implement the method for detecting credential stuffing attacks as described in any one of claims 1 to 6.