CN109218170A - IP address-based mail abnormal login detection method and system

Publication number: CN109218170A
Authority: CN (China)
Prior art keywords: geographical location, address, log, target, login
Legal status: Pending
Application number: CN201811215437.1A
Other languages: Chinese (zh)
Inventors: 邵宛岩, 范渊, 龙文洁
Current Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201811215437.1A
Abstract

The invention discloses an IP address-based method for detecting abnormal mail logins. The method comprises: receiving a login request from a target user, and reading the target user's historical login geographical location information from a preset mail login information library; parsing the login request to obtain the target user's current IP address and the target login geographical location corresponding to the current IP address; judging whether the target login geographical location matches the historical login geographical location information; and, if the judgment result is no, determining that the login request is an abnormal login request and raising an alert. This improves the accuracy of abnormal login detection and the user experience. The invention also discloses an IP address-based mail abnormal login detection system, a server and a readable storage medium, which have the corresponding technical effects.

Description

An IP address-based mail abnormal login detection method and system
Technical field
The present invention relates to the field of Internet technology, and in particular to an IP address-based mail abnormal login detection method, system, server and readable storage medium.
Background art
Because e-mail is convenient and fast to send and receive, the mailbox has become an essential tool for modern office work and communication.
However, because some e-mail users have insufficient awareness of privacy and of Internet e-mail security, fraudsters are given an opening, and mail security incidents that cause users economic loss occur from time to time. Specifically, offenders usually use Trojan horses or phishing websites to steal an enterprise's e-mail accounts and then commit online fraud; and some hackers, after stealing user information databases from websites, sell the user information for profit or distribute it to phishing companies, which then use various high-tech means to commit further fraud.
At present, for the security problem of abnormal mail account logins, the common alert detection approach mostly decides whether to alert directly from the local IP address. But when IP addresses are randomly assigned, the IP in use changes frequently; and the Internet service provider the user is on has multiple network egress points, which also change often. Because there are many situations in which external factors change the IP, false alarms are often generated, and after a false alarm the user also has to carry out some security-setting work, which brings mail users considerable inconvenience.
In summary, how to effectively solve problems such as the accuracy of abnormal login detection is a technical problem that those skilled in the art urgently need to solve.
Summary of the invention
The object of the present invention is to provide an IP address-based mail abnormal login detection method, system, server and readable storage medium, so as to improve the accuracy of abnormal login detection and the user experience.
To solve the above technical problem, the invention provides the following technical solution:
An IP address-based mail abnormal login detection method, comprising:
receiving a login request from a target user, and reading the historical login geographical location information of the target user from a preset mail login information library;
parsing the login request to obtain the current IP address of the target user and the target login geographical location corresponding to the current IP address;
judging whether the target login geographical location matches the historical login geographical location information;
if the judgment result is no, determining that the login request is an abnormal login request, and raising an alert.
Preferably, judging whether the target login geographical location matches the historical login geographical location information comprises:
determining, from the historical login geographical location information, the most recent login geographical location and the most recent login time corresponding to it;
judging whether the time interval between the most recent login time and the current login time is less than a preset threshold;
if so, judging whether the target login geographical location is consistent with the most recent login geographical location.
Preferably, judging whether the target login geographical location matches the historical login geographical location information comprises:
determining, using the historical login geographical location information, the set of common login geographical locations of the target user;
judging whether the target login geographical location belongs to the set of common login geographical locations.
Preferably, determining the set of common login geographical locations of the target user using the historical login geographical location information comprises:
performing cluster analysis on the historical login geographical location information using the K-Means clustering algorithm to obtain the set of common login geographical locations of the target user.
Preferably, after judging whether the target login geographical location matches the historical login geographical location information, the method further comprises:
recording the target login geographical location, the login time, the target login account and whether the login succeeded in the mail login information library.
Preferably, parsing the login request to obtain the current IP address of the target user and the target login geographical location corresponding to the current IP address comprises:
reading the target mail protocol corresponding to the login request;
parsing the login request using the target mail protocol to obtain the current IP address of the target user;
determining the target login geographical location corresponding to the current IP address using a geographical location correspondence dictionary.
Preferably, the method further comprises:
obtaining traffic information by traffic mirroring;
parsing the traffic information to obtain mail login information, wherein the mail login information includes: the mail login account, the mail login IP, the mail login time, and whether the login succeeded;
determining the target login records of the target user from the mail login information, and determining the historical login geographical location information from the target login records.
An IP address-based mail abnormal login detection system, comprising:
a login request receiving module, for receiving a login request from a target user and reading the historical login geographical location information of the target user from a preset mail login information library;
a target login geographical location determining module, for parsing the login request to obtain the current IP address of the target user and the target login geographical location corresponding to the current IP address;
an abnormality judgment module, for judging whether the target login geographical location matches the historical login geographical location information;
a mail abnormality alert module, for determining, if the judgment result is no, that the login request is an abnormal login request, and raising an alert.
An IP address-based mail abnormal login detection server, comprising:
a memory, for storing a computer program;
a processor, which implements the steps of the above IP address-based mail abnormal login detection method when executing the computer program.
A readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the above IP address-based mail abnormal login detection method.
With the method provided by the embodiments of the present invention, a login request from a target user is received, and the historical login geographical location information of the target user is read from a preset mail login information library; the login request is parsed to obtain the current IP address of the target user and the target login geographical location corresponding to the current IP address; whether the target login geographical location matches the historical login geographical location information is judged; and if the judgment result is no, the login request is determined to be an abnormal login request and an alert is raised.
Most e-mail users do not change their login geographical location much when using e-mail. In addition, because the geographical location correspondence dictionary is an open-source dictionary that can be obtained from the public network, the current IP address of the target user can be determined by parsing the login request, and the target login geographical location of the target user, i.e. the region where the current user is located, can then be determined from the dictionary based on the current IP address. The target login geographical location is then matched against the target user's historical login geographical location information stored in advance in the mail login information library to determine whether this login is abnormal. That is, when the target login geographical location does not match the historical login geographical location information, this login is determined to be abnormal, i.e. the login request is an abnormal login request, and an alert can be raised. In this way, even if the target user's IP address changes because of external factors, no alert is output as long as the target user's actual login geographical location has not changed. False alarms are therefore not generated because of IP address changes, which improves the accuracy of abnormal login detection and the user experience.
Correspondingly, the embodiments of the present invention also provide an IP address-based mail abnormal login detection system, server and readable storage medium corresponding to the above method, which have the above technical effects and are not described again here.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is an implementation flow chart of an IP address-based mail abnormal login detection method in an embodiment of the present invention;
Fig. 2 is a structural schematic diagram of an IP address-based mail abnormal login detection system in an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of an IP address-based mail abnormal login detection server in an embodiment of the present invention;
Fig. 4 is a specific structural schematic diagram of an IP address-based mail abnormal login detection server in an embodiment of the present invention.
Detailed description of the embodiments
To enable those skilled in the art to better understand the solution of the present invention, the invention is described in further detail below with reference to the drawings and specific embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment one:
Referring to Fig. 1, which is a flow chart of an IP address-based mail abnormal login detection method in an embodiment of the present invention, the method includes the following steps:
S101: receive a login request from a target user, and read the historical login geographical location information of the target user from a preset mail login information library.
In this embodiment, a mail login information library can be preset, and the login information of each mail user, such as historical login geographical location information and login time, is stored in it. Note that the historical login geographical location information is obtained by looking up the user's login IP in the geographical location correspondence dictionary.
Specifically, the login information in the mail login information library can be obtained by performing the following steps:
Step 1: obtain traffic information by traffic mirroring;
Step 2: parse the traffic information to obtain mail login information, where the mail login information includes: the mail login account, the mail login IP, the mail login time, and whether the login succeeded;
Step 3: determine the target login records of the target user from the mail login information, and determine the historical login geographical location information from the target login records.
For ease of description, the three steps above are explained together below.
When the mail server provides mail service externally, the traffic flowing through the mail server is acquired by traffic mirroring. To make the traffic easier to acquire this way, the corresponding information, such as the mail server IP and service port, can also be configured for the mail server. The traffic information referred to here is the various data packets flowing through the mail server. Parsing the traffic information with the mail protocol yields the mail login information, which includes the mail login account, the mail login IP, the mail login time, and whether the login succeeded. As for the parsing itself: there are many mail protocols, and the information and identifiers contained in the acquired mail server traffic differ by protocol, so the mail server protocol must be obtained first. Once the protocol is known, it is used to find where the mail login account is stored in the traffic and then to obtain the account; to find where the mail login IP is stored and then to obtain the IP; and to find where the mail login time is stored and then to obtain the time. Whether the login succeeded can also be determined from the traffic. After the traffic has been parsed, the resulting mail login information is saved to the mail login information library. That is, the mail login information saved in the library includes but is not limited to the following fields: mail login account, mail login IP, mail login time, and whether the login succeeded.
The mail server receives the login request sent by the target user. The login request can specifically be a packet, sent according to the mail protocol, that requests a login. After the login request is received, the historical login geographical location information of the target user is read from the preset mail login information library.
S102: parse the login request to obtain the current IP address of the target user and the target login geographical location corresponding to the current IP address.
It can be assumed that normal users do not show large geographical differences when using e-mail. For example, if an account logged in from Shanghai ten minutes ago, but a login request for the same account is received ten minutes later from Beijing, this login clearly does not fit normal behaviour and is likely to be an abnormal login. Based on this, after the login request is received it can be parsed to obtain the current IP address of the target user and the target login geographical location corresponding to the current IP address, i.e. the geographical location of the current user. Ways of obtaining the current IP address and the target login geographical location include, but are not limited to, the following two:
Mode one:
Modify the mail protocol so that the client determines its location when issuing a login request and writes the IP address and location information into the login request. When the mail server receives the login request, it can then read the current IP address and the corresponding target login geographical location directly from the request according to the mail protocol.
Mode two:
Because the geographical location correspondence dictionary stores IP addresses together with their corresponding geographical locations, and the dictionary can be obtained from the public network, the IP address and the target login geographical location can also be obtained by parsing the login request without modifying the mail protocol. The implementation steps are:
Step 1: read the target mail protocol corresponding to the login request;
Step 2: parse the login request using the target mail protocol to obtain the current IP address of the target user;
Step 3: determine the target login geographical location corresponding to the current IP address using the geographical location correspondence dictionary.
For ease of description, the three steps above are explained together below.
That is, first read the target mail protocol corresponding to the login request, then parse the login request using that protocol to obtain the target user's current IP address; for example, according to the mail server protocol, find where the mail login IP is stored in the traffic packet corresponding to the login request, and then obtain the mail login IP. Then determine the target login geographical location corresponding to the current IP from the geographical location correspondence dictionary.
After the IP address and the target login geographical location have been obtained, step S103 can be performed.
S103: judge whether the target login geographical location matches the historical login geographical location information.
After the target login geographical location and the target user's historical login geographical location information have been obtained, whether the current login request is abnormal can be determined by judging whether the two match.
Specifically, ways of judging whether the information matches include, but are not limited to, the following two options:
Mode one, judging based on the most recent login geographical location:
From the historical login geographical location information, determine the most recent login geographical location and its corresponding most recent login time; judge whether the time interval between the most recent login time and the current login time is less than a preset threshold; if so, judge whether the target login geographical location is consistent with the most recent login geographical location.
The preset threshold can be configured according to the user's needs, for example 10 minutes, 1 hour or 1 day. That is, the most recent login geographical location information and its corresponding most recent login time are determined from the historical login geographical location information, and the time interval between the most recent login time and the current login time is compared with the preset threshold. If the interval is not less than the threshold, no operation is needed; if it is, then under normal circumstances this login and the most recent login should have consistent login geographical location information. Whether there is an abnormal situation can therefore be determined by judging whether the target login geographical location information is consistent with the most recent login location information.
Mode two, judging based on common login geographical locations:
Most users log in to their mail mainly from the office, home, school or relatively fixed leisure venues. That is, each user has one or more corresponding common login geographical locations. Whether a login is abnormal can therefore be determined by judging whether the target login geographical location belongs to the common geographical locations. Specifically, the historical login geographical location information is used to determine the target user's set of common login geographical locations, and the target login geographical location is then checked against that set. To determine the set, the historical login geographical location information can be counted directly, and the login locations whose number of occurrences exceeds a threshold are taken as common login geographical locations; alternatively, the counts are sorted and the several top-ranked login locations are taken as common login geographical locations. The common login locations so determined are then added to the set of common geographical locations, and the target login geographical location is checked for membership in that set.
Preferably, when determining the set of common login geographical locations, the K-Means clustering algorithm can also be used to perform cluster analysis on the historical login geographical location information to obtain the target user's set of common login geographical locations. The K value used for clustering can be a suggested value given after optimisation by the K-Means clustering algorithm according to the sample data, or it can be adjusted from experience. For example, K centres are selected at random, and the difference between each sample (i.e. each historical login geographical location in the historical login geographical location information) and each centre is computed; each sample is assigned to the class whose centre is nearest, and samples in the same class form one cluster. Then the centre of each cluster is set to the mean of all samples in the cluster, and the operation of computing each sample's difference from the centres and assigning it to the nearest class is repeated until the change in the class centres is smaller than a certain threshold, which is the termination condition.
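The clustering loop just described, as an added example that is not part of the patent text. It assumes the dictionary lookup yields (latitude, longitude) pairs; the haversine distance, the 50 km membership radius, the `min_members` filter for one-off locations and all coordinates are assumptions or constructed sample data.

```python
import math
import random

EARTH_RADIUS_KM = 6371.0

# Constructed history: geolocated (lat, lon) of past logins for one account.
HISTORY = [
    (31.23, 121.47), (31.20, 121.50), (31.25, 121.45), (31.22, 121.48),  # one metro area
    (30.27, 120.15), (30.30, 120.20), (30.25, 120.10),                   # a second one
    (22.54, 114.06),                                                     # single one-off login
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def kmeans(points, centres, tol_km=0.1, max_iter=100):
    """Assign each sample to its nearest centre, move each centre to the mean of
    its cluster, and stop once no centre moves more than tol_km."""
    centres = list(centres)
    clusters = [[] for _ in centres]
    for _ in range(max_iter):
        clusters = [[] for _ in centres]
        for p in points:
            nearest = min(range(len(centres)), key=lambda i: haversine_km(p, centres[i]))
            clusters[nearest].append(p)
        new_centres = []
        for old, members in zip(centres, clusters):
            if members:
                new_centres.append((sum(m[0] for m in members) / len(members),
                                    sum(m[1] for m in members) / len(members)))
            else:
                new_centres.append(old)  # an empty cluster keeps its previous centre
        shift = max(haversine_km(o, n) for o, n in zip(centres, new_centres))
        centres = new_centres
        if shift < tol_km:  # termination condition from the text
            break
    return centres, clusters


def common_login_centres(points, k, min_members=2, init=None, seed=0):
    """Cluster the history and keep only centres backed by at least min_members
    logins (assumption: a location seen once is not 'common')."""
    if init is None:
        # Random initial centres, drawn from distinct historical points.
        init = random.Random(seed).sample(sorted(set(points)), k)
    centres, clusters = kmeans(points, init)
    return [c for c, members in zip(centres, clusters) if len(members) >= min_members]


def is_common_location(target, centres, radius_km=50.0):
    """Membership test (assumption): target lies within radius_km of a common centre."""
    return any(haversine_km(target, c) <= radius_km for c in centres)


if __name__ == "__main__":
    centres = common_login_centres(HISTORY, k=3)
    for candidate in [(31.21, 121.46), (39.90, 116.40)]:
        print(candidate, "common" if is_common_location(candidate, centres) else "NOT common")
```

K-Means puts every sample in some cluster, so without a filter such as `min_members` a single stray login would itself become a "common" location.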
Note that the two judgment modes above can be used in parallel, in series, or individually. If the judgment result is yes, the login request is a normal login request and can be handled by the conventional login process; if the judgment result is no, the login request may have been made by an illegitimate user and is an abnormal situation, and step S104 can then be performed.
S104: determine that the login request is an abnormal login request, and raise an alert.
When the judgment result is no, the login request is determined to be an abnormal login request, and alert information can be output, for example an alarm prompt. Of course, additional identity verification can also be performed on the target user to ensure that the login is being carried out by the target user in person; for example, the user's identity can be verified again by common methods such as SMS verification or security questions. The user's login request can also be rejected directly, requiring the user to wait for a period of time before accessing the server again.
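Steps S101 to S104 with both judgment modes run in parallel, as an added example that is not code from the patent. The prefix-to-city dictionary, the account and the records are constructed; baselining only on successful logins, alerting on an unmapped IP and skipping the check when no history exists are assumptions of this sketch.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed dictionary: documentation prefixes mapped to cities (not real allocations).
GEO_DICT = {
    ipaddress.ip_network("192.0.2.0/24"): "Shanghai",
    ipaddress.ip_network("198.51.100.0/24"): "Beijing",
    ipaddress.ip_network("203.0.113.0/24"): "Hangzhou",
}


@dataclass
class LoginRecord:
    account: str
    ip: str
    time: datetime
    success: bool
    location: str


def lookup_location(ip):
    """S102: map an IP to a city via the dictionary; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, city) for net, city in GEO_DICT.items() if addr in net]
    return max(hits)[1] if hits else None  # most specific prefix wins


def sample_library():
    """Constructed mail login information library for one account."""
    def rec(ip, day, hour, ok):
        return LoginRecord("alice", ip, datetime(2018, 10, day, hour), ok, lookup_location(ip))
    return [
        rec("203.0.113.5", 13, 20, True),
        rec("203.0.113.5", 14, 20, True),
        rec("192.0.2.10", 15, 9, True),
        rec("192.0.2.10", 16, 9, True),
        rec("198.51.100.7", 17, 3, False),  # failed attempts must not shape the baseline
        rec("198.51.100.7", 17, 4, False),
        rec("192.0.2.10", 18, 9, True),
    ]


def check_login(library, account, ip, now, threshold=timedelta(hours=1), min_count=2):
    """Return (target_location, reasons); a non-empty reasons list means 'alert'."""
    # S101: read the account's history (assumption: successful logins only).
    history = [r for r in library if r.account == account and r.success]
    target = lookup_location(ip)
    if target is None:
        return None, ["IP not covered by the geolocation dictionary"]
    if not history:
        return target, []  # assumption: no baseline yet, nothing to compare against
    reasons = []
    # Mode one: compare with the most recent login if it is closer than the threshold.
    last = max(history, key=lambda r: r.time)
    if now - last.time < threshold and target != last.location:
        reasons.append(f"location changed {last.location} -> {target} within {threshold}")
    # Mode two: the location must be one the account has used at least min_count times.
    counts = Counter(r.location for r in history)
    if counts[target] < min_count:
        reasons.append(f"{target} is not a common login location")
    return target, reasons


def record_login(library, account, ip, now, success, location):
    """Store the judged login so that the next request is compared against it."""
    library.append(LoginRecord(account, ip, now, success, location))


if __name__ == "__main__":
    lib = sample_library()
    when = datetime(2018, 10, 18, 9, 10)
    for ip in ("192.0.2.200", "198.51.100.7"):
        loc, why = check_login(lib, "alice", ip, when)
        print(ip, loc, "ALERT: " + "; ".join(why) if why else "ok")
```

The first request comes from a different IP in the same city as the login ten minutes earlier and raises no alert, which is the false-alarm case the method is meant to remove; the second repeats the Shanghai-to-Beijing case from the text.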
With the method provided by the embodiments of the present invention, a login request from a target user is received, and the historical login geographical location information of the target user is read from a preset mail login information library; the login request is parsed to obtain the current IP address of the target user and the target login geographical location corresponding to the current IP address; whether the target login geographical location matches the historical login geographical location information is judged; and if the judgment result is no, the login request is determined to be an abnormal login request and an alert is raised.
Most e-mail users do not change their login geographical location much when using e-mail. In addition, because the geographical location correspondence dictionary is an open-source dictionary that can be obtained from the public network, the current IP address of the target user can be determined by parsing the login request, and the target login geographical location of the target user, i.e. the region where the current user is located, can then be determined from the dictionary based on the current IP address. The target login geographical location is then matched against the target user's historical login geographical location information stored in advance in the mail login information library to determine whether this login is abnormal. That is, when the target login geographical location does not match the historical login geographical location information, this login is determined to be abnormal, i.e. the login request is an abnormal login request, and an alert can be raised. In this way, even if the target user's IP address changes because of external factors, no alert is output as long as the target user's actual login geographical location has not changed. False alarms are therefore not generated because of IP address changes, which improves the accuracy of abnormal login detection and the user experience.
Preferably, after judging whether the target login geographical location matches the historical login geographical location information, the target login geographical location, the login time, the target login account and whether the login succeeded can also be recorded in the mail login information library. In this way, when the target user issues the next login request, the mail server can judge that request based on this mail login information.
Embodiment two:
Corresponding to the above method embodiment, the embodiments of the present invention also provide an IP address-based mail abnormal login detection system. The system described below and the method described above can be read with reference to each other.
As shown in Fig. 2, the system includes the following modules:
a login request receiving module 101, for receiving a login request from a target user and reading the historical login geographical location information of the target user from a preset mail login information library;
a target login geographical location determining module 102, for parsing the login request to obtain the current IP address of the target user and the target login geographical location corresponding to the current IP address;
an abnormality judgment module 103, for judging whether the target login geographical location matches the historical login geographical location information;
a mail abnormality alert module 104, for determining, if the judgment result is no, that the login request is an abnormal login request, and raising an alert.
With the system provided by the embodiments of the present invention, a login request from a target user is received, and the historical login geographical location information of the target user is read from a preset mail login information library; the login request is parsed to obtain the current IP address of the target user and the target login geographical location corresponding to the current IP address; whether the target login geographical location matches the historical login geographical location information is judged; and if the judgment result is no, the login request is determined to be an abnormal login request and an alert is raised.
Most e-mail users do not change their login geographical location much when using e-mail. In addition, because the geographical location correspondence dictionary is an open-source dictionary that can be obtained from the public network, the current IP address of the target user can be determined by parsing the login request, and the target login geographical location of the target user, i.e. the region where the current user is located, can then be determined from the dictionary based on the current IP address. The target login geographical location is then matched against the target user's historical login geographical location information stored in advance in the mail login information library to determine whether this login is abnormal. That is, when the target login geographical location does not match the historical login geographical location information, this login is determined to be abnormal, i.e. the login request is an abnormal login request, and an alert can be raised. In this way, even if the target user's IP address changes because of external factors, no alert is output as long as the target user's actual login geographical location has not changed. False alarms are therefore not generated because of IP address changes, which improves the accuracy of abnormal login detection and the user experience.
In a specific embodiment of the invention, the abnormal judgment module 103 is specifically configured to determine, from the historical login geographic location information, the most recent login geographic location and the most recent login time corresponding to it; to judge whether the time interval between the most recent login time and the current login time is less than a preset threshold; and, if so, to judge whether the target login geographic location is consistent with the most recent login geographic location.
In a specific embodiment of the invention, the abnormal judgment module 103 is specifically configured to determine the target user's set of common login geographic locations from the historical login geographic location information, and to judge whether the target login geographic location belongs to that set.
In a specific embodiment of the invention, the abnormal judgment module 103 is specifically configured to perform cluster analysis on the historical login geographic location information using the K-Means clustering algorithm, obtaining the target user's set of common login geographic locations.
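One way to derive the set of common login geographic locations with K-Means, as an added example (not code from the patent). It assumes each historical login has already been resolved to a (latitude, longitude) pair and uses plain Euclidean distance in degrees; `k`, `min_share`, `radius_deg` and the sample coordinates are constructed for illustration.

```python
import math

# Constructed history of (lat, lon) login points: two frequent areas, one stray login.
HISTORY = [(30.27, 120.15), (30.28, 120.16), (30.26, 120.14), (30.27, 120.17),
           (30.29, 120.15), (30.25, 120.16), (31.23, 121.47), (31.22, 121.48),
           (31.24, 121.46), (39.90, 116.40)]

def kmeans(points, k, iters=20):
    """Lloyd's K-Means with farthest-point seeding (deterministic, no RNG)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(math.dist(p, c) for c in centroids)))
    clusters = []
    for _ in range(iters):
        clusters = [[] for _ in centroids]
        for p in points:
            nearest = min(range(k), key=lambda i: math.dist(p, centroids[i]))
            clusters[nearest].append(p)
        # Recompute each centroid as the mean of its members; empty clusters stay put.
        updated = [(sum(p[0] for p in c) / len(c), sum(p[1] for p in c) / len(c)) if c
                   else centroids[i] for i, c in enumerate(clusters)]
        if updated == centroids:
            break
        centroids = updated
    return centroids, clusters

def common_locations(history, k=3, min_share=0.2):
    """Centroids of clusters holding at least min_share of all historical logins."""
    centroids, clusters = kmeans(history, k)
    return [c for c, members in zip(centroids, clusters)
            if len(members) / len(history) >= min_share]

def is_common(target, common, radius_deg=1.0):
    """True when the target login point lies within radius_deg of a common centroid."""
    return any(math.dist(target, c) <= radius_deg for c in common)

if __name__ == "__main__":
    common = common_locations(HISTORY)
    for point in [(30.30, 120.20), (39.90, 116.40)]:
        print(point, "common" if is_common(point, common) else "ALERT")
```

The single stray login forms its own cluster but falls below `min_share`, so a later login from the same place is still treated as outside the common set.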
In a specific embodiment of the invention, the system further includes:
A login information recording module, configured to record, after it has been judged whether the target login geographic location matches the historical login geographic location information, the target login geographic location, the login time, the target login account and whether the login succeeded in the mail login information library.
In a specific embodiment of the invention, the target login geographic location determination module 102 is specifically configured to read the target mail protocol corresponding to the login request; to parse the login request using the target mail protocol, obtaining the current IP address of the target user; and to determine the target login geographic location corresponding to the current IP address using the geographic location correspondence dictionary.
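The judgment described above (resolve the current IP address to a location, then compare it with the most recent login when the two logins are close in time), as an added example that is not code from the patent. The CIDR-to-region table, the two-hour threshold, the fallback used once the interval exceeds the threshold, and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for the geographic location correspondence dictionary
# (documentation-only address ranges, placeholder region names).
GEO_DICT = {"192.0.2.0/24": "Region-A", "198.51.100.0/24": "Region-A",
            "203.0.113.0/24": "Region-B"}
NETWORKS = [(ipaddress.ip_network(cidr), region) for cidr, region in GEO_DICT.items()]

# Constructed history for one account: (login time, login geographic location).
T0 = datetime(2018, 10, 18, 9, 0)
HISTORY = [(T0 - timedelta(days=5), "Region-B"), (T0, "Region-A")]

def locate(ip):
    """Map an IP address to a region by longest-prefix match, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, region) for net, region in NETWORKS if addr in net]
    return max(hits)[1] if hits else None

def is_abnormal(history, ip, now, threshold=timedelta(hours=2)):
    """Judge one login against the account's history of (time, location) records."""
    target = locate(ip)
    if target is None or not history:
        return True  # assumption: no resolvable location or no baseline is a mismatch
    last_time, last_location = max(history)  # most recent login
    if now - last_time < threshold:
        # Logins close together in time must come from the same location.
        return target != last_location
    # Assumption: outside the interval, fall back to "location seen in history".
    return target not in {location for _, location in history}

if __name__ == "__main__":
    soon = T0 + timedelta(minutes=30)
    # Different IP range, same region: no alert. Different region: alert.
    for ip in ("198.51.100.7", "203.0.113.9"):
        print(ip, locate(ip), "ALERT" if is_abnormal(HISTORY, ip, soon) else "ok")
```

A login from a different address range that maps to the same region passes, which is the false-alarm reduction the description claims for location-based matching.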
In a specific embodiment of the invention, the system further includes:
A historical geographic location information recording module, configured to obtain traffic information using traffic mirroring; to parse the traffic information to obtain mail login information, where the mail login information includes the mail login account, the mail login IP, the mail login time and whether the login succeeded; and to determine the target login records of the target user from the mail login information and use the target login records to determine the historical login geographic location information.
Embodiment three:
Corresponding to the above method embodiment, an embodiment of the present invention further provides an IP address-based mail abnormal login detection server. The server described below and the IP address-based mail abnormal login detection method described above may be referred to in correspondence with each other.
Referring to Fig. 3, the IP address-based mail abnormal login detection server includes:
A memory D1, configured to store a computer program;
A processor D2, configured to implement the steps of the IP address-based mail abnormal login detection method of the above method embodiment when executing the computer program.
Specifically, referring to Fig. 4, Fig. 4 is a schematic diagram of the concrete structure of an IP address-based mail abnormal login detection server provided in this embodiment. The server may differ considerably depending on configuration or performance, and may include one or more central processing units (CPU) 322 (for example, one or more processors), memory 332, and one or more storage media 330 (for example, one or more mass storage servers) storing application programs 342 or data 344. The memory 332 and the storage medium 330 may provide transient or persistent storage. The program stored in the storage medium 330 may include one or more modules (not marked in the figure), and each module may include a series of instruction operations on the data processing server. Further, the central processing unit 322 may be configured to communicate with the storage medium 330 and to execute, on the IP address-based mail abnormal login detection server 301, the series of instruction operations in the storage medium 330.
The IP address-based mail abnormal login detection server 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, for example Windows Server™, Mac OS X™, Unix™, Linux™ or FreeBSD™.
The steps of the IP address-based mail abnormal login detection method described above can be implemented by the structure of the IP address-based mail abnormal login detection server.
Embodiment four:
Corresponding to the above method embodiment, an embodiment of the present invention further provides a readable storage medium. The readable storage medium described below and the IP address-based mail abnormal login detection method described above may be referred to in correspondence with each other.
A readable storage medium stores a computer program, and when the computer program is executed by a processor, the steps of the IP address-based mail abnormal login detection method of the above method embodiment are implemented.
The readable storage medium may specifically be any readable storage medium capable of storing program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms of function. Whether these functions are implemented in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.

Claims: 10

Application number: CN201811215437.1A
Publication number: CN109218170A (en)
Title: A kind of IP address-based mail abnormal login detecting method and system
Priority date: 2018-10-18
Filing date: 2018-10-18
Publication date: 2019-01-15
Status: Pending
Family ID: 64980788
Country: CN

Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination
RJ01: Rejection of invention patent application after publication

Application publication date: 2019-01-15

