CN104301286B - User log-in authentication method and device - Google Patents

User log-in authentication method and device Download PDF

Info

Publication number
CN104301286B
CN104301286B CN201310295620.8A CN201310295620A CN104301286B CN 104301286 B CN104301286 B CN 104301286B CN 201310295620 A CN201310295620 A CN 201310295620A CN 104301286 B CN104301286 B CN 104301286B
Authority
CN
China
Prior art keywords
user
input
behavior
data set
probability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310295620.8A
Other languages
Chinese (zh)
Other versions
CN104301286A (en
Inventor
李冰
顾健
王雅文
李宏昌
迟建德
付载国
李佳记
于志卓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Group Heilongjiang Co Ltd
Original Assignee
China Mobile Group Heilongjiang Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Group Heilongjiang Co Ltd filed Critical China Mobile Group Heilongjiang Co Ltd
Priority to CN201310295620.8A priority Critical patent/CN104301286B/en
Publication of CN104301286A publication Critical patent/CN104301286A/en
Application granted granted Critical
Publication of CN104301286B publication Critical patent/CN104301286B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Abstract

The invention discloses a kind of user log-in authentication method and device.Wherein this method includes:While user inputs log-on message, the input behavior characteristic of user is caught according to default user behavior index;Judge whether user behavior is abnormal according to input behavior characteristic;When user behavior is normal, log-on message is verified;When user behavior exception, authentication is carried out to the user of login, determines whether the register that legitimate user himself is carried out;When being the register of legitimate user himself's progress, log-on message is verified;When not being the register of legitimate user himself's progress, sent a warning message to legitimate user himself.The present invention also provides a kind of user log-in authentication device for being used to realize the above method.

