Unlimited risk control with limited information
Business Security Technology Practice Series
Author: stir fried shredded potato
It is unacceptable to elaborate the risk control and defense strategies and technical means of our own system in an open level. However, there is still a certain space to discuss the basic principles of risk control technology. Sooner or later, we all know that if no one comes out to discuss the basic principles, we will not be able to promote the progress of the whole industry. If there is no special description, the risk control described in this paper belongs to the risk control technology under the scope of business security.
One
Business risk control of others
We have learned that there are some peers with first-class risk control technology at home and abroad, whose basic technical capabilities, historical data accumulation, fraud detection level and platform concurrency performance are not the same as those of ordinary enterprises.
Our little friends once lamented that they were not as skilled as people and were ashamed of themselves.
But when we have been in contact with them many times, we have a clearer understanding that the strength of the wind control of other people is strong, but we are also sparrows, although they are all small and dirty, and even have some advanced aspects.
We have the same development track and overall direction with each other, except that others think more deeply and broadly, invest more resources and time.
In an enterprise of our size, we can use our business data reasonably and effectively, and also do a good job in risk control.
Two
How to do your own business risk control?
Effective risk control measures depend on a strong risk control system, while the accuracy of risk control judgment depends on risk control parameters, rules and models. The more reference information the business system provides for the risk control system, the more accurate the risk control judgment and decision-making.
However, not every enterprise's risk control system grows with its business system. Many legacy systems do not have the ability to transmit key information to the risk control system. In most scenarios, risk control system can only rely on limited information for risk judgment.
So in this context, how can we effectively carry out risk control work? Here we introduce two ways of thinking:
- 2.1 multi angle perspective of known information
2.1 multi angle perspective of known information
- 2.2 insight into anomalies on the timeline
2.2 insight into anomalies on the timeline
2.1 multi angle perspective of known information
Taking IP address as an example, in the early stage of risk control platform construction, the risk control operation team has configured a large number of rules based on IP address in the background. Obviously, it is not because the platform only has the computing power of IP address dimension, but most business systems are not ready for real access to risk control, they only deliver IP address.
Based on the lack of long-term experience in business security confrontation, early team members can only configure hard rules based on IP address, such as: an IP address can only access a service 100 times a day, etc.
With the increase of our experience in the competition with you, the team members gradually realized that even the IP address is still something to do. Making good use of IP address can help us find and solve problems quickly and effectively.
For example: if you receive a request from an IP address of 8.8.8.8, in addition to applying some IP address rules immediately, we will consider changing the IP address, for example: 8.8.8. *, 8.8. *. *.
The reason for this extension is that in many cases, the IP addresses that make malicious requests to some businesses of the website in batches are aggregated, for example, from a certain server network segment or computer room.
Here we have completed the perspective analysis of two dimensions. Of course, we can also derive the existing IP information from the following perspectives:
geographic information
- Information of provinces, cities and counties
Information of provinces, cities and counties
- National Information
National Information
IDC attribute
- IDC service area
IDC service area
- Education Network
Education Network
- large enterprises
large enterprises
- Centralized export of operators
Centralized export of operators
Network attribute
- Fixed network IP
Fixed network IP
- 3G/4G network
3G/4G network
- Telecom / mobile / Unicom
Telecom / mobile / Unicom
apply property
- Proxy properties
Proxy properties
- VPN attribute
VPN attribute
Historical attribute
- Case record
Case record
- Attack record
Attack record
Is it suddenly clear? Originally, there was only one dimension of IP address, and more than ten attributes were added at once. The key is that these attributes can participate in risk calculation directly. Think about all the happiness, the ability of risk control has greatly increased!
2.1 insight into changes on the timeline
To judge whether a request behavior is abnormal, it is difficult to give a conclusion only by the current request frequency at a certain point. But if the time cycle of this kind of behavior is lengthened, especially compared with the historical data, the bad people's evil behavior will appear immediately.
Focusing on and analyzing the following abnormal monitoring latitudes can help to quickly identify potential risks:
Behavior trend
- Steep increase
Steep increase
- Drop pit
Drop pit
- Very straight curve
Very straight curve
- Zigzag curve
Zigzag curve
Historical synchronization
- Relative to last calendar day
Relative to last calendar day
- Compared with the same period last week
Compared with the same period last week
- Relative to last online activity
Relative to last online activity
Similar comparison
- Proportion of login and registration
Proportion of login and registration
- Proportion of successful login to successful registration
Proportion of successful login to successful registration
- Success ratio of domestic login and foreign login
Success ratio of domestic login and foreign login
The following is a very classic machine request behavior. After identifying the abnormal behavior, we will be more confident to take decisive measures of risk control and interception!
Look at problems from more perspectives, more dimensions, and more fine-grained ways to monitor and analyze problems. In the face of crazy requests from service interfaces (even those that have been blocked by risk control), we need to study the intentions of the users. In the process of work, thinking more and asking why more will help the risk control team to open up working thinking, expand imagination space, and finally discover the internal mystery!
Low key, risk control, sharing with heart
There are surprises in the contribution of wonderful articles!
Vsrc welcomes the contribution of original articles. Once the excellent articles are adopted and released, there will be a good gift (at least 500 yuan VIP card or cash) for you. Our rich prizes include but are not limited to: macbookair, vsrc customized umbrella, vsrc customized water cup and vsrc exquisite pillow! (the final interpretation right of the activity belongs to vsrc)
Click on the original text to read "e-commerce business security, what does the boss think?"? "