CN103942489A - Attack detection method and system on basis of cursor hidden scene - Google Patents

Publication number: CN103942489A
Application number: CN201410127741.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 陈小军, 时金桥, 魏梓丞, 蒲以国, 祈成, 龚国成, 徐菲
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS
Prior art keywords: cursor, module, user, scene, hiding

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Abstract

The invention relates to an attack detection method and system based on a cursor-hidden scene. The method comprises the steps of: (1) monitoring the user's operation behavior and sending a trigger instruction when suspicious behavior is found; (2) hiding the cursor by creating a transparent window and pinning it on top of all other windows, so that the user enters the cursor-hidden scene; (3) recording the user's cursor operation data in the cursor-hidden scene; (4) judging whether the operation data recorded so far by the data acquisition module has reached a preset value, or whether the duration of the cursor-hidden scene has reached a preset time value; if either condition holds, executing the next step, and otherwise returning to step (3); (5) obtaining cursor feature values through feature extraction and generating a cursor feature vector; (6) classifying on the basis of the cursor feature vector and the feature model file; (7) judging the user to be a normal user or a malicious user. While maintaining accuracy, the method and system require only a short training-data collection time and a short identity authentication time.

Description

An attack detection method and system based on a cursor-hidden scene
Technical field
The present invention relates to an attack detection method and system based on a cursor-hidden scene, and belongs to the field of insider threat detection.
Background art
With the spread of information technology and computer networks across global commerce, society, government, the military and other fields, insider threats have become increasingly serious and now receive close attention from all sides. Organizations can usually detect and control outsiders who attempt to obtain sensitive information, which mitigates or avoids the threat of external personnel stealing organizational secrets. A malicious internal user, however, is inside the organization and can use legitimate privileges to commit the offence through regular procedures, and is therefore difficult to detect and guard against. At the same time, insiders are more familiar with the organization's network topology and security mechanisms, and can cause more serious consequences than an external attack.
Identity theft is one of the most common methods in insider threats. In this method, a malicious user steals another person's privileges by various means in order to enter an internal system or another person's computer and obtain company information. Against this kind of attack, the more effective means of prevention and detection at present is identity authentication technology. Existing identity authentication technologies fall into three classes. The first class is authentication based on information the user knows, such as password and PIN checks; it works well at keeping malicious users from logging in. Its shortcoming is that an attacker can obtain user account information through various channels (for example, brute-forcing weak passwords or exploiting system vulnerabilities), and once a malicious user has logged in to the system with a stolen account, this kind of authentication no longer has any effect. The second class is detection based on items the user possesses, such as an ID card or token; the identity credential in this method is both inconvenient to carry and easy to lose, and it does not remedy the first class's inability to provide real-time authentication. People therefore began to try a third class of methods, namely identity authentication based on biometrics. This class can be further divided into two: physical biometrics and behavioral biometrics. Physical biometrics identifies the user through physiological characteristics such as fingerprint, iris and palm print detection. These characteristics are hard to imitate and offer higher security, but require dedicated hardware support. This method, too, can only perform login authentication. Behavioral biometrics identifies users by the different behavioral habits that different users show when operating a computer. It needs no additional hardware and can also provide continuous identity verification, making it an effective technical means of monitoring for and defending against identity impersonation attacks, and it has therefore attracted growing attention.
Existing behavioral biometric methods for authenticating computer users are mainly based on keystroke behavior and on cursor behavior. Keystroke-based identification mainly uses behavioral features such as single-key press duration, the interval between two keystrokes and command-line usage habits to model the user, and has produced a body of research results in China and abroad. With the spread of graphical user interfaces, however, people type relatively less, which limits the practicality of this method. Cursor-based identification uses features such as the cursor's movement direction, movement speed and click time to identify the user. In recent years, authentication methods based on behavioral features such as curvature and file-manipulation trajectories have been proposed in succession, and all have achieved relatively high accuracy. These cursor-based authentication methods, however, all suffer from shortcomings such as a fixed scene, a long training-data collection time and a long authentication time, and so are not practical.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the shortcomings of the prior art (a fixed scene, a long training-data collection time and a long authentication time) by providing an attack detection method and system based on a cursor-hidden scene that authenticates the current user of a computer efficiently and accurately, so as to detect and guard against identity impersonation attacks.
The technical solution by which the present invention solves the above technical problem is as follows: an attack detection method based on a cursor-hidden scene, specifically comprising the following steps:
Step 1: the operation monitoring module monitors the user's operation behavior and, when suspicious behavior is found, sends a trigger instruction to the cursor hiding module;
Step 2: under control of the trigger instruction, the cursor hiding module hides the cursor by creating a transparent window and pinning it on top, so that the user enters the cursor-hidden scene;
Step 3: the data acquisition module records the user's cursor behavior data in the cursor-hidden scene;
Step 4: the judgment module judges whether the operation data recorded so far by the data acquisition module has reached a preset value, or whether the duration of the cursor-hidden scene has reached a preset time value; if so, the next step is executed; otherwise, step 3 is executed;
Step 5: the feature extraction module performs feature extraction on the operation data sent by the data acquisition module, extracts the cursor feature values obtained in the cursor-hidden scene, and generates a cursor feature vector;
Step 6: the classification module compares the cursor feature vector with the feature model file stored in the data file and classifies the cursor feature vector using the SVM classification algorithm;
Step 7: according to the classification result of the cursor feature vector, the user is judged to be a normal user or a malicious user.
The beneficial effects of the invention are as follows: its main advantage is that the scene imposes few restrictions and can be triggered at any time while the user is operating the computer; while maintaining accuracy, the training-data collection time and the authentication time are both short; and the impact on the user's experience during normal use of the computer is small.
On the basis of the above technical solution, the present invention can also be improved as follows.
Further, in step 3, while recording the user's cursor operation data in the cursor-hidden scene, the data acquisition module also records information on the processes the user is currently running.
Further, the method also comprises step 8: judging whether the current user is a malicious user; if so, step 9 is executed; otherwise, step 1 is executed;
Step 9: digital forensics is performed to obtain information on the currently running processes, the process information is analyzed and collected as evidence, the active defense function is enabled, all of the user's operations are interrupted, and the method ends.
Further, step 1 covers the following two cases:
The operation monitoring module uses existing anomaly detection software and, when a suspicious situation is detected, sends a trigger instruction to the cursor hiding module;
Or the operation monitoring module monitors whether a specific program is started or a specific file is opened and, if so, sends a trigger instruction to the cursor hiding module.
Further, the cursor feature values that the feature extraction module extracts from the operation data in step 5 include feature values such as the displacement, movement speed and movement frequency of the cursor in different movement directions in the cursor-hidden scene, from which the cursor feature vector is generated.
Further, the method of constructing the feature model file in step 6 comprises the following steps:
Step 6.1: the data acquisition module collects a normal user's cursor movement behavior data in the cursor-hidden scene;
Step 6.2: feature extraction is performed on the collected behavior data, extracting feature values such as the displacement, movement speed and movement frequency of the cursor in different directions, and the behavioral feature model file is built.
The technical solution by which the present invention solves the above technical problem is as follows: an attack detection system based on a cursor-hidden scene, comprising: an operation monitoring module, a cursor hiding module, a data acquisition module, a judgment module, a feature extraction module, a classification module and a determination module;
The operation monitoring module monitors the user's operation behavior and, when suspicious behavior is found, sends a trigger instruction to the cursor hiding module;
The cursor hiding module, under control of the trigger instruction, hides the cursor by creating a transparent window and pinning it on top, so that the user enters the cursor-hidden scene;
The data acquisition module records the user's cursor operation data in the cursor-hidden scene;
The judgment module judges whether the operation data recorded so far by the data acquisition module has reached a preset value, or whether the duration of the cursor-hidden scene has reached a preset time value;
The feature extraction module performs feature extraction on the operation data sent by the data acquisition module, extracts the cursor feature values obtained in the cursor-hidden scene, and generates a cursor feature vector;
The classification module classifies the cursor feature vector using the SVM classification algorithm, based on the cursor feature vector and the feature model file stored in the data file;
The determination module judges, according to the classification result of the cursor feature vector, whether the user is a normal user or a malicious user.
On the basis of the above technical solution, the present invention can also be improved as follows.
Further, while recording the user's cursor operation data in the cursor-hidden scene, the data acquisition module also records information on the processes the user is currently running.
Further, the system also comprises a digital forensics module which, when the current user is a malicious user, performs digital forensics to obtain information on the currently running processes, analyzes the process information and collects it as evidence, enables the active defense function, and interrupts all of the user's operations.
Further, the operation monitoring module detects abnormal user behavior in the following two cases:
The operation monitoring module uses existing anomaly detection software and, when a suspicious situation is detected, sends a trigger instruction to the cursor hiding module;
Or the operation monitoring module monitors whether a specific program is started or a specific file is opened and, if so, sends a trigger instruction to the cursor hiding module.
Further, the cursor feature values that the feature extraction module extracts from the operation data include feature values such as the displacement, movement speed and movement frequency of the cursor in different movement directions in the cursor-hidden scene, from which the cursor feature vector is generated.
Further, the system for constructing the feature model file comprises a feature collection module and a model construction module;
The feature collection module collects, at modeling time, a normal user's cursor movement behavior data in the cursor-hidden scene;
The model construction module performs feature extraction on the collected behavior data, extracts feature values such as the displacement, movement speed and movement frequency of the cursor in different directions, and builds the behavioral feature model file.
Brief description of the drawings
Fig. 1 is a flowchart of the attack detection method based on a cursor-hidden scene according to the present invention;
Fig. 2 is a flowchart of the method of constructing the feature model file according to the present invention;
Fig. 3 is a structural block diagram of the attack detection system based on a cursor-hidden scene according to the present invention;
Fig. 4 is a structural block diagram of the system for constructing the feature model file according to the present invention;
Fig. 5 is a schematic diagram of the division of cursor movement directions in an embodiment of the present invention.
In the drawings, the components represented by each reference numeral are as follows:
1, operation monitoring module; 2, cursor hiding module; 3, data acquisition module; 4, judgment module; 5, feature extraction module; 6, classification module; 7, determination module; 8, digital forensics module; 6.1, feature collection module; 6.2, model construction module.
Detailed description of the embodiments
The principles and features of the present invention are described below with reference to the drawings. The examples serve only to explain the invention and are not intended to limit its scope.
As shown in Fig. 1, an attack detection method based on a cursor-hidden scene specifically comprises the following steps:
Step 1: the operation monitoring module monitors the user's operation behavior and, when suspicious behavior is found, sends a trigger instruction to the cursor hiding module;
Step 2: under control of the trigger instruction, the cursor hiding module hides the cursor by creating a transparent window and pinning it on top, so that the user is placed in the cursor-hidden scene;
Step 3: the data acquisition module records the user's cursor operation data in the cursor-hidden scene;
Step 4: the judgment module judges whether the operation data recorded so far by the data acquisition module has reached a preset value, or whether the duration of the cursor-hidden scene has reached a preset time value; if so, the next step is executed; otherwise, step 3 is executed;
Step 5: the feature extraction module performs feature extraction on the operation data sent by the data acquisition module, extracts the cursor feature values obtained in the cursor-hidden scene, and generates a cursor feature vector;
Step 6: the classification module classifies the cursor feature vector using the SVM classification algorithm, based on the cursor feature vector and the feature model file stored in the data file;
Step 7: according to the classification result of the cursor feature vector, the user is judged to be a normal user or a malicious user;
Step 8: judge whether the current user is a malicious user; if so, step 9 is executed; otherwise, step 1 is executed;
Step 9: digital forensics is performed to obtain information on the currently running processes, the process information is analyzed and collected as evidence, the active defense function is enabled, all of the user's operations are interrupted, and the method ends.
In step 3, while recording the user's cursor operation data in the cursor-hidden scene, the data acquisition module also records information on the processes the user is currently running.
Step 1 covers the following two cases:
The operation monitoring module uses existing anomaly detection software and, when a suspicious situation is detected, sends a trigger instruction to the cursor hiding module;
Or the operation monitoring module monitors whether a specific program is started or a specific file is opened and, if so, sends a trigger instruction to the cursor hiding module.
The cursor feature values that the feature extraction module extracts from the operation data in step 5 include feature values such as the displacement, movement speed and movement frequency of the cursor in different movement directions in the cursor-hidden scene, from which the cursor feature vector is generated.
As shown in Fig. 2, the method of constructing the feature model file in step 6 comprises the following steps:
Step 6.1: the data acquisition module collects a normal user's cursor movement behavior data in the cursor-hidden scene;
Step 6.2: feature extraction is performed on the collected behavior data, extracting feature values such as the displacement, movement speed and movement frequency of the cursor in different directions, and the behavioral feature model file is built.
As shown in Fig. 3, an attack detection system based on a cursor-hidden scene comprises: an operation monitoring module 1, a cursor hiding module 2, a data acquisition module 3, a judgment module 4, a feature extraction module 5, a classification module 6 and a determination module 7;
The operation monitoring module 1 monitors the user's operation behavior and, when suspicious behavior is found, sends a trigger instruction to the cursor hiding module;
The cursor hiding module 2, under control of the trigger instruction, hides the cursor by creating a transparent window and pinning it on top, so that the user enters the cursor-hidden scene;
The data acquisition module 3 records the user's cursor operation data in the cursor-hidden scene;
The judgment module 4 judges whether the operation data recorded so far by the data acquisition module has reached a preset value, or whether the duration of the cursor-hidden scene has reached a preset time value;
The feature extraction module 5 performs feature extraction on the operation data sent by the data acquisition module, extracts the cursor feature values obtained in the cursor-hidden scene, and generates a cursor feature vector;
The classification module 6 classifies the cursor feature vector using the SVM classification algorithm, based on the cursor feature vector and the feature model file stored in the data file;
The determination module 7 judges, according to the classification result of the cursor feature vector, whether the user is a normal user or a malicious user.
While recording the user's cursor operation data in the cursor-hidden scene, the data acquisition module 3 also records information on the processes the user is currently running.
The system also comprises a digital forensics module 8 which, when the current user is a malicious user, performs digital forensics to obtain information on the currently running processes, analyzes the process information and collects it as evidence, enables the active defense function, and interrupts all of the user's operations.
The operation monitoring module 1 detects abnormal user behavior in the following two cases:
The operation monitoring module 1 uses existing anomaly detection software and, when a suspicious situation is detected, sends a trigger instruction to the cursor hiding module;
Or the operation monitoring module 1 monitors whether a specific program is started or a specific file is opened and, if so, sends a trigger instruction to the cursor hiding module.
The cursor feature values that the feature extraction module 5 extracts from the operation data include feature values such as the displacement, movement speed and movement frequency of the cursor in different movement directions in the cursor-hidden scene, from which the cursor feature vector is generated.
As shown in Fig. 4, the system for constructing the feature model file comprises a feature collection module 6.1 and a model construction module 6.2;
The feature collection module 6.1 collects a normal user's cursor movement behavior data in the cursor-hidden scene;
The model construction module 6.2 performs feature extraction on the collected behavior data, extracts feature values such as the displacement, movement speed and movement frequency of the cursor in different directions, and builds the behavioral feature model file.
To authenticate the current user of a computer efficiently and accurately, and to detect and guard against insider threat attacks, the invention provides a real-time identity authentication method based on a cursor-hidden scene, which mainly comprises three steps: 1) collecting a normal user's cursor movement behavior information in the cursor-hidden scene; 2) performing feature extraction on the collected user behavior data and building a user behavior feature model; 3) using a classification algorithm, according to the feature model, to authenticate the computer's current user in real time. The collection of cursor information and the extraction of user behavior features form the data acquisition and preprocessing stage; authenticating the current user is the detection of identity impersonation attacks. The core of the invention lies mainly in the proposal of the cursor-hidden scene and the user behavior modeling method in that scene, and in their application to real-time identity authentication.
Our design of the cursor-hidden scene is as follows: when a suspicious user is detected, our program actively hides the cursor on the display for a period of time so that the user cannot see it, and identifies the current user from the user's cursor movement features during that period. The theoretical basis is that, just as each person's subconscious first reaction to an unexpected event differs, different users also behave differently when the cursor suddenly disappears: some remain fairly calm, while others shake the cursor frequently, and there are clear individual differences in the cursor's movement direction and movement speed.
The present invention mainly covers four aspects:
(1) The proposal of the cursor-hidden scene. Having analyzed the individual differences that different users show in the cursor-hidden scene, we propose using the cursor-hidden scene for user identity authentication, implemented the cursor-hidden scene under the Windows operating system, and verified its accuracy experimentally.
(2) Data acquisition in the cursor-hidden scene. We designed a data acquisition strategy for the cursor-hidden scene: in addition to collecting the cursor data itself, information on the processes the user is currently running is also collected and monitored, accumulating information for later analysis of attack intent and for on-scene electronic forensics of the attack.
(3) Feature selection in the cursor-hidden scene. By classifying the different cursor behavior features collected in this scene and verifying them in combinations of different dimensions, we selected the mean and variance of the displacement in the different cursor movement directions, the mean and variance of the movement speed, and the distribution of the number of movements as the dimensions of our feature vector.
(4) User behavior modeling in the cursor-hidden scene, combined with the SVM classification algorithm, to authenticate the current computer user in real time.
The present invention collects and analyzes the cursor data that the user produces in the sudden cursor-hidden scene, extracts and models behavioral features such as the direction, speed and distance of the user's cursor movement, and finally, in combination with the SVM classification algorithm, authenticates the identity of the current computer user, thereby detecting and preventing identity impersonation attacks and mitigating threats inside the enterprise. The main advantage of the method is that the scene imposes few restrictions and can be triggered at any time while the user is operating the computer; while maintaining accuracy, the training-data collection time and the authentication time are both short; and the impact on the user's experience during normal use of the computer is small. Experimental results show that the method has a good detection effect.
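The stop rule of step 4 and the direction-binned feature vector of item (3), as an added example that is not code from the patent. It assumes eight equal direction sectors (Fig. 5 is not reproduced on this page), treats each pair of consecutive samples as one movement, and uses hypothetical presets of 200 samples or 3000 ms; all function names and the sample events are constructed for illustration.

```python
import math
from statistics import mean, pvariance

# Assumptions, not values from the patent text.
N_DIRECTIONS = 8     # number of equal direction sectors
MAX_SAMPLES = 200    # "preset value" for recorded operation data
MAX_MS = 3000        # "preset time value" for the cursor-hidden scene


def collection_done(n_samples, started_ms, now_ms,
                    max_samples=MAX_SAMPLES, max_ms=MAX_MS):
    """Step 4: stop when either the sample preset or the time preset is reached."""
    return n_samples >= max_samples or (now_ms - started_ms) >= max_ms


def record_scene(events, max_samples=MAX_SAMPLES, max_ms=MAX_MS):
    """Steps 3-4: keep (t_ms, x, y) events until collection_done() says stop.

    A live collector would also check the time preset on a timer, because a
    user who does not move the pointer produces no events at all.
    """
    samples, started = [], None
    for t_ms, x, y in events:
        if started is None:
            started = t_ms
        if collection_done(len(samples), started, t_ms, max_samples, max_ms):
            break
        samples.append((t_ms, x, y))
    return samples


def direction_bin(dx, dy, n=N_DIRECTIONS):
    """Map a movement to one of n equal sectors; sector 0 is centred on 'right'.

    Screen y grows downward, so dy is negated to make 'up' a positive angle.
    With n = 8: 0 = right, 2 = up, 4 = left, 6 = down.
    """
    width = 2 * math.pi / n
    angle = math.atan2(-dy, dx)
    return int(((angle + width / 2) % (2 * math.pi)) // width) % n


def extract_features(samples, n=N_DIRECTIONS):
    """Step 5: build the feature vector from (t_ms, x, y) samples.

    For each direction sector the vector holds five values:
    mean displacement, displacement variance, mean speed (px/ms),
    speed variance, and that sector's share of all movements.
    Sectors with no movement contribute zeros.
    """
    dist = [[] for _ in range(n)]
    speed = [[] for _ in range(n)]
    for (t0, x0, y0), (t1, x1, y1) in zip(samples, samples[1:]):
        dx, dy, dt = x1 - x0, y1 - y0, t1 - t0
        if (dx == 0 and dy == 0) or dt <= 0:
            continue  # no movement, or duplicate / out-of-order timestamp
        d = math.hypot(dx, dy)
        k = direction_bin(dx, dy, n)
        dist[k].append(d)
        speed[k].append(d / dt)
    total = sum(len(b) for b in dist)
    vec = []
    for k in range(n):
        if dist[k]:
            vec += [mean(dist[k]), pvariance(dist[k]),
                    mean(speed[k]), pvariance(speed[k]),
                    len(dist[k]) / total]
        else:
            vec += [0.0] * 5
    return vec


# Constructed sample: two moves right, one up, a repeated event, one move left.
CONSTRUCTED_EVENTS = [
    (0, 100, 100), (10, 103, 100), (20, 109, 100),
    (30, 109, 96), (30, 109, 96), (50, 101, 96),
]

if __name__ == "__main__":
    vec = extract_features(record_scene(CONSTRUCTED_EVENTS))
    for k in range(N_DIRECTIONS):
        print(k, [round(v, 4) for v in vec[5 * k:5 * k + 5]])
```

A vector of this shape is what the training phase would aggregate into the feature model file and what the detection phase would hand to the SVM classifier; the classifier itself is outside this example.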
Example:
To demonstrate the accuracy of our method more clearly and intuitively, we made some reasonable assumptions in the experiment.
Assumption 1: the user's mood while using the computer is stable and does not fluctuate greatly. Existing experiments have shown that a person's mood affects the cursor behavior features they exhibit; for example, when the user is anxious or irritable, the frequency of human-computer interaction changes markedly and differs considerably from the user's cursor behavior feature model under normal circumstances.
Assumption 2: the computer user's hardware remains unchanged after modeling is complete, because hardware factors such as mouse sensitivity and physical design all affect the user's cursor behavior. Under normal circumstances, an impostor will not replace hardware such as the computer's mouse or display within a short time.
We analyze and model the user's cursor movement information in the cursor-hidden scene and, in combination with the SVM classification algorithm, authenticate the identity of the current computer user in real time. The hardware environment used in the experiment is given in Table 1.
Table 1: Experimental hardware environment
The present invention comprises seven steps:
1. To reduce the impact on the user experience as far as possible, the data acquisition strategy takes one of two forms. The first works together with existing anomaly detection software: when a suspicious situation is reported, the cursor-hidden verification scene is entered; this form mainly improves on existing anomaly detection techniques. The second monitors the start of specific programs (such as a remote login program or an internal information system client) or the opening of specific files, and enters the cursor-hidden scene as soon as such an operation occurs.
2. Implement the cursor-hidden scene. The cursor is hidden by creating a transparent, topmost window, which makes the cursor invisible to the user and leads the user to exhibit their cursor behavior characteristics under this scene.
3. Record the cursor operation data that the user produces, following personal habit, while looking for the cursor in this scene. The collection method mainly uses the global cursor hook in the hook mechanism provided by the Windows system.
4. After a few seconds of data collection, the program moves to the background, the cursor returns to normal, and the user's working scene is restored.
5. In the model training stage, the data is stored in a data file; when the amount of data reaches the required size, the current user's normal cursor behavior characteristics are modeled and a feature model file is generated. In the detection stage, features are extracted from the collected data: the displacement, movement speed, movement frequency and other features of the cursor in the different movement directions under the cursor-hidden scene (the direction division is shown in Fig. 5) are analyzed and extracted separately, and a feature vector is generated.
6. Using the SVM classification algorithm, classify the current user by comparing the feature vector with the user's cursor behavior feature file.
7. Use the classification result obtained in step 6 to judge the identity of the current user. If the user is judged to be a malicious user, carry out digital forensics and active defense.
Among the above steps, the core of the invention is the proposal of the cursor-hidden scene in step 1 together with the design of its implementation and scope of application, the method of selecting the user's cursor behavior features under that scene in step 5, and the user identity verification and corresponding digital forensics in step 7.
In step 1, following the principles of biometrics, a person's cursor behavior in the short period after the cursor suddenly disappears differs between individuals, and the cursor-hidden scene is proposed on this basis. Because hiding the cursor affects the user experience to some extent, and we wish to reduce this impact as much as possible, two scene activation strategies are proposed; they also reduce the system overhead of data acquisition.
In step 5, based on actual experimental data, we finally selected the mean and variance of the displacement, movement speed and movement frequency in the different movement directions of the cursor as the user feature vector. This achieved a good classification result; the corresponding comparison results are given below.
Based on the classification result in step 7, we implement real-time authentication of the current user's identity and, when an anomaly is detected, carry out correlation analysis and forensics on the process information collected in real time.
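The feature selection described for step 5, as an added example that is not code from the patent: it turns cursor positions recorded while the cursor is hidden into the per-direction mean and variance of displacement and speed plus a movement frequency, and writes the vector in libsvm's sparse input format. The eight-sector split, the reading of "frequency" as a share of movement segments, the function names and the sample trace are assumptions; the patent's own direction division (its Fig. 5) is not reproduced on this page.

```python
import math
from statistics import mean, pvariance

N_SECTORS = 8  # assumption: the page does not reproduce the patent's direction split (Fig. 5)

# Constructed trace of (t_ms, x, y) cursor positions, as a global hook would deliver
# them during the few seconds the cursor is hidden. Not real user data.
SAMPLE = [(0, 0, 0), (10, 10, 0), (20, 30, 0), (30, 30, 20), (40, 30, 20), (50, 10, 20)]


def sector(dx, dy, n=N_SECTORS):
    """Direction sector of a move; sector k is centred on k * (360 / n) degrees."""
    width = 2 * math.pi / n
    angle = math.atan2(dy, dx) % (2 * math.pi)
    return int(((angle + width / 2) % (2 * math.pi)) / width) % n


def extract_features(samples, n=N_SECTORS):
    """Per sector: mean and variance of displacement (px) and speed (px/ms), plus
    movement frequency, taken here as the sector's share of all movement segments."""
    disp = [[] for _ in range(n)]
    speed = [[] for _ in range(n)]
    for (t0, x0, y0), (t1, x1, y1) in zip(samples, samples[1:]):
        dist, dt = math.hypot(x1 - x0, y1 - y0), t1 - t0
        if dist == 0 or dt <= 0:  # idle sample or out-of-order timestamp
            continue
        k = sector(x1 - x0, y1 - y0, n)
        disp[k].append(dist)
        speed[k].append(dist / dt)
    total = sum(len(d) for d in disp)
    vec = []
    for d, s in zip(disp, speed):
        if d:
            vec += [mean(d), pvariance(d), mean(s), pvariance(s), len(d) / total]
        else:
            vec += [0.0] * 5  # direction never used in this session
    return vec


def to_libsvm_line(label, vec):
    """One training/test line in libsvm's sparse text format: '<label> <index>:<value> ...'."""
    pairs = (f"{i}:{v:.6g}" for i, v in enumerate(vec, 1) if v != 0)
    return f"{label:+d} " + " ".join(pairs)


def far_frr(genuine_accepted, impostor_accepted):
    """FAR: share of impostor sessions accepted. FRR: share of genuine sessions rejected."""
    far = sum(impostor_accepted) / len(impostor_accepted)
    frr = genuine_accepted.count(False) / len(genuine_accepted)
    return far, frr


if __name__ == "__main__":
    print(to_libsvm_line(+1, extract_features(SAMPLE)))
```

In libsvm, `-s 0` selects C-SVC and `-t 3` the sigmoid kernel, which are the settings the page reports for its experiments.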
Beneficial effects
In the experiments, with the hardware specification kept consistent, we first verified experimentally that different users differ in some behavior characteristics under the cursor-hidden scene. We then configured different feature dimensions and classifier parameters and calculated the corresponding classification accuracy for each. Table 2 gives the FAR and FRR of user identity authentication under different dimension settings, with the libsvm parameter s set to 0 and t set to 3.
Dimension   FAR     FRR
17          17.3%   5.3%
25          6%      5.3%
49          2.6%    3.3%
Table 2 Comparison of experimental results for different dimensions
The experimental results show that the detection results of the proposed method are accurate and that the method is suitable for real-time identity authentication of users. It also has a short real-time verification time, requires no additional hardware support, has good resistance to interference, and is highly practical.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (12)

1. An attack detection method based on a cursor-hidden scene, characterized in that it comprises the following steps:
Step 1: an operation monitoring module monitors user operation behavior and, on finding suspicious behavior, sends a trigger instruction to a cursor hiding module;
Step 2: under the control of the trigger instruction, the cursor hiding module hides the cursor by creating a transparent topmost window, so that the user enters the cursor-hidden scene;
Step 3: a data acquisition module records the user's cursor behavior data under the cursor-hidden scene;
Step 4: a judgment module judges whether the operation data currently recorded by the data acquisition module has reached a preset value, or whether the duration of the cursor-hidden scene has reached a preset time value; if so, the next step is carried out; otherwise, step 3 is carried out;
Step 5: a feature extraction module performs feature extraction on the operation data sent by the data acquisition module, extracts the cursor feature values under the cursor-hidden scene, and generates a cursor feature vector;
Step 6: a classification module compares the cursor feature vector with the feature model file stored in the data file and classifies the cursor feature vector using the SVM classification algorithm;
Step 7: according to the classification result of the cursor feature vector, the user is judged to be a normal user or a malicious user.
2. The attack detection method based on a cursor-hidden scene according to claim 1, characterized in that, in step 3, the data acquisition module, while recording the user's cursor operation data under the cursor-hidden scene, also records information on the processes the user is currently running.
3. The attack detection method based on a cursor-hidden scene according to claim 2, characterized in that it further comprises step 8: judging whether the current user is a malicious user; if so, carrying out step 9; otherwise, carrying out step 1;
Step 9: carrying out digital forensics to obtain the information on the currently running processes, analyzing the process information and collecting evidence, enabling the active defense function, interrupting all of the user's operations, and ending.
4. The attack detection method based on a cursor-hidden scene according to claim 3, characterized in that step 1 covers the following two cases:
the operation monitoring module uses existing anomaly detection software and, when a suspicious situation is detected, sends the trigger instruction to the cursor hiding module;
or the operation monitoring module monitors whether a specific program is started or whether a specific file is opened and, if so, sends the trigger instruction to the cursor hiding module.
5. The attack detection method based on a cursor-hidden scene according to any one of claims 1 to 4, characterized in that the cursor feature values that the feature extraction module extracts from the operation data in step 5 comprise the displacement, movement speed and movement frequency feature values of the cursor in different movement directions under the cursor-hidden scene, from which the cursor feature vector is generated.
6. The attack detection method based on a cursor-hidden scene according to claim 1, characterized in that the method of constructing the feature model file in step 6 comprises the following steps:
Step 6.1: the data acquisition module collects the cursor movement behavior data of a normal user under the cursor-hidden scene;
Step 6.2: feature extraction is performed on the collected behavior data, the displacement, movement speed and movement frequency feature values of the cursor in different directions are extracted, and the behavior feature model file is built.
7. An attack detection system based on a cursor-hidden scene, characterized in that it comprises: an operation monitoring module, a cursor hiding module, a data acquisition module, a judgment module, a feature extraction module, a classification module and a determination module;
the operation monitoring module monitors user operation behavior and, on finding suspicious behavior, sends a trigger instruction to the cursor hiding module;
the cursor hiding module, under the control of the trigger instruction, hides the cursor by creating a transparent topmost window, so that the user enters the cursor-hidden scene;
the data acquisition module records the user's cursor operation data under the cursor-hidden scene;
the judgment module is used to judge whether the operation data currently recorded by the data acquisition module has reached a preset value, or whether the duration of the cursor-hidden scene has reached a preset time value;
the feature extraction module performs feature extraction on the operation data sent by the data acquisition module, extracts the cursor feature values under the cursor-hidden scene, and generates a cursor feature vector;
the classification module compares the cursor feature vector with the feature model file stored in the data file and classifies the cursor feature vector using the SVM classification algorithm;
the determination module is used to judge, according to the classification result of the cursor feature vector, whether the user is a normal user or a malicious user.
8. The attack detection system based on a cursor-hidden scene according to claim 7, characterized in that the data acquisition module, while recording the user's cursor operation data under the cursor-hidden scene, also records information on the processes the user is currently running.
9. The attack detection system based on a cursor-hidden scene according to claim 8, characterized in that it further comprises a digital forensics module; when the current user is a malicious user, the digital forensics module carries out digital forensics to obtain the information on the currently running processes, analyzes the process information and collects evidence, enables the active defense function, interrupts all of the user's operations, and ends.
10. The attack detection system based on a cursor-hidden scene according to claim 9, characterized in that the detection of abnormal user behavior by the operation monitoring module covers the following two cases:
the operation monitoring module uses existing anomaly detection software and, when a suspicious situation is detected, sends the trigger instruction to the cursor hiding module;
or the operation monitoring module monitors whether a specific program is started or whether a specific file is opened and, if so, sends the trigger instruction to the cursor hiding module.
11. The attack detection system based on a cursor-hidden scene according to any one of claims 7 to 10, characterized in that the cursor feature values that the feature extraction module extracts from the operation data comprise the displacement, movement speed and movement frequency feature values of the cursor in different movement directions under the cursor-hidden scene, from which the cursor feature vector is generated.
12. The attack detection system based on a cursor-hidden scene according to claim 7, characterized in that the system for constructing the feature model file comprises: a feature acquisition module and a model construction module;
the feature acquisition module collects, at modeling time, the cursor movement behavior data of a normal user under the cursor-hidden scene;
the model construction module is used to perform feature extraction on the collected behavior data, extract the displacement, movement speed and movement frequency feature values of the cursor in different directions, and build the behavior feature model file.
CN201410127741.6A 2014-03-31 2014-03-31 Attack detection method and system on basis of cursor hidden scene Pending CN103942489A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410127741.6A CN103942489A (en) 2014-03-31 2014-03-31 Attack detection method and system on basis of cursor hidden scene

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410127741.6A CN103942489A (en) 2014-03-31 2014-03-31 Attack detection method and system on basis of cursor hidden scene

Publications (1)

Publication Number Publication Date
CN103942489A true CN103942489A (en) 2014-07-23

Family

ID=51190156

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410127741.6A Pending CN103942489A (en) 2014-03-31 2014-03-31 Attack detection method and system on basis of cursor hidden scene

Country Status (1)

Country Link
CN (1) CN103942489A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070271466A1 (en) * 2006-05-18 2007-11-22 Genevieve Mak Security or authentication system and method using manual input measurements, such as via user manipulation of a computer mouse
JP2010108413A (en) * 2008-10-31 2010-05-13 Konami Digital Entertainment Co Ltd Authentication device, authentication method and program
CN101833619A (en) * 2010-04-29 2010-09-15 西安交通大学 Method for judging identity based on keyboard-mouse crossed certification
CN102509044A (en) * 2011-10-17 2012-06-20 镇江金钛软件有限公司 Mouse behavior characteristic-based password authentication method
CN103218566A (en) * 2013-01-25 2013-07-24 江南大学 Active defense system based on Android platform software behavior detection
CN103530540A (en) * 2013-09-27 2014-01-22 西安交通大学 User identity attribute detection method based on man-machine interaction behavior characteristics
CN103530546A (en) * 2013-10-25 2014-01-22 东北大学 Identity authentication method based on mouse behaviors of user

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WEI ZICHENG ET AL: ""A Real-Time Authentication Method Based on Cursor-hidden Scene"", 《INTERNATIONAL WORKSHOP ON CLOUD COMPUTING AND INFORMATION SECURITY》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107220530A (en) * 2016-03-21 2017-09-29 北大方正集团有限公司 Turing test method and system based on customer service behavioural analysis
CN109525541A (en) * 2017-09-20 2019-03-26 华中科技大学 A kind of user behavior characteristics personal identification method and system
CN107911338A (en) * 2017-10-13 2018-04-13 深圳市迅雷网络技术有限公司 A kind of data verification method, relevant device and system
CN108052543A (en) * 2017-11-23 2018-05-18 北京工业大学 A kind of similar account detection method of microblogging based on map analysis cluster
CN108052543B (en) * 2017-11-23 2021-02-26 北京工业大学 Microblog similar account detection method based on graph analysis clustering
CN111241535A (en) * 2020-01-20 2020-06-05 北京北信源软件股份有限公司 Violation evidence obtaining processing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140723