Description

User log-in authentication method and device
Technical field
The present invention relates to business support technical field, more particularly to a kind of user log-in authentication method and device.
Background technology
Heilungkiang movement is to comprehensive customer service system(CRM), the office automation system(OA)There is provided mutually Deng enterprise's application Networking VPN access interfaces, enterprises user, nearly 15000 people of third party user, login authentication pattern mainly use static password The double factor authentication pattern that+dynamic short message password is combined.
As shown in figure 1, prior art handling process is described below:
1st, user is by accessing Web page https://vpn.hl.chinamobile.com login systems, Firepass4300VPN access gatewaies return to SSLVPN system login pages after receiving user's request.
2nd, user inputs user name and static password in login page, submits and waiting system is verified.
3rd, password triggering server receives user name and static password inside the province, and is sent to group's Radius authentication services Device;
4th, group Radius certificate servers are by the user name received, static password and user's management platform database User profile checking is compared, be proved to be successful, triggering dynamic password generation;Authentication failed, return to prompt message, it is desirable to use User name and static password are re-entered in family.
5th, after SMAP dynamic passwords generation server generates random 6 dynamic passwords, the dynamic password of generation is returned to Group's Radius certificate servers are stored, while are triggered short message server and sent dynamic password to user.
6th, user carries out secondary login authentication using the dynamic password received.
7th, password triggering server receives user name and dynamic password and is sent to group's Radius servers inside the province.
8th, group Radius carries out user name and verifying dynamic password, is proved to be successful, user's Successful login application system;Test Card failure, returns to prompt message, it is desirable to which user re-enters dynamic password and carries out secondary login authentication.
As shown in Fig. 2 the SSLVPN systems in existing system topological structure use the dynamic short message mouth based on static password Order is authenticated to user, and the hardware configuration of Verification System is 3 Firepass4300, wherein being matched somebody with somebody by 2 firepass4300 Fault-tolerant pair put and the 3rd is configured to cluster mode of operation.
In summary, current login system authentication mode is that user name code data matches certification, is primarily present following Technology drawback:
1. traditional Verification System can not be monitored analysis to whole verification process, and then authentication result can not be carried out Effectively judge.After traditional certificate server is verified to user profile, enter system if checking logins successfully, otherwise step on Record page will prompt the user with the information of " user name or code error ".The shortcomings that this authentication techniques, is:1. disabled user will When Bad user name or password carries out repeatedly input exploration, system will be carried out freezing to handle to the user name, then be caused normal Login user also will be unable to use immediately.2. if validated user is stolen by others when have input correct username and password, Disabled user can imitate validated user and carry out system login, and so as to steal its capsule information, thus security assurance level is relatively low.
2. the illegal login of generation or log-on message are stolen, keeper can only carry out passive maintenance.Due to existing skill The conventional authentication method of art application is relatively easy to the mode of user's checking, causes system login threshold relatively low, and potential safety hazard is many It is more, easily utilized by the criminal or hacker clique that grasp certain crime means.Once generation is illegally logged in or stepped on When being stolen, system manager can not be had found record information in the very first time by prior art, can only by the feedback of user come Passive maintenance is carried out, and has now had resulted in the safety leakage of system information, so this drawback urgently improves.
The content of the invention
In order to solve illegally to log in the prior art or log-on message it is stolen cause Information Security reduce technology ask Topic, the present invention propose a kind of user log-in authentication method and device.
One aspect of the present invention, there is provided a kind of user log-in authentication method, including:
While user inputs log-on message, the input behavior feature of user is caught according to default user behavior index Data;
Judge whether user behavior is abnormal according to input behavior characteristic;
When user behavior is normal, log-on message is verified;When user behavior exception, the user of login is carried out Authentication, determine whether the register that legitimate user himself is carried out;
When being the register of legitimate user himself's progress, log-on message is verified;When not being validated user sheet During the register that people is carried out, sent a warning message to legitimate user himself.
Another aspect of the present invention, there is provided a kind of user log-in authentication device, including:
Capture module, for while user inputs log-on message, user to be caught according to default user behavior index Input behavior characteristic;
Characteristics analysis module, for judging whether user behavior is abnormal according to input behavior characteristic;
Authentication module, when user behavior exception, authentication is carried out to the user of login, it is legal to determine whether The register that user is carried out;
Login authentication module, for when user behavior is normal, being verified to log-on message;When being legitimate user himself During the register of progress, log-on message is verified;
Alarm module, for when not being the register of legitimate user himself's progress, sending and accusing to legitimate user himself Alert information.
The user log-in authentication method and device of the present invention, input behavior during by being logged in user are analyzed, sentenced It is disconnected whether be user's progress input operation.Realize the profound behavior based on user characteristics custom when user logs in Analysis detection, further improves logging in system by user safe class, to ensure Operational Visit quality, improve user experience. Meanwhile system security maintenance cost is reduced, reduce fault rate.
Brief description of the drawings
Fig. 1 is prior art login method schematic flow sheet;
Fig. 2 is prior art login system structural representation;
Fig. 3 is the flow chart of user log-in authentication embodiment of the method for the present invention;
Fig. 4 is the dependence schematic diagram between user behavior index of the present invention;
Fig. 5 is the flow chart of user behavior anomaly analysis embodiment of the present invention;
Fig. 6 is the flow chart that the present invention calculates user behavior exception probability embodiment;
Fig. 7 is the structure chart of the user log-in authentication device embodiment of the present invention;
Fig. 8 is the structure chart of the capture module embodiment of the present invention;
Fig. 9 is the structure chart of the characteristics analysis module embodiment of the present invention;
Figure 10 is the structural representation of the login system of the present invention;
Figure 11 is the schematic flow sheet of the login method of the present invention.
Embodiment
Below in conjunction with accompanying drawing, the present invention is described in detail.
As shown in figure 3, the user log-in authentication embodiment of the method for the present invention comprises the following steps:
Step 302, while user inputs log-on message, the input of user is caught according to default user behavior index Behavioural characteristic data;
Step 304, judge whether user behavior is abnormal according to input behavior characteristic;When user behavior is normal, hold Row step 308;When user behavior exception, step 306 is performed;
Step 306, authentication is carried out to the user of login, determines whether the login behaviour that legitimate user himself is carried out Make;When being the register of legitimate user himself's progress, step 308 is performed;When the login for not being legitimate user himself's progress During operation, step 310 is performed;
Step 308, log-on message is verified;
Step 310, sent a warning message to legitimate user himself.
User behavior index of the present invention mainly includes following four:
(1)Input character time interval index
It is a time range to input character time interval index, may be defined as login user in input login username and One average value of time interval during multiple characters such as static password.Say to a certain extent, the index can be used as a kind of use Family is judged the user name set and a kind of of static password familiarity, thus has actual application value.
(2)Input alphabet time index
It is a period to input alphabet time index, is that user carries out the input operation time in whole login process The critical field of summation, be defined as since user click on input through keyboard operation untill last character has been inputted when Between.The index can be used for weighing qualification of the user to logon operation.
(3)Button frequency index
Button frequency index is the summation of all touch potentials in the whole login process of user, and the beginning and ending time is that input is complete Portion's character time scope, include all touch potentials such as correct, mistake and rollback.The index can be used for weighing user to logging in The qualification of operation.
(4)Change number index
Summation of the number index for the rollback touch potential in the whole login process of user is changed, the beginning and ending time is complete for input Portion's character time scope.The index can be used for weighing qualification of the user to logon operation.
Above four indices are all the desired value of the normal register acquisition of user's progress in certain period of time by product Tired, analysis and refine and formed, there is very strong data validity and actual operability.
In the present invention, mainly for input character time interval, input alphabet time, the button frequency and change time This four user behavior indexs of number are caught, and have been fully taken into account user's issuable input in practical operation and have more been changed one's profession For this key character, the input alphabet time has been allowed also for, the button frequency this two has obvious personal characteristics Have the important indicator value of summation attribute concurrently, and the not very big secondary index of key time durations this meanings is desalinated, so as to more Rationally, comprehensively to catch the importance of user behavior feature.User's input habit and style are entered by the form of index Row record is put on record, and it is transparent unaware to user to catch action process, the service application experience of client will not be caused any Inconvenience.
When the input behavior characteristic captured includes the input character time interval, the input alphabet that capture Between, the button frequency and change number numerical value.
Above-mentioned steps 302, the concrete mode for catching the input behavior characteristic of user are as follows:
When detecting that user positions a cursor in input field and push button, it is determined as that user's input starts, records defeated Enter initial time Time_InputBegin and user key-press time Time_Press;
When detect user press " logging in " key carry out data submission, be determined as user input be fully completed, record input Time Time_InputEnd is terminated, and button frequency Num_Sum is entered as 1;
The progress data submission of " logging in " key is pressed when being not detected by user, is determined as that user continues in input state, user The button once in addition to " logging in " key is often pressed, button frequency Num_Sum numerical value is incrementally added 1;
When detecting user often by the button that once retracts, the numerical value for changing times N um_Change is incrementally added 1;
Calculating input alphabet time Time_Sum=Time_ time is terminated according to input initial time and input InputEnd-Time_InputBegin;
Input character time interval Time_ is calculated according to input alphabet time, user key-press time and the button frequency Dwell=(Time_Sum-Time_Press*Num_Sum)/(Num_Sum-1);
So far, algorithm is caught to terminate.According to the four indices numerical value got:User inputs character time interval Time_ Dwell, user input alphabet time Time_Sum, user key-press frequency Num_Sum, user's change times N um_Change Carry out the processing of subsequent step.
According to the present invention relates to the data target characteristic of business, Bayesian Classification Arithmetic can be used to carry out user behavior point Analysis.
Bayesian Classification Arithmetic is a kind of Statistical Classification method classified using probability statistics knowledge, huge at its Method system in, naive Bayesian (Naive Bayesian, NB) sorting algorithm is can be with decision tree and neutral net point The basic algorithm that what class algorithm compared favourably be widely adopted, the algorithm can be applied in large database, and method it is simple, point Class accuracy rate is high, speed is fast.
But because Bayes' theorem assumes value of influence of the property value to given class independently of other attributes, and this is false If invalid, especially various data targets in practical problem to be dealt with the present invention are often in a practical situation Feature Dependence relation is stronger, and independence is relatively weak to each other, and its classification accuracy can be caused to decline.Therefore, this hair More meet a kind of Bayesian Classification Arithmetic of reduction independence assumption of practical problem in the bright system using Bayesian Classification Arithmetic: TAN (Tree Augmented Bayes Network) algorithm.
TAN algorithms by the dependence between finding attribute pair reduce in NB between any attribute it is independent it is assumed that It is to increase association (side) between attribute pair on the basis of the NB network structures come what is realized
As shown in figure 4, node represents attribute, the dependence between representing attribute with directed edge, attribute Ai and Aj in figure Between side mean that influences of the attribute Ai to class variable C additionally depends on attribute Aj value, class variable C is normal herein Class users object and abnormal class user object.
As shown in figure 5, above-mentioned steps 304, judge the whether abnormal specific bag of user behavior according to input behavior characteristic Include:
Step 502, the abnormal user and the input behavior characteristic of normal users history caught generates exception respectively Behavioral data collection and normal behaviour data set, input behavior characteristic when user is inputted every time is as a behavioural characteristic Character string(Hereinafter referred to as TOKEN goes here and there), for example, input character time interval Time_Dwell=0.8s, input alphabet time Time_Sum=15s, button frequency Num_Sum=16, change times N um_Change=2 etc. are gone here and there as a TOKEN;
Step 504, one or more TOKEN string is obtained from capturing the current input behavior characteristic of user;
Step 506, TOKEN strings are calculated in normal behaviour data set and the probability of occurrence P of abnormal behaviour data set1(ti) and P2(ti);
Step 508, according to P1(ti) and P2(ti) calculate user behavior exception probability P (A/ti);
Step 510, by P (A/ti) compared with default probability threshold value, as P (A/ti) when exceeding probability threshold value, judge The user is abnormal user.
As shown in fig. 6, above-mentioned steps 508 specifically include:
Step 602, length L1, L2 of Hash table corresponding to normal behaviour data set and abnormal behaviour data set is calculated;
Step 604, occurrence number F1, F2 of the TOKEN strings in normal behaviour data set and abnormal behaviour data set is counted;
Step 606, probability of occurrence of the TOKEN strings in normal behaviour data set is calculated:P1(ti)=F1/L1;TOKEN strings exist The probability of occurrence of abnormal behaviour data set:P2(ti)=F2/L2.
Step 608, user behavior exception probability is calculated:
Wherein, A represents active user for abnormal event, tiRepresent behavioural characteristic Character string, it is to work as P (A/t from useri) before input behavior characteristic obtain behavioural characteristic character string tiWhen, the user behavior Abnormal probability, P1(ti) for behavioural characteristic character string in the probability of occurrence of normal behaviour data set, P2(ti) it is behavioural characteristic character The probability of occurrence gone here and there in abnormal behaviour data set;Or
P(A/t1,t2,...tn)=P (A/t1)*P(A/t2)*...P(A/tn)/
{P(A/t1)*P(A/t2)*...P(A/tn)+[1-P(A/t1)]*[1-P(A/t2)]*...[1-P(A/tn)] its In, P (A/t1,t2,...tn) it is to obtain n behavioural characteristic character string t from the current input behavior characteristic of user1,t2, ...tnWhen, the user behavior exception probability.
It is above-mentioned that TAN algorithms are employed to user behavior analysis, when having fully taken into account input character in user behavior feature Between interval, input alphabet time, the specific object of the button frequency and the multinomial data target of input change number etc. rely on and close System so that more accurate to user behavior analysis.
For the input behavior characteristic captured normal behaviour data set or different is arrived according to the storage of behavioural analysis result Normal behavioral data is concentrated, the foundation as subsequent analysis.
When it is operation that legitimate user himself is carried out to be determined after above-mentioned steps 306, line of input that this user is logged in It is characterized data and includes normal behaviour data set.User can not possibly be unalterable as living nature nature individual human, behavioural characteristic, Will necessarily at a time, a certain period there is situation about fluctuating, in view of the changeability and fluctuation feature, it is directed to improve The applicability of the data set of foundation, it is necessary to the data value comprising wave characteristic is included into data set scope in time, after participating in the lump Continuous behavioural analysis.Such as:User A days forget during register wear a pair of spectacles and visually unclear, causes its to input user Slow many than usual when name and password, this will directly affect seizure value of the user behavior capture module to its four indices and deviates from Normal data scope when its is usual then triggers abnormal behaviour audit, and the fluctuation data under analogue are received in time After entering the analysis of its data set scope participative behavior, it can avoid triggering abnormal behaviour for the second time when analogue occurs for user A Audit, then improves Consumer's Experience.
Based on same inventive concept, the present invention also provides a kind of user log-in authentication device, as shown in fig. 7, the device bag Include:Capture module 71, characteristics analysis module 72, authentication module 73, login authentication module 74 and alarm module 75.
Capture module catches the input of user according to default user behavior index while user inputs log-on message Behavioural characteristic data.Characteristics analysis module judges whether user behavior is abnormal according to input behavior characteristic.Work as user behavior When abnormal, authentication module carries out authentication to the user of login, determines whether the login that legitimate user himself is carried out Operation.When user behavior is normal, login authentication module is verified to log-on message;When be legitimate user himself carry out step on During record operation, login authentication module is verified to log-on message.When not being the register of legitimate user himself's progress, accuse Alert module sends a warning message to legitimate user himself.
As shown in figure 8, the concrete structure of capture module includes:Detection sub-module 81, timing submodule 82, counting submodule 83 and calculating sub module 84.
Detection sub-module detection user positions a cursor over the behavior in input field and pushed button, and user presses " logging in " Key carries out the behavior of data submission, and user presses the behavior of the button in addition to " logging in " key, and user presses the row of rollback button For.
When detecting that user positions a cursor in input field and push button, it is determined as that user's input starts, timing Module record input initial time and user key-press time;When detect user press " logging in " key carry out data submission, judge It is fully completed for user's input, the record input of timing submodule terminates the time.
When detecting that user presses " logging in " key and carry out data submission, the button frequency is entered as 1 by counting submodule;When not Detect that user presses " logging in " key and carries out data submission, user often presses the once button in addition to " logging in " key, counts submodule The numerical value of the button frequency is incrementally added 1 by block;When detecting user often by the button that once retracts, counting submodule will change number Numerical value incrementally adds 1.
