CN110245475B

CN110245475B - Identity verification method and device

Info

Publication number: CN110245475B
Application number: CN201910461265.4A
Authority: CN
Inventors: 金宏; 王维强; 赵闻飙
Original assignee: Advanced New Technologies Co Ltd
Current assignee: Advanced New Technologies Co Ltd; Advantageous New Technologies Co Ltd
Priority date: 2019-05-30
Filing date: 2019-05-30
Publication date: 2023-08-22
Anticipated expiration: 2039-05-30
Also published as: CN110245475A

Abstract

The embodiment of the application provides an identity verification method and an identity verification device, which are used for improving the safety of user identity verification. The method comprises the following steps: firstly, acquiring behavior information of network behavior of a user, network environment information and/or user equipment information related to the behavior information, extracting specific features from the acquired information according to preset feature extraction rules, judging whether the network behavior is risk behavior according to each extracted specific feature through a risk behavior recognition model, if so, selecting a target feature which enables the network behavior to be judged as risk behavior from each specific feature through an attribution analysis model, and finally, determining an identity verification problem of the user according to the target feature and carrying out identity verification on the user.

Description

Identity verification method and device

Technical Field

The present application relates to the field of computers, and in particular, to an identity verification method and apparatus.

Background

In the present risk control system, when the user behavior is abnormal, identity authentication needs to be performed on the user, for example, when the system judges that the login behavior of the user is abnormal, the user can be authenticated by adopting modes of inputting a short message authentication code, answering a preset authentication question and the like.

However, in the prior art, when the user is authenticated, the authentication questions displayed to the user are all fixed, and an illegal user can crack the authentication questions in a mode of answering multiple times to obtain answers to the authentication questions, so that the user system is invaded.

Therefore, the existing user identity verification method has the problems of low safety and easiness in cracking.

Disclosure of Invention

The embodiment of the application aims to provide an identity verification method and device for improving the safety of user identity verification.

In order to solve the technical problems, the embodiment of the application is realized as follows:

the embodiment of the application provides an identity verification method, which comprises the following steps:

acquiring behavior information of network behavior of a user, network environment information and/or user equipment information associated with the behavior information, and extracting specific features from the acquired information according to preset feature extraction rules;

if the network behavior is judged to be the risk behavior according to each extracted specific feature through a risk behavior recognition model, selecting a target feature which enables the network behavior to be judged to be the risk behavior from each specific feature through an attribution analysis model;

And determining an identity verification problem of the user according to the target characteristics, and carrying out identity verification on the user based on the identity verification problem.

The embodiment of the application provides an identity verification device, which comprises:

the system comprises an acquisition module, a characteristic extraction module and a characteristic extraction module, wherein the acquisition module is used for acquiring behavior information of network behaviors of a user, network environment information and/or user equipment information associated with the behavior information, and extracting specific characteristics from the acquired information according to a preset characteristic extraction rule;

the analysis module is used for selecting target features which enable the network behavior to be judged as risk behaviors from the specific features through the attribution analysis model if the network behavior is judged as risk behaviors according to the extracted specific features through the risk behavior identification model;

and the verification module is used for determining the identity verification problem of the user according to the target characteristics and carrying out identity verification on the user based on the identity verification problem.

The embodiment of the application provides identity verification equipment, which comprises the following components: a processor; and a memory arranged to store computer executable instructions that, when executed, cause the processor to implement the steps of the authentication method described above.

Embodiments of the present application provide a storage medium storing computer-executable instructions that, when executed, implement the steps of the authentication method described above.

In the embodiment of the application, firstly, the behavior information of the network behavior of the user and the network environment information and/or the user equipment information related to the behavior information are acquired, specific features are extracted from the acquired information according to a preset feature extraction rule, then if the network behavior is judged to be the risk behavior according to each extracted specific feature through a risk behavior recognition model, then the target feature which enables the network behavior to be judged to be the risk behavior is selected from each specific feature through an attribution analysis model, finally, the identity verification problem of the user is determined according to the target feature, and the user is authenticated based on the identity verification problem. Therefore, through the embodiment, the target characteristics which enable the network behavior of the user to be judged as the risk behavior can be determined, the identity verification problem is determined based on the target characteristics, and the user is authenticated, so that the effects of flexibly determining the identity verification problem and authenticating the user are achieved, the problems that the security of the identity verification process is low and the user is easy to crack due to the fact that the identity verification problem is fixed are solved, and the security of the user identity verification is improved.

Drawings

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.

FIG. 1 is a schematic diagram of an authentication scenario according to an embodiment of the present application;

FIG. 2 is a flowchart of an authentication method according to an embodiment of the present application;

FIG. 3 is a schematic diagram of identity verification according to an embodiment of the present application;

fig. 4 is a schematic diagram of module components of an authentication device according to an embodiment of the present application;

fig. 5 is a schematic structural diagram of an authentication device according to an embodiment of the present application.

Detailed Description

In order to make the technical solution of the present application better understood by those skilled in the art, the technical solution of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, shall fall within the scope of the application.

The embodiment of the application aims to provide an identity verification method and device for improving the safety of user identity verification. Wherein the authentication method may be performed by an authentication device, such as a background server.

Fig. 1 is a schematic diagram of an authentication scenario provided in an embodiment of the present application, as shown in fig. 1, where the scenario includes a user terminal including, but not limited to, a tablet 101, a mobile phone 102, a desktop 103, and a notebook 104 as shown in fig. 1, and an authentication device including, but not limited to, a server 200 as shown in fig. 1. In this scenario, the authentication device may execute the authentication method provided in the embodiment of the present application, so as to perform authentication on the user.

Fig. 2 is a flow chart of an authentication method according to an embodiment of the application, as shown in fig. 2, the flow chart includes the following steps:

step S202, acquiring behavior information of network behavior of a user, network environment information and/or user equipment information associated with the behavior information, and extracting specific features from the acquired information according to a preset feature extraction rule;

step S204, if the network behavior is judged to be the risk behavior according to each extracted specific feature through the risk behavior recognition model, selecting a target feature which enables the network behavior to be judged to be the risk behavior from each specific feature through the attribution analysis model;

Step S206, determining the authentication problem of the user according to the target characteristics, and authenticating the user based on the authentication problem.

In step S202, behavior information of the network behavior of the user is acquired. The user's network behavior includes, but is not limited to, payment behavior, login behavior, and the like. The behavior information of the network behavior includes, but is not limited to, information of a behavior subject, information of a behavior object for which the behavior is directed, and information involved in the behavior process. Taking network behavior as payment behavior as an example, behavior information of the network behavior includes, but is not limited to, payment time, payment amount, payment user name, age, registration time, payee name, age, registration time, paymate identification, and the like. Taking the network behavior as a login behavior as an example, the behavior information of the network behavior includes, but is not limited to, login time, login user name, login result, and the like. Wherein the login result comprises login success and login failure.

In step S202, network environment information and/or user equipment information associated with the behavior information of the network behavior is also acquired. The network environment information includes, but is not limited to, an IP (Internet Protocol, network protocol) address of the user terminal, a network type of the user terminal, etc., used when the user performs the network action. The network types include WIFI (Wireless-Fidelity) and mobile data traffic, among others. The user equipment information includes, but is not limited to, an identification, a brand, a model number, a MAC (Media Access Control ) address, etc. of a user terminal used when the user performs the network action. In this embodiment, network environment information associated with behavior information of network behavior, or user equipment information associated with behavior information of network behavior, or both network environment information and user equipment information may be acquired.

In the step S202, specific features are extracted from the acquired information according to a preset feature extraction rule. The preset feature extraction rule specifies the types of features to be extracted from the acquired information, for example, the preset feature extraction rule specifies that when the network behavior is a payment behavior, specific features such as payment time, payment amount, collection account number and the like are extracted from behavior information, and when the network behavior is a login behavior, specific features such as login time, user name, website identification and the like are extracted from the behavior information. The preset feature extraction rules also provide that specific features such as an IP address, a network type and the like are extracted from the network environment information, and specific features such as a device identifier, a device model and the like are extracted from the user device information. Of course, only illustrative descriptions are given here, and specific features extracted from the information acquired from the respective items are not limited to the above examples.

In the step S204, first, whether the network row of the user is a risk action is determined according to each extracted specific feature by the risk action recognition model. Correspondingly, the method in the embodiment further comprises the following steps: and scoring the risk degree of the network behavior according to each extracted specific feature through a pre-trained risk behavior recognition model, determining the network behavior as the risk behavior if the scored risk score exceeds a score threshold, and determining the network behavior as not the risk behavior if the scored risk score does not exceed the score threshold.

Specifically, the risk behavior recognition model may be a neural network model, but of course, may also be other models, which are not particularly limited herein. Inputting each extracted specific feature into a risk behavior recognition model for operation, scoring the risk degree of the network behavior according to each extracted specific feature by the risk behavior recognition model, outputting a risk score value obtained by scoring, determining that the network behavior is the risk behavior if the risk score value obtained by scoring exceeds a score threshold, and determining that the network behavior is not the risk behavior if the risk score value obtained by scoring does not exceed the score threshold.

In one embodiment, the network behavior is a payment behavior, and each extracted specific feature includes a payer registration duration, a payee registration duration, a payer age, and a payment amount. The risk behavior recognition model scores the risk degree of the network behavior according to each extracted specific feature, for example, as follows: firstly judging whether the register time length of the payee is longer than the first time length, recording a score of 0.2 score if the register time length of the payee is not longer than the first time length, secondly judging whether the register time length of the payer is longer than the second time length, recording a score of 0.3 score if the register time length of the payer is not longer than the second time length, then judging whether the age of the payer is longer than an age threshold, recording a score of 0.3 score if the age of the payer is longer than the age threshold, finally judging whether the payment amount is longer than an amount threshold, recording a score of 0.3 score if the payment amount is longer than the amount threshold, finally obtaining a risk score value corresponding to the payment action of 0.8 score, and judging that the payment action is a risk action if the score threshold is longer than 0.2 score.

In the step S204, if the network behavior of the user is determined to be the risk behavior based on each of the extracted specific features by the risk behavior recognition model, the target feature for determining the network behavior of the user as the risk behavior is selected from each of the specific features by the attribution analysis model. It will be appreciated that the target feature is used to indicate that the user's network behaviour is determined to be the cause of the risk behaviour, and that the presence of the target feature results in the risk behaviour recognition model determining the user's network behaviour as the risk behaviour.

In this embodiment, the attribute analysis model selects a target feature that makes the network behavior of the user be determined as a risk behavior from the specific features, specifically:

(a1) Determining a marginal contribution expected value of each specific feature for the risk score value through an attribution analysis model; the attribution analysis model is established based on a Xia Puli value method, and the risk score value is a score value obtained by scoring the risk degree of the network behavior according to each specific characteristic by the risk behavior identification model;

(a2) And taking the characteristic with the marginal contribution expected value larger than the preset expected value threshold value as the target characteristic in each specific characteristic.

Specifically, in this embodiment, the attribution analysis model may be built based on a Shapley Value (Shapley Value) method, where Shapley Value is derived from game theory, and the main idea is that: assuming a total of N features, the final score is S, the extent to which each feature affects the final score S is scaled, primarily by calculating the expected value of the marginal contribution of each feature. In this embodiment, the attribution analysis model is used to analyze the cause of the risk score value obtained after the risk degree of the network behavior of the user is scored by the risk behavior identification model according to each specific feature.

In this embodiment, each specific feature extracted in step S202 may be obtained, a risk score value obtained by scoring the risk degree of the network behavior of the user according to each specific feature by the risk behavior recognition model may be obtained, each specific feature and the risk score value are input to the attribution analysis model for processing, and the marginal contribution expected value of each specific feature for the risk score value is output through the attribution analysis model, where the greater the corresponding marginal contribution expected value is, the greater the contribution of the specific feature to the risk score value is.

In this embodiment, a preset expected value threshold is further set, and a feature with a marginal contribution expected value greater than the preset expected value threshold is taken as a target feature in each specific feature, so as to select a target feature that enables the network behavior of the user to be determined as a risk behavior. By analyzing the target features, it can be determined that the network behavior of the user is determined to be the cause of the risk behavior.

In one embodiment, the network behavior of the user is a login behavior, the login behavior is determined to be a risk behavior by a risk behavior identification model, and the IP feature of the user terminal corresponding to the login behavior is determined to be a target feature by an attribution analysis model. By analyzing the IP characteristics, it can be determined that the reason why the login behavior of the user is determined as the risk behavior is that the user logs in from different places.

In this embodiment, the expected marginal contribution value of each specific feature to the risk score value is determined by the attribution analysis model, specifically:

(b1) Scoring the risk degree of the network behavior of the user based on each N characteristic in each specific characteristic successively through the attribution analysis model to obtain an Nth score value corresponding to each N specific characteristic;

wherein N is a positive integer which is more than or equal to 1 and less than or equal to the total number of the specific features, and the value of N is sequentially added with 1 when the specific features are sequentially marked;

(b2) And according to the scoring score values, determining the marginal contribution expected value of each specific feature for the risk score value.

The above-described processes (b 1) and (b 2) are described here by way of a specific example. In a specific embodiment, the number of specific features is three, including feature a, feature B, and feature C. In the above-mentioned action (b 1), the risk degree of the network behavior of the user is firstly scored based on each feature by attributing to the analysis model, so as to obtain a first score value corresponding to each specific feature, namely, each specific feature is respectively input into the risk behavior recognition model, the first score value based on each specific feature is obtained by the risk behavior recognition model, then the risk degree of the network behavior of the user is scored based on each two features, so as to obtain a second score value corresponding to each two specific features, namely, each specific feature is input into the risk behavior recognition model in a two-by-two manner, the second score value based on each combination is obtained by the risk behavior recognition model, finally, the risk degree of the network behavior of the user is scored based on each three features, so as to obtain a third score value corresponding to each three specific features, namely, each combination is input into the risk behavior recognition model, and the third score value based on each combination is obtained by the risk behavior recognition model, so that the third score value is the risk score value. The specific scoring situation is shown in table 1 below.

TABLE 1

Feature A	First score value D11
		Feature B	First score value D12
Feature C	First score value D13
		Features A+B	Second score D21
Features A+C	Second score D22
		Features B+C	Second score D23
Features A+B+C	Third score value D3

Then, the expected value of the marginal contribution of feature A is calculated as (D11+ (D21-D12) + (D22-D13) + (D3-D12-D13))/3, the expected value of the marginal contribution of feature B is calculated as (D12+ (D21-D11) + (D23-D13) + (D3-D11-D13))/3, and the expected value of the marginal contribution of feature C is calculated as (D13+ (D22-D11) + (D23-D12) + (D3-D12-D13))/3. In the attribution analysis model established based on the summer-top method, the method of calculating the expected value of the marginal contribution of each feature is not limited to the above example, and may be set according to actual demands.

In this embodiment, the attribution analysis model established based on the eplerian method may be a neural network model, and the training process of the model may be exemplified by: firstly, a large amount of sample data is acquired, the sample data can be collected manually, each group of sample data comprises a plurality of specific features, and a risk behavior recognition model scores the risk degree of the network behavior of a user according to the specific features to obtain a risk score value, and target features which cause the risk score value are marked in the specific features; when the model is trained, each group of sample data is input into a neural network model established based on the Charpy value method for training, and after training convergence of each parameter in the model, the obtained trained model is the attribution analysis model.

Therefore, in this embodiment, the target feature that makes the network behavior be determined as the risk behavior can be selected from the specific features through the attribution analysis model, so as to prepare for the subsequent determination of the authentication problem of the user, avoid the problems of low security and easy cracking in the authentication process caused by the fixed authentication problem of the user, and improve the security of the authentication of the user.

In the step S206, the authentication problem of the user is determined according to the target feature, specifically: searching an authentication problem corresponding to the target characteristic in a pre-established problem library, and taking the searched authentication problem as the authentication problem of the user. The authentication questions corresponding to the specific features are recorded in the question library, and the authentication questions recorded in the question library are constructed based on the knowledge graph of the user.

In this embodiment, since the feature extraction rule is preset, the types of the extracted specific features can be predetermined, so that the authentication questions corresponding to the specific features can be recorded in the question bank in advance by a manual manner. The authentication questions recorded in the question library can be constructed manually based on the knowledge graph of the user.

Knowledge graph (KBA) is a series of different graphs showing the relationship between the knowledge development process and the structure, and the knowledge resource and the carrier thereof are described by using a visualization technology, and knowledge and the interrelationship between the knowledge resource and the carrier thereof are mined, analyzed, constructed, drawn and displayed. When the identity verification problem is constructed for each specific feature manually based on the knowledge graph of the user, the construction thought can be as follows: when each specific feature is determined to be the target feature, the network behavior is a possible cause of the risk behavior, and the identity verification problem corresponding to the specific feature is constructed based on the possible cause. Such as: regarding the IP feature, since the main reasons why the IP feature causes the network behavior to be determined as a risk behavior include "login from elsewhere", "change device", etc., the problem of construction may be "what province is your birth place? "," is the model of the handset you were? "; accordingly, regarding the transaction amount feature, since the main reasons why the transaction amount feature causes the network behavior to be determined as a risky behavior include "stranger transaction", "excessive amount", etc., the constructed question may be "do you have transfer records with the payee? "," is you recently buying a product? ". The construction of corresponding authentication questions for other specific features is not exemplified here. When the authentication questions are constructed, the construction is needed based on the knowledge graph of the user so as to ensure that answers to the questions can be obtained from the knowledge graph of the user. In a specific embodiment, a real-time knowledge graph of the user can be generated, and the problem is constructed based on the real-time knowledge graph, so that all information of the user can be rapidly positioned and queried.

Therefore, in the step S206, the authentication problem corresponding to the target feature is searched in the pre-established problem library, the searched authentication problem is used as the authentication problem of the user, and the authentication problem of the user is displayed through the user terminal, so as to authenticate the identity of the user.

In the step S206, the authentication of the user is performed based on the authentication problem of the user, specifically: and displaying the authentication questions of the user through the user terminal, acquiring the answer data of the user aiming at the authentication questions, acquiring the correct answers of the authentication questions from the knowledge graph of the user, and if the answer data of the user is matched with the correct answers, confirming that the authentication is passed, otherwise, confirming that the authentication is not passed.

In one case, the number of target features is a plurality, and each target feature at least corresponds to one authentication problem, and in the step S206, authentication is performed on the user based on the authentication problem of the user, specifically:

(c1) Sequencing all the identity verification problems according to the target characteristics corresponding to all the identity verification problems;

(c2) Displaying the authentication questions to the user through the user terminal according to the sequence, and acquiring answer data of the user aiming at the authentication questions;

(c3) And carrying out identity authentication on the user according to the answer data and the knowledge graph of the user.

Firstly, in the action (c 1), ordering the identity verification problems according to target features corresponding to the identity verification problems, specifically, acquiring marginal contribution expected values of the target features, which are determined by an attribution analysis model, for risk score values, wherein the attribution analysis model is established based on a Xia Puli value method, the risk score values are score values obtained by scoring the risk degree of the network behavior according to specific features by a risk behavior recognition model, and ordering the identity verification problems according to the sequence of the marginal contribution expected values of the target features from large to small.

For example, the target features include M1 and M2, where M1 corresponds to the questions N1 and N2 and M2 corresponds to the questions N3 and N4, in the act (c 1), a marginal contribution expected value of the feature M1 for the risk score value determined by the attribution analysis model is obtained, and a marginal contribution expected value of the feature M2 for the risk score value determined by the attribution analysis model is obtained, and assuming that the marginal contribution expected value of M1 is greater than the marginal contribution expected value of M2, the questions are determined to be ordered: n1, N2, N3, N4. Wherein, a plurality of questions corresponding to the same target feature may be randomly ordered.

In the action (c 2), the authentication questions are displayed to the user through the user terminal according to the sequence, and the answer data of the user for the authentication questions are obtained. For example, the question N1 is displayed first, and after the answer data of the user for the question N1 is obtained, the next question is displayed, so that each question is displayed in turn, and the answer data of the user for each question is obtained. In this embodiment, the user may submit the answer data by selecting an answer or writing an answer.

In the action (c 3), acquiring a correct answer of each authentication question from the knowledge graph of the user, if the correct answer is determined, and if the proportion of the number of the correct questions to the number of the displayed authentication questions reaches a preset proportion, determining that the authentication of the user passes, otherwise, determining that the authentication does not pass.

In a specific embodiment, after each authentication question is presented to a user, obtaining answer data of the user for the question, obtaining a correct answer of the question from a knowledge graph of the user, judging whether the answer of the user is correct according to the correct answer, and calculating a score of the user according to a judgment result. If the score of the user reaches the preset score threshold after all the authentication questions are answered, the authentication is confirmed to pass, or all the authentication questions are not required to be displayed to the user, and if the number of the questions which are answered correctly continuously by the user reaches a certain number, the authentication is confirmed to pass. And stopping the presentation of the remaining questions.

Fig. 3 is a schematic diagram of identity verification provided in an embodiment of the present application, as shown in fig. 3, when determining that a login behavior of a user is a risk behavior, determining that a target feature is an IP feature, and determining an identity verification problem includes: "what is your birth place", "what is your frequency in birth province". And displaying the first authentication question to the user through the user terminal, and displaying the second authentication question after the user answers the first authentication question. The user may submit answer data by selecting an answer. If the two questions of the user are determined to be correct according to the knowledge graph of the user, the user identity verification is determined to pass, and the user is allowed to log in.

In summary, by the method in the embodiment, the target feature that makes the network behavior of the user be judged as the risk behavior can be determined, and the authentication problem is determined based on the target feature and the user is authenticated, so that the effects of flexibly determining the authentication problem and authenticating the user are achieved, the problems that the authentication process is low in safety and easy to crack due to the fact that the authentication problem is fixed are solved, and the security of the user authentication is improved.

Fig. 4 is a schematic diagram of module components of an authentication device according to an embodiment of the present application, as shown in fig. 4, where the device includes:

an obtaining module 41, configured to obtain behavior information of a network behavior of a user and network environment information and/or user equipment information associated with the behavior information, and extract specific features from the obtained information according to a preset feature extraction rule;

an analysis module 42, configured to select, from each of the specific features, a target feature that makes the network behavior be determined as a risk behavior by an attribution analysis model if the network behavior is determined as a risk behavior according to each of the extracted specific features by a risk behavior recognition model;

and the verification module 43 is configured to determine an authentication problem of the user according to the target feature, and perform authentication on the user based on the authentication problem.

Optionally, the device further comprises a judging module, configured to:

scoring the risk degree of the network behavior according to each extracted specific feature through a pre-trained risk behavior recognition model;

and if the risk score value obtained by scoring exceeds a score threshold value, determining the network behavior as a risk behavior.

Optionally, the analysis module 42 is specifically configured to:

determining a marginal contribution expected value of each specific feature for the risk score value through an attribution analysis model; wherein the attribution analysis model is established based on Xia Puli value method; the risk score value is obtained by scoring the risk degree of the network behavior according to each specific characteristic by the risk behavior recognition model;

and taking the characteristic of which the marginal contribution expected value is larger than a preset expected value threshold value as the target characteristic in each specific characteristic.

Optionally, the analysis module 42 is further specifically configured to:

scoring the risk degree of the network behavior based on every N characteristics in each specific characteristic successively through an attribution analysis model to obtain an Nth score value corresponding to every N specific characteristics;

wherein N is a positive integer equal to or greater than 1 and equal to or less than the total number of the specific features, and the value of N is sequentially added by 1 when the specific features are sequentially classified;

and respectively determining a marginal contribution expected value of each specific feature for the risk score value according to each score value obtained by scoring.

Optionally, the verification module 43 is specifically configured to:

Searching an identity verification problem corresponding to the target feature in a pre-established problem library;

taking the searched identity verification problem as the identity verification problem of the user;

the problem library is recorded with authentication problems corresponding to the specific features, and the authentication problems recorded in the problem library are constructed based on the knowledge graph of the user.

Optionally, the number of the target features is a plurality, and each target feature at least corresponds to one identity verification problem; the verification module 43 is specifically configured to:

ordering the identity verification questions according to the target features corresponding to the identity verification questions;

displaying the authentication questions to the user through a user terminal according to the ordering, and acquiring answer data of the user aiming at the authentication questions;

and carrying out identity verification on the user according to the answer data and the knowledge graph of the user.

Optionally, the verification module 43 is further specifically configured to:

acquiring a marginal contribution expected value of each target feature, which is determined by an attribution analysis model, for a risk score value; wherein the attribution analysis model is established based on Xia Puli value method; the risk score value is obtained by scoring the risk degree of the network behavior according to each specific characteristic by the risk behavior recognition model;

And ordering the identity verification problems according to the order of the expected marginal contribution values of the target features from large to small.

Therefore, through the embodiment, the target characteristics which enable the network behavior of the user to be judged as the risk behavior can be determined, the identity verification problem is determined based on the target characteristics, and the user is authenticated, so that the effects of flexibly determining the identity verification problem and authenticating the user are achieved, the problems that the security of the identity verification process is low and the user is easy to crack due to the fact that the identity verification problem is fixed are solved, and the security of the user identity verification is improved.

It should be noted that, the authentication device in this embodiment can implement each process of the foregoing authentication method, and achieve the same effects and functions, which are not repeated here.

Fig. 5 is a schematic structural diagram of an authentication device according to an embodiment of the present application, as shown in fig. 5, where the authentication device may have a relatively large difference due to different configurations or performances, and may include one or more processors 901 and a memory 902, where one or more storage applications or data may be stored in the memory 902. Wherein the memory 902 may be transient storage or persistent storage. The application program stored in the memory 902 may include one or more modules (not shown in the figures), each of which may include a series of computer-executable instructions for use in an authentication device. Still further, the processor 901 may be arranged to communicate with the memory 902 and execute a series of computer executable instructions in the memory 902 on the authentication device. The authentication device may also include one or more power supplies 903, one or more wired or wireless network interfaces 904, one or more input output interfaces 905, one or more keyboards 906, and the like.

In a particular embodiment, the authentication device includes a memory, and one or more programs, wherein the one or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the authentication device, and configured to be executed by the one or more processors, the one or more programs comprising computer-executable instructions for:

Optionally, the computer executable instructions, when executed, further comprise:

Optionally, the computer executable instructions, when executed, select, by an attribution analysis model, a target feature among the respective specific features that causes the network behavior to be determined as a risk behavior, comprising:

Optionally, the computer-executable instructions, when executed, respectively determine, by the attribution analysis model, a marginal contribution expected value for each of the specific features for the risk score value, comprising:

Optionally, the computer executable instructions, when executed, determine an authentication problem for the user from the target feature, comprising:

Optionally, the number of the target features is a plurality of, each of the target features corresponding to at least one of the authentication questions when the computer-executable instructions are executed; authenticating the user based on the authentication problem comprises:

Optionally, the computer executable instructions, when executed, rank each of the authentication questions according to the target feature corresponding to each of the authentication questions, including:

It should be noted that the authentication device in this embodiment can implement the respective processes of the foregoing authentication method and achieve the same effects and functions, and will not be repeated here.

Further, the embodiment of the present application further provides a storage medium, which is configured to store computer executable instructions, in a specific embodiment, the storage medium may be a usb disk, an optical disc, a hard disk, etc., where the computer executable instructions stored in the storage medium when executed by a processor can implement the following procedures:

Optionally, the storage medium stores computer executable instructions that when executed by the processor further comprise:

Optionally, the computer executable instructions stored on the storage medium, when executed by the processor, select, by the attribution analysis model, a target feature among the respective specific features that causes the network behavior to be determined to be a risk behavior, comprising:

Optionally, the computer executable instructions stored on the storage medium, when executed by the processor, determine, by attribution analysis model, a marginal contribution expected value for each of the specific features for the risk score value, respectively, comprising:

Optionally, the storage medium storing computer executable instructions that, when executed by the processor, determine an authentication problem for the user based on the target feature, comprising:

Optionally, the storage medium stores computer executable instructions that, when executed by the processor, number a plurality of said target features, each said target feature corresponding to at least one said authentication problem; authenticating the user based on the authentication problem comprises:

Optionally, the computer executable instructions stored on the storage medium, when executed by the processor, rank each of the authentication questions according to the target feature corresponding to each of the authentication questions, including:

It should be noted that the storage medium in this embodiment can implement the respective processes of the foregoing authentication method and achieve the same effects and functions, and are not repeated here.

In the 90 s of the 20 th century, improvements to one technology could clearly be distinguished as improvements in hardware (e.g., improvements to circuit structures such as diodes, transistors, switches, etc.) or software (improvements to the process flow). However, with the development of technology, many improvements of the current method flows can be regarded as direct improvements of hardware circuit structures. Designers almost always obtain corresponding hardware circuit structures by programming improved method flows into hardware circuits. Therefore, an improvement of a method flow cannot be said to be realized by a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD) (e.g., field programmable gate array (Field Programmable Gate Array, FPGA)) is an integrated circuit whose logic function is determined by the programming of the device by a user. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented by using "logic compiler" software, which is similar to the software compiler used in program development and writing, and the original code before the compiling is also written in a specific programming language, which is called hardware description language (Hardware Description Language, HDL), but not just one of the hdds, but a plurality of kinds, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), lava, lola, myHDL, PALASM, RHDL (Ruby Hardware Description Language), etc., VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently most commonly used. It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by merely slightly programming the method flow into an integrated circuit using several of the hardware description languages described above.

The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, application specific integrated circuits (Application Specific Integrated Circuit, ASIC), programmable logic controllers, and embedded microcontrollers, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, atmel AT91SAM, microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller in a pure computer readable program code, it is well possible to implement the same functionality by logically programming the method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller may thus be regarded as a kind of hardware component, and means for performing various functions included therein may also be regarded as structures within the hardware component. Or even means for achieving the various functions may be regarded as either software modules implementing the methods or structures within hardware components.

The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.

For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.

It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.

Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.

It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.

The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.

In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments.

The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims

1. An identity verification method, comprising:

2. The method of claim 1, the method further comprising:

3. The method of claim 1, selecting, by an attribution analysis model, a target feature among the respective specific features that causes the network behavior to be determined as a risk behavior, comprising:

4. A method according to claim 3, determining a marginal contribution expected value for each of the specific features for a risk score value, respectively, by attribution analysis model, comprising:

5. A method according to any of claims 1 to 4, determining an authentication problem for the user from the target features, comprising:

6. A method according to any one of claims 1 to 4, the number of target features being a plurality, each target feature corresponding to at least one of the authentication questions; authenticating the user based on the authentication problem comprises:

7. The method of claim 6, ordering each of the authentication questions according to the target feature to which the authentication question corresponds, comprising:

8. An authentication apparatus comprising:

9. The apparatus of claim 8, the analysis module being specifically configured to:

10. The apparatus according to claim 8 or 9, the verification module being specifically configured to:

11. The apparatus of claim 8 or 9, the number of target features being a plurality, each target feature corresponding to at least one of the authentication questions; the verification module is specifically configured to:

12. An authentication device comprising: a processor; and a memory arranged to store computer executable instructions which when executed cause the processor to implement the steps of the authentication method of any one of the preceding claims 1 to 7.

13. A storage medium storing computer executable instructions which when executed implement the steps of the authentication method of any one of claims 1 to 7.