CN104809377A - Method for monitoring network user identity based on webpage input behavior characteristics - Google Patents
Method for monitoring network user identity based on webpage input behavior characteristics Download PDFInfo
- Publication number
- CN104809377A CN104809377A CN201510214216.2A CN201510214216A CN104809377A CN 104809377 A CN104809377 A CN 104809377A CN 201510214216 A CN201510214216 A CN 201510214216A CN 104809377 A CN104809377 A CN 104809377A
- Authority
- CN
- China
- Prior art keywords
- fractile
- mouse
- key
- proper vector
- keystroke
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- User Interface Of Digital Computer (AREA)
- Input From Keyboards Or The Like (AREA)
- Debugging And Monitoring (AREA)
- Digital Computer Display Output (AREA)
Abstract
The invention discloses a method for monitoring a network user identity based on webpage input behavior characteristics. The method comprises the following steps: recording mouse motion and keystroke operation when a network user performs webpage interaction in an undisturbed mode; performing operation segmentation based on input attributes; extracting input behavior characteristics which are in accordance with a network interaction mode; establishing an identity recognition model under each operation type; realizing real-time monitoring of the network user identity based on an observation window and threshold value comparison. The method has the advantages that input operations under a webpage interaction scene are frequent, and a unique and only operation mode is easy to form due to factors of different physiological characteristics, different behavioral habits and the like of different users; the identity model of each keystroke and mouse operation is established, so that the behavior characteristics of the users can be reflected better, and the identity monitoring fault tolerance is improved; compared with a conventional single-time authentication method, the webpage input operation runs through the whole user webpage interaction process, the real-time identity tracing and monitoring can be realized in the undisturbed mode, and the applicability is relatively extensive.
Description
Technical field
The present invention relates to network safety guard technology, particularly the identity method for supervising of a kind of network user in Web page system reciprocal process.
Background technology
Along with internet finance, online education, developing rapidly of the fields such as ecommerce, each network application system has become increasing people's daily life inalienable part.But the thing followed increasing Internet bank account is invaded, the Email Information network system such as to be stolen is impelled network information security protection question to be subject to people's attention gradually by the event of attacking.
Existing based on belongings (as ID (identity number) card), knowledge based (as password), all only verify identity legitimacy in some specific moment (during as system login) based on the auth method of traditional biological feature (as fingerprint and iris), be difficult to the inspection identity legitimacy of user being carried out to continuation in webpage reciprocal process, and there is security not high (easily leak as password and mix up) or need extra hardware to set limitations such as (as fingerprint and irises).But time mutual by analyzing web page, the input operation of mouse and keyboard also realizes the shortcoming that can be good at making up above-mentioned verification mode to the Real-Time Monitoring of network user identity legitimacy based on this, thus effectively protects property and the personal secrets of netizen.Network user identity monitor mode based on webpage input behavior has its significant advantage: 1) under webpage interaction scenarios, input operation is frequent, different user, because of factors such as different physilogical characteristics, behavioural habits or job specification, easily forms unique and unique operator scheme; 2) the input operation behavior that produces when webpage is mutual of user is without the need to carrying and remembering, and is difficult to hide and forge, and detects according to obtaining from webpage input operation, does not need extra hardware device; 3) in user and the mutual process of Web page system, complete data capture and identity detects, without the need to the cooperation that user is extra, the initiatively monitoring of non-offensive identity can be realized, there is security widely and applicability.
Summary of the invention
The object of this invention is to provide a kind of method verifying network user identity sustainably, the mouse input operation particularly utilizing user to produce in Web page system reciprocal process and Key stroke operating characteristics detect the method for operator's identity legitimacy in real time.
For reaching above object, the present invention takes following technical scheme to realize:
A kind of network user identity method for supervising based on webpage input behavior feature, described webpage input behavior is the mouse action behavior of user in webpage and keystroke operation behavior, it is characterized in that, comprise network user identity model of cognition and build and network user identity continuous surveillance two large divisions:
Wherein, network user identity model of cognition builds and comprises the steps:
(1) normally logining Web page system at validated user carries out in the process of interactive operation, gathers and the mouse action data that input on web interface of recording user and keystroke operation data, forms the raw data set of user's mouse, keystroke behavior;
(2) division of operation behavior: for mouse action, according to mouse pointer slip starting point and terminal line and forward horizontal sextant angle θ, the mouse action that raw data is concentrated is sorted out, wherein, θ is from-22.5 °, every 45 ° of orders are divided into I ~ VIII class, eight kinds of mouse action modes counterclockwise, form I ~ VIII class mouse mobile behavior training dataset; For keystroke operation, using newline " TAB " key and mouse event as the end mark of keystroke operation, dividing keystroke operation is the character string that multiple length does not wait;
(3) extraction of operation behavior proper vector: for different mouse action mode, extract proper vector and calculate proper vector template, the mouse action proper vector of proper vector template and extraction is carried out similarity measurement, obtains the distance feature vector of each mouse action; Form the training characteristics set under often kind of mouse action mode; For keystroke operation: 1. character and character precedence relationship contained by each character string, extracts the proper vector of corresponding button; 2. for each singly-bound and Macintosh, calculate keystroke operation proper vector template, wherein, Macintosh be two singly-bounds priority key between relation; 3. the proper vector of this proper vector template and each keystroke operation is carried out similarity measurement, form the Behavioral training characteristic set comprising each singly-bound and Macintosh feature;
(4) be positive class by the key mouse training characteristics aggregated label of validated user, adopt one-class classifier to build the identity model of validated user to often kind of mouse action mode and each keystroke operation, and obtain the judging identity threshold value of various mouse action mode and validated user corresponding to each keystroke operation; Accordingly, validated user identity model comprises at least eight identity submodels;
Network user identity continuous surveillance comprises the steps:
(1) after user logins Web page system, webpage is that the observation window of N starts to catch user's mouse action and keystroke operation behavior with length, and described observation window is that the user's webpage input operand comprising the N number of operation altogether of mouse and keystroke that collects is according to block;
(2) for mouse action, sort out it according to moving direction, extract mouse action proper vector, the proper vector template of the respective operations pattern obtained when building with identity model is carried out distance and is compared, and obtains the distance feature vector of mouse action; For keystroke operation, according to the relation between each key assignments and key that it comprises, extract keystroke operation proper vector, comprising the feature database of each singly-bound and Macintosh of simultaneously obtaining when identity model builds is extracted, combination characteristic of correspondence vector template, carry out distance metric, obtain the distance feature vector of keystroke operation;
(3) for each mouse action in webpage input operation data block and keystroke operation, using the vectorial input as the identity submodel of this operation correspondence of distance feature obtained, obtain the detected value of each operation, and the decision threshold of this detected value with corresponding identity submodel is compared, judge the abnormality of each operation;
(4) current user identities legitimacy is judged: if monitor M abnormal operation continuously in N behavior operation, then judge that active user is as disabled user; Otherwise then judge that active user is as validated user, wherein, M is less than or equal to N.