Calculating sub module terminates calculating input alphabet time time according to input initial time and input;According to input Alphabet time, user key-press time and the button frequency calculate input character time interval.
As shown in figure 9, the concrete structure of characteristics analysis module includes:Data set generation submodule 91, text string generation Module 92, calculating sub module 93 and comparison sub-module 94.
The abnormal behaviour for the user that data set generation submodule catches history and the input behavior feature of normal behaviour Data generate abnormal behaviour data set and normal behaviour data set respectively, input behavior characteristic when user is inputted every time As a behavioural characteristic character string;
Text string generation submodule obtains one or more behaviors from the current input behavior characteristic of user is captured Feature string;
It is general in the appearance of normal behaviour data set and abnormal behaviour data set that calculating sub module calculates behavioural characteristic character string Rate, and user behavior is calculated in the probability of occurrence of normal behaviour data set and abnormal behaviour data set according to behavioural characteristic character string Abnormal probability;
Comparison sub-module by user behavior exception probability compared with default probability threshold value, when user behavior is extremely general When rate exceedes probability threshold value, judge the user for abnormal user.
As shown in Figure 10, during specific implementation, the present invention changes to what the login system residing for user log-in authentication device was carried out Enter as follows:
The 1st, front end processor region is set before Firepass4300 working clusters, in region initial stage it is tentative set two it is preposition Machine:Wherein a front end processor is Web load-balanced servers, is responsible for web load balancing traffic distributions;Another front end processor is province Interior password triggers server, is responsible for, to group's Radius servers transmission user name and static password, obtaining Radius servers Proofing state, show a series of functions such as proofing state information in time.
2nd, two user behavior capture servers are set up, real-time capture login user inputs the words such as user name, static password The four indices data of symbol, then complete the record to user's Entered state, behavioural characteristic.The server requirement possesses high stable Property and high robustness.
3rd, a user feature analysis Modeling Server is set up, finishing analysis are carried out to the desired value of seizure, then completed The foundation of user behavior characteristic model.The server requirement possesses the high efficiency in terms of operational performance.
4th, to abnormal behaviour audit and warning information trigger module re-optimization, Consumer's Experience is lifted.
As shown in figure 11, during specific implementation, the handling process of login system is as follows:
1st, user is by accessing Web page https://vpn.hl.chinamobile.com login systems.
2nd, access of the Web load-balanced servers in front end processor region to the user carries out traffic distribution.
3rd, Firepass4300VPN access gatewaies return to SSLVPN system login pages after receiving user's request.
4th, user inputs user name and static password in login page, submits and waiting system is verified;Meanwhile user behavior The indices of capture server real-time capture user inputs character.
5th, user feature analysis Modeling Server logs in behavior indices to user's whole process and is arranged and analyzed, after And according to modeling standard, confirmation modeling property.If meeting modeling standard, enter the 6th step and continue flow;If modeling is not met Standard, directly trigger abnormal behaviour audit server and authentication is carried out to this operator:If it is determined that it is legitimate user himself The operation of progress, then this user can be logged in behavioural characteristic and include its model data scope, then user feature analysis models Server updates legitimate value according to indices aggregate-value(User's custom value)Scope, so as to update modeling standard, require simultaneously User re-enters user name and static password, submits and waiting system is verified;If it is determined that it is not that legitimate user himself is carried out Operation, then it can send short message alarm prompting to legitimate user himself rapidly, it is desirable to which whether it check oneself account-related information Through leakage.
6th, user feature analysis Modeling Server establishes personal behavior model according to above-mentioned analysis result, meanwhile, it is close inside the province Code triggering server receives user name and static password and is sent to group's Radius servers.
7th, group Radius certificate servers are by the user name received, static password and user's management platform database User profile checking is compared, be proved to be successful, triggering dynamic password generation, while the result returned into password inside the province Triggering server is judged:If the match is successful, inform that user " has triggered dynamic password, please receive short message!", if matching is lost Lose, inform that " user name code error, is please logged in user again.", that is, return to prompt message, it is desirable to which user re-enters user name And static password.
8th, after SMAP dynamic passwords generation server generates random 6 dynamic passwords, the dynamic password of generation is returned to Group's Radius certificate servers are stored, while are triggered short message server and sent dynamic password to user.
9th, user carries out secondary login authentication using the dynamic password received.Password triggering server receives user inside the province Name and dynamic password are simultaneously sent to group's Radius servers.Group's Radius servers carry out user name and dynamic password is tested Card, is proved to be successful, user's Successful login application system;Authentication failed, return to prompt message, it is desirable to which user re-enters dynamic mouth Order carries out secondary login authentication.
The user log-in authentication method and device embodiment of the present invention, input behavior during by being logged in user are divided Analysis, determine whether the input operation that user is carried out.Realize the deep layer based on user characteristics custom when user logs in Secondary behavioural analysis detection, further improves logging in system by user safe class, is used with ensureing Operational Visit quality, improving user Experience.Meanwhile human resources have been saved, system security maintenance cost is reduced, reduces fault rate.
It should be noted that:Only to illustrate rather than limitation, the present invention is also not limited to above-mentioned above example Citing, all do not depart from the technical scheme of the spirit and scope of the present invention and its improvement, and it all should cover the right in the present invention In claimed range.

Claims (11)

  1. A kind of 1. user log-in authentication method, it is characterised in that including:
    While user inputs log-on message, the input behavior characteristic of user is caught according to default user behavior index According to;
    Judge whether the user behavior is abnormal according to the input behavior characteristic;
    When the user behavior is normal, the log-on message is verified;When the user behavior exception, stepped on to described The user of record carries out authentication, determines whether the register that legitimate user himself is carried out;
    When being the register of legitimate user himself's progress, the log-on message is verified;When not being validated user sheet During the register that people is carried out, sent a warning message to the legitimate user himself.
  2. 2. according to the method for claim 1, it is characterised in that the user behavior index includes:
    Input character time interval, input alphabet time, the button frequency and change number;
    Input character time interval that the input behavior characteristic includes capturing, input alphabet time, button The numerical value of the frequency and change number.
  3. 3. according to the method for claim 2, it is characterised in that while user inputs log-on message, according to default The input behavior characteristic that user behavior index catches user includes:
    When detecting that user positions a cursor in input field and push button, it is determined as that user's input starts, record inputs Begin time and user key-press time;
    When detect user press " logging in " key carry out data submission, be determined as user input be fully completed, record input terminate Time, and the button frequency is entered as 1;
    The progress data submission of " logging in " key is pressed when being not detected by user, is determined as that user continues in input state, user often presses The once button in addition to " logging in " key, the numerical value of the button frequency is incrementally added 1;
    When detecting user often by the button that once retracts, the numerical value for changing number is incrementally added 1;
    The time calculating input alphabet time is terminated according to the input initial time and input, it is complete according to the input Portion's character time, the user key-press time and the button frequency calculate the input character time interval.
  4. 4. according to the method in claim 2 or 3, it is characterised in that according to judging the input behavior characteristic Whether user behavior includes extremely:
    The abnormal behaviour of the user and the input behavior characteristic of normal behaviour that history is caught generate abnormal behaviour respectively Data set and normal behaviour data set, input behavior characteristic when user is inputted every time is as a behavioural characteristic character String;
    One or more behavioural characteristic character strings are obtained from the current input behavior characteristic of user is captured;
    Behavioural characteristic character string is calculated in the normal behaviour data set and the probability of occurrence of abnormal behaviour data set, according to described Behavioural characteristic character string calculates user behavior exception in the probability of occurrence of the normal behaviour data set and abnormal behaviour data set Probability;
    When the user behavior exception probability exceedes default probability threshold value, judge the user for abnormal behavior user.
  5. 5. according to the method for claim 4, it is characterised in that calculate behavioural characteristic character string in the normal behaviour data The probability of occurrence of collection and abnormal behaviour data set includes:
    Calculate the length of Hash table corresponding to the normal behaviour data set and abnormal behaviour data set;
    Count occurrence number of the behavioural characteristic character string in the normal behaviour data set and abnormal behaviour data set;
    It is the behavioural characteristic character string that the behavioural characteristic character string, which is calculated, in the probability of occurrence of the normal behaviour data set The length of Hash table corresponding to occurrence number divided by normal behaviour data set in the normal behaviour data set;
    It is the behavioural characteristic character string that the behavioural characteristic character string, which is calculated, in the probability of occurrence of the abnormal behaviour data set The length of Hash table corresponding to occurrence number divided by abnormal behaviour data set in the abnormal behaviour data set.
  6. 6. according to the method for claim 5, it is characterised in that according to the behavioural characteristic character string in the normal behaviour The probability of occurrence of data set and abnormal behaviour data set, which calculates user behavior exception probability, to be included:
    Wherein, A represents the event of active user's abnormal behavior, tiRepresent behavioural characteristic word Symbol string, P (A/ti) it is to obtain behavioural characteristic character string t from the current input behavior characteristic of useriWhen, the user behavior is different Normal probability, P1(ti) for the behavioural characteristic character string in the probability of occurrence of the normal behaviour data set, P2(ti) it is the row It is characterized probability of occurrence of the character string in the abnormal behaviour data set;
    Or
    P(A/t1,t2,...tn)=P (A/t1)*P(A/t2)*...P(A/tn)/{P(A/t1)*P(A/t2)*...P(A/tn)+[1- P(A/t1)]*[1-P(A/t2)]*...[1-P(A/tn)] wherein, P (A/t1,t2,...tn) it is from the current input behavior of user Characteristic obtains n behavioural characteristic character string t1,t2,...tnWhen, the user behavior exception probability.
  7. A kind of 7. user log-in authentication device, it is characterised in that including:
    Capture module, for while user inputs log-on message, the defeated of user to be caught according to default user behavior index Enter behavioural characteristic data;
    Characteristics analysis module, for judging whether the user behavior is abnormal according to the input behavior characteristic;
    Authentication module, when the user behavior exception, authentication is carried out to the user of the login, determined whether The register that legitimate user himself is carried out;
    Login authentication module, for when the user behavior is normal, being verified to the log-on message;When being validated user During the register that I is carried out, the log-on message is verified;
    Alarm module, for when not being the register of legitimate user himself's progress, sending and accusing to the legitimate user himself Alert information.
  8. 8. device according to claim 7, it is characterised in that the user behavior index includes:Input between character time Every, input the alphabet time, the button frequency and change number;The input behavior characteristic includes the input captured Character time interval, input alphabet time, the button frequency and the numerical value for changing number;
    The capture module includes:
    Detection sub-module, the behavior in input field and pushed button is positioned a cursor over for detecting user, user, which presses, " to step on Land " key carries out the behavior of data submission, and user presses the behavior of the button in addition to " logging in " key, and user presses rollback button Behavior;
    Timing submodule, for when detect that user positions a cursor in input field and push button, being determined as that user inputs Start, record input initial time and user key-press time;When detect user press " logging in " key carry out data submission, judge It is fully completed for user's input, record input terminates the time;
    Counting submodule, detect that user presses " logging in " key and carries out data submission for working as, the button frequency is entered as 1;The progress data submission of " logging in " key is pressed when being not detected by user, user often presses the once button in addition to " logging in " key, will The numerical value of the button frequency incrementally adds 1;When detecting that often by the button that once retracts, the numerical value for changing number is incrementally added user 1;
    Calculating sub module, the time calculating input alphabet time is terminated according to the input initial time and input;Root The input character time interval is calculated according to input alphabet time, the user key-press time and the button frequency.
  9. 9. device according to claim 7, it is characterised in that the characteristics analysis module includes:
    Data set generation submodule, for the abnormal behaviour of the user and the input behavior feature of normal behaviour for catching history Data generate abnormal behaviour data set and normal behaviour data set respectively, input behavior characteristic when user is inputted every time As a behavioural characteristic character string;
    Text string generation submodule, for obtaining one or more behaviors from capturing the current input behavior characteristic of user Feature string;
    Calculating sub module, for calculating behavioural characteristic character string going out in the normal behaviour data set and abnormal behaviour data set Existing probability, and according to the behavioural characteristic character string in the normal behaviour data set and the probability of occurrence of abnormal behaviour data set Calculate user behavior exception probability;
    Comparison sub-module, for by the user behavior exception probability compared with default probability threshold value, as the user When abnormal behavior probability exceedes the probability threshold value, judge the user for abnormal user.
  10. 10. device according to claim 9, it is characterised in that the calculating sub module, for calculating the normal behaviour The length of Hash table corresponding to data set and abnormal behaviour data set;The behavioural characteristic character string is counted in the normal behaviour The occurrence number of data set and abnormal behaviour data set;The behavioural characteristic character string is calculated in the normal behaviour data set Probability of occurrence is occurrence number divided by normal behaviour data set of the behavioural characteristic character string in the normal behaviour data set The length of corresponding Hash table;The probability of occurrence that the behavioural characteristic character string is calculated in the abnormal behaviour data set is described Hash table corresponding to occurrence number divided by abnormal behaviour data set of the behavioural characteristic character string in the abnormal behaviour data set Length.
  11. 11. device according to claim 9, it is characterised in that the calculating sub module, for calculating user behavior exception Probability is as follows:
    Wherein, A represents the event of active user's abnormal behavior, tiRepresent behavioural characteristic word Symbol string, P (A/ti) it is to obtain behavioural characteristic character string t from the current input behavior characteristic of useriWhen, the user behavior is different Normal probability, P1(ti) for the behavioural characteristic character string in the probability of occurrence of the normal behaviour data set, P2(ti) it is the row It is characterized probability of occurrence of the character string in the abnormal behaviour data set;
    Or
    P(A/t1,t2,...tn)=P (A/t1)*P(A/t2)*...P(A/tn)/{P(A/t1)*P(A/t2)*...P(A/tn)+[1- P(A/t1)]*[1-P(A/t2)]*...[1-P(A/tn)] wherein, P (A/t1,t2,...tn) it is from the current input behavior of user Characteristic obtains n behavioural characteristic character string t1,t2,...tnWhen, the user behavior exception probability.
CN201310295620.8A 2013-07-15 2013-07-15 User log-in authentication method and device Active CN104301286B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310295620.8A CN104301286B (en) 2013-07-15 2013-07-15 User log-in authentication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310295620.8A CN104301286B (en) 2013-07-15 2013-07-15 User log-in authentication method and device

Publications (2)

Publication Number Publication Date
CN104301286A CN104301286A (en) 2015-01-21
CN104301286B true CN104301286B (en) 2018-03-23

Family

ID=52320858

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310295620.8A Active CN104301286B (en) 2013-07-15 2013-07-15 User log-in authentication method and device

Country Status (1)

Country Link
CN (1) CN104301286B (en)

Families Citing this family (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980279A (en) * 2014-10-16 2015-10-14 腾讯科技(深圳)有限公司 Identity authentication method, and related equipment and system
CN106155298B (en) 2015-04-21 2019-11-08 阿里巴巴集团控股有限公司 The acquisition method and device of man-machine recognition methods and device, behavioural characteristic data
CN106453205B (en) * 2015-08-07 2019-12-10 阿里巴巴集团控股有限公司 identity verification method and device
CN106817342A (en) * 2015-11-30 2017-06-09 北京计算机技术及应用研究所 Active identity authorization system based on user behavior feature recognition
CN105306496B (en) * 2015-12-02 2020-04-14 中国科学院软件研究所 User identity detection method and system
CN106888090B (en) * 2015-12-16 2020-01-21 阿里巴巴集团控股有限公司 User verification method, device and system
CN106919816A (en) * 2015-12-24 2017-07-04 北京搜狗科技发展有限公司 A kind of user authen method and device, a kind of device for user authentication
CN105577692A (en) * 2016-02-03 2016-05-11 杭州朗和科技有限公司 Website login authentication method and device
RU2626337C1 (en) 2016-02-18 2017-07-26 Акционерное общество "Лаборатория Касперского" Method of detecting fraudulent activity on user device
CN106127400A (en) * 2016-06-29 2016-11-16 北京奇虎科技有限公司 Work behavior analyzes method and device
CN107786349B (en) * 2016-08-24 2021-06-25 腾讯科技(深圳)有限公司 Security management method and device for user account
CN106372470B (en) * 2016-08-30 2019-04-12 维沃移动通信有限公司 A kind of method and mobile terminal for reminding input password
CN106656978A (en) * 2016-10-19 2017-05-10 广东欧珀移动通信有限公司 Account login method and server
CN106650350B (en) * 2016-10-21 2020-02-07 中国银联股份有限公司 Identity authentication method and system
CN106878323A (en) * 2017-03-13 2017-06-20 山东浪潮云服务信息科技有限公司 A kind of identity identifying method, device and system
CN107104973A (en) * 2017-05-09 2017-08-29 北京潘达互娱科技有限公司 The method of calibration and device of user behavior
CN107330128B (en) * 2017-07-24 2020-12-08 上海众人网络安全技术有限公司 Authentication abnormity judgment method and device
CN108011863B (en) * 2017-08-23 2020-12-15 北京车和家信息技术有限责任公司 Method and device for identifying brute force cracking
CN107612922A (en) * 2017-09-30 2018-01-19 北京梆梆安全科技有限公司 User ID authentication method and device based on user operation habits and geographical position
CN107657156B (en) * 2017-09-30 2021-03-19 北京梆梆安全科技有限公司 User identity authentication method and device based on user operation habit and touch area
CN107623696B (en) * 2017-09-30 2020-11-24 北京梆梆安全科技有限公司 User identity verification method and device based on user behavior characteristics
CN107657157B (en) * 2017-09-30 2021-06-29 北京梆梆安全科技有限公司 Identity verification method and device based on input time interval
CN107632722A (en) * 2017-09-30 2018-01-26 北京梆梆安全科技有限公司 A kind of various dimensions user ID authentication method and device
CN108711013A (en) * 2018-05-24 2018-10-26 深圳市买买提信息科技有限公司 Abnormal behaviour determines method, apparatus, equipment and storage medium
CN112352408B (en) 2018-06-29 2022-07-22 华为云计算技术有限公司 Intruder detection method and device
CN108965291B (en) * 2018-07-11 2021-04-16 平安科技(深圳)有限公司 Registration login method and system of hybrid application program and computer equipment
CN109660453A (en) * 2019-01-24 2019-04-19 太仓红码软件技术有限公司 A kind of safety monitoring method and its system
CN109889507B (en) * 2019-01-24 2021-08-06 印象(山东)大数据有限公司 Monitoring method and system for monitoring mailbox operation safety
CN109873813B (en) * 2019-01-28 2022-01-14 平安科技(深圳)有限公司 Text input abnormity monitoring method and device, computer equipment and storage medium
CN110427971A (en) * 2019-07-05 2019-11-08 五八有限公司 Recognition methods, device, server and the storage medium of user and IP
CN110781487A (en) * 2019-09-27 2020-02-11 广西英腾教育科技股份有限公司 Safety auxiliary verification method, system, medium and equipment
CN111209551B (en) * 2020-01-15 2022-10-14 国网河北省电力有限公司信息通信分公司 Identity authentication method and device
CN111491300B (en) * 2020-03-11 2023-04-28 中移(杭州)信息技术有限公司 Risk detection method, apparatus, device and storage medium
CN111416809B (en) * 2020-03-13 2022-09-30 国网河北省电力有限公司信息通信分公司 Continuous authentication method and device based on keystroke recognition
CN111737668B (en) * 2020-08-18 2020-12-11 广东睿江云计算股份有限公司 Security authentication method and system based on user input behavior characteristics
CN112037818A (en) * 2020-08-30 2020-12-04 北京嘀嘀无限科技发展有限公司 Abnormal condition determining method and forward matching formula generating method
CN112699369A (en) * 2021-01-12 2021-04-23 安芯网盾(北京)科技有限公司 Method and device for detecting abnormal login through stack backtracking
CN113179281A (en) * 2021-05-26 2021-07-27 中国银行股份有限公司 Method, device, equipment and storage medium for determining database collision attack
CN113641971A (en) * 2021-08-20 2021-11-12 武汉极意网络科技有限公司 Exception handling system based on behavior verification

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1957355A (en) * 2004-04-01 2007-05-02 道夫·雅各布森 Mouse performance identification
CN101159715A (en) * 2007-11-16 2008-04-09 腾讯科技(深圳)有限公司 Safety information checking method and safety information checking device and client terminal
CN101557287A (en) * 2008-04-07 2009-10-14 冀连有 Method for identity identification according to characteristics of user keystroke
CN101674184A (en) * 2009-10-19 2010-03-17 北京微通新成网络科技有限公司 Identity recognition method based on user keystroke characteristic
CN101833619A (en) * 2010-04-29 2010-09-15 西安交通大学 Method for judging identity based on keyboard-mouse crossed certification
CN102509044A (en) * 2011-10-17 2012-06-20 镇江金钛软件有限公司 Mouse behavior characteristic-based password authentication method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0201232D0 (en) * 2002-01-19 2002-03-06 Queen Mary & Westfield College Authentication systems

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1957355A (en) * 2004-04-01 2007-05-02 道夫·雅各布森 Mouse performance identification
CN101159715A (en) * 2007-11-16 2008-04-09 腾讯科技(深圳)有限公司 Safety information checking method and safety information checking device and client terminal
CN101557287A (en) * 2008-04-07 2009-10-14 冀连有 Method for identity identification according to characteristics of user keystroke
CN101674184A (en) * 2009-10-19 2010-03-17 北京微通新成网络科技有限公司 Identity recognition method based on user keystroke characteristic
CN101833619A (en) * 2010-04-29 2010-09-15 西安交通大学 Method for judging identity based on keyboard-mouse crossed certification
CN102509044A (en) * 2011-10-17 2012-06-20 镇江金钛软件有限公司 Mouse behavior characteristic-based password authentication method

Also Published As

Publication number Publication date
CN104301286A (en) 2015-01-21

Similar Documents

Publication Publication Date Title
CN104301286B (en) User log-in authentication method and device
US20200036724A1 (en) System and Method for Validating Users Using Social Network Information
EP2069993B1 (en) Security system and method for detecting intrusion in a computerized system
US8843754B2 (en) Continuous user identification and situation analysis with identification of anonymous users through behaviormetrics
Traore et al. Combining mouse and keystroke dynamics biometrics for risk-based authentication in web environments
CN101730904B (en) Correlation and analysis of entity attributes
US9124431B2 (en) Evidence-based dynamic scoring to limit guesses in knowledge-based authentication
US10911437B2 (en) Detection of anomalous authentication attempts in a client-server architecture
CA3100378A1 (en) System and method for unauthorized activity detection
CN106650799A (en) Electronic evidence classification extraction method and system
KR101990454B1 (en) Method and apparatus for user authentication using keystroke pattern data
CN109936556B (en) Monitoring method and device for account stealing event
CN110602021A (en) Safety risk value evaluation method based on combination of HTTP request behavior and business process
US10958673B1 (en) Multi-factor authentication augmented workflow
CN109711173A (en) A kind of password file leakage detection method
US10897479B1 (en) Systems and methods for machine-learning based digital threat assessment with integrated activity verification
US9754209B1 (en) Managing knowledge-based authentication systems
CN116957049B (en) Unsupervised internal threat detection method based on countermeasure self-encoder
EP3550789A1 (en) Method for protecting web applications by automatically generating application models
Stanić Continuous user verification based on behavioral biometrics using mouse dynamics
KR101576993B1 (en) Method and System for preventing Login ID theft using captcha
CN116015677A (en) Network safety protection method and device based on key dynamics characteristics
US10255558B1 (en) Managing knowledge-based authentication systems
CN112272195B (en) Dynamic detection authentication system and method thereof
Nokovic et al. API security risk assessment based on dynamic ML models

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant