CN109784015B - Identity authentication method and device - Google Patents

Identity authentication method and device

Info

Publication number: CN109784015B
Application number: CN201811610585.3A
Authority: CN (China)
Prior art keywords: identity, behavior, probability information, environment, user
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Other languages: Chinese (zh)
Other versions: CN109784015A
Inventor: 范小龙
Current assignee: Tencent Technology Shenzhen Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201811610585.3A; published as CN109784015A; application granted and published as CN109784015B.

Landscapes

  • Collating Specific Patterns (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to an identity authentication method and device. The method comprises the following steps: loading the identity authentication model corresponding to the identifier of the logged-in account, the model comprising a behavior feature model, an environment feature model and a comprehensive judgment model; acquiring the behavior features of the current operation user and inputting them into the behavior feature model to obtain identity probability information for that user; acquiring the current operating environment features and inputting them into the environment feature model to obtain environment anomaly probability information; and obtaining the identity authentication result of the current operation user from the comprehensive judgment model according to the identity probability information and the environment anomaly probability information. Whether the current operation user is the legitimate user can thus be judged jointly from the user's behavior features and the current operating environment features, which realizes imperceptible (non-intrusive) identity authentication and improves security and reliability.

Description

Identity authentication method and device
Technical Field
The present invention relates to the field of communications security technologies, and in particular, to an identity authentication method and apparatus.
Background
Currently popular identity authentication is mainly based on biometric features, including face recognition, fingerprint recognition, iris recognition, handwriting and the like. Biometric authentication has several problems: it needs additional acquisition hardware such as fingerprint readers or cameras, which brings equipment cost and installation problems and prevents wide deployment; and biometric features are easy to copy and forge, while the authentication module can hardly tell genuine feature data from forged data, so the authentication result may be invalid.
To address these problems, the invention provides an identity authentication method based on imperceptible behavior authentication, which can still produce a trustworthy authentication result when a password has been leaked or biometric features have been counterfeited.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an identity authentication method and an identity authentication device, which are used for establishing an independent identity authentication model for each user, comprehensively judging whether the current operation user is a legal user according to the behavior characteristics of the current operation user and the current operation environment characteristics, realizing the imperceptible identity authentication and improving the safety and the reliability.
In order to solve the above technical problem, in a first aspect, the present invention provides an identity authentication method, including:
loading a corresponding identity authentication model according to the identification of the logged-in account, wherein the identity authentication model comprises: a behavior feature model, an environment feature model and a comprehensive judgment model;
acquiring behavior characteristics of a current operation user, and inputting the behavior characteristics into the behavior characteristic model to obtain identity probability information of the current operation user;
acquiring current operation environment characteristics, and inputting the operation environment characteristics into the environment characteristic model to obtain environment anomaly probability information;
and obtaining the identity authentication result of the current operation user through the comprehensive judgment model according to the identity probability information and the environment anomaly probability information.
In a second aspect, the present invention provides an identity authentication device comprising:
the model loading module is used for loading a corresponding identity authentication model according to the identification of the logged-in account, wherein the identity authentication model comprises: a behavior feature model, an environment feature model and a comprehensive judgment model;
the identity probability acquisition module is used for acquiring the behavior characteristics of the current operation user, inputting the behavior characteristics into the behavior characteristic model and obtaining the identity probability information of the current operation user;
The environment probability acquisition module is used for acquiring current operation environment characteristics, inputting the operation environment characteristics into the environment characteristic model and obtaining environment anomaly probability information;
and the comprehensive judgment module is used for obtaining the identity authentication result of the current operation user through the comprehensive judgment model according to the identity probability information and the environment anomaly probability information.
The embodiment of the invention has the following beneficial effects:
the method establishes an independent identity authentication model for each user, the model comprising a behavior feature model, an environment feature model and a comprehensive judgment model; the behavior features of the current operation user are input into the behavior feature model to obtain identity probability information, and the current operating environment features are input into the environment feature model to obtain environment anomaly probability information; the comprehensive judgment model then combines the identity probability information and the environment anomaly probability information into the identity authentication result of the current operation user. This is an imperceptible identity authentication method that avoids dependence on biometric features, can detect abnormal operation by someone other than the account owner in various environments as well as normal operation by the owner in an abnormal network or device environment, and improves the security and reliability of the system.
Drawings
FIG. 1 is a schematic illustration of an implementation environment provided by an embodiment of the present invention;
FIG. 2 is a schematic flow chart of an identity authentication method according to an embodiment of the present invention;
fig. 3 is a schematic flow chart of a method for acquiring identity probability information according to an embodiment of the present invention;
fig. 4 is a flowchart of a user identity determining method according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of a data preprocessing method according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a behavior feature model construction method according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a deep learning model based on differential and trajectory behavior data according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of an LSTM internal structure provided by an embodiment of the invention;
FIG. 9 is a schematic diagram of an Attention mechanism provided by an embodiment of the present invention;
FIG. 10 is a schematic diagram of an environmental feature model construction method according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of an overall framework of an identity authentication method according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of an identity authentication device according to an embodiment of the present invention;
FIG. 13 is a schematic diagram of an identity probability acquisition module according to an embodiment of the present invention;
FIG. 14 is a schematic diagram of a comprehensive judgment module according to an embodiment of the present invention;
FIG. 15 is a schematic diagram of a weight calculation module according to an embodiment of the present invention;
FIG. 16 is a schematic diagram of a behavior feature model building module provided by an embodiment of the present invention;
FIG. 17 is a schematic diagram of an environmental feature model building module according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings, for the purpose of making the objects, technical solutions and advantages of the present invention more apparent. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 shows a schematic view of an implementation environment of the invention, comprising a user terminal 110, a server 120 and a database 130. The user terminal 110 may be a terminal device with external input devices such as a mouse and a keyboard, through which the user enters information. The user terminal 110 is in data communication with the server 120: in the invention, the behavior information and operating environment information of the operation user are collected by the SDK (Software Development Kit) provided by the front end and uploaded to the server 120, and the collected data is also stored in the database 130. The server 120 processes the collected behavior and operating environment information, converts it into behavior features and operating environment features of the operation user, and inputs these into the identity authentication model to obtain an authentication result; when the user is identified as an illegitimate user, the server 120 sends alarm information to the user terminal 110. The database 130 stores behavior feature information and usage environment feature information of many users and can be used for iterative training and updating of the identity authentication models.
Referring to fig. 2, an identity authentication method is shown, which can be applied to a server side, and specifically includes:
s210, loading a corresponding identity authentication model according to the identification of the logged-in account, wherein the identity authentication model comprises: behavior feature model, environment feature model and comprehensive judgment model.
When a specific application or client is logged in through an account number and a password, an identity authentication model corresponding to the account number can be obtained through the identification of the account number, and the corresponding relation is pre-established and reserved in a server and specifically can be: the user starts to register the application, trains the identity authentication model of the user according to the behavior characteristic information and the use environment information of the user, and establishes the corresponding relation between the registered account and the identity authentication model, so that the user can load the identity authentication model corresponding to the account according to the account when logging in the account, and judge the identity of the current operation user.
The identity authentication model of the present invention comprises: the behavior feature model, the environment feature model and the comprehensive judgment model need to respectively judge the behavior feature of the current user and the environment feature of the current operation, and finally an identity authentication result is obtained.
S220, acquiring behavior characteristics of a current operation user, and inputting the behavior characteristics into the behavior characteristic model to obtain identity probability information of the current operation user.
The behavior characteristics of the user in the invention comprise differential behavior characteristics and track behavior characteristics, wherein the differential behavior characteristics comprise: a time difference sequence of key strokes, a time difference sequence of application window switching and the like, wherein the time difference sequence of key strokes comprises a time interval of keyboard input operation, a time interval of mouse click operation and the like; the time difference sequence of application window switching may be determined from the window ID timestamp of the application process.
The track behavior features include: mouse input track (x, y), category track sequence using window switching, etc., where the category track using window switching can be determined by the ID of the window on the time axis.
Along with the differential and track behavior features, additional features are included, such as whether the clipboard holds data and the instantaneous movement direction and speed of the mouse. These additional features help to characterize usage habits: if the clipboard holds data after the user operates the mouse, the user tends to select, copy and paste with the mouse; if it holds data after keyboard operation, the user tends to copy and paste with keyboard shortcuts.
Referring to fig. 3, according to the obtained behavior characteristics of the operation users, obtaining the identity probability information of the current operation user may specifically include:
s310, acquiring behavior characteristics of a current operation user in a preset period, and obtaining corresponding identity probability information.
And as long as the current user logs in the account, the behavior characteristics of the current operation user are always acquired, and the identity probability information corresponding to the behavior characteristics is obtained through the behavior characteristic model according to the behavior characteristics acquired each time.
S320, constructing an identity probability information set, and storing the identity probability information of different time points into the identity probability information set according to a time sequence.
And storing the identity probability information into an identity probability information set every time the identity probability information is obtained, and finally obtaining a plurality of identity probability information stored in time sequence so as to be convenient for directly obtaining corresponding identity probability information from the set. The term "plurality of items" means two or more items.
S230, acquiring current operation environment characteristics, and inputting the operation environment characteristics into the environment characteristic model to obtain environment anomaly probability information.
The operating environment information in the present invention includes: software information, hardware information and network environment information, wherein the software information comprises terminal equipment system information, virtual machine identification, special process ID identification, a process list and the like; the hardware information comprises CPU model and ID, hard disk model and ID, network card model and ID, display card model and ID, etc.; the network environment information includes client IP, client version, client protocol, user operating environment IP, SDK version, etc.
The user behavior characteristics and the operation environment characteristics can be obtained by converting related data information acquired by the SDK provided by the front end.
S240, obtaining an identity authentication result of the current operation user through the comprehensive judgment model according to the identity probability information and the environment anomaly probability information.
The identity probability information and the environment anomaly probability information are combined to obtain the identity authentication result of the current operation user, specifically referring to fig. 4, a user identity judging method includes:
s410, acquiring at least one item of identity probability information from the identity probability information set.
S420, judging whether the number of the acquired identity probability information items is one item or multiple items.
S430, when the number of items of the identity probability information is one, weighting operation is carried out on the identity probability information and the environment anomaly probability information, and the identity legal probability of the current operation user is obtained.
S440, when the number of items of the identity probability information is multiple, weight is allocated to each item of the identity probability information, and the weighted sum of the identity probability information is calculated.
When the weights corresponding to the identity probability information are specifically allocated, the weights are also allocated according to the time sequence, the current time is taken as a node, the longer the time interval between the current time and the node is, the smaller the allocated weights are, and the significance is that: the longer the time interval from the current time point, the smaller the influence of the identity probability information of the past time point on the current identity probability judgment.
S450, carrying out weighted operation on the weighted sum and the environment anomaly probability information to obtain the identity legal probability of the current operation user.
Since the change in the operating environment over a period of time may be relatively small, the environmental anomaly probability here is calculated with the current environmental anomaly probability information.
S460, judging whether the identity legal probability is larger than a preset threshold value.
S470, when the identity legal probability is larger than a preset threshold value, judging that the current operation user is the legal user of the logged-in account.
The preset threshold value can be determined according to application scenes with different requirements, and the preset threshold value can be set to be larger for scenes with higher accuracy requirements; for application scenarios where the accuracy requirement is not very high, the preset threshold may be set smaller.
Specifically, the above comprehensive judgment model can be realized by the following formula:
[formula (1): shown as an image in the original and not reproduced here]
Here a and b are weighting parameters that can be adjusted for different application scenarios; a usually lies in the range 0.8-1.2 and b in the range 0.1-0.5. For a specific scenario, a and b can be determined as follows:
1. data initialization, let a=1, b=0.1;
2. Substituting the initialized parameters a=1 and b=0.1 into the formula (1), and calculating to obtain an initial probability value;
3. Comparing the calculated initial probability value with the items of labelled sample data and computing the average error; while the error is large, fix one parameter and adjust the other: for example, fix a, adjust b and recompute the error, or fix b, adjust a and recompute the error. This can be implemented with a quasi-Newton iteration, and finally yields values of a and b for which the calculated identity probability differs least from the actual data. The quasi-Newton method is used here as the optimization method; other optimization algorithms may equally be applied in this embodiment.
$p_e$ is the environment anomaly probability of the current operating environment.
$\lambda_i$ is the weight of each item of identity probability information and $p_i$ the corresponding item. When $N = 0$ only one item of identity probability information is obtained (step S430) and $\lambda_0 = 1$; when $N > 0$ multiple items are obtained (step S440) and $\lambda_0 + \lambda_1 + \cdots + \lambda_N = 1$ with $\lambda_0 > \lambda_1 > \cdots > \lambda_N$, where $\lambda_0$ is the weight of the current time point, $\lambda_1$ the weight of the time point before it, $\lambda_2$ the weight of the time point before that, and so on. The multiple items of identity probability information are combined and the environment anomaly probability information is subtracted to obtain the final comprehensive identity authentication result.
Authentication with one item of identity probability information is called single-behavior identity authentication; authentication with multiple items is called sequence-behavior identity authentication, which is more accurate and reliable than single-behavior authentication. The number of items used can be chosen according to the actual application scenario.
In addition, the time intervals between the identity probability information in the sequence behavior identity authentication are not necessarily the same, and the two time intervals can be long, and the other two time intervals are short.
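The fusion of steps S410-S470, with the time-decayed weights and the parameter search just described, as an added worked example (not the patent's own code). The patent gives formula (1) only as an image; the form used here, a times the weighted sum of identity probabilities minus b times the environment anomaly probability, is an assumption that follows the textual description, and the geometric decay rate, the search step and the sample data are constructed for the example.

```python
"""Comprehensive judgment model: sequence-behaviour fusion (added example).

Assumed form of formula (1): P = a * sum_i(lambda_i * p_i) - b * p_e, with
lambda_0 = 1 for a single item and strictly decreasing, normalised weights for
a sequence. The decay, step sizes and samples are constructed assumptions.
"""
from typing import List, Sequence, Tuple


def time_decay_weights(n: int, decay: float = 0.5) -> List[float]:
    """Weights lambda_0 .. lambda_N for probabilities ordered newest first.

    lambda_0 belongs to the current time point; older items get geometrically
    smaller weights, normalised to sum to 1. For n == 1 this yields
    lambda_0 = 1, the single-behaviour case of step S430.
    """
    if n < 1:
        raise ValueError("need at least one identity probability")
    raw = [decay ** i for i in range(n)]
    total = sum(raw)
    return [w / total for w in raw]


def legal_probability(p_ids: Sequence[float], p_env: float,
                      a: float = 1.0, b: float = 0.1, decay: float = 0.5) -> float:
    """Identity-legal probability of the current operation user.

    p_ids: identity probabilities from the identity probability set, newest first
    p_env: environment anomaly probability of the current environment (step S450
           uses only the current one, since the environment changes slowly)
    """
    lam = time_decay_weights(len(p_ids), decay)
    fused = sum(l * p for l, p in zip(lam, p_ids))   # weighted sum of step S440
    return a * fused - b * p_env                      # subtract environment anomaly


def is_legal_user(p_ids: Sequence[float], p_env: float, threshold: float,
                  a: float = 1.0, b: float = 0.1) -> bool:
    """Steps S460/S470: the user is legal when the probability exceeds the threshold."""
    return legal_probability(p_ids, p_env, a, b) > threshold


def fit_ab(samples: Sequence[Tuple[Sequence[float], float, float]],
           a: float = 1.0, b: float = 0.1, step: float = 0.05,
           rounds: int = 20) -> Tuple[float, float, float]:
    """Coordinate search for a and b: fix one parameter, move the other while the
    mean absolute error on labelled samples (p_ids, p_env, label) decreases.
    Stands in for the quasi-Newton iteration of the text; the parameter ranges
    0.8-1.2 and 0.1-0.5 are the ones quoted above. Returns (a, b, error).
    """
    def mae(a_: float, b_: float) -> float:
        return sum(abs(legal_probability(p, e, a_, b_) - y)
                   for p, e, y in samples) / len(samples)

    best = mae(a, b)
    for _ in range(rounds):
        improved = False
        for name in ("a", "b"):
            for sign in (+1, -1):
                na, nb = (a + sign * step, b) if name == "a" else (a, b + sign * step)
                if 0.8 <= na <= 1.2 and 0.1 <= nb <= 0.5:
                    err = mae(na, nb)
                    if err < best:
                        a, b, best, improved = na, nb, err, True
        if not improved:
            break
    return a, b, best


if __name__ == "__main__":
    # Constructed sample: three identity probabilities, newest first, mild env anomaly.
    print(legal_probability([0.9, 0.8, 0.6], 0.1))          # sequence behaviour
    print(legal_probability([0.9], 0.2))                    # single behaviour
    print(fit_ab([([0.95, 0.9], 0.05, 1.0), ([0.2, 0.3], 0.9, 0.0)]))
```

The threshold comparison is the only place where the scenario's accuracy requirement enters; the weights and the parameters a and b are learned or configured once per deployment and do not depend on the threshold.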
The background server keeps authenticating the operation user for as long as the user is logged into the application. During authentication, the background server continuously collects behavior feature information of the current operation user and runs the authentication operation with the identity authentication model at a preset period. When the current operation user is identified as an illegitimate user, the server sends alarm information; for example, it sends the alarm to the user terminal and locks the account, or sends it to the e-mail address, mobile phone or messaging account bound at registration, so as to remind the account owner that the account may have been stolen or hijacked.
The user characteristic information and the operating environment characteristic information acquired in the identity authentication process can be stored in a database, and the corresponding relation between each account user and the characteristic information is established. As time goes on, the data information stored in the database is more and more, and the characteristic information data can be processed periodically, for example, for the characteristic information of a certain user, the characteristic information before one year may have little influence on the present identity judgment, and the characteristic information can be deleted.
It should be noted that, one account may correspond to multiple authentication models, for example, family members share the same account, but the user behavior characteristics of each member are different, and at this time, the corresponding authentication model may be generated for the behavior characteristics and the usage environment of each family member.
The above user behavior characteristics and operation environment characteristics may be obtained by converting related data information collected by the SDK provided by the front end, and a specific process may be referred to fig. 5, which shows a data preprocessing method, including:
s510, collecting original data information of a current operation user, and performing desensitization processing on the original data information.
The collected raw information includes keyboard operation information, mouse operation information, process switching information, software and hardware information, network environment information and the like, and is first converted into numerical data according to preset rules. The numerical data is then desensitized, which mainly means removing the actual input content and keeping only interval times or track point data.
S520, extracting features of the desensitized data information, and normalizing the extracted features.
This step normalizes the features, removes interfering or empty data, and detects, analyzes and removes abnormal data, such as values outside the specified range. Feature conversion may include extracting time-difference features from keyboard timestamps and instantaneous direction and speed features from mouse data. Specifically, for keyboard operation, the timestamp when a key is pressed and the timestamp when it is released give the hold time of that key, and the release timestamp of one key and the press timestamp of the next key give the interval between the two keys; for mouse operation, the coordinates (x1, y1) and (x2, y2) of two track points give the movement direction, their timestamps give the time interval between them, and the distance between the two points divided by that interval gives the instantaneous speed of the mouse.
For normalized conversion, this can be achieved by the following formula:
[normalization formula: shown as an image in the original and not reproduced here]
where X is the data to be converted, Y the converted data, and A and B parameters obtained by learning; setting A > B adjusts the range.
The normalization conversion can also be implemented by a sigmoid function, which is not described in detail herein.
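The preprocessing of steps S510-S520 carried through on constructed events, as an added example (not the patent's or the SDK's code). The event record format, the field names and the use of clipped min-max scaling with learned bounds are assumptions; the patent shows its own normalization formula only as an image, and the sigmoid variant it mentions is included for comparison.

```python
"""Data preprocessing: desensitisation, feature extraction, normalisation (added example).

Assumptions: keyboard events are (t_ms, "down"/"up", key) and mouse track points
are (t_ms, x, y); the bounds used for min-max scaling stand in for the learned
parameters of the text. All sample data below is constructed.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed raw events as the front-end SDK might upload them.
KEY_EVENTS = [
    (1000, "down", "h"), (1085, "up", "h"),
    (1210, "down", "e"), (1290, "up", "e"),
    (1420, "down", "l"), (1490, "up", "l"),
]
# The second and third points share a timestamp: an abnormal pair to be dropped.
MOUSE_EVENTS = [(2000, 100, 100), (2050, 130, 140), (2050, 130, 140), (2150, 190, 220)]


def keyboard_features(events: Sequence[Tuple[int, str, str]]) -> Dict[str, List[int]]:
    """Desensitise and featurise keyboard data.

    The key identity is discarded (it is never read below); only the hold time
    (press -> release of a key) and the flight time (release of one key ->
    press of the next), both in ms, survive.
    """
    holds, flights = [], []
    last_down = None
    last_up = None
    for t, kind, _key in events:          # _key deliberately unused: desensitisation
        if kind == "down":
            if last_up is not None:
                flights.append(t - last_up)
            last_down = t
        elif kind == "up" and last_down is not None:
            holds.append(t - last_down)
            last_up = t
            last_down = None
    return {"hold_ms": holds, "flight_ms": flights}


def mouse_features(points: Sequence[Tuple[int, float, float]]) -> List[Tuple[float, float]]:
    """(direction in radians, speed in px/ms) for each consecutive pair of points.

    Pairs with a non-positive time interval are abnormal data and are removed,
    which also avoids a division by zero.
    """
    out = []
    for (t0, x0, y0), (t1, x1, y1) in zip(points, points[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue
        dist = math.hypot(x1 - x0, y1 - y0)
        out.append((math.atan2(y1 - y0, x1 - x0), dist / dt))
    return out


def normalise(values: Sequence[float], lo: float, hi: float) -> List[float]:
    """Linear min-max scaling into [0, 1] with bounds lo < hi (assumed form of the
    learned-parameter formula); values outside the range are clipped."""
    if hi <= lo:
        raise ValueError("upper bound must exceed lower bound")
    return [min(1.0, max(0.0, (v - lo) / (hi - lo))) for v in values]


def sigmoid_normalise(values: Sequence[float], scale: float = 1.0) -> List[float]:
    """The sigmoid alternative mentioned in the text."""
    return [1.0 / (1.0 + math.exp(-v / scale)) for v in values]


def preprocess(key_events, mouse_events) -> Dict[str, List[float]]:
    """Full pipeline: raw events -> desensitised features -> normalised features."""
    kb = keyboard_features(key_events)
    mouse = mouse_features(mouse_events)
    return {
        "hold": normalise(kb["hold_ms"], 0, 300),
        "flight": normalise(kb["flight_ms"], 0, 1000),
        "speed": normalise([s for _, s in mouse], 0, 5),
        "direction": [(d + math.pi) / (2 * math.pi) for d, _ in mouse],  # angle -> [0, 1]
    }


if __name__ == "__main__":
    print(preprocess(KEY_EVENTS, MOUSE_EVENTS))
```

Note that the desensitised output contains nothing from which the typed text could be reconstructed, which is the property step S510 is after: only timing and geometry leave the client.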
Referring to fig. 6, a method for constructing a behavior feature model is shown, which may specifically include:
s610, for each target user, acquiring the historical behavior characteristics of the target user, and taking the historical behavior characteristics of the target user as a positive sample.
When the behavior feature model is trained, the input positive sample is the behavior feature of the legal user corresponding to the account.
S620, acquiring historical behavior characteristics of a non-target user, and taking the historical behavior characteristics of the non-target user as a negative sample.
The negative sample may be obtained directly from the database, meaning that it is not the characteristic information of the user to whom the account corresponds.
S630, sorting the behavior data in the positive sample and the negative sample according to a time sequence, extracting behavior characteristics of a single time point, obtaining a plurality of behavior characteristic sequences, and converting the behavior characteristic sequences into characteristic vectors.
And splicing the user behavior characteristics of each time point into one-dimensional vectors, wherein each one-dimensional vector comprises keyboard operation characteristics, mouse operation characteristics, window switching characteristics and the like.
S640, taking a plurality of feature vectors as the input of a supervised learning algorithm to train a behavior feature model.
And sequentially sending a plurality of one-dimensional vectors containing user characteristic behaviors into a supervised training model for training, wherein a positive sample corresponds to output 1, and a negative sample corresponds to output 0. A specific training model can be seen in fig. 7, which shows a deep learning model based on differential and trajectory behavior data, and a specific training process can include: the original user behavior characteristics are converted into onehot vectors, the onehot vectors are sent into an LSTM (Long Short-Term Memory) model and an added attention algorithm layer, and user identity probability is output through softmax.
An LSTM encodes an input sequence of any length into a fixed-length vector representation, and decoding works from that fixed-length vector. Fig. 8 shows the internal structure of each recurrent unit of the LSTM: a four-layer structure with three sigmoid layers and one tanh layer, where a circle denotes a pointwise (element-wise) operation, two arrows merging into one denote concatenating two vectors end to end, and one arrow splitting into two denotes copying a value and sending it to two places. The implementation follows the standard LSTM of the prior art and is not described further here.
The attention mechanism weights the behavior at each time point of the output sequence, so that the model focuses more easily on the behavior time points of the input sequence that it considers important, filtering out interfering time points and making the prediction more accurate. A matching module computes the matching degree between the current output and the current input, and this matching is repeated against every input, giving the matching degree of the current output with each input. Because the raw matching degrees are not normalized, softmax is applied so that the resulting weights sum to 1. Given the weight of each input, a weighted vector sum can then be calculated. Fig. 9 gives a worked example of this weighting (the formula is reproduced there as an image).
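As an added worked example (illustrative code, not code from the patent), the following pure-Python block runs the pipeline described above at toy scale: a behavior sequence is one-hot encoded, passed through a single LSTM loop module with three sigmoid gates and one tanh candidate layer, and the per-time-point states are weighted by an attention layer whose match scores are normalized with softmax before the weighted vector sum. The cell weights, the vocabulary of bucketed window-switch time differences, the dot-product match, the choice of the last state as the attention query and the final identity projection are all assumptions made for the example; a trained model would learn the weights.

```python
import math
import random
from typing import Dict, List, Sequence, Tuple

Vector = List[float]


def one_hot_sequence(events: Sequence[str], vocab: Sequence[str]) -> List[Vector]:
    """Encode one symbol per time point (e.g. a bucketed window-switch
    time difference) as a one-hot vector over the vocabulary."""
    index = {sym: i for i, sym in enumerate(vocab)}
    encoded = []
    for ev in events:
        vec = [0.0] * len(vocab)
        vec[index[ev]] = 1.0
        encoded.append(vec)
    return encoded


def _sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def _dot(a: Vector, b: Vector) -> float:
    return sum(x * y for x, y in zip(a, b))


def softmax(scores: Sequence[float]) -> List[float]:
    """Normalise raw match scores so that the attention weights sum to 1."""
    m = max(scores)
    exps = [math.exp(s - m) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


class LSTMCell:
    """One LSTM loop module: forget/input/output gates (sigmoid) and the
    candidate layer (tanh). Weights are constructed pseudo-randomly, not
    trained (assumption); they only make the forward pass concrete."""

    def __init__(self, in_dim: int, hidden: int, seed: int = 7) -> None:
        rng = random.Random(seed)
        n = in_dim + hidden
        self.hidden = hidden
        self.W: Dict[str, List[Vector]] = {
            g: [[rng.uniform(-0.5, 0.5) for _ in range(n)] for _ in range(hidden)]
            for g in "fiog"
        }

    def step(self, x: Vector, h: Vector, c: Vector) -> Tuple[Vector, Vector]:
        z = list(x) + list(h)  # concatenation: two arrows merged end to end
        pre = {g: [_dot(self.W[g][j], z) for j in range(self.hidden)] for g in "fiog"}
        f = [_sigmoid(p) for p in pre["f"]]  # forget gate  (sigmoid)
        i = [_sigmoid(p) for p in pre["i"]]  # input gate   (sigmoid)
        o = [_sigmoid(p) for p in pre["o"]]  # output gate  (sigmoid)
        g = [math.tanh(p) for p in pre["g"]]  # candidate    (tanh)
        c_new = [f[j] * c[j] + i[j] * g[j] for j in range(self.hidden)]
        h_new = [o[j] * math.tanh(c_new[j]) for j in range(self.hidden)]
        return h_new, c_new

    def run(self, seq: Sequence[Vector]) -> List[Vector]:
        h = [0.0] * self.hidden
        c = [0.0] * self.hidden
        states = []
        for x in seq:
            h, c = self.step(x, h, c)
            states.append(h)  # one hidden state per time point
        return states


def attention_pool(states: Sequence[Vector], query: Vector) -> Tuple[List[float], Vector]:
    """Match every time point against the query (dot product, an assumption),
    softmax the match scores into weights, and return the weighted vector sum."""
    weights = softmax([_dot(h, query) for h in states])
    ctx = [sum(w * h[j] for w, h in zip(weights, states)) for j in range(len(query))]
    return weights, ctx


def identity_probability(events: Sequence[str], vocab: Sequence[str], hidden: int = 4) -> Dict[str, object]:
    """End-to-end pass: one-hot -> LSTM -> attention -> softmax over
    {self, not-self}. Using the last state as query and a symmetric two-logit
    projection are assumptions; a trained model would learn both."""
    states = LSTMCell(len(vocab), hidden).run(one_hot_sequence(events, vocab))
    weights, ctx = attention_pool(states, states[-1])
    score = sum(ctx)
    p_self, _ = softmax([score, -score])
    return {"weights": weights, "p_self": p_self}


# Constructed sample: window-switch time differences bucketed into
# "fast" (<1 s), "mid" (1-5 s) and "slow" (>5 s). Not data from the patent.
VOCAB = ["fast", "mid", "slow"]
SAMPLE = ["fast", "fast", "mid", "slow", "fast", "mid"]

if __name__ == "__main__":
    result = identity_probability(SAMPLE, VOCAB)
    print("attention weights:", [round(w, 3) for w in result["weights"]])
    print("P(self):", round(result["p_self"], 3))
```

The attention weights always sum to 1 regardless of the raw match scores, which is the point of the softmax step; the probability itself is meaningless here because the weights are not trained.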
Referring to fig. 10, a schematic diagram of an environmental feature model construction method is shown, which includes:
S1010, for each target user, acquiring the operating environment features of the target user, and taking the operating environment features of the target user as positive samples.
S1020, acquiring the operating environment characteristics of the non-target user, and taking the operating environment characteristics of the non-target user as a negative sample.
The operating environment features may include the software information features, hardware information features and network environment features described above, and mainly consist of: the number of users, devices and clients seen under an IP address, and the number of users and requests seen on a device.
As with the user behavior feature model, the positive samples are the operating environment features of the legitimate user of the account, and the negative samples, which can be drawn directly from the database, are operating environment features that do not belong to the user of that account.
S1030, taking the positive samples and the negative samples respectively as inputs of a supervised learning algorithm to train the environment feature model.
The environment feature model can be trained with the XGBoost or GBDT algorithm. Because the model has to predict an environment anomaly probability, the positive samples are labelled with output 0 and the negative samples with output 1 during training, which is the opposite of the labelling used for the behavior feature model.
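The following added example (illustrative code, not the patent's implementation) builds the environment training set for one account from constructed request records: identifiers are desensitized with a keyed hash, the IP-level and device-level aggregate features named above are extracted, the features are min-max normalized as in the preprocessing step, and the samples are labelled with the convention just stated (the target user's environments 0, everyone else's 1). The record layout, the sample rows, the HMAC-SHA256 pseudonymization and its key are assumptions; the patent does not specify the desensitization method. The resulting rows are what one would hand to XGBoost or GBDT.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import List, Sequence, Tuple

# Constructed login/request records: (timestamp, account, client IP, device id, client).
# Illustrative rows, not data from the patent.
RECORDS: List[Tuple[str, str, str, str, str]] = [
    ("2018-12-27T09:00:00", "alice", "10.0.0.5",    "dev-A", "pc-client/3.1"),
    ("2018-12-27T09:05:00", "alice", "10.0.0.5",    "dev-A", "pc-client/3.1"),
    ("2018-12-27T09:07:00", "bob",   "10.0.0.5",    "dev-B", "pc-client/3.1"),
    ("2018-12-27T09:10:00", "alice", "203.0.113.9", "dev-X", "pc-client/2.0"),
    ("2018-12-27T09:11:00", "carol", "203.0.113.9", "dev-X", "pc-client/2.0"),
    ("2018-12-27T09:12:00", "dave",  "203.0.113.9", "dev-X", "pc-client/2.0"),
    ("2018-12-27T09:13:00", "erin",  "203.0.113.9", "dev-Y", "web/1.0"),
]

FEATURE_NAMES = ["users_per_ip", "devices_per_ip", "clients_per_ip",
                 "users_per_device", "requests_per_device"]

# Desensitisation key: constructed for the example. In production it would
# come from a secret store and be rotated with the training data.
PSEUDONYM_KEY = b"example-pseudonymisation-key"


def desensitize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace an identifier (account, IP, device id) with a keyed HMAC-SHA256
    pseudonym: equal inputs still aggregate together, but raw values never
    leave the collection tier. Keyed hashing is this example's choice."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def desensitize_records(records: Sequence[Tuple[str, str, str, str, str]]):
    return [(ts, desensitize(acct), desensitize(ip), desensitize(dev), client)
            for ts, acct, ip, dev, client in records]


def extract_environment_features(records) -> List[List[float]]:
    """Per record: number of users/devices/clients seen under its IP and
    number of users/requests seen on its device, over the whole batch."""
    users_by_ip, devices_by_ip, clients_by_ip = defaultdict(set), defaultdict(set), defaultdict(set)
    users_by_dev, requests_by_dev = defaultdict(set), defaultdict(int)
    for _, acct, ip, dev, client in records:
        users_by_ip[ip].add(acct)
        devices_by_ip[ip].add(dev)
        clients_by_ip[ip].add(client)
        users_by_dev[dev].add(acct)
        requests_by_dev[dev] += 1
    return [[float(len(users_by_ip[ip])), float(len(devices_by_ip[ip])),
             float(len(clients_by_ip[ip])), float(len(users_by_dev[dev])),
             float(requests_by_dev[dev])]
            for _, _, ip, dev, _ in records]


def label_for_target(records, target: str) -> List[int]:
    """Environment-model labels: the target user's own environments are the
    positive samples with output 0, all other users' environments are the
    negative samples with output 1, because the model predicts anomaly."""
    return [0 if acct == target else 1 for _, acct, _, _, _ in records]


def min_max_normalize(rows: List[List[float]]) -> List[List[float]]:
    """Column-wise min-max scaling to [0, 1]; a constant column maps to 0."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - lo[j]) / (hi[j] - lo[j]) if hi[j] > lo[j] else 0.0
             for j, v in enumerate(row)] for row in rows]


def build_training_set(records, target: str) -> Tuple[List[List[float]], List[int]]:
    """Desensitise, extract features, normalise, and label for one account.
    Labelling is done on the pseudonyms so the raw account id is not needed."""
    safe = desensitize_records(records)
    labels = label_for_target(safe, desensitize(target))
    feats = min_max_normalize(extract_environment_features(safe))
    return feats, labels


if __name__ == "__main__":
    x, y = build_training_set(RECORDS, "alice")
    for row, label in zip(x, y):
        print([round(v, 2) for v in row], "->", label)
```

Note that alice's fourth record sits on a shared IP and device with three other accounts; it is still a positive sample (label 0) because she is the account's legitimate user. That is exactly the "normal operation by the owner in an abnormal environment" case the model has to learn, and it is why the environment probability is fused with the behavior probability rather than used alone.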
The identity authentication engine runs online in real time and performs user identity authentication in real time. At the same time, the identity authentication model is iteratively retrained offline on the collected big data and dynamically updated online, which ensures the long-term adaptability of the model; the features and modeling approach used in the iterative training are the same as those of the online model. The overall system architecture is shown in fig. 11: the preprocessed data is input into the identity authentication model for online identity prediction and recognition, the identity judgment result is output and verified through feedback, and the model is updated and optimized offline on the basis of the big data.
The invention also uses unsupervised and semi-supervised algorithms to analyze abnormal samples and feature importance. The supervised classification algorithms include GBDT, CNN and LSTM; the unsupervised and semi-supervised analysis algorithms include PCA, k-means and LPA. Combining several offline analysis methods can further improve the prediction accuracy of the model, monitor and remove abnormal data, and improve model stability.
The user feature data collected in the invention is not limited to the several types of data described above, provided that it includes the core behavior data and the device environment data. The supervised classification algorithms are likewise not limited to the conventional algorithms named; each model may use a different method, and several algorithms may be fused in one implementation.
The invention models the user's operating behavior together with environment data, combining dynamic and static data to establish a comprehensive user identity authentication model that determines in multiple dimensions whether the user is who the account says they are. An end-to-end deep learning model predicts the personal identity probability, which avoids dependence on hand-crafted features, and combining device and environment data further improves the stability of the model and raises the bar for the underground fraud industry ("black production"). An independent behavior identity model is built for each user; massive data is used to analyze comprehensively whether the user's behavior is abnormal and whether it is the user's own operation; and the online model is adjusted and updated in time to ensure its long-term adaptability.
The embodiment also provides an identity authentication device, which can be implemented by hardware and/or software, and can be seen in fig. 12, and the device includes:
the model loading module 1210 is configured to load a corresponding identity authentication model according to an identifier of the logged-in account, where the identity authentication model includes: a behavior feature model, an environment feature model and a comprehensive judgment model;
the identity probability obtaining module 1220 is configured to obtain a behavior feature of a current operation user, input the behavior feature to the behavior feature model, and obtain identity probability information of the current operation user;
the environmental probability acquisition module 1230 is configured to acquire a current operating environmental feature, and input the operating environmental feature into the environmental feature model to obtain environmental anomaly probability information;
and the comprehensive judgment module 1240 is configured to obtain an identity authentication result of the current operation user according to the identity probability information and the environment anomaly probability information through the comprehensive judgment model.
Referring to fig. 13, the identity probability obtaining module 1220 includes:
the first obtaining module 1310 is configured to obtain, in a preset period, a behavior feature of a current operation user, and obtain corresponding identity probability information.
The set construction module 1320 is configured to construct an identity probability information set, and store the identity probability information of different time points into the identity probability information set according to a time sequence.
Referring to fig. 14, the comprehensive judging module 1240 includes:
a second obtaining module 1410, configured to obtain at least one item of identity probability information from the set of identity probability information.
And the weighting calculation module 1420 is configured to perform a weighting operation on the identity probability information and the environmental anomaly probability information to obtain an identity legal probability of the current operating user.
And the judging module 1430 is configured to judge that the current operating user is a legal user of the logged-in account when the identity legal probability is greater than a preset threshold.
Referring to fig. 15, the weight calculating module 1420 further includes:
the weight distribution module 1510 is configured to, when the identity probability information obtained from the identity probability information set is two or more, distribute weights to each item of identity probability information, and calculate a weighted sum of each item of identity probability information.
And a comprehensive calculation module 1520, configured to perform a weighted operation on the weighted sum and the environmental anomaly probability information, so as to obtain an identity legal probability of the current operating user.
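The weighting performed by modules 1420, 1510 and 1520, as an added example that is not code from the patent: stored identity probabilities from the identity probability information set are weighted so that the older an entry is relative to the current time node, the smaller its weight; the weighted sum is fused with the environment anomaly probability; and the result is compared with a threshold. The exponential half-life decay, the fusion formula alpha * P_behavior + (1 - alpha) * (1 - P_env_anomaly), the values of alpha, the half-life and the threshold, and the sample history are all assumptions; the patent fixes only that the weights decrease with age and that the final quantity is a weighted operation over the two inputs.

```python
from typing import List, Sequence, Tuple


def decay_weights(ages_seconds: Sequence[float], half_life_seconds: float) -> List[float]:
    """Weight each stored identity probability by its age: the longer the
    interval to the current time node, the smaller the weight. Exponential
    decay with a half-life is this example's choice (assumption); the text
    only requires the weights to decrease with age. Weights sum to 1."""
    raw = [0.5 ** (age / half_life_seconds) for age in ages_seconds]
    total = sum(raw)
    return [w / total for w in raw]


def weighted_identity_probability(history: Sequence[Tuple[float, float]],
                                  half_life_seconds: float = 60.0) -> float:
    """history: (age in seconds, identity probability) per collection period.
    A single entry is used as-is; the weighted-sum step applies only when
    two or more entries were taken from the set, as the device description says."""
    if not history:
        raise ValueError("no identity probability information available")
    if len(history) == 1:
        return history[0][1]
    ages = [age for age, _ in history]
    probs = [p for _, p in history]
    weights = decay_weights(ages, half_life_seconds)
    return sum(w * p for w, p in zip(weights, probs))


def identity_legal_probability(history: Sequence[Tuple[float, float]], env_anomaly_prob: float,
                               alpha: float = 0.7, half_life_seconds: float = 60.0) -> float:
    """Fuse the behavior side with the environment side. The environment
    model outputs an anomaly probability (1 = anomalous), so it enters as
    (1 - anomaly). alpha is the behavior weight; 0.7 is an assumed value."""
    if not 0.0 <= env_anomaly_prob <= 1.0:
        raise ValueError("environment anomaly probability out of range")
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha out of range")
    p_behavior = weighted_identity_probability(history, half_life_seconds)
    return alpha * p_behavior + (1.0 - alpha) * (1.0 - env_anomaly_prob)


def is_legal_user(history: Sequence[Tuple[float, float]], env_anomaly_prob: float,
                  threshold: float = 0.75, **kw) -> bool:
    """Judging module: legal user when the fused probability exceeds the
    preset threshold (0.75 is an assumed value)."""
    return identity_legal_probability(history, env_anomaly_prob, **kw) > threshold


# Constructed identity probability set: (age in seconds, P(self)) from three
# collection periods; the oldest window looked least like the account owner.
HISTORY: List[Tuple[float, float]] = [(0.0, 0.9), (60.0, 0.8), (120.0, 0.3)]

if __name__ == "__main__":
    print("behavior only   :", round(weighted_identity_probability(HISTORY), 4))
    print("normal env (0.2):", is_legal_user(HISTORY, env_anomaly_prob=0.2))
    print("abnormal env(0.9):", is_legal_user(HISTORY, env_anomaly_prob=0.9))
```

With the same behavior history, a normal environment (anomaly 0.2) yields 0.79 and passes the 0.75 threshold, while an abnormal environment (anomaly 0.9) yields 0.58 and fails: the environment side can veto a behaviorally plausible session, which is the password-leak and device-theft case the text targets. The time-decayed weights (4/7, 2/7, 1/7 for ages 0, 60 and 120 s) keep the stale 0.3 reading from dominating the decision.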
Referring to fig. 16, the apparatus further includes a behavior feature model building module 1600, including:
a positive behavioral sample acquisition module 1610, configured to acquire, for each target user, a historical behavioral characteristic of the target user, and take the historical behavioral characteristic of the target user as a positive sample.
The behavior negative sample obtaining module 1620 is configured to obtain a historical behavior feature of a non-target user, and take the historical behavior feature of the non-target user as a negative sample.
The behavior sample conversion module 1630 is configured to sort the behavior data in the positive sample and the negative sample according to a time sequence, extract behavior features of a single time point, obtain a plurality of behavior feature sequences, and convert the behavior feature sequences into feature vectors.
The behavior feature training module 1640 is configured to perform behavior feature model training by using a plurality of feature vectors as inputs of a supervised learning algorithm.
Referring to fig. 17, the apparatus further includes an environmental feature model construction module 1700, including:
and the environmental positive sample acquiring module 1710 is configured to acquire, for each target user, an operating environment characteristic of the target user, and take the operating environment characteristic of the target user as a positive sample.
An environment negative sample acquisition module 1720, configured to acquire an operating environment characteristic of a non-target user, and take the operating environment characteristic of the non-target user as a negative sample.
And the environmental feature training module 1730 is configured to perform environmental feature model training by using the positive sample and the negative sample as inputs of a supervised learning algorithm, respectively.
The device also comprises a preprocessing module, configured to collect the raw data information of the operating user and desensitize it, extract features from the desensitized data information, and normalize the extracted features.
The device provided in the above embodiment can execute the method provided in any embodiment of the present invention, and has the corresponding functional modules and beneficial effects of executing the method. Technical details not described in detail in the above embodiments may be found in the methods provided by any of the embodiments of the present invention.
The method can effectively identify abnormal operation by someone other than the account owner in a variety of environments, such as the high-risk scenarios of password leakage and device theft, as well as normal operation by the owner in an abnormal network or device environment, achieving imperceptible recognition with higher security and reliability. The invention needs no additional hardware, and because the technique is imperceptible the data is never displayed and is harder to copy or attack. It applies mainly to identity authentication scenarios on the PC side, including payment transactions and login verification, and provides a behavior-based, imperceptible authentication method for the cases where the password has leaked or biometric features have been forged or imitated.
The present embodiment also provides a computer-readable storage medium having stored therein computer-executable instructions loaded by a processor and performing any of the methods of the present embodiment described above.
The embodiment also provides an apparatus, where the apparatus includes a processor and a memory, where the processor is configured to call and execute a program stored in the memory, and the memory is configured to store a program, where the program is configured to implement any of the methods described in the embodiment.
The present specification describes method operation steps as in the examples or flowcharts, but an implementation may include more or fewer steps based on conventional or non-inventive labor. The steps and their order recited in the embodiments are merely one way of performing them and are not meant to exclude other orders. In the actual execution of a system or product, the methods illustrated in the embodiments or figures may be performed sequentially or in parallel (e.g., with parallel processors or multi-threaded processing).
The structures shown in this embodiment are only partial structures related to the present application and do not constitute limitations of the apparatus to which the present application is applied, and a specific apparatus may include more or less components than those shown, or may combine some components, or may have different arrangements of components. It should be understood that the methods, apparatuses, etc. disclosed in the embodiments may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, and the division of the modules is merely a division of one logic function, and may be implemented in other manners, such as multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or unit modules.
Based on such understanding, the technical solution of the present invention may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. An identity authentication method, comprising:
loading a corresponding identity authentication model according to the identification of the logged-in account, wherein the identity authentication model comprises: a behavior feature model, an environment feature model and a comprehensive judgment model;
acquiring behavior characteristics of a current operation user, and inputting the behavior characteristics into the behavior characteristic model to obtain identity probability information of the current operation user; the behavior characteristic comprises a time difference sequence of application program window switching;
acquiring current operation environment characteristics, and inputting the operation environment characteristics into the environment characteristic model to obtain environment anomaly probability information; the operating environment features comprise software information features and hardware information features;
According to the identity probability information and the environment anomaly probability information, obtaining an identity authentication result of the current operation user through the comprehensive judgment model;
when the identity probability information is two or more, the obtaining the identity authentication result of the current operation user through the comprehensive judgment model according to the identity probability information and the environment anomaly probability information comprises the following steps:
assigning a weight to each item of identity probability information, and calculating a weighted sum of each item of identity probability information; the longer the interval time between the identity probability information and the current time node is, the smaller the assigned weight value is;
and carrying out weighted operation on the weighted sum and the environment anomaly probability information to obtain the identity legal probability of the current operation user.
2. The method for authenticating an identity according to claim 1, wherein the steps of obtaining the behavior feature of the current operation user and inputting the behavior feature into the behavior feature model, and obtaining the identity probability information of the current operation user include:
acquiring behavior characteristics of a current operation user in a preset period, and obtaining corresponding identity probability information;
and constructing an identity probability information set, and storing the identity probability information of different time points into the identity probability information set according to a time sequence.
3. The method according to claim 2, wherein obtaining the identity authentication result of the current operation user through the comprehensive judgment model according to the identity probability information and the environment anomaly probability information comprises:
acquiring at least one item of identity probability information from the identity probability information set;
weighting the identity probability information and the environment anomaly probability information to obtain the identity legal probability of the current operation user;
and when the identity legal probability is larger than a preset threshold value, judging that the current operation user is the legal user of the logged-in account.
4. The identity authentication method according to claim 1, wherein the method for constructing the behavior feature model comprises the following steps:
for each target user, acquiring historical behavior characteristics of the target user, and taking the historical behavior characteristics of the target user as a positive sample;
acquiring historical behavior characteristics of a non-target user, and taking the historical behavior characteristics of the non-target user as a negative sample;
sequencing the behavior data in the positive sample and the negative sample according to a time sequence respectively, extracting behavior characteristics of a single time point to obtain a plurality of behavior characteristic sequences, and converting the behavior characteristic sequences into characteristic vectors;
And taking a plurality of feature vectors as the input of a supervised learning algorithm to train the behavior feature model.
5. An identity authentication method according to claim 4, wherein the behavioral characteristics include trajectory behavioral characteristics.
6. The identity authentication method according to claim 1, wherein the method for constructing the environment feature model comprises the following steps:
for each target user, acquiring the operating environment characteristics of the target user, and taking the operating environment characteristics of the target user as a positive sample;
acquiring the operating environment characteristics of a non-target user, and taking the operating environment characteristics of the non-target user as a negative sample;
and respectively taking the positive sample and the negative sample as inputs of a supervised learning algorithm to train an environmental characteristic model.
7. The method of claim 6, wherein the operating environment features include:
network environment information features.
8. The method for authenticating an identity according to claim 1, further comprising, before acquiring the behavior feature of the current operating user or the current operating environment feature:
collecting original data information of a current operation user, and performing desensitization treatment on the original data information;
And carrying out feature extraction on the desensitized data information, and carrying out normalization processing on the extracted features.
9. An identity authentication device, comprising:
the model loading module is used for loading a corresponding identity authentication model according to the identification of the logged-in account, wherein the identity authentication model comprises: a behavior feature model, an environment feature model and a comprehensive judgment model;
the identity probability acquisition module is used for acquiring the behavior characteristics of the current operation user, inputting the behavior characteristics into the behavior characteristic model and obtaining the identity probability information of the current operation user; the behavior characteristic comprises a time difference sequence of application program window switching;
the environment probability acquisition module is used for acquiring current operation environment characteristics, inputting the operation environment characteristics into the environment characteristic model and obtaining environment anomaly probability information; the operating environment characteristics comprise software information and hardware information;
the comprehensive judgment module is used for obtaining the identity authentication result of the current operation user through the comprehensive judgment model according to the identity probability information and the environment abnormality probability information;
when the identity probability information is two or more, the obtaining the identity authentication result of the current operation user through the comprehensive judgment model according to the identity probability information and the environment anomaly probability information comprises the following steps:
Assigning a weight to each item of identity probability information, and calculating a weighted sum of each item of identity probability information; the longer the interval time between the identity probability information and the current time node is, the smaller the assigned weight value is;
and carrying out weighted operation on the weighted sum and the environment anomaly probability information to obtain the identity legal probability of the current operation user.
10. The apparatus of claim 9, wherein the identity probability acquisition module comprises:
the first acquisition module is used for acquiring the behavior characteristics of the current operation user in a preset period and obtaining corresponding identity probability information;
the set construction module is used for constructing an identity probability information set and storing the identity probability information of different time points into the identity probability information set according to a time sequence.
11. The apparatus of claim 10, wherein the comprehensive decision module comprises:
the second acquisition module is used for acquiring at least one item of identity probability information from the identity probability information set;
the weighting calculation module is used for carrying out weighting operation on the identity probability information and the environment anomaly probability information to obtain the identity legal probability of the current operation user;
And the judging module is used for judging that the current operation user is the legal user of the logged-in account when the identity legal probability is larger than a preset threshold value.
12. The apparatus of claim 9, further comprising a behavioral characteristics model building module comprising:
a behavior positive sample acquisition module, configured to acquire, for each target user, the historical behavior characteristics of the target user and take the historical behavior characteristics of the target user as a positive sample;
the behavior negative sample acquisition module is used for acquiring the historical behavior characteristics of the non-target user and taking the historical behavior characteristics of the non-target user as a negative sample;
the behavior sample conversion module is used for sequencing the behavior data in the positive sample and the negative sample according to the time sequence respectively, extracting behavior characteristics of a single time point, obtaining a plurality of behavior characteristic sequences, and converting the behavior characteristic sequences into characteristic vectors;
and the behavior feature training module is used for taking a plurality of feature vectors as the input of the supervised learning algorithm to train the behavior feature model.
13. The apparatus of claim 10, further comprising an environmental feature model building module, the environmental feature model building module comprising:
an environment positive sample acquisition module, configured to acquire, for each target user, the operating environment characteristics of the target user and take the operating environment characteristics of the target user as a positive sample;
the environment negative sample acquisition module is used for acquiring the operating environment characteristics of the non-target user and taking the operating environment characteristics of the non-target user as a negative sample;
and the environmental characteristic training module is used for respectively taking the positive sample and the negative sample as the input of the supervised learning algorithm to train the environmental characteristic model.
14. The device according to claim 9, further comprising a preprocessing module for collecting raw data information of an operating user and performing desensitization processing on the raw data information; and carrying out feature extraction on the desensitized data information, and carrying out normalization processing on the extracted features.
15. A computer readable storage medium having stored therein computer executable instructions loaded by a processor and performing the authentication method of any one of claims 1-8.
16. An electronic device, characterized in that the device comprises a processor and a memory, wherein the processor is arranged to invoke and execute a program stored in the memory, the memory being arranged to store a program for implementing the authentication method according to any of claims 1-8.
Application CN201811610585.3A, Identity authentication method and device, priority date 2018-12-27, filing date 2018-12-27, status Active, Tencent Technology Shenzhen Co Ltd.

Publications:
CN109784015A (en), published 2019-05-21
CN109784015B (en), granted 2023-05-12

Family ID: 66498574
Country: CN

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110232473B (en) * 2019-05-22 2022-12-27 重庆邮电大学 Black product user prediction method based on big data finance
CN110335144B (en) * 2019-07-10 2023-04-07 中国工商银行股份有限公司 Personal electronic bank account security detection method and device
CN110532895B (en) * 2019-08-06 2020-10-23 创新先进技术有限公司 Method, device and equipment for detecting fraudulent behavior in face recognition process
CN110619528A (en) * 2019-09-29 2019-12-27 武汉极意网络科技有限公司 Behavior verification data processing method, behavior verification data processing device, behavior verification equipment and storage medium
CN112131551A (en) * 2020-09-25 2020-12-25 平安国际智慧城市科技股份有限公司 Verification code verification method and device, computer equipment and readable storage medium
CN113259368B (en) * 2021-06-01 2021-10-12 北京芯盾时代科技有限公司 Identity authentication method, device and equipment
CN115412373B (en) * 2022-11-01 2023-03-21 中网信安科技有限公司 Method and system for safely accessing mechanical-electrical integrated industrial control network
CN115859372B (en) * 2023-03-04 2023-04-25 成都安哲斯生物医药科技有限公司 Medical data desensitization method and system

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2016018398A (en) * 2014-07-08 2016-02-01 株式会社 日立産業制御ソリューションズ Biometric authentication device, authentication control method and entering/leaving management system
WO2017032261A1 (en) * 2015-08-21 2017-03-02 中国银联股份有限公司 Identity authentication method, device and apparatus
WO2017071126A1 (en) * 2015-10-28 2017-05-04 同济大学 Touch-screen user key-press behavior pattern construction and analysis system and identity recognition method thereof
CN107317682A (en) * 2017-05-10 2017-11-03 史展 A kind of identity identifying method and system
CN107819748A (en) * 2017-10-26 2018-03-20 北京顶象技术有限公司 A kind of anti-identifying code implementation method cracked and device
WO2018073649A1 (en) * 2016-10-17 2018-04-26 Basewalk Ltd. Desktop management and data transfer in a multi-computer environment
CN108416198A (en) * 2018-02-06 2018-08-17 平安科技(深圳)有限公司 Man-machine identification model establishes device, method and computer readable storage medium
CN108512827A (en) * 2018-02-09 2018-09-07 世纪龙信息网络有限责任公司 The identification of abnormal login and method for building up, the device of supervised learning model
CN108683813A (en) * 2018-05-18 2018-10-19 西北工业大学 A kind of user identity based on smart mobile phone use habit continues recognition methods
CN110162939A (en) * 2018-10-25 2019-08-23 腾讯科技(深圳)有限公司 Man-machine recognition methods, equipment and medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104239758B (en) * 2013-06-13 2018-04-27 阿里巴巴集团控股有限公司 A kind of man-machine recognition methods and corresponding man-machine identifying system
CN105844123A (en) * 2015-01-14 2016-08-10 中兴通讯股份有限公司 Method and device for identity authentication on terminal, and terminal
US9785464B2 (en) * 2015-06-29 2017-10-10 International Business Machines Corporation Intellective switching between tasks
CN106713241B (en) * 2015-11-16 2019-09-27 腾讯科技(深圳)有限公司 A kind of auth method, device and system
CN106507308A (en) * 2016-11-29 2017-03-15 中国银联股份有限公司 A kind of identity identifying method and device
CN107819945B (en) * 2017-10-30 2020-11-03 同济大学 Handheld device browsing behavior authentication method and system integrating multiple factors

Also Published As

Publication number Publication date
CN109784015A (en) 2019-05-21

Similar Documents

Publication Publication Date Title
CN109784015B (en) Identity authentication method and device
CN109635872B (en) Identity recognition method, electronic device and computer program product
Krueger et al. Learning stateful models for network honeypots
Yin et al. A subgrid-oriented privacy-preserving microservice framework based on deep neural network for false data injection attack detection in smart grids
CN112837069B (en) Block chain and big data based secure payment method and cloud platform system
CN110263538A (en) Malicious code detection method based on system behavior sequence
CN112052761A (en) Method and device for generating adversarial face image
Chen et al. Automatic mobile application traffic identification by convolutional neural networks
CN112464117A (en) Request processing method and device, computer equipment and storage medium
CN111600919A (en) Web detection method and device based on artificial intelligence
CN111625792B (en) Identity recognition method based on abnormal behavior detection
KR102359090B1 (en) Method and System for Real-time Abnormal Insider Event Detection on Enterprise Resource Planning System
CN110677437A (en) User disguised attack detection method and system based on potential space countermeasure clustering
CN113033404B (en) Face attack event detection method, device, equipment and storage medium
Meena Siwach Anomaly detection for web log data analysis: a review
CN110290101B (en) Deep trust network-based associated attack behavior identification method in smart grid environment
CN116707859A (en) Feature rule extraction method and device, and network intrusion detection method and device
CN116827656A (en) Network information safety protection system and method thereof
CN117580046A (en) Deep learning-based 5G network dynamic security capability scheduling method
CN117009832A (en) Abnormal command detection method and device, electronic equipment and storage medium
CN114417251A (en) Retrieval method, device, equipment and storage medium based on hash code
CN113822684A (en) Heikou user recognition model training method and device, electronic equipment and storage medium
CN113469816A (en) Digital currency identification method, system and storage medium based on multigroup technology
CN116070191A (en) Information processing method and device, storage medium, and program product
CN113468540A (en) Security portrait processing method based on network security big data and network security system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant