阅读说明：本技术 一种结合风控系统检测设备指纹是否碰撞的方法及装置 (Method and device for detecting whether device fingerprints collide or not by combining wind control system ) 是由 杜威 张晓科 陈树华 于 2021-09-10 设计创作，主要内容包括：本发明公开了一种结合风控系统检测设备指纹是否碰撞的方法及装置,所述方法包括以下步骤：S1.互联网终端设备采集设备环境信息上报到设备指纹服务；S2.设备指纹系统将采集数据解密,解析好以后,将设备环境信息和网络环境信息一并发送给决策系统,所述设备环境信息和网络环境信息中包含若干特征；S3.决策系统计算并判断设备信息和网络环境信息中每个特征的重复率和空值率,对于重复率超出预设第一阈值或空值率超出预设第二阈值的特征标记为异常特征,设备指纹系统根据异常特征实时进行调整,以此避免指纹计算出现碰撞。(The invention discloses a method and a device for detecting whether equipment fingerprints collide or not by combining a wind control system, wherein the method comprises the following steps: s1, collecting equipment environment information by an internet terminal equipment and reporting the equipment environment information to an equipment fingerprint service; s2, the equipment fingerprint system decrypts the acquired data, and after the acquired data are analyzed, the equipment environment information and the network environment information are sent to a decision-making system together, wherein the equipment environment information and the network environment information comprise a plurality of characteristics; and S3, the decision system calculates and judges the repetition rate and the null value rate of each feature in the equipment information and the network environment information, the feature with the repetition rate exceeding a preset first threshold or the null value rate exceeding a preset second threshold is marked as an abnormal feature, and the equipment fingerprint system adjusts in real time according to the abnormal feature so as to avoid the collision in fingerprint calculation.)

1. A method for detecting whether device fingerprints collide in combination with a wind control system, the method comprising the steps of:

s1, the Internet terminal equipment collects the environmental information of the equipment and reports the information to the fingerprint service of the equipment;

s2, after the acquired data are decrypted and analyzed, the equipment fingerprint system sends the equipment environment information and the network environment information to the decision-making system, wherein the equipment environment information and the network environment information comprise a plurality of characteristics;

and S3, the decision system calculates and judges the repetition rate and the null value rate of each feature in the equipment information and the network environment information, the feature with the repetition rate exceeding a preset first threshold or the null value rate exceeding a preset second threshold is marked as an abnormal feature, and the equipment fingerprint system adjusts in real time according to the abnormal feature so as to avoid the collision in fingerprint calculation.

2. The method for detecting whether the fingerprints of the equipment collide with each other by combining the wind control system according to claim 1, wherein in the android system, the equipment environment information comprises imei, mac, a mobile phone model, an operating system version, android _ id, Bluetooth mac, cpu frequency, system startup time and system update time; the device environment information in the iOS system includes idfa, idfv, screen resolution, cpu frequency, battery information, and boot time.

3. The method for detecting whether the fingerprints of the equipment collide with each other by combining the wind control system according to claim 1 or 2, wherein the decision system comprises two functions of a rule engine and real-time calculation, the decision system is divided into a rule engine module and a real-time calculation module, the rule engine module is responsible for executing relevant strategies, and the real-time calculation module is responsible for executing various types of aggregation calculation.

4. The method for detecting whether the fingerprints of the equipment collide with the wind control system according to claim 3, wherein the real-time computing module is responsible for computing all indexes of the features related to fingerprint computation, and computing repetition rates and null values of the features under each equipment model and operating system version; and reading related repetition rate and null value rate data by the rule engine module, and carrying out rule judgment to obtain whether the repetition rate and the null value rate of each feature are within a preset threshold value.

5. The method for detecting whether the fingerprints of the equipment collide with the wind control system according to claim 4, wherein when the repetition rate of a certain characteristic exceeds a preset first threshold or the null rate exceeds a preset second threshold, the characteristic is marked as an abnormal characteristic, the rule engine module feeds back the abnormal condition of the abnormal characteristic to the equipment fingerprint system, and the equipment fingerprint system adjusts in real time according to the result fed back by the rule engine module, so as to reduce the calculation weight of the abnormal characteristic or not use the abnormal characteristic for calculation.

6. The method for detecting whether the fingerprints of the devices collide with each other by combining the wind control system according to claim 5, wherein the real-time computing module needs to distinguish whether the fingerprints belong to different devices or are reported by the same device in the computing process, and the distinguishing strategy is as follows: firstly, whether equipment is provided with cheating software is detected, if the detection result shows that the cheating software is not provided, the analyzed city is analyzed according to the GPS position and the ip address of the equipment, and if the equipment with the cheating software of a certain model and an operating system version is provided with equipment with different GPS positions, different cities, different system startup times and different system updating times, the fact that the mac address is repeated on the equipment of the model and the operating system version is found through calculation.

7. The method for detecting whether the fingerprints of the equipment collide with the wind control system according to claim 6, wherein the real-time calculation module performs related repetition rate and null rate calculation on all the characteristics related to calculation, and adopts an aggregation calculation mode to store and accumulate in redis, each mac address is used as a rediskey, and the value in the rediskey is the number of times of occurrence of the mac address on the same day and the number of associated ip, area and equipment models.

8. The method for detecting whether fingerprints of equipment collide in combination with the wind control system according to claim 6 or 7, wherein the equipment is a mobile phone.

9. The method for detecting whether the fingerprint of the device collides in combination with the wind control system as claimed in claim 6, wherein the method for detecting whether the device is installed with cheating software is to detect whether the characteristics of jail breaking, simulator and root code injection exist.

10. An apparatus for detecting whether device fingerprints collide with each other in combination with a wind control system, comprising an internet terminal, a device fingerprint system and a decision system, wherein the decision system comprises a rule engine module and a real-time computation module, and the apparatus is used for implementing the method for detecting whether device fingerprints collide with each other in combination with a wind control system according to any one of claims 1 to 9.

Technical Field

The invention relates to the field of computer and network communication, in particular to a method and a device for detecting whether equipment fingerprints collide or not by combining a wind control system.

Background

The equipment fingerprint technology is a common technology in the field of internet, is particularly common in the field of business security, and is a basic security service. The method is characterized in that a series of characteristic information of the equipment is collected and is uploaded to a server side, the server side generates a unique identifier for each equipment through algorithm analysis and matching, and the specific work flow is shown in figure 1.

The device fingerprint application has two core indexes, uniqueness and stability. Uniqueness is that different devices need to generate different fingerprints, and if different devices calculate the same fingerprint, a collision occurs. The stability is that the fingerprint of the device needs to be guaranteed not to change after some operations, such as installation, uninstallation, system upgrade, etc. The scheme mainly aims at the problem of uniqueness. The uniqueness problem that can meet at present is because the continuous tightening of permission of cell-phone firm and operating system provider leads to many characteristics collection rate to lower and lower, and what many characteristics were gathered is problematic moreover, for example mac address, android and ios are all the same that present new version was gathered, and field collection rates such as imei, idfa are also lower and lower. The consequence of the absence or repetition of the core features is that similar devices calculate the same fingerprint, i.e. a collision occurs. Fingerprint collision is a serious problem and directly affects the usability of the device fingerprint.

At present, aiming at the data abnormal condition caused by the new version, a manufacturer can avoid the large-scale collision of fingerprints only by updating the SDK and the application in time. In the prior art, no good method is provided for data acquisition abnormity brought by the release of the new-model mobile phone or the new-version system, the SDK and the background system can be updated immediately for evasion only after the situation occurs, and self-discovery and self-repair cannot be achieved.

Aiming at the problem, the scheme provides that a decision system is used for decision judgment in the fingerprint calculation process, and fingerprint calculation is carried out according to a decision result returned by decision. The decision-making system is responsible for calculating the null value rate and the repetition rate of all related features and the distribution condition of each mobile phone model operating system version, if a certain feature is judged to be abnormal, the decision-making system informs the equipment fingerprint system in time to reduce the calculation weight of the feature, so that the problem is avoided.

Disclosure of Invention

Aiming at the problems in the prior art, the invention mainly aims at the problem of fingerprint uniqueness, and the problem mainly comes from abnormal conditions of equipment information acquisition after mobile phone and operating system manufacturers update, and the data abnormality can influence the calculation result of the equipment fingerprint. The method and the device can automatically avoid the collision of the device fingerprint caused by abnormal features by combining the real-time decision making system to judge the calculation strategy in real time, thereby maximally reducing the influence.

The invention provides a method for detecting whether equipment fingerprints collide or not by combining a wind control system, which comprises the following steps:

s1, the Internet terminal equipment collects the environmental information of the equipment and reports the information to the fingerprint service of the equipment;

s2, after the acquired data are decrypted and analyzed, the equipment fingerprint system sends the equipment environment information and the network environment information to the decision-making system, wherein the equipment environment information and the network environment information comprise a plurality of characteristics;

and S3, the decision system calculates and judges the repetition rate and the null value rate of each feature in the equipment information and the network environment information, the feature with the repetition rate exceeding a preset first threshold or the null value rate exceeding a preset second threshold is marked as an abnormal feature, and the equipment fingerprint system adjusts in real time according to the abnormal feature so as to avoid the collision in fingerprint calculation.

Further, in the android system, the device environment information includes imei, mac, a mobile phone model, an operating system version, android _ id, bluetooth mac, cpu frequency, system boot time, and system update time; the device environment information in the iOS system includes idfa, idfv, screen resolution, cpu frequency, battery information, and boot time.

Furthermore, the decision system comprises two functions of a rule engine and real-time calculation, and is divided into a rule engine module and a real-time calculation module, wherein the rule engine module is responsible for executing relevant strategies, and the real-time calculation module is responsible for executing various aggregation calculations.

Further, the real-time computing module is responsible for computing all indexes of all features related to fingerprint computing, and computing repetition rates and null value rates of all features under each equipment model and operating system version; and reading related repetition rate and null value rate data by the rule engine module, and carrying out rule judgment to obtain whether the repetition rate and the null value rate of each feature are within a preset threshold value.

Further, when the repetition rate of a certain feature exceeds a preset first threshold or the null value rate exceeds a preset second threshold, the feature is marked as an abnormal feature, the rule engine module feeds back the abnormal condition of the abnormal feature to the equipment fingerprint system, and the equipment fingerprint system adjusts in real time according to the result fed back by the rule engine module, so that the calculation weight of the abnormal feature is reduced or the abnormal feature is not used for calculation.

Further, the real-time computation module needs to distinguish whether the report belongs to different devices or the report belongs to the same device in the computation process, and the strategy adopted by the distinguishing is as follows: firstly, whether equipment is provided with cheating software is detected, if the detection result shows that the cheating software is not provided, the analyzed city is analyzed according to the GPS position and the ip address of the equipment, and if the mac address is found to be repeated on the equipment of a certain model and an operating system version on the premise of characteristics such as different GPS positions, different cities, different system startup time, different system updating time and the like, the mac address is judged to be repeated on the equipment of the model and the operating system version.

Further, the real-time calculation module calculates all the characteristics related to calculation according to the related repetition rate and null rate, stores and accumulates in redis in a polymerization calculation mode, and takes each mac address as a rediskey, wherein the value in the rediskey is the number of times of occurrence of the mac address today and the number of the associated ip, area and equipment models.

Further, the device is a mobile phone.

Further, whether the equipment is provided with cheating software or not is detected by detecting whether the jail crossing, simulator and root code injection characteristics exist or not.

In another aspect, the invention provides a device for detecting whether a device fingerprint collides in combination with a wind control system, which comprises an internet terminal, a device fingerprint system and a decision system, wherein the decision system comprises a rule engine module and a real-time calculation module, and the device is used for implementing the method for detecting whether the device fingerprint collides in combination with the wind control system.

The method is based on the device fingerprint, combines a real-time decision system and a real-time calculation module to judge the data quality of all the characteristics, calculates the repetition rate and the null value rate of the characteristics, and immediately adjusts the calculation strategy once the index exceeds a set threshold. According to the scheme, the influence of mobile phone and operating system manufacturers on the strategy tightening of information acquisition can be automatically avoided, and the collision of equipment fingerprints caused by abnormal characteristics can be timely avoided, so that the influence on the normal operation of services is avoided.

Drawings

FIG. 1 illustrates a workflow diagram of a prior art device fingerprinting system;

fig. 2 shows a work flow diagram of a method and an apparatus for detecting whether a device fingerprint collides in combination with a wind control system according to the present invention.

Detailed Description

The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.

In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.

The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.

As shown in fig. 2, the apparatus for detecting whether a device fingerprint collides in combination with a wind control system according to the present invention includes an internet terminal device 1, a device fingerprint system 2, and a decision system 3, where the decision system 3 further includes a rule engine module 31 and a real-time computation module 32. The method for detecting whether the device fingerprints collide or not by combining the wind control system comprises the following steps:

s1, the Internet terminal equipment 1 collects equipment environment information and reports the equipment environment information to equipment fingerprint service. The internet terminal equipment is an electronic product such as a mobile phone or a computer. The equipment environment information in the android system comprises imei, mac, a mobile phone model, an operating system version, android _ id, Bluetooth mac, cpu frequency, system startup time and system updating time. The device environment information in the iOS system includes idfa, idfv, screen resolution, cpu frequency, battery information, and boot time. There may be many fields collected, and each platform may approach hundreds of features.

S2, the equipment fingerprint system 2 decrypts the acquired data, and sends the equipment information and the network environment information to the decision system 3 after the acquired data are analyzed. The device information reported by the client uses a symmetric encryption algorithm, such as national secret sm3, the server solves the problem after receiving the data, and the decrypted data is of a map structure, namely, the content is the related characteristics mentioned in S1.

S3, the decision system 3 comprises two functions of a rule engine and real-time calculation, correspondingly, the decision system 3 is provided with a rule engine module 31 and a real-time calculation module 32, the rule engine module 31 is responsible for executing relevant strategies, and the real-time calculation module 32 is responsible for executing various aggregation calculations. In this scenario, the real-time calculation module is responsible for calculating all indexes of features related to fingerprint calculation, such as a repetition rate related index and a null rate related index of each feature under each mobile phone model and operating system version.

And (3) calculating related indexes of the repetition rate: for example, the mac repetition rate, for example, one hundred thousand requests for reporting a day, is calculated as follows, how many macs are removed from the collected hundred thousand macs, which mac is the most repeated mac, the specific number of repetitions, whether the mac is associated with multiple mobile phone models, multiple mobile phone operating system versions, and multiple ip addresses. Whether mac abnormal duplication occurs is judged through the indexes.

The null rate is to determine how much the null value is in the batch of mac, and whether the null value mac appears in multiple mobile phone models or system versions.

The real-time computation module 32 needs to consider how to distinguish different device reports from the same device reports during computation, and adopts a strategy that if the device (such as a mobile phone) does not detect the characteristics of jail crossing, a simulator and root, codes are injected into the characteristics, so that the device is determined to be a normal device without cheating software, analysis is carried out according to the GPS position, ip address, analyzed city and the like where the device (the mobile phone) is located after the device is determined to be the normal device, for example, a characteristic mac address (other characteristics need to be similarly judged, such as idfa, idfv, imei and android _ id, and related characteristics related to fingerprint computation need to be carried out on the characteristic mac address), then it can be determined that the mac address is duplicated on this model and os version of the phone. For the same reason, if the value is null, the null rate is also increased.

In general, for example, idfa is not limited by apple, the idfa acquisition rate is relatively high, and in one hundred thousand requests, the idfa null rate is generally lower than 1%, but after the idfa is limited by the new ios version, the null rate rises significantly, for example, after ios14 is updated on a large scale, the null rate may reach more than 5%.

The real-time calculation module 32 performs related index calculation on all the characteristics related to calculation, and unifies the abnormal repetition rate and the null value rate of each characteristic. The calculation mode is aggregation calculation, and storage and accumulation are performed in redis, for example, each mac address is used as a rediskey, and the value in the rediskey is the number of times of occurrence of the mac address on the current day, the associated ip, the area and the number of mobile phone models.

The rule engine module 31 reads the relevant index data and performs rule judgment, and the repetition rate and the null value rate of each feature must be within a certain reasonable interval. Each feature is counted based on historical data, some baseline values are analyzed for relevant indexes of null rate and repetition rate under the condition that no abnormality occurs, specifically, each feature is provided with a separate repetition rate threshold and a null rate threshold, the repetition rate threshold is a first threshold, and the null rate threshold is a second threshold. For example, most feature repetition rates are set to within 1%, mac addresses are more restrictive, with repetition rates set to 40%, and idfa null rates set to 5%.

If a certain feature is abnormal, the rule engine module 32 feeds the abnormal condition of the feature back to the device fingerprint system 2, the device fingerprint system 2 adjusts in real time according to the result fed back by the rule engine module 31, and if the repetition rate of the certain feature exceeds the threshold value, the device fingerprint system 2 immediately reduces the calculation weight of the feature, so as to avoid uncontrollable collision in fingerprint calculation. The weight of the feature in fingerprint calculation is typically reduced, for example, idfa is originally weighted 10%, and after more nulls appear at ios14, the calculated weight of idfa at ios14 version is reduced to 1%, or calculated without idfa.

The method is based on the device fingerprint, combines a real-time decision system and a real-time calculation module to judge the data quality of all the characteristics, calculates the repetition rate and the null value rate of the characteristics, and immediately adjusts the calculation strategy once the index exceeds a set threshold. Through the scheme, the influence of mobile phone and operating system manufacturers on the strategy tightening of information acquisition can be automatically avoided, and the influence on the service caused by the collision of the device fingerprints due to characteristic abnormity can be timely avoided.

The equipment fingerprint system is combined with the rule engine and the real-time computing system to calculate various data quality indexes of equipment characteristics, is combined with set rules to judge, and feeds back the obtained judgment result to the equipment fingerprint.

The invention mainly aims at the problem of fingerprint uniqueness, which mainly comes from abnormal conditions of equipment information acquisition after mobile phone and operating system manufacturers update, and the data abnormality can influence the calculation result of the equipment fingerprint. And the real-time judgment of the calculation strategy is carried out by combining a real-time decision system, so that the influence can be automatically avoided or maximally reduced.

The data related index calculation of the equipment fingerprint acquisition does not need real-time calculation, and near-line or off-line batch calculation is also needed, because a period of time is needed for reaching a certain usage after the new equipment or the system is released. Therefore, real-time calculation is not needed, and the index characteristics have certain delay and cannot cause great influence.

The embodiment of the invention can be used for most computer readable storage media, the computer readable storage media are stored with computer programs, and the computer programs can realize each process of the embodiment of the high-strength encryption method for the hard disk based on the LUKS in the Linux system when being executed by a processor, and can achieve the same technical effect. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.

As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.