CN109784015A - A kind of authentication identifying method and device - Google Patents


Publication number
CN109784015A
Authority
CN
China
Prior art keywords
identity
model
probabilistic information
user
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811610585.3A
Other languages
Chinese (zh)
Other versions
CN109784015B (en
Inventor
范小龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201811610585.3A priority Critical patent/CN109784015B/en
Publication of CN109784015A publication Critical patent/CN109784015A/en
Application granted granted Critical
Publication of CN109784015B publication Critical patent/CN109784015B/en

Abstract

The present invention relates to an identity authentication method and device. The method comprises: loading the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model comprises a behavior feature model, an environment feature model and a comprehensive judgment model; obtaining the behavior features of the current operating user and inputting them into the behavior feature model to obtain the identity probability information of the current operating user; obtaining the current operating environment features and inputting them into the environment feature model to obtain environment anomaly probability information; and obtaining, through the comprehensive judgment model, the identity authentication result of the current operating user according to the identity probability information and the environment anomaly probability information. The invention can judge comprehensively, from the behavior features of the current operating user and the current operating environment features, whether the current operating user is the legitimate user, which achieves identity authentication that is imperceptible to the user and improves security and reliability.

Description

A kind of authentication identifying method and device
Technical field
The present invention relates to the technical field of communication security, and in particular to an identity authentication method and device.
Background art
The identity authentication methods currently in common use are mainly based on biometric features, including face recognition, fingerprint recognition, iris recognition, handwriting and the like. Biometric authentication has several problems. It requires additional acquisition equipment, such as fingerprint readers and cameras, which brings equipment cost, installation issues and the lack of a universally usable device. Biometric features are also easy to copy and forge, and the authentication module has difficulty directly telling genuine feature information from forged, which makes the authentication result invalid.
To address these problems, the invention proposes an identity authentication method based on imperceptible behavior authentication, which can still obtain a true and reliable identity authentication result when a password has been leaked or a biometric feature has been forged or imitated.
Summary of the invention
The technical problem to be solved by the invention is to provide an identity authentication method and device that establish an independent identity authentication model for each user and can judge comprehensively, from the behavior features of the current operating user and the current operating environment features, whether the current operating user is the legitimate user, which achieves identity authentication that is imperceptible to the user and improves security and reliability.
To solve the above technical problem, in a first aspect, the invention provides an identity authentication method, comprising:
Loading the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model comprises: a behavior feature model, an environment feature model and a comprehensive judgment model;
Obtaining the behavior features of the current operating user and inputting the behavior features into the behavior feature model to obtain the identity probability information of the current operating user;
Obtaining the current operating environment features and inputting the operating environment features into the environment feature model to obtain environment anomaly probability information;
Obtaining, through the comprehensive judgment model, the identity authentication result of the current operating user according to the identity probability information and the environment anomaly probability information.
In a second aspect, the invention provides an identity authentication device, comprising:
A model loading module, for loading the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model comprises: a behavior feature model, an environment feature model and a comprehensive judgment model;
An identity probability obtaining module, for obtaining the behavior features of the current operating user and inputting the behavior features into the behavior feature model to obtain the identity probability information of the current operating user;
An environment probability obtaining module, for obtaining the current operating environment features and inputting the operating environment features into the environment feature model to obtain environment anomaly probability information;
A comprehensive judgment module, for obtaining, through the comprehensive judgment model, the identity authentication result of the current operating user according to the identity probability information and the environment anomaly probability information.
Implementing the embodiments of the invention has the following beneficial effects:
The invention establishes an independent identity authentication model for each user. The identity authentication model comprises a behavior feature model, an environment feature model and a comprehensive judgment model. The behavior features of the current operating user are input into the behavior feature model to obtain identity probability information, and the current operating environment features are input into the corresponding identity authentication model to obtain environment anomaly probability information. The comprehensive judgment model then combines the identity probability information and the environment anomaly probability information of the current operating user to obtain the identity authentication result of the current operating user. The identity authentication method of the invention is imperceptible to the user and avoids dependence on biometric features. In a variety of environments it can effectively identify abnormal operation by someone other than the account owner, or normal operation by the owner under an abnormal network/device environment, improving the security and reliability of the system.
Brief description of the drawings
Fig. 1 is a schematic diagram of the implementation environment provided by an embodiment of the invention;
Fig. 2 is a flow diagram of an identity authentication method provided by an embodiment of the invention;
Fig. 3 is a flow diagram of a method for obtaining identity probability information provided by an embodiment of the invention;
Fig. 4 is a flow diagram of a user identity judgment method provided by an embodiment of the invention;
Fig. 5 is a flow diagram of a data preprocessing method provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of a method for building the behavior feature model provided by an embodiment of the invention;
Fig. 7 is a schematic diagram of a deep learning model based on time-difference and trajectory behavior data provided by an embodiment of the invention;
Fig. 8 is a schematic diagram of the internal structure of the LSTM provided by an embodiment of the invention;
Fig. 9 is a schematic diagram of the Attention mechanism provided by an embodiment of the invention;
Fig. 10 is a schematic diagram of a method for building the environment feature model provided by an embodiment of the invention;
Fig. 11 is a schematic diagram of the overall framework of the identity authentication method provided by an embodiment of the invention;
Fig. 12 is a schematic diagram of an identity authentication device provided by an embodiment of the invention;
Fig. 13 is a schematic diagram of the identity probability obtaining module provided by an embodiment of the invention;
Fig. 14 is a schematic diagram of the comprehensive judgment module provided by an embodiment of the invention;
Fig. 15 is a schematic diagram of the weighted calculation module provided by an embodiment of the invention;
Fig. 16 is a schematic diagram of the behavior feature model building module provided by an embodiment of the invention;
Fig. 17 is a schematic diagram of the environment feature model building module provided by an embodiment of the invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative work fall within the scope of protection of the invention.
Referring to Fig. 1, which shows a schematic diagram of the implementation environment of the invention, the environment may include a user terminal 110, a server 120 and a database 130. The user terminal 110 may be a terminal device with external input devices such as a mouse and a keyboard, through which the user inputs information to the terminal device. The user terminal 110 and the server 120 exchange data. In the invention, an SDK (Software Development Kit) provided at the front end collects the behavior information of the operating user and the operating environment information and uploads the collected information to the server 120; the collected data is also stored in the database 130. The server 120 processes the collected behavior information and operating environment information, converts the collected data into the behavior features and operating environment features of the operating user, and inputs them into the identity authentication model for identity authentication, obtaining an identity authentication result. When the user is identified as an illegitimate user, the server 120 sends alarm information to the user terminal 110. The database 130 stores the behavior feature information and usage environment feature information of multiple users, which can be used for iterative training and updating of the identity authentication model.
Referring to Fig. 2, which shows an identity authentication method that can be applied on the server side, the method specifically includes:
S210. Load the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model comprises: a behavior feature model, an environment feature model and a comprehensive judgment model.
When a specific application or client is logged into with an account and password, the identity authentication model corresponding to the account can be obtained from the identifier of the account. This correspondence is established in advance and kept on the server. Specifically, from the time the user registers with the application, the user's identity authentication model is trained on the user's behavior feature information and usage environment information, and the correspondence between the registered account and the identity authentication model is established. When a user later logs into the account, the identity authentication model corresponding to the account can be loaded and used to judge the identity of the current operating user.
The identity authentication model of the invention comprises a behavior feature model, an environment feature model and a comprehensive judgment model. The behavior features of the current user and the environment features of the current operation are judged separately, and the identity authentication result is then obtained.
S220. Obtain the behavior features of the current operating user and input the behavior features into the behavior feature model to obtain the identity probability information of the current operating user.
The behavior features of a user in the invention include time-difference behavior features and trajectory behavior features. The time-difference behavior features include the time-difference sequence of keystrokes, the time-difference sequence of application window switching, and so on. The keystroke time-difference sequence includes the time intervals of keyboard input operations, the time intervals of mouse click operations, and so on. The time-difference sequence of application window switching can be determined from the window ID timestamps of the application process.
The trajectory behavior features include the mouse input trajectory (x, y), the category trajectory sequence of application window switching, and so on. The category trajectory of application window switching can be determined on a time axis from the window IDs.
Alongside the time-difference and trajectory behavior features there are also some additional features, such as whether the clipboard holds data and the instantaneous movement direction and speed of the mouse. These additional features allow the user's usage habits to be judged more accurately. For example, if the clipboard holds data after the user operates the mouse, the user has the habit of selecting, copying and pasting with the mouse; if the clipboard holds data after the user operates the keyboard, the user has the habit of copying and pasting with the keyboard; and similarly for other cases.
Referring to Fig. 3, obtaining the identity probability information of the current operating user from the collected behavior features may specifically include:
S310. Obtain the behavior features of the current operating user at a predetermined period, and obtain the corresponding identity probability information.
As long as the current user is logged into the account, the behavior features of the current operating user are obtained continuously, and for each set of behavior features obtained, the behavior feature model produces the corresponding identity probability information.
S320. Build an identity probability information set and store the identity probability information of the different time points in the set in chronological order.
Each time an item of identity probability information is obtained it is stored in the identity probability information set, so that the set finally holds multiple items of identity probability information stored in chronological order and the corresponding identity probability information can later be read directly from the set. "Multiple" in the invention means two or more.
S230. Obtain the current operating environment features and input the operating environment features into the environment feature model to obtain environment anomaly probability information.
The operating environment information in the invention includes software information, hardware information and network environment information. The software information includes the terminal device system information, the virtual machine identifier, special process ID identifiers, the process list, and so on. The hardware information includes the CPU model and ID, the hard disk model and ID, the network card model and ID, the graphics card model and ID, and so on. The network environment information includes the client IP, client version, client protocol, user operating environment IP, SDK version, and so on.
The user behavior features and operating environment features above can be obtained by converting the relevant data collected by the SDK provided at the front end.
S240. Obtain, through the comprehensive judgment model, the identity authentication result of the current operating user according to the identity probability information and the environment anomaly probability information.
Combining the identity probability information and the environment anomaly probability information gives the identity authentication result of the current operating user. For details, see Fig. 4, which shows a user identity judgment method, comprising:
S410. Obtain at least one item of identity probability information from the identity probability information set.
S420. Judge whether the number of items of identity probability information obtained is one or more than one.
S430. When there is one item of identity probability information, perform a weighted calculation on the identity probability information and the environment anomaly probability information to obtain the probability that the identity of the current operating user is legitimate.
S440. When there are multiple items of identity probability information, assign a weight to each item and calculate the weighted sum of the items.
The weight for each item of identity probability information is assigned according to chronological order. Taking the current time as the reference node, the further an item of identity probability information lies from the current time node, the smaller the weight assigned to it. The significance is that identity probability information from a past time point further from the current time point has less influence on the current identity probability judgment.
S450. Perform a weighted calculation on the weighted sum and the environment anomaly probability information to obtain the probability that the identity of the current operating user is legitimate.
Because the operating environment may change relatively little over a period of time, the environment anomaly probability here is calculated from the current environment anomaly probability information.
S460. Judge whether the probability that the identity is legitimate is greater than a preset threshold.
S470. When the probability that the identity is legitimate is greater than the preset threshold, determine that the current operating user is the legitimate user of the logged-in account.
The preset threshold can be determined according to the requirements of the application scenario. For scenarios with higher accuracy requirements the preset threshold can be set somewhat larger; for scenarios where the accuracy requirement is not very high it can be set somewhat smaller.
Specifically, the comprehensive judgment model above can be implemented by the following formula:
Here a and b are weighting parameters whose values can be adjusted for different application scenarios. The value range of parameter a is generally 0.8~1.2 and the value range of parameter b is generally 0.1~0.5. For a specific scenario, parameters a and b can be determined as follows:
1. Initialize the data: set a=1, b=0.1;
2. Substitute the initialized parameters a=1 and b=0.1 into formula (1) and calculate the probability values;
3. Compare the calculated probability values with the multiple data items in the sample and calculate the average error. When the error is large, fix one parameter value and adjust the other. For example, fix the value of parameter a, adjust the value of parameter b, and calculate the error; or fix the value of parameter b, adjust the value of parameter a, and calculate the error. This can be implemented with a quasi-Newton iterative algorithm, finally giving the parameters a and b for which the error between the calculated identity probability information and the real data is small. The Newton method in this embodiment is one method for solving optimization problems; other algorithms for solving optimization problems can also be applied in this embodiment.
$p_e$ is the environment anomaly probability value of the current operating environment.
$\lambda_i$ is the weight of each item of identity probability information and $p_i$ is the corresponding item of identity probability information. When $N=0$, which corresponds to step S430 above where only one item of identity probability information is obtained, $\lambda_0=1$. When $N>0$, which corresponds to step S440 above where multiple items of identity probability information are obtained, $\lambda_0+\lambda_1+\cdots+\lambda_N=1$ and $\lambda_0>\lambda_1>\cdots>\lambda_N$, where $\lambda_0$ is the weight for the current time point, $\lambda_1$ is the weight for the time point before the current time point, $\lambda_2$ is the weight for the time point before the one corresponding to $\lambda_1$, and so on. The multiple items of identity probability information are combined and the environment anomaly probability information is then subtracted, giving the final comprehensive identity authentication result.
Authentication with one item of identity probability information is called single-behavior identity authentication, and authentication with multiple items is called sequence-behavior identity authentication. Sequence-behavior identity authentication is more accurate and more reliable than single-behavior identity authentication; the number of identity probability items to use can be determined according to the actual application scenario.
In addition, the time intervals between the items of identity probability information in sequence-behavior identity authentication are not necessarily the same: the interval between one pair of items may be long while the interval between another pair is short.
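The sequence-behavior judgment described above, as an added example that is not code from the patent. The score form a·Σλ_i·p_i − b·p_e is an assumption inferred from the description (identity probabilities combined, environment anomaly probability subtracted), because the formula itself does not appear on this page; the exponential recency weights, the grid search used in place of the quasi-Newton iteration, and all names and sample values are also assumptions.

```python
# Added example (not from the patent): sequence-based comprehensive judgment.
# ASSUMPTIONS: the score form a*sum(lambda_i*p_i) - b*p_e, the exponential
# recency weights, the half-life and every sample value are constructed here.
from itertools import product
from typing import NamedTuple


class IdentityScore(NamedTuple):
    timestamp: float  # seconds; when the behavior feature model produced it
    p: float          # identity probability p_i in [0, 1]


def recency_weights(timestamps, now, half_life_s=60.0):
    """Weights lambda_i that sum to 1 and shrink as a score gets older.

    Real timestamps are used, so unevenly spaced scores are handled.
    """
    raw = [0.5 ** ((now - t) / half_life_s) for t in timestamps]
    total = sum(raw)
    return [r / total for r in raw]


def weighted_identity(scores, now, half_life_s=60.0):
    """Weighted sum of identity probabilities, newest first (lambda_0)."""
    if not scores:
        raise ValueError("at least one identity probability is required")
    ordered = sorted(scores, key=lambda s: s.timestamp, reverse=True)
    lam = recency_weights([s.timestamp for s in ordered], now, half_life_s)
    return sum(w * s.p for w, s in zip(lam, ordered))


def legal_probability(scores, p_env, now, a=1.0, b=0.1, half_life_s=60.0):
    """Combined score; with a single item lambda_0 is 1 (the S430 case)."""
    for value in [p_env] + [s.p for s in scores]:
        if not 0.0 <= value <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return a * weighted_identity(scores, now, half_life_s) - b * p_env


def is_legitimate(scores, p_env, now, threshold, a=1.0, b=0.1,
                  half_life_s=60.0):
    """S460/S470: legitimate only if the score exceeds the preset threshold."""
    return legal_probability(scores, p_env, now, a, b, half_life_s) > threshold


def calibrate(samples, step=0.05):
    """Choose a in [0.8, 1.2] and b in [0.1, 0.5] with the lowest mean error.

    samples: (weighted_identity, p_env, expected_probability) tuples.
    An exhaustive grid search stands in for the quasi-Newton iteration.
    """
    def grid(lo, hi):
        n = round((hi - lo) / step)
        return [round(lo + i * step, 10) for i in range(n + 1)]

    def mean_error(a, b):
        return sum(abs(a * s - b * e - y) for s, e, y in samples) / len(samples)

    return min(product(grid(0.8, 1.2), grid(0.1, 0.5)),
               key=lambda ab: mean_error(*ab))


# Constructed session: behavior matched the owner two minutes ago, but the
# newest score is low and the environment looks unusual.
SESSION = [IdentityScore(0, 0.95), IdentityScore(60, 0.90),
           IdentityScore(120, 0.20)]

if __name__ == "__main__":
    print(legal_probability(SESSION, p_env=0.7, now=120))
    print(is_legitimate(SESSION, p_env=0.7, now=120, threshold=0.6))
```

Because the newest score carries the largest weight, a session whose recent behavior stops matching the owner falls below the threshold even when older scores were high.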
As long as the operating user is logged into the application, the background server continuously authenticates the identity of the operating user. During identity authentication, the background server continually obtains the behavior feature information of the current operating user and, together with the identity authentication model, performs the identity authentication operation at the preset period. When the current operating user is identified as an illegitimate user, the server sends alarm information. The specific ways of sending alarm information may include: the server sends alarm information to the user terminal and locks the account, or sends alarm information to a communication tool bound when the account was registered, such as an e-mail address or mobile phone, to remind the account owner that the account may be at risk of being misused or stolen.
The user feature information and operating environment feature information obtained during identity authentication can be stored in the database, with a correspondence established between each account user and this feature information. As time passes, the database stores more and more data, and the feature information can be processed periodically. For example, a user's feature information from more than one year ago may have little influence on judging the present identity and can be deleted.
It should be noted that one account may also correspond to multiple identity authentication models. For example, family members may share one account while the user behavior features of each member differ; in that case a corresponding identity authentication model can be generated for the behavior features and usage environment of each family member.
The user behavior features and operating environment features above can be obtained by converting the relevant data collected by the SDK provided at the front end. For the detailed process see Fig. 5, which shows a data preprocessing method, comprising:
S510. Collect the raw data of the current operating user and desensitize the raw data.
The raw information collected includes keyboard operation information, mouse operation information, process switching information, software and hardware information, network environment information and so on. This raw information is converted to numeric data according to preset rules, and the numeric data is then desensitized. Desensitization mainly consists of removing the actual input content and replacing it with interval times or trajectory point data.
S520. Extract features from the desensitized data and normalize the extracted features.
This step performs the normalizing conversion of the features, removes interfering or empty data, and detects, analyzes and removes abnormal data, such as data outside a specified value range. For example, feature conversion may include extracting time-difference features from keyboard timestamps and extracting instantaneous movement direction and speed features from mouse data. Specifically, for keyboard operations, the timestamp when the current key is pressed and the timestamp when it is released give the duration of the key press, and the timestamp when the current key is released and the timestamp when the next key is pressed give the time interval between the two keys. For mouse operations, the coordinates (x1, y1) and (x2, y2) of two trajectory points give the direction of mouse movement; the timestamps of the two points give the time interval between them; and the distance between the two points combined with that time interval gives the instantaneous movement speed of the mouse.
The normalizing conversion can be implemented by the following formula:
Here X is the data to be converted, Y is the converted data, and A and B are parameters obtained by learning; specifically, A > B can be set, for adjusting the range.
The normalizing conversion can also be implemented with a sigmoid function, which is not described further here.
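The desensitization and feature extraction steps S510 and S520, as an added example that is not code from the patent. The event layouts, the 5-second outlier bound, the centre and scale passed to the sigmoid, and the sample events are assumptions constructed for illustration.

```python
# Added example (not from the patent): turn raw input events into timing and
# trajectory features without keeping what was typed.
# ASSUMPTIONS: event layouts, the 5 s outlier bound, the sigmoid centre and
# scale, and the sample events below are all constructed here.
import math


def key_timing_features(key_events, max_interval_s=5.0):
    """key_events: (kind, key, t) tuples with kind 'down' or 'up'.

    Returns key hold times and release-to-next-press gaps in seconds. The key
    identity is used only to pair press with release and is never returned.
    """
    pending = {}     # key -> press time, for pairing only
    last_up = None
    holds, gaps = [], []
    for kind, key, t in sorted(key_events, key=lambda e: e[2]):
        if kind == "down":
            if key in pending:
                continue                      # auto-repeat while held
            if last_up is not None and 0.0 <= t - last_up <= max_interval_s:
                gaps.append(round(t - last_up, 6))
            pending[key] = t
        elif kind == "up" and key in pending:  # orphan releases are ignored
            hold = t - pending.pop(key)
            if hold <= max_interval_s:         # drop out-of-range values
                holds.append(round(hold, 6))
            last_up = t
    return {"hold_s": holds, "gap_s": gaps}


def mouse_motion_features(points):
    """points: (x, y, t) tuples. Returns (direction_rad, speed) per segment."""
    feats = []
    prev = None
    for x, y, t in sorted(points, key=lambda p: p[2]):
        if prev is not None:
            dt = t - prev[2]
            if dt <= 0:
                continue                       # duplicate timestamp
            dx, dy = x - prev[0], y - prev[1]
            feats.append((math.atan2(dy, dx), math.hypot(dx, dy) / dt))
        prev = (x, y, t)
    return feats


def sigmoid_normalize(values, center, scale):
    """Map features into (0, 1) with the sigmoid alternative named above."""
    return [1.0 / (1.0 + math.exp(-(v - center) / scale)) for v in values]


# Constructed capture: two keys typed, a stray release, a long pause, one key.
KEY_EVENTS = [
    ("down", "p", 0.00), ("up", "p", 0.08),
    ("down", "a", 0.20), ("up", "a", 0.29),
    ("up", "x", 0.30),
    ("down", "s", 9.00), ("up", "s", 9.10),
]
MOUSE_POINTS = [(0, 0, 0.00), (3, 4, 0.01), (3, 4, 0.01), (3, 10, 0.03)]

if __name__ == "__main__":
    print(key_timing_features(KEY_EVENTS))
    print(mouse_motion_features(MOUSE_POINTS))
```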
Referring to Fig. 6, which shows a method for building the behavior feature model, the method may specifically include:
S610. For each target user, obtain the historical behavior features of the target user and use them as positive samples.
When the behavior feature model is trained, the positive samples input are the behavior features of the legitimate user corresponding to the account.
S620. Obtain the historical behavior features of non-target users and use them as negative samples.
The negative samples can be taken directly from the database and are feature information of users other than the one corresponding to the account.
S630. Sort the behavior data in the positive samples and in the negative samples in chronological order, extract the behavior features at each single time point to obtain several behavior sequences, and convert the behavior sequences into feature vectors.
The user behavior features at each time point are concatenated into a one-dimensional vector; each one-dimensional vector includes keyboard operation features, mouse operation features, window switching features and so on.
S640. Use the feature vectors as the input of a supervised learning algorithm to train the behavior feature model.
The one-dimensional vectors containing the user behavior features are fed in sequence into the training model; positive samples correspond to an output of 1 and negative samples to an output of 0. For the specific training model see Fig. 7, which shows a deep learning model based on time-difference and trajectory behavior data. The training process may include: converting the original user behavior features into one-hot vectors, feeding them into an LSTM (Long Short-Term Memory) model, adding an Attention layer, and outputting the user identity probability through softmax.
A characteristic of the LSTM is that, whatever the length of the input sequence, it is encoded into a vector representation of fixed length, and decoding is then limited to that fixed-length vector representation. Fig. 8 shows the internal structure of each recurrent module of the LSTM. Each recurrent module has a four-layer structure, comprising 3 sigmoid layers and 1 tanh layer. A circle denotes a binary operation; two arrows merging into one arrow indicate that two vectors are concatenated end to end; one arrow branching into two indicates that a piece of data is copied into two and distributed to different places. For the concrete implementation, see the implementation of LSTM in the prior art, which is not described further here.
The Attention mechanism is applied to the output sequence to weight the behavior at each time point, so that the model focuses more easily on the moments in the input behavior sequence that are considered important and excludes the interfering moments, making the prediction result more accurate. A matching module calculates the degree of match between the current output and an input; the current output is matched against each input in turn, giving the degree of match between the current output and every input. Because these values are not normalized, softmax is applied so that the output weights sum to 1. Once every input has a weight, the weighted vector sum can be calculated. Taking Fig. 9 as an example, we have
Referring to Fig. 10, which shows a schematic diagram of a method for building the environmental feature model, the method includes:
S1010. For each target user, obtain the operating environment features of the target user and use them as positive samples.
S1020. Obtain the operating environment features of non-target users and use them as negative samples.
The operating environment features may include the software information features, hardware information features and network environment features described above, mainly multidimensional features such as the number of users / devices / clients under the same IP and the number of users / requests under the same device.
As with the user behavior feature model, the input positive samples are the operating environment features of the legitimate user of the account; negative samples can be obtained directly from the database and are operating environment features that do not belong to the account's user.
S1030. Use the positive samples and the negative samples as the input of a supervised learning algorithm to train the environmental feature model.
The environmental feature model can be trained with the XGBOOST/GBDT algorithm. Because what is predicted is the probability that the environment is abnormal, during training the output for positive samples is 0 and the output for negative samples is 1.
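The following added example (not code from the patent) turns the environment features named in steps S1010 to S1030 into labeled training rows, using the stated convention that positive samples map to 0 and negative samples to 1. The event records are constructed, and the field names, function names and the choice of min-max normalization are assumptions.

```python
from collections import Counter, defaultdict
from typing import List, Tuple

# (user, ip, device_id, client_id); field layout is an assumption.
Event = Tuple[str, str, str, str]

# Constructed sample events for illustration only (documentation IP ranges).
EVENTS: List[Event] = [
    ("alice", "198.51.100.7", "dev-A", "client-1"),
    ("alice", "198.51.100.7", "dev-A", "client-1"),
    ("bob",   "203.0.113.9",  "dev-X", "client-7"),
    ("carol", "203.0.113.9",  "dev-X", "client-8"),
    ("dave",  "203.0.113.9",  "dev-Y", "client-9"),
    ("bob",   "203.0.113.9",  "dev-X", "client-7"),
]

FEATURE_NAMES = (
    "users_under_ip", "devices_under_ip", "clients_under_ip",
    "users_under_device", "requests_under_device",
)


def extract_features(events: List[Event]) -> List[Tuple[int, ...]]:
    """Return one raw feature row per event, in FEATURE_NAMES order."""
    users_by_ip = defaultdict(set)
    devices_by_ip = defaultdict(set)
    clients_by_ip = defaultdict(set)
    users_by_device = defaultdict(set)
    requests_by_device = Counter()

    # First pass: aggregate distinct users/devices/clients per IP and per device.
    for user, ip, device, client in events:
        users_by_ip[ip].add(user)
        devices_by_ip[ip].add(device)
        clients_by_ip[ip].add(client)
        users_by_device[device].add(user)
        requests_by_device[device] += 1

    # Second pass: describe each event by the counts of its IP and device.
    return [
        (
            len(users_by_ip[ip]),
            len(devices_by_ip[ip]),
            len(clients_by_ip[ip]),
            len(users_by_device[device]),
            requests_by_device[device],
        )
        for _user, ip, device, _client in events
    ]


def min_max_normalise(rows: List[Tuple[int, ...]]) -> List[Tuple[float, ...]]:
    """Scale every column to [0, 1]; a constant column becomes 0.0."""
    if not rows:
        return []
    columns = list(zip(*rows))
    lows = [min(c) for c in columns]
    highs = [max(c) for c in columns]
    return [
        tuple(
            0.0 if hi == lo else (value - lo) / (hi - lo)
            for value, lo, hi in zip(row, lows, highs)
        )
        for row in rows
    ]


def build_training_set(target_user: str, events: List[Event]):
    """Label rows for one account's model: target user -> 0, others -> 1.

    The label is the *anomaly* target, so the legitimate user's own
    environments are the positive samples with output 0.
    """
    features = min_max_normalise(extract_features(events))
    return [
        (row, 0 if event[0] == target_user else 1)
        for row, event in zip(features, events)
    ]


if __name__ == "__main__":
    for row, label in build_training_set("alice", EVENTS):
        print(label, dict(zip(FEATURE_NAMES, row)))
```

The resulting rows are what a GBDT/XGBoost trainer would consume; a high count of users or clients behind one IP or device is the kind of signal such a model can learn to score as abnormal.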
The identity authentication engine described above runs online in real time and can identify user identity in real time. Meanwhile, on the offline side the identity authentication model can be iteratively trained on the collected big data and the online model updated dynamically, ensuring the long-term adaptability of the model; the features and modeling approach used in iterative training are similar to those of the online model. The overall system architecture of the invention is shown in Fig. 11: preprocessed data is input to the identity authentication model for online identity prediction, and the identity judgment result is finally output and checked by feedback; the offline side updates and tunes the model based on big data.
The invention may also use unsupervised (or semi-supervised) algorithms to analyze abnormal samples and feature importance. The supervised classification algorithms in the invention include GBDT/CNN/LSTM and the like; the unsupervised (semi-supervised) analysis algorithms include PCA/kmeans/LPA and the like. Combining multiple offline analysis methods can further improve the prediction accuracy of the model, and monitoring and removing abnormal data improves model stability.
The user feature data collected in the invention is not strictly limited to the categories of data described above, as long as it mainly includes the core relevant behavior data and device environment data. The supervised classification schemes in the invention are not limited to the conventional algorithms given; the method used in each model may differ, and a fusion of multiple algorithms may also be used.
The invention models the user's operating behavior and usage-environment data together, combining dynamic and static data to build a user identity authentication model that judges in multiple dimensions whether the operator is the account owner. It uses an end-to-end deep learning model for identity probability prediction, avoiding dependence on hand-crafted features, and combining device and environment data further improves model stability and raises the threshold that black-market operators must overcome. An independent behavior identity model is built for each user and, combined with massive data, is used to comprehensively analyze whether the user's behavior is abnormal and whether the owner is operating; the online model is dynamically adjusted and updated in time to ensure its long-term adaptability.
This embodiment also provides an identity authentication device, which may be implemented in hardware and/or software. Referring to Fig. 12, the device includes:
A model loading module 1210, configured to load the corresponding identity authentication model according to the identifier of the logged-in account, where the identity authentication model includes: a behavior feature model, an environmental feature model and a comprehensive judgment model;
An identity probability obtaining module 1220, configured to obtain the behavior features of the current operating user and input them to the behavior feature model to obtain the identity probability information of the current operating user;
An environment probability obtaining module 1230, configured to obtain the current operating environment features and input them to the environmental feature model to obtain environmental anomaly probability information;
A comprehensive judgment module 1240, configured to obtain the identity authentication result of the current operating user through the comprehensive judgment model according to the identity probability information and the environmental anomaly probability information.
Referring to Fig. 13, the identity probability obtaining module 1220 includes:
A first obtaining module 1310, configured to obtain the behavior features of the current operating user at a predetermined period and obtain the corresponding identity probability information.
A set building module 1320, configured to build an identity probability information set and store the identity probability information of different time points into the set in chronological order.
Referring to Fig. 14, the comprehensive judgment module 1240 includes:
A second obtaining module 1410, configured to obtain at least one piece of identity probability information from the identity probability information set.
A weighted calculation module 1420, configured to perform a weighted operation on the identity probability information and the environmental anomaly probability information to obtain the identity legitimacy probability of the current operating user.
A determination module 1430, configured to determine, when the identity legitimacy probability is greater than a preset threshold, that the current operating user is the legitimate user of the logged-in account.
Referring to Fig. 15, the weighted calculation module 1420 further includes:
A weight distribution module 1510, configured to assign a weight to each piece of identity probability information when two or more pieces are obtained from the identity probability information set, and to calculate the weighted sum of the pieces of identity probability information.
A comprehensive calculation module 1520, configured to perform a weighted operation on the weighted sum and the environmental anomaly probability information to obtain the identity legitimacy probability of the current operating user.
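The following added example (not code from the patent) sketches the comprehensive judgment performed by modules 1320, 1410 to 1430 and 1510 to 1520: a time-ordered set of identity probabilities, a weighted sum over the most recent entries, a combination with the environmental anomaly probability, and a threshold decision. The recency-decay weights, the 0.3 environment weight, the 0.6 threshold, the use of 1 minus the anomaly probability, and all names and sample values are assumptions; the patent does not specify them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IdentityProbabilitySet:
    """Time-ordered store of per-period identity probabilities (module 1320)."""
    entries: List[Tuple[float, float]] = field(default_factory=list)

    def add(self, timestamp: float, p_identity: float) -> None:
        if not 0.0 <= p_identity <= 1.0:
            raise ValueError("identity probability must be in [0, 1]")
        self.entries.append((timestamp, p_identity))
        self.entries.sort(key=lambda e: e[0])  # keep chronological order

    def latest(self, k: int) -> List[float]:
        """Return up to k most recent probabilities, oldest first (module 1410)."""
        return [p for _, p in self.entries[-k:]]


def recency_weights(n: int, decay: float = 0.5) -> List[float]:
    """Assumed weighting scheme: geometric decay, newest sample weighs most."""
    raw = [decay ** (n - 1 - i) for i in range(n)]
    total = sum(raw)
    return [w / total for w in raw]


def identity_legitimacy_probability(identity_probs: List[float],
                                    env_anomaly_prob: float,
                                    env_weight: float = 0.3,
                                    decay: float = 0.5) -> float:
    """Weighted sum of identity probabilities (1510), then fuse with env (1520)."""
    if not identity_probs:
        raise ValueError("at least one identity probability is required")
    if not 0.0 <= env_anomaly_prob <= 1.0:
        raise ValueError("environment anomaly probability must be in [0, 1]")
    weights = recency_weights(len(identity_probs), decay)
    behaviour_score = sum(w * p for w, p in zip(weights, identity_probs))
    env_score = 1.0 - env_anomaly_prob  # assumption: convert anomaly to "normal"
    return (1.0 - env_weight) * behaviour_score + env_weight * env_score


def judge(prob_set: IdentityProbabilitySet, env_anomaly_prob: float,
          k: int = 3, threshold: float = 0.6) -> Tuple[bool, float]:
    """Module 1430: legitimate only if the fused probability exceeds the threshold."""
    p = identity_legitimacy_probability(prob_set.latest(k), env_anomaly_prob)
    return p > threshold, p


def run_scenarios() -> Dict[str, Tuple[bool, float]]:
    """Constructed model outputs for four sessions on the same account."""
    scenarios = {
        # name: (identity probabilities per period, environment anomaly probability)
        "owner_usual_environment": ([0.90, 0.92, 0.95], 0.05),
        "owner_unfamiliar_network": ([0.90, 0.90, 0.90], 0.80),
        "leaked_password": ([0.20, 0.15, 0.10], 0.90),
        "mid_session_takeover": ([0.90, 0.30, 0.10], 0.05),
    }
    results = {}
    for name, (probs, env_anomaly) in scenarios.items():
        prob_set = IdentityProbabilitySet()
        for t, p in enumerate(probs):
            prob_set.add(float(t), p)
        results[name] = judge(prob_set, env_anomaly)
    return results


if __name__ == "__main__":
    for name, (accepted, p) in run_scenarios().items():
        print(f"{name:26s} p={p:.3f} legitimate={accepted}")
```

With these assumed weights, a trusted environment alone does not carry a session whose recent behavior no longer matches the owner, and an unfamiliar network alone does not lock out an owner whose behavior still matches.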
Referring to Fig. 16, the device further includes a behavior feature model building module 1600, which includes:
A behavior positive sample obtaining module 1610, configured to obtain, for each target user, the historical behavior features of the target user and use them as positive samples.
A behavior negative sample obtaining module 1620, configured to obtain the historical behavior features of non-target users and use them as negative samples.
A behavior sample conversion module 1630, configured to sort the behavior data in the positive samples and in the negative samples in chronological order, extract the behavior features at each single time point to obtain several behavior sequences, and convert the behavior feature sequences into feature vectors.
A behavior feature training module 1640, configured to use the feature vectors as the input of a supervised learning algorithm to train the behavior feature model.
Referring to Fig. 17, the device further includes an environmental feature model building module 1700, which includes:
An environment positive sample obtaining module 1710, configured to obtain, for each target user, the operating environment features of the target user and use them as positive samples.
An environment negative sample obtaining module 1720, configured to obtain the operating environment features of non-target users and use them as negative samples.
An environmental feature training module 1730, configured to use the positive samples and the negative samples as the input of a supervised learning algorithm to train the environmental feature model.
The device further includes a preprocessing module, configured to collect the raw data of the operating user, desensitize the raw data, extract features from the desensitized data, and normalize the extracted features.
The device provided in the above embodiment can perform the method provided in any embodiment of the invention and has the functional modules and beneficial effects corresponding to that method. For technical details not described in detail in the above embodiment, refer to the method provided in any embodiment of the invention.
The invention can effectively identify, in a variety of scenarios, abnormal operations not performed by the account owner, such as the high-risk scenarios of password leakage and device theft, as well as normal operations performed by the owner in an abnormal network/device environment. It achieves imperceptible identity authentication with higher security and reliability. The invention requires no additional hardware; because an imperceptible technique is used, the data is not exposed, which makes it harder for black-market operators to replicate and attack. The invention is mainly applicable to identity authentication scenarios on PCs, including payment transactions and login verification, and provides an imperceptible, behavior-based identity authentication method for cases where a password is leaked or biometric features are forged or imitated.
This embodiment also provides a computer-readable storage medium storing computer-executable instructions, which are loaded by a processor to execute any of the methods of this embodiment.
This embodiment also provides a device including a processor and a memory, where the processor is configured to call and execute the program stored in the memory, and the memory is configured to store a program that implements any of the methods of this embodiment.
This specification provides the method operation steps as described in the embodiments or flowcharts, but more or fewer operation steps may be included based on routine or non-inventive effort. The steps and order listed in the embodiments are only one of many possible execution orders and do not represent the only execution order. When an actual system or terminal product executes, the steps may be performed sequentially or in parallel (for example, in a parallel-processor or multi-threaded environment) according to the methods shown in the embodiments or drawings.
The structure shown in this embodiment is only the part relevant to the solution of this application and does not limit the device to which the solution is applied; a specific device may include more or fewer components than shown, combine certain components, or have a different arrangement of components. It should be understood that the methods, devices and so on disclosed in this embodiment may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules is only a division by logical function, and other divisions are possible in an actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or unit modules.
Based on this understanding, the technical solution of the invention in essence, or the part that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed in this specification can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Skilled practitioners may implement the described functions differently for each specific application, but such implementations should not be considered beyond the scope of the invention.
The above embodiments are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (10)

1. An identity authentication method, characterized by comprising:
loading a corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model comprises: a behavior feature model, an environmental feature model and a comprehensive judgment model;
obtaining the behavior features of the current operating user, and inputting the behavior features to the behavior feature model to obtain the identity probability information of the current operating user;
obtaining the current operating environment features, and inputting the operating environment features to the environmental feature model to obtain environmental anomaly probability information;
obtaining the identity authentication result of the current operating user through the comprehensive judgment model according to the identity probability information and the environmental anomaly probability information.
2. The identity authentication method according to claim 1, characterized in that obtaining the behavior features of the current operating user and inputting the behavior features to the behavior feature model to obtain the identity probability information of the current operating user comprises:
obtaining the behavior features of the current operating user at a predetermined period, and obtaining the corresponding identity probability information;
building an identity probability information set, and storing the identity probability information of different time points into the identity probability information set in chronological order.
3. The identity authentication method according to claim 2, characterized in that obtaining the identity authentication result of the current operating user through the comprehensive judgment model according to the identity probability information and the environmental anomaly probability information comprises:
obtaining at least one piece of identity probability information from the identity probability information set;
performing a weighted operation on the identity probability information and the environmental anomaly probability information to obtain the identity legitimacy probability of the current operating user;
when the identity legitimacy probability is greater than a preset threshold, determining that the current operating user is the legitimate user of the logged-in account.
4. The identity authentication method according to claim 3, characterized in that, when two or more pieces of identity probability information are obtained from the identity probability information set, performing the weighted operation on the identity probability information and the environmental anomaly probability information to obtain the identity judgment probability of the current operating user comprises:
assigning a weight to each piece of identity probability information, and calculating the weighted sum of the pieces of identity probability information;
performing a weighted operation on the weighted sum and the environmental anomaly probability information to obtain the identity legitimacy probability of the current operating user.
5. The identity authentication method according to claim 1, characterized in that the method for building the behavior feature model comprises:
for each target user, obtaining the historical behavior features of the target user and using them as positive samples;
obtaining the historical behavior features of non-target users and using them as negative samples;
sorting the behavior data in the positive samples and in the negative samples in chronological order, extracting the behavior features at each single time point to obtain several behavior sequences, and converting the behavior sequences into feature vectors;
using the feature vectors as the input of a supervised learning algorithm to train the behavior feature model.
6. The identity authentication method according to claim 5, characterized in that the behavior features comprise difference behavior features and track behavior features.
7. The identity authentication method according to claim 1, characterized in that the method for building the environmental feature model comprises:
for each target user, obtaining the operating environment features of the target user and using them as positive samples;
obtaining the operating environment features of non-target users and using them as negative samples;
using the positive samples and the negative samples as the input of a supervised learning algorithm to train the environmental feature model.
8. The identity authentication method according to claim 7, characterized in that the operating environment features comprise:
software information features, hardware information features and network environment information features.
9. The identity authentication method according to claim 1, characterized in that, before obtaining the behavior features of the current operating user or the current operating environment features, the method further comprises:
collecting the raw data of the current operating user, and desensitizing the raw data;
extracting features from the desensitized data, and normalizing the extracted features.
10. An identity authentication device, characterized by comprising:
a model loading module, configured to load a corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model comprises: a behavior feature model, an environmental feature model and a comprehensive judgment model;
an identity probability obtaining module, configured to obtain the behavior features of the current operating user and input the behavior features to the behavior feature model to obtain the identity probability information of the current operating user;
an environment probability obtaining module, configured to obtain the current operating environment features and input the operating environment features to the environmental feature model to obtain environmental anomaly probability information;
a comprehensive judgment module, configured to obtain the identity authentication result of the current operating user through the comprehensive judgment model according to the identity probability information and the environmental anomaly probability information.
CN201811610585.3A 2018-12-27 2018-12-27 Identity authentication method and device Active CN109784015B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811610585.3A CN109784015B (en) 2018-12-27 2018-12-27 Identity authentication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811610585.3A CN109784015B (en) 2018-12-27 2018-12-27 Identity authentication method and device

Publications (2)

Publication Number Publication Date
CN109784015A true CN109784015A (en) 2019-05-21
CN109784015B CN109784015B (en) 2023-05-12

Family

ID=66498574

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811610585.3A Active CN109784015B (en) 2018-12-27 2018-12-27 Identity authentication method and device

Country Status (1)

Country Link
CN (1) CN109784015B (en)

Also Published As

Publication number Publication date
CN109784015B (en) 2023-05-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant