CN111625792B - Identity recognition method based on abnormal behavior detection - Google Patents

Publication number
CN111625792B
Authority
CN
China
Prior art keywords
sensor
behavior
representing
user
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010737568.7A
Other languages
Chinese (zh)
Other versions
CN111625792A (en
Inventor
谢林涛
向成钢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Chengyun Digital Technology Co.,Ltd.
Original Assignee
Hangzhou Dacheng Intelligent Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dacheng Intelligent Technology Co ltd filed Critical Hangzhou Dacheng Intelligent Technology Co ltd
Priority to CN202010737568.7A priority Critical patent/CN111625792B/en
Publication of CN111625792A publication Critical patent/CN111625792A/en
Application granted granted Critical
Publication of CN111625792B publication Critical patent/CN111625792B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/316User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/25Fusion techniques
    • G06F18/254Fusion techniques of classification results, e.g. of results related to same input data
    • G06F18/256Fusion techniques of classification results, e.g. of results related to same input data of results relating to different input data, e.g. multimodal recognition

Abstract

The invention discloses an identity recognition method based on abnormal behavior detection. Its main technical scheme is to pre-embed several behavior habit mechanisms, collect sensor-based behavior data, generate features with a standardized preprocessing method, train a model with the OCSVM algorithm on the historical behavior features of the target user entering a password to obtain the probability that a behavior is abnormal, and finally combine this with the results of the preset behavior habit mechanisms through a linear combination to obtain the identity authentication result. Only samples of the target user are needed during training, yet the method can accurately and stably identify whether a new sample belongs to the target user, which improves judgment accuracy and stability.

Description

Identity recognition method based on abnormal behavior detection
Technical Field
The invention relates to the technical field of identity recognition, in particular to an identity recognition method based on abnormal behavior detection.
Background
With the development of the mobile internet, smartphones have become part of everyday life. The mobile internet brings convenience but also the threat of user information loss. Most smartphone apps verify that the user is the account owner by asking for a password in scenarios such as login and payment, but a password alone still carries great risk: once an intruder has stolen it, for example by shoulder surfing, the intruder only needs to enter the correct password to steal all of the user's information in the app, or even transfer money held in the app to other accounts.
Although some current apps use methods such as fingerprint recognition and face recognition, these methods have their own limitations. Fingerprint recognition is highly accurate but strongly affected by environmental factors: when the user's finger is dirty, the fingerprint system has difficulty making a judgment; some users' fingerprints are blurred and hard to recognize; and a user's fingerprint may even be stolen. Face recognition is also heavily constrained: it has difficulty when the surroundings are dark or the face is covered by accessories, and, limited by current technical schemes, people have successfully substituted a photo for the face, which poses a serious threat to user privacy. Behavior recognition is not affected by the surrounding environment, is unique to the user, is highly accurate, needs only the phone's sensors and no additional equipment, and can run covertly as a second authentication factor alongside password entry, so the user's privacy is doubly protected.
With the development of machine learning, machine learning algorithms have found many applications in the recognition field, such as the supervised classification algorithms SVM, RandomForest and XGBoost. However, classification algorithms are not suitable for the identity recognition system of the present invention: to keep the samples balanced, training a classifier generally requires many abnormal samples, and for most target users it is difficult to add samples of non-target users entering the same password to the training set. Outlier detection algorithms are therefore considered for identity recognition.
When no abnormal samples are available for the training data, two cases can be distinguished:
First, based on known information, the data is known to contain both normal behavior and abnormal behavior; this is the outlier detection problem of unsupervised learning. Common algorithms include IsolationForest and LocalOutlierFactor.
Second, the data contains only normal behavior; this is the novelty detection problem of semi-supervised learning. Common algorithms include OneClassSVM.
In the identity recognition system of the invention, the historical data used all belongs to the target user and contains no data from non-target users, so the OneClassSVM algorithm (hereinafter OCSVM) is adopted.
The basic idea of the OCSVM algorithm (one-class support vector machine) is as follows: under linear conditions, a plane is found in space such that the distance from the origin to the plane is as large as possible and the plane separates the normal sample points from the abnormal sample points as well as possible; under nonlinear conditions, sample points in the original space are first mapped into a high-dimensional feature space.
Zheng et al. propose a non-intrusive user authentication mechanism in "You Are How You Touch". The authors study identification by analyzing the way a user touches a phone, taking into account data from the accelerometer, gyroscope and other touch-screen sensors. They then classify with the Z-score method and obtain good results.
That prior art uses pressing pressure and pressing area data; the sensors for these two kinds of data are unavailable on most Android phones, so they are unsuitable for production environments. Even where iOS handsets have the relevant sensors, we found that these two kinds of data are not accurate. We therefore discard the pressing pressure and pressing area data.
The prior art does not consider device orientation sensor data, which in our study is a good dimension for distinguishing different users.
The prior art uses Z-score as the classification algorithm; although Z-score also achieves good results, it generalizes less well than OCSVM. We have therefore introduced the OCSVM algorithm.
In our research, the accuracy and stability of judging the target user are improved by adding preset behavior habit mechanisms and combining them with the OCSVM model.
Disclosure of Invention
In order to solve the problem of identity recognition based on sensor data of a smart phone, the invention provides an identity recognition method based on abnormal behavior detection, only a target user sample is used in the training process, and whether a new sample is a target user can be accurately and stably judged, so that the judgment accuracy and stability can be improved.
An identity recognition method based on abnormal behavior detection comprises the following steps:
Step 1): collect the data of each sensor while the user enters the same password on the same smartphone multiple times;
Step 2): collect the user's reaction results to the preset behavior habit mechanisms before and after the password is entered;
Step 3): clean and convert the sensor data obtained in step 1) to obtain normalized feature values;
Step 4): clean and convert the reaction results of the behavior habit mechanisms obtained in step 2) to obtain the feature values of the behavior habit mechanisms;
Step 5): repeat steps 1), 2) and 3) to obtain multiple normalized feature values, and train on the training set samples with the OCSVM algorithm using the sklearn package for Python to obtain a model
Figure 643810DEST_PATH_IMAGE001
Step 6): repeating the steps 1), 2) and 4) to obtain characteristic values of a plurality of behavior habit mechanisms, constructing a behavior baseline of each habit of the target user, and integrating all behavior baselines to construct a model
Figure 965812DEST_PATH_IMAGE002
Step 7): integrating the models obtained in the step 5) and the step 6), and distributing weights to obtain a fusion model:
Figure 666921DEST_PATH_IMAGE003
wherein a and b are assigned weights;
Step 8): detect abnormal behavior with the fusion model to identify whether the user is the owner.
The method pre-embeds several behavior habit mechanisms, collects sensor-based behavior data, generates features with a standardized preprocessing method, trains a model with the OCSVM algorithm on the historical behavior features of the target user entering the password to obtain the probability that the behavior is abnormal, and combines this with the results of the preset behavior habit mechanisms through a linear combination to decide whether the behavior belongs to the target user.
In step 1), the sensors are the device orientation sensor, the acceleration sensor, the magnetic field sensor and the gyroscope sensor;
the sensor data is the per-axis data of the device orientation sensor, acceleration sensor, magnetic field sensor and gyroscope sensor;
in step 2), the reaction results of the preset behavior habit mechanisms specifically include:
when the user name being entered contains digits, whether the user switches to the numeric keyboard or directly uses the digits on the alphabetic keyboard is taken as the reaction result of the user's first behavior habit mechanism;
the acceleration sensor data of the phone during a short time after the user finishes entering the password is taken as the reaction result of the user's second behavior habit mechanism. The short time is 5-6 s, specifically 5.5 s.
Step 3), cleaning and converting the sensor data obtained in step 1) to obtain normalized feature values, specifically comprises the following steps:
A) remove, following the timestamp sequence, the records with empty values from the sensor data obtained in step 1) to obtain valid sensor data;
B) compute the modulus length of the valid sensor data from step A),
Figure 265393DEST_PATH_IMAGE004
wherein
Figure 469978DEST_PATH_IMAGE005
denotes the modulus length,
Figure 230123DEST_PATH_IMAGE006
a value representing the x-axis of the sensor,
Figure 949687DEST_PATH_IMAGE007
a value representing the y-axis of the sensor,
Figure 414166DEST_PATH_IMAGE008
represents the z-axis value of the sensor, which yields the modulus length corresponding to the timestamp sequence;
C) from the timestamp sequence and the corresponding modulus lengths obtained in step B), compute five values for each sensor: the modulus length when a key is pressed, the modulus length when it is released, and the maximum, minimum and average modulus length during the release period;
D) taking a 6-digit numeric password, process the timestamp sequence into a time feature sequence:
Figure 286307DEST_PATH_IMAGE009
wherein
Figure 938393DEST_PATH_IMAGE010
represents the hold time while the digit is pressed,
Figure 958301DEST_PATH_IMAGE011
represents the gap time while the digit is released,
Figure 898576DEST_PATH_IMAGE012
represents the hold time while the 1st digit is pressed,
Figure 812174DEST_PATH_IMAGE013
represents the gap time while the 1st digit is released,
Figure 445280DEST_PATH_IMAGE014
represents the hold time while the 2nd digit is pressed,
Figure 952485DEST_PATH_IMAGE015
represents the gap time while the 2nd digit is released,
Figure 883401DEST_PATH_IMAGE016
represents the hold time while the 3rd digit is pressed,
Figure 730134DEST_PATH_IMAGE017
represents the gap time while the 3rd digit is released,
Figure 252251DEST_PATH_IMAGE018
represents the hold time while the 4th digit is pressed,
Figure 653277DEST_PATH_IMAGE019
represents the gap time while the 4th digit is released,
Figure 921972DEST_PATH_IMAGE020
represents the hold time while the 5th digit is pressed,
Figure 623211DEST_PATH_IMAGE021
represents the gap time while the 5th digit is released,
Figure 660437DEST_PATH_IMAGE022
represents the hold time while the 6th digit is pressed,
Figure 063606DEST_PATH_IMAGE023
represents the gap time while the 6th digit is released;
E) normalizing the values of the five dimensions of each sensor obtained in the step C) and the time characteristic sequence obtained in the step D) to obtain normalized characteristic values;
Step 4), cleaning and converting the reaction results of the behavior habit mechanisms obtained in step 2) to obtain the feature values of the behavior habit mechanisms, specifically comprises the following steps:
convert the reaction result of the first behavior habit mechanism into a Boolean value of -1 or 1 according to whether the user switches to the numeric keyboard or directly uses the digits on the alphabetic keyboard;
for the acceleration sensor data after the user finishes entering the password, taken as the reaction result of the second behavior habit mechanism, compute the Euclidean distance between each group of vectors and the initial sensor vector:
Figure 87057DEST_PATH_IMAGE024
wherein
Figure 892070DEST_PATH_IMAGE025
Figure 100198DEST_PATH_IMAGE026
Figure 475816DEST_PATH_IMAGE027
Values representing the three axes of each set of acceleration sensors,
Figure 83383DEST_PATH_IMAGE028
Figure 759215DEST_PATH_IMAGE029
Figure 265808DEST_PATH_IMAGE030
represent the initial values of the acceleration sensor. When the Euclidean distance
Figure 394301DEST_PATH_IMAGE031
is larger than the preset threshold, the value is 1; otherwise the value is -1.
Step 6) specifically comprises the following steps:
a) obtaining the weight of each behavior habit:
Figure 884188DEST_PATH_IMAGE032
wherein
Figure 398215DEST_PATH_IMAGE033
represents the weight of the j-th behavior habit mechanism,
Figure 620248DEST_PATH_IMAGE034
is the i-th feature value of the j-th behavior habit mechanism, and n is the number of feature values of each behavior habit mechanism;
b) normalizing the weights of all the behavior habit mechanisms obtained in the last step to obtain the normalized weights of the behavior habits
Figure 422988DEST_PATH_IMAGE035
c) Model obtained by synthesizing all behavior baselines
Figure 388670DEST_PATH_IMAGE036
Wherein
Figure 757204DEST_PATH_IMAGE037
Figure 150139DEST_PATH_IMAGE038
Is as follows
Figure 696965DEST_PATH_IMAGE039
The (n + 1) th characteristic value of each behavior habit mechanism.
Compared with the prior art, the invention has the following beneficial effects:
1) Implicit identification: the user still goes through traditional password verification, but behavior recognition is embedded implicitly, so it is imperceptible and friendly to the user.
2) High accuracy: the invention uses the OCSVM algorithm and the behavior habit mechanisms to identify the user, and the accuracy reaches 96%.
3) Quick response: the invention can quickly identify whether the user is legitimate with a limited data set;
4) Low overhead: the invention uses the smartphone's sensor data and incurs no other cost;
5) Hard to forge: even if an attacker observes and imitates the user's behavior, it is difficult for the attacker to pass as the user;
6) Environment independent: the recognition result is not limited by the device's environment, such as the application or the user's gesture;
7) Extensible: the behavior habit mechanisms can be preset according to actual conditions.
Drawings
FIG. 1 is a flow chart of sensor data processing when a password is entered;
FIG. 2 is a flow chart of a preset behavior habit data processing;
FIG. 3 is a flow chart of an offline discriminant model training process;
FIG. 4 is a flow chart of online identity authentication;
Detailed Description
As shown in fig. 3, an identity recognition method based on abnormal behavior detection includes the following steps:
Step 1): collect the data of each sensor while the user enters the same password on the same smartphone multiple times;
the sensors are the device orientation sensor, the acceleration sensor, the magnetic field sensor and the gyroscope sensor;
the sensor data is the per-axis data of the device orientation sensor, acceleration sensor, magnetic field sensor and gyroscope sensor;
Step 2): collect the user's reaction results to the preset behavior habit mechanisms before and after the password is entered;
the reaction results of the preset behavior habit mechanisms specifically include:
when the user name being entered contains digits, whether the user switches to the numeric keyboard or directly uses the digits on the alphabetic keyboard is taken as the reaction result of the user's first behavior habit mechanism;
the acceleration sensor data of the phone during a short time after the user finishes entering the password is taken as the reaction result of the user's second behavior habit mechanism. The short time is 5-6 s, specifically 5.5 s.
Step 3), cleaning and converting the sensor data obtained in step 1) to obtain normalized feature values, specifically comprises the following steps:
A) remove, following the timestamp sequence, the records with empty values from the sensor data obtained in step 1) to obtain valid sensor data;
B) compute the modulus length of the valid sensor data from step A),
Figure 918868DEST_PATH_IMAGE040
wherein
Figure 486115DEST_PATH_IMAGE041
denotes the modulus length,
Figure 49952DEST_PATH_IMAGE042
representing the square of the value of the x-axis of the sensor,
Figure 92863DEST_PATH_IMAGE043
representing the square of the value of the y-axis of the sensor,
Figure 728244DEST_PATH_IMAGE044
represents the square of the z-axis value of the sensor, which yields the modulus length corresponding to the timestamp sequence;
C) from the timestamp sequence and the corresponding modulus lengths obtained in step B), compute five values for each sensor: the modulus length when a key is pressed, the modulus length when it is released, and the maximum, minimum and average modulus length during the release period;
D) taking a 6-digit numeric password, process the timestamp sequence into a time feature sequence:
Figure 822102DEST_PATH_IMAGE045
wherein
Figure 009369DEST_PATH_IMAGE046
represents the hold time while the digit is pressed,
Figure 821467DEST_PATH_IMAGE047
represents the gap time while the digit is released.
E) Normalizing the values of the five dimensions of each sensor obtained in the step C) and the time characteristic sequence obtained in the step D) to obtain normalized characteristic values;
Step 4), cleaning and converting the reaction results of the behavior habit mechanisms obtained in step 2) to obtain the feature values of the behavior habit mechanisms, specifically comprises the following steps:
convert the reaction result of the first behavior habit mechanism into a Boolean value of -1 or 1 according to whether the user switches to the numeric keyboard or directly uses the digits on the alphabetic keyboard;
for the acceleration sensor data after the user finishes entering the password, taken as the reaction result of the second behavior habit mechanism, compute the Euclidean distance between each group of vectors and the initial sensor vector:
Figure 260539DEST_PATH_IMAGE048
wherein
Figure 726680DEST_PATH_IMAGE049
values representing the three axes of each set of acceleration sensors,
Figure 101161DEST_PATH_IMAGE050
represents the initial value of the acceleration sensor. When the Euclidean distance
Figure 462872DEST_PATH_IMAGE051
is larger than the preset threshold, the value is 1; otherwise the value is -1.
Step 5): as shown in fig. 1, repeat steps 1), 2) and 3) to obtain multiple normalized feature values, and train on the training set samples with the OCSVM algorithm using the sklearn package for Python to obtain a model
Figure 627006DEST_PATH_IMAGE052
Step 6): as shown in fig. 2, repeating steps 1), 2) and 4) to obtain characteristic values of a plurality of behavior habit mechanisms, constructing a behavior baseline of each habit of a target user, and integrating all behavior baselines to construct a model
Figure 633139DEST_PATH_IMAGE053
The method specifically comprises the following steps:
a) obtaining the weight of each behavior habit:
Figure 303155DEST_PATH_IMAGE054
wherein
Figure 339113DEST_PATH_IMAGE033
a weight representing the jth behavioral habit mechanism,
Figure 995353DEST_PATH_IMAGE034
for the jth behavioral habit mechanism
Figure 246206DEST_PATH_IMAGE055
A secondary eigenvalue;
b) normalizing the weights of all the behavior habit mechanisms obtained in the last step to obtain the normalized weights of the behavior habits
Figure 8494DEST_PATH_IMAGE035
c) Model obtained by synthesizing all behavior baselines
Figure 485743DEST_PATH_IMAGE036
Wherein
Figure 804729DEST_PATH_IMAGE056
Figure 99969DEST_PATH_IMAGE057
Is as follows
Figure 518312DEST_PATH_IMAGE039
The (n + 1) th characteristic value of each behavior habit mechanism.
Step 7): integrating the models obtained in the step 5) and the step 6), and distributing weights to obtain a fusion model:
Figure 466545DEST_PATH_IMAGE058
wherein a and b are assigned weights;
step 8): as shown in fig. 4, inputting new sample data, preprocessing the data, detecting abnormal behavior by using a fusion model, performing identity recognition, and ending the recognition.
Specifically, the identity recognition method based on abnormal behavior detection comprises the following steps:
First, data collection
Step one: collect the data of each sensor while the user enters the same password on the same smartphone multiple times.
1) Our SDK service is embedded in the app that requires password entry.
2) While the user enters the password, the SDK collects sensor data at a certain frequency, and also records the sensor data at the moments each digit is pressed and released.
Step two: collect the user's reaction results to some preset behavior habit mechanisms before and after the password is entered, for example:
1) Behavior habit mechanism 1: when the user name being entered contains digits, whether the user switches to the numeric keyboard or directly uses the digits on the alphabetic keyboard.
2) Behavior habit mechanism 2: the acceleration sensor data of the phone during a short time after the password has been entered.
Second, data preprocessing
The collected sensor data is cleaned and converted:
Step one: data cleaning, i.e. selecting the data that meets the conditions:
1) select the data belonging to the same password;
2) select the time-series data and the sensor data required by the algorithm model, such as the device orientation sensor, acceleration sensor, magnetic field sensor and gyroscope sensor; sensor data must not be null, otherwise the record is discarded;
Step two: data conversion, i.e. processing the raw data into a format that can be fed to the model.
1) The acceleration, device orientation, magnetic field and gyroscope sensors collect data on every axis, and the modulus length needs to be computed,
Figure 589222DEST_PATH_IMAGE059
2) Then compute the five-dimensional values of the sensor data: the value at press time, the release-period maximum, the release-period minimum and the release-period average.
3) For the time-series data, taking a 6-digit numeric password as an example, the time-series data is processed into a time feature sequence:
Figure 486771DEST_PATH_IMAGE060
Figure 528545DEST_PATH_IMAGE061
represent the hold time while a digit is pressed and the gap time while the digit is released, respectively.
4) To make data processing convenient and to speed up convergence during later model training, all feature values are normalized; experiments also show that normalization improves model accuracy. The normalization method is as follows:
Figure 105020DEST_PATH_IMAGE062
wherein
Figure 703491DEST_PATH_IMAGE063
and
Figure 642497DEST_PATH_IMAGE064
are the data before and after normalization, respectively, and
Figure 261698DEST_PATH_IMAGE065
and
Figure 324036DEST_PATH_IMAGE067
minimum and maximum values of the sample data, respectively.
Step three: processing behavior habit related data:
1) Behavior habit mechanism 1: whether the user switches to the numeric keyboard or directly uses the digits on the alphabetic keyboard is converted to a Boolean value of -1 or 1.
2) Behavior habit mechanism 2: calculating the Euclidean distance between each group of vectors and the initial sensor vector for the acceleration sensor data of the user after the password is input:
Figure 258494DEST_PATH_IMAGE068
wherein
Figure 720699DEST_PATH_IMAGE069
Values representing the three axes of each set of acceleration sensors,
Figure 130821DEST_PATH_IMAGE070
represents the initial value of the acceleration sensor. When
Figure 133412DEST_PATH_IMAGE071
is larger than the preset threshold, the value is 1; otherwise the value is -1.
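The preprocessing steps above (null removal, modulus length, five values per key, hold/gap timing sequence, min-max normalization and the behavior habit 2 feature), written out as an added Python example that is not part of the patent. The patent's formulas are not reproduced on this page, so the standard vector magnitude, min-max scaling and Euclidean distance are assumed; the function names, the release period taken as the span from a key's release to the next key's press, the use of the largest distance in the window, and the sample readings are all constructed for illustration.

```python
import math

def modulus(x, y, z):
    """Step B: modulus length (vector magnitude) of one three-axis reading."""
    return math.sqrt(x * x + y * y + z * z)

def clean(readings):
    """Step A: drop readings with an empty axis value, keep timestamp order."""
    valid = [r for r in readings if all(v is not None for v in r)]
    return sorted(valid, key=lambda r: r[0])

def modulus_series(readings):
    """[(timestamp_ms, modulus)] for every valid reading."""
    return [(t, modulus(x, y, z)) for t, x, y, z in clean(readings)]

def nearest(series, t):
    """Modulus of the reading closest in time to t."""
    return min(series, key=lambda p: abs(p[0] - t))[1]

def five_values(series, press, release, next_press):
    """Step C for one key: modulus at press, at release, then max/min/mean
    over the release period (assumed: from release to the next press)."""
    window = [m for t, m in series if release <= t <= next_press]
    if not window:  # no reading fell inside a very short gap
        window = [nearest(series, release)]
    return [nearest(series, press), nearest(series, release),
            max(window), min(window), sum(window) / len(window)]

def timing_sequence(keys, end):
    """Step D: [hold_1, gap_1, ..., hold_n, gap_n] in milliseconds.
    `end` closes the last gap (assumed: the moment the form is submitted)."""
    seq = []
    for i, (press, release) in enumerate(keys):
        nxt = keys[i + 1][0] if i + 1 < len(keys) else end
        seq += [release - press, nxt - release]
    return seq

def entry_features(readings, keys, end):
    """Raw feature row for one password entry and one sensor."""
    series = modulus_series(readings)
    row = []
    for i, (press, release) in enumerate(keys):
        nxt = keys[i + 1][0] if i + 1 < len(keys) else end
        row += five_values(series, press, release, nxt)
    return row + timing_sequence(keys, end)

def fit_minmax(rows):
    """Step E: per-column minimum and maximum over the enrollment rows."""
    cols = list(zip(*rows))
    return [min(c) for c in cols], [max(c) for c in cols]

def apply_minmax(row, lo, hi):
    """Scale with the enrollment min/max; a constant column maps to 0.0
    instead of dividing by zero. New samples may fall outside [0, 1]."""
    return [(v - a) / (b - a) if b > a else 0.0
            for v, a, b in zip(row, lo, hi)]

def habit2_feature(readings, threshold):
    """Behavior habit 2: 1 if the phone moved further than `threshold` from
    its first reading after password entry, else -1."""
    pts = clean(readings)
    _, x0, y0, z0 = pts[0]
    far = max(modulus(x - x0, y - y0, z - z0) for _, x, y, z in pts)
    return 1 if far > threshold else -1

# Constructed sample: accelerometer readings (ms, x, y, z) and the
# (press_ms, release_ms) pairs of a 6-digit password.
READINGS = [(t, 0.1 * (t % 300) / 100, 0.2, 9.8) for t in range(0, 2000, 50)]
READINGS[3] = (150, None, 0.2, 9.8)  # dropped axis value, removed in step A
KEYS = [(100, 180), (400, 470), (700, 790), (1000, 1075),
        (1300, 1390), (1600, 1680)]

if __name__ == "__main__":
    row = entry_features(READINGS, KEYS, end=1900)
    print(len(row), "raw features; timing:", timing_sequence(KEYS, 1900))
```

The min/max pair must be learned once from the enrollment entries and reused unchanged at authentication time, otherwise a single new sample would always normalize to the same values.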
Third, model establishment
Step one: as shown in fig. 1, based on the target user's historical sensor data, train on the training set samples with the OCSVM algorithm using the sklearn package for Python to obtain a model.
1) Determine the evaluation metrics: the model is evaluated with three metrics, the false acceptance rate (FAR), the false rejection rate (FRR) and the equal error rate (EER).
2) Determine the kernel function: after multiple experiments, the Gaussian kernel (RBF) was selected.
3) Set the training error (nu).
4) Train on the training set to obtain the OCSVM model of the corresponding target user
Figure 860060DEST_PATH_IMAGE072
Step two: as shown in fig. 2, based on the historical behavior habit data of the target user, a behavior baseline of each habit of the target user is constructed, and a model is constructed by integrating all behavior baselines:
1) obtaining the weight of each behavior habit:
Figure 945696DEST_PATH_IMAGE073
wherein
Figure 187322DEST_PATH_IMAGE025
is the i-th value,
Figure 931287DEST_PATH_IMAGE074
denotes the sum of all values,
Figure 964971DEST_PATH_IMAGE075
denotes the number of values, and
Figure 831296DEST_PATH_IMAGE076
denotes the absolute value.
2) Normalizing all the weights obtained in the last step to obtain the weight of each behavior habit
Figure 763480DEST_PATH_IMAGE035
3) Model obtained by synthesizing all behavior baselines
Figure 247155DEST_PATH_IMAGE077
Figure 276291DEST_PATH_IMAGE078
Is as follows
Figure 985621DEST_PATH_IMAGE039
The (n + 1) th characteristic value of each behavior habit mechanism.
Step three: integrating the models obtained in the first step and the second step, and distributing weights to obtain a fusion model:
Figure 857631DEST_PATH_IMAGE079
Fourth, detection and identification
As shown in Fig. 4, after one or more new samples to be tested enter the system, the pre-trained fusion model is called. The new sample data again goes through the data cleaning and data preprocessing steps, which convert it into a data format the fusion model accepts, and the fusion model result is finally obtained.
When the result output by the fusion model is greater than or equal to the threshold value, the sample is considered to belong to the target user; when the result is smaller than the threshold value, the sample is considered not to belong to the target user.
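How the three evaluation indices relate to the acceptance rule above, as an added Python example that is not part of the patent: the fused scores are constructed and the function names are hypothetical. A sample is accepted when the fusion model output is greater than or equal to the threshold, so FAR counts accepted samples from other people and FRR counts rejected samples from the target user.

```python
def far_frr(genuine, impostor, threshold):
    """FAR = share of impostor samples accepted, FRR = share of the owner's
    samples rejected, where a sample is accepted when score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def equal_error_rate(genuine, impostor):
    """Try every observed score as the threshold and return (threshold, EER)
    where FAR and FRR are closest; EER is reported as their mean."""
    best = None
    for th in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, th)
        candidate = (abs(far - frr), th, (far + frr) / 2)
        if best is None or candidate[0] < best[0]:
            best = candidate
    return best[1], best[2]

def is_owner(score, threshold):
    """Decision rule from the description: accept when score >= threshold."""
    return score >= threshold

# Constructed fusion-model outputs for held-out samples (not measured data).
GENUINE = [0.9, 0.8, 0.75, 0.6, 0.4]    # samples typed by the target user
IMPOSTOR = [0.7, 0.5, 0.3, 0.2, 0.1]    # samples typed by other people

if __name__ == "__main__":
    th, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"threshold={th} EER={eer:.2f}")
    print(far_frr(GENUINE, IMPOSTOR, th))
```

Raising the threshold lowers FAR and raises FRR, so the threshold chosen for deployment fixes the trade-off between letting a stranger in and locking the owner out.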

Claims (5)

1. An identity recognition method based on abnormal behavior detection is characterized by comprising the following steps:
step 1): collecting the data of each sensor while a user inputs the same password on the same smartphone multiple times;
step 2): collecting the reaction results of the user to a preset behavior habit mechanism before and after inputting the user password;
step 3): cleaning and converting the sensor data obtained in step 1) to obtain normalized characteristic values;
step 4): cleaning and converting the reaction result of the behavior habit mechanism obtained in step 2) to obtain a characteristic value of the behavior habit mechanism;
step 5): repeating steps 1), 2) and 3) to obtain a plurality of normalized characteristic values, and training the training set samples with the OCSVM algorithm, using the sklearn package of the Python language, to obtain a model
Figure 731668DEST_PATH_IMAGE001
Step 6): repeating the steps 1), 2) and 4) to obtain characteristic values of a plurality of behavior habit mechanisms, constructing a behavior baseline of each habit of the target user, and integrating all behavior baselines to construct a model
Figure 287414DEST_PATH_IMAGE002
The method specifically comprises the following steps:
a) obtaining the weight of each behavior habit:
Figure 620175DEST_PATH_IMAGE003
wherein
Figure 261372DEST_PATH_IMAGE004
represents the weight of the j-th behavior habit mechanism,
Figure 947569DEST_PATH_IMAGE005
for the jth behavioral habit mechanism
Figure 872668DEST_PATH_IMAGE006
N is the number of characteristic values of each behavior habit mechanism;
b) normalizing the weights of all the behavior habit mechanisms obtained in the previous step to obtain the normalized weights of the behavior habits
Figure 861484DEST_PATH_IMAGE007
c) combining all behavior baselines to obtain the model
Figure 239245DEST_PATH_IMAGE008
Wherein
Figure 729132DEST_PATH_IMAGE009
Figure 259470DEST_PATH_IMAGE010
is, for the behavior habit mechanism with index
Figure 936964DEST_PATH_IMAGE011
the (n + 1)-th characteristic value of that mechanism;
step 7): integrating the models obtained in step 5) and step 6) and assigning weights to obtain a fusion model:
Figure 552753DEST_PATH_IMAGE012
wherein a and b are assigned weights;
step 8): detecting abnormal behaviors with the fusion model so as to identify whether the user is the owner.
2. The identity recognition method based on abnormal behavior detection according to claim 1, wherein in step 1), the sensor data comprises axis data of the device orientation sensor, the acceleration sensor, the magnetic field sensor and the gyroscope sensor.
3. The identity recognition method based on abnormal behavior detection as claimed in claim 1, wherein in step 2), the reaction result of the preset behavior habit mechanism specifically includes:
when the input user name contains numbers, whether the user switches to the numeric keyboard or directly uses the numbers in the alphabetic keyboard is taken as the reaction result of the first behavior habit mechanism of the user;
and the acceleration sensor data of the mobile phone within a short time after the user finishes inputting the password is taken as the reaction result of the second behavior habit mechanism of the user, wherein the short time is 5-6 s.
4. The identity recognition method based on abnormal behavior detection according to claim 1, wherein in step 3), cleaning and converting the sensor data obtained in step 1) to obtain normalized characteristic values specifically comprises:
A) removing the data with empty values from the sensor data obtained in step 1), following the timestamp sequence, to obtain valid sensor data;
B) computing the modulus length of the valid sensor data from step A),
Figure 580752DEST_PATH_IMAGE013
wherein
Figure 214864DEST_PATH_IMAGE014
represents the modulus length,
Figure 811062DEST_PATH_IMAGE015
a value representing the x-axis of the sensor,
Figure 163415DEST_PATH_IMAGE016
a value representing the y-axis of the sensor,
Figure 995104DEST_PATH_IMAGE017
representing the value of the z axis of the sensor, so as to obtain the modulus lengths corresponding to the timestamp sequence;
C) from the timestamp sequence and the corresponding modulus lengths obtained in step B), calculating for each sensor the values of five dimensions: the modulus length at press, the modulus length at release, and the maximum, minimum and average modulus length during the release period;
D) using a 6-digit numeric password, processing the timestamp sequence into a time characteristic sequence:
Figure 234456DEST_PATH_IMAGE018
wherein
Figure 250822DEST_PATH_IMAGE019
represents the sticky time when the 1st digit is pressed,
Figure 841204DEST_PATH_IMAGE020
represents the blank time during the release of the 1st digit,
Figure 211005DEST_PATH_IMAGE021
represents the sticky time when the 2nd digit is pressed,
Figure 810921DEST_PATH_IMAGE022
represents the blank time during the release of the 2nd digit,
Figure 748921DEST_PATH_IMAGE023
represents the sticky time when the 3rd digit is pressed,
Figure 810287DEST_PATH_IMAGE024
represents the blank time during the release of the 3rd digit,
Figure 249358DEST_PATH_IMAGE025
represents the sticky time when the 4th digit is pressed,
Figure 463302DEST_PATH_IMAGE026
represents the blank time during the release of the 4th digit,
Figure 618209DEST_PATH_IMAGE027
represents the sticky time when the 5th digit is pressed,
Figure 979920DEST_PATH_IMAGE028
represents the blank time during the release of the 5th digit,
Figure 146983DEST_PATH_IMAGE029
represents the sticky time when the 6th digit is pressed;
E) normalizing the values of the five dimensions of each sensor obtained in the step C) and the time characteristic sequence obtained in the step D) to obtain normalized characteristic values.
5. The identity recognition method based on abnormal behavior detection according to claim 1, wherein in step 4), cleaning and converting the reaction result of the behavior habit mechanism obtained in step 2) to obtain the characteristic value of the behavior habit mechanism specifically comprises:
converting the reaction result of the first behavior habit mechanism into a Boolean value of -1 or 1 according to whether the user switches to the numeric keyboard or directly uses the numbers in the alphabetic keyboard;
and, for the acceleration sensor data collected after the user inputs the password, taken as the reaction result of the second behavior habit mechanism, calculating the Euclidean distance between each group of vectors and the initial sensor vector:
Figure 871226DEST_PATH_IMAGE030
wherein
Figure 400296DEST_PATH_IMAGE031
Figure 46041DEST_PATH_IMAGE032
Figure 220058DEST_PATH_IMAGE033
represent the values of the three axes of each group of acceleration sensor data,
Figure 143015DEST_PATH_IMAGE034
Figure 983932DEST_PATH_IMAGE035
Figure 507186DEST_PATH_IMAGE036
represent the initial values of the three axes of the acceleration sensor; when the Euclidean distance
Figure 701538DEST_PATH_IMAGE037
is greater than the preset threshold value, the value is 1, and when the Euclidean distance
Figure 993848DEST_PATH_IMAGE037
is not greater than the preset threshold value, the value is -1.
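The feature extraction of claims 4 and 5, as an added Python sketch that is not part of the patent. The sample readings are constructed, and three readings of the claim text are assumptions: the release period is the span from a key release to the next press, sticky time is the time a key is held and blank time the gap to the next press, and step E uses min-max scaling.

```python
import math

def modulus(x, y, z):
    """Step B: modulus length of one three-axis sensor reading."""
    return math.sqrt(x * x + y * y + z * z)

def clean(samples):
    """Step A: drop readings with an empty axis value, keep timestamp order."""
    return sorted((s for s in samples if None not in s), key=lambda s: s[0])

def key_features(samples, press_t, release_t, next_press_t):
    """Step C: modulus at press, at release, then max/min/mean over the
    release period (assumed: from release until the next press)."""
    series = [(t, modulus(x, y, z)) for t, x, y, z in clean(samples)]
    def nearest(ts):
        return min(series, key=lambda p: abs(p[0] - ts))[1]
    gap = [m for t, m in series if release_t <= t <= next_press_t]
    return [nearest(press_t), nearest(release_t),
            max(gap), min(gap), sum(gap) / len(gap)]

def time_features(keys):
    """Step D: sticky time of each digit interleaved with the blank time
    before the next digit; a 6-digit password gives 11 values."""
    out = []
    for i, (press, release) in enumerate(keys):
        out.append(release - press)
        if i + 1 < len(keys):
            out.append(keys[i + 1][0] - release)
    return out

def min_max(rows):
    """Step E: column-wise min-max scaling (the scaling method is assumed)."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(r, lo, hi)] for r in rows]

def post_entry_flags(accel, initial, threshold):
    """Claim 5: 1 when a reading is farther than threshold from the initial
    accelerometer vector, otherwise -1."""
    return [1 if math.dist(a, initial) > threshold else -1 for a in accel]

# Constructed sample: (timestamp_ms, x, y, z); one reading has an empty axis.
SAMPLES = [(0, 0.0, 3.0, 4.0), (50, 1.0, None, 2.0), (100, 0.0, 6.0, 8.0),
           (150, 2.0, 3.0, 6.0), (200, 0.0, 0.0, 1.0)]
# Constructed (press_ms, release_ms) pairs for a 6-digit password.
KEYS = [(0, 100), (200, 290), (400, 480), (650, 760), (900, 1000), (1150, 1230)]
```

Each password entry yields five values per sensor per key plus the 11 timing values; min_max is applied across all collected entries of the target user before training.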

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010737568.7A CN111625792B (en) 2020-07-28 2020-07-28 Identity recognition method based on abnormal behavior detection

Publications (2)

Publication Number Publication Date
CN111625792A CN111625792A (en) 2020-09-04
CN111625792B true CN111625792B (en) 2021-01-01

Family

ID=72272373

Country Status (1)

Country Link
CN (1) CN111625792B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 310000 Room 401, building 1, 1399 liangmu Road, Cangqian street, Yuhang District, Hangzhou City, Zhejiang Province

Patentee after: Hangzhou Chengyun Digital Technology Co.,Ltd.

Address before: 310000 Room 401, building 1, 1399 liangmu Road, Cangqian street, Yuhang District, Hangzhou City, Zhejiang Province

Patentee before: Hangzhou Dacheng Intelligent Technology Co.,Ltd.

EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20200904

Assignee: Suzhou Heyu Finance Leasing Co.,Ltd.

Assignor: Hangzhou Chengyun Digital Technology Co.,Ltd.

Contract record no.: X2023980047704

Denomination of invention: An identity recognition method based on abnormal behavior detection

Granted publication date: 20210101

License type: Exclusive License

Record date: 20231121

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: An identity recognition method based on abnormal behavior detection

Effective date of registration: 20231124

Granted publication date: 20210101

Pledgee: Suzhou Heyu Finance Leasing Co.,Ltd.

Pledgor: Hangzhou Chengyun Digital Technology Co.,Ltd.

Registration number: Y2023980067019