CN109784015A - Identity authentication method and device - Google Patents
- Publication number: CN109784015A
- Application number: CN201811610585.3A
- Authority: CN (China)
- Prior art keywords: identity, model, probabilistic information, user, information
- Legal status: Granted
Abstract
The present invention relates to an identity authentication method and device. The method comprises: loading the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model comprises a behavioral feature model, an environmental feature model and a comprehensive judgment model; obtaining the behavioral features of the current operating user and inputting them into the behavioral feature model to obtain the identity probability information of the current operating user; obtaining the current operating environment features and inputting them into the environmental feature model to obtain environmental anomaly probability information; and, according to the identity probability information and the environmental anomaly probability information, obtaining the identity authentication result of the current operating user through the comprehensive judgment model. The invention can comprehensively determine whether the current operating user is the legitimate user from the behavioral features of the current operating user and the current operating environment features, achieving imperceptible identity authentication and improving security and reliability.
Description
Technical field
The present invention relates to the technical field of communication security, and in particular to an identity authentication method and device.
Background art
Currently prevalent identity authentication relies mainly on biometric identification, including face recognition, fingerprint recognition, iris recognition, handwriting and so on. Biometric identification has several problems. It needs additional acquisition equipment, such as fingerprint readers and cameras, which brings equipment cost, installation effort and a lack of universal availability. Biometric features are also easily copied and forged, and the authentication module has difficulty directly distinguishing genuine feature information from forged feature information, which invalidates the authentication result.
To address the problems of the above identity authentication approaches, the invention proposes an identity authentication method based on imperceptible behavior authentication technology, which can still obtain a true and reliable identity authentication result when a password has leaked or a biometric feature has been forged or imitated.
Summary of the invention
The technical problem to be solved by the present invention is to provide an identity authentication method and device that establish an independent identity authentication model for each user and can comprehensively determine whether the current operating user is the legitimate user from the behavioral features of the current operating user and the current operating environment features, achieving imperceptible identity authentication and improving security and reliability.
To solve the above technical problem, in a first aspect the present invention provides an identity authentication method, comprising:
loading the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model comprises a behavioral feature model, an environmental feature model and a comprehensive judgment model;
obtaining the behavioral features of the current operating user and inputting the behavioral features into the behavioral feature model to obtain the identity probability information of the current operating user;
obtaining the current operating environment features and inputting the operating environment features into the environmental feature model to obtain environmental anomaly probability information;
according to the identity probability information and the environmental anomaly probability information, obtaining the identity authentication result of the current operating user through the comprehensive judgment model.
In a second aspect, the present invention provides an identity authentication device, comprising:
a model loading module, configured to load the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model comprises a behavioral feature model, an environmental feature model and a comprehensive judgment model;
an identity probability obtaining module, configured to obtain the behavioral features of the current operating user and input the behavioral features into the behavioral feature model to obtain the identity probability information of the current operating user;
an environmental probability obtaining module, configured to obtain the current operating environment features and input the operating environment features into the environmental feature model to obtain environmental anomaly probability information;
a comprehensive judgment module, configured to obtain the identity authentication result of the current operating user through the comprehensive judgment model according to the identity probability information and the environmental anomaly probability information.
Implementing the embodiments of the present invention has the following beneficial effects:
The invention establishes an independent identity authentication model for each user; the identity authentication model comprises a behavioral feature model, an environmental feature model and a comprehensive judgment model. The behavioral features of the current operating user are input into the behavioral feature model to obtain identity probability information, and the current operating environment features are input into the corresponding identity authentication model to obtain environmental anomaly probability information. Combining the identity probability information of the current operating user with the environmental anomaly probability information, the comprehensive judgment model yields the identity authentication result of the current operating user. The method is an imperceptible identity authentication method that avoids dependence on biometric features. It can effectively identify abnormal operation by someone other than the account owner in a variety of scenarios, as well as normal operation by the owner under an abnormal network or device environment, improving the security and reliability of the system.
Brief description of the drawings
Fig. 1 is a schematic diagram of the implementation environment provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of an identity authentication method provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of a method for obtaining identity probability information provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of a user identity judgment method provided by an embodiment of the present invention;
Fig. 5 is a flow diagram of a data preprocessing method provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of a behavioral feature model construction method provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of a deep learning model based on time-difference and trajectory behavior data provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of the internal structure of an LSTM provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of the Attention mechanism provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of an environmental feature model construction method provided by an embodiment of the present invention;
Fig. 11 is a schematic diagram of the overall framework of the identity authentication method provided by an embodiment of the present invention;
Fig. 12 is a schematic diagram of an identity authentication device provided by an embodiment of the present invention;
Fig. 13 is a schematic diagram of the identity probability obtaining module provided by an embodiment of the present invention;
Fig. 14 is a schematic diagram of the comprehensive judgment module provided by an embodiment of the present invention;
Fig. 15 is a schematic diagram of the weighted calculation module provided by an embodiment of the present invention;
Fig. 16 is a schematic diagram of the behavioral feature model construction module provided by an embodiment of the present invention;
Fig. 17 is a schematic diagram of the environmental feature model construction module provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Referring to Fig. 1, which shows a schematic diagram of the implementation environment of the invention, the environment may include a user terminal 110, a server 120 and a database 130. The user terminal 110 may be a terminal device with external input devices such as a mouse and a keyboard, through which the user inputs information to the terminal device. The user terminal 110 communicates with the server 120. In the invention, an SDK (Software Development Kit) provided on the front end collects the behavior information of the operating user and the operating environment information and uploads the collected information to the server 120; the collected data is also stored in the database 130. The server 120 processes the collected behavior information and operating environment information, converts the collected data into the behavioral features and operating environment features of the operating user, and inputs them into the identity authentication model to obtain the identity authentication result. When the user is identified as an illegitimate user, the server 120 sends alarm information to the user terminal 110. The database 130 stores the behavioral feature information and usage environment feature information of multiple users, which can be used for iterative training and updating of the identity authentication model.
Referring to Fig. 2, which shows an identity authentication method that can be applied on the server side, the method specifically includes:
S210. Load the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model includes a behavioral feature model, an environmental feature model and a comprehensive judgment model.
When a particular application or client is logged into with an account and password, the identity authentication model corresponding to that account can be obtained from the account's identifier. This correspondence is established in advance and stored on the server. Specifically, from the time the user registers for the application, that user's identity authentication model is trained on the user's behavioral feature information and usage environment information, and the correspondence between the registered account and the identity authentication model is established. When the account is later logged into, the identity authentication model corresponding to the account can be loaded and used to judge the identity of the current operating user.
The identity authentication model of the invention includes a behavioral feature model, an environmental feature model and a comprehensive judgment model. The behavioral features of the current user and the environmental features of the current operation are judged separately, and the identity authentication result is finally obtained.
S220. Obtain the behavioral features of the current operating user and input the behavioral features into the behavioral feature model to obtain the identity probability information of the current operating user.
The behavioral features of the user in the invention include time-difference behavioral features and trajectory behavioral features. Time-difference behavioral features include the time-difference sequence of keystrokes, the time-difference sequence of application window switching, and so on. The keystroke time-difference sequence includes the time intervals of keyboard input operations and the time intervals of mouse click operations; the time-difference sequence of application window switching can be determined from the window-ID timestamps of the application processes.
Trajectory behavioral features include the mouse input trajectory (x, y), the category trajectory sequence of application window switching, and so on. The category trajectory of application window switching can be determined from the window IDs along the time axis.
Alongside the time-difference and trajectory behavioral features there are some supplementary features, such as whether the clipboard holds data and the instantaneous movement direction and speed of the mouse. These supplementary features allow the user's usage habits to be judged more accurately. For example, if the clipboard holds data after the user operates the mouse, the user has the habit of selecting, copying and pasting with the mouse; if the clipboard holds data after the user operates the keyboard, the user has the habit of copying and pasting with the keyboard; and similarly for other cases.
Referring to Fig. 3, obtaining the identity probability information of the current operating user from the collected behavioral features may specifically include:
S310. Obtain the behavioral features of the current operating user at a preset period and obtain the corresponding identity probability information.
As long as the current user is logged into the account, the behavioral features of the current operating user are obtained continuously, and for each set of behavioral features obtained, the behavioral feature model yields the identity probability information corresponding to that set.
S320. Construct an identity probability information set and store the identity probability information of different time points in the set in chronological order.
Each time an item of identity probability information is obtained it is stored in the identity probability information set, so the set ends up holding multiple items stored in chronological order, from which the corresponding identity probability information can later be retrieved directly.
In the invention, "multiple" means two or more.
S230. Obtain the current operating environment features and input the operating environment features into the environmental feature model to obtain environmental anomaly probability information.
The operating environment information in the invention includes software information, hardware information and network environment information. Software information includes terminal device system information, virtual machine identifiers, special process ID identifiers, the process list, and so on. Hardware information includes CPU model and ID, hard disk model and ID, network card model and ID, graphics card model and ID, and so on. Network environment information includes client IP, client version, client protocol, user operating environment IP, SDK version, and so on.
The above user behavioral features and operating environment features can be obtained by converting the relevant data collected by the SDK provided on the front end.
S240. According to the identity probability information and the environmental anomaly probability information, obtain the identity authentication result of the current operating user through the comprehensive judgment model.
Combining the identity probability information and the environmental anomaly probability information yields the identity authentication result of the current operating user. For details see Fig. 4, a user identity judgment method, comprising:
S410. Obtain at least one item of identity probability information from the identity probability information set.
S420. Determine whether the number of items of identity probability information obtained is one or more than one.
S430. When there is one item of identity probability information, weight the identity probability information and the environmental anomaly probability information to obtain the identity legitimacy probability of the current operating user.
S440. When there are multiple items of identity probability information, assign a weight to each item and calculate the weighted sum of the items.
The weight for each item of identity probability information is assigned according to chronological order. Taking the current time as the reference node, the longer an item is separated from the current time, the smaller the weight it is assigned. The reasoning is that identity probability information from a time point further in the past has less influence on the current identity probability judgment.
S450. Weight the weighted sum and the environmental anomaly probability information to obtain the identity legitimacy probability of the current operating user.
Because the operating environment may change relatively little over a period of time, the environmental anomaly probability here is calculated from the current environmental anomaly probability information.
S460. Determine whether the identity legitimacy probability is greater than a preset threshold.
S470. When the identity legitimacy probability is greater than the preset threshold, determine that the current operating user is the legitimate user of the logged-in account.
The preset threshold can be determined by the requirements of the application scenario. For scenarios with higher accuracy requirements the preset threshold can be set somewhat larger; for scenarios where the accuracy requirement is not very high it can be set somewhat smaller.
Specifically, the above comprehensive judgment model can be realized by the following formula:
Wherein a and b are weighting parameters whose values can be adjusted for different application scenarios. The value range of parameter a is generally 0.8 to 1.2 and the value range of parameter b is generally 0.1 to 0.5. For a particular scenario, parameters a and b can be determined by the following method:
1. Data initialization: set a = 1, b = 0.1;
2. Substitute the initialized parameters a = 1 and b = 0.1 into formula (1) and calculate the probability value;
3. Compare the calculated probability values with the multiple items of data in the sample and calculate the average error. When the error is large, fix one parameter value and adjust the other: for example, fix the value of parameter a, adjust the value of parameter b and calculate the error; or fix the value of parameter b, adjust the value of parameter a and calculate the error. This can be implemented with a quasi-Newton iteration algorithm, finally yielding parameters a and b for which the error between the calculated identity probability information and the actual data is small. The Newton method in this embodiment is one method of solving the optimization; other optimization algorithms can also be applied in this embodiment.
$p_e$ is the environmental anomaly probability value of the current operating environment.
$\lambda_i$ is the weight of each item of identity probability information and $p_i$ is the corresponding item of identity probability information. When $N = 0$, corresponding to step S430 above in which only one item of identity probability information is obtained, $\lambda_0 = 1$. When $N > 0$, corresponding to step S440 above in which multiple items are obtained, $\lambda_0 + \lambda_1 + \cdots + \lambda_N = 1$ and $\lambda_0 > \lambda_1 > \cdots > \lambda_N$, where $\lambda_0$ is the weight for the current time point, $\lambda_1$ is the weight for the time point before the current one, $\lambda_2$ is the weight for the time point before that of $\lambda_1$, and so on. The multiple items of identity probability information are combined and the environmental anomaly probability information is then subtracted, giving the final comprehensive identity authentication result.
When there is one item of identity probability information the process is called single-behavior identity authentication; when there are multiple items it is called sequence-behavior identity authentication. Sequence-behavior identity authentication is more accurate and more reliable than single-behavior identity authentication; the specific number of identity probability items can be determined according to the actual application scenario.
In addition, the time intervals between the items of identity probability information in sequence-behavior identity authentication are not necessarily the same: the interval between one pair of items may be long while the interval between another pair is short.
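An added example (not code from the patent) of steps S410 to S470 and of the parameter-fitting procedure. Formula (1) did not survive on this page, so the form a * sum(lambda_i * p_i) - b * p_e is an assumption drawn from the surrounding description; the exponential recency weights, the 0.6 threshold, the grid search standing in for the quasi-Newton iteration, and all names and sample values are likewise assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityScore:
    timestamp: float    # when the behavioral feature model produced the score (s)
    probability: float  # p_i: probability that the operator is the account owner


def recency_weights(ages, half_life=60.0):
    """Return weights lambda_0..lambda_N that sum to 1 and shrink with age.

    Exponential decay is an assumption; the page only requires that older
    items get smaller weights and that the weights sum to 1. Using ages
    rather than positions copes with unevenly spaced items.
    """
    raw = [0.5 ** (age / half_life) for age in ages]
    total = sum(raw)
    return [r / total for r in raw]


def legitimacy_probability(scores, p_env, now, a=1.0, b=0.1, half_life=60.0):
    """Assumed formula (1): a * sum(lambda_i * p_i) - b * p_env, clamped to [0, 1]."""
    if not scores:
        raise ValueError("at least one identity score is required (S410)")
    ordered = sorted(scores, key=lambda s: s.timestamp, reverse=True)  # newest first
    ages = [now - s.timestamp for s in ordered]
    if ages[0] < 0:
        raise ValueError("score timestamp lies in the future")
    weights = recency_weights(ages, half_life)  # a single item gets lambda_0 = 1 (S430)
    weighted_sum = sum(w * s.probability for w, s in zip(weights, ordered))  # S440
    return min(1.0, max(0.0, a * weighted_sum - b * p_env))  # S450


def is_legitimate(scores, p_env, now, threshold=0.6, **params):
    """S460/S470: accept only when the legitimacy probability exceeds the threshold."""
    return legitimacy_probability(scores, p_env, now, **params) > threshold


def mean_error(samples, a, b):
    """samples: (weighted identity sum, p_env, label); label 1 = owner, 0 = not owner."""
    total = 0.0
    for weighted_sum, p_env, label in samples:
        predicted = min(1.0, max(0.0, a * weighted_sum - b * p_env))
        total += abs(predicted - label)
    return total / len(samples)


A_GRID = [round(0.80 + 0.05 * k, 2) for k in range(9)]  # 0.8 .. 1.2, range from the page
B_GRID = [round(0.10 + 0.05 * k, 2) for k in range(9)]  # 0.1 .. 0.5, range from the page


def fit_ab(samples, max_rounds=20):
    """Start at a=1, b=0.1; fix one parameter, adjust the other, until no gain."""
    a, b = 1.0, 0.1
    best = mean_error(samples, a, b)
    for _ in range(max_rounds):
        b = min(B_GRID, key=lambda v: mean_error(samples, a, v))  # a fixed
        a = min(A_GRID, key=lambda v: mean_error(samples, v, b))  # b fixed
        err = mean_error(samples, a, b)
        if err >= best:
            break
        best = err
    return a, b, mean_error(samples, a, b)


# Constructed labelled samples, for illustration only.
SAMPLES = [
    (0.92, 0.05, 1), (0.88, 0.10, 1), (0.85, 0.60, 1),
    (0.30, 0.90, 0), (0.45, 0.80, 0), (0.75, 0.95, 0),
]

if __name__ == "__main__":
    history = [IdentityScore(40.0, 0.9), IdentityScore(100.0, 0.2)]
    print(is_legitimate(history, p_env=0.8, now=100.0))
    print(fit_ab(SAMPLES))
```
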
As long as the operating user is logged into the application, the background server continuously authenticates the operating user's identity. During authentication the background server keeps obtaining the behavioral feature information of the current operating user and, using the identity authentication model, performs identity authentication at the preset period. When the current operating user is identified as an illegitimate user, the server sends alarm information. The specific ways of sending alarm information may include: the server sends alarm information to the user terminal and locks the account, or sends alarm information to a communication channel bound when the account was registered, such as a mailbox or mobile phone, to remind the account owner that the account may be at risk of misuse or theft.
The user feature information and operating environment feature information obtained during authentication can be stored in the database, and the correspondence between each account user and that feature information is established. As time passes the database stores more and more data, and the feature data can be processed periodically. For example, for a given user, feature information from more than one year ago may have little influence on judging the present identity and can be deleted.
Note that one account may also correspond to multiple identity authentication models. For example, family members may share one account while each member's behavioral features differ; in that case a corresponding identity authentication model can be generated for each family member's behavioral features and usage environment.
The above user behavioral features and operating environment features can be obtained by converting the relevant data collected by the SDK provided on the front end. For the detailed process see Fig. 5, which shows a data preprocessing method, comprising:
S510. Collect the raw data of the current operating user and desensitize the raw data.
The raw information collected includes keyboard operation information, mouse operation information, process switching information, software and hardware information, network environment information, and so on. This raw information is converted to numeric data according to preset rules, and the numeric data is then desensitized. Desensitization mainly consists of removing the actual input content and replacing it with interval times or trajectory point data.
S520. Perform feature extraction on the desensitized data and normalize the extracted features.
This step normalizes the features, removes interfering or empty data, and detects and removes abnormal data, such as data outside a specified value range. Feature conversion may include, for example, extracting timing-difference features from keyboard timestamps and extracting instantaneous movement direction and speed features from mouse data. Specifically, for keyboard operations, the timestamp when the current key is pressed and the timestamp when it is released give the key-press time interval; the timestamp when the current key is released and the timestamp when the next key is pressed give the time interval between the two keys. For mouse operations, the coordinates (x1, y1) and (x2, y2) of two trajectory points give the mouse movement direction; the timestamps of the two points give the time interval between them; and the distance between the two points combined with that time interval gives the instantaneous movement speed of the mouse.
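An added example (not code from the patent) of the S510/S520 conversions described above: key events are reduced to key-press intervals and between-key intervals with the key identity discarded, and mouse points are reduced to instantaneous direction and speed. The event tuple layout, the function names, the `max_speed` cut-off and the sample data are assumptions.

```python
import math


def keystroke_intervals(events):
    """Convert raw key events into timing features only (desensitization).

    events: (key, action, t_ms) tuples in time order, action "down" or "up".
    Returns (dwell, flight): dwell is press-to-release time per keystroke,
    flight is release-of-one-key to press-of-the-next. Flight is negative
    when the next key goes down before the previous one is released.
    """
    pending = {}   # key -> press timestamp, waiting for its release
    strokes = []   # (press_ms, release_ms); which key was typed is not kept
    for key, action, t_ms in events:
        if action == "down":
            pending.setdefault(key, t_ms)   # auto-repeat keeps the first press
        elif action == "up" and key in pending:
            strokes.append((pending.pop(key), t_ms))
        # a release with no matching press is dropped as abnormal data
    strokes.sort()
    dwell = [release - press for press, release in strokes]
    flight = [strokes[i + 1][0] - strokes[i][1] for i in range(len(strokes) - 1)]
    return dwell, flight


def mouse_motion(points, max_speed=50.0):
    """Convert (x, y, t_ms) trajectory points into (direction_deg, speed) pairs.

    Direction is atan2(dy, dx) in degrees in screen coordinates; speed is in
    pixels per millisecond. Points with a non-increasing timestamp and
    segments faster than max_speed are removed as abnormal data (S520).
    """
    features = []
    prev = None
    for x, y, t_ms in points:
        if prev is None:
            prev = (x, y, t_ms)
            continue
        dt = t_ms - prev[2]
        if dt <= 0:
            continue                      # duplicate or out-of-order sample
        dx, dy = x - prev[0], y - prev[1]
        speed = math.hypot(dx, dy) / dt
        if speed <= max_speed:
            features.append((math.degrees(math.atan2(dy, dx)), speed))
        prev = (x, y, t_ms)
    return features


# Constructed sample input: includes an orphan release, an auto-repeat press
# and overlapping keys; the mouse trace includes a duplicate sample.
EVENTS = [
    ("p", "down", 0), ("x", "up", 5), ("p", "up", 90),
    ("a", "down", 150), ("a", "down", 200), ("s", "down", 230),
    ("a", "up", 260), ("s", "up", 330),
]
POINTS = [(0, 0, 0), (3, 4, 10), (3, 4, 10), (3, 14, 30)]

if __name__ == "__main__":
    print(keystroke_intervals(EVENTS))
    print(mouse_motion(POINTS))
```
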
The normalization conversion can be realized by the following formula:
Wherein X is the data to be converted, Y is the converted data, and A and B are parameters obtained by learning, with A > B; they can be set as needed and are used to adjust the range.
The normalization conversion can also be realized with the sigmoid function, which is not described further here.
Referring to Fig. 6, which shows a behavioral feature model construction method, the method may specifically include:
S610. For each target user, obtain the historical behavioral features of the target user and use them as positive samples.
When training the behavioral feature model, the positive samples are the behavioral features of the legitimate user corresponding to the account.
S620. Obtain the historical behavioral features of non-target users and use them as negative samples.
Negative samples can be taken directly from the database; they are feature information that does not belong to the user corresponding to the account.
S630. Sort the behavior data in the positive samples and in the negative samples in chronological order, extract the behavioral features of each single time point to obtain several behavior sequences, and convert the behavior sequences into feature vectors.
The user behavioral features of each time point are concatenated into a one-dimensional vector; each one-dimensional vector contains keyboard operation features, mouse operation features, window switching features and so on.
S640. Use the feature vectors as the input of a supervised learning algorithm and train the behavioral feature model.
The one-dimensional vectors containing user behavioral features are fed in order into the supervised training model; positive samples correspond to output 1 and negative samples to output 0. For the specific training model see Fig. 7, which shows a deep learning model based on time-difference and trajectory behavior data. The training process may include: converting the original user behavioral features into one-hot vectors, feeding them into an LSTM (Long Short-Term Memory) model with an added Attention layer, and outputting the user identity probability through softmax.
A characteristic of the LSTM is that an input sequence of any length is encoded into a fixed-length vector representation, and decoding is then limited to that fixed-length vector representation. Fig. 8 shows the internal structure of each LSTM loop module. Each loop module has a 4-layer structure, comprising 3 sigmoid layers and 1 tanh layer. A circle denotes a binary operation; two arrows merging into one arrow indicates that two vectors are concatenated end to end; one arrow splitting into two arrows indicates that one datum is copied into two and sent to different places. For the concrete implementation, refer to LSTM implementations in the prior art, which are not described further here.
The Attention mechanism is applied to the output sequence to weight the behavior at each time point, making it easier for the model to focus on the behavior moments in the input sequence that are considered important and thereby exclude interfering time points, so that the prediction is more accurate. A matching module computes the degree of matching between the current input and output: the current output is matched against each input, giving the matching degree of the current output with every input. Because these values are not normalized, softmax is used so that the output weights sum to 1. With a weight for each input, the weighted vector sum can be computed. Taking Fig. 9 as an example, we have
Referring to Figure 10, which shows a schematic diagram of a method for constructing the environment feature model, the method comprises:
S1010. For each target user, obtain the operating environment features of the target user and use them as positive samples.
S1020. Obtain the operating environment features of non-target users and use them as negative samples.
The operating environment features may include the software information features, hardware information features and network environment features described above. They are mainly multidimensional features such as the number of users/devices/clients under the same IP and the number of users/requests under the same device.
As with the user behavior feature model, the positive samples are the operating environment features of the legitimate user of the account. The negative samples can be taken directly from the database and are operating environment features that do not belong to the user of the account.
S1030. Use the positive samples and the negative samples as the input of a supervised learning algorithm to train the environment feature model.
The environment feature model can be trained with the XGBOOST/GBDT algorithm. Because what is predicted is the probability that the environment is abnormal, during training the output corresponding to a positive sample is 0 and the output corresponding to a negative sample is 1.
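A sketch of steps S1010 to S1030 with the label convention just described, added here as an illustration and not taken from the patent. A small gradient-boosted decision-stump classifier in pure Python stands in for XGBoost/GBDT; the feature names, sample values and hyperparameters are constructed assumptions.

```python
"""Environment model sketch: gradient-boosted stumps trained with the page's
label convention (owner's environment -> 0, other environments -> 1)."""
import math

# Feature order follows the dimensions the text lists (names are assumed).
FEATURES = ("users_per_ip", "devices_per_ip", "clients_per_ip",
            "users_per_device", "requests_per_device")

# Constructed samples, not real data.
POSITIVE = [  # operating environments of the account's legitimate user
    (1, 1, 1, 1, 12), (2, 2, 2, 1, 30), (1, 2, 1, 1, 18),
    (3, 2, 2, 2, 25), (2, 1, 1, 1, 40), (1, 1, 2, 1, 22),
]
NEGATIVE = [  # environments that do not belong to this account's user
    (40, 25, 30, 6, 35), (120, 60, 80, 2, 400), (35, 30, 28, 9, 20),
    (60, 45, 50, 1, 150), (200, 90, 110, 12, 38), (55, 20, 33, 4, 90),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def fit_stump(X, residuals):
    """Return (feature, threshold, left_value, right_value) with least squared error."""
    mean = sum(residuals) / len(residuals)
    best = (float("inf"), 0, float("inf"), mean, mean)  # fallback: constant leaf
    for j in range(len(X[0])):
        values = sorted({row[j] for row in X})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2.0
            left = [r for row, r in zip(X, residuals) if row[j] <= thr]
            right = [r for row, r in zip(X, residuals) if row[j] > thr]
            lv, rv = sum(left) / len(left), sum(right) / len(right)
            sse = (sum((r - lv) ** 2 for r in left)
                   + sum((r - rv) ** 2 for r in right))
            if sse < best[0]:
                best = (sse, j, thr, lv, rv)
    return best[1:]


def train_environment_model(positive, negative, rounds=50, learning_rate=0.5):
    """Boost stumps on the log-loss gradient; the output is P(environment abnormal)."""
    X = [[float(v) for v in sample] for sample in positive + negative]
    y = [0.0] * len(positive) + [1.0] * len(negative)  # 0 = normal, 1 = abnormal
    prior = min(max(sum(y) / len(y), 1e-6), 1.0 - 1e-6)
    base = math.log(prior / (1.0 - prior))
    scores = [base] * len(X)
    stumps = []
    for _ in range(rounds):
        # Negative gradient of the log-loss with respect to the raw score.
        residuals = [yi - sigmoid(s) for yi, s in zip(y, scores)]
        j, thr, lv, rv = fit_stump(X, residuals)
        stumps.append((j, thr, lv, rv))
        scores = [s + learning_rate * (lv if row[j] <= thr else rv)
                  for row, s in zip(X, scores)]
    return {"base": base, "learning_rate": learning_rate, "stumps": stumps}


def environment_anomaly_probability(model, features):
    """Score one operating environment; higher means more likely abnormal."""
    score = model["base"]
    for j, thr, lv, rv in model["stumps"]:
        score += model["learning_rate"] * (lv if features[j] <= thr else rv)
    return sigmoid(score)


if __name__ == "__main__":
    model = train_environment_model(POSITIVE, NEGATIVE)
    for sample in [(2, 1, 2, 1, 20), (80, 40, 60, 3, 50)]:  # constructed probes
        print(sample, round(environment_anomaly_probability(model, sample), 3))
    first = model["stumps"][0]
    print("first split:", FEATURES[first[0]], "<=", first[1])
```

On this constructed data every split lands on the per-IP user count, so any deployment of such a model should check which features it actually relies on before trusting its score for shared networks.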
The identity authentication engine described above runs online in real time and can identify users in real time. At the same time, the identity authentication model can be iteratively trained on the offline side from the collected big data, and the online identity authentication model is updated dynamically so that the model stays adapted over the long term. The features and modeling approach used in the iterative training are similar to those of the online model. The overall system architecture of the present invention is shown in Figure 11: preprocessed data is input to the identity authentication model for online identity prediction, and the identity judgment result is finally output and fed back for verification; the offline side updates and tunes the model based on big data.
The present invention may also use unsupervised or semi-supervised algorithms to analyze abnormal samples and feature importance. The supervised classification algorithms in the present invention include GBDT/CNN/LSTM and the like, and the unsupervised or semi-supervised analysis algorithms include PCA/kmeans/LPA and the like. Combining multiple offline analysis methods can further improve the prediction accuracy of the model, and abnormal data can be monitored and removed to improve model stability.
The user feature data collected in the present invention is not limited to the categories of data described above, as long as it mainly includes the core behavior data and device environment data. The supervised classification scheme in the present invention is not limited to the conventional algorithms given; the method used in each model may differ, and a fusion of multiple algorithms may also be used.
The present invention models the user's operation behavior together with the usage environment data, combining dynamic and static data to build the user identity authentication model and identifying from multiple dimensions whether the operator is the account owner. It uses an end-to-end deep learning model to predict the identity probability, which avoids dependence on manual features; combining device and environment data further improves the stability of the model and raises the threshold that black-industry (underground cybercrime) actors must break through. An independent behavior identity model is built for each user and, combined with massive big data, is used to analyze comprehensively whether the user behavior is abnormal and whether the owner is operating; the online model is adjusted and updated dynamically and in time so that the model stays adapted over the long term.
This embodiment further provides an identity authentication device, which can be implemented in hardware and/or software. Referring to Figure 12, the device includes:
Model loading module 1210, configured to load the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model includes a behavior feature model, an environment feature model and a comprehensive judgment model;
Identity probability obtaining module 1220, configured to obtain the behavior features of the current operating user and input them to the behavior feature model to obtain the identity probability information of the current operating user;
Environment probability obtaining module 1230, configured to obtain the current operating environment features and input them to the environment feature model to obtain the environment anomaly probability information;
Comprehensive judgment module 1240, configured to obtain the identity authentication result of the current operating user through the comprehensive judgment model according to the identity probability information and the environment anomaly probability information.
Referring to Figure 13, the identity probability obtaining module 1220 includes:
First obtaining module 1310, configured to obtain the behavior features of the current operating user at a predetermined period and obtain the corresponding identity probability information.
Set building module 1320, configured to build an identity probability information set and store the identity probability information of different time points in the set in chronological order.
Referring to Figure 14, the comprehensive judgment module 1240 includes:
Second obtaining module 1410, configured to obtain at least one piece of identity probability information from the identity probability information set.
Weighted calculation module 1420, configured to perform a weighted operation on the identity probability information and the environment anomaly probability information to obtain the identity legitimacy probability of the current operating user.
Determination module 1430, configured to determine, when the identity legitimacy probability is greater than a preset threshold, that the current operating user is the legitimate user of the logged-in account.
Referring to Figure 15, the weighted calculation module 1420 further includes:
Weight distribution module 1510, configured to, when two or more pieces of identity probability information are obtained from the identity probability information set, assign a weight to each piece of identity probability information and compute the weighted sum of the identity probability information.
Comprehensive calculation module 1520, configured to perform a weighted operation on the weighted sum and the environment anomaly probability information to obtain the identity legitimacy probability of the current operating user.
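The set building, weight distribution, comprehensive calculation and determination modules above, as an added example that is not part of the patent text. The recency-decay weights, the 0.7/0.3 behavior/environment split, the inversion of the anomaly probability and the 0.6 threshold are all assumptions, since the text does not fix them.

```python
"""Comprehensive judgment: fuse periodic identity probabilities with the
environment-anomaly probability. All numeric parameters are assumptions."""
from collections import deque


class IdentityProbabilitySet:
    """Time-ordered identity probabilities (the set building step)."""

    def __init__(self, max_len=32):            # retention limit is assumed
        self.items = deque(maxlen=max_len)     # (timestamp, probability)

    def add(self, timestamp, probability):
        if not 0.0 <= probability <= 1.0:
            raise ValueError("probability must be within [0, 1]")
        if self.items and timestamp < self.items[-1][0]:
            raise ValueError("samples must arrive in chronological order")
        self.items.append((timestamp, probability))

    def latest(self, n):
        """Return up to n most recent probabilities, oldest first."""
        if n < 1:
            raise ValueError("n must be at least 1")
        return [p for _, p in list(self.items)[-n:]]


def weighted_identity(probabilities, decay=0.5):
    """Weighted sum of identity probabilities (oldest first, newest last).

    Assumed scheme: weight = decay ** age, normalised so the weights sum to 1.
    """
    if not probabilities:
        raise ValueError("need at least one identity probability")
    ages = range(len(probabilities) - 1, -1, -1)   # newest sample has age 0
    raw = [decay ** age for age in ages]
    return sum(w * p for w, p in zip(raw, probabilities)) / sum(raw)


def identity_legal_probability(probabilities, env_anomaly,
                               behavior_weight=0.7, decay=0.5):
    """Fuse behavior and environment into one identity legitimacy probability.

    env_anomaly is P(environment abnormal), so it is inverted before fusing.
    """
    if not 0.0 <= env_anomaly <= 1.0:
        raise ValueError("env_anomaly must be within [0, 1]")
    behavior = weighted_identity(probabilities, decay)
    environment_ok = 1.0 - env_anomaly
    return behavior_weight * behavior + (1.0 - behavior_weight) * environment_ok


def judge(prob_set, env_anomaly, window=3, threshold=0.6):
    """Return (probability, is_legitimate) for the current operating user."""
    if not prob_set.items:
        return 0.0, False   # no behavioral evidence yet: fail closed (assumed)
    recent = prob_set.latest(window)
    p = identity_legal_probability(recent, env_anomaly)
    return p, p > threshold


def replay(samples, env_anomaly, period=5.0):
    """Feed constructed per-period probabilities; return the decision after each."""
    store = IdentityProbabilitySet()
    decisions = []
    for i, prob in enumerate(samples):
        store.add(i * period, prob)
        decisions.append(judge(store, env_anomaly)[1])
    return decisions


if __name__ == "__main__":
    # Constructed sessions: (behavior model outputs per period, env anomaly).
    sessions = {
        "owner, usual environment": ([0.9, 0.85, 0.92], 0.1),
        "owner, unusual network": ([0.9, 0.9, 0.9], 0.9),
        "operator changes mid-session": ([0.9, 0.9, 0.2, 0.2, 0.15], 0.1),
        "leaked password, foreign environment": ([0.2, 0.15, 0.1], 0.8),
    }
    for name, (samples, env) in sessions.items():
        print(name, replay(samples, env))
```

With these assumed weights a change of operator mid-session is flagged one period after the first low score; a shorter window or steeper decay reduces that latency at the cost of more false rejections.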
Referring to Figure 16, the device further includes a behavior feature model construction module 1600, which includes:
Behavior positive sample obtaining module 1610, configured to obtain, for each target user, the historical behavior features of the target user and use them as positive samples.
Behavior negative sample obtaining module 1620, configured to obtain the historical behavior features of non-target users and use them as negative samples.
Behavior sample conversion module 1630, configured to sort the behavior data in the positive samples and in the negative samples in chronological order, extract the behavior features at each single time point to obtain several behavior feature sequences, and convert the behavior feature sequences into feature vectors.
Behavior feature training module 1640, configured to use the feature vectors as the input of a supervised learning algorithm to train the behavior feature model.
Referring to Figure 17, the device further includes an environment feature model construction module 1700, which includes:
Environment positive sample obtaining module 1710, configured to obtain, for each target user, the operating environment features of the target user and use them as positive samples.
Environment negative sample obtaining module 1720, configured to obtain the operating environment features of non-target users and use them as negative samples.
Environment feature training module 1730, configured to use the positive samples and the negative samples as the input of a supervised learning algorithm to train the environment feature model.
The device further includes a preprocessing module, configured to collect the raw data of the operating user, desensitize the raw data, perform feature extraction on the desensitized data, and normalize the extracted features.
The device provided in the above embodiment can perform the method provided by any embodiment of the present invention and has the functional modules and beneficial effects corresponding to that method. For technical details not described in detail in the above embodiment, refer to the method provided by any embodiment of the present invention.
The present invention can effectively identify abnormal operation by someone other than the account owner in a variety of scenarios, such as the high-risk scenarios of password leakage and device theft, as well as normal operation by the owner under an abnormal network/device environment. It achieves imperceptible identity authentication, and the method has higher security and reliability. The present invention requires no additional hardware, and because it uses imperceptible techniques the data is not exposed explicitly, which makes it harder for black-industry actors to replicate and attack. The present invention is mainly applicable to identity authentication scenarios on the PC side, including payment transactions, login verification and the like, and provides an imperceptible, behavior-based identity authentication method for cases where a password is leaked or a biometric feature is forged or imitated.
This embodiment further provides a computer-readable storage medium storing computer-executable instructions, which are loaded by a processor to execute any of the methods of this embodiment described above.
This embodiment further provides a device including a processor and a memory, wherein the processor is configured to call and execute the program stored in the memory, and the memory is configured to store the program, which implements any of the methods of this embodiment described above.
This specification provides the method operation steps as described in the embodiments or flowcharts, but more or fewer operation steps may be included based on routine or non-inventive effort. The steps and order listed in the embodiments are only one of many possible execution orders and do not represent the only execution order. When an actual system or terminal product executes, the steps may be executed sequentially or in parallel according to the embodiments or the methods shown in the drawings (for example, in a parallel-processor or multi-threaded environment).
The structure shown in this embodiment is only the part of the structure relevant to the solution of this application and does not limit the devices to which the solution is applied; a specific device may include more or fewer components than shown, combine certain components, or arrange the components differently. It should be understood that the methods, devices and the like disclosed in this embodiment may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules is only a division by logical function, and other divisions are possible in an actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or unit modules.
Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed in this specification can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of the present invention.
Finally, the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. An identity authentication method, characterized by comprising:
loading the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model includes a behavior feature model, an environment feature model and a comprehensive judgment model;
obtaining the behavior features of the current operating user and inputting the behavior features to the behavior feature model to obtain the identity probability information of the current operating user;
obtaining the current operating environment features and inputting the operating environment features to the environment feature model to obtain the environment anomaly probability information;
obtaining the identity authentication result of the current operating user through the comprehensive judgment model according to the identity probability information and the environment anomaly probability information.
2. The identity authentication method according to claim 1, characterized in that obtaining the behavior features of the current operating user and inputting the behavior features to the behavior feature model to obtain the identity probability information of the current operating user comprises:
obtaining the behavior features of the current operating user at a predetermined period and obtaining the corresponding identity probability information;
building an identity probability information set and storing the identity probability information of different time points in the identity probability information set in chronological order.
3. The identity authentication method according to claim 2, characterized in that obtaining the identity authentication result of the current operating user through the comprehensive judgment model according to the identity probability information and the environment anomaly probability information comprises:
obtaining at least one piece of identity probability information from the identity probability information set;
performing a weighted operation on the identity probability information and the environment anomaly probability information to obtain the identity legitimacy probability of the current operating user;
when the identity legitimacy probability is greater than a preset threshold, determining that the current operating user is the legitimate user of the logged-in account.
4. The identity authentication method according to claim 3, characterized in that, when two or more pieces of identity probability information are obtained from the identity probability information set, performing the weighted operation on the identity probability information and the environment anomaly probability information to obtain the identity judgment probability of the current operating user comprises:
assigning a weight to each piece of identity probability information and computing the weighted sum of the identity probability information;
performing a weighted operation on the weighted sum and the environment anomaly probability information to obtain the identity legitimacy probability of the current operating user.
5. The identity authentication method according to claim 1, characterized in that the method for constructing the behavior feature model comprises:
for each target user, obtaining the historical behavior features of the target user and using them as positive samples;
obtaining the historical behavior features of non-target users and using them as negative samples;
sorting the behavior data in the positive samples and in the negative samples in chronological order, extracting the behavior features at each single time point to obtain several behavior sequences, and converting the behavior sequences into feature vectors;
using the feature vectors as the input of a supervised learning algorithm to train the behavior feature model.
6. The identity authentication method according to claim 5, characterized in that the behavior features include differential behavior features and trajectory behavior features.
7. The identity authentication method according to claim 1, characterized in that the method for constructing the environment feature model comprises:
for each target user, obtaining the operating environment features of the target user and using them as positive samples;
obtaining the operating environment features of non-target users and using them as negative samples;
using the positive samples and the negative samples as the input of a supervised learning algorithm to train the environment feature model.
8. The identity authentication method according to claim 7, characterized in that the operating environment features include:
software information features, hardware information features and network environment information features.
9. The identity authentication method according to claim 1, characterized in that, before obtaining the behavior features of the current operating user or the current operating environment features, the method further comprises:
collecting the raw data of the current operating user and desensitizing the raw data;
performing feature extraction on the desensitized data and normalizing the extracted features.
10. An identity authentication device, characterized by comprising:
a model loading module, configured to load the corresponding identity authentication model according to the identifier of the logged-in account, wherein the identity authentication model includes a behavior feature model, an environment feature model and a comprehensive judgment model;
an identity probability obtaining module, configured to obtain the behavior features of the current operating user and input the behavior features to the behavior feature model to obtain the identity probability information of the current operating user;
an environment probability obtaining module, configured to obtain the current operating environment features and input the operating environment features to the environment feature model to obtain the environment anomaly probability information;
a comprehensive judgment module, configured to obtain the identity authentication result of the current operating user through the comprehensive judgment model according to the identity probability information and the environment anomaly probability information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811610585.3A CN109784015B (en) | 2018-12-27 | 2018-12-27 | Identity authentication method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811610585.3A CN109784015B (en) | 2018-12-27 | 2018-12-27 | Identity authentication method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109784015A (en) | 2019-05-21 |
CN109784015B (en) | 2023-05-12 |
Family ID=66498574
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811610585.3A Active CN109784015B (en) | 2018-12-27 | 2018-12-27 | Identity authentication method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109784015B (en) |
- 2018-12-27 CN CN201811610585.3A patent/CN109784015B/en active Active
Patent Citations (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140373139A1 (en) * | 2013-06-13 | 2014-12-18 | Alibaba Group Holding Limited | Method and system of distinguishing between human and machine |
JP2016018398A (en) * | 2014-07-08 | 2016-02-01 | 株式会社 日立産業制御ソリューションズ | Biometric authentication device, authentication control method and entering/leaving management system |
CN105844123A (en) * | 2015-01-14 | 2016-08-10 | 中兴通讯股份有限公司 | Method and device for identity authentication on terminal, and terminal |
US20160378544A1 (en) * | 2015-06-29 | 2016-12-29 | International Business Machines Corporation | Intellective switching between tasks |
WO2017032261A1 (en) * | 2015-08-21 | 2017-03-02 | 中国银联股份有限公司 | Identity authentication method, device and apparatus |
WO2017071126A1 (en) * | 2015-10-28 | 2017-05-04 | 同济大学 | Touch-screen user key-press behavior pattern construction and analysis system and identity recognition method thereof |
CN106713241A (en) * | 2015-11-16 | 2017-05-24 | 腾讯科技(深圳)有限公司 | Identity verification method, device and system |
WO2018073649A1 (en) * | 2016-10-17 | 2018-04-26 | Basewalk Ltd. | Desktop management and data transfer in a multi-computer environment |
CN106507308A (en) * | 2016-11-29 | 2017-03-15 | 中国银联股份有限公司 | A kind of identity identifying method and device |
CN107317682A (en) * | 2017-05-10 | 2017-11-03 | 史展 | A kind of identity identifying method and system |
CN107819748A (en) * | 2017-10-26 | 2018-03-20 | 北京顶象技术有限公司 | A kind of anti-identifying code implementation method cracked and device |
CN107819945A (en) * | 2017-10-30 | 2018-03-20 | 同济大学 | The handheld device navigation patterns authentication method and system of comprehensive many factors |
CN108416198A (en) * | 2018-02-06 | 2018-08-17 | 平安科技(深圳)有限公司 | Man-machine identification model establishes device, method and computer readable storage medium |
CN108512827A (en) * | 2018-02-09 | 2018-09-07 | 世纪龙信息网络有限责任公司 | The identification of abnormal login and method for building up, the device of supervised learning model |
CN108683813A (en) * | 2018-05-18 | 2018-10-19 | 西北工业大学 | A kind of user identity based on smart mobile phone use habit continues recognition methods |
CN110162939A (en) * | 2018-10-25 | 2019-08-23 | 腾讯科技(深圳)有限公司 | Man-machine recognition methods, equipment and medium |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110232473A (en) * | 2019-05-22 | 2019-09-13 | 重庆邮电大学 | A kind of black production user in predicting method based on big data finance |
CN110232473B (en) * | 2019-05-22 | 2022-12-27 | 重庆邮电大学 | Black product user prediction method based on big data finance |
CN110335144A (en) * | 2019-07-10 | 2019-10-15 | 中国工商银行股份有限公司 | Personal electric bank account safety detection method and device |
US11182475B2 (en) | 2019-08-06 | 2021-11-23 | Advanced New Technologies Co., Ltd. | Detecting fraudulent facial recognition |
WO2021022795A1 (en) * | 2019-08-06 | 2021-02-11 | 创新先进技术有限公司 | Method, apparatus, and device for detecting fraudulent behavior during facial recognition process |
US10936715B1 (en) | 2019-08-06 | 2021-03-02 | Advanced New Technologies Co., Ltd. | Detecting fraudulent facial recognition |
CN110619528A (en) * | 2019-09-29 | 2019-12-27 | 武汉极意网络科技有限公司 | Behavior verification data processing method, behavior verification data processing device, behavior verification equipment and storage medium |
CN112131551A (en) * | 2020-09-25 | 2020-12-25 | 平安国际智慧城市科技股份有限公司 | Verification code verification method and device, computer equipment and readable storage medium |
CN113259368A (en) * | 2021-06-01 | 2021-08-13 | 北京芯盾时代科技有限公司 | Identity authentication method, device and equipment |
CN115412373A (en) * | 2022-11-01 | 2022-11-29 | 中网信安科技有限公司 | Method and system for safely accessing mechanical-electrical integrated industrial control network |
CN115412373B (en) * | 2022-11-01 | 2023-03-21 | 中网信安科技有限公司 | Method and system for safely accessing mechanical-electrical integrated industrial control network |
CN115859372A (en) * | 2023-03-04 | 2023-03-28 | 成都安哲斯生物医药科技有限公司 | Medical data desensitization method and system |
CN115859372B (en) * | 2023-03-04 | 2023-04-25 | 成都安哲斯生物医药科技有限公司 | Medical data desensitization method and system |
Also Published As
Publication number | Publication date |
---|---|
CN109784015B (en) | 2023-05-12 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CN109784015A (en) | A kind of authentication identifying method and device | |
CN107316198B (en) | Account risk identification method and device | |
He et al. | A novel multimodal-sequential approach based on multi-view features for network intrusion detection | |
Li et al. | Unobservable re-authentication for smartphones. | |
CN110489964A (en) | Account detection method, device, server and storage medium | |
CN111368926B (en) | Image screening method, device and computer readable storage medium | |
CN112052948B (en) | Network model compression method and device, storage medium and electronic equipment | |
CN110414550B (en) | Training method, device and system of face recognition model and computer readable medium | |
JP2022141931A (en) | Method and device for training living body detection model, method and apparatus for living body detection, electronic apparatus, storage medium, and computer program | |
CN114332984B (en) | Training data processing method, device and storage medium | |
CN112700252A (en) | Information security detection method and device, electronic equipment and storage medium | |
CN110162939B (en) | Man-machine identification method, equipment and medium | |
CN112613599A (en) | Network intrusion detection method based on generation countermeasure network oversampling | |
CN111488501A (en) | E-commerce statistical system based on cloud platform | |
CN110555007B (en) | Method and device for discriminating theft behavior, computing equipment and storage medium | |
López et al. | A supervised ML biometric continuous authentication system for industry 4.0 | |
CN107222319A (en) | A kind of traffic operation analysis method and device | |
Yang et al. | An academic social network friend recommendation algorithm based on decision tree | |
Moctezuma et al. | Appearance model update based on online learning and soft‐biometrics traits for people re‐identification in multi‐camera environments | |
CN112491875B (en) | Intelligent tracking safety detection method and system based on account system | |
CN114021181A (en) | Mobile intelligent terminal privacy continuous protection system and method based on use habits | |
Tsaur et al. | Effective Bots’ Detection for Online Smartphone Game Using Multilayer Perceptron Neural Networks | |
CN113822412A (en) | Graph node marking method, device, equipment and storage medium | |
CN112364136A (en) | Keyword generation method, device, equipment and storage medium | |
Reichhuber et al. | Evolving Gaussian Mixture Models for Classification. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |