WO2019001566A1 - Authentication method and device - Google Patents


Info

Publication number: WO2019001566A1
Application number: PCT/CN2018/093618
Authority: WO, WIPO (PCT)
Prior art keywords: terminal, parameter, authentication, user, server
Other languages: French (fr), Chinese (zh)
Inventor: 冯继强
Original Assignee: 苏州锦佰安信息技术有限公司
Priority claimed from CN201710517649.4A (CN107294981B) and CN201710517666.8A (CN107330311A)
Application filed by 苏州锦佰安信息技术有限公司
Publication of WO2019001566A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication

Definitions

  • The present invention relates to the field of authentication, and in particular to a method and device for authentication.
  • The present invention proposes a method and device for authentication which further improves the security of authentication, and preserves the user experience, by verifying multiple parameters, in particular the user behavior characteristics among them.
  • The present invention proposes the following specific embodiments:
  • One embodiment of the present application provides a method for authentication implemented on a server, the server including at least one processor, a memory, and a communication platform connected to a network. The method comprises: acquiring at least one parameter of the terminal, the at least one parameter including a system operating environment of the terminal, a user behavior feature, and an identifier of the terminal; authenticating the at least one parameter using a preset analysis model; and determining, from the authentication result for the at least one parameter, whether the operator of the terminal is the preset user. Only when the analysis model passes the verification of the system operating environment, the user behavior feature, and the terminal identifier is the operator of the terminal confirmed to be the preset user and the authentication passed.
  • If the verification of at least one of the operating environment, the user behavior feature, and the identifier fails under the preset analysis model, the authentication is determined to have failed and the authentication process is terminated.
  • The analysis model includes the identifiers of a plurality of mobile terminals, the behavior characteristics of the preset user corresponding to each of those mobile terminals, and a security database used to determine whether an operating environment is secure.
  • Before acquiring the parameters of the terminal, the method further includes: receiving an authentication request from the terminal, the request including information about the terminal; matching the terminal based on that information; and sending a challenge authentication command to the terminal, so that the terminal uploads the at least one parameter to the server when it receives the challenge authentication command.
  • The method further includes releasing the process corresponding to the authentication on the terminal.
  • A release command may be transmitted to the terminal; after executing the release command, the terminal releases the process corresponding to the authentication.
  • The user behavior characteristic comprises sensor data generated by the terminal while it is operated by the operator.
  • The user behavior characteristic comprises at least one of the following sensor data: rotation data, force data, orientation data, screen operation data, and input device operation data.
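  • The request, challenge, upload, verdict and release exchange described above, as an added Python example that is not part of the patent or the assignee's code. The server object, the enrolled-profile layout, the environment flag names, and the one-time nonce with a 30-second limit that binds the upload to the challenge are assumptions for illustration; the patent specifies only that a challenge authentication command is sent and that the parameters are uploaded in response.

```python
"""Challenge-based multi-parameter authentication flow, as an added example.

This is not the patent's code. It plays out the server-side steps described
above: receive the request, match the terminal, send a challenge command,
receive the uploaded parameters, verify identifier, operating environment and
behavior with a simple stand-in for the analysis model, then pass (release)
or fail (terminate). Binding the upload to a one-time nonce with a time limit
is an assumption added here; the patent only says a challenge command is sent.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class EnrolledTerminal:
    terminal_id: str
    # Assumed profile layout: feature name -> (mean, tolerance) from enrollment.
    behavior_profile: dict


@dataclass
class Challenge:
    nonce: str
    issued_at: float
    used: bool = False


class AuthServer:
    CHALLENGE_TTL = 30.0  # seconds; assumed value

    def __init__(self, enrolled, now=time.time):
        self.enrolled = {e.terminal_id: e for e in enrolled}
        self.pending = {}  # terminal_id -> outstanding Challenge
        self.now = now

    def handle_request(self, terminal_info):
        """Match the terminal from the request; unknown terminals get no challenge."""
        tid = terminal_info.get("terminal_id")
        if tid not in self.enrolled:
            return None
        ch = Challenge(nonce=secrets.token_hex(16), issued_at=self.now())
        self.pending[tid] = ch
        return {"command": "challenge", "nonce": ch.nonce}

    def handle_upload(self, upload):
        """Verify the uploaded parameters; all three checks must pass."""
        tid = upload["identifier"]
        ch = self.pending.get(tid)
        # Fail closed before any model runs: no challenge, reused, wrong or stale nonce.
        if (ch is None or ch.used or upload["nonce"] != ch.nonce
                or self.now() - ch.issued_at > self.CHALLENGE_TTL):
            return {"result": "fail", "reason": "bad challenge", "command": "terminate"}
        ch.used = True
        checks = {
            "identifier": self._verify_identifier(tid),
            "environment": self._verify_environment(upload["environment"]),
            "behavior": self._verify_behavior(tid, upload["behavior"]),
        }
        if all(checks.values()):
            return {"result": "pass", "command": "release"}
        failed = ",".join(k for k, ok in checks.items() if not ok)
        return {"result": "fail", "reason": "failed: " + failed, "command": "terminate"}

    def _verify_identifier(self, tid):
        return tid in self.enrolled

    def _verify_environment(self, env):
        # Stand-in for the security database: flags the terminal reports (assumed names).
        return not (env.get("rooted") or env.get("malware") or env.get("high_risk_site"))

    def _verify_behavior(self, tid, features):
        profile = self.enrolled[tid].behavior_profile
        return all(name in features and abs(features[name] - mean) <= tol
                   for name, (mean, tol) in profile.items())


# Constructed enrollment data, not taken from any real device.
ENROLLED = [EnrolledTerminal("imei-001", {"grip": (2.0, 0.5), "press": (1.2, 0.3)})]


def run_exchange(server, terminal_id, environment, behavior):
    """Play the terminal side: request, answer the challenge, return the verdict."""
    challenge = server.handle_request({"terminal_id": terminal_id})
    if challenge is None:
        return {"result": "fail", "reason": "unknown terminal", "command": "terminate"}
    upload = {"identifier": terminal_id, "nonce": challenge["nonce"],
              "environment": environment, "behavior": behavior}
    return server.handle_upload(upload)


if __name__ == "__main__":
    srv = AuthServer(ENROLLED)
    print(run_exchange(srv, "imei-001", {"rooted": False}, {"grip": 2.1, "press": 1.1}))
    print(run_exchange(srv, "imei-001", {"rooted": True}, {"grip": 2.1, "press": 1.1}))
```

  • Run directly, the first exchange passes and returns the release command, the second fails on the environment check and returns terminate. The replay and expiry rejections happen before the analysis model runs at all, so an attacker who has captured one genuine upload cannot resubmit it, which is the fail-closed ordering a practitioner would want around any behavior-based model.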
  • An embodiment of the present application provides an authentication device, including: an obtaining module configured to acquire at least one parameter of a terminal, the at least one parameter including a system operating environment of the terminal, a user behavior feature, and an identifier of the terminal; an authentication module configured to authenticate the at least one parameter using a preset analysis model; and a determining module configured to determine, from the authentication result for the at least one parameter, whether the operator of the terminal is the preset user, and to confirm that the operator is the preset user and pass the authentication only when the analysis model passes the verification of the system operating environment, the user behavior feature, and the terminal identifier.
  • The device further includes a terminating module configured to determine that the authentication has failed, and to terminate the authentication process, when at least one of the operating environment, the user behavior feature, and the identifier is not validated by the preset analysis model.
  • The analysis model includes the identifiers of a plurality of mobile terminals, the behavior characteristics of the preset user corresponding to each of those mobile terminals, and a security database used to determine whether an operating environment is secure.
  • The device further includes: a requesting module configured to receive an authentication request from the terminal, the request including information about the terminal; a matching module configured to match the terminal based on that information; and a challenge authentication module configured to send a challenge authentication command to the terminal, so that the terminal uploads the at least one parameter to the server when it receives the challenge authentication command.
  • The device further includes a release module configured to release the process corresponding to the authentication on the terminal.
  • The release module may transmit a release command to the terminal; after executing the release command, the terminal releases the process corresponding to the authentication.
  • The user behavior characteristic comprises sensor data generated by the terminal while it is operated by the operator.
  • The user behavior characteristic comprises at least one of the following sensor data: rotation data, force data, orientation data, screen operation data, or input device operation data.
  • An embodiment of the present application provides an apparatus for authentication including a processor, where the processor is configured to: acquire at least one parameter of a terminal, the at least one parameter including a system operating environment of the terminal, a user behavior feature, and an identifier of the terminal; authenticate the at least one parameter using a preset analysis model; and determine, from the authentication result for the at least one parameter, whether the operator of the terminal is the preset user, confirming that the operator is the preset user and passing the authentication only when the analysis model passes the verification of the system operating environment, the user behavior feature, and the terminal identifier.
  • One embodiment of the present application provides a computer readable storage medium storing computer instructions. When a computer reads the instructions from the storage medium, it performs a method of authentication that includes: acquiring at least one parameter of a terminal, the at least one parameter including a system operating environment of the terminal, a user behavior feature, and an identifier of the terminal; authenticating the at least one parameter using a preset analysis model; and determining, from the authentication result for the at least one parameter, whether the operator of the terminal is the preset user, confirming that the operator is the preset user and passing the authentication only when the analysis model passes the verification of the system operating environment, the user behavior feature, and the terminal identifier.
  • One embodiment of the present application provides a method for authentication implemented on a terminal, the terminal including at least one processor, a memory, and a communication platform connected to a network. The method comprises: acquiring at least one parameter and sending it to the server, the at least one parameter including a system operating environment of the terminal, a user behavior characteristic, and an identifier of the terminal; and receiving information from the server and passing or failing the authentication according to the server's determination, made from the at least one parameter, of whether the operator of the terminal is the preset user.
  • The user behavior characteristic comprises sensor data generated by the terminal while it is operated by the operator.
  • An embodiment of the present application provides an authentication system including: an obtaining module configured to acquire at least one parameter and send it to a server, the at least one parameter including a system operating environment of the terminal, a user behavior feature, and an identifier of the terminal; and a receiving module configured to receive information from the server and to pass or fail the authentication according to the server's determination, made from the at least one parameter, of whether the operator of the terminal is the preset user.
  • The user behavior characteristic comprises sensor data generated by the terminal while it is operated by the operator.
  • An embodiment of the present application provides an authentication terminal including a processor, where the processor is configured to: acquire at least one parameter and send it to a server, the at least one parameter including a system operating environment of the terminal, a user behavior characteristic, and an identifier of the terminal; and receive information from the server and pass or fail the authentication according to the server's determination, made from the at least one parameter, of whether the operator of the terminal is the preset user.
  • One embodiment of the present application provides a computer readable storage medium storing computer instructions. When a computer reads the instructions from the storage medium, it performs a method of authentication that includes: acquiring at least one parameter and sending it to the server, the at least one parameter including a system operating environment of the terminal, a user behavior feature, and an identifier of the terminal; and receiving information from the server and passing or failing the authentication according to the server's determination, made from the at least one parameter, of whether the operator of the terminal is the preset user.
  • The embodiment of the invention also provides a method for authentication, including: acquiring multi-parameter data of the mobile terminal, where the multi-parameter data comprises an operating environment, collected user behavior characteristics, and an identifier that uniquely determines the mobile terminal; authenticating the multi-parameter data using a preset intelligent analysis model; and, when the verification of the operating environment, the user behavior characteristics, and the identifier all pass, confirming that the operator of the mobile terminal is the preset user and passing the authentication.
  • Before acquiring the multi-parameter data of the mobile terminal, the method further includes receiving an authentication request that includes information about the mobile terminal to be authenticated.
  • The method further includes: when the verification of the operating environment, the user behavior characteristics, and the identifier by the preset intelligent analysis model does not fully pass, determining that the authentication has failed and terminating the corresponding authentication process on the mobile terminal.
  • The method further includes releasing the process corresponding to the authentication on the mobile terminal.
  • The intelligent analysis model stores the identifier of each mobile terminal, the human behavior characteristics of the preset user corresponding to each mobile terminal, and a security database used to determine whether an operating environment is secure.
  • The method also includes storing the multi-parameter data in a database in the intelligent analysis model.
  • The embodiment of the invention further provides an authentication device, including: an obtaining module configured to obtain multi-parameter data of the mobile terminal, where the multi-parameter data comprises an operating environment, collected user behavior characteristics, and an identifier that uniquely determines the mobile terminal; an authentication module configured to authenticate the multi-parameter data using a preset intelligent analysis model; and a determining module configured to confirm that the operator of the mobile terminal is the preset user, and to pass the authentication, when the intelligent analysis model passes the verification of the operating environment, the user behavior characteristics, and the identifier.
  • The device further includes a requesting module configured to receive an authentication request, where the authentication request includes information about the mobile terminal to be authenticated.
  • The device further includes a termination module configured to determine that the authentication has failed, and to terminate the corresponding authentication process on the mobile terminal, when the verification of the operating environment, the user behavior characteristics, and the identifier by the preset intelligent analysis model does not fully pass.
  • The device further includes a release module configured to release the process corresponding to the authentication on the mobile terminal.
  • The intelligent analysis model stores the identifier of each mobile terminal, the human behavior characteristics of the preset user corresponding to each mobile terminal, and a security database used to determine whether an operating environment is secure.
  • The device also includes a storage module configured to store the multi-parameter data in a database in the intelligent analysis model.
  • The embodiment of the present invention provides a method and device for authentication, where the method includes: acquiring multi-parameter data of the mobile terminal, where the multi-parameter data comprises an operating environment, collected user behavior characteristics, and an identifier that uniquely determines the mobile terminal; authenticating the multi-parameter data using a preset intelligent analysis model; and, when the operating environment, the user behavior characteristics, and the identifier all pass verification by the preset intelligent analysis model, confirming that the operator of the mobile terminal is the preset user and passing the authentication. Because the user's instantaneous behavior characteristics are dynamic and not easily stolen, verifying the multi-parameter data, and in particular the user behavior characteristics within it, further improves the security of authentication while preserving the user's experience.
  • FIG. 1 is a schematic flowchart of a method for authentication according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of a method for authentication according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of an apparatus for authentication according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of an apparatus for authentication according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an apparatus for authentication according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of an apparatus for authentication according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an apparatus for authentication according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of an application scenario of an authentication system according to an embodiment of the present invention.
  • The term "comprising" or "including" as used in the various embodiments of the present disclosure indicates the presence of the disclosed function, operation or element, and does not limit the addition of one or more further functions, operations or elements.
  • The terms "comprising", "having" and "including" should not be understood to exclude the existence or addition of one or more other features, numbers, steps, operations, components, or combinations of the foregoing.
  • The expression "or" or "at least one of A or/and B" includes any or all combinations of the listed items. For example, "A or B" or "at least one of A or/and B" may include A, may include B, or may include both A and B.
  • Expressions such as "first" and "second" used in the various embodiments of the present disclosure may modify various constituent elements, but the corresponding constituent elements are not limited by them. Such expressions do not limit the order and/or importance of the elements; they are used only to distinguish one element from another. For example, a first user device and a second user device indicate different user devices, although both are user devices. A first element could be termed a second element, and a second element could be termed a first element, without departing from the scope of the various embodiments of the present disclosure.
  • When a constituent element is "connected" to another constituent element, the first constituent element can be directly connected to the second constituent element, or a third constituent element can be present between them. Conversely, when a constituent element is "directly connected" to another constituent element, there is no third constituent element between the first constituent element and the second constituent element.
  • The term "user" as used in various embodiments of the present disclosure may indicate a person using an electronic device or a device using an electronic device (for example, an artificial intelligence electronic device).
  • FIG. 8 is a schematic diagram of an application scenario of an authentication system (or an authentication device) according to some embodiments of the present application.
  • the authentication system 800 can be an online service platform for Internet services.
  • the authentication system 800 can be applied to any combination of one or more of a game platform, a shopping platform, an instant messaging platform, a trading platform, an entertainment platform, an educational platform, and the like.
  • The authentication system 800 can determine whether the operating environment of the terminal is good (for example, whether it is secure enough to perform an authentication operation).
  • the authentication system 800 can identify whether the operator of a terminal is a preset user (eg, whether it is the owner of the terminal, whether it is a user of a particular account under an application, etc.).
  • the authentication system 800 can include a server 810, a network 820, a terminal 830, and a database 840.
  • the server 810 can include a processing device 812.
  • server 810 can be used to process information and/or data related to authentication.
  • Server 810 can be a standalone server or group of servers.
  • the server group can be centralized or distributed (e.g., server 810 can be a distributed system).
  • the server 810 can be regional or remote in some embodiments.
  • Server 810 can access data stored in terminal 830 and/or database 840 over network 820.
  • Server 810 can also interface directly with terminal 830 and/or database 840 to access the data stored there.
  • server 810 can execute on a cloud platform.
  • the cloud platform may include one of a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud, and the like, or any combination thereof.
  • server 810 can include processing device 812.
  • the processing device 812 can process data and/or information related to authentication to implement one or more of the functions described in this application.
  • the processing device 812 can authenticate the multivariate parameters through a preset intelligent analysis model.
  • Processing device 812 can include one or more sub-processing devices (for example, a single-core or multi-core processing device).
  • Processing device 812 may include any combination of one or more of a central processing unit (CPU), an application-specific integrated circuit (ASIC), an application-specific instruction-set processor (ASIP), a graphics processing unit (GPU), a physics processing unit (PPU), a digital signal processor (DSP), a field-programmable gate array (FPGA), a programmable logic device (PLD), a controller, a microcontroller unit, a reduced instruction set computer (RISC), a microprocessor, and the like.
  • Server 810 can also be one or more components of terminal 830; server 810 and terminal 830 can communicate within the same program or between different programs.
  • server 810 can be implemented on a computing device having one or more modules as described in Figures 3-7 of the present application.
  • Network 820 can facilitate the exchange of data and/or information: one or more components of authentication system 800 (for example, server 810, terminal 830, and database 840) can exchange data and/or information over network 820.
  • server 810 can obtain user behavior characteristics from terminal 830 over network 820.
  • network 820 can be any type of wired or wireless network.
  • Network 820 can include a cable network, a wired network, a fiber optic network, a telecommunications network, an intranet, the Internet, a local area network (LAN), a wide area network (WAN), a wireless local area network (WLAN), a metropolitan area network (MAN), and the like.
  • network 820 can include one or more network access points.
  • Network 820 can include wired or wireless network access points, such as base stations and/or internetwork exchange points 820-1, 820-2, ..., through which one or more components of authentication system 800 can connect to network 820 to exchange data and/or information.
  • The terminal may be a mobile terminal or a fixed terminal, such as a mobile phone 830-1, a tablet 830-2, a notebook computer 830-3, an in-vehicle device 830-4, a desktop computer, a built-in computer, and the like.
  • the terminal may also include a wearable device, a virtual reality device, and/or an augmented reality device, etc., or any combination thereof.
  • the wearable device can include a smart bracelet, smart footwear, smart glasses, smart helmet, smart watch, smart wear, smart backpack, smart accessory, and the like, or any combination thereof.
  • the virtual reality device and/or the augmented reality device may include a virtual reality helmet, virtual reality glasses, virtual reality eyewear, augmented reality helmet, augmented reality glasses, an augmented reality eye mask, and the like, or any combination thereof.
  • The virtual reality devices and/or augmented reality devices may include Google Glass™, RiftCon™, Fragments™, Gear VR™, and the like.
  • the terminal and server may be integrated or the terminal may be one or more components of the server.
  • The terminal may be any device having one or more sensors that can be used to obtain user behavior characteristics; the application does not limit the form of the terminal. In some embodiments, only the terminal devices described above are used in the present application.
  • Database 840 can store data and/or instructions. In some embodiments, database 840 can store data obtained from terminal 830; for example, database 840 can store the user behavior characteristics associated with the operation of terminal 830. In some embodiments, database 840 can store data and/or instructions that server 810 executes or uses to perform the example methods described herein; for example, database 840 can store the instructions for authenticating the multi-parameter data with the preset intelligent analysis model, which can be executed by processing device 812.
  • database 840 can include any combination of one or more of mass storage, removable storage, volatile read and write memory (eg, random access memory RAM), read only memory (ROM), and the like.
  • database 840 can be implemented on a cloud platform.
  • the cloud platform may include any combination of one or more of a private cloud, a public cloud, a hybrid cloud, a community cloud, a community cloud, a distributed cloud, an internal cloud, and the like.
  • database 840 can be coupled to network 820 to communicate with one or more components of authentication system 800 (eg, server 810, terminal 830, etc.). One or more components of authentication system 800 can access data or instructions stored in database 840 over network 820. In some embodiments, database 840 can interface or communicate directly with one or more components (e.g., server 810, terminal 830, etc.) in authentication system 800. In some embodiments, database 840 can be part of server 810. In some embodiments, one or more components (eg, server 810, terminal 830, etc.) in authentication system 800 may have access to database 840.
  • Embodiment 1 of the present invention discloses a method for authentication, as shown in FIG. 1, which includes the following steps:
  • Step 101: obtain at least one parameter (also referred to as the multi-parameter data) of the terminal (such as a mobile terminal). The following description mainly uses a mobile phone as the example.
  • The at least one parameter may include: a system operating environment of the terminal, collected user behavior characteristics, and an identifier that uniquely determines the mobile terminal.
  • The multi-parameter data may consist of only one or two of these. For example, it may consist only of the collected user behavior characteristics, or only of the collected user behavior characteristics and the identifier that uniquely determines the mobile terminal.
  • The multi-parameter data may also include other parameters, such as the user's biometric features (such as facial features, fingerprint features, etc.), the user's linguistic features, features of user-entered information (such as an entered password), and so on; the application places no restriction on this.
  • The operating environment may include the network security environment in which the mobile phone is running, such as whether a virus is present, whether malicious code is embedded, whether the environmental requirements for secure operation are met, or whether a high-risk website has been accessed.
  • The operating environment can include the system security environment of the terminal, for example whether root privileges are enabled on the mobile terminal, or whether it is jailbroken (for example, untethered jailbreak or tethered jailbreak), and the like.
  • The operating environment may also include an externally detected security environment, for example whether the mobile terminal moves abnormally.
  • The server (such as the server 810) can track and locate the mobile terminal using a positioning system (such as GPS). If the mobile terminal moves within a short time (for example, 3 seconds or 5 seconds) from location A to a distant location B (for example, locations A and B are several hundred or several thousand kilometers apart), the movement can be considered abnormal and the operating environment of the mobile terminal judged unsafe.
  • The operating environment may also include hardware and/or software parameters of the mobile terminal.
  • The hardware and/or software parameters of the mobile terminal may include one or more configuration parameters such as the central processing unit (CPU), memory, screen resolution, camera pixel count, battery capacity, and the like.
  • The server can determine whether the mobile terminal has been modified or falsified by detecting whether its hardware and/or software parameters have changed (for example, changed abnormally), and thereby determine whether the operating environment is secure.
  • The security of the operating environment is an important precondition for the security of the subsequent authentication. Therefore, the verification of the operating environment may take precedence over the other verifications.
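  • Two of the operating-environment checks just described, abnormal movement between position fixes and a change in the terminal's hardware/software parameters, worked out as an added Python example that is not part of the patent or the assignee's code. The great-circle distance formula, the 1000 km/h plausibility bound, the key names of the environment record, and the Shanghai-to-Beijing sample fixes are assumptions for illustration.

```python
"""Operating-environment checks from the embodiment above, as an added example.

Not the patent's code. Two of the checks the text describes are worked out:
abnormal movement (two position fixes too far apart for the time between
them) and drift of the terminal's hardware/software configuration against the
values recorded at enrollment. The field names, the 1000 km/h plausibility
bound and the constructed inputs are assumptions for illustration.
"""
import math

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed bound; airliner cruising speed is below it


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in degrees, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def abnormal_movement(fix_a, fix_b, max_kmh=MAX_PLAUSIBLE_KMH):
    """fix = (timestamp_s, lat, lon). True when the implied speed is impossible."""
    (t1, la1, lo1), (t2, la2, lo2) = sorted([fix_a, fix_b])
    dist_km = haversine_km(la1, lo1, la2, lo2)
    dt_h = (t2 - t1) / 3600.0
    if dt_h <= 0:
        return dist_km > 0.0  # two different places reported at the same instant
    return dist_km / dt_h > max_kmh


def hardware_drift(enrolled, reported):
    """Names of configuration parameters whose reported value differs from enrollment."""
    return sorted(k for k in enrolled if reported.get(k) != enrolled[k])


def environment_secure(env):
    """Combine the checks; any finding makes the environment unsafe.
    env holds what the terminal and server know, under assumed key names:
    rooted, jailbroken, malware_detected, position_fixes, enrolled_hw, reported_hw."""
    findings = []
    if env.get("rooted") or env.get("jailbroken"):
        findings.append("privileged_os")
    if env.get("malware_detected"):
        findings.append("malware")
    fixes = env.get("position_fixes", [])
    if any(abnormal_movement(a, b) for a, b in zip(fixes, fixes[1:])):
        findings.append("abnormal_movement")
    drift = hardware_drift(env.get("enrolled_hw", {}), env.get("reported_hw", {}))
    if drift:
        findings.append("hardware_changed:" + ",".join(drift))
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed input: a phone seen in Shanghai and, five seconds later, in Beijing,
    # now reporting twice the memory it had at enrollment.
    print(environment_secure({
        "position_fixes": [(0.0, 31.23, 121.47), (5.0, 39.90, 116.40)],
        "enrolled_hw": {"cpu": "octa-core", "ram_mb": 4096, "screen": "1080x2340"},
        "reported_hw": {"cpu": "octa-core", "ram_mb": 8192, "screen": "1080x2340"},
    }))
```

  • The speed bound, not the raw distance, is what makes the movement check usable: the same two cities two hours apart are an ordinary flight, while five seconds apart they are impossible. The function returns the list of findings rather than only a boolean so the server can log which condition tripped, which matters when the environment check runs first and short-circuits the rest of the authentication.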
  • the user's behavioral characteristics may be data caused by the user's biological behavior when the user operates the mobile terminal, such as movement trajectory, pressing pressure, moving range, moving speed, moving frequency, moving angle, grip strength, pressing Frequency, posture, etc.
  • the user behavior characteristics may be embodied by the client's rotation data, the client's force data, the client's orientation data, the client's screen operation data, the client's input device operation data, the client's image-aware data, and the client's magnetic field. Any combination of one or more of perceptual data, infrared sensing data of the client, and the like.
  • the server can determine user behavior actions through sensor data.
  • the server can determine behavioral characteristics such as grip strength, pressing force, posture, movement amplitude, movement frequency, and movement speed when the user operates the mobile terminal from the rotation data, the force data, the orientation data, and the like.
  • the user behavior feature can include sensor data that reflects at least one operational behavior of the operator to the terminal.
  • the sensor may include any combination of one or more of a GPS positioning device, a gyroscope, a position sensor, a speed sensor, an acceleration sensor, a torque sensor, a force sensor, a pressure sensor, a magnetometer, a camera, an acoustic sensor, a temperature sensor, a humidity sensor, a load cell, a flow rate sensor, a liquid level sensor, a distance sensor, a water immersion sensor, an illuminance sensor, a thermal sensor, a light sensor, a gas sensor, a magnetic sensor, a sound sensor, a radiation-sensitive sensor, a color sensor, a taste sensor, a resistive sensor, a capacitive sensor, an inductive sensor, a piezoelectric sensor, an electromagnetic sensor, a magnetoresistive sensor, a photoelectric sensor, a piezoresistive sensor, a thermoelectric sensor, a nuclear radiation sensor, a semiconductor sensor, and the like.
  • the sensor can be an embedded device of the mobile terminal. In some embodiments, the sensor can also be an external device of the mobile terminal. In some embodiments, the mobile terminal can acquire user behavior characteristics through the sensor.
  • the mobile terminal can acquire three-dimensional spatial component information (for example, numerical values and direction information in the x, y, and z directions) of rotation, force, and orientation through a gyroscope, an acceleration sensor, a magnetometer, or the like, and further process this data to obtain the rotation data, force data, orientation data, and similar information of the mobile terminal.
  • the mobile terminal can also obtain information such as the strength and orientation of the user's own magnetic field through a magnetometer, and acquire other user behavior characteristic data through a machine learning process.
  • the user behavior feature can also include non-sensor data.
  • the non-sensor data may include a habit of a user operating a screen or input using an input device such as a mouse, trackpad, keyboard, or the like.
  • the user inputs the field information through the keyboard of the mobile terminal, and the server can obtain the time difference of the user pressing each keyboard character in the process of inputting the field information and/or the total duration of inputting the complete field information, etc. as the user behavior feature.
  • the user can scan the nine-square grid input information in the touch screen of the mobile terminal, and the server can acquire the time interval of the user sliding through each point or the like as a user behavior feature.
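The keyboard-timing behavior feature described above (the time difference between successive key presses and the total duration of entering a field), as an added Python example that is not part of the patent; the enrolment profile built from several typing samples, the z-score comparison, the threshold of 2.0 and the sample timestamps are all constructed for the illustration.

```python
"""Keystroke-timing behaviour feature: inter-key intervals and total duration.

Added illustration, not the patent's own code. The profile construction
(per-interval mean and standard deviation), the z-score distance and the
acceptance threshold are assumptions; the timestamps below are constructed.
"""
from statistics import mean, pstdev


def keystroke_features(press_times_ms):
    """From key-press timestamps (ms) compute inter-key intervals and the total duration."""
    if len(press_times_ms) < 2:
        raise ValueError("need at least two key presses")
    intervals = [b - a for a, b in zip(press_times_ms, press_times_ms[1:])]
    return {"intervals": intervals, "total_ms": press_times_ms[-1] - press_times_ms[0]}


def build_profile(samples):
    """Enrol a preset user from several typings of the same field.

    Each interval position gets its own mean and (population) standard deviation;
    a floor of 1 ms on the deviation avoids division by zero for perfectly regular samples.
    """
    feats = [keystroke_features(s)["intervals"] for s in samples]
    n = len(feats[0])
    if any(len(f) != n for f in feats):
        raise ValueError("all enrolment samples must have the same number of key presses")
    columns = list(zip(*feats))
    return {"means": [mean(c) for c in columns],
            "stds": [max(pstdev(c), 1.0) for c in columns]}


def behavior_distance(profile, press_times_ms):
    """Mean absolute z-score of a fresh sample against the enrolled profile."""
    intervals = keystroke_features(press_times_ms)["intervals"]
    if len(intervals) != len(profile["means"]):
        raise ValueError("sample length does not match the enrolled profile")
    z = [abs(i - m) / s for i, m, s in zip(intervals, profile["means"], profile["stds"])]
    return mean(z)


def matches_preset_user(profile, press_times_ms, threshold=2.0):
    """True when the live typing rhythm is close enough to the enrolled user's rhythm."""
    return behavior_distance(profile, press_times_ms) <= threshold


if __name__ == "__main__":
    # Constructed enrolment: three typings of a five-character field by the same user.
    enrolled = build_profile([[0, 150, 300, 460, 600],
                              [0, 160, 310, 450, 610],
                              [0, 140, 290, 470, 590]])
    print(matches_preset_user(enrolled, [0, 150, 300, 465, 600]))   # same rhythm
    print(matches_preset_user(enrolled, [0, 400, 700, 1100, 1400]))  # different rhythm
```

Only the timing vector is compared; the characters typed are not needed by this stage, which is the point of using behavior rather than the secret itself as an authentication factor.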
  • the identifier may uniquely determine the mobile terminal (e.g., cell phone), to avoid the risks (e.g., authentication errors) of use on other handsets.
  • the mobile terminal identifier may be an International Mobile Equipment Identity (IMEI), a CDMA Mobile Equipment Identifier, a Universally Unique Identifier (UUID), a mobile phone network MAC address, a Bluetooth address, a hardware serial number, etc., or any combination thereof.
  • multiple parameters such as the operating environment, user behavior characteristics, and mobile terminal identification can be transmitted over the network to the server.
  • the multivariate parameters may be encrypted as they are transmitted.
  • algorithms for encrypting the transmission of the multivariate parameters may include digest algorithms (e.g., MD5, SHA1, etc.), hash algorithms (e.g., SM3, etc.), symmetric encryption algorithms (e.g., AES, DES, IDEA, SSF33, SM1, SM4, SM7, etc.), and asymmetric encryption algorithms (e.g., SM2, SM9, RSA, etc.), or any combination of one or more thereof.
  • the multivariate parameters may be encrypted and the encrypted multivariate parameters transmitted to the server; after receiving the encrypted multivariate parameters, the server may decrypt them and then process the decrypted multivariate parameters.
  • the server can obtain the multivariate parameter during the user login process. For example, when the user logs in to the mobile terminal and/or the application by inputting a password, the server can obtain multiple parameters such as an operating environment, a user behavior characteristic, and a mobile terminal identifier of the user during the login start to the login completion process. In some embodiments, the server may obtain the multivariate parameters described above during user operation. For example, when the user performs the password recovery operation, the server can acquire the above multivariate parameters of the user from the start of the operation to the end of the operation.
  • subsequent verification may check whether the runtime environment is secure, whether the behavior characteristics belong to the preset user corresponding to the mobile terminal (e.g., the owner of the mobile terminal), and whether the operation is performed on the designated mobile phone. In some embodiments, the final verification passes only when all three are satisfied, that is, when all verifications are passed.
  • Step 102 Perform multi-parameter authentication by using a preset analysis model (such as an intelligent analysis model);
  • the smart analysis model stores an identifier of each terminal (such as a mobile terminal), a human behavior characteristic of the preset user corresponding to each mobile terminal, and a security database that determines whether the operating environment is secure;
  • the multivariate parameters can be effectively identified to determine whether the verification passes, and ultimately determine whether the operation corresponding to the authentication needs to be performed normally or should be aborted.
  • one mobile terminal may correspond to one or more users (eg, multiple users). In some embodiments, one user may also correspond to multiple mobile terminals.
  • multiple parameters such as the operating environment, user behavior characteristics, and mobile terminal identification can be authenticated simultaneously.
  • the server can simultaneously acquire multiple parameters such as the system operating environment, user behavior characteristics, and mobile terminal identification of the terminal and send them to the big data processing end.
  • the big data processing end can simultaneously analyze and authenticate the multivariate parameters and return the verification result. The analysis confirms the verification result and sends information to the mobile terminal, and the information can be used to prompt the success or failure of the current authentication.
  • the runtime environment, mobile terminal identification, and user behavior characteristics may be verified in turn.
  • the server may preferentially obtain the running environment parameter and send it to the big data processing end, and the big data processing end analyzes and authenticates the running environment parameter and returns the verification result.
  • if the verification of the running environment does not pass, the server may terminate the authentication operation and send information to the mobile terminal, for example prompting that the authentication failed and/or that the current operating environment is abnormal.
  • if the verification of the running environment passes, the server may continue to acquire the mobile terminal identity and user behavior characteristics and send the data to the big data processing end; the big data processing end may determine, based on the mobile terminal identifier, the human behavior characteristic of the preset user corresponding to the mobile terminal, and compare the user behavior feature with that characteristic to confirm whether the user is the preset user of the mobile terminal.
  • if the verification of the user behavior feature or of the mobile terminal identity does not pass, the server may terminate the authentication operation and send information to the mobile terminal, for example prompting that the authentication failed and/or that the current user behavior feature is abnormal. If the verification of both the user behavior feature and the mobile terminal identity succeeds, the server may send a message to the mobile terminal to prompt that the current authentication succeeded and/or release the current authentication operation.
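The ordered flow described above (operating environment first, then the terminal identifier, then the user behavior feature, aborting at the first failure with a prompt for the terminal), as an added Python example that is not the patent's code. The risk scoring, the security database contents, the Euclidean behavior distance and both thresholds are assumptions made for the illustration.

```python
"""Ordered multi-parameter verification: environment, then identifier, then behaviour.

Added illustration of the sequential flow, not the patent's own code. The
SecurityDB stand-in, the risk scoring and the thresholds are constructed.
"""
from dataclasses import dataclass, field
from math import dist


@dataclass
class SecurityDB:
    """Stand-in for the analysis model's security database (constructed for the example)."""
    risky_networks: set = field(default_factory=set)   # network names judged hostile
    rooted_is_risky: bool = True
    terminals: dict = field(default_factory=dict)      # terminal id -> enrolled behaviour vector


@dataclass
class Params:
    """The multivariate parameters uploaded by the terminal for one authentication."""
    network: str
    rooted: bool
    terminal_id: str
    behavior: tuple


@dataclass
class Outcome:
    passed: bool
    stage: str      # the stage that decided the result
    message: str    # prompt to send back to the terminal


def environment_risk(p: Params, db: SecurityDB) -> float:
    """Risk value in [0, 1]; constructed scoring: hostile network and rooted device each add risk."""
    risk = 0.0
    if p.network in db.risky_networks:
        risk += 0.6
    if p.rooted and db.rooted_is_risky:
        risk += 0.6
    return min(risk, 1.0)


def verify_sequentially(p: Params, db: SecurityDB,
                        risk_limit: float = 0.5, behavior_limit: float = 1.0) -> Outcome:
    # Stage 1: the operating environment takes precedence; stop before touching other parameters.
    if environment_risk(p, db) >= risk_limit:
        return Outcome(False, "environment", "authentication failed: operating environment abnormal")
    # Stage 2: the identifier must be known to the security database.
    enrolled = db.terminals.get(p.terminal_id)
    if enrolled is None:
        return Outcome(False, "identifier", "authentication failed: unknown terminal")
    # Stage 3: compare the live behaviour vector with the preset user's enrolled vector.
    if dist(p.behavior, enrolled) > behavior_limit:
        return Outcome(False, "behavior", "authentication failed: user behaviour abnormal")
    return Outcome(True, "behavior", "authentication successful: operation released")


if __name__ == "__main__":
    db = SecurityDB(risky_networks={"evil-ap"}, terminals={"T1": (1.0, 2.0, 3.0)})
    print(verify_sequentially(Params("home-wifi", False, "T1", (1.1, 2.0, 2.9)), db))
    print(verify_sequentially(Params("evil-ap", False, "T1", (1.1, 2.0, 2.9)), db))
```

Returning the deciding stage alongside the pass/fail bit lets the server log which factor failed without exposing the enrolled behavior data or the risk score to the terminal.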
  • the analysis model can include a deep learning model, a machine learning model, and the like.
  • the analysis model may include, but is not limited to, a deep neural network (DNN), a convolutional neural network (CNN), a recurrent neural network (RNN), a feature pyramid network (FPN), and the like.
  • the big data processing end can acquire the analysis model through training. Specifically, the big data processing end can acquire original multivariate parameters such as an operating environment, a user behavior feature, and a mobile terminal identifier.
  • the raw data of the user behavior feature may be behavior characteristic data when a specific user operates a specific terminal, behavior characteristic data when a specific user operates a different terminal, behavior characteristic data when a specific user operates a specific terminal, and the like.
  • the original multivariate parameters can be divided into training parameters and test parameters, wherein the training parameters can be used for model training, and the test parameters can be used to test the training effect of the intelligent analysis model in order to adjust and correct the parameters of the intelligent analysis model.
  • the analysis model can be a comprehensive model capable of authenticating the operating environment, user behavior characteristics, and mobile terminal identification.
  • the analysis model can also include multiple sub-models.
  • the analysis model may include an operating environment authentication model, a user behavior feature authentication model, and a mobile terminal identity authentication model for authenticating the operating environment, user behavior characteristics, and mobile terminal identification, respectively.
  • Step 103: When the verification of the running environment, the user behavior feature, and the identifier in the multivariate parameters by the analysis model all pass, confirm that the operator of the mobile terminal is the preset user, and the authentication passes.
  • the server may set an authentication limit to avoid malicious authentication, machine authentication, and the like.
  • the server may limit the number of authentications (eg, 1 time, 3 times, 5 times, 10 times, etc.) of the same user per unit time (eg, 1 hour, half day, 1 day, 1 week, etc.).
  • the server can limit the number of authentications of different users in the same mobile terminal unit time.
  • the server can limit the number of users who can perform authentication operations on the same terminal per unit time (for example, 1 hour, half a day, 1 day, 1 week, etc.) (for example, 1, 3, 5, 10 users), and the number of verifications of each of those users (e.g., 1 time, 3 times, 5 times, 10 times, etc.).
  • the server and/or the mobile terminal may include a defense mechanism. For example, if the number of verification failures exceeds a preset number of times, the server and/or the mobile terminal may lock the mobile terminal within a preset time, so that the user only has The authentication operation can be performed again after the preset time.
  • the server may also send prompt information to the associated account of the mobile terminal. For example, if the verification fails and/or the number of failed verifications exceeds the preset number of times, the server may send a prompt message to the associated account, prompting login or authentication abnormality.
  • the associated account includes, but is not limited to, a mobile number, a mailbox account, an instant messaging account, etc., or any combination thereof.
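The authentication limits and defense mechanism described above (a per-user count per unit time, a cap on the number of distinct users per terminal, a lockout after repeated failures, and a prompt to the associated account), as an added Python example that is not the patent's code. The window sizes, limits, the in-memory bookkeeping and the `notify` callback are all assumptions for the illustration; the clock is passed in explicitly so the behavior can be checked offline.

```python
"""Authentication limits: per-user count per window, users per terminal, failure lockout.

Added illustration, not the patent's own code. All limits and the notification
hook are constructed; timestamps are plain seconds supplied by the caller.
"""
from collections import defaultdict, deque


class AuthLimiter:
    def __init__(self, window_s=3600, max_per_user=5, max_users_per_terminal=3,
                 max_failures=3, lock_s=900, notify=None):
        self.window_s = window_s
        self.max_per_user = max_per_user
        self.max_users_per_terminal = max_users_per_terminal
        self.max_failures = max_failures
        self.lock_s = lock_s
        # notify(account, message): sends the prompt to the associated account (mobile number, mail, IM)
        self.notify = notify or (lambda account, message: None)
        self._attempts = defaultdict(deque)         # (terminal, user) -> attempt timestamps
        self._users_on_terminal = defaultdict(dict)  # terminal -> {user: last attempt timestamp}
        self._failures = defaultdict(int)           # terminal -> consecutive failed verifications
        self._locked_until = {}                     # terminal -> time the lock expires

    def _prune(self, dq, now):
        """Drop attempts that fell out of the sliding window."""
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def allow(self, terminal, user, now):
        """Decide whether an authentication attempt may start; returns (allowed, reason)."""
        if now < self._locked_until.get(terminal, 0):
            return False, "terminal locked"
        dq = self._attempts[(terminal, user)]
        self._prune(dq, now)
        if len(dq) >= self.max_per_user:
            return False, "per-user limit reached"
        users = self._users_on_terminal[terminal]
        for u, ts in list(users.items()):          # forget users not seen within the window
            if now - ts > self.window_s:
                del users[u]
        if user not in users and len(users) >= self.max_users_per_terminal:
            return False, "too many users on terminal"
        dq.append(now)
        users[user] = now
        return True, "allowed"

    def record_result(self, terminal, user, account, success, now):
        """Feed back the verification result; lock the terminal after repeated failures."""
        if success:
            self._failures[terminal] = 0
            return
        self._failures[terminal] += 1
        self.notify(account, "authentication failed on terminal %s" % terminal)
        if self._failures[terminal] >= self.max_failures:
            self._locked_until[terminal] = now + self.lock_s
            self._failures[terminal] = 0
            self.notify(account, "terminal %s locked after repeated failures" % terminal)


if __name__ == "__main__":
    lim = AuthLimiter(max_per_user=2, notify=lambda acct, msg: print("notify", acct, msg))
    print(lim.allow("T1", "alice", 0))
    print(lim.allow("T1", "alice", 1))
    print(lim.allow("T1", "alice", 2))   # third attempt within the hour is refused
```

The lock is keyed on the terminal rather than the user so that cycling through account names on one handset does not bypass it, which is the case the per-terminal user cap is meant to catch.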
  • the operating environment needs to be secure, for example, its risk value is less than a preset value;
  • the identifier needs to match the identifier in the security database
  • the user behavior feature needs to match the human behavior characteristic.
  • before acquiring the multivariate parameters of the mobile terminal, the method further includes:
  • the multivariate parameters can be obtained in various ways; for example, the user behavior characteristics can be acquired by a sensor on the mobile phone, such as a gyroscope, a GPS positioning device, a pressure sensor, a position sensor, a speed sensor, an acceleration sensor, a torque sensor, a force sensor, a magnetometer, or the like, or any combination thereof.
  • the operating environment may be acquired by, for example, network detection, and the identifier may be read from the terminal's information or identified in a preset information field.
  • the method further includes:
  • the process corresponding to the authentication is, for example, payment
  • the payment process needs to be terminated, so as to ensure security and avoid risk.
  • when the authentication passes, the method further includes:
  • the flow corresponding to the authentication on the mobile terminal is released.
  • the method further includes:
  • the multivariate data is stored in a database in the intelligent analysis model.
  • newly generated data is continuously added to the multivariate data stored in the database of the intelligent analysis model, so that subsequent identification becomes more and more accurate.
  • a complete identity authentication process is as follows:
  • the authenticated service initiates an authentication request to the authentication processing server.
  • the mobile terminal may send an authentication request to the server.
  • the authentication request may include, but is not limited to, software and/or application account number, software development kit (SDK) unique identification, and the like.
  • the authentication request can be transmitted over the network to the server.
  • the transmission of the authentication request can be encrypted.
  • the authentication processing server matches the mobile terminal and/or the software and application programs in the mobile terminal corresponding to the request.
  • one or more software development kits (SDKs), software and/or applications, etc. may be embedded in the handset.
  • the Software Development Kit (SDK) can generate different unique identifiers for different software and/or application accounts, which can be associated with the one or more software and/or application accounts, respectively.
  • the authentication processing server sends challenge authentication to the user's mobile phone.
  • the server may send a challenge password to the mobile terminal according to the received authentication request, and the challenge password may include, but is not limited to, an authentication request, an authentication sequence number, random data, a server user name, and the like.
  • the mobile phone sends the current mobile phone environment, user behavior mode, mobile phone security and the like to the authentication processing server.
  • the authentication processing server sends the received information to the big data machine learning server.
  • a big data machine learning server can be used to analyze the runtime environment, mobile identity, and user behavior characteristics and their associated information and/or data.
  • the big data machine learning server analyzes whether the current user is the user, whether the environment is abnormal, etc. according to the model established in the user information collection process, and returns the verification result.
  • the authentication processing server and the big data machine learning server may be separate servers for separately processing the above functions.
  • the authentication processing server and the big data machine learning server may be the same server (eg, server 810).
  • the authentication processing server releases or rejects the service authentication request in the first step according to the verification result.
  • the authentication processing server can receive and confirm the verification result returned by the big data machine learning server. If the verification result is confirmed as successful, the authentication processing server may send a prompt message to the mobile terminal (such as prompting that the authentication succeeded) and release the service authentication request; in particular, the release operation can be performed by the release module 206. If the verification result is confirmed as failed, the authentication processing server may send a prompt message to the mobile terminal (such as prompting that the authentication failed), reject the service authentication request, and terminate the authentication operation; in particular, the termination operation can be performed by the termination module 205.
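The complete exchange listed above, with both sides' messages, as an added Python example that is not the patent's code: the terminal sends an authentication request carrying its account and SDK identifier, the server matches the SDK identifier and returns a challenge (request, sequence number, random data, server name), the terminal answers with its multivariate parameters bound to that challenge, and the server checks freshness before handing the parameters on for analysis. The message layout, the shared per-SDK key, the use of HMAC-SHA256 as the integrity binding, and the challenge lifetime are assumptions; the patent names algorithm families but no concrete message format, and confidentiality of the parameters (e.g., with one of the listed symmetric ciphers) would be layered on top of this and is not shown.

```python
"""Challenge/response exchange between a terminal and the authentication server.

Added illustration, not the patent's own code. Message fields, the per-SDK shared
key, the HMAC-SHA256 binding and the 60 s challenge lifetime are assumptions.
"""
import hashlib
import hmac
import json
import secrets


def _tag(key: bytes, nonce: str, params: dict) -> str:
    """Integrity tag binding the uploaded parameters to the server's random data."""
    msg = nonce.encode() + json.dumps(params, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self, sdk_keys: dict, name: str = "auth-server", challenge_ttl_s: float = 60.0):
        self.sdk_keys = sdk_keys        # SDK unique identifier -> shared key (constructed enrolment)
        self.name = name
        self.ttl = challenge_ttl_s
        self.seq = 0
        self.pending = {}               # authentication sequence number -> (sdk_id, nonce, issued_at)

    def handle_request(self, request: dict, now: float) -> dict:
        """Steps 1-3: match the SDK identifier from the request and issue a challenge."""
        sdk_id = request["sdk_id"]
        if sdk_id not in self.sdk_keys:
            raise PermissionError("unknown SDK identifier")
        self.seq += 1
        nonce = secrets.token_hex(16)
        self.pending[self.seq] = (sdk_id, nonce, now)
        return {"request": request, "seq": self.seq, "nonce": nonce, "server": self.name}

    def handle_response(self, resp: dict, now: float):
        """Step 4: accept the parameters only for a fresh, untampered, single-use challenge."""
        entry = self.pending.pop(resp["seq"], None)   # a challenge can be answered once
        if entry is None:
            return None
        sdk_id, nonce, issued = entry
        if now - issued > self.ttl or resp["nonce"] != nonce:
            return None
        expected = _tag(self.sdk_keys[sdk_id], nonce, resp["params"])
        if not hmac.compare_digest(expected, resp["tag"]):
            return None
        return resp["params"]           # would now be passed to the analysis model (step 5)


class Terminal:
    def __init__(self, sdk_id: str, key: bytes, params: dict):
        self.sdk_id, self.key, self.params = sdk_id, key, params

    def request(self) -> dict:
        return {"account": "user@example", "sdk_id": self.sdk_id}

    def answer(self, challenge: dict) -> dict:
        """Upload environment, behaviour and identifier bound to the challenge nonce."""
        return {"seq": challenge["seq"], "nonce": challenge["nonce"],
                "params": self.params, "tag": _tag(self.key, challenge["nonce"], self.params)}


def run_exchange(server: AuthServer, terminal: Terminal, now: float = 0.0):
    """Drive one full exchange; returns the accepted parameters or None."""
    challenge = server.handle_request(terminal.request(), now)
    response = terminal.answer(challenge)
    return server.handle_response(response, now + 1.0)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    srv = AuthServer({"sdk-1": key})
    term = Terminal("sdk-1", key, {"env": {"network": "home"}, "behavior": [150, 150, 160],
                                  "id": "TERMINAL-ID-PLACEHOLDER"})
    print(run_exchange(srv, term))
```

Popping the pending entry before any other check is what makes a replayed response fail even if it arrives within the lifetime, and the tag covers the nonce so parameters captured from one session cannot be re-sent under a later challenge.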
  • the authentication method of the scheme has the following characteristics:
  • the concept of security authentication is diversified, including three-factor authentication, that is, information that the user knows (mobile phone environment), the authentication facility held by the user (the mobile phone itself), and the user's biometric (user behavior);
  • sensitive data is encrypted for transmission and storage;
  • authentication is mobile, diversified and unique. Mobility is reflected in the use of mobile devices and other mobile-device authentication. Diversification is the ability to add and delete authentication factors according to one's own needs. Uniqueness is reflected in the fact that there is currently no authentication system similar to this product;
  • the back-end uses machine learning, big data analysis, and intelligent identification and analysis of data to accurately determine whether user authentication is legal;
  • Embodiment 2 of the present invention discloses an authentication device. As shown in FIG. 3, the device may include:
  • the obtaining module 201 is configured to obtain a multi-parameter parameter of the mobile terminal, where the multi-parameter parameter may include: an operating environment, the collected user behavior feature, and an identifier for uniquely determining the mobile terminal.
  • the authentication module 202 is configured to authenticate the multi-parameter through a preset intelligent analysis model.
  • the intelligent analysis model can be a deep learning model.
  • the intelligent analysis model may include, but is not limited to, a deep neural network (DNN), a convolutional neural network (CNN), a recurrent neural network (RNN), a feature pyramid network (FPN), and the like.
  • the runtime environment, user behavior characteristics, and mobile terminal identification can be verified simultaneously.
  • the runtime environment, mobile terminal identification, and user behavior characteristics may be verified in turn.
  • the determining module 203 is configured to confirm that the operator of the mobile terminal is the preset user, and that the authentication passes, when the verification of the running environment, the user behavior feature, and the identifier in the multivariate parameters by the preset intelligent analysis model all pass.
  • the device further includes:
  • the requesting module 204 is configured to receive an authentication request, where the authentication request includes information about the mobile terminal to be authenticated.
  • the authentication request may also include software and/or application related information in the mobile terminal to be authenticated.
  • a mobile terminal corresponding to the authentication request is matched based on the information; in some embodiments, this step can be performed by a matching module.
  • this step can be performed by a challenge authentication module.
  • the device further includes:
  • the termination module 205 is configured to determine that the authentication fails and to terminate the process corresponding to the authentication on the mobile terminal when at least one of the verifications of the operating environment, the user behavior feature, and the identifier in the multivariate parameters by the preset intelligent analysis model does not pass.
  • the device further includes:
  • the release module 206 is configured to release the process corresponding to the authentication on the mobile terminal.
  • the smart analysis model stores an identifier of each mobile terminal, a human behavior characteristic of the preset user corresponding to each mobile terminal, and a security database that determines whether the operating environment is secure;
  • the device further includes: a storage module 207, configured to store the multivariate data in a database in the intelligent analysis model.
  • the systems (e.g., devices) and their modules illustrated in Figures 3-7 can be implemented in a variety of ways.
  • the system and its modules can be implemented in hardware, software, or a combination of software and hardware.
  • the hardware portion can be implemented using dedicated logic; the software portion can be stored in memory and executed by a suitable instruction execution system, such as a microprocessor or dedicated design hardware.
  • the software portion may be provided as processor control code, for example on a carrier medium such as a magnetic disk, CD or DVD-ROM, in programmable memory such as read-only memory (firmware), or on a data carrier such as an optical or electronic signal carrier.
  • the system of the present application and its modules can be implemented not only with hardware such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, etc., or programmable hardware devices such as field programmable gate arrays, programmable logic devices, and the like. It can also be implemented by, for example, software executed by various types of processors, or by a combination of the above-described hardware circuits and software (for example, firmware).
  • the above description of the authentication system and its modules is merely for convenience of description, and the present application is not limited to the scope of the embodiments. It will be understood that, after understanding the principles of the system, it is possible for those skilled in the art to arbitrarily combine the various modules or connect the other subsystems without departing from the principle.
  • the obtaining module 201, the authentication module 202, the determining module 203, the requesting module 204, the terminating module 205, the releasing module 206, and the storage module 207 may be different modules in one system, or the functions of two or more of the above modules may be implemented in one module. The above modules can be flexibly matched and combined as needed, and are not limited to the specific embodiments in the drawings of the specification.
  • the embodiment of the present invention provides a method and device for authentication, where the method includes: acquiring multivariate parameters of the mobile terminal, where the multivariate parameters include an operating environment, collected user behavior characteristics, and an identifier used for uniquely determining the mobile terminal; authenticating the multivariate parameters by a preset intelligent analysis model; and, when the verification of the running environment, the user behavior feature, and the identifier in the multivariate parameters by the preset intelligent analysis model all pass, confirming that the operator of the mobile terminal is the preset user and that the authentication passes. In this way, by verifying the multivariate parameters, and especially the user behavior characteristics among them, the user's real-time behavior characteristics are dynamic and not easily stolen, which further improves the security of the authentication and ensures the user experience.
  • modules in the apparatus in the implementation scenario may be distributed in the apparatus for implementing the scenario according to the implementation scenario description, or may be correspondingly changed in one or more devices different from the implementation scenario.
  • the modules of the above implementation scenarios may be combined into one module, or may be further split into multiple sub-modules.

Abstract

Provided by the present application is an authentication method and device, the method comprising: acquiring a plurality of parameters for a mobile terminal, wherein the plurality of parameters comprises operating environment, collected user behavior characteristics and an identifier that is used for uniquely determining the mobile terminal; authenticating the plurality of parameters by means of a preset intelligent analysis model; when the operating environment, user behavior characteristics and identifier within the plurality of parameters all pass authentication by the preset intelligent analysis model, confirming that an operator of the mobile terminal is a preset user thereof, and passing authentication. Thus, by means of authenticating a plurality of parameters, in particular user behavior characteristics within the plurality of parameters, the real-time behavior characteristics of a user are dynamic and are difficult to steal, which further increases the security of authentication and ensures a good user experience.

Description

Method and device for authentication
Cross reference
This application claims priority to Chinese application No. CN201710517649.4, filed on June 29, 2017, and to Chinese application No. CN201710517666.8, filed on June 29, 2017. The contents of the above applications are incorporated herein by reference.
Technical field
The present invention relates to the field of authentication, and in particular to a method and device for authentication.
Background art
With the rapid development of the Internet, the network security situation has become increasingly complex and changeable, people attach more and more importance to network security, identity authentication is everywhere, and the previous identity authentication methods can no longer keep up with the development of the network security situation.
Existing authentication technologies, such as traditional character passwords, confirmation push, PIN (Personal Identification Number) codes, SMS, and voice, all have the drawback of being susceptible to theft, so that their security is insufficient.
Therefore, a more secure authentication scheme is currently needed.
Summary of the invention
In view of the defects in the prior art, the present invention proposes a method and device for authentication, which further improves the security of authentication and ensures the user experience by verifying multivariate parameters, and in particular the user behavior characteristics among the multivariate parameters.
Specifically, the present invention proposes the following specific embodiments:
One embodiment of the present application provides an authentication method implemented on a server, the server including at least one processor, a memory, and a communication platform connected to a network, the method including: acquiring at least one parameter of a terminal, the at least one parameter including the system operating environment of the terminal, user behavior characteristics, and an identifier of the terminal; authenticating the at least one parameter by a preset analysis model; and determining, according to the authentication result of the at least one parameter, whether the operator of the terminal is a preset user, and when the verification of the system operating environment, the user behavior characteristics, and the terminal identifier in the at least one parameter by the analysis model all pass, confirming that the operator of the terminal is the preset user and passing the authentication.
In some embodiments, when at least one of the verifications of the operating environment, the user behavior characteristics, and the identifier in the multivariate parameters by the preset analysis model does not pass, the authentication is determined to have failed, and the authentication process is terminated.
In some embodiments, the analysis model includes identifiers of a plurality of mobile terminals, behavior characteristics of the preset users corresponding to the plurality of mobile terminals, and a security database for judging whether the operating environment is secure.
In some embodiments, before acquiring the multivariate parameters of the terminal, the method further includes: receiving an authentication request from the terminal, wherein the authentication request contains information about the terminal; matching the terminal based on the information about the terminal; and sending a challenge authentication instruction to the terminal, so that the terminal uploads the at least one parameter to the server upon receiving the challenge authentication instruction.
In some embodiments, the method further includes releasing the process corresponding to the authentication on the terminal. Specifically, a release instruction may be transmitted to the terminal, and the terminal releases the process corresponding to the authentication on the terminal after executing the release instruction.
In some embodiments, the user behavior characteristics include sensor data generated by the terminal when it is operated by the operator.
In some embodiments, the user behavior characteristics include at least one of the following sensor data: rotation data, force data, orientation data, screen operation data, and input device operation data.
One embodiment of the present application provides an authentication device, including: an obtaining module for acquiring at least one parameter of a terminal, the at least one parameter including the system operating environment of the terminal, user behavior characteristics, and an identifier of the terminal; an authentication module for authenticating the at least one parameter by a preset analysis model; and a determining module for determining, according to the authentication result of the at least one parameter, whether the operator of the terminal is a preset user, and, when the verification of the system operating environment, the user behavior characteristics, and the terminal identifier in the at least one parameter by the analysis model all pass, confirming that the operator of the terminal is the preset user and passing the authentication.
In some embodiments, the device further includes a termination module for determining that the authentication has failed and terminating the authentication process when at least one of the verifications of the operating environment, the user behavior characteristics, and the identifier in the multivariate parameters by the preset analysis model does not pass.
In some embodiments, the analysis model includes identifiers of a plurality of mobile terminals, behavior characteristics of the preset users corresponding to the plurality of mobile terminals, and a security database for judging whether the operating environment is secure.
In some embodiments, the device further includes: a request module for receiving an authentication request from the terminal, wherein the authentication request contains information about the terminal; a matching module for matching the terminal based on the information about the terminal; and a challenge authentication module for sending a challenge authentication instruction to the terminal, so that the terminal uploads the at least one parameter to the server upon receiving the challenge authentication instruction.
In some embodiments, the device further includes a release module for releasing the process corresponding to the authentication on the terminal. Specifically, the release module may transmit a release instruction to the terminal, and the terminal releases the process corresponding to the authentication on the terminal after executing the release instruction.
In some embodiments, the user behavior characteristics include sensor data generated by the terminal when it is operated by the operator.
在一些实施例中,所述用户行为特征包括以下传感器数据中的至少一个:旋转数据、受力数据、方位数据、屏幕操作数据或输入设备操作数据。In some embodiments, the user behavior characteristic comprises at least one of the following sensor data: rotation data, force data, orientation data, screen operation data, or input device operation data.
本申请实施例之一提供一种认证的装置,其特征在于,包括处理器,所述处理器被配置为:获取终端的至少一个参数,所述至少一个参数包括:所述终端的系统运行环境、用户行为特征以及所述终端的标识;通过预设的分析模型对所述至少一个参数进行认证;以及根据所述至少一个参数的认证结果,确定所述终端的操作者是否为预设用户,当通过所述分析模型对所述至少一个参数中的系统运行环境、所述用户行为特征以及所述终端标识的验证都通过时,确认所述终端的操作者为预设的用户自身,并认证通过。An embodiment of the present application provides an apparatus for authentication, including a processor, where the processor is configured to: acquire at least one parameter of a terminal, where the at least one parameter includes: a system operating environment of the terminal Determining the at least one parameter by using a preset analysis model; and determining, according to the authentication result of the at least one parameter, whether the operator of the terminal is a preset user, When the system running environment, the user behavior feature, and the verification of the terminal identifier in the at least one parameter are passed by the analysis model, confirm that the operator of the terminal is the preset user itself, and authenticate by.
本申请实施例之一提供一种计算机可读存储介质,所述存储介质存储计算机指令,当计算机读取存储介质中的计算机指令后,计算机执行认证的方法,所述方法包括:获取终端的至少一个参数,所述至少一个参数包括:所述终端的系统运行环境、用户行为特征以及所述终端的标识;通过预设的分析模型对所述至少一个参数进行认证;以及根据所述至少一个参数的认证结果,确定所述终端的操作者是否为预设用户,当通过所述分 析模型对所述至少一个参数中的系统运行环境、所述用户行为特征以及所述终端标识的验证都通过时,确认所述终端的操作者为预设的用户自身,并认证通过。One embodiment of the present application provides a computer readable storage medium, where the storage medium stores computer instructions, and when the computer reads a computer instruction in the storage medium, the computer performs a method of authenticating, where the method includes: acquiring at least a terminal a parameter, the at least one parameter comprising: a system operating environment of the terminal, a user behavior feature, and an identifier of the terminal; authenticating the at least one parameter by a preset analysis model; and according to the at least one parameter The result of the authentication is determined whether the operator of the terminal is a preset user, and when the verification of the system operating environment, the user behavior feature, and the verification of the terminal identifier in the at least one parameter is passed by the analysis model Confirm that the operator of the terminal is the preset user itself and pass the authentication.
本申请实施例之一提供一种在终端上实现的认证的方法,所述终端包括至少一个处理器、存储器和连接到网络的通信平台,所述方法包括:获取至少一个参数并发送给服务器,所述至少一个参数包括:终端的系统运行环境、用户行为特征以及所述终端的标识;接收服务器信息,并根据所述服务器基于认证所述至少一个参数而确定的所述终端的操作者是否为预设用户的判断结果通过或不通过认证。One embodiment of the present application provides a method for authentication implemented on a terminal, where the terminal includes at least one processor, a memory, and a communication platform connected to the network, the method comprising: acquiring at least one parameter and sending the parameter to the server, The at least one parameter includes: a system operating environment of the terminal, a user behavior characteristic, and an identifier of the terminal; receiving server information, and determining, according to the server, whether the operator of the terminal is determined based on the at least one parameter The default user's judgment result passes or fails the certification.
在一些实施例中,所述用户行为特征包括所述终端在被所述操作者操作时产生的传感器数据。In some embodiments, the user behavior characteristic comprises sensor data generated by the terminal when operated by the operator.
本申请实施例之一提供一种认证的系统,其特征在于,包括:获取模块,所述获取模块用于获取至少一个参数并发送给服务器,所述至少一个参数包括:终端的系统运行环境、用户行为特征以及所述终端的标识;接收模块,所述接收模块用于接收服务器信息,并根据所述服务器基于认证所述至少一个参数而确定的所述终端的操作者是否为预设用户的判断结果通过或不通过认证。The system of the present application provides an authentication system, which includes: an obtaining module, where the acquiring module is configured to acquire at least one parameter and send it to a server, where the at least one parameter includes: a system operating environment of the terminal, a user behavior feature and an identifier of the terminal; a receiving module, the receiving module, configured to receive server information, and determine, according to the server, whether the operator of the terminal is a preset user according to the at least one parameter that is authenticated by the server The judgment result passes or does not pass the certification.
在一些实施例中,所述用户行为特征包括所述终端在被所述操作者操作时产生的传感器数据。In some embodiments, the user behavior characteristic comprises sensor data generated by the terminal when operated by the operator.
本申请实施例之一提供一种认证的终端,其特征在于,包括处理器,所述处理器被配置为:获取至少一个参数并发送给服务器,所述至少一个参数包括:终端的系统运行环境、用户行为特征以及所述终端的标识;接 收服务器信息,并根据所述服务器基于认证所述至少一个参数而确定的所述终端的操作者是否为预设用户的判断结果通过或不通过认证。An embodiment of the present application provides an authentication terminal, including a processor, where the processor is configured to: acquire at least one parameter and send the parameter to a server, where the at least one parameter includes: a system operating environment of the terminal. The user behavior characteristic and the identifier of the terminal; receiving server information, and passing or not authenticating according to whether the operator of the terminal determined by the server based on the at least one parameter is the default user's judgment result.
本申请实施例之一提供一种计算机可读存储介质,所述存储介质存储计算机指令,当计算机读取存储介质中的计算机指令后,计算机执行认证的方法,所述方法包括:获取至少一个参数并发送给服务器,所述至少一个参数包括:终端的系统运行环境、用户行为特征以及所述终端的标识;接收服务器信息,并根据所述服务器基于认证所述至少一个参数而确定的所述终端的操作者是否为预设用户的判断结果通过或不通过认证。One embodiment of the present application provides a computer readable storage medium storing computer instructions for performing a method of authentication after a computer reads a computer instruction in a storage medium, the method comprising: acquiring at least one parameter And sending to the server, the at least one parameter includes: a system operating environment of the terminal, a user behavior feature, and an identifier of the terminal; receiving server information, and determining, according to the at least one parameter, the terminal according to the server Whether the operator passes the authentication or not the authentication result of the preset user.
An embodiment of the present invention further provides an authentication method, including:
acquiring multi-parameters of a mobile terminal, where the multi-parameters include: the operating environment, the collected user behavior characteristics, and an identifier used to uniquely determine the mobile terminal;
authenticating the multi-parameters using a preset intelligent analysis model;
when the verification of the operating environment, the user behavior characteristics and the identifier among the multi-parameters by the intelligent analysis model all pass, confirming that the operator of the mobile terminal is the preset user and that the authentication is passed.
In a specific embodiment, before the multi-parameters of the mobile terminal are acquired, the method further includes:
receiving an authentication request, where the authentication request contains information about the mobile terminal to be authenticated;
matching, on the basis of that information, the mobile terminal corresponding to the authentication request;
sending a challenge authentication to the mobile terminal, so that the mobile terminal reports the multi-parameters.
In a specific embodiment, the method further includes:
when the verification of the operating environment, the user behavior characteristics and the identifier among the multi-parameters by the preset intelligent analysis model does not fully pass, determining that the authentication has failed and terminating the process on the mobile terminal that corresponds to the authentication.
In a specific embodiment, the method further includes:
releasing the process on the mobile terminal that corresponds to the authentication.
In a specific embodiment, the intelligent analysis model stores the identifier of each mobile terminal, the human behavior characteristics of the preset user corresponding to each mobile terminal, and a security database for judging whether the operating environment is secure;
the method further includes:
storing the multi-parameter data in a database within the intelligent analysis model.
An embodiment of the present invention further provides an authentication device, including:
an acquisition module configured to acquire multi-parameters of a mobile terminal, where the multi-parameters include: the operating environment, the collected user behavior characteristics, and an identifier used to uniquely determine the mobile terminal;
an authentication module configured to authenticate the multi-parameters using a preset intelligent analysis model;
a determination module configured to confirm, when the verification of the operating environment, the user behavior characteristics and the identifier among the multi-parameters by the intelligent analysis model all pass, that the operator of the mobile terminal is the preset user and that the authentication is passed.
In a specific embodiment, the device further includes:
a request module configured to receive an authentication request, where the authentication request contains information about the mobile terminal to be authenticated;
to match, on the basis of that information, the mobile terminal corresponding to the authentication request; and
to send a challenge authentication to the mobile terminal, so that the mobile terminal reports the multi-parameters.
In a specific embodiment, the device further includes:
a termination module configured to determine, when the verification of the operating environment, the user behavior characteristics and the identifier among the multi-parameters by the preset intelligent analysis model does not fully pass, that the authentication has failed, and to terminate the process on the mobile terminal that corresponds to the authentication.
In a specific embodiment, the device further includes:
a release module configured to release the process on the mobile terminal that corresponds to the authentication.
In a specific embodiment, the intelligent analysis model stores the identifier of each mobile terminal, the human behavior characteristics of the preset user corresponding to each mobile terminal, and a security database for judging whether the operating environment is secure;
the device further includes:
a storage module configured to store the multi-parameter data in a database within the intelligent analysis model.
Thus the embodiments of the present invention provide an authentication method and device, where the method includes: acquiring multi-parameters of a mobile terminal, the multi-parameters including the operating environment, the collected user behavior characteristics and an identifier used to uniquely determine the mobile terminal; authenticating the multi-parameters using a preset intelligent analysis model; and, when the verification of the operating environment, the user behavior characteristics and the identifier among the multi-parameters by the preset intelligent analysis model all pass, confirming that the operator of the mobile terminal is the preset user and that the authentication is passed. By verifying the multi-parameters, and in particular the user behavior characteristics among them, which are dynamic moment-to-moment behavior of the user and therefore not easily stolen, the security of the authentication is further improved and the user experience is preserved.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. It should be understood that the following drawings show only certain embodiments of the present invention and therefore should not be regarded as limiting its scope; a person of ordinary skill in the art can derive other related drawings from these drawings without creative effort.
FIG. 1 is a schematic flowchart of an authentication method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an authentication method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an authentication device according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of an application scenario of an authentication system according to an embodiment of the present invention.
Detailed description
In the following, various embodiments of the present disclosure are described more fully. The present disclosure may have various embodiments, and adjustments and changes may be made within them. It should be understood, however, that there is no intention to limit the various embodiments of the present disclosure to the specific embodiments disclosed here; rather, the present disclosure is to be understood as covering all adjustments, equivalents and/or alternatives that fall within the spirit and scope of its various embodiments.
As used in the various embodiments of the present disclosure, the terms "include" or "may include" indicate the presence of the disclosed function, operation or element and do not limit the addition of one or more further functions, operations or elements. Furthermore, as used in the various embodiments of the present disclosure, the terms "include", "have" and their cognates are intended only to denote particular features, numbers, steps, operations, elements, components or combinations thereof, and are not to be understood as first excluding the existence of one or more other features, numbers, steps, operations, elements, components or combinations thereof, or the possibility of adding one or more features, numbers, steps, operations, elements, components or combinations thereof.
In the various embodiments of the present disclosure, the expression "or" or "at least one of A or/and B" includes any or all combinations of the words listed together. For example, the expression "A or B" or "at least one of A or/and B" may include A, may include B, or may include both A and B.
Expressions used in the various embodiments of the present disclosure (such as "first", "second" and so on) may modify various constituent elements in the various embodiments but do not limit the corresponding constituent elements. For example, the above expressions do not limit the order and/or importance of the elements; they serve only to distinguish one element from another. For example, a first user device and a second user device denote different user devices, although both are user devices. For example, without departing from the scope of the various embodiments of the present disclosure, a first element may be termed a second element and, likewise, a second element may be termed a first element.
It should be noted that when the description "connects" one constituent element to another, the first constituent element may be connected directly to the second, or a third constituent element may be "connected" between the first and the second. Conversely, when one constituent element is "directly connected" to another, it is understood that no third constituent element exists between the first and the second.
The term "user" as used in the various embodiments of the present disclosure may denote a person using an electronic device or a device (for example, an artificial-intelligence electronic device) that uses an electronic device.
The terms used in the various embodiments of the present disclosure serve only to describe particular embodiments and are not intended to limit the various embodiments of the present disclosure. As used here, the singular forms are intended to include the plural forms as well, unless the context clearly indicates otherwise. Unless otherwise defined, all terms used here (including technical and scientific terms) have the same meaning as commonly understood by a person of ordinary skill in the art to which the various embodiments of the present disclosure belong. Such terms (such as those defined in commonly used dictionaries) are to be interpreted as having a meaning consistent with their contextual meaning in the relevant technical field and are not to be interpreted in an idealized or overly formal sense unless clearly so defined in the various embodiments of the present disclosure.
FIG. 8 is a schematic diagram of an application scenario of an authentication system (or authentication apparatus) according to some embodiments of the present application. The authentication system 800 may be an online service platform for Internet services. For example, the authentication system 800 may be applied to any combination of one or more of a gaming platform, a shopping platform, an instant-messaging platform, a trading platform, an entertainment platform, an education platform and the like. In some embodiments, the authentication system 800 may determine whether the operating environment of a terminal is sound (for example, whether it is secure enough for an authentication operation to be performed). In some embodiments, the authentication system 800 may identify whether the operator of a terminal is the preset user (for example, whether they are the owner of the terminal, or the user of a particular account in an application). Among the technical aims it can achieve are improving the reliability of authentication while preserving the user experience, on the premise that the authentication environment is secure. As shown in FIG. 8, the authentication system 800 may include a server 810, a network 820, a terminal 830 and a database 840. The server 810 may include a processing device 812.
In some embodiments, the server 810 may be used to process information and/or data related to authentication. The server 810 may be a standalone server or a server group. The server group may be centralized or distributed (for example, the server 810 may be a distributed system). In some embodiments the server 810 may be local or remote. For example, the server 810 may access information and/or data stored in the terminal 830 and/or the database 840 via the network 820. In some embodiments, the server 810 may connect directly to the terminal 830 and/or the database 840 to access the information and/or data stored there. In some embodiments, the server 810 may run on a cloud platform. For example, the cloud platform may include one of a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud and the like, or any combination thereof.
In some embodiments, the server 810 may include a processing device 812. The processing device 812 may process data and/or information related to authentication in order to implement one or more of the functions described in the present application. For example, the processing device 812 may authenticate the multi-parameters using a preset intelligent analysis model. In some embodiments, the processing device 812 may include one or more sub-processing devices (for example, a single-core processing device or a multi-core processing device). Merely by way of example, the processing device 812 may include a central processing unit (CPU), an application-specific integrated circuit (ASIC), an application-specific instruction-set processor (ASIP), a graphics processing unit (GPU), a physics processing unit (PPU), a digital signal processor (DSP), a field-programmable gate array (FPGA), a programmable logic device (PLD), a controller, a microcontroller unit, a reduced instruction set computer (RISC), a microprocessor or the like, or any combination of one or more of these. In some embodiments, the server 810 may also be one or more components of the terminal 830; the server 810 may communicate with the terminal 830 within the same program, or across different programs. In some embodiments, the server 810 may be implemented on a computing device having one or more of the modules described in FIGS. 3-7 of the present application.
The network 820 may facilitate the exchange of data and/or information. In some embodiments, one or more components of the authentication system 800 (such as the server 810, the terminal 830 and the database 840) may send data and/or information to other components of the authentication system 800 via the network 820. For example, the server 810 may obtain user behavior characteristics from the terminal 830 via the network 820. In some embodiments, the network 820 may be any type of wired or wireless network. For example, the network 820 may include a cable network, a wired network, a fiber-optic network, a telecommunications network, an intranet, the Internet, a local area network (LAN), a wide area network (WAN), a wireless local area network (WLAN), a metropolitan area network (MAN), a public switched telephone network (PSTN), a Bluetooth network, a ZigBee network, a near-field communication (NFC) network and the like, or any combination of the above. In some embodiments, the network 820 may include one or more network access points. For example, the network 820 may include wired or wireless network access points, such as base stations and/or Internet exchange points 820-1, 820-2, ..., through which one or more components of the authentication system 800 may connect to the network 820 to exchange data and/or information.
In some embodiments, the terminal may be a movable terminal (that is, a mobile terminal) or a fixed terminal, for example a mobile phone 830-1, a tablet computer 830-2, a laptop computer 830-3, an in-vehicle device 830-4, as well as a desktop computer, an embedded computer and so on. In some embodiments, the terminal may further include a wearable device, a virtual reality device and/or an augmented reality device and the like, or any combination thereof. In some embodiments, the wearable device may include a smart bracelet, smart footwear, smart glasses, a smart helmet, a smart watch, smart clothing, a smart backpack, a smart accessory and the like, or any combination thereof. In some embodiments, the virtual reality device and/or augmented reality device may include a virtual reality headset, virtual reality glasses, a virtual reality eye mask, an augmented reality headset, augmented reality glasses, an augmented reality eye mask and the like, or any combination thereof. For example, the virtual reality device and/or augmented reality device may include Google Glass™, RiftCon™, Fragments™, Gear VR™ and so on. In some embodiments, the terminal and the server may be integrated as one, or the terminal may be one or more components of the server. In some alternative embodiments, the terminal may be any device having one or more sensors that can be used to obtain user behavior characteristics; the present application places no restriction on the form of the terminal. In some embodiments, specifically, any terminal device as described in the present application may be used.
The database 840 may store data and/or instructions. In some embodiments, the database 840 may store data obtained from the terminal 830. In some embodiments, the database 840 may store information and/or instructions for the server 810 to execute or use in order to perform the exemplary methods described in the present application. For example, the database 840 may store user behavior characteristics, obtained from the terminal 830, that relate to the operation of the terminal. In some embodiments, the database 840 may store the data and/or instructions that the server 810 executes or uses to carry out the exemplary methods described in the present application. For example, the database 840 may store instructions for authenticating the multi-parameters using a preset intelligent analysis model, which may be executed by the processing device 812. In some embodiments, the database 840 may include mass storage, removable storage, volatile read-write memory (for example, random access memory, RAM), read-only memory (ROM) and the like, or any combination of one or more of these. In some embodiments, the database 840 may be implemented on a cloud platform. For example, the cloud platform may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud and the like, or any combination of one or more of these.
In some embodiments, the database 840 may be connected to the network 820 to communicate with one or more components of the authentication system 800 (for example, the server 810, the terminal 830 and so on). One or more components of the authentication system 800 may access the data or instructions stored in the database 840 via the network 820. In some embodiments, the database 840 may connect or communicate directly with one or more components of the authentication system 800 (for example, the server 810, the terminal 830 and so on). In some embodiments, the database 840 may be part of the server 810. In some embodiments, one or more components of the authentication system 800 (for example, the server 810, the terminal 830 and so on) may have permission to access the database 840.
Embodiment 1
Embodiment 1 of the present invention discloses an authentication method which, as shown in FIG. 1, includes the following steps:
Step 101: obtain at least one parameter (also referred to as the multi-parameters) of a terminal (such as a mobile terminal); here and in what follows a mobile phone is used as the main example. In some embodiments, the at least one parameter (the multi-parameters) may include: the system operating environment of the terminal, the collected user behavior characteristics, and an identifier that uniquely identifies the mobile terminal. In some embodiments, the multi-parameters may consist of only one or two of these; for example, the multi-parameters may consist only of the collected user behavior characteristics, or only of the collected user behavior characteristics together with the identifier that uniquely identifies the mobile terminal. In some embodiments, the multi-parameters may also include other parameters, such as the user's biometric features (e.g., facial features, fingerprint features), the user's speech features, features of the information the user enters (such as an entered password), and so on; this application places no restriction on this.
Specifically, in some embodiments, the operating environment may include the network security environment in which the mobile phone is running, for example whether a virus is present, whether malicious code has been embedded, whether the environmental requirements for secure operation are met, or whether a high-risk website is being accessed. In some embodiments, the operating environment may include the system security environment of the terminal, for example whether root privileges have been enabled on the mobile terminal and whether it has been jailbroken (e.g., untethered jailbreak, tethered jailbreak). In some embodiments, the operating environment may also include an externally detected security environment, for example whether the mobile terminal has moved abnormally. Specifically, the server side (such as server 810) can track and locate the mobile terminal through a positioning system (such as GPS); if the mobile terminal moves within a short time (for example, 3 seconds or 5 seconds) from location A to a distant location B (for example, A and B are several hundred or several thousand kilometers apart), the movement can be regarded as abnormal and the operating environment of the mobile terminal judged to be unsafe. In some embodiments, the operating environment may also include hardware and/or software parameters of the mobile terminal. Specifically, the hardware and/or software parameters of the mobile terminal may include configuration parameters of one or more of the central processing unit (CPU), memory, screen resolution, camera resolution, battery capacity, and the like. In some embodiments, the server side can determine whether the mobile terminal has been tampered with or forged by detecting whether the above hardware and/or software parameters have changed (e.g., changed abnormally), and thereby judge whether the operating environment is secure. In some embodiments, the security of the operating environment is an important precondition for the security of the subsequent authentication; therefore, authentication of the operating environment may take precedence over the other authentications.
In some embodiments, the user behavior characteristics may be data produced by the user's biological behavior while operating the mobile terminal, such as movement trajectory, pressing pressure, movement amplitude, movement speed, movement frequency, movement angle, grip strength, pressing frequency, posture, and so on. In some embodiments, the user behavior characteristics may be expressed as any combination of one or more of the client's rotation data, force data, orientation data, screen operation data, input device operation data, image sensing data, magnetic field sensing data, infrared sensing data, and the like. In some embodiments, the server side can determine the user's behavioral actions from sensor data. For example, from the rotation data, force data and orientation data the server side can determine behavioral characteristics such as grip strength, pressing force, posture, movement amplitude, movement frequency and movement speed while the user operates the mobile terminal. In some embodiments, the user behavior characteristics may include sensor data reflecting at least one operating action of the operator on the terminal. The sensors may include any combination of one or more of a GPS positioning device, gyroscope, position sensor, speed sensor, acceleration sensor, torque sensor, force-sensitive sensor, pressure sensor, magnetometer, camera, sound sensor, temperature sensor, humidity sensor, load cell, flow sensor, liquid level sensor, distance sensor, water immersion sensor, illuminance sensor, thermal sensor, light sensor, gas sensor, magnetic sensor, humidity-sensitive sensor, sound-sensitive sensor, radiation-sensitive sensor, color sensor, taste sensor, resistive sensor, capacitive sensor, inductive sensor, piezoelectric sensor, electromagnetic sensor, magnetoresistive sensor, photoelectric sensor, piezoresistive sensor, pyroelectric sensor, nuclear radiation sensor, semiconductor sensor, and the like. In some embodiments, the sensor may be a device built into the mobile terminal. In some embodiments, the sensor may also be an external device attached to the mobile terminal. In some embodiments, the mobile terminal can acquire user behavior characteristics through the sensors. For example, through a gyroscope, acceleration sensor, magnetometer and the like, the mobile terminal can acquire the three-dimensional spatial components (e.g., magnitudes and directions along the x, y and z axes) of rotation, force and orientation, and by further processing this data obtain the rotation data, force data, orientation data and other information of the mobile terminal. As another example, the mobile terminal can also obtain the strength, orientation and other information of the user's own magnetic field through a magnetometer, and obtain further user behavior characteristic data through a machine learning process.
In some embodiments, the user behavior characteristics may also include non-sensor data. In some embodiments, the non-sensor data may include the user's habits when operating the screen or when entering input with an input device (such as a mouse, trackpad or keyboard). For example, when the user enters a field through the keyboard of the mobile terminal, the server side can obtain, as user behavior characteristics, the time difference between the user's presses of successive keyboard characters while entering that field and/or the total time taken to enter the complete field. As another example, when the user enters information by sliding across the points of a 3x3 pattern grid on the touch screen of the mobile terminal, the server side can obtain, as user behavior characteristics, the time interval at which the slide passes through each point, and so on.
In some embodiments, the identifier (such as a mobile terminal identifier) may uniquely identify the mobile terminal (such as a mobile phone), so as to avoid the risks (such as authentication errors) that would arise from use on another phone. In some embodiments, the mobile terminal identifier may be the International Mobile Equipment Identity (IMEI), the CDMA Mobile Equipment Identifier (MEID), a Universally Unique Identifier (UUID), the phone's network MAC address, its Bluetooth address, its hardware serial number, etc., or any combination thereof.
In some embodiments, the multi-parameters, such as the operating environment, user behavior characteristics and mobile terminal identifier, can be transmitted to the server side over a network. In some embodiments, the multi-parameters may be encrypted for transmission. In some embodiments, the algorithms applied when encrypting the multi-parameters for transmission may include any combination of one or more of digest algorithms (e.g., MD5, SHA1), hash algorithms (e.g., SM3), symmetric encryption algorithms (e.g., AES, DES, IDEA, SSF33, SM1, SM4, SM7), asymmetric encryption algorithms (e.g., SM2, SM9, RSA), and the like. In some embodiments, after the terminal obtains the multi-parameters it can encrypt them and send the encrypted multi-parameters to the server; after receiving the encrypted multi-parameters, the server can first decrypt them and then process the decrypted multi-parameters.
In some embodiments, the server side can obtain the multi-parameters during the user's login process. For example, when the user logs in to the mobile terminal and/or an application by entering a password, the server side can obtain the operating environment, user behavior characteristics, mobile terminal identifier and other multi-parameters from the start of the login to its completion. In some embodiments, the server side can obtain the above multi-parameters during a user operation. For example, when the user performs a password recovery operation, the server side can obtain the above multi-parameters from the start of the operation to its end.
In some embodiments, the subsequent verification can check whether the runtime environment is secure, whether the user's behavior characteristics are those of the preset user corresponding to the mobile terminal (for example, the owner of the mobile terminal), and whether the operation is running on the designated phone. In some specific embodiments, the final verification passes only when all three of these are satisfied and each has been verified.
Step 102: authenticate the multi-parameters through a preset analysis model (such as an intelligent analysis model);
Specifically, the intelligent analysis model stores the identifier of each terminal (such as a mobile terminal), the human behavior characteristics of the preset user corresponding to each mobile terminal, and a security database used to judge whether the operating environment is secure; with these, the multi-parameters can be effectively recognized in order to determine whether verification passes, and ultimately to decide whether the operation the authentication corresponds to should proceed normally or be aborted. In some embodiments, one mobile terminal may correspond to one or more users (for example, several people who use it). In some embodiments, one user may also correspond to multiple mobile terminals.
In some embodiments, the multi-parameters (operating environment, user behavior characteristics, mobile terminal identifier, etc.) can be authenticated simultaneously. For example, the server side can obtain the terminal's system operating environment, user behavior characteristics, mobile terminal identifier and other multi-parameters at the same time and send them to the big data processing end; the big data processing end can analyze and authenticate these multi-parameters together and return a verification result; the server side then confirms the verification result and sends a message to the mobile terminal, which can be used to indicate whether this authentication succeeded or failed.
In some embodiments, the operating environment, mobile terminal identifier and user behavior characteristics can be verified in sequence. For example, the server side can first obtain the operating environment parameters and send them to the big data processing end, which analyzes and authenticates the operating environment parameters and returns a verification result. In some embodiments, if the operating environment verification fails (meaning the terminal's operating environment may be unsafe), the server side can terminate the authentication and send a message to the mobile terminal, for example indicating that this authentication failed and/or that the current operating environment is abnormal. In some embodiments, if the operating environment verification succeeds (meaning the terminal's operating environment is relatively safe), the server side can go on to obtain the mobile terminal identifier and the user behavior characteristics and send them to the big data processing end; the big data processing end can use the mobile terminal identifier to determine the human behavior characteristics of the preset user corresponding to that mobile terminal, and then compare the user behavior characteristics with those of the preset user to confirm whether the user is the preset user of that mobile terminal. In some embodiments, if verification of the user behavior characteristics and the mobile terminal identifier fails, the server side can terminate the authentication and send a message to the mobile terminal, for example indicating that this authentication failed and/or that the current user behavior characteristics are abnormal. If verification of the user behavior characteristics and the mobile terminal identifier succeeds, the server side can send a message to the mobile terminal indicating that this authentication succeeded and/or release the operation being authenticated.
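The sequential verification just described, together with the impossible-travel check and keystroke-timing characteristics from the earlier paragraphs, as an added illustration that is not part of the patent: the environment is checked first and a failure aborts the flow, then the identifier is looked up in a constructed security database and the observed inter-key intervals are compared with the preset user's profile. All names, thresholds, the speed ceiling and the sample profile are assumptions.

```python
# Added example, not from the patent. Sequential verification of the three
# multi-parameters: operating environment -> terminal identifier -> behaviour.
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt


@dataclass
class Environment:
    rooted: bool              # root enabled or jailbroken
    malware_detected: bool
    high_risk_site: bool
    last_fix: tuple           # (lat, lon, unix_time) of the previous position fix
    current_fix: tuple        # (lat, lon, unix_time) of the current position fix


@dataclass
class Report:
    terminal_id: str          # e.g. IMEI or UUID reported by the terminal
    env: Environment
    key_intervals: list       # ms between successive key presses (non-sensor data)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


MAX_KMH = 1200.0   # assumed speed ceiling; faster implied travel is "abnormal movement"


def environment_safe(env):
    """Network/system flags first, then the externally detected movement check."""
    if env.rooted or env.malware_detected or env.high_risk_site:
        return False
    dist = haversine_km(env.last_fix[:2], env.current_fix[:2])
    dt_h = (env.current_fix[2] - env.last_fix[2]) / 3600.0
    if dt_h <= 0:                      # same or earlier timestamp: only a tiny move is plausible
        return dist < 1.0
    return dist / dt_h <= MAX_KMH


def behaviour_matches(intervals, profile, z_limit=2.5):
    """Compare observed inter-key intervals with the preset user's profile
    (mean, stddev per key transition); any interval beyond z_limit sigma rejects."""
    if len(intervals) != len(profile):
        return False
    for x, (mu, sigma) in zip(intervals, profile):
        if abs(x - mu) > z_limit * max(sigma, 1.0):
            return False
    return True


# Constructed "security database": terminal identifier -> preset user's keystroke profile
PROFILES = {
    "IMEI-EXAMPLE-0001": [(180, 25), (220, 30), (150, 20), (300, 40)],
}


def authenticate(report, profiles=PROFILES):
    """Return (passed, reason); checks run in the order of the sequential embodiment."""
    if not environment_safe(report.env):
        return False, "environment abnormal"
    profile = profiles.get(report.terminal_id)
    if profile is None:
        return False, "unknown terminal identifier"
    if not behaviour_matches(report.key_intervals, profile):
        return False, "user behaviour abnormal"
    return True, "authenticated"


if __name__ == "__main__":
    # Constructed sample: a plausible move of about 1.5 km in one minute
    env = Environment(False, False, False, (31.23, 121.47, 1000), (31.24, 121.48, 1060))
    print(authenticate(Report("IMEI-EXAMPLE-0001", env, [185, 210, 160, 290])))
```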
In some embodiments, the analysis model may include a deep learning model, a machine learning model, and the like. Specifically, the analysis model may include, but is not limited to, a deep neural network (DNN), a convolutional neural network (CNN), a recurrent neural network (RNN), a feature pyramid network (FPN), and so on. In some embodiments, the big data processing end can obtain the analysis model through training. Specifically, the big data processing end can obtain raw multi-parameters such as the operating environment, user behavior characteristics and mobile terminal identifier. In some embodiments, the raw user behavior characteristic data may be the behavior characteristic data of a specific user operating a specific terminal, of a specific user operating different terminals, of different users operating a specific terminal, and so on. In some embodiments, the raw multi-parameters can be divided into training parameters and test parameters, where the training parameters are used to train the model and the test parameters are used to test the training effect of the intelligent analysis model, so as to adjust and correct the parameters of the intelligent analysis model. In some embodiments, the analysis model may be a single comprehensive model capable of authenticating the operating environment, user behavior characteristics and mobile terminal identifier. In some embodiments, the analysis model may also include multiple sub-models. For example, the analysis model may include an operating environment authentication model, a user behavior characteristic authentication model and a mobile terminal identifier authentication model, used respectively to authenticate the operating environment, the user behavior characteristics and the mobile terminal identifier.
Step 103: when verification of the operating environment, the user behavior characteristics and the identifier in the multi-parameters all pass through the analysis model, confirm that the operator of the mobile terminal is the preset user and that authentication has passed.
In some embodiments, the server side can set a limit on the number of authentication attempts, so as to prevent malicious authentication, machine-driven authentication, and the like. For example, the server side can limit the number of authentications (for example, 1, 3, 5 or 10) that the same user may perform per unit of time (for example, 1 hour, half a day, 1 day or 1 week). As another example, the server side can limit the number of authentications by different users on the same mobile terminal per unit of time. Specifically, the server side can limit the number of users (for example, 1, 3, 5 or 10) who may perform authentication on the same terminal per unit of time (for example, 1 hour, half a day, 1 day or 1 week) and/or the number of verifications per user (for example, 1, 3, 5 or 10). In some embodiments, the server side and/or the mobile terminal may include a defense mechanism: for example, if the number of failed verifications exceeds a preset number, the server side and/or the mobile terminal can lock the mobile terminal for a preset time, so that the user can attempt authentication again only after that time has elapsed. In some embodiments, the server side can also send a notification to the account associated with the mobile terminal. For example, if verification fails and/or the number of failed verifications exceeds the preset number, the server side can send a notification to the associated account indicating an abnormal login or authentication. In some embodiments, the associated account includes, but is not limited to, a mobile phone number, an e-mail account, an instant messaging account, etc., or any combination thereof.
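The attempt limits, lockout and associated-account notification described above, as an added server-side illustration that is not part of the patent. The window, the per-user and per-terminal limits, the failure threshold and the lock duration are assumed values; the terminal identifier is a constructed placeholder.

```python
# Added example, not from the patent. Server-side limiter enforcing three policies:
#   - at most MAX_PER_USER attempts per user within a sliding WINDOW
#   - at most MAX_USERS_PER_TERMINAL distinct users per terminal within the WINDOW
#   - after MAX_FAILURES consecutive failures the terminal is locked for LOCK_SECONDS,
#     and each failure queues a notification for the associated account
from collections import defaultdict, deque

WINDOW = 3600                 # assumed: 1 hour
MAX_PER_USER = 5              # assumed
MAX_USERS_PER_TERMINAL = 3    # assumed
MAX_FAILURES = 3              # assumed
LOCK_SECONDS = 900            # assumed: 15 minutes


class AttemptLimiter:
    def __init__(self):
        self.user_attempts = defaultdict(deque)   # user -> attempt timestamps in window
        self.terminal_users = defaultdict(dict)   # terminal -> {user: last attempt ts}
        self.failures = defaultdict(int)          # terminal -> consecutive failures
        self.locked_until = {}                    # terminal -> unlock timestamp
        self.alerts = []                          # (terminal, message) for the associated account

    @staticmethod
    def _prune(queue, now):
        while queue and queue[0] <= now - WINDOW:
            queue.popleft()

    def allow(self, user, terminal, now):
        """Return None if the attempt may proceed, otherwise the reason it is refused."""
        if self.locked_until.get(terminal, 0) > now:
            return "terminal locked"
        attempts = self.user_attempts[user]
        self._prune(attempts, now)
        if len(attempts) >= MAX_PER_USER:
            return "user attempt limit"
        users = self.terminal_users[terminal]
        for u, ts in list(users.items()):          # forget users outside the window
            if ts <= now - WINDOW:
                del users[u]
        if user not in users and len(users) >= MAX_USERS_PER_TERMINAL:
            return "too many users on terminal"
        attempts.append(now)
        users[user] = now
        return None

    def record_result(self, terminal, passed, now):
        """Update the failure counter; lock the terminal and notify on repeated failure."""
        if passed:
            self.failures[terminal] = 0
            return
        self.failures[terminal] += 1
        self.alerts.append((terminal, "authentication failure"))
        if self.failures[terminal] >= MAX_FAILURES:
            self.locked_until[terminal] = now + LOCK_SECONDS
            self.failures[terminal] = 0
            self.alerts.append((terminal, "terminal locked after repeated failures"))


if __name__ == "__main__":
    lim = AttemptLimiter()
    t = "IMEI-EXAMPLE-0001"                     # constructed placeholder identifier
    for now in (0, 10, 20, 30):
        verdict = lim.allow("alice", t, now)
        print(now, verdict)
        if verdict is None:
            lim.record_result(t, False, now)    # simulate three failures, then a lock
```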
Specifically, the operating environment must be secure, or for example its risk value must be below a preset value; the identifier must match an identifier in the security database; and the user behavior characteristics must match the stored human behavior characteristics.
In a specific embodiment, before the multi-parameters of the mobile terminal are obtained, the method further includes:
receiving an authentication request, where the authentication request contains information about the mobile terminal to be authenticated;
matching the mobile terminal corresponding to the authentication request based on that information;
sending a challenge authentication to the mobile terminal, so that the mobile terminal reports the multi-parameters.
Specifically, the multi-parameters can be obtained in various ways. The user behavior characteristics can, for example, be obtained through sensors on the phone, such as a gyroscope, GPS positioning device, pressure sensor, position sensor, speed sensor, acceleration sensor, torque sensor, force-sensitive sensor, magnetometer, etc., or any combination of these; others, such as the operating environment, can be obtained for example by network detection; and the identifier can be read from the request information, or stored in a preset information character field.
In a specific embodiment, the method further includes:
when verification of the operating environment, the user behavior characteristics and the identifier in the multi-parameters through the preset intelligent analysis model does not fully pass, declaring authentication failed and terminating the flow corresponding to the authentication on the mobile terminal.
Specifically, when the flow corresponding to the authentication is, for example, a payment and the authentication does not pass, the payment flow must be terminated in order to ensure security and avoid risk.
In a specific embodiment, when authentication passes, the method further includes:
releasing the flow corresponding to the authentication on the mobile terminal.
In a specific embodiment, the method further includes:
storing the multi-parameter data in the database of the intelligent analysis model.
Specifically, newly generated data is continuously added to the multi-parameter data stored in the database of the intelligent analysis model, so that subsequent recognition becomes more and more accurate.
Thus, in a specific embodiment, as shown in FIG. 2, a complete identity authentication flow is as follows:
1. The service being authenticated initiates an authentication request to the authentication processing server. Specifically, the mobile terminal can send an authentication request to the server side. In some embodiments, the authentication request may include, but is not limited to, the software and/or application account, the unique identifier of the software development kit (SDK), and similar information. In some embodiments, the authentication request can be transmitted to the server side over a network. In some embodiments, the transmission of the authentication request can be encrypted.
2. The authentication processing server matches the mobile terminal (such as a mobile phone) and/or the software or application on the mobile terminal that corresponds to this request. In some embodiments, one or more software development kits (SDKs), software packages and/or applications may be embedded in the phone. The SDK can generate a different unique identifier for each software and/or application account, and these unique identifiers can be associated with the respective software and/or application accounts.
3. The authentication processing server sends a challenge authentication to the user's phone. In some embodiments, the server side can send a challenge token to the mobile terminal according to the received authentication request; the challenge token may include, but is not limited to, the authentication request, an authentication serial number, random data, the server-side user name, and similar data.
4. The phone sends information such as the current phone environment, the user's behavior pattern and the phone's security status to the authentication processing server.
5. The authentication processing server forwards the received information to the big data machine learning server. In some embodiments, the big data machine learning server can be used to analyze the operating environment, the mobile terminal identifier, the user behavior characteristics and the related information and/or data.
6. The big data machine learning server analyzes, according to the model built during the user information collection process, whether the current user is the genuine user, whether the environment is abnormal, and so on, and returns a verification result. In some embodiments, the authentication processing server and the big data machine learning server may be separate servers that handle these functions respectively. In some embodiments, the authentication processing server and the big data machine learning server may be the same server (for example, server 810).
7. The authentication processing server releases or rejects the service authentication request from step 1 according to the verification result. In some embodiments, the authentication processing server can receive and confirm the verification result returned by the big data machine learning server. If the verification result confirms success, the authentication processing server can send a notification to the mobile terminal (for example, that authentication succeeded) and release the service authentication request; specifically, this release operation can be performed by release module 206. If the verification result confirms failure, the authentication processing server can send a notification to the mobile terminal (for example, that authentication failed), reject the service authentication request and terminate the authentication; specifically, this termination operation can be performed by termination module 205.
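The seven-step flow above, modelled as an added example that is not the patent's code: the authentication processing server matches the SDK identifier, issues a challenge carrying a serial number and random data, and only accepts a report that echoes an unexpired, unused challenge before handing it to the analysis function, which stands in for the big data machine learning server. Message field names, the SDK identifiers and the challenge lifetime are assumptions.

```python
# Added example, not from the patent. Three roles from the flow: the terminal
# (steps 1 and 4), the authentication processing server (steps 2, 3, 5 and 7)
# and an injected analyzer representing the big data machine learning server (step 6).
import secrets


class AuthProcessingServer:
    def __init__(self, analyzer, challenge_ttl=60):
        self.analyzer = analyzer      # callable(report) -> bool, the step-6 verdict
        self.pending = {}             # serial -> (sdk_id, nonce, expiry time)
        self.serial = 0
        self.ttl = challenge_ttl      # assumed challenge lifetime in seconds

    def handle_request(self, request, known_sdk_ids, now):
        """Steps 2 and 3: match the SDK identifier, then issue a challenge."""
        sdk_id = request.get("sdk_id")
        if sdk_id not in known_sdk_ids:
            return None               # no matching terminal/application: no challenge
        self.serial += 1
        nonce = secrets.token_hex(16)             # the challenge's random data
        self.pending[self.serial] = (sdk_id, nonce, now + self.ttl)
        return {"serial": self.serial, "nonce": nonce, "server": "auth-server"}

    def handle_report(self, report, now):
        """Steps 5 and 7: bind the report to its challenge, then release or reject."""
        entry = self.pending.pop(report.get("serial"), None)   # each serial is single-use
        if entry is None:
            return "reject: unknown or replayed serial"
        sdk_id, nonce, expires = entry
        if now > expires or report.get("nonce") != nonce or report.get("sdk_id") != sdk_id:
            return "reject: challenge mismatch"
        return "release" if self.analyzer(report) else "reject: verification failed"


class Terminal:
    def __init__(self, sdk_id, params):
        self.sdk_id = sdk_id
        self.params = params          # environment, behaviour pattern, security status

    def request(self):
        """Step 1: the authentication request carries the SDK unique identifier."""
        return {"sdk_id": self.sdk_id}

    def answer(self, challenge):
        """Step 4: report the multi-parameters together with the echoed challenge."""
        return {"serial": challenge["serial"], "nonce": challenge["nonce"],
                "sdk_id": self.sdk_id, **self.params}


if __name__ == "__main__":
    # Constructed analyzer: trusts a precomputed verdict field in the report
    srv = AuthProcessingServer(analyzer=lambda r: r["behaviour_ok"])
    term = Terminal("sdk-example-1", {"behaviour_ok": True})
    challenge = srv.handle_request(term.request(), {"sdk-example-1"}, now=0)
    report = term.answer(challenge)
    print(srv.handle_report(report, now=5))     # release
    print(srv.handle_report(report, now=6))     # reject: unknown or replayed serial
```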
Accordingly, the authentication method of this scheme has the following characteristics:
1. The security authentication concept is diversified and comprises three-factor authentication: information the user knows (the phone environment), an authentication device the user possesses (the phone itself), and a user biometric (the user's behavior);
2. Sensitive data is protected with encryption, preventing data from being transmitted and stored in plaintext;
3. Authentication is mobile, diversified and unique: mobile in that it uses mobile devices such as phones for authentication; diversified in that authentication factors can be added and removed according to need; unique in that no authentication system similar to this product currently exists;
4. The back end uses machine learning and big data analysis to recognize and analyze the data efficiently and intelligently, accurately determining whether a user authentication is legitimate;
5. The biggest difference from the face recognition, fingerprint recognition, voice recognition and blink recognition technologies currently on the market is the use of three factors: no single factor can complete the authentication, and each factor is very hard to copy or imitate;
6. Simple to use, secure and efficient, and able to keep pace with the times.
Embodiment 2
Embodiment 2 of the present invention discloses an authentication device which, as shown in FIG. 3, may include:
an obtaining module 201, configured to obtain the multi-parameters of the mobile terminal, where the multi-parameters may include: the operating environment, the collected user behavior characteristics, and an identifier that uniquely identifies the mobile terminal;
an authentication module 202, configured to authenticate the multi-parameters through a preset intelligent analysis model. In some embodiments, the intelligent analysis model may be a deep learning model; for example, it may include, but is not limited to, a deep neural network (DNN), a convolutional neural network (CNN), a recurrent neural network (RNN), a feature pyramid network (FPN), and so on. In some embodiments, the operating environment, user behavior characteristics and mobile terminal identifier can be verified simultaneously. In some embodiments, the operating environment, mobile terminal identifier and user behavior characteristics can be verified in sequence;
a determining module 203, configured to confirm that the operator of the mobile terminal is the preset user and that authentication has passed when verification of the operating environment, the user behavior characteristics and the identifier in the multi-parameters all pass through the preset intelligent analysis model.
在一个具体的实施例中,如图4所示,该设备还包括:In a specific embodiment, as shown in FIG. 4, the device further includes:
请求模块204,用于接收认证请求;其中,所述认证请求中包含有 待认证的移动终端的信息。在一些实施例中,认证请求中还可以包含待认证的移动终端中的软件和/或应用程序相关信息。The requesting module 204 is configured to receive an authentication request, where the authentication request includes information about the mobile terminal to be authenticated. In some embodiments, the authentication request may also include software and/or application related information in the mobile terminal to be authenticated.
基于所述信息匹配与所述认证请求对应的移动终端;在一些实施例中,此步骤可以由匹配模块执行。A mobile terminal corresponding to the authentication request is matched based on the information; in some embodiments, this step can be performed by a matching module.
向所述移动终端发送挑战认证,以使得所述移动终端上报所述多元参数。在一些实施例中,此步骤可以由挑战认证模型执行。Sending a challenge authentication to the mobile terminal, so that the mobile terminal reports the multi-parameter parameter. In some embodiments, this step can be performed by a challenge authentication model.
在一个具体的实施例中,如图5所示,该设备还包括:In a specific embodiment, as shown in FIG. 5, the device further includes:
终止模块205,用于当通过预设的智能分析模型对所述多元参数中的运行环境,所述用户行为特征以及所述标识的验证不完全通过时,认证失败,并终止所述移动终端上对应所述认证的流程。The termination module 205 is configured to: when the operating environment in the multivariate parameter is passed through a preset intelligent analysis model, the user behavior feature and the verification of the identifier are not completely passed, the authentication fails, and the mobile terminal is terminated. Corresponding to the process of the certification.
在一个具体的实施例中,如图6所示,该设备还包括:In a specific embodiment, as shown in FIG. 6, the device further includes:
放行模块206,用于放行所述移动终端上对应所述认证的流程。The release module 206 is configured to release the process corresponding to the authentication on the mobile terminal.
在一个具体的实施例中,所述智能分析模型中存储有各移动终端的标识,以及各移动终端所对应的预设用户的行为人类特征,以及判断所述运行环境是否安全的安全数据库;In a specific embodiment, the smart analysis model stores an identifier of each mobile terminal, and a behavioral human feature of the preset user corresponding to each mobile terminal, and a security database that determines whether the operating environment is secure;
在一个具体的实施例中,如图7所示,该设备还包括:存储模块207,用于将所述多元数据存储在所述智能分析模型中的数据库中。In a specific embodiment, as shown in FIG. 7, the device further includes: a storage module 207, configured to store the multivariate data in a database in the intelligent analysis model.
It should be understood that the systems (such as the device) shown in FIGS. 3-7 and their modules can be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, in software, or in a combination of software and hardware. The hardware part may be implemented with dedicated logic; the software part may be stored in a memory and executed by a suitable instruction execution system, for example a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer-executable instructions and/or embodied in processor control code; for example, such code may be provided on a carrier medium such as a magnetic disk, CD or DVD-ROM, on a programmable memory such as a read-only memory (firmware), or on a data carrier such as an optical or electronic signal carrier. The system of the present application and its modules may be implemented not only by hardware circuits such as very-large-scale integrated circuits or gate arrays, semiconductors such as logic chips and transistors, or programmable hardware devices such as field-programmable gate arrays and programmable logic devices, but also by software executed by various types of processors, or by a combination of the above hardware circuits and software (for example, firmware).
It should be noted that the above description of the authentication system and its modules is only for convenience of description and does not limit the present application to the scope of the illustrated embodiments. It will be understood that those skilled in the art, having understood the principle of the system, may combine the individual modules arbitrarily, or form a subsystem connected to other modules, without departing from that principle. For example, in some embodiments, the obtaining module 201, the authentication module 202, the determining module 203, the requesting module 204, the termination module 205, the release module 206 and the storage module 207 may be different modules in one system, or one module may implement the functions of two or more of the above modules. The above modules may be flexibly matched and combined as needed, and are not limited to the few specific embodiments in the drawings of the specification.
Thus, the embodiments of the present invention provide a method and device for authentication, where the method includes: obtaining multiple parameters of a mobile terminal, the multiple parameters including the operating environment, the collected user behavior features and an identifier that uniquely determines the mobile terminal; authenticating the multiple parameters through a preset intelligent analysis model; and, when the verification of the operating environment, the user behavior features and the identifier among the multiple parameters through the preset intelligent analysis model all pass, confirming that the operator of the mobile terminal is the preset user and passing the authentication. In this way the multiple parameters, and in particular the user behavior features among them, are verified; because the user's real-time behavior features are dynamic and not easily stolen, the security of the authentication is further improved and the user experience is preserved.
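The exchange that Embodiment 2's modules 201-207 describe (request, match, challenge, report, three-factor verification, then release or terminate), and that claims 1-5 and 17 restate for the server and terminal sides, as an added example that is not code from the patent or the applicant. Everything in it is constructed: the terminal identifier TERM-0001 and its device key, the security database of allowed operating environments, the enrolled behavior baseline, and a per-feature z-score test that stands in for the patent's intelligent analysis model. Binding the identifier to the challenge with an HMAC under a per-device key is an assumption added here so that a captured identifier cannot be replayed; the patent only states that the identifier is verified.

```python
import hmac
import hashlib
import secrets

# Constructed server-side store standing in for the "intelligent analysis
# model" storage: allowed environments, enrolled terminal identifiers with a
# per-device key (assumption, not in the patent) and a behaviour baseline of
# (mean, stdev) per sensor feature. All values are made up.
SECURITY_DB = {"allowed_os": {"android-12", "android-13"}, "allow_rooted": False}
ENROLLED = {
    "TERM-0001": {
        "device_key": b"constructed-per-device-secret-0001",
        "behavior": {"tap_interval_ms": (180.0, 40.0),   # screen operation data
                     "touch_force": (0.55, 0.10),        # force data
                     "rotation_deg_s": (12.0, 5.0)},     # rotation data
    }
}
Z_LIMIT = 3.0  # a feature more than 3 standard deviations from baseline fails


def check_environment(env, security_db):
    """Operating-environment factor: compare the reported environment with
    the security database (allowed OS build, no root, no debugger)."""
    return (env.get("os") in security_db["allowed_os"]
            and (security_db["allow_rooted"] or not env.get("rooted", True))
            and not env.get("debugger_attached", True))


def check_identifier(report, enrolled, nonce):
    """Identifier factor: the terminal must be enrolled and must prove it
    holds the enrolled key by HMAC-ing the single-use challenge nonce."""
    entry = enrolled.get(report["terminal_id"])
    if entry is None or nonce is None:
        return False
    expected = hmac.new(entry["device_key"], nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report.get("proof", ""))


def check_behavior(features, baseline, z_limit=Z_LIMIT):
    """Behaviour factor: every enrolled feature must be reported and lie
    within z_limit standard deviations of the user's baseline."""
    for name, (mean, stdev) in baseline.items():
        if name not in features or abs(features[name] - mean) / stdev > z_limit:
            return False
    return True


class AuthServer:
    def __init__(self, enrolled=ENROLLED, security_db=SECURITY_DB):
        self.enrolled = enrolled
        self.security_db = security_db
        self.pending = {}   # terminal_id -> outstanding challenge nonce
        self.history = []   # storage module 207: reports kept for later analysis

    def handle_request(self, request):
        """Requesting module 204 plus matching: look the terminal up and, if it
        is known, issue a single-use challenge so it reports its parameters."""
        tid = request.get("terminal_id")
        if tid not in self.enrolled:
            return None
        nonce = secrets.token_hex(16)
        self.pending[tid] = nonce
        return {"challenge": nonce}

    def authenticate(self, report):
        """Modules 202/203/205/206: verify environment, identifier and behaviour
        in sequence; only if all three pass is the flow released."""
        tid = report["terminal_id"]
        nonce = self.pending.pop(tid, None)   # consumed on first use
        results = {"environment": check_environment(report["environment"], self.security_db)}
        results["identifier"] = results["environment"] and check_identifier(report, self.enrolled, nonce)
        results["behavior"] = results["identifier"] and check_behavior(
            report["behavior"], self.enrolled.get(tid, {}).get("behavior", {}))
        passed = all(results.values())
        self.history.append((tid, results))
        return {"passed": passed, "factors": results, "action": "release" if passed else "terminate"}


class Terminal:
    """Terminal side (claims 17-22): collects its parameters and answers the
    server's challenge. Environment and sensor values are constructed."""
    def __init__(self, terminal_id, device_key, environment, behavior):
        self.terminal_id, self.device_key = terminal_id, device_key
        self.environment, self.behavior = environment, behavior

    def report(self, challenge):
        proof = hmac.new(self.device_key, challenge["challenge"].encode(), hashlib.sha256).hexdigest()
        return {"terminal_id": self.terminal_id, "proof": proof,
                "environment": self.environment, "behavior": self.behavior}


def run_exchange(server, terminal):
    """Full flow: request -> match -> challenge -> report -> verdict."""
    challenge = server.handle_request({"terminal_id": terminal.terminal_id, "app": "demo-app"})
    if challenge is None:   # unmatched terminal: no challenge, flow terminated
        return {"passed": False, "factors": {}, "action": "terminate"}
    return server.authenticate(terminal.report(challenge))


GOOD_ENV = {"os": "android-13", "rooted": False, "debugger_attached": False}
GOOD_BEHAVIOR = {"tap_interval_ms": 170.0, "touch_force": 0.58, "rotation_deg_s": 14.0}

if __name__ == "__main__":
    owner = Terminal("TERM-0001", ENROLLED["TERM-0001"]["device_key"], GOOD_ENV, GOOD_BEHAVIOR)
    print(run_exchange(AuthServer(), owner))
```

The per-factor results are kept in `history` so that a failed factor can be audited later, and the nonce is popped on first use, so resubmitting a captured report fails the identifier factor even when the environment and behaviour values are unchanged.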
Those skilled in the art will understand that the drawings are only schematic diagrams of a preferred implementation scenario, and that the modules or processes in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will understand that the modules of the apparatus in an implementation scenario may be distributed in the apparatus of the implementation scenario as described, or may be located, with corresponding changes, in one or more apparatuses different from those of this implementation scenario. The modules of the above implementation scenarios may be combined into one module, or further split into multiple sub-modules.
The above serial numbers of the present invention are for description only and do not indicate the merits of the implementation scenarios.
What is disclosed above is only a few specific implementation scenarios of the present invention; however, the present invention is not limited thereto, and any variation that can be conceived by those skilled in the art shall fall within the protection scope of the present invention.

Claims (22)

  1. A method of authentication implemented on a server, the server comprising at least one processor, a memory and a communication platform connected to a network, the method comprising:
    obtaining at least one parameter of a terminal, the at least one parameter comprising: a system operating environment of the terminal, user behavior features, and an identifier of the terminal;
    authenticating the at least one parameter through a preset analysis model; and
    determining, according to the authentication result of the at least one parameter, whether the operator of the terminal is a preset user, wherein, when the verification of the system operating environment, the user behavior features and the terminal identifier among the at least one parameter through the analysis model all pass, the operator of the terminal is confirmed to be the preset user and the authentication passes.
  2. The method according to claim 1, further comprising:
    when at least one of the verifications of the system operating environment, the user behavior features and the terminal identifier among the multiple parameters through the preset analysis model fails, determining that the authentication has failed; and terminating the authentication flow.
  3. The method according to claim 1, wherein the analysis model comprises identifiers of a plurality of mobile terminals, behavior features of the preset users corresponding to the plurality of mobile terminals, and a security database for judging whether the system operating environment is secure.
  4. The method according to claim 1, further comprising, before obtaining the multiple parameters of the terminal:
    receiving an authentication request of the terminal, wherein the authentication request contains information about the terminal;
    matching the terminal based on the information about the terminal; and
    sending a challenge authentication instruction to the terminal, so that the terminal uploads the at least one parameter to the server upon receiving the challenge authentication instruction.
  5. The method according to claim 1, further comprising: releasing the flow on the terminal that corresponds to the authentication.
  6. The method according to claim 1, wherein the user behavior features comprise sensor data generated by the terminal while it is being operated by the operator.
  7. The method according to claim 6, wherein the user behavior features comprise at least one of the following sensor data: rotation data, force data, orientation data, screen operation data and input device operation data.
  8. An authentication device, comprising:
    an obtaining module, configured to obtain at least one parameter of a terminal, the at least one parameter comprising: a system operating environment of the terminal, user behavior features, and an identifier of the terminal;
    an authentication module, configured to authenticate the at least one parameter through a preset analysis model; and
    a determining module, configured to determine, according to the authentication result of the at least one parameter, whether the operator of the terminal is a preset user, wherein, when the verification of the system operating environment, the user behavior features and the terminal identifier among the at least one parameter through the analysis model all pass, the operator of the terminal is confirmed to be the preset user and the authentication passes.
  9. The device according to claim 8, further comprising:
    a termination module, configured to determine that the authentication has failed when at least one of the verifications of the system operating environment, the user behavior features and the identifier among the multiple parameters through the preset analysis model fails, and to terminate the authentication flow.
  10. The device according to claim 8, wherein the analysis model comprises identifiers of a plurality of mobile terminals, behavior features of the preset users corresponding to the plurality of mobile terminals, and a security database for judging whether the system operating environment is secure.
  11. The device according to claim 8, further comprising:
    a requesting module, configured to receive an authentication request of the terminal, wherein the authentication request contains information about the terminal;
    a matching module, configured to match the terminal based on the information about the terminal; and
    a challenge authentication module, configured to send a challenge authentication instruction to the terminal, so that the terminal uploads the at least one parameter to the server upon receiving the challenge authentication instruction.
  12. The device according to claim 8, further comprising:
    a release module, configured to release the flow on the terminal that corresponds to the authentication.
  13. The device according to claim 8, wherein the user behavior features comprise sensor data generated by the terminal while it is being operated by the operator.
  14. The device according to claim 13, wherein the user behavior features comprise at least one of the following sensor data: rotation data, force data, orientation data, screen operation data or input device operation data.
  15. An authentication apparatus, comprising a processor, the processor being configured to:
    obtain at least one parameter of a terminal, the at least one parameter comprising: a system operating environment of the terminal, user behavior features, and an identifier of the terminal;
    authenticate the at least one parameter through a preset analysis model; and
    determine, according to the authentication result of the at least one parameter, whether the operator of the terminal is a preset user, wherein, when the verification of the system operating environment, the user behavior features and the terminal identifier among the at least one parameter through the analysis model all pass, the operator of the terminal is confirmed to be the preset user and the authentication passes.
  16. A computer-readable storage medium storing computer instructions, wherein, after a computer reads the computer instructions in the storage medium, the computer performs a method of authentication, the method comprising:
    obtaining at least one parameter of a terminal, the at least one parameter comprising: a system operating environment of the terminal, user behavior features, and an identifier of the terminal;
    authenticating the at least one parameter through a preset analysis model; and
    determining, according to the authentication result of the at least one parameter, whether the operator of the terminal is a preset user, wherein, when the verification of the system operating environment, the user behavior features and the terminal identifier among the at least one parameter through the analysis model all pass, the operator of the terminal is confirmed to be the preset user and the authentication passes.
  17. A method of authentication implemented on a terminal, the terminal comprising at least one processor, a memory and a communication platform connected to a network, the method comprising:
    obtaining at least one parameter and sending it to a server, the at least one parameter comprising: a system operating environment of the terminal, user behavior features, and an identifier of the terminal;
    receiving server information, and passing or failing the authentication according to the server's determination, made by authenticating the at least one parameter, of whether the operator of the terminal is a preset user.
  18. The method according to claim 17, wherein the user behavior features comprise sensor data generated by the terminal while it is being operated by the operator.
  19. An authentication system, comprising:
    an obtaining module, configured to obtain at least one parameter and send it to a server, the at least one parameter comprising: a system operating environment of the terminal, user behavior features, and an identifier of the terminal;
    a receiving module, configured to receive server information, and to pass or fail the authentication according to the server's determination, made by authenticating the at least one parameter, of whether the operator of the terminal is a preset user.
  20. The system according to claim 19, wherein the user behavior features comprise sensor data generated by the terminal while it is being operated by the operator.
  21. An authentication terminal, comprising a processor, the processor being configured to:
    obtain at least one parameter and send it to a server, the at least one parameter comprising: a system operating environment of the terminal, user behavior features, and an identifier of the terminal;
    receive server information, and pass or fail the authentication according to the server's determination, made by authenticating the at least one parameter, of whether the operator of the terminal is a preset user.
  22. A computer-readable storage medium storing computer instructions, wherein, after a computer reads the computer instructions in the storage medium, the computer performs a method of authentication, the method comprising:
    obtaining at least one parameter and sending it to a server, the at least one parameter comprising: a system operating environment of the terminal, user behavior features, and an identifier of the terminal;
    receiving server information, and passing or failing the authentication according to the server's determination, made by authenticating the at least one parameter, of whether the operator of the terminal is a preset user.
PCT/CN2018/093618 2017-06-29 2018-06-29 Authentication method and device WO2019001566A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201710517649.4A CN107294981B (en) 2017-06-29 2017-06-29 Authentication method and equipment
CN201710517666.8A CN107330311A (en) 2017-06-29 2017-06-29 A kind of method and apparatus of man-machine identification
CN201710517649.4 2017-06-29
CN201710517666.8 2017-06-29

Publications (1)

Publication Number Publication Date
WO2019001566A1 true WO2019001566A1 (en) 2019-01-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18824947

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18824947

Country of ref document: EP

Kind code of ref document: A1


32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 04.08.2020.)