In said method, the data layout of described mouse action is: { mouse state, mouse position, time }; Wherein, mouse state refer to mouse button is pressed, mouse button release, mouse move the label information of three kinds of states; The data layout of described keystroke operation, represents that the singly-bound data layout of single key assignments is: { key value, time }; Represent that the Macintosh data layout of relation between key is: { last key value, this key value, time }.
The concrete steps that described operation behavior divides are:
For mouse action,
1) extract a mouse and move the starting point event of operation and the mouse position coordinate of endpoints, wherein the form of each position coordinates is { horizontal coordinate X, vertical coordinate Y};
2) calculating the angle theta of mobile operation starting point and terminal line and horizontal direction, is I class mouse action mode when θ is at-22.5 ° ~ 22.5 °; Be II class mouse action mode when θ is at 22.5 ° ~ 67.5 °; Be III class mouse action mode when θ is at 67.5 ° ~ 112.5 °; Be IV class mouse action mode when θ is at 112.5 ° ~ 157.5 °; Be V class mouse action mode when θ is 157.5 ° ~ 180 ° or-180 ° ~-157.5 °; Be VI class mouse action mode when θ is at-157.5 ° ~-112.5 °; Be VII class mouse action mode when θ is at-112.5 ° ~-67.5 °; Be VIII class mouse action mode when θ is at-67.5 ° ~-22.5 °;
For keystroke operation,
1) for the operation of current typing character, using " TAB " key and mouse event as the end mark of this keystroke operation, realize the division to keystroke operation, determine the character string keyed in;
2) extract the behavioural characteristic of relation between each key assignments and each key in character string one by one, be deposited in network user identity model of cognition builds comprise relationship characteristic between all key assignments, key singly-bound, in Macintosh Behavioral training feature database; In network user identity continuous surveillance, these behavioural characteristics are formed proper vector to be measured, and in training characteristics storehouse, search for, mate, be combined into the training feature vector template of correspondence, wherein, the feature of each singly-bound is key time durations, and the feature of each Macintosh is transfer time between key.
A series of behavior measure amounts that the space-time geometric locus produced when the proper vector of described mouse action refers to and moved in system webpage by mouse derives, comprise Integral Characteristic and processing statistic, specific as follows:
Integral Characteristic comprises:
Mouse moves X-coordinate, the Y-coordinate of starting point;
Mouse moves X-coordinate, the Y-coordinate of terminal;
The course length of mouse movement and the ratio of displacement;
The duration of mouse movement;
Processing statistic comprises:
Mouse moves 30% fractile, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile of X-direction speed;
Mouse moves 30% fractile, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile of Y-direction speed;
Mouse moves 30% fractile, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile of X-direction acceleration;
Mouse moves 30% fractile, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile of Y-direction acceleration;
30% fractile of mouse motion track angle, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile.
The singly-bound of described keystroke operation, Macintosh proper vector refer to a series of behavior measure amounts derived by relation between each key assignments of typing character string and priority key, and specific features is as follows:
Singly-bound: the duration average of each button, standard deviation;
Macintosh: average transfer time between each adjacent key, standard deviation.
The calculating proper vector template of described mouse action refers to and moves in training data at the mouse of often kind of mouse mode, other moves the distance of operating characteristics vector in training data to adopt mahalanobis distance to calculate each mobile proper vector operated, form distance vector, the minimum proper vector of chosen distance vector mould is as the proper vector template of this operator scheme.
The calculating proper vector template of described keystroke operation refers to for each keystroke operation behavior, comprise in the singly-bound of relation between each key assignments, key in its typing character string, Macintosh Behavioral training database, Euclidean distance is adopted to calculate the distance of proper vector other character pair vector in training data of each singly-bound, Macintosh, form distance vector, the minimum proper vector of chosen distance vector mould as proper vector template, and is recorded in the Behavioral training feature database comprising each singly-bound, Macintosh feature.
The advantage of the inventive method is: under webpage interaction scenarios, input operation is frequent, and different user, because of factors such as different physilogical characteristics, behavioural habits or job specification, easily forms unique and unique operator scheme; Set up identification submodel for often kind of keystroke operation and mouse move operation, and merge judgement identity based on observation window, the behavioral trait of user can better be embodied, the fault-tolerance that raising authentication and identity are monitored; Compared to traditional cipher authentication method, webpage input operation runs through user and carries out the mutual whole process of webpage, can realize glitch-free real time identity tracking and monitoring, have security widely and applicability.
Accompanying drawing explanation
Below in conjunction with the drawings and the specific embodiments, the present invention is described in further detail.
Fig. 1 is the overall procedure schematic diagram of the inventive method.
Fig. 2 is the idiographic flow schematic diagram that the data in the mouse of Fig. 1 and keystroke operation division unit are sorted out.
Fig. 3 is the schematic flow sheet that the distance feature vector in the mouse of Fig. 1 and keystroke behavioural characteristic extraction unit generates.
Fig. 4 is the mouse of Fig. 1 and the schematic flow sheet of the sub-identity model construction unit of keystroke.
Fig. 5 is the experimental result picture adopting the inventive method to obtain.
Embodiment
See Fig. 1, the present invention is based on the network user identity method for supervising of webpage input behavior feature, comprise user identity model construction and operator's identity continuous surveillance two parts.The present invention can be used for the Real-Time Monitoring of the network system person of the logining identity legitimacy such as e-banking system, e-mail system, e-commerce system, realizes the security protection to legal user profile, property.Concrete implementation step is as follows:
1, user identity model construction part comprises the steps:
(1) normally logining Web page system user carries out in the process of interactive operation, gather and the mouse Mobile data that inputs on web interface of recording user and keystroke operation data, formed identity model build needed for mouse mobile behavior and keystroke Behavioral training data set; The form that mouse moves service data is: { mouse state, mouse position, time }, wherein, mouse state refer to mouse button is pressed, mouse button release, mouse move the label information of three kinds of states.
For the form of keystroke behavior service data, represent that its data layout of singly-bound of single key assignments is: { key value, time }, represent that its data layout of Macintosh of relation between key is: { last key value, this key value, time }.
(2) see Fig. 2, for mouse action, according to the difference of mouse moving direction, operation is moved to the mouse that training data is concentrated and sort out; For keystroke operation, according to TAB key and mouse event, the keystroke operation that training data is concentrated is sorted out, is specially:
For mouse action,
The first step, concentrates the starting point event of an extraction mouse movement and the cursor position coordinate of endpoints from training data, and wherein the form of each position coordinates is { horizontal coordinate X, vertical coordinate Y};
Second step, calculates the angle theta that mouse moves starting point and terminal line and horizontal direction, if θ is greater than-22.5 ° be less than or equal to 22.5 °, then mobile operation is classified as I class; If θ is greater than 22.5 ° and is less than or equal to 67.5 °, then mobile operation is classified as II class; If θ is greater than 67.5 ° and is less than or equal to 112.5 °, then mobile operation is classified as III class; If θ is greater than 112.5 ° and is less than or equal to 157.5 °, then mobile operation is classified as IV class; If θ is greater than 157.5 ° and is less than or equal to 180 ° or be greater than-180 ° and be less than or equal to-157.5 °, then mobile operation is classified as V class; If θ is greater than-157.5 ° and is less than or equal to-112.5 °, then mobile operation is classified as VI class; If θ is greater than-112.5 ° and is less than or equal to-67.5 °, then mobile operation is classified as VII class; If θ is greater than-67.5 ° and is less than or equal to-22.5 °, then mobile operation is classified as VIII class; If mobile operation starting point and terminal are at same position, then ignore this operation;
3rd step, form the mouse mobile behavior training dataset under different operation modes, mouse action mode comprises: I class mouse moves, II class mouse moves, III class mouse moves, IV class mouse moves, V class mouse moves, VI class mouse moves, VII class mouse moves and moves with VIII class mouse.
For keystroke operation,
The first step, for the operation of current typing character, using " TAB " key and mouse event as the end mark of this keystroke operation, realizes the division to keystroke operation according to this, determines the character string keyed in;
Second step, to extract in character string relation between each key assignments and each key one by one, be deposited into comprise relation between all key assignments, key singly-bound, in Macintosh Behavioral training database.Wherein, the feature of each singly-bound is key time durations, and the feature of each Macintosh is transfer time between key.
(3) see Fig. 3, move for the mouse under keystroke operation and often kind of operator scheme, extract proper vector and selected characteristic vector template, obtain the distance feature vector of each key mouse operation, be specially:
For mouse action,
The first step, the mouse action of training dataset is moved for the mouse under often kind of operator scheme, extract mouse mobile behavior proper vector, be specially mouse and move a series of behavior measure amounts that the space-time geometric locus that produces over the display derives, comprise Integral Characteristic and processing statistic two class.Wherein, Integral Characteristic is the whole description to once mobile operation, comprises mouse and moves the X-coordinate of starting point and Y-coordinate, mouse and move the X-coordinate of terminal and Y-coordinate, the course length of mouse movement and the ratio of displacement, the duration of mouse movement; Processing statistic describes the fine granularity once moving operating process, its computing method are the feature vector sequences first calculating description, comprise velocity series, acceleration sequence, angle sequence, then descriptive statistics amount is calculated as processing statistic to each feature vector sequence; The descriptive statistics amount used is mainly 30% fractile, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile;
Second step, the proper vector adopting each mouse of horse formula distance calculating to move operation moves the distance of operating characteristics vector to other mouse in the training data under respective operations pattern, obtain the distance vector that dimension is (S-1), wherein S represents the number of proper vector in training set.
3rd step, calculates the mould of each distance vector, and the proper vector selecting modulus value minimum is as proper vector template;
4th step, calculates the difference value vector of the proper vector template in the proper vector of each operation and respective operations pattern, as the distance feature vector of this operation, then forms mouse mobile behavior training characteristics set under each operator scheme;
For keystroke operation,
The first step, for each keystroke operation that the keystroke operation training data of cutting is concentrated, extract the proper vector of all singly-bounds and the Macintosh wherein contained, be specially a series of behavior measure amounts derived by relation between each key assignments of typing character string and priority key, comprise the large class of feature two of the multiple Macintosh of characteristic sum of multiple singly-bound.Wherein, singly-bound feature is the description to button behavior each time, comprises a, b ... the character keys such as y, z, 0,1 ... 8, the numerical keys such as 9 and., the average of the key time durations of other keys such as #... and standard deviation.Macintosh feature is the description to every two button behavior precedence relationships, comprises aa, ab ... ay, az, a0, a1 ... a8, a9, a, a., a#...ba, bb ... by, bz, b0, b1 ... the average of transfer time and standard deviation between the key in all key combination situations such as b8, b9, b, b., b#....;
Second step, Euclidean distance is adopted to calculate the distance of proper vector to its proper vector in the training data under correspondence set of whole singly-bound contained in each keystroke operation and Macintosh, obtain the distance vector that dimension is (S-1), wherein S represents the number of proper vector in training set.
3rd step, calculates the mould of each distance vector, and the proper vector selecting modulus value minimum is as proper vector template;
4th step, calculates the difference value vector of the proper vector template in the proper vector of each singly-bound and Macintosh and corresponding storehouse, as the distance feature vector of this singly-bound or Macintosh situation, is then formed and their each self-corresponding training characteristics set;
(4) see Fig. 4, be positive class by the training characteristics aggregated label of validated user, one-class classifier is adopted often kind of mouse Move Mode (I ~ VIII class Move Mode) to be built to the identity submodel of validated user, adopt one-class classifier to build its respective validated user identity submodel to all singly-bounds and Macintosh, and obtain the judging identity threshold value of each identity submodel of validated user.
2, operator's identity continuous surveillance part, comprises the steps:
(1) logining network user enters the Web page in capable mutual process, catch the mouse of active user, keystroke operation, with length be the observation window of N formed comprise user's mouse move with the input operation data block of keystroke behavior (comprise in data block key do or mouse action altogether N number of);
(2) operation is moved for each mouse in service data block, according to moving direction, it is sorted out, extract proper vector, the proper vector template of the respective operations pattern obtained when building with identity model carries out distance metric, obtains the distance feature vector of this mouse action.For each keystroke operation in service data block, after dividing according to the method for aforementioned user identity model construction part steps 2, extract each singly-bound and become a complete characterization vector describing this keystroke operation with the combination of eigenvectors of Macintosh.The same proper vector searching out all identical singly-bounds and Macintosh in training characteristics storehouse, is combined into the proper vector template corresponding with this keystroke operation.Carry out distance metric, obtain the distance feature vector of this keystroke operation.
(3) move and keystroke operation for each mouse, using vectorial for its distance feature input as corresponding sub-identity model (such as, if mouse action is classified as II class and moves, then corresponding identity submodel is mouse II class mobility model), obtain the detected value of this operation;
(4) for each operation in key mouse operating block, its detected value is compared from the decision threshold ε (numerical value of ε is different according to model) of corresponding identity submodel, if detected value is greater than threshold value, then judges that this is operating as abnormal operation; If detected value is less than threshold value, then judge that this is operating as normal running;
(5) continuous surveillance of current user identities legitimacy: if monitor M abnormal operation continuously in N key mouse operation, wherein, M is less than or equal to N, then judge that active user is as disabled user; Otherwise then judge that active user is as validated user, wherein M is alarm threshold value, can by user's sets itself.
The present invention is with the user identity continuous surveillance of self-built simulation Internet bank system for embodiment has carried out experimental verification, and concrete steps are as follows:
The first step, the generation of training data.Requirement of experiment 14 users adhere to logining analog network banking system several weeks under hardware environment different from each other, complete the function of transfer accounts remittance, the inquiry into balance of simulation, gather and record the keystroke behavior of these users in system on web interface and mouse behavioral data, then according to keystroke, mouse behavior division rule, these data are sorted out, obtain the training data of keystroke, mouse different operation modes.
Second step, generates distance feature vector.For each user, extract the proper vector under often kind of operator scheme and proper vector template, then generate the training characteristics database of mouse movement under all singly-bounds, Macintosh and often kind of operator scheme.
3rd step, user identity model construction.For each user, be positive class by the training characteristics data markers of this user, nearest-neighbors method (mahalanobis distance) is adopted to move to often kind of mouse the identity model that operator scheme builds validated user, adopt Outlier-counting method to build the sub-identity model of validated user to each keystroke operation, and utilize training characteristics data to learn model.
4th step, the generation of test data.For each user, after the certain number of times of its login system, the key mouse behaviour behavioral data produced can not be taken as training data, but record as follow-up test data.
5th step, the continuous surveillance of user identity legitimacy.Select a certain user as validated user, be that the observation window of N is formed and comprises the input operation data block of keystroke and mouse movement with length, for wherein each test sample book, generation distance feature vector, finds the sub-identity model of its respective operations in validated user identity model, by this model of distance feature vector input, obtain the detected value to each test sample book, detected value is compared with threshold epsilon, if detected value is less than threshold epsilon, then judges that this is operating as abnormal operation; Otherwise, then judge that this is operating as normal running; If monitor continuously in the operation of N time more than M abnormal operation (M is less than N), then judge that active user is as disabled user.
6th step, selects remaining users successively as validated user, repeats the process of above-mentioned 5th step, obtain the continuous surveillance result of all users.
For all users, test the inventive method carries out the accuracy of continuous surveillance in analog network banking system to user identity.Fig. 5 be the embodiment of the present invention in simulation system identity continuous surveillance etc. error rate (equal-error rate) result, the vertical line in figure on each point illustrates the variance in the inferior error rate of this observed length.
As can be seen from the experimental result of Fig. 5, the monitoring that the present invention can continue the identity of current network user accurately and quickly and detection.When the size of observation window is 3 (every 3 operations are carried out identity legitimacy and detected), identity continuous surveillance etc. error rate be 3.68%; When the size of observation window is 5 (every 5 operations are carried out identity legitimacy and detected), identity continuous surveillance etc. error rate be 0.85%.This result verification feasibility of the present invention and validity, show that the inventive method can be used as a kind of network user identity safety protection technique efficiently.
Claims (7)
1. based on a network user identity method for supervising for webpage input behavior feature, it is characterized in that, comprise network user identity model of cognition and build and network user identity continuous surveillance two large divisions:
Wherein, the first step, network user identity model of cognition builds and comprises the steps:
(1) normally logining Web page system at validated user carries out in the process of interactive operation, gathers and the mouse action data that input on web interface of recording user and keystroke operation data, forms the raw data set of user's mouse, keystroke behavior;
(2) division of operation behavior: for mouse action, according to mouse pointer slip starting point and terminal line and forward horizontal sextant angle θ, the mouse action that raw data is concentrated is sorted out, wherein, θ is from-22.5 °, every 45 ° of orders are divided into I ~ VIII class, eight kinds of mouse action modes counterclockwise, form I ~ VIII class mouse mobile behavior training dataset; For keystroke operation, using newline " TAB " key and mouse event as the end mark of keystroke operation, dividing keystroke operation is the character string that multiple length does not wait;
(3) extraction of operation behavior proper vector: for different mouse action mode, extract proper vector and calculate proper vector template, the mouse action proper vector of proper vector template and extraction is carried out similarity measurement, obtains the distance feature vector of each mouse action; Form the training characteristics set under often kind of mouse action mode; For keystroke operation: 1. character and character precedence relationship contained by each character string, extracts the proper vector of corresponding button; 2. for each singly-bound and Macintosh, calculate keystroke operation proper vector template, wherein, described Macintosh be two singly-bounds priority key between relation; 3. the proper vector of this proper vector template and each keystroke operation is carried out similarity measurement, form the Behavioral training characteristic set comprising each singly-bound and Macintosh feature;
(4) be positive class by the key mouse training characteristics aggregated label of validated user, adopt one-class classifier to build the identity model of validated user to often kind of mouse action mode and each keystroke operation, and obtain the judging identity threshold value of various mouse action mode and validated user corresponding to each keystroke operation; Accordingly, validated user identity model comprises at least eight identity submodels;
Second step, network user identity continuous surveillance comprises the steps:
(1) after user logins Web page system, webpage is that the observation window of N starts to catch user's mouse action and keystroke operation behavior with length, and described observation window is that the user's webpage input operand comprising the N number of operation altogether of mouse and keystroke that collects is according to block;
(2) for mouse action, sort out it according to moving direction, extract mouse action proper vector, the proper vector template of the respective operations pattern obtained when building with identity model is carried out distance and is compared, and obtains the distance feature vector of mouse action; For keystroke operation, according to the relation between each key assignments and key that it comprises, extract keystroke operation proper vector, comprising the feature database of each singly-bound and Macintosh of simultaneously obtaining when identity model builds is extracted, combination characteristic of correspondence vector template, carry out distance metric, obtain the distance feature vector of keystroke operation;
(3) for each mouse action in webpage input operation data block and keystroke operation, using the vectorial input as the identity submodel of this operation correspondence of distance feature obtained, obtain the detected value of each operation, and the decision threshold of this detected value with corresponding identity submodel is compared, judge the abnormality of each operation;
(4) current user identities legitimacy is judged: if monitor M abnormal operation continuously in N behavior operation, then judge that active user is as disabled user; Otherwise then judge that active user is as validated user, wherein, M is less than or equal to N.
2., as claimed in claim 1 based on the network user identity method for supervising of webpage input behavior feature, it is characterized in that, the data layout of described mouse action is: { mouse state, mouse position, time }; Wherein, mouse state refer to mouse button is pressed, mouse button release, mouse move the label information of three kinds of states; The data layout of described keystroke operation, represents that the singly-bound data layout of single key assignments is: { key value, time }; Represent that the Macintosh data layout of relation between key is: { last key value, this key value, time }.
3. as claimed in claim 1 based on the network user identity method for supervising of webpage input behavior feature, it is characterized in that, the concrete steps that described operation behavior divides are:
For mouse action,
1) extract a mouse and move the starting point event of operation and the mouse position coordinate of endpoints, wherein the form of each position coordinates is { horizontal coordinate X, vertical coordinate Y};
2) calculating the angle theta of mobile operation starting point and terminal line and horizontal direction, is I class mouse action mode when θ is at-22.5 ° ~ 22.5 °; Be II class mouse action mode when θ is at 22.5 ° ~ 67.5 °; Be III class mouse action mode when θ is at 67.5 ° ~ 112.5 °; Be IV class mouse action mode when θ is at 112.5 ° ~ 157.5 °; Be V class mouse action mode when θ is 157.5 ° ~ 180 ° or-180 ° ~-157.5 °; Be VI class mouse action mode when θ is at-157.5 ° ~-112.5 °; Be VII class mouse action mode when θ is at-112.5 ° ~-67.5 °; Be VIII class mouse action mode when θ is at-67.5 ° ~-22.5 °;
For keystroke operation,
1) for the operation of current typing character, using " TAB " key and mouse event as the end mark of this keystroke operation, realize the division to keystroke operation, determine the character string keyed in;
2) extract the behavioural characteristic of relation between each key assignments and each key in character string one by one, be deposited in network user identity model of cognition builds comprise relationship characteristic between all key assignments, key singly-bound, in Macintosh Behavioral training feature database; In network user identity continuous surveillance, these behavioural characteristics are formed proper vector to be measured, and in training characteristics storehouse, search for, mate, be combined into the training feature vector template of correspondence, wherein, the feature of each singly-bound is key time durations, and the feature of each Macintosh is transfer time between key.
4. as claimed in claim 1 based on the network user identity method for supervising of webpage input behavior feature, it is characterized in that, a series of behavior measure amounts that the space-time geometric locus produced when the proper vector of described mouse action refers to and moved in system webpage by mouse derives, comprise Integral Characteristic and processing statistic, specific as follows:
Integral Characteristic comprises:
Mouse moves X-coordinate, the Y-coordinate of starting point;
Mouse moves X-coordinate, the Y-coordinate of terminal;
The course length of mouse movement and the ratio of displacement;
The duration of mouse movement;
Processing statistic comprises:
Mouse moves 30% fractile, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile of X-direction speed;
Mouse moves 30% fractile, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile of Y-direction speed;
Mouse moves 30% fractile, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile of X-direction acceleration;
Mouse moves 30% fractile, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile of Y-direction acceleration;
30% fractile of mouse move angle, 35% fractile, 40% fractile, 45% fractile, 50% fractile, 55% fractile, 60% fractile, 65% fractile, 70% fractile.
5. as claimed in claim 1 based on the network user identity method for supervising of webpage input behavior feature, it is characterized in that, the singly-bound of described keystroke operation, Macintosh proper vector refer to a series of behavior measure amounts derived by relation between each key assignments of typing character string and priority key, and specific features is as follows:
Singly-bound: the duration average of each button, standard deviation;
Macintosh: average transfer time between each adjacent key, standard deviation.
6. as claimed in claim 1 based on the network user identity method for supervising of webpage input behavior feature, the calculating proper vector template of described mouse action refers to and moves in training data at the mouse of often kind of mouse mode, other moves the distance of operating characteristics vector in training data to adopt mahalanobis distance to calculate each mobile proper vector operated, form distance vector, the minimum proper vector of chosen distance vector mould is as the proper vector template of this operator scheme.
7. as claimed in claim 1 based on the network user identity method for supervising of webpage input behavior feature, the calculating proper vector template of described keystroke operation refers to for each keystroke operation behavior, comprise each key assignments in its typing character string, the singly-bound of relation between key, in Macintosh Behavioral training database, Euclidean distance is adopted to calculate each singly-bound, the distance of proper vector other character pair vector in training data of Macintosh, form distance vector, the minimum proper vector of chosen distance vector mould is as proper vector template, and be recorded in and comprise each singly-bound, in the Behavioral training feature database of Macintosh feature.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510214216.2A CN104809377B (en) | 2015-04-29 | 2015-04-29 | Network user identity monitoring method based on webpage input behavior feature |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510214216.2A CN104809377B (en) | 2015-04-29 | 2015-04-29 | Network user identity monitoring method based on webpage input behavior feature |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104809377A true CN104809377A (en) | 2015-07-29 |
| CN104809377B CN104809377B (en) | 2018-01-05 |
Family
ID=53694193
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510214216.2A Active CN104809377B (en) | 2015-04-29 | 2015-04-29 | Network user identity monitoring method based on webpage input behavior feature |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104809377B (en) |
Cited By (22)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105429937A (en) * | 2015-10-22 | 2016-03-23 | 同济大学 | Identity authentication method and system based on keystroke behaviors |
| CN105933267A (en) * | 2015-08-21 | 2016-09-07 | 中国银联股份有限公司 | Identity authentication method and device |
| CN106039711A (en) * | 2016-05-17 | 2016-10-26 | 网易(杭州)网络有限公司 | User identity authentication method and device |
| CN106911668A (en) * | 2017-01-10 | 2017-06-30 | 同济大学 | A kind of identity identifying method and system based on personal behavior model |
| CN107093076A (en) * | 2016-02-18 | 2017-08-25 | 卡巴斯基实验室股份制公司 | The system and method for detecting fraudulent user transaction |
| CN107124395A (en) * | 2017-03-16 | 2017-09-01 | 华北电力大学 | It is a kind of based on the user identity identification system of the keystroke rhythm and its recognition methods |
| CN107194213A (en) * | 2016-03-14 | 2017-09-22 | 阿里巴巴集团控股有限公司 | A kind of personal identification method and device |
| CN107230084A (en) * | 2017-05-03 | 2017-10-03 | 同济大学 | A kind of user behavior authentication method and system based on big data |
| CN107368718A (en) * | 2017-07-06 | 2017-11-21 | 同济大学 | A kind of user browsing behavior authentication method and system |
| CN107623715A (en) * | 2017-08-08 | 2018-01-23 | 阿里巴巴集团控股有限公司 | A kind of identity information acquisition methods and device |
| CN108200450A (en) * | 2018-01-12 | 2018-06-22 | 武汉斗鱼网络科技有限公司 | A kind of determining method, apparatus, electronic equipment and medium for paying close attention to legitimacy |
| CN108229567A (en) * | 2018-01-09 | 2018-06-29 | 北京荣之联科技股份有限公司 | Driver identity recognition methods and device |
| CN109063431A (en) * | 2018-06-21 | 2018-12-21 | 西安理工大学 | Weight the method for identifying ID of keystroke characteristic curve diversity factor |
| CN109446780A (en) * | 2018-11-01 | 2019-03-08 | 北京知道创宇信息技术有限公司 | A kind of identity identifying method, device and its storage medium |
| CN110287664A (en) * | 2019-07-01 | 2019-09-27 | 贵州大学 | A kind of identity identifying method being characterized selection based on multirow |
| CN111124860A (en) * | 2019-12-16 | 2020-05-08 | 电子科技大学 | Method for identifying user by using keyboard and mouse data in uncontrollable environment |
| CN111209552A (en) * | 2020-04-20 | 2020-05-29 | 国网电子商务有限公司 | Identity authentication method and device based on user behaviors |
| CN111625789A (en) * | 2020-04-07 | 2020-09-04 | 北京工业大学 | Multi-core learning fusion mouse and keyboard behavior feature-based user identification method |
| CN112580004A (en) * | 2020-12-23 | 2021-03-30 | 北京通付盾人工智能技术有限公司 | Webpage end user behavior acquisition method and system based on biological probe technology |
| CN113158152A (en) * | 2021-05-13 | 2021-07-23 | 广西科技师范学院 | Computer intelligent auxiliary system based on behavior analysis |
| US11630896B1 (en) * | 2019-03-07 | 2023-04-18 | Educational Testing Service | Behavior-based electronic essay assessment fraud detection |
| CN116418587A (en) * | 2023-04-19 | 2023-07-11 | 中国电子科技集团公司第三十研究所 | Data cross-domain switching behavior audit trail method and data cross-domain switching system |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101833619A (en) * | 2010-04-29 | 2010-09-15 | 西安交通大学 | Method for judging identity based on keyboard-mouse crossed certification |
| US20130239195A1 (en) * | 2010-11-29 | 2013-09-12 | Biocatch Ltd | Method and device for confirming computer end-user identity |
| CN103530540A (en) * | 2013-09-27 | 2014-01-22 | 西安交通大学 | User identity attribute detection method based on man-machine interaction behavior characteristics |
| CN104239761A (en) * | 2014-09-15 | 2014-12-24 | 西安交通大学 | Continuous identity authentication method based on touch screen slip behavior characteristics |
-
2015
- 2015-04-29 CN CN201510214216.2A patent/CN104809377B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101833619A (en) * | 2010-04-29 | 2010-09-15 | 西安交通大学 | Method for judging identity based on keyboard-mouse crossed certification |
| US20130239195A1 (en) * | 2010-11-29 | 2013-09-12 | Biocatch Ltd | Method and device for confirming computer end-user identity |
| CN103530540A (en) * | 2013-09-27 | 2014-01-22 | 西安交通大学 | User identity attribute detection method based on man-machine interaction behavior characteristics |
| CN104239761A (en) * | 2014-09-15 | 2014-12-24 | 西安交通大学 | Continuous identity authentication method based on touch screen slip behavior characteristics |
Cited By (37)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2017032261A1 (en) * | 2015-08-21 | 2017-03-02 | 中国银联股份有限公司 | Identity authentication method, device and apparatus |
| CN105933267A (en) * | 2015-08-21 | 2016-09-07 | 中国银联股份有限公司 | Identity authentication method and device |
| CN105429937A (en) * | 2015-10-22 | 2016-03-23 | 同济大学 | Identity authentication method and system based on keystroke behaviors |
| CN105429937B (en) * | 2015-10-22 | 2018-07-06 | 同济大学 | Identity identifying method and system based on keystroke behavior |
| CN107093076A (en) * | 2016-02-18 | 2017-08-25 | 卡巴斯基实验室股份制公司 | The system and method for detecting fraudulent user transaction |
| CN107093076B (en) * | 2016-02-18 | 2021-07-13 | 卡巴斯基实验室股份制公司 | System and method for detecting fraudulent user transactions |
| CN107194213A (en) * | 2016-03-14 | 2017-09-22 | 阿里巴巴集团控股有限公司 | A kind of personal identification method and device |
| CN107194213B (en) * | 2016-03-14 | 2020-03-27 | 阿里巴巴集团控股有限公司 | Identity recognition method and device |
| CN106039711A (en) * | 2016-05-17 | 2016-10-26 | 网易(杭州)网络有限公司 | User identity authentication method and device |
| CN106039711B (en) * | 2016-05-17 | 2019-05-14 | 网易(杭州)网络有限公司 | A kind of method for authenticating user identity and device |
| CN106911668A (en) * | 2017-01-10 | 2017-06-30 | 同济大学 | A kind of identity identifying method and system based on personal behavior model |
| CN106911668B (en) * | 2017-01-10 | 2020-07-14 | 同济大学 | Identity authentication method and system based on user behavior model |
| CN107124395A (en) * | 2017-03-16 | 2017-09-01 | 华北电力大学 | It is a kind of based on the user identity identification system of the keystroke rhythm and its recognition methods |
| CN107124395B (en) * | 2017-03-16 | 2020-08-07 | 华北电力大学 | Identification method of user identity identification system based on keystroke rhythm |
| CN107230084A (en) * | 2017-05-03 | 2017-10-03 | 同济大学 | A kind of user behavior authentication method and system based on big data |
| CN107368718A (en) * | 2017-07-06 | 2017-11-21 | 同济大学 | A kind of user browsing behavior authentication method and system |
| CN107368718B (en) * | 2017-07-06 | 2022-08-16 | 同济大学 | User browsing behavior authentication method and system |
| CN107623715A (en) * | 2017-08-08 | 2018-01-23 | 阿里巴巴集团控股有限公司 | A kind of identity information acquisition methods and device |
| CN107623715B (en) * | 2017-08-08 | 2020-06-09 | 阿里巴巴集团控股有限公司 | Identity information acquisition method and device |
| CN108229567A (en) * | 2018-01-09 | 2018-06-29 | 北京荣之联科技股份有限公司 | Driver identity recognition methods and device |
| CN108229567B (en) * | 2018-01-09 | 2021-06-15 | 荣联科技集团股份有限公司 | Driver identity recognition method and device |
| CN108200450A (en) * | 2018-01-12 | 2018-06-22 | 武汉斗鱼网络科技有限公司 | A kind of determining method, apparatus, electronic equipment and medium for paying close attention to legitimacy |
| CN109063431B (en) * | 2018-06-21 | 2021-10-22 | 西安理工大学 | User identity recognition method for weighting keystroke characteristic curve difference degree |
| CN109063431A (en) * | 2018-06-21 | 2018-12-21 | 西安理工大学 | Weight the method for identifying ID of keystroke characteristic curve diversity factor |
| CN109446780B (en) * | 2018-11-01 | 2020-11-27 | 北京知道创宇信息技术股份有限公司 | Identity authentication method, device and storage medium thereof |
| CN109446780A (en) * | 2018-11-01 | 2019-03-08 | 北京知道创宇信息技术有限公司 | A kind of identity identifying method, device and its storage medium |
| US11630896B1 (en) * | 2019-03-07 | 2023-04-18 | Educational Testing Service | Behavior-based electronic essay assessment fraud detection |
| CN110287664A (en) * | 2019-07-01 | 2019-09-27 | 贵州大学 | A kind of identity identifying method being characterized selection based on multirow |
| CN111124860A (en) * | 2019-12-16 | 2020-05-08 | 电子科技大学 | Method for identifying user by using keyboard and mouse data in uncontrollable environment |
| CN111124860B (en) * | 2019-12-16 | 2021-04-27 | 电子科技大学 | Method for identifying user by using keyboard and mouse data in uncontrollable environment |
| CN111625789B (en) * | 2020-04-07 | 2023-04-07 | 北京工业大学 | User identification method based on multi-core learning fusion of mouse and keyboard behavior characteristics |
| CN111625789A (en) * | 2020-04-07 | 2020-09-04 | 北京工业大学 | Multi-core learning fusion mouse and keyboard behavior feature-based user identification method |
| CN111209552A (en) * | 2020-04-20 | 2020-05-29 | 国网电子商务有限公司 | Identity authentication method and device based on user behaviors |
| CN112580004A (en) * | 2020-12-23 | 2021-03-30 | 北京通付盾人工智能技术有限公司 | Webpage end user behavior acquisition method and system based on biological probe technology |
| CN113158152A (en) * | 2021-05-13 | 2021-07-23 | 广西科技师范学院 | Computer intelligent auxiliary system based on behavior analysis |
| CN116418587A (en) * | 2023-04-19 | 2023-07-11 | 中国电子科技集团公司第三十研究所 | Data cross-domain switching behavior audit trail method and data cross-domain switching system |
| CN116418587B (en) * | 2023-04-19 | 2024-04-30 | 中国电子科技集团公司第三十研究所 | Data cross-domain switching behavior audit trail method and data cross-domain switching system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104809377B (en) | 2018-01-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104809377A (en) | Method for monitoring network user identity based on webpage input behavior characteristics | |
| CN104239761B (en) | The identity for sliding behavioural characteristic based on touch screen continues authentication method | |
| US10467394B2 (en) | Pointing device biometrics for continuous user authentication | |
| Mondal et al. | Continuous authentication using mouse dynamics | |
| US20170140138A1 (en) | Behavior based authentication for touch screen devices | |
| Li et al. | Unobservable re-authentication for smartphones. | |
| Mahbub et al. | Continuous authentication of smartphones based on application usage | |
| Antal et al. | An evaluation of one-class and two-class classification algorithms for keystroke dynamics authentication on mobile devices | |
| Antal et al. | Information revealed from scrolling interactions on mobile devices | |
| CN105068743B (en) | Based on the mobile terminal user identity authentication method for more referring to touch-control behavioural characteristic | |
| JP2013122755A (en) | Event detection device and its method, operation recognition device and its method and program | |
| Roh et al. | Keystroke dynamics for authentication in smartphone | |
| Mhenni et al. | Double serial adaptation mechanism for keystroke dynamics authentication based on a single password | |
| WO2017075913A1 (en) | Mouse behaviors based authentication method | |
| Xu et al. | Challenge-response authentication using in-air handwriting style verification | |
| Van Nguyen et al. | Finger-drawn pin authentication on touch devices | |
| Shen et al. | MouseIdentity: Modeling mouse-interaction behavior for a user verification system | |
| Saini et al. | Keystroke dynamics for mobile phones: A survey | |
| Siirtola et al. | Effect of context in swipe gesture-based continuous authentication on smartphones | |
| Lee et al. | A parameterized model to select discriminating features on keystroke dynamics authentication on smartphones | |
| CN107273728B (en) | Smart watch unlocking and authentication method based on motion sensing behavior characteristics | |
| Ma et al. | A kind of mouse behavior authentication method on dynamic soft keyboard | |
| Al-Saraireh et al. | Keystroke and swipe biometrics fusion to enhance smartphones authentication | |
| Yıldırım et al. | Novel feature extraction methods for authentication via mouse dynamics with semi-supervised learning | |
| EP2490149A1 (en) | System for verifying user identity via mouse dynamics |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| EXSB | Decision made by sipo to initiate substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |