Method and system of distinguishing between human and machine

US 10,356,114 B2
Filed: 11/22/2016
Issued: 07/16/2019
Est. Priority Date: 06/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

recording, when a request for accessing a designated network service is received, information of the request which includes a time of receiving the request and information of an access object that sends the request;

identifying whether the access object comprises a user or a terminal;

computing a statistical value of the requests sent by the access object based on a record and on the identification of the access object, the statistical value of the requests including multiple request frequency values;

determining that the access object is operated by a malicious computer program in response to the statistical value of the requests sent by the access object falling outside a predetermined normal range; and

upon determining the access object is operated by a malicious computer program, if the access object has not been isolated, excluding one or more requests sent from the access object prior to a current instance of anomaly when computing the statistical value of the requests sent from the access object in real time to avoid false negatives.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system of distinguishing between a human and a machine are disclosed. The method includes: when a request for accessing a designated network service is received, recording information of the request which include a time of receiving the request and information of an access object that sends the request; computing a statistical value of requests sent by the access object in real time based on a record; and determining the access object to be abnormal when the statistical value of the requests sent by the access object falls outside a predetermined normal range. The disclosed system of distinguishing between a human and a machine includes a recording module, a computation module and a determination module. Identification between humans and machines using the disclosed scheme is difficult to be cracked down and can improve an accuracy rate of human-machine identification.

21 Citations

21 Claims

1. A method comprising:
- recording, when a request for accessing a designated network service is received, information of the request which includes a time of receiving the request and information of an access object that sends the request;
  
  identifying whether the access object comprises a user or a terminal;
  
  computing a statistical value of the requests sent by the access object based on a record and on the identification of the access object, the statistical value of the requests including multiple request frequency values;
  
  determining that the access object is operated by a malicious computer program in response to the statistical value of the requests sent by the access object falling outside a predetermined normal range; and
  
  upon determining the access object is operated by a malicious computer program, if the access object has not been isolated, excluding one or more requests sent from the access object prior to a current instance of anomaly when computing the statistical value of the requests sent from the access object in real time to avoid false negatives.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein:
    - the statistical value of the access object falls outside the predetermined normal range when a request frequency value thereof is greater than a corresponding request frequency threshold.
  - 3. The method of claim 2, wherein:
    - a request frequency value is represented as a number of requests sent within a time window that has a configured time duration, a time of receiving a most recent request sent from the access object being set as an end time of the time window;
      
      or the request frequency value is represented as a time duration used by a configured number of requests that are consecutively sent, and the configured number of requests includes the most recent request sent from the access object; and
      
      the request frequency values correspond to different configured time durations or different configured numbers of times, and respective number-of-times thresholds or time duration thresholds are accordingly different.
  - 4. The method of claim 1, wherein:
    - when the access object comprises a terminal, the information of the request includes information of the terminal and a user associated with sending the request;
      
      the statistical value of the requests sent by the terminal includes a value for a frequency of user appearance and/or a value for a frequency of user switching obtained from an analysis of users who send the requests via the terminal; and
      
      the statistical value of the requests sent by the terminal falls outside the predetermined normal range when the value for the frequency of user appearance is greater than a first threshold for the frequency of user appearance, and/or the value for the frequency of user switching is greater than a second threshold for the frequency of user switching.
  - 5. The method of claim 4, wherein:
    - the value for the frequency of user appearance is represented as a number of different users who send one or more requests via the terminal within a time window having a configured time duration, and the value for the frequency of user switching is represented as a number of times that the users who send the one or more requests via the terminal are switched within the time window having the configured time duration, wherein an end time of the time window is a time of receiving a most recent request sent from the terminal.
  - 6. The method of claim 1, wherein:
    - when the access object comprises a user, the information of the request includes information of a terminal and the user associated with sending the request;
      
      the statistical value of the requests sent by the user includes a value for a frequency of terminal appearance and/or a value for a frequency of terminal switching obtained from an analysis of terminals that are used by the user when sending the requests;
      
      the statistical value of the requests sent by the user falls outside the predetermined normal range when the value for the frequency of terminal appearance is greater than a first threshold for the frequency of terminal appearance, and/or the value for the frequency of terminal switching is greater than a second threshold for the frequency of terminal switching.
  - 7. The method of claim 6, wherein:
    - the value for the frequency of terminal appearance is represented as a number of different terminals used by the user to send one or more requests within a time window that has a configured time duration; and
      
      the value for the frequency of terminal switching is represented as a number of times that the user switch the terminals to send a plurality of requests within the time window that has the configured time duration, wherein an end time of the time window is a time of receiving a most recent request sent by the user.
  - 8. The method of claim 1, wherein:
    - the statistical value of the requests sent by the access request includes a value for a time interval between consecutive requests sent by the access object; and
      
      the statistical value falls outside the predetermined normal range when the value for the time interval is less than a corresponding time interval threshold.
  - 9. The method of claim 8, wherein:
    - the consecutive requests sent by the access object are classified into different types based on whether the consecutive requests are sent by a same access object and/or whether the consecutive requests correspond to requests for a same network service, wherein a time interval threshold is individually set up for each different type of consecutive requests.
  - 10. The method of claim 1, further comprising:
    - when the access object is a terminal, isolating the terminal, refraining from receiving a request from the terminal, and stopping to compute the statistical value of the requests sent from the terminal upon determining that a number of anomalies associated with the terminal reaches a predetermined number of anomalies, M, wherein M=1 or M>
      
      1; and
      
      when the access object is a user, isolating the user, refraining from receiving a request from the user, and stopping to compute the statistical value of the requests sent from the user upon determining that a number of anomalies associated with the user reaches a predetermined number of anomalies, N, wherein N=1 or N>
      
      1.

11. A method comprising:
- recording, when a request for accessing a designated network service is received, information of the request which includes a time of receiving the request and information of an access object that sends the request;
  
  identifying whether the access object comprises a user or a machine;
  
  computing a statistical value of the requests sent by the access object based on a record and on the identification of the access object, the statistical value of the requests including multiple request frequency values,in response to identifying that the access object comprises a user;
  
  the information of the request includes information of a terminal and the user associated with sending the request,the statistical value of the requests sent by the user includes a value for a frequency of terminal switching obtained from an analysis of terminals that are used by the user when sending the requests, andthe statistical value of the requests sent by the user falls outside the predetermined normal range when the value for the frequency of terminal switching is greater than a threshold for the frequency of terminal switching;
  
  determining that the access object is operated by a malicious computer program in response to the statistical value of the requests sent by the access object falling outside a predetermined normal range; and
  
  upon determining the access object is operated by a malicious computer program, if the access object has not been isolated, excluding one or more requests sent from the access object prior to a current instance of anomaly when computing the statistical value of the requests sent from the access object in real time to avoid false negatives.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein:
    - the statistical value of the access object falls outside the predetermined normal range when a request frequency value thereof is greater than a corresponding request frequency threshold.
  - 13. The method of claim 12, wherein:
    - a request frequency value is represented as a number of requests sent within a time window that has a configured time duration, a time of receiving a most recent request sent from the access object being set as an end time of the time window;
      
      or the request frequency value is represented as a time duration used by a configured number of requests that are consecutively sent, and the configured number of requests includes the most recent request sent from the access object; and
      
      the request frequency values correspond to different configured time durations or different configured numbers of times, and respective number-of-times thresholds or time duration thresholds are accordingly different.
  - 14. The method of claim 11, wherein in response to determining that the access object is a terminal:
    - the information of the request includes information of the terminal and a user associated with sending the request;
      
      the statistical value of the requests sent by the terminal includes a value for a frequency of user appearance and/or a value for a frequency of user switching obtained from an analysis of users who sent the requests via the terminal; and
      
      the statistical value of the requests sent by the terminal falls outside the predetermined normal range when the value for the frequency of user appearance is greater than a first threshold for the frequency of user appearance, and/or the value for the frequency of user switching is greater than a second threshold for the frequency of user switching.
  - 15. The method of claim 14, wherein:
    - the value for the frequency of user appearance is represented as a number of different users who send one or more requests via the terminal within a time window having a configured time duration, and the value for the frequency of user switching is represented as a number of times that the users who send the one or more requests via the terminal are switched within the time window having the configured time duration, wherein an end time of the time window is a time of receiving a most recent request sent from the terminal.
  - 16. The method of claim 11, wherein in response to determining that the access object is a user:
    - the statistical value of the requests sent by the user further includes a value for a frequency of terminal appearance obtained from an analysis of terminals that are used by the user when sending the requests; and
      
      the statistical value of the requests sent by the user falls outside the predetermined normal range when the value for the frequency of terminal appearance is greater than a threshold for the frequency of terminal appearance.
  - 17. The method of claim 16, wherein:
    - the value for the frequency of terminal appearance is represented as a number of different terminals used by the user to send one or more requests within a time window that has a configured time duration; and
      
      the value for the frequency of terminal switching is represented as a number of times that the user switch the terminals to send a plurality of requests within the time window that has the configured time duration, wherein an end time of the time window is a time of receiving a most recent request sent by the user.
  - 18. The method of claim 11, wherein:
    - the statistical value of the requests sent by the access request includes a value for a time interval between consecutive requests sent by the access object; and
      
      the statistical value falls outside the predetermined normal range when the value for the time interval is less than a corresponding time interval threshold.
  - 19. The method of claim 18, wherein:
    - the consecutive requests sent by the access object are classified into different types based on whether the consecutive requests are sent by a same access object and/or whether the consecutive requests correspond to requests for a same network service, wherein a time interval threshold is individually set up for each different type of consecutive requests.
  - 20. The method of claim 11, further comprising:
    - in response to determining that the access object is a terminal, isolating the terminal, refraining from receiving a request from the terminal, and stopping to compute the statistical value of the requests sent from the terminal upon determining that a number of anomalies associated with the terminal reaches a predetermined number of anomalies, M, wherein M=1 or M>
      
      1; and
      
      in response to determining that the access object is a user, isolating the user, refraining from receiving a request from the user, and stopping to compute the statistical value of the requests sent from the user upon determining that a number of anomalies associated with the user reaches a predetermined number of anomalies, N, wherein N=1 or N>
      
      1.

21. A method comprising:
- recording, when a request for accessing a designated network service is received, information of the request which includes a time of receiving the request and information of an access object that sends the request, the access object including a user and at least one terminal associated with the user;
  
  computing a statistical value of the requests sent by the access object based on a frequency of terminal switching associated with the user when sending the requests, the statistical value of the requests including multiple request frequency values;
  
  determining that the access object is operated by a malicious computer program in response to the statistical value falling outside a predetermined normal range; and
  
  upon determining the access object is operated by a malicious computer program, if the access object has not been isolated, excluding one or more requests sent from the access object prior to a current instance of anomaly when computing the statistical value of the requests sent from the access object in real time to avoid false negatives.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alibaba Group Holding Ltd.
Original Assignee
Alibaba Group Holding Ltd.
Inventors
Fu, Yingfang, Zhang, Yudong, Zhang, Zhenyuan, Liu, Jian
Primary Examiner(s)
Colin, Carl G
Assistant Examiner(s)
Little, Vance M

Application Number

US15/358,604
Publication Number

US 20170078318A1
Time in Patent Office

966 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/034   Test or assess a computer o...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Method and system of distinguishing between human and machine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system of distinguishing between human and machine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